r15481: Update heimdal/ to match current lorikeet-heimdal.

author Andrew Bartlett <abartlet@samba.org>

Sun, 7 May 2006 04:51:30 +0000 (04:51 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 19:05:39 +0000 (14:05 -0500)
author Andrew Bartlett <abartlet@samba.org>
Sun, 7 May 2006 04:51:30 +0000 (04:51 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:05:39 +0000 (14:05 -0500)
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c

index 9fcf40a4c2ad2eb9feac7f491009716bd0e323a2..14969aaa520bf03e94ca840bea1c2c26078aa1f9 100644 (file)
--- a/source4/heimdal/kdc/524.c
+++ b/source4/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
@@ -33,7 +33,7 @@
  
  #include "kdc_locl.h"
  
-RCSID("$Id: 524.c,v 1.36 2006/04/07 22:12:28 lha Exp $");
+RCSID("$Id: 524.c,v 1.37 2006/04/27 11:33:20 lha Exp $");
  
  #include <krb5-v4compat.h>
  
@@ -66,7 +66,7 @@ fetch_server (krb5_context context,
                 krb5_get_err_text(context, ret));
         return ret;
      }
-    ret = _kdc_db_fetch(context, config, sprinc, HDB_ENT_TYPE_SERVER, server);
+    ret = _kdc_db_fetch(context, config, sprinc, HDB_F_GET_SERVER, server);
      krb5_free_principal(context, sprinc);
      if (ret) {
         kdc_log(context, config, 0,
diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c

index 05fedeca29eec90b648b14e2ffb67dc10bdd2f20..c08a51b9cc4073cbbb8ce7e8cf056738d91fe76a 100644 (file)
--- a/source4/heimdal/kdc/kaserver.c
+++ b/source4/heimdal/kdc/kaserver.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
@@ -33,7 +33,7 @@
  
  #include "kdc_locl.h"
  
-RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $");
+RCSID("$Id: kaserver.c,v 1.35 2006/05/05 10:49:50 lha Exp $");
  
  #include <krb5-v4compat.h>
  #include <rx.h>
@@ -107,38 +107,69 @@ RCSID("$Id: kaserver.c,v 1.32 2006/04/02 01:54:37 lha Exp $");
  #define KATOOSOON                                (180521L)
  #define KALOCKED                                 (180522L)
  
-static void
+
+static krb5_error_code
  decode_rx_header (krb5_storage *sp,
                   struct rx_header *h)
  {
-    krb5_ret_int32(sp, &h->epoch);
-    krb5_ret_int32(sp, &h->connid);
-    krb5_ret_int32(sp, &h->callid);
-    krb5_ret_int32(sp, &h->seqno);
-    krb5_ret_int32(sp, &h->serialno);
-    krb5_ret_int8(sp,  &h->type);
-    krb5_ret_int8(sp,  &h->flags);
-    krb5_ret_int8(sp,  &h->status);
-    krb5_ret_int8(sp,  &h->secindex);
-    krb5_ret_int16(sp, &h->reserved);
-    krb5_ret_int16(sp, &h->serviceid);
+    krb5_error_code ret;
+
+    ret = krb5_ret_uint32(sp, &h->epoch);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->connid);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->callid);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->seqno);
+    if (ret) return ret;
+    ret = krb5_ret_uint32(sp, &h->serialno);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->type);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->flags);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->status);
+    if (ret) return ret;
+    ret = krb5_ret_uint8(sp,  &h->secindex);
+    if (ret) return ret;
+    ret = krb5_ret_uint16(sp, &h->reserved);
+    if (ret) return ret;
+    ret = krb5_ret_uint16(sp, &h->serviceid);
+    if (ret) return ret;
+
+    return 0;
  }
  
-static void
+static krb5_error_code
  encode_rx_header (struct rx_header *h,
                   krb5_storage *sp)
  {
-    krb5_store_int32(sp, h->epoch);
-    krb5_store_int32(sp, h->connid);
-    krb5_store_int32(sp, h->callid);
-    krb5_store_int32(sp, h->seqno);
-    krb5_store_int32(sp, h->serialno);
-    krb5_store_int8(sp,  h->type);
-    krb5_store_int8(sp,  h->flags);
-    krb5_store_int8(sp,  h->status);
-    krb5_store_int8(sp,  h->secindex);
-    krb5_store_int16(sp, h->reserved);
-    krb5_store_int16(sp, h->serviceid);
+    krb5_error_code ret;
+
+    ret = krb5_store_uint32(sp, h->epoch);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->connid);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->callid);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->seqno);
+    if (ret) return ret;
+    ret = krb5_store_uint32(sp, h->serialno);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->type);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->flags);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->status);
+    if (ret) return ret;
+    ret = krb5_store_uint8(sp,  h->secindex);
+    if (ret) return ret;
+    ret = krb5_store_uint16(sp, h->reserved);
+    if (ret) return ret;
+    ret = krb5_store_uint16(sp, h->serviceid);
+    if (ret) return ret;
+
+    return 0;
  }
  
  static void
@@ -162,7 +193,7 @@ init_reply_header (struct rx_header *hdr,
  
  static void
  make_error_reply (struct rx_header *hdr,
-                 u_int32_t ret,
+                 uint32_t ret,
                   krb5_data *reply)
  
  {
@@ -171,7 +202,7 @@ make_error_reply (struct rx_header *hdr,
  
      init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
      sp = krb5_storage_emem();
-    encode_rx_header (&reply_hdr, sp);
+    ret = encode_rx_header (&reply_hdr, sp);
      krb5_store_int32(sp, ret);
      krb5_storage_to_data (sp, reply);
      krb5_storage_free (sp);
@@ -249,11 +280,12 @@ create_reply_ticket (krb5_context context,
                      int kvno,
                      int32_t max_seq_len,
                      const char *sname, const char *sinstance,
-                    u_int32_t challenge,
+                    uint32_t challenge,
                      const char *label,
                      krb5_keyblock *key,
                      krb5_data *reply)
  {
+    krb5_error_code ret;
      krb5_data ticket;
      krb5_keyblock session;
      krb5_storage *sp;
@@ -339,7 +371,7 @@ create_reply_ticket (krb5_context context,
      /* create the reply packet */
      init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST);
      sp = krb5_storage_emem ();
-    encode_rx_header (&reply_hdr, sp);
+    ret = encode_rx_header (&reply_hdr, sp);
      krb5_store_int32 (sp, max_seq_len);
      krb5_store_xdr_data (sp, enc_data);
      krb5_data_free (&enc_data);
@@ -410,7 +442,7 @@ do_authenticate (krb5_context context,
      Key *skey = NULL;
      krb5_storage *reply_sp;
      time_t max_life;
-    u_int8_t life;
+    uint8_t life;
      int32_t chal;
      char client_name[256];
      char server_name[256];
@@ -433,8 +465,7 @@ do_authenticate (krb5_context context,
             client_name, from, server_name);
  
      ret = _kdc_db_fetch4 (context, config, name, instance, 
-                         config->v4_realm, HDB_ENT_TYPE_CLIENT, 
-                         &client_entry);
+                         config->v4_realm, HDB_F_GET_CLIENT, &client_entry);
      if (ret) {
         kdc_log(context, config, 0, "Client not found in database: %s: %s",
                 client_name, krb5_get_err_text(context, ret));
@@ -444,7 +475,7 @@ do_authenticate (krb5_context context,
  
      ret = _kdc_db_fetch4 (context, config, "krbtgt", 
                           config->v4_realm, config->v4_realm, 
-                         HDB_ENT_TYPE_SERVER, &server_entry);
+                         HDB_F_GET_KRBTGT, &server_entry);
      if (ret) {
         kdc_log(context, config, 0, "Server not found in database: %s: %s",
                 server_name, krb5_get_err_text(context, ret));
@@ -650,8 +681,7 @@ do_getticket (krb5_context context,
               "%s.%s@%s", name, instance, config->v4_realm);
  
      ret = _kdc_db_fetch4 (context, config, name, instance, 
-                         config->v4_realm, HDB_ENT_TYPE_SERVER, 
-                         &server_entry);
+                         config->v4_realm, HDB_F_GET_SERVER, &server_entry);
      if (ret) {
         kdc_log(context, config, 0, "Server not found in database: %s: %s",
                 server_name, krb5_get_err_text(context, ret));
@@ -660,8 +690,7 @@ do_getticket (krb5_context context,
      }
  
      ret = _kdc_db_fetch4 (context, config, "krbtgt", 
-                         config->v4_realm, config->v4_realm, 
-                         HDB_ENT_TYPE_CLIENT, &krbtgt_entry);
+                    config->v4_realm, config->v4_realm, HDB_F_GET_KRBTGT, &krbtgt_entry);
      if (ret) {
         kdc_log(context, config, 0,
                 "Server not found in database: %s.%s@%s: %s",
@@ -734,8 +763,8 @@ do_getticket (krb5_context context,
             client_name, from, server_name);
  
      ret = _kdc_db_fetch4 (context, config, 
-                         ad.pname, ad.pinst, ad.prealm, 
-                         HDB_ENT_TYPE_CLIENT, &client_entry);
+                         ad.pname, ad.pinst, ad.prealm, HDB_F_GET_CLIENT,
+                         &client_entry);
      if(ret && ret != HDB_ERR_NOENTRY) {
         kdc_log(context, config, 0,
                 "Client not found in database: (krb4) %s: %s",
@@ -842,14 +871,16 @@ _kdc_do_kaserver(krb5_context context,
  {
      krb5_error_code ret = 0;
      struct rx_header hdr;
-    u_int32_t op;
+    uint32_t op;
      krb5_storage *sp;
  
      if (len < RX_HEADER_SIZE)
         return -1;
      sp = krb5_storage_from_mem (buf, len);
  
-    decode_rx_header (sp, &hdr);
+    ret = decode_rx_header (sp, &hdr);
+    if (ret)
+       goto out;
      buf += RX_HEADER_SIZE;
      len -= RX_HEADER_SIZE;
  
@@ -875,7 +906,9 @@ _kdc_do_kaserver(krb5_context context,
         goto out;
      }
  
-    krb5_ret_int32(sp, &op);
+    ret = krb5_ret_uint32(sp, &op);
+    if (ret)
+       goto out;
      switch (op) {
      case AUTHENTICATE :
      case AUTHENTICATE_V2 :
diff --git a/source4/heimdal/kdc/kdc-private.h b/source4/heimdal/kdc/kdc-private.h

index c718b1fd52480c7274427fc5932bdaf552591880..251e06b14aa6a39cd947da647bb53ecefd4f5544 100644 (file)
--- a/source4/heimdal/kdc/kdc-private.h
+++ b/source4/heimdal/kdc/kdc-private.h
@@ -28,8 +28,8 @@ krb5_error_code
  _kdc_db_fetch (
         krb5_context /*context*/,
         krb5_kdc_configuration */*config*/,
-       krb5_principal /*principal*/,
-       enum hdb_ent_type /*ent_type*/,
+       krb5_const_principal /*principal*/,
+       unsigned /*flags*/,
         hdb_entry_ex **/*h*/);
  
  krb5_error_code
@@ -39,7 +39,7 @@ _kdc_db_fetch4 (
         const char */*name*/,
         const char */*instance*/,
         const char */*realm*/,
-       enum hdb_ent_type /*ent_type*/,
+       unsigned /*flags*/,
         hdb_entry_ex **/*ent*/);
  
  krb5_error_code
diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h

index 3d25729d4ec9d12ec9de00433f6d3152d948cd67..2948570e3a1f2f9906aed45834afbdb9381111bb 100644 (file)
--- a/source4/heimdal/kdc/kdc.h
+++ b/source4/heimdal/kdc/kdc.h
@@ -35,7 +35,7 @@
   */
  
  /* 
- * $Id: kdc.h,v 1.5 2005/10/21 17:11:21 lha Exp $ 
+ * $Id: kdc.h,v 1.6 2006/05/03 12:03:29 lha Exp $ 
   */
  
  #ifndef __KDC_H__
@@ -72,6 +72,7 @@ typedef struct krb5_kdc_configuration {
  
      krb5_boolean enable_pkinit;
      krb5_boolean enable_pkinit_princ_in_cert;
+    char *pkinit_kdc_ocsp_file;
  
      krb5_log_facility *logf;
  
diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c

index 030405adc239309c999d2eb765fd348d2125f9c6..4ece1a47d680dd8438f69dd55fe0972644c21548 100644 (file)
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
@@ -35,11 +35,11 @@
  
  #include <krb5-v4compat.h>
  
-RCSID("$Id: kerberos4.c,v 1.57 2006/04/02 01:54:37 lha Exp $");
+RCSID("$Id: kerberos4.c,v 1.60 2006/05/05 10:50:44 lha Exp $");
  
  #ifndef swap32
-static u_int32_t
-swap32(u_int32_t x)
+static uint32_t
+swap32(uint32_t x)
  {
      return ((x << 24) & 0xff000000) |
         ((x << 8) & 0xff0000) |
@@ -62,12 +62,17 @@ make_err_reply(krb5_context context, krb5_data *reply,
                            kdc_time, code, msg, reply);
  }
  
+struct valid_princ_ctx {
+    krb5_kdc_configuration *config;
+    unsigned flags;
+};
+
  static krb5_boolean
  valid_princ(krb5_context context,
             void *funcctx,
             krb5_principal princ)
  {
-    krb5_kdc_configuration *config = funcctx;
+    struct valid_princ_ctx *ctx = funcctx;
      krb5_error_code ret;
      char *s;
      hdb_entry_ex *ent;
@@ -75,14 +80,14 @@ valid_princ(krb5_context context,
      ret = krb5_unparse_name(context, princ, &s);
      if (ret)
         return FALSE;
-    ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_ANY, &ent);
+    ret = _kdc_db_fetch(context, ctx->config, princ, ctx->flags, &ent);
      if (ret) {
-       kdc_log(context, config, 7, "Lookup %s failed: %s", s,
+       kdc_log(context, ctx->config, 7, "Lookup %s failed: %s", s,
                 krb5_get_err_text (context, ret));
         free(s);
         return FALSE;
      }
-    kdc_log(context, config, 7, "Lookup %s succeeded", s);
+    kdc_log(context, ctx->config, 7, "Lookup %s succeeded", s);
      free(s);
      _kdc_free_ent(context, ent);
      return TRUE;
@@ -90,19 +95,23 @@ valid_princ(krb5_context context,
  
  krb5_error_code
  _kdc_db_fetch4(krb5_context context,
-         krb5_kdc_configuration *config,
-         const char *name, const char *instance, const char *realm,
-         enum hdb_ent_type ent_type, 
-         hdb_entry_ex **ent)
+              krb5_kdc_configuration *config,
+              const char *name, const char *instance, const char *realm,
+              unsigned flags,
+              hdb_entry_ex **ent)
  {
      krb5_principal p;
      krb5_error_code ret;
+    struct valid_princ_ctx ctx;
+
+    ctx.config = config;
+    ctx.flags = flags;
      
      ret = krb5_425_conv_principal_ext2(context, name, instance, realm, 
-                                      valid_princ, config, 0, &p);
+                                      valid_princ, &ctx, 0, &p);
      if(ret)
         return ret;
-    ret = _kdc_db_fetch(context, config, p, ent_type, ent);
+    ret = _kdc_db_fetch(context, config, p, flags, ent);
      krb5_free_principal(context, p);
      return ret;
  }
@@ -135,7 +144,7 @@ _kdc_do_version4(krb5_context context,
      char *sname = NULL, *sinst = NULL;
      int32_t req_time;
      time_t max_life;
-    u_int8_t life;
+    uint8_t life;
      char client_name[256];
      char server_name[256];
  
@@ -171,7 +180,7 @@ _kdc_do_version4(krb5_context context,
         RCHECK(krb5_ret_int32(sp, &req_time), out1);
         if(lsb)
             req_time = swap32(req_time);
-       RCHECK(krb5_ret_int8(sp, &life), out1);
+       RCHECK(krb5_ret_uint8(sp, &life), out1);
         RCHECK(krb5_ret_stringz(sp, &sname), out1);
         RCHECK(krb5_ret_stringz(sp, &sinst), out1);
         snprintf (client_name, sizeof(client_name),
@@ -182,7 +191,8 @@ _kdc_do_version4(krb5_context context,
         kdc_log(context, config, 0, "AS-REQ (krb4) %s from %s for %s",
                 client_name, from, server_name);
  
-       ret = _kdc_db_fetch4(context, config, name, inst, realm, HDB_ENT_TYPE_CLIENT, &client);
+       ret = _kdc_db_fetch4(context, config, name, inst, realm, 
+                            HDB_F_GET_CLIENT, &client);
         if(ret) {
             kdc_log(context, config, 0, "Client not found in database: %s: %s",
                     client_name, krb5_get_err_text(context, ret));
@@ -190,8 +200,8 @@ _kdc_do_version4(krb5_context context,
                            "principal unknown");
             goto out1;
         }
-       ret = _kdc_db_fetch4(context, config, sname, sinst, 
-                       config->v4_realm, HDB_ENT_TYPE_SERVER, &server);
+       ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+                            HDB_F_GET_SERVER, &server);
         if(ret){
             kdc_log(context, config, 0, "Server not found in database: %s: %s",
                     server_name, krb5_get_err_text(context, ret));
@@ -361,7 +371,8 @@ _kdc_do_version4(krb5_context context,
             goto out2;
         }
  
-       ret = _kdc_db_fetch(context, config, tgt_princ, HDB_ENT_TYPE_SERVER, &tgt);
+       ret = _kdc_db_fetch(context, config, tgt_princ,
+                           HDB_F_GET_KRBTGT, &tgt);
         if(ret){
             char *s;
             s = kdc_log_msg(context, config, 0, "Ticket-granting ticket not "
@@ -418,7 +429,7 @@ _kdc_do_version4(krb5_context context,
         RCHECK(krb5_ret_int32(sp, &req_time), out2);
         if(lsb)
             req_time = swap32(req_time);
-       RCHECK(krb5_ret_int8(sp, &life), out2);
+       RCHECK(krb5_ret_uint8(sp, &life), out2);
         RCHECK(krb5_ret_stringz(sp, &sname), out2);
         RCHECK(krb5_ret_stringz(sp, &sinst), out2);
         snprintf (server_name, sizeof(server_name),
@@ -456,7 +467,8 @@ _kdc_do_version4(krb5_context context,
             goto out2;
         }
         
-       ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm, HDB_ENT_TYPE_CLIENT, &client);
+       ret = _kdc_db_fetch4(context, config, ad.pname, ad.pinst, ad.prealm,
+                            HDB_F_GET_CLIENT, &client);
         if(ret && ret != HDB_ERR_NOENTRY) {
             char *s;
             s = kdc_log_msg(context, config, 0,
@@ -476,8 +488,8 @@ _kdc_do_version4(krb5_context context,
             goto out2;
         }
  
-       ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm, 
-                            HDB_ENT_TYPE_SERVER, &server);
+       ret = _kdc_db_fetch4(context, config, sname, sinst, config->v4_realm,
+                            HDB_F_GET_SERVER, &server);
         if(ret){
             char *s;
             s = kdc_log_msg(context, config, 0,
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c

index 68720d692ebed923979c5d65a5a2fea7e79ed25c..877b88c155bd5a229bccca28267fb7b8cb05bb62 100644 (file)
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
  
  #include "kdc_locl.h"
  
-RCSID("$Id: kerberos5.c,v 1.206 2006/04/02 01:54:37 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.211 2006/04/27 12:01:09 lha Exp $");
  
  #define MAX_TIME ((time_t)((1U << 31) - 1))
  
@@ -120,7 +120,9 @@ static krb5_error_code
  find_keys(krb5_context context, 
           krb5_kdc_configuration *config,
           const hdb_entry_ex *client,
-         const hdb_entry_ex *server, 
+         const char *client_name,
+         const hdb_entry_ex *server,
+         const char *server_name,
           Key **ckey,
           krb5_enctype *cetype,
           Key **skey,
@@ -128,20 +130,14 @@ find_keys(krb5_context context,
           krb5_enctype *etypes,
           unsigned num_etypes)
  {
-    char unparse_name[] = "krb5_unparse_name failed";
      krb5_error_code ret;
-    char *name;
  
      if(client){
         /* find client key */
         ret = find_etype(context, client, etypes, num_etypes, ckey, cetype);
         if (ret) {
-           if (krb5_unparse_name(context, client->entry.principal, &name) != 0)
-               name = unparse_name;
             kdc_log(context, config, 0, 
-                   "Client (%s) has no support for etypes", name);
-           if (name != unparse_name)
-               free(name);
+                   "Client (%s) has no support for etypes", client_name);
             return ret;
         }
      }
@@ -150,12 +146,8 @@ find_keys(krb5_context context,
         /* find server key */
         ret = find_etype(context, server, etypes, num_etypes, skey, setype);
         if (ret) {
-           if (krb5_unparse_name(context, server->entry.principal, &name) != 0)
-               name = unparse_name;
             kdc_log(context, config, 0, 
-                   "Server (%s) has no support for etypes", name);
-           if (name != unparse_name)
-               free(name);
+                   "Server (%s) has no support for etypes", server_name);
             return ret;
         }
      }
@@ -243,6 +235,9 @@ log_patypes(krb5_context context,
             return;
         }
      }
+    if (p == NULL)
+       p = rk_strpoolprintf(p, "none");
+       
      str = rk_strpoolcollect(p);
      kdc_log(context, config, 0, "Client sent patypes: %s", str);
      free(str);
@@ -899,7 +894,8 @@ _kdc_as_rep(krb5_context context,
      kdc_log(context, config, 0, "AS-REQ %s from %s for %s", 
             client_name, from, server_name);
  
-    ret = _kdc_db_fetch(context, config, client_princ, HDB_ENT_TYPE_CLIENT, &client);
+    ret = _kdc_db_fetch(context, config, client_princ, 
+                       HDB_F_GET_CLIENT, &client);
      if(ret){
         kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
                 krb5_get_err_text(context, ret));
@@ -907,7 +903,8 @@ _kdc_as_rep(krb5_context context,
         goto out;
      }
  
-    ret = _kdc_db_fetch(context, config, server_princ, HDB_ENT_TYPE_SERVER, &server);
+    ret = _kdc_db_fetch(context, config, server_princ,
+                       HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, &server);
      if(ret){
         kdc_log(context, config, 0, "UNKNOWN -- %s: %s", server_name,
                 krb5_get_err_text(context, ret));
@@ -1166,6 +1163,7 @@ _kdc_as_rep(krb5_context context,
          * - If the client is 'modern', because it knows about 'new'
          *   enctype types, then only send the 'info2' reply.
         */
+
         /* XXX check ret */
         if (only_older_enctype_p(req))
             ret = get_pa_etype_info(context, config,
@@ -1200,12 +1198,12 @@ _kdc_as_rep(krb5_context context,
      }
      
      ret = find_keys(context, config, 
-                   client, server, &ckey, &cetype, &skey, &setype,
+                   client, client_name, 
+                   server, server_name, 
+                   &ckey, &cetype, &skey, &setype,
                     b->etype.val, b->etype.len);
-    if(ret) {
-       kdc_log(context, config, 0, "Server/client has no support for etypes");
+    if(ret)
         goto out;
-    }
         
      {
         struct rk_strpool *p = NULL;
@@ -1226,6 +1224,9 @@ _kdc_as_rep(krb5_context context,
                 goto out;
             }
         }
+       if (p == NULL)
+           p = rk_strpoolprintf(p, "no encryption types");
+
         str = rk_strpoolcollect(p);
         kdc_log(context, config, 0, "Client supported enctypes: %s", str);
         free(str);
@@ -1757,6 +1758,7 @@ tgs_make_reply(krb5_context context,
                AuthorizationData *auth_data,
                krb5_ticket *tgs_ticket,
                hdb_entry_ex *server, 
+              const char *server_name, 
                hdb_entry_ex *client, 
                krb5_principal client_principal, 
                hdb_entry_ex *krbtgt,
@@ -1788,12 +1790,11 @@ tgs_make_reply(krb5_context context,
         etype = b->etype.val[i];
      }else{
         ret = find_keys(context, config, 
-                       NULL, server, NULL, NULL, &skey, &etype, 
+                       NULL, NULL, server, server_name,
+                       NULL, NULL, &skey, &etype, 
                         b->etype.val, b->etype.len);
-       if(ret) {
-           kdc_log(context, config, 0, "Server has no support for etypes");
+       if(ret)
             return ret;
-       }
         ekey = &skey->key;
      }
      
@@ -2140,7 +2141,7 @@ tgs_rep2(krb5_context context,
                                        ap_req.ticket.sname,
                                        ap_req.ticket.realm);
      
-    ret = _kdc_db_fetch(context, config, princ, HDB_ENT_TYPE_SERVER, &krbtgt);
+    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, &krbtgt);
  
      if(ret) {
         char *p;
@@ -2340,7 +2341,8 @@ tgs_rep2(krb5_context context,
                 goto out2;
             }
             _krb5_principalname2krb5_principal(&p, t->sname, t->realm);
-           ret = _kdc_db_fetch(context, config, p, HDB_ENT_TYPE_SERVER, &uu);
+           ret = _kdc_db_fetch(context, config, p, 
+                               HDB_F_GET_CLIENT|HDB_F_GET_SERVER, &uu);
             krb5_free_principal(context, p);
             if(ret){
                 if (ret == HDB_ERR_NOENTRY)
@@ -2381,7 +2383,7 @@ tgs_rep2(krb5_context context,
             kdc_log(context, config, 0,
                     "TGS-REQ %s from %s for %s", cpn, from, spn);
      server_lookup:
-       ret = _kdc_db_fetch(context, config, sp, HDB_ENT_TYPE_SERVER, &server);
+       ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, &server);
  
         if(ret){
             const char *new_rlm;
@@ -2430,24 +2432,28 @@ tgs_rep2(krb5_context context,
             goto out;
         }
  
-       ret = _kdc_db_fetch(context, config, cp, HDB_ENT_TYPE_CLIENT, &client);
+       ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, &client);
         if(ret)
             kdc_log(context, config, 1, "Client not found in database: %s: %s",
                     cpn, krb5_get_err_text(context, ret));
-#if 0
-       /* XXX check client only if same realm as krbtgt-instance */
-       if(ret){
-           kdc_log(context, config, 0,
-                   "Client not found in database: %s: %s",
-                   cpn, krb5_get_err_text(context, ret));
-           if (ret == HDB_ERR_NOENTRY)
-               ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-           goto out;
-       }
-#endif
+
+       /*
+        * If the client belongs to the same realm as our krbtgt, it
+        * should exist in the local database.
+        *
+        * If its not the same, check the "direction" on the krbtgt,
+        * so its not a backward uni-directional trust.
+        */
  
         if(strcmp(krb5_principal_get_realm(context, sp),
-                 krb5_principal_get_comp_string(context, krbtgt->entry.principal, 1)) != 0) {
+                 krb5_principal_get_comp_string(context, 
+                                                krbtgt->entry.principal, 1)) == 0) {
+           if(ret) {
+               if (ret == HDB_ERR_NOENTRY)
+                   ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+               goto out;
+           }
+       } else {
             char *tpn;
             ret = krb5_unparse_name(context, krbtgt->entry.principal, &tpn);
             kdc_log(context, config, 0,
@@ -2491,6 +2497,7 @@ tgs_rep2(krb5_context context,
                              auth_data,
                              ticket,
                              server, 
+                            spn,
                              client, 
                              cp, 
                              krbtgt, 
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c

index 4d38e1f12dc3671be7e39465c8030db9bcddd2e5..a61c647f719fc956be7b6b7ae75f9f19cc5f26c6 100644 (file)
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
@@ -33,14 +33,15 @@
  
  #include "kdc_locl.h"
  
-RCSID("$Id: misc.c,v 1.27 2006/01/01 23:17:16 lha Exp $");
+RCSID("$Id: misc.c,v 1.29 2006/04/27 11:33:21 lha Exp $");
  
  struct timeval _kdc_now;
  
  krb5_error_code
  _kdc_db_fetch(krb5_context context,
               krb5_kdc_configuration *config,
-             krb5_principal principal, enum hdb_ent_type ent_type, 
+             krb5_const_principal principal,
+             unsigned flags,
               hdb_entry_ex **h)
  {
      hdb_entry_ex *ent;
@@ -60,9 +61,8 @@ _kdc_db_fetch(krb5_context context,
         }
         ret = config->db[i]->hdb_fetch(context, 
                                        config->db[i],
-                                      HDB_F_DECRYPT, 
-                                      principal, 
-                                      ent_type,
+                                      principal,
+                                      flags | HDB_F_DECRYPT,
                                        ent);
         config->db[i]->hdb_close(context, config->db[i]);
         if(ret == 0) {
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c

index 3f064f9d50b749546e96e7a95f756e929679f703..c220e70dddb77ca32605eeddcbb5d3ea231ab5a2 100755 (executable)
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
  
  #include "kdc_locl.h"
  
-RCSID("$Id: pkinit.c,v 1.59 2006/04/22 12:10:16 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.65 2006/05/06 13:22:33 lha Exp $");
  
  #ifdef PKINIT
  
@@ -82,6 +82,12 @@ static struct krb5_pk_identity *kdc_identity;
  static struct pk_principal_mapping principal_mappings;
  static struct krb5_dh_moduli **moduli;
  
+static struct {
+    krb5_data data;
+    time_t expire;
+    time_t next_update;
+} ocsp;
+
  /*
   *
   */
@@ -260,7 +266,6 @@ get_dh_param(krb5_context context,
      DomainParameters dhparam;
      DH *dh = NULL;
      krb5_error_code ret;
-    int dhret;
  
      memset(&dhparam, 0, sizeof(dhparam));
  
@@ -338,14 +343,6 @@ get_dh_param(krb5_context context,
             goto out;
      }
  
-
-    if (DH_check_pubkey(dh, client_params->dh_public_key, &dhret) != 1 ||
-       dhret != 0) {
-       krb5_set_error_string(context, "PKINIT DH data not ok");
-       ret = KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
-       goto out;
-    }
-
      client_params->dh = dh;
      dh = NULL;
      ret = 0;
@@ -754,7 +751,8 @@ pk_mk_pa_reply_dh(krb5_context context,
                    DH *kdc_dh,
                   pk_client_params *client_params,
                    krb5_keyblock *reply_key,
-                 ContentInfo *content_info)
+                 ContentInfo *content_info,
+                 hx509_cert *kdc_cert)
  {
      KDCDHKeyInfo dh_info;
      krb5_data signed_data, buf;
@@ -768,6 +766,8 @@ pk_mk_pa_reply_dh(krb5_context context,
      krb5_data_zero(&buf);
      krb5_data_zero(&signed_data);
  
+    *kdc_cert = NULL;
+
      ret = BN_to_integer(context, kdc_dh->pub_key, &i);
      if (ret)
         return ret;
@@ -803,8 +803,8 @@ pk_mk_pa_reply_dh(krb5_context context,
       */
  
      {
-       hx509_cert cert;
         hx509_query *q;
+       hx509_cert cert;
         
         ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
         if (ret)
@@ -830,7 +830,7 @@ pk_mk_pa_reply_dh(krb5_context context,
                                         kdc_identity->anchors,
                                         kdc_identity->certpool,
                                         &signed_data);
-       hx509_cert_free(cert);
+       *kdc_cert = cert;
      }
      if (ret)
         goto out;
@@ -843,6 +843,11 @@ pk_mk_pa_reply_dh(krb5_context context,
         goto out;
  
   out:
+    if (ret && *kdc_cert) {
+       hx509_cert_free(*kdc_cert);
+       *kdc_cert = NULL;
+    }
+
      krb5_data_free(&buf);
      krb5_data_free(&signed_data);
      free_KDCDHKeyInfo(&dh_info);
@@ -869,6 +874,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
      size_t len, size;
      krb5_enctype enctype;
      int pa_type;
+    hx509_cert kdc_cert = NULL;
      int i;
  
      if (!config->enable_pkinit) {
@@ -947,7 +953,8 @@ _kdc_pk_mk_pa_reply(krb5_context context,
             ret = pk_mk_pa_reply_dh(context, client_params->dh,
                                     client_params, 
                                     &client_params->reply_key,
-                                   &info);
+                                   &info,
+                                   &kdc_cert);
  
             ASN1_MALLOC_ENCODE(ContentInfo, rep.u.dhInfo.dhSignedData.data,
                                rep.u.dhInfo.dhSignedData.length, &info, &size,
@@ -982,48 +989,43 @@ _kdc_pk_mk_pa_reply(krb5_context context,
  
      } else if (client_params->type == PKINIT_COMPAT_WIN2K) {
         PA_PK_AS_REP_Win2k rep;
-
-       pa_type = KRB5_PADATA_PK_AS_REP_19;
-
-       memset(&rep, 0, sizeof(rep));
+       ContentInfo info;
  
         if (client_params->dh) {
-           krb5_set_error_string(context, "DH -27 not implemented");
+           krb5_set_error_string(context, "Windows PK-INIT doesn't support DH");
             ret = KRB5KRB_ERR_GENERIC;
-       } else {
-           rep.element = choice_PA_PK_AS_REP_encKeyPack;
-           ContentInfo info;
+           goto out;
+       }
  
-           krb5_generate_random_keyblock(context, enctype, 
-                                         &client_params->reply_key);
-           ret = pk_mk_pa_reply_enckey(context,
-                                       client_params,
-                                       req,
-                                       req_buffer,
-                                       &client_params->reply_key,
-                                       &info);
-           if (ret) {
-               free_PA_PK_AS_REP_Win2k(&rep);
-               goto out;
-           }
-           ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, 
-                              rep.u.encKeyPack.length, &info, &size, 
-                              ret);
-           free_ContentInfo(&info);
-           if (ret) {
-               krb5_set_error_string(context, "encoding of Key ContentInfo "
-                                     "failed %d", ret);
-               free_PA_PK_AS_REP_Win2k(&rep);
-               goto out;
-           }
-           if (rep.u.encKeyPack.length != size)
-               krb5_abortx(context, "Internal ASN.1 encoder error");
+       memset(&rep, 0, sizeof(rep));
  
+       pa_type = KRB5_PADATA_PK_AS_REP_19;
+       rep.element = choice_PA_PK_AS_REP_encKeyPack;
+
+       krb5_generate_random_keyblock(context, enctype, 
+                                     &client_params->reply_key);
+       ret = pk_mk_pa_reply_enckey(context,
+                                   client_params,
+                                   req,
+                                   req_buffer,
+                                   &client_params->reply_key,
+                                   &info);
+       if (ret) {
+           free_PA_PK_AS_REP_Win2k(&rep);
+           goto out;
         }
+       ASN1_MALLOC_ENCODE(ContentInfo, rep.u.encKeyPack.data, 
+                          rep.u.encKeyPack.length, &info, &size, 
+                          ret);
+       free_ContentInfo(&info);
         if (ret) {
+           krb5_set_error_string(context, "encoding of Key ContentInfo "
+                                 "failed %d", ret);
             free_PA_PK_AS_REP_Win2k(&rep);
             goto out;
         }
+       if (rep.u.encKeyPack.length != size)
+           krb5_abortx(context, "Internal ASN.1 encoder error");
  
         ASN1_MALLOC_ENCODE(PA_PK_AS_REP_Win2k, buf, len, &rep, &size, ret);
         free_PA_PK_AS_REP_Win2k(&rep);
@@ -1041,11 +1043,88 @@ _kdc_pk_mk_pa_reply(krb5_context context,
  
      ret = krb5_padata_add(context, md, pa_type, buf, len);
      if (ret) {
-       krb5_set_error_string(context, "failed adding "
-                             "PA-PK-AS-REP-19 %d", ret);
+       krb5_set_error_string(context, "failed adding PA-PK-AS-REP %d", ret);
         free(buf);
+       goto out;
      }
- out:
+
+    if (config->pkinit_kdc_ocsp_file) {
+
+       if (ocsp.expire == 0 && ocsp.next_update > kdc_time) {
+           struct stat sb;
+           int fd;
+
+           krb5_data_free(&ocsp.data);
+
+           ocsp.expire = 0;
+
+           fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
+           if (fd < 0) {
+               kdc_log(context, config, 0, 
+                       "PK-INIT failed to open ocsp data file %d", errno);
+               goto out_ocsp;
+           }
+           ret = fstat(fd, &sb);
+           if (ret) {
+               ret = errno;
+               close(fd);
+               kdc_log(context, config, 0, 
+                       "PK-INIT failed to stat ocsp data %d", ret);
+               goto out_ocsp;
+           }
+           
+           ret = krb5_data_alloc(&ocsp.data, sb.st_size);
+           if (ret) {
+               close(fd);
+               kdc_log(context, config, 0, 
+                       "PK-INIT failed to stat ocsp data %d", ret);
+               goto out_ocsp;
+           }
+           ocsp.data.length = sb.st_size;
+           ret = read(fd, ocsp.data.data, sb.st_size);
+           close(fd);
+           if (ret != sb.st_size) {
+               kdc_log(context, config, 0, 
+                       "PK-INIT failed to read ocsp data %d", errno);
+               goto out_ocsp;
+           }
+
+           ret = hx509_ocsp_verify(kdc_identity->hx509ctx,
+                                   kdc_time,
+                                   kdc_cert,
+                                   0,
+                                   ocsp.data.data, ocsp.data.length,
+                                   &ocsp.expire);
+           if (ret) {
+               kdc_log(context, config, 0, 
+                       "PK-INIT failed to verify ocsp data %d", ret);
+               krb5_data_free(&ocsp.data);
+               ocsp.expire = 0;
+           } else if (ocsp.expire > 180)
+               ocsp.expire -= 180; /* refetch the ocsp before it expire */
+           
+       out_ocsp:
+           ocsp.next_update = kdc_time + 3600;
+           ret = 0;
+       }
+
+       if (ocsp.expire != 0 && ocsp.expire > kdc_time) {
+
+           ret = krb5_padata_add(context, md, 
+                                 KRB5_PADATA_PA_PK_OCSP_RESPONSE,
+                                 ocsp.data.data, ocsp.data.length);
+           if (ret) {
+               krb5_set_error_string(context, 
+                                     "Failed adding OCSP response %d", ret);
+               goto out;
+           }
+       }
+    }
+
+out:
+    if (kdc_cert)
+       hx509_cert_free(kdc_cert);
+
      if (ret == 0)
         *reply_key = &client_params->reply_key;
      return ret;
@@ -1120,15 +1199,9 @@ _kdc_pk_check_client(krb5_context context,
      hx509_name name;
      int i;
  
-    if (config->enable_pkinit_princ_in_cert) {
-       ret = pk_principal_from_X509(context, config, 
-                                    client_params->cert,
-                                    client_princ);
-       if (ret == 0)
-           return 0;
-    }
-
-    ret = hx509_cert_get_subject(client_params->cert, &name);
+    ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, 
+                                     client_params->cert,
+                                     &name);
      if (ret)
         return ret;
  
@@ -1141,6 +1214,17 @@ _kdc_pk_check_client(krb5_context context,
             "Trying to authorize subject DN %s", 
             *subject_name);
  
+    if (config->enable_pkinit_princ_in_cert) {
+       ret = pk_principal_from_X509(context, config, 
+                                    client_params->cert,
+                                    client_princ);
+       if (ret == 0) {
+           kdc_log(context, config, 5,
+                   "Found matching PK-INIT SAN in certificate");
+           return 0;
+       }
+    }
+
      for (i = 0; i < principal_mappings.len; i++) {
         krb5_boolean b;
  
@@ -1231,6 +1315,14 @@ _kdc_pk_initialize(krb5_context context,
         return ret;
      }
  
+    ret = krb5_config_get_bool_default(context, 
+                                      NULL,
+                                      FALSE,
+                                      "kdc",
+                                      "pki-allow-proxy-certificate",
+                                      NULL);
+    _krb5_pk_allow_proxy_certificate(kdc_identity, ret);
+
      file = krb5_config_get_string_default(context, 
                                           NULL,
                                           HDB_DB_DIR "/pki-mapping",
diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h

index ab8ec80523183de720e8b112ef34794abacd2ebf..370e33732f4acc98090a8a1db8ae37cb768fa680 100644 (file)
--- a/source4/heimdal/kdc/rx.h
+++ b/source4/heimdal/kdc/rx.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: rx.h,v 1.4 1999/12/02 17:05:00 joda Exp $ */
+/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */
  
  #ifndef __RX_H__
  #define __RX_H__
@@ -59,17 +59,17 @@ enum rx_header_flag {
  };
  
  struct rx_header {
-     u_int32_t epoch;
-     u_int32_t connid;         /* And channel ID */
-     u_int32_t callid;
-     u_int32_t seqno;
-     u_int32_t serialno;
+     uint32_t epoch;
+     uint32_t connid;          /* And channel ID */
+     uint32_t callid;
+     uint32_t seqno;
+     uint32_t serialno;
       u_char type;
       u_char flags;
       u_char status;
       u_char secindex;
-     u_int16_t reserved;       /* ??? verifier? */
-     u_int16_t serviceid;
+     uint16_t reserved;        /* ??? verifier? */
+     uint16_t serviceid;
  /* This should be the other way around according to everything but */
  /* tcpdump */
  };
diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c

index 0bf3cdafdb9e54fa0eec1aa8b6e6a53791ed2cfb..e498d8f9656668368c98eb5782744f14304db4ef 100644 (file)
--- a/source4/heimdal/lib/asn1/parse.c
+++ b/source4/heimdal/lib/asn1/parse.c
@@ -247,7 +247,7 @@
  #include "gen_locl.h"
  #include "der.h"
  
-RCSID("$Id: parse.y,v 1.27 2005/12/14 09:44:36 lha Exp $");
+RCSID("$Id: parse.y,v 1.28 2006/04/28 10:51:35 lha Exp $");
  
  static Type *new_type (Typetype t);
  static struct constraint_spec *new_constraint_spec(enum ctype);
@@ -538,13 +538,13 @@ static const unsigned short int yyrline[] =
       327,   328,   331,   338,   348,   353,   360,   368,   374,   379,
       383,   396,   404,   407,   414,   422,   428,   435,   442,   448,
       456,   464,   470,   478,   486,   493,   494,   497,   508,   513,
-     520,   536,   541,   543,   544,   547,   553,   561,   571,   577,
-     590,   599,   602,   606,   610,   617,   620,   624,   631,   642,
-     645,   650,   655,   660,   665,   670,   678,   684,   689,   700,
-     711,   717,   723,   731,   737,   744,   757,   758,   761,   768,
-     771,   782,   786,   797,   803,   804,   807,   808,   809,   810,
-     811,   814,   817,   820,   831,   839,   845,   853,   861,   864,
-     869
+     520,   536,   542,   545,   546,   549,   555,   563,   573,   579,
+     592,   601,   604,   608,   612,   619,   622,   626,   633,   644,
+     647,   652,   657,   662,   667,   672,   680,   686,   691,   702,
+     713,   719,   725,   733,   739,   746,   759,   760,   763,   770,
+     773,   784,   788,   799,   805,   806,   809,   810,   811,   812,
+     813,   816,   819,   822,   833,   841,   847,   855,   863,   866,
+     871
  };
  #endif
  
@@ -1752,7 +1752,7 @@ yyreduce:
      break;
  
    case 75:
-#line 548 "parse.y"
+#line 550 "parse.y"
      {
                     (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
                     (yyval.constraint_spec)->u.content.type = (yyvsp[0].type);
@@ -1761,7 +1761,7 @@ yyreduce:
      break;
  
    case 76:
-#line 554 "parse.y"
+#line 556 "parse.y"
      {
                     if ((yyvsp[0].value)->type != objectidentifiervalue)
                         error_message("Non-OID used in ENCODED BY constraint");
@@ -1772,7 +1772,7 @@ yyreduce:
      break;
  
    case 77:
-#line 562 "parse.y"
+#line 564 "parse.y"
      {
                     if ((yyvsp[0].value)->type != objectidentifiervalue)
                         error_message("Non-OID used in ENCODED BY constraint");
@@ -1783,14 +1783,14 @@ yyreduce:
      break;
  
    case 78:
-#line 572 "parse.y"
+#line 574 "parse.y"
      {
                     (yyval.constraint_spec) = new_constraint_spec(CT_USER);
                 }
      break;
  
    case 79:
-#line 578 "parse.y"
+#line 580 "parse.y"
      {
                         (yyval.type) = new_type(TTag);
                         (yyval.type)->tag = (yyvsp[-2].tag);
@@ -1804,7 +1804,7 @@ yyreduce:
      break;
  
    case 80:
-#line 591 "parse.y"
+#line 593 "parse.y"
      {
                         (yyval.tag).tagclass = (yyvsp[-2].constant);
                         (yyval.tag).tagvalue = (yyvsp[-1].constant);
@@ -1813,56 +1813,56 @@ yyreduce:
      break;
  
    case 81:
-#line 599 "parse.y"
+#line 601 "parse.y"
      {
                         (yyval.constant) = ASN1_C_CONTEXT;
                 }
      break;
  
    case 82:
-#line 603 "parse.y"
+#line 605 "parse.y"
      {
                         (yyval.constant) = ASN1_C_UNIV;
                 }
      break;
  
    case 83:
-#line 607 "parse.y"
+#line 609 "parse.y"
      {
                         (yyval.constant) = ASN1_C_APPL;
                 }
      break;
  
    case 84:
-#line 611 "parse.y"
+#line 613 "parse.y"
      {
                         (yyval.constant) = ASN1_C_PRIVATE;
                 }
      break;
  
    case 85:
-#line 617 "parse.y"
+#line 619 "parse.y"
      {
                         (yyval.constant) = TE_EXPLICIT;
                 }
      break;
  
    case 86:
-#line 621 "parse.y"
+#line 623 "parse.y"
      {
                         (yyval.constant) = TE_EXPLICIT;
                 }
      break;
  
    case 87:
-#line 625 "parse.y"
+#line 627 "parse.y"
      {
                         (yyval.constant) = TE_IMPLICIT;
                 }
      break;
  
    case 88:
-#line 632 "parse.y"
+#line 634 "parse.y"
      {
                         Symbol *s;
                         s = addsym ((yyvsp[-3].name));
@@ -1874,7 +1874,7 @@ yyreduce:
      break;
  
    case 90:
-#line 646 "parse.y"
+#line 648 "parse.y"
      {
                         (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString, 
                                      TE_EXPLICIT, new_type(TGeneralString));
@@ -1882,7 +1882,7 @@ yyreduce:
      break;
  
    case 91:
-#line 651 "parse.y"
+#line 653 "parse.y"
      {
                         (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String, 
                                      TE_EXPLICIT, new_type(TUTF8String));
@@ -1890,7 +1890,7 @@ yyreduce:
      break;
  
    case 92:
-#line 656 "parse.y"
+#line 658 "parse.y"
      {
                         (yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString, 
                                      TE_EXPLICIT, new_type(TPrintableString));
@@ -1898,7 +1898,7 @@ yyreduce:
      break;
  
    case 93:
-#line 661 "parse.y"
+#line 663 "parse.y"
      {
                         (yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String, 
                                      TE_EXPLICIT, new_type(TIA5String));
@@ -1906,7 +1906,7 @@ yyreduce:
      break;
  
    case 94:
-#line 666 "parse.y"
+#line 668 "parse.y"
      {
                         (yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString, 
                                      TE_EXPLICIT, new_type(TBMPString));
@@ -1914,7 +1914,7 @@ yyreduce:
      break;
  
    case 95:
-#line 671 "parse.y"
+#line 673 "parse.y"
      {
                         (yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString, 
                                      TE_EXPLICIT, new_type(TUniversalString));
@@ -1922,7 +1922,7 @@ yyreduce:
      break;
  
    case 96:
-#line 679 "parse.y"
+#line 681 "parse.y"
      {
                         (yyval.members) = emalloc(sizeof(*(yyval.members)));
                         ASN1_TAILQ_INIT((yyval.members));
@@ -1931,7 +1931,7 @@ yyreduce:
      break;
  
    case 97:
-#line 685 "parse.y"
+#line 687 "parse.y"
      {
                         ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
                         (yyval.members) = (yyvsp[-2].members);
@@ -1939,7 +1939,7 @@ yyreduce:
      break;
  
    case 98:
-#line 690 "parse.y"
+#line 692 "parse.y"
      {
                         struct member *m = ecalloc(1, sizeof(*m));
                         m->name = estrdup("...");
@@ -1951,7 +1951,7 @@ yyreduce:
      break;
  
    case 99:
-#line 701 "parse.y"
+#line 703 "parse.y"
      {
                   (yyval.member) = emalloc(sizeof(*(yyval.member)));
                   (yyval.member)->name = (yyvsp[-1].name);
@@ -1963,7 +1963,7 @@ yyreduce:
      break;
  
    case 100:
-#line 712 "parse.y"
+#line 714 "parse.y"
      {
                         (yyval.member) = (yyvsp[0].member);
                         (yyval.member)->optional = 0;
@@ -1972,7 +1972,7 @@ yyreduce:
      break;
  
    case 101:
-#line 718 "parse.y"
+#line 720 "parse.y"
      {
                         (yyval.member) = (yyvsp[-1].member);
                         (yyval.member)->optional = 1;
@@ -1981,7 +1981,7 @@ yyreduce:
      break;
  
    case 102:
-#line 724 "parse.y"
+#line 726 "parse.y"
      {
                         (yyval.member) = (yyvsp[-2].member);
                         (yyval.member)->optional = 0;
@@ -1990,7 +1990,7 @@ yyreduce:
      break;
  
    case 103:
-#line 732 "parse.y"
+#line 734 "parse.y"
      {
                         (yyval.members) = emalloc(sizeof(*(yyval.members)));
                         ASN1_TAILQ_INIT((yyval.members));
@@ -1999,7 +1999,7 @@ yyreduce:
      break;
  
    case 104:
-#line 738 "parse.y"
+#line 740 "parse.y"
      {
                         ASN1_TAILQ_INSERT_TAIL((yyvsp[-2].members), (yyvsp[0].member), members);
                         (yyval.members) = (yyvsp[-2].members);
@@ -2007,7 +2007,7 @@ yyreduce:
      break;
  
    case 105:
-#line 745 "parse.y"
+#line 747 "parse.y"
      {
                   (yyval.member) = emalloc(sizeof(*(yyval.member)));
                   (yyval.member)->name = (yyvsp[-3].name);
@@ -2021,26 +2021,26 @@ yyreduce:
      break;
  
    case 107:
-#line 758 "parse.y"
+#line 760 "parse.y"
      { (yyval.objid) = NULL; }
      break;
  
    case 108:
-#line 762 "parse.y"
+#line 764 "parse.y"
      {
                         (yyval.objid) = (yyvsp[-1].objid);
                 }
      break;
  
    case 109:
-#line 768 "parse.y"
+#line 770 "parse.y"
      {
                         (yyval.objid) = NULL;
                 }
      break;
  
    case 110:
-#line 772 "parse.y"
+#line 774 "parse.y"
      {
                         if ((yyvsp[0].objid)) {
                                 (yyval.objid) = (yyvsp[0].objid);
@@ -2052,14 +2052,14 @@ yyreduce:
      break;
  
    case 111:
-#line 783 "parse.y"
+#line 785 "parse.y"
      {
                         (yyval.objid) = new_objid((yyvsp[-3].name), (yyvsp[-1].constant));
                 }
      break;
  
    case 112:
-#line 787 "parse.y"
+#line 789 "parse.y"
      {
                     Symbol *s = addsym((yyvsp[0].name));
                     if(s->stype != SValue ||
@@ -2073,14 +2073,14 @@ yyreduce:
      break;
  
    case 113:
-#line 798 "parse.y"
+#line 800 "parse.y"
      {
                     (yyval.objid) = new_objid(NULL, (yyvsp[0].constant));
                 }
      break;
  
    case 123:
-#line 821 "parse.y"
+#line 823 "parse.y"
      {
                         Symbol *s = addsym((yyvsp[0].name));
                         if(s->stype != SValue)
@@ -2092,7 +2092,7 @@ yyreduce:
      break;
  
    case 124:
-#line 832 "parse.y"
+#line 834 "parse.y"
      {
                         (yyval.value) = emalloc(sizeof(*(yyval.value)));
                         (yyval.value)->type = stringvalue;
@@ -2101,7 +2101,7 @@ yyreduce:
      break;
  
    case 125:
-#line 840 "parse.y"
+#line 842 "parse.y"
      {
                         (yyval.value) = emalloc(sizeof(*(yyval.value)));
                         (yyval.value)->type = booleanvalue;
@@ -2110,7 +2110,7 @@ yyreduce:
      break;
  
    case 126:
-#line 846 "parse.y"
+#line 848 "parse.y"
      {
                         (yyval.value) = emalloc(sizeof(*(yyval.value)));
                         (yyval.value)->type = booleanvalue;
@@ -2119,7 +2119,7 @@ yyreduce:
      break;
  
    case 127:
-#line 854 "parse.y"
+#line 856 "parse.y"
      {
                         (yyval.value) = emalloc(sizeof(*(yyval.value)));
                         (yyval.value)->type = integervalue;
@@ -2128,13 +2128,13 @@ yyreduce:
      break;
  
    case 129:
-#line 865 "parse.y"
+#line 867 "parse.y"
      {
                 }
      break;
  
    case 130:
-#line 870 "parse.y"
+#line 872 "parse.y"
      {
                         (yyval.value) = emalloc(sizeof(*(yyval.value)));
                         (yyval.value)->type = objectidentifiervalue;
@@ -2374,7 +2374,7 @@ yyreturn:
  }
  
  
-#line 877 "parse.y"
+#line 879 "parse.y"
  
  
  void
diff --git a/source4/heimdal/lib/asn1/pkcs9.asn1 b/source4/heimdal/lib/asn1/pkcs9.asn1

index bcc8f50398ff2607977ba08625f7844976832815..e6df32f65d2ec3cd3f38e2759956422459a83d0f 100644 (file)
--- a/source4/heimdal/lib/asn1/pkcs9.asn1
+++ b/source4/heimdal/lib/asn1/pkcs9.asn1
@@ -1,4 +1,4 @@
--- $Id: pkcs9.asn1,v 1.3 2005/07/23 10:38:28 lha Exp $ --
+-- $Id: pkcs9.asn1,v 1.5 2006/04/24 08:59:10 lha Exp $ --
  
  PKCS9 DEFINITIONS ::=
  
@@ -9,6 +9,7 @@ BEGIN
  id-pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
         rsadsi(113549) pkcs(1) pkcs-9(9) }
  
+id-pkcs9-emailAddress          OBJECT IDENTIFIER ::= {id-pkcs-9 1 }
  id-pkcs9-contentType           OBJECT IDENTIFIER ::= {id-pkcs-9 3 }
  id-pkcs9-messageDigest         OBJECT IDENTIFIER ::= {id-pkcs-9 4 }
  id-pkcs9-signingTime           OBJECT IDENTIFIER ::= {id-pkcs-9 5 }
diff --git a/source4/heimdal/lib/des/aes.h b/source4/heimdal/lib/des/aes.h

index 8a62c6461d44180a887d0a8cb7b80032d708497c..3ea1c141be9872a0d62d843ee5421a51a437d812 100755 (executable)
--- a/source4/heimdal/lib/des/aes.h
+++ b/source4/heimdal/lib/des/aes.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE.
   */
  
-/* $Id: aes.h,v 1.5 2006/01/08 21:47:27 lha Exp $ */
+/* $Id: aes.h,v 1.6 2006/05/05 11:06:35 lha Exp $ */
  
  #ifndef HEIM_AES_H
  #define HEIM_AES_H 1
@@ -54,7 +54,7 @@
  #define AES_DECRYPT 0
  
  typedef struct aes_key {
-    u_int32_t key[(AES_MAXNR+1)*4];
+    uint32_t key[(AES_MAXNR+1)*4];
      int rounds;
  } AES_KEY;
  
diff --git a/source4/heimdal/lib/des/des.c b/source4/heimdal/lib/des/des.c

index 32d479e372b4680911d4263acef1221ea62a5ea4..5b1f5c29f4f5e4fb409a6c00aaf40dd0ec2fd270 100644 (file)
--- a/source4/heimdal/lib/des/des.c
+++ b/source4/heimdal/lib/des/des.c
@@ -45,7 +45,7 @@
  
  #ifdef HAVE_CONFIG_H
  #include <config.h>
-RCSID("$Id: des.c,v 1.17 2006/04/14 14:19:36 lha Exp $");
+RCSID("$Id: des.c,v 1.18 2006/04/24 14:26:19 lha Exp $");
  #endif
  
  #include <stdio.h>
@@ -513,9 +513,10 @@ DES_cfb64_encrypt(const void *in, void *out,
  
      load(*iv, uiv);
  
+    assert(*num >= 0 && *num < DES_CBLOCK_LEN);
+
      if (forward_encrypt) {
         int i = *num;
-       assert(i >= 0);
  
         while (length > 0) {
             if (i == 0)
@@ -537,7 +538,6 @@ DES_cfb64_encrypt(const void *in, void *out,
      } else {
         int i = *num;
         unsigned char c;
-       assert(i >= 0);
  
         while (length > 0) {
             if (i == 0) {
diff --git a/source4/heimdal/lib/des/dh.h b/source4/heimdal/lib/des/dh.h

index 419c7d8902280a7a1b45378f1a656be2852ea82d..105d298bc3da766bf401b335ef0f351c2e10be89 100644 (file)
--- a/source4/heimdal/lib/des/dh.h
+++ b/source4/heimdal/lib/des/dh.h
@@ -32,7 +32,7 @@
   */
  
  /*
- * $Id: dh.h,v 1.5 2006/04/20 18:16:17 lha Exp $
+ * $Id: dh.h,v 1.6 2006/05/06 13:11:15 lha Exp $
   */
  
  #ifndef _HEIM_DH_H
@@ -40,6 +40,7 @@
  
  /* symbol renaming */
  #define DH_null_method hc_DH_null_method
+#define DH_imath_method hc_DH_imath_method
  #define DH_new hc_DH_new
  #define DH_new_method hc_DH_new_method
  #define DH_free hc_DH_free
@@ -113,6 +114,7 @@ struct DH {
   */
  
  const DH_METHOD *DH_null_method(void);
+const DH_METHOD *DH_imath_method(void);
  
  DH *   DH_new(void);
  DH *   DH_new_method(ENGINE *);
diff --git a/source4/heimdal/lib/des/engine.h b/source4/heimdal/lib/des/engine.h

index 757d0f75fbcb428ac33c35b344806e7888e059b2..65588f7d78f68cb9f5635c6785534e896b47162b 100644 (file)
--- a/source4/heimdal/lib/des/engine.h
+++ b/source4/heimdal/lib/des/engine.h
@@ -32,7 +32,7 @@
   */
  
  /*
- * $Id: engine.h,v 1.5 2006/04/17 13:16:17 lha Exp $
+ * $Id: engine.h,v 1.6 2006/05/06 12:34:36 lha Exp $
   */
  
  #ifndef _HEIM_ENGINE_H
@@ -55,6 +55,10 @@
  #define ENGINE_set_name hc_ENGINE_set_name
  #define ENGINE_set_destroy_function hc_ENGINE_set_destroy_function
  #define ENGINE_up_ref hc_ENGINE_up_ref
+#define ENGINE_get_default_DH hc_ENGINE_get_default_DH
+#define ENGINE_get_default_RSA hc_ENGINE_get_default_RSA
+#define ENGINE_set_default_DH hc_ENGINE_set_default_DH
+#define ENGINE_set_default_RSA hc_ENGINE_set_default_RSA
  
  /*
   *
diff --git a/source4/heimdal/lib/des/evp.c b/source4/heimdal/lib/des/evp.c

index 475bb7314e251300509f3db520f0fc6b8513664a..fd6ac63ec2e4b5d5fe4e33c1be0588cc75bb5e4b 100644 (file)
--- a/source4/heimdal/lib/des/evp.c
+++ b/source4/heimdal/lib/des/evp.c
@@ -841,11 +841,13 @@ EVP_BytesToKey(const EVP_CIPHER *type,
             EVP_DigestUpdate(&c, salt, PKCS5_SALT_LEN);
  
         EVP_DigestFinal_ex(&c, buf, &mds);
+       assert(mds == EVP_MD_size(md));
  
         for (i = 1; i < count; i++) {
             EVP_DigestInit_ex(&c, md, NULL);
             EVP_DigestUpdate(&c, buf, mds);
             EVP_DigestFinal_ex(&c, buf, &mds);
+           assert(mds == EVP_MD_size(md));
         }
  
         i = 0;
diff --git a/source4/heimdal/lib/des/hash.h b/source4/heimdal/lib/des/hash.h

index 24217a27a58c82315e2bc06c7f968d94b1bb2bd2..b6da9bd8e0fae019aceb7bf5bc76e3f0ba35f06a 100644 (file)
--- a/source4/heimdal/lib/des/hash.h
+++ b/source4/heimdal/lib/des/hash.h
@@ -30,7 +30,7 @@
   * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
   * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
  
-/* $Id: hash.h,v 1.3 2005/04/27 11:53:48 lha Exp $ */
+/* $Id: hash.h,v 1.4 2006/05/05 11:06:49 lha Exp $ */
  
  /* stuff in common between md4, md5, and sha1 */
  
@@ -61,8 +61,8 @@
  #define CRAYFIX(X) (X)
  #endif
  
-static inline u_int32_t
-cshift (u_int32_t x, unsigned int n)
+static inline uint32_t
+cshift (uint32_t x, unsigned int n)
  {
      x = CRAYFIX(x);
      return CRAYFIX((x << n) | (x >> (32 - n)));
diff --git a/source4/heimdal/lib/des/md4.c b/source4/heimdal/lib/des/md4.c

index 693b8f5c762476dc180eb122a62e77500e87d720..ded4fe12e8fab42703d2436c48f1b926f5c24e88 100644 (file)
--- a/source4/heimdal/lib/des/md4.c
+++ b/source4/heimdal/lib/des/md4.c
@@ -34,7 +34,7 @@
  #ifdef HAVE_CONFIG_H
  #include "config.h"
  
-RCSID("$Id: md4.c,v 1.17 2005/04/27 11:54:56 lha Exp $");
+RCSID("$Id: md4.c,v 1.18 2006/05/05 10:22:04 lha Exp $");
  #endif
  
  #include "hash.h"
@@ -69,9 +69,9 @@ a = cshift(a + OP(b,c,d) + X[k] + i, s)
  #define DO3(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,H)
  
  static inline void
-calc (struct md4 *m, u_int32_t *data)
+calc (struct md4 *m, uint32_t *data)
  {
-  u_int32_t AA, BB, CC, DD;
+  uint32_t AA, BB, CC, DD;
  
    AA = A;
    BB = B;
@@ -155,10 +155,10 @@ calc (struct md4 *m, u_int32_t *data)
   */
  
  #if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
  {
-  u_int32_t temp1, temp2;
+  uint32_t temp1, temp2;
  
    temp1   = cshift(t, 16);
    temp2   = temp1 >> 8;
@@ -194,15 +194,15 @@ MD4_Update (struct md4 *m, const void *v, size_t len)
         if(offset == 64) {
  #if defined(WORDS_BIGENDIAN)
             int i;
-           u_int32_t current[16];
+           uint32_t current[16];
             struct x32 *u = (struct x32*)m->save;
             for(i = 0; i < 8; i++){
-               current[2*i+0] = swap_u_int32_t(u[i].a);
-               current[2*i+1] = swap_u_int32_t(u[i].b);
+               current[2*i+0] = swap_uint32_t(u[i].a);
+               current[2*i+1] = swap_uint32_t(u[i].b);
             }
             calc(m, current);
  #else
-           calc(m, (u_int32_t*)m->save);
+           calc(m, (uint32_t*)m->save);
  #endif
             offset = 0;
         }
@@ -241,10 +241,10 @@ MD4_Final (void *res, struct md4 *m)
  #if 0
    {
      int i;
-    u_int32_t *r = (u_int32_t *)res;
+    uint32_t *r = (uint32_t *)res;
  
      for (i = 0; i < 4; ++i)
-      r[i] = swap_u_int32_t (m->counter[i]);
+      r[i] = swap_uint32_t (m->counter[i]);
    }
  #endif
  }
diff --git a/source4/heimdal/lib/des/md4.h b/source4/heimdal/lib/des/md4.h

index 79055e0fb0ced9b5d774cac3948c9a7c89ad1199..f8c011b9b79b4799b9ee4b4e04d22d9da0f3a3d7 100644 (file)
--- a/source4/heimdal/lib/des/md4.h
+++ b/source4/heimdal/lib/des/md4.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE.
   */
  
-/* $Id: md4.h,v 1.10 2006/01/08 21:47:28 lha Exp $ */
+/* $Id: md4.h,v 1.11 2006/05/05 11:07:01 lha Exp $ */
  
  #ifndef HEIM_MD4_H
  #define HEIM_MD4_H 1
@@ -49,7 +49,7 @@
  
  struct md4 {
    unsigned int sz[2];
-  u_int32_t counter[4];
+  uint32_t counter[4];
    unsigned char save[64];
  };
  
diff --git a/source4/heimdal/lib/des/md5.c b/source4/heimdal/lib/des/md5.c

index d5b7c245f62dc8832c0b9ac7456c2fd34b144a3a..e23d6c8fd7108f1191887353698cd0db33c73e51 100644 (file)
--- a/source4/heimdal/lib/des/md5.c
+++ b/source4/heimdal/lib/des/md5.c
@@ -34,7 +34,7 @@
  #ifdef HAVE_CONFIG_H
  #include "config.h"
  
-RCSID("$Id: md5.c,v 1.17 2005/04/27 11:54:35 lha Exp $");
+RCSID("$Id: md5.c,v 1.18 2006/05/05 10:22:35 lha Exp $");
  #endif
  
  #include "hash.h"
@@ -71,9 +71,9 @@ a = b + cshift(a + OP(b,c,d) + X[k] + (i), s)
  #define DO4(a,b,c,d,k,s,i) DOIT(a,b,c,d,k,s,i,I)
  
  static inline void
-calc (struct md5 *m, u_int32_t *data)
+calc (struct md5 *m, uint32_t *data)
  {
-  u_int32_t AA, BB, CC, DD;
+  uint32_t AA, BB, CC, DD;
  
    AA = A;
    BB = B;
@@ -179,10 +179,10 @@ calc (struct md5 *m, u_int32_t *data)
   */
  
  #if defined(WORDS_BIGENDIAN)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
  {
-  u_int32_t temp1, temp2;
+  uint32_t temp1, temp2;
  
    temp1   = cshift(t, 16);
    temp2   = temp1 >> 8;
@@ -218,15 +218,15 @@ MD5_Update (struct md5 *m, const void *v, size_t len)
      if(offset == 64){
  #if defined(WORDS_BIGENDIAN)
        int i;
-      u_int32_t current[16];
+      uint32_t current[16];
        struct x32 *u = (struct x32*)m->save;
        for(i = 0; i < 8; i++){
-       current[2*i+0] = swap_u_int32_t(u[i].a);
-       current[2*i+1] = swap_u_int32_t(u[i].b);
+       current[2*i+0] = swap_uint32_t(u[i].a);
+       current[2*i+1] = swap_uint32_t(u[i].b);
        }
        calc(m, current);
  #else
-      calc(m, (u_int32_t*)m->save);
+      calc(m, (uint32_t*)m->save);
  #endif
        offset = 0;
      }
@@ -265,10 +265,10 @@ MD5_Final (void *res, struct md5 *m)
  #if 0
    {
      int i;
-    u_int32_t *r = (u_int32_t *)res;
+    uint32_t *r = (uint32_t *)res;
  
      for (i = 0; i < 4; ++i)
-      r[i] = swap_u_int32_t (m->counter[i]);
+      r[i] = swap_uint32_t (m->counter[i]);
    }
  #endif
  }
diff --git a/source4/heimdal/lib/des/md5.h b/source4/heimdal/lib/des/md5.h

index 534bc9917e75570646b3ef24be3b5126fcae7bc2..54c34fe572d8f738583a22d90de6092fb0a836c9 100644 (file)
--- a/source4/heimdal/lib/des/md5.h
+++ b/source4/heimdal/lib/des/md5.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE.
   */
  
-/* $Id: md5.h,v 1.10 2006/01/08 21:47:28 lha Exp $ */
+/* $Id: md5.h,v 1.11 2006/05/05 11:07:11 lha Exp $ */
  
  #ifndef HEIM_MD5_H
  #define HEIM_MD5_H 1
@@ -49,7 +49,7 @@
  
  struct md5 {
    unsigned int sz[2];
-  u_int32_t counter[4];
+  uint32_t counter[4];
    unsigned char save[64];
  };
  
@@ -57,6 +57,6 @@ typedef struct md5 MD5_CTX;
  
  void MD5_Init (struct md5 *m);
  void MD5_Update (struct md5 *m, const void *p, size_t len);
-void MD5_Final (void *res, struct md5 *m); /* u_int32_t res[4] */
+void MD5_Final (void *res, struct md5 *m); /* uint32_t res[4] */
  
  #endif /* HEIM_MD5_H */
diff --git a/source4/heimdal/lib/des/pkcs5.c b/source4/heimdal/lib/des/pkcs5.c

index 4bfc313741c9e172dc04d923c7cde4902f145ee5..9ed494ef6fc42cd69d50dcf58e5074cdfe908020 100644 (file)
--- a/source4/heimdal/lib/des/pkcs5.c
+++ b/source4/heimdal/lib/des/pkcs5.c
@@ -35,7 +35,11 @@
  #include <config.h>
  #endif
  
-RCSID("$Id: pkcs5.c,v 1.1 2006/02/28 14:16:57 lha Exp $");
+RCSID("$Id: pkcs5.c,v 1.3 2006/05/05 10:23:11 lha Exp $");
+
+#ifdef KRB5
+#include <krb5-types.h>
+#endif
  
  #include <stdio.h>
  #include <stdlib.h>
@@ -53,7 +57,7 @@ PKCS5_PBKDF2_HMAC_SHA1(const void * password, size_t password_len,
  {
      size_t datalen, leftofkey, checksumsize;
      char *data, *tmpcksum;
-    u_int32_t keypart;
+    uint32_t keypart;
      const EVP_MD *md;
      unsigned long i;
      int j;
diff --git a/source4/heimdal/lib/des/rijndael-alg-fst.c b/source4/heimdal/lib/des/rijndael-alg-fst.c

index 65b36ab741339d6ad6e8af3401cff7bbd67d9d70..d6e4f45c187c6c20825b44d94bd25483e094bbdd 100755 (executable)
--- a/source4/heimdal/lib/des/rijndael-alg-fst.c
+++ b/source4/heimdal/lib/des/rijndael-alg-fst.c
@@ -31,7 +31,7 @@
  #ifdef HAVE_CONFIG_H
  #include "config.h"
  
-RCSID("$Id: rijndael-alg-fst.c,v 1.2 2004/06/02 20:09:48 lha Exp $");
+RCSID("$Id: rijndael-alg-fst.c,v 1.3 2006/05/05 10:23:41 lha Exp $");
  #endif
  
  #ifdef KRB5
@@ -41,9 +41,9 @@ RCSID("$Id: rijndael-alg-fst.c,v 1.2 2004/06/02 20:09:48 lha Exp $");
  #include <rijndael-alg-fst.h>
  
  /* the file should not be used from outside */
-typedef u_int8_t               u8;
-typedef u_int16_t              u16;    
-typedef u_int32_t              u32;
+typedef uint8_t                        u8;
+typedef uint16_t               u16;    
+typedef uint32_t               u32;
  
  /*
  Te0[x] = S [x].[02, 01, 01, 03];
diff --git a/source4/heimdal/lib/des/rijndael-alg-fst.h b/source4/heimdal/lib/des/rijndael-alg-fst.h

index 6b6e2a5cd31f3fda7927712d09296e5966049362..7e2e1935fd2998656342c27f3c5761fab1e8f39e 100755 (executable)
--- a/source4/heimdal/lib/des/rijndael-alg-fst.h
+++ b/source4/heimdal/lib/des/rijndael-alg-fst.h
@@ -38,9 +38,9 @@
  #define RIJNDAEL_MAXKB (256/8)
  #define RIJNDAEL_MAXNR 14
  
-int rijndaelKeySetupEnc(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-int rijndaelKeySetupDec(u_int32_t rk[/*4*(Nr + 1)*/], const u_int8_t cipherKey[], int keyBits);
-void rijndaelEncrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t pt[16], u_int8_t ct[16]);
-void rijndaelDecrypt(const u_int32_t rk[/*4*(Nr + 1)*/], int Nr, const u_int8_t ct[16], u_int8_t pt[16]);
+int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
+int rijndaelKeySetupDec(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[], int keyBits);
+void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t pt[16], uint8_t ct[16]);
+void rijndaelDecrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr, const uint8_t ct[16], uint8_t pt[16]);
  
  #endif /* __RIJNDAEL_ALG_FST_H */
diff --git a/source4/heimdal/lib/des/rnd_keys.c b/source4/heimdal/lib/des/rnd_keys.c

index e27b00defa34df9e28a0b4ec6cd25cd0654ba079..e58faefcb09db7d1a41cf442b06871bae7a83129 100644 (file)
--- a/source4/heimdal/lib/des/rnd_keys.c
+++ b/source4/heimdal/lib/des/rnd_keys.c
@@ -34,7 +34,7 @@
  #ifdef HAVE_CONFIG_H
  #include "config.h"
  
-RCSID("$Id: rnd_keys.c,v 1.70 2006/01/08 21:47:29 lha Exp $");
+RCSID("$Id: rnd_keys.c,v 1.71 2006/05/05 10:24:31 lha Exp $");
  #endif
  
  #ifdef KRB5
@@ -82,8 +82,8 @@ static
  int
  sumFile (const char *name, int len, void *res)
  {
-  u_int32_t sum[2] = { 0, 0 };
-  u_int32_t buf[1024*2];
+  uint32_t sum[2] = { 0, 0 };
+  uint32_t buf[1024*2];
    int fd, i;
  
    fd = open (name, 0);
@@ -148,7 +148,7 @@ md5sumFile (const char *name, int len, int32_t sum[4])
   * based on an initial des key used as a seed.
   */
  static DES_key_schedule sequence_seed;
-static u_int32_t sequence_index[2];
+static uint32_t sequence_index[2];
  
  /* 
   * Random number generator based on ideas from truerand in cryptolib
diff --git a/source4/heimdal/lib/des/sha.c b/source4/heimdal/lib/des/sha.c

index ca6c1c16d4c714af8fd2b2a3d2de2e6d71fca928..fae0fe01cbaf77e9b5eae8bbcddf0640d23157e7 100644 (file)
--- a/source4/heimdal/lib/des/sha.c
+++ b/source4/heimdal/lib/des/sha.c
@@ -34,7 +34,7 @@
  #ifdef HAVE_CONFIG_H
  #include "config.h"
  
-RCSID("$Id: sha.c,v 1.18 2005/04/27 11:55:05 lha Exp $");
+RCSID("$Id: sha.c,v 1.19 2006/05/05 10:25:00 lha Exp $");
  #endif
  
  #include "hash.h"
@@ -72,7 +72,7 @@ SHA1_Init (struct sha *m)
  
  #define DO(t,f,k) \
  do { \
-  u_int32_t temp; \
+  uint32_t temp; \
   \
    temp = cshift(AA, 5) + f(BB,CC,DD) + EE + data[t] + k; \
    EE = DD; \
@@ -83,10 +83,10 @@ do { \
  } while(0)
  
  static inline void
-calc (struct sha *m, u_int32_t *in)
+calc (struct sha *m, uint32_t *in)
  {
-  u_int32_t AA, BB, CC, DD, EE;
-  u_int32_t data[80];
+  uint32_t AA, BB, CC, DD, EE;
+  uint32_t data[80];
    int i;
  
    AA = A;
@@ -204,11 +204,11 @@ calc (struct sha *m, u_int32_t *in)
   */
  
  #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
  {
  #define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
-  u_int32_t temp1, temp2;
+  uint32_t temp1, temp2;
  
    temp1   = cshift(t, 16);
    temp2   = temp1 >> 8;
@@ -244,15 +244,15 @@ SHA1_Update (struct sha *m, const void *v, size_t len)
      if(offset == 64){
  #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
        int i;
-      u_int32_t current[16];
+      uint32_t current[16];
        struct x32 *u = (struct x32*)m->save;
        for(i = 0; i < 8; i++){
-       current[2*i+0] = swap_u_int32_t(u[i].a);
-       current[2*i+1] = swap_u_int32_t(u[i].b);
+       current[2*i+0] = swap_uint32_t(u[i].a);
+       current[2*i+1] = swap_uint32_t(u[i].b);
        }
        calc(m, current);
  #else
-      calc(m, (u_int32_t*)m->save);
+      calc(m, (uint32_t*)m->save);
  #endif
        offset = 0;
      }
@@ -291,10 +291,10 @@ SHA1_Final (void *res, struct sha *m)
  #if 0
    {
      int i;
-    u_int32_t *r = (u_int32_t *)res;
+    uint32_t *r = (uint32_t *)res;
  
      for (i = 0; i < 5; ++i)
-      r[i] = swap_u_int32_t (m->counter[i]);
+      r[i] = swap_uint32_t (m->counter[i]);
    }
  #endif
  }
diff --git a/source4/heimdal/lib/des/sha.h b/source4/heimdal/lib/des/sha.h

index 6021823f5cc91cf8a2e3fba939c4055399fe2a4a..977b9f7bb2bef97d0ca9eed5468b17cdc17c44ac 100644 (file)
--- a/source4/heimdal/lib/des/sha.h
+++ b/source4/heimdal/lib/des/sha.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE.
   */
  
-/* $Id: sha.h,v 1.10 2006/04/15 07:54:11 lha Exp $ */
+/* $Id: sha.h,v 1.11 2006/05/05 11:06:21 lha Exp $ */
  
  #ifndef HEIM_SHA_H
  #define HEIM_SHA_H 1
@@ -52,7 +52,7 @@
  
  struct sha {
    unsigned int sz[2];
-  u_int32_t counter[5];
+  uint32_t counter[5];
    unsigned char save[64];
  };
  
@@ -70,7 +70,7 @@ void SHA1_Final (void *res, struct sha *m);
  
  struct hc_sha256state {
    unsigned int sz[2];
-  u_int32_t counter[8];
+  uint32_t counter[8];
    unsigned char save[64];
  };
  
diff --git a/source4/heimdal/lib/des/sha256.c b/source4/heimdal/lib/des/sha256.c

index 8c12ce504cc7707fbd5699a9815ce5426cdc1984..58fb92815a29c03e59d43f578aa73db25b451697 100644 (file)
--- a/source4/heimdal/lib/des/sha256.c
+++ b/source4/heimdal/lib/des/sha256.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1995 - 2001, 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden).
   * All rights reserved.
   * 
@@ -34,7 +34,7 @@
  #ifdef HAVE_CONFIG_H
  #include "config.h"
  
-RCSID("$Id: sha256.c,v 1.1 2006/04/15 07:53:07 lha Exp $");
+RCSID("$Id: sha256.c,v 1.2 2006/05/05 10:25:37 lha Exp $");
  #endif
  
  #include "hash.h"
@@ -59,7 +59,7 @@ RCSID("$Id: sha256.c,v 1.1 2006/04/15 07:53:07 lha Exp $");
  #define G m->counter[6]
  #define H m->counter[7]
  
-static const u_int32_t constant_256[64] = {
+static const uint32_t constant_256[64] = {
      0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
      0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
      0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
@@ -94,10 +94,10 @@ SHA256_Init (SHA256_CTX *m)
  }
  
  static void
-calc (SHA256_CTX *m, u_int32_t *in)
+calc (SHA256_CTX *m, uint32_t *in)
  {
-    u_int32_t AA, BB, CC, DD, EE, FF, GG, HH;
-    u_int32_t data[64];
+    uint32_t AA, BB, CC, DD, EE, FF, GG, HH;
+    uint32_t data[64];
      int i;
  
      AA = A;
@@ -116,7 +116,7 @@ calc (SHA256_CTX *m, u_int32_t *in)
             sigma0(data[i-15]) + data[i - 16];
  
      for (i = 0; i < 64; i++) {
-       u_int32_t T1, T2;
+       uint32_t T1, T2;
  
         T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i];
         T2 = Sigma0(AA) + Maj(AA,BB,CC);
@@ -146,11 +146,11 @@ calc (SHA256_CTX *m, u_int32_t *in)
   */
  
  #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
-static inline u_int32_t
-swap_u_int32_t (u_int32_t t)
+static inline uint32_t
+swap_uint32_t (uint32_t t)
  {
  #define ROL(x,n) ((x)<<(n))|((x)>>(32-(n)))
-    u_int32_t temp1, temp2;
+    uint32_t temp1, temp2;
  
      temp1   = cshift(t, 16);
      temp2   = temp1 >> 8;
@@ -186,15 +186,15 @@ SHA256_Update (SHA256_CTX *m, const void *v, size_t len)
         if(offset == 64){
  #if !defined(WORDS_BIGENDIAN) || defined(_CRAY)
             int i;
-           u_int32_t current[16];
+           uint32_t current[16];
             struct x32 *u = (struct x32*)m->save;
             for(i = 0; i < 8; i++){
-               current[2*i+0] = swap_u_int32_t(u[i].a);
-               current[2*i+1] = swap_u_int32_t(u[i].b);
+               current[2*i+0] = swap_uint32_t(u[i].a);
+               current[2*i+1] = swap_uint32_t(u[i].b);
             }
             calc(m, current);
  #else
-           calc(m, (u_int32_t*)m->save);
+           calc(m, (uint32_t*)m->save);
  #endif
             offset = 0;
         }
diff --git a/source4/heimdal/lib/gssapi/8003.c b/source4/heimdal/lib/gssapi/8003.c

index 0062068d5b88900d129d6528eb8d04377b1f81d4..ad580811a5515b150169ccff37e14805674ddb92 100644 (file)
--- a/source4/heimdal/lib/gssapi/8003.c
+++ b/source4/heimdal/lib/gssapi/8003.c
@@ -33,7 +33,7 @@
  
  #include "gssapi_locl.h"
  
-RCSID("$Id: 8003.c,v 1.17 2005/04/01 08:55:36 lha Exp $");
+RCSID("$Id: 8003.c,v 1.18 2006/05/04 11:55:40 lha Exp $");
  
  krb5_error_code
  gssapi_encode_om_uint32(OM_uint32 n, u_char *p)
@@ -56,15 +56,17 @@ gssapi_encode_be_om_uint32(OM_uint32 n, u_char *p)
  }
  
  krb5_error_code
-gssapi_decode_om_uint32(u_char *p, OM_uint32 *n)
+gssapi_decode_om_uint32(const void *ptr, OM_uint32 *n)
  {
+    const u_char *p = ptr;
      *n = (p[0] << 0) | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
      return 0;
  }
  
  krb5_error_code
-gssapi_decode_be_om_uint32(u_char *p, OM_uint32 *n)
+gssapi_decode_be_om_uint32(const void *ptr, OM_uint32 *n)
  {
+    const u_char *p = ptr;
      *n = (p[0] <<24) | (p[1] << 16) | (p[2] << 8) | (p[3] << 0);
      return 0;
  }
diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c

index 01c6c75ecc2b0f7d4f6541d53eb86d33ddd9fcc2..936a20d403053ba265d03b1925906720e290d887 100644 (file)
--- a/source4/heimdal/lib/gssapi/arcfour.c
+++ b/source4/heimdal/lib/gssapi/arcfour.c
@@ -33,7 +33,7 @@
  
  #include "gssapi_locl.h"
  
-RCSID("$Id: arcfour.c,v 1.18 2005/11/01 06:55:55 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.19 2006/05/04 11:56:50 lha Exp $");
  
  /*
   * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -246,8 +246,8 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
      krb5_error_code ret;
      int32_t seq_number;
      OM_uint32 omret;
-    char cksum_data[8], k6_data[16], SND_SEQ[8];
-    u_char *p;
+    u_char SND_SEQ[8], cksum_data[8], *p;
+    char k6_data[16];
      int cmp;
      
      if (qop_state)
@@ -295,7 +295,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
      {
         RC4_KEY rc4_key;
         
-       RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+       RC4_set_key (&rc4_key, sizeof(k6_data), (void*)k6_data);
         RC4 (&rc4_key, 8, p, SND_SEQ);
         
         memset(&rc4_key, 0, sizeof(rc4_key));
@@ -480,7 +480,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
      if(conf_req_flag) {
         RC4_KEY rc4_key;
  
-       RC4_set_key (&rc4_key, sizeof(k6_data), k6_data);
+       RC4_set_key (&rc4_key, sizeof(k6_data), (void *)k6_data);
         /* XXX ? */
         RC4 (&rc4_key, 8 + datalen, p0 + 24, p0 + 24); /* Confounder + data */
         memset(&rc4_key, 0, sizeof(rc4_key));
@@ -526,8 +526,8 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
      int32_t seq_number;
      size_t len, datalen;
      OM_uint32 omret;
-    char k6_data[16], SND_SEQ[8], Confounder[8];
-    char cksum_data[8];
+    u_char k6_data[16], SND_SEQ[8], Confounder[8];
+    u_char cksum_data[8];
      u_char *p, *p0;
      int cmp;
      int conf_flag;
diff --git a/source4/heimdal/lib/gssapi/cfx.c b/source4/heimdal/lib/gssapi/cfx.c

index 3e7592b3a73070765797d4bc90cf9123a5436b76..1aebd008a6299370e2a27209366fbec3a5b186e0 100755 (executable)
--- a/source4/heimdal/lib/gssapi/cfx.c
+++ b/source4/heimdal/lib/gssapi/cfx.c
@@ -32,7 +32,7 @@
  
  #include "gssapi_locl.h"
  
-RCSID("$Id: cfx.c,v 1.17 2005/04/27 17:47:32 lha Exp $");
+RCSID("$Id: cfx.c,v 1.19 2006/05/05 10:26:43 lha Exp $");
  
  /*
   * Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt
@@ -143,11 +143,10 @@ OM_uint32 _gssapi_wrap_size_cfx(OM_uint32 *minor_status,
   */
  
  static krb5_error_code
-rrc_rotate(void *data, size_t len, u_int16_t rrc, krb5_boolean unrotate)
+rrc_rotate(void *data, size_t len, uint16_t rrc, krb5_boolean unrotate)
  {
-    u_char *tmp;
+    u_char *tmp, buf[256];
      size_t left;
-    char buf[256];
  
      if (len == 0)
         return 0;
@@ -220,7 +219,7 @@ OM_uint32 _gssapi_wrap_cfx(OM_uint32 *minor_status,
      }
  
      /* Always rotate encrypted token (if any) and checksum to header */
-    rrc = (conf_req_flag ? sizeof(*token) : 0) + (u_int16_t)cksumsize;
+    rrc = (conf_req_flag ? sizeof(*token) : 0) + (uint16_t)cksumsize;
  
      output_message_buffer->length = wrapped_len;
      output_message_buffer->value = malloc(output_message_buffer->length);
@@ -420,7 +419,7 @@ OM_uint32 _gssapi_unwrap_cfx(OM_uint32 *minor_status,
      krb5_error_code ret;
      unsigned usage;
      krb5_data data;
-    u_int16_t ec, rrc;
+    uint16_t ec, rrc;
      OM_uint32 seq_number_lo, seq_number_hi;
      size_t len;
      u_char *p;
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h

index b93ad4e481d01117ab8022ded711157d29cb0e29..eac2737f4306c730213e8f7000defd76f02ac970 100644 (file)
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: gssapi.h,v 1.39 2005/12/05 11:52:45 lha Exp $ */
+/* $Id: gssapi.h,v 1.40 2006/05/05 11:08:29 lha Exp $ */
  
  #ifndef GSSAPI_H_
  #define GSSAPI_H_
@@ -47,9 +47,9 @@
   * Now define the three implementation-dependent types.
   */
  
-typedef u_int32_t OM_uint32;
+typedef uint32_t OM_uint32;
  
-typedef u_int32_t gss_uint32;
+typedef uint32_t gss_uint32;
  
  /*
   * This is to avoid having to include <krb5.h>
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h

index be2277b96faedd0246111c0c4c4a717f4e112dd3..81169a85000aca009b47ffd6b7c26a020087e237 100644 (file)
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: gssapi_locl.h,v 1.44 2006/04/12 17:44:05 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.45 2006/05/04 11:56:14 lha Exp $ */
  
  #ifndef GSSAPI_LOCL_H
  #define GSSAPI_LOCL_H
@@ -307,9 +307,9 @@ krb5_error_code
  gssapi_encode_be_om_uint32(OM_uint32, u_char *);
  
  krb5_error_code
-gssapi_decode_om_uint32(u_char *, OM_uint32 *);
+gssapi_decode_om_uint32(const void *, OM_uint32 *);
  
  krb5_error_code
-gssapi_decode_be_om_uint32(u_char *, OM_uint32 *);
+gssapi_decode_be_om_uint32(const void *, OM_uint32 *);
  
  #endif
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c

index e363ee22f732e51eaa4c6c151c8a24386205b7b6..dc937daae5fcc26b56247e3786e23810a6e2d266 100644 (file)
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
  
  #include "gssapi_locl.h"
  
-RCSID("$Id: init_sec_context.c,v 1.62 2006/04/09 18:45:18 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.63 2006/05/05 10:27:13 lha Exp $");
  
  /*
   * copy the addresses from `input_chan_bindings' (if any) to
diff --git a/source4/heimdal/lib/gssapi/wrap.c b/source4/heimdal/lib/gssapi/wrap.c

index 0c089067b6838b8ce9f0a6526335eb8ae76d7168..7072ca27546a7bd20982ab714584202071d6db3a 100644 (file)
--- a/source4/heimdal/lib/gssapi/wrap.c
+++ b/source4/heimdal/lib/gssapi/wrap.c
@@ -33,7 +33,7 @@
  
  #include "gssapi_locl.h"
  
-RCSID("$Id: wrap.c,v 1.32 2006/04/02 02:10:03 lha Exp $");
+RCSID("$Id: wrap.c,v 1.33 2006/05/05 10:27:36 lha Exp $");
  
  OM_uint32
  gsskrb5_get_initiator_subkey(OM_uint32 *minor_status,
@@ -428,7 +428,7 @@ wrap_des3
    u_char seq[8];
    int32_t seq_number;
    size_t len, total_len, padlength, datalen;
-  u_int32_t ret;
+  uint32_t ret;
    krb5_crypto crypto;
    Checksum cksum;
    krb5_data encdata;
diff --git a/source4/heimdal/lib/hdb/ext.c b/source4/heimdal/lib/hdb/ext.c

index 850b23fb047b300b74be69c7d3c34c4712f87213..a8995e41388e5db949c36076b9dc9ca755a78c2b 100644 (file)
--- a/source4/heimdal/lib/hdb/ext.c
+++ b/source4/heimdal/lib/hdb/ext.c
@@ -34,7 +34,7 @@
  #include "hdb_locl.h"
  #include <der.h>
  
-RCSID("$Id: ext.c,v 1.1 2005/08/11 20:49:31 lha Exp $");
+RCSID("$Id: ext.c,v 1.2 2006/04/25 10:20:22 lha Exp $");
  
  krb5_error_code
  hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
@@ -168,10 +168,10 @@ hdb_replace_extension(krb5_context context,
  
      ret = copy_HDB_extension(ext,
                              &entry->extensions->val[entry->extensions->len]);
-    if (ret == 0) {
+    if (ret == 0)
         entry->extensions->len++;
+    else
         krb5_set_error_string(context, "hdb: failed to copy new extension");
-    }
  
      return ret;
  }
diff --git a/source4/heimdal/lib/hdb/hdb-private.h b/source4/heimdal/lib/hdb/hdb-private.h

index e602f01373b77a7ac77435bcc264f378dd6e8d4c..5147d8b90bd59a85b521c095576f2c0e4d9a6924 100644 (file)
--- a/source4/heimdal/lib/hdb/hdb-private.h
+++ b/source4/heimdal/lib/hdb/hdb-private.h
@@ -8,14 +8,13 @@ krb5_error_code
  _hdb_fetch (
         krb5_context /*context*/,
         HDB */*db*/,
-       unsigned /*flags*/,
         krb5_const_principal /*principal*/,
-       enum hdb_ent_type /*ent_type*/,
+       unsigned /*flags*/,
         hdb_entry_ex */*entry*/);
  
  hdb_master_key
  _hdb_find_master_key (
-       u_int32_t */*mkvno*/,
+       uint32_t */*mkvno*/,
         hdb_master_key /*mkey*/);
  
  int
@@ -43,7 +42,7 @@ krb5_error_code
  _hdb_remove (
         krb5_context /*context*/,
         HDB */*db*/,
-       hdb_entry_ex */*entry*/);
+       krb5_const_principal /*principal*/);
  
  krb5_error_code
  _hdb_store (
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c

index b89937f82feb73c5a322c633a039ca662c362bc6..5d2ce8f3bb74eeaf90af901f98a6df5dcb3ae037 100644 (file)
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -33,7 +33,7 @@
  
  #include "hdb_locl.h"
  
-RCSID("$Id: hdb.c,v 1.60 2005/12/12 12:35:36 lha Exp $");
+RCSID("$Id: hdb.c,v 1.61 2006/04/24 20:57:58 lha Exp $");
  
  #ifdef HAVE_DLFCN_H
  #include <dlfcn.h>
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h

index 463cbf71f24af9736b92e7d0fa26a429320ca529..d14eea7ddc4ec794c50cfa58d0b100c472dc9f37 100644 (file)
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: hdb.h,v 1.36 2005/12/12 12:35:36 lha Exp $ */
+/* $Id: hdb.h,v 1.38 2006/04/28 07:37:11 lha Exp $ */
  
  #ifndef __HDB_H__
  #define __HDB_H__
@@ -44,14 +44,16 @@
  enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
  
  /* flags for various functions */
-#define HDB_F_DECRYPT          1 /* decrypt keys */
-#define HDB_F_REPLACE          2 /* replace entry */
+#define HDB_F_DECRYPT          1       /* decrypt keys */
+#define HDB_F_REPLACE          2       /* replace entry */
+#define HDB_F_GET_CLIENT       4       /* fetch client */
+#define HDB_F_GET_SERVER       8       /* fetch server */
+#define HDB_F_GET_KRBTGT       16      /* fetch krbtgt */
+#define HDB_F_GET_ANY          28      /* fetch any of client,server,krbtgt */
  
  /* key usage for master key */
  #define HDB_KU_MKEY    0x484442
  
-enum hdb_ent_type{ HDB_ENT_TYPE_CLIENT, HDB_ENT_TYPE_SERVER, HDB_ENT_TYPE_ANY };
-
  typedef struct hdb_master_key_data *hdb_master_key;
  
  typedef struct hdb_entry_ex {
@@ -87,30 +89,60 @@ typedef struct HDB{
      hdb_master_key hdb_master_key;
      void *hdb_openp;
  
-    krb5_error_code (*hdb_open)(krb5_context, struct HDB*, int, mode_t);
-    krb5_error_code (*hdb_close)(krb5_context, struct HDB*);
-    void           (*hdb_free)(krb5_context,struct HDB*,hdb_entry_ex*);
-    krb5_error_code (*hdb_fetch)(krb5_context,struct HDB*,unsigned hdb_flags, 
-                                krb5_const_principal principal,
-                                enum hdb_ent_type ent_type, hdb_entry_ex*);
-    krb5_error_code (*hdb_store)(krb5_context,struct HDB*,
-                                unsigned,hdb_entry_ex*);
-    krb5_error_code (*hdb_remove)(krb5_context, struct HDB*, hdb_entry_ex*);
-    krb5_error_code (*hdb_firstkey)(krb5_context, struct HDB*,
-                                   unsigned, hdb_entry_ex*);
-    krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
-                                  unsigned, hdb_entry_ex*);
-    krb5_error_code (*hdb_lock)(krb5_context, struct HDB*, int operation);
-    krb5_error_code (*hdb_unlock)(krb5_context, struct HDB*);
-    krb5_error_code (*hdb_rename)(krb5_context, struct HDB*, const char*);
-    krb5_error_code (*hdb__get)(krb5_context,struct HDB*,krb5_data,krb5_data*);
-    krb5_error_code (*hdb__put)(krb5_context, struct HDB*, int, 
-                               krb5_data, krb5_data);
-    krb5_error_code (*hdb__del)(krb5_context, struct HDB*, krb5_data);
-    krb5_error_code (*hdb_destroy)(krb5_context, struct HDB*);
+    krb5_error_code (*hdb_open)(krb5_context,
+                               struct HDB*,
+                               int,
+                               mode_t);
+    krb5_error_code (*hdb_close)(krb5_context, 
+                                struct HDB*);
+    void           (*hdb_free)(krb5_context,
+                               struct HDB*,
+                               hdb_entry_ex*);
+    krb5_error_code (*hdb_fetch)(krb5_context,
+                                struct HDB*,
+                                krb5_const_principal,
+                                unsigned,
+                                hdb_entry_ex*);
+    krb5_error_code (*hdb_store)(krb5_context,
+                                struct HDB*,
+                                unsigned,
+                                hdb_entry_ex*);
+    krb5_error_code (*hdb_remove)(krb5_context,
+                                 struct HDB*,
+                                 krb5_const_principal);
+    krb5_error_code (*hdb_firstkey)(krb5_context,
+                                   struct HDB*,
+                                   unsigned,
+                                   hdb_entry_ex*);
+    krb5_error_code (*hdb_nextkey)(krb5_context,
+                                  struct HDB*,
+                                  unsigned,
+                                  hdb_entry_ex*);
+    krb5_error_code (*hdb_lock)(krb5_context,
+                               struct HDB*,
+                               int operation);
+    krb5_error_code (*hdb_unlock)(krb5_context,
+                                 struct HDB*);
+    krb5_error_code (*hdb_rename)(krb5_context,
+                                 struct HDB*,
+                                 const char*);
+    krb5_error_code (*hdb__get)(krb5_context,
+                               struct HDB*,
+                               krb5_data,
+                               krb5_data*);
+    krb5_error_code (*hdb__put)(krb5_context,
+                               struct HDB*,
+                               int, 
+                               krb5_data,
+                               krb5_data);
+    krb5_error_code (*hdb__del)(krb5_context, 
+                               struct HDB*,
+                               krb5_data);
+    krb5_error_code (*hdb_destroy)(krb5_context,
+                                  struct HDB*);
  }HDB;
  
-#define HDB_INTERFACE_VERSION  3
+#define HDB_INTERFACE_VERSION  4
  
  struct hdb_so_method {
      int version;
diff --git a/source4/heimdal/lib/hdb/keys.c b/source4/heimdal/lib/hdb/keys.c

index 0ca3846f9dbd511a47dcf793dfb98831aab0ae3e..d7c2f2c89bdc6903815131b21c7e9674adff393d 100644 (file)
--- a/source4/heimdal/lib/hdb/keys.c
+++ b/source4/heimdal/lib/hdb/keys.c
@@ -33,7 +33,7 @@
  
  #include "hdb_locl.h"
  
-RCSID("$Id: keys.c,v 1.4 2006/04/02 00:45:48 lha Exp $");
+RCSID("$Id: keys.c,v 1.5 2006/04/25 08:09:38 lha Exp $");
  
  /*
   * free all the memory used by (len, keys)
@@ -112,23 +112,19 @@ parse_key_set(krb5_context context, const char *key,
             if(strcmp(buf[i], "des") == 0) {
                 enctypes = all_etypes;
                 num_enctypes = 3;
-               continue;
             } else if(strcmp(buf[i], "des3") == 0) {
                 e = ETYPE_DES3_CBC_SHA1;
                 enctypes = &e;
                 num_enctypes = 1;
-               continue;
             } else {
                 ret = krb5_string_to_enctype(context, buf[i], &e);
                 if (ret == 0) {
                     enctypes = &e;
                     num_enctypes = 1;
-                   continue;
-               }
+               } else
+                   return ret;
             }
-       }
-
-       if(salt->salttype == 0) {
+       } else if(salt->salttype == 0) {
             /* interpret string as a salt specifier, if no etype
                is set, this sets default values */
             /* XXX should perhaps use string_to_salttype, but that
@@ -152,7 +148,7 @@ parse_key_set(krb5_context context, const char *key,
                v4 compat, and a cell name for afs compat */
             salt->saltvalue.data = strdup(buf[i]);
             if (salt->saltvalue.data == NULL) {
-               krb5_set_error_string(context, "malloc out of memory");
+               krb5_set_error_string(context, "out of memory");
                 return ENOMEM;
             }
             salt->saltvalue.length = strlen(buf[i]);
@@ -297,7 +293,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal,
         ret = parse_key_set(context, p,
                             &enctypes, &num_enctypes, &salt, principal);
         if (ret) {
-           krb5_warnx(context, "bad value for default_keys `%s'", *kp);
+           krb5_warn(context, ret, "bad value for default_keys `%s'", *kp);
             ret = 0;
             continue;
         }
diff --git a/source4/heimdal/lib/hdb/keytab.c b/source4/heimdal/lib/hdb/keytab.c

index 12979eaecf1a53492295a62ff4966337db8a0abc..b4fa5f84c929631e39c5727a23f1815bf408a4ba 100644 (file)
--- a/source4/heimdal/lib/hdb/keytab.c
+++ b/source4/heimdal/lib/hdb/keytab.c
@@ -35,7 +35,7 @@
  
  /* keytab backend for HDB databases */
  
-RCSID("$Id: keytab.c,v 1.10 2006/04/02 20:20:45 lha Exp $");
+RCSID("$Id: keytab.c,v 1.11 2006/04/27 11:01:30 lha Exp $");
  
  struct hdb_data {
      char *dbname;
@@ -218,8 +218,8 @@ hdb_get_entry(krb5_context context,
         (*db->hdb_destroy)(context, db);
         return ret;
      }
+    ret = (*db->hdb_fetch)(context, db, principal, HDB_F_DECRYPT, &ent);
  
-    ret = (*db->hdb_fetch)(context, db, HDB_F_DECRYPT, principal, HDB_ENT_TYPE_SERVER, &ent);
  
      /* Shutdown the hdb on error */
      if(ret == HDB_ERR_NOENTRY) {
diff --git a/source4/heimdal/lib/hdb/mkey.c b/source4/heimdal/lib/hdb/mkey.c

index f12f73e809dd96463d90dabd844c7cdb6467eb91..40569b29ad9add72925c1ce185fb58b813f75527 100644 (file)
--- a/source4/heimdal/lib/hdb/mkey.c
+++ b/source4/heimdal/lib/hdb/mkey.c
@@ -36,7 +36,7 @@
  #define O_BINARY 0
  #endif
  
-RCSID("$Id: mkey.c,v 1.21 2005/08/19 13:07:03 lha Exp $");
+RCSID("$Id: mkey.c,v 1.22 2006/05/05 10:27:59 lha Exp $");
  
  struct hdb_master_key_data {
      krb5_keytab_entry keytab;
@@ -355,7 +355,7 @@ hdb_write_master_key(krb5_context context, const char *filename,
  }
  
  hdb_master_key
-_hdb_find_master_key(u_int32_t *mkvno, hdb_master_key mkey)
+_hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey)
  {
      hdb_master_key ret = NULL;
      while(mkey) {
diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c

index f4c2497abc93149b25f9158836acb05268cd3710..6c72ea78c570200844e809bf7bd4336ea8c4e01d 100644 (file)
--- a/source4/heimdal/lib/hdb/ndbm.c
+++ b/source4/heimdal/lib/hdb/ndbm.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
diff --git a/source4/heimdal/lib/krb5/addr_families.c b/source4/heimdal/lib/krb5/addr_families.c

index ebdbcfed46c9a5ec76bab9732dc629a7b86036d3..895b01f9d85eea9c8c71b43746043c839dccb13d 100644 (file)
--- a/source4/heimdal/lib/krb5/addr_families.c
+++ b/source4/heimdal/lib/krb5/addr_families.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: addr_families.c,v 1.51 2006/04/02 02:17:31 lha Exp $");
+RCSID("$Id: addr_families.c,v 1.52 2006/05/05 09:26:22 lha Exp $");
  
  struct addr_operations {
      int af;
@@ -199,7 +199,7 @@ ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr,
                    unsigned long len, krb5_address *low, krb5_address *high)
  {
      unsigned long ia;
-    u_int32_t l, h, m = 0xffffffff;
+    uint32_t l, h, m = 0xffffffff;
  
      if (len > 32) {
         krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len);
@@ -391,7 +391,7 @@ ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr,
                    unsigned long len, krb5_address *low, krb5_address *high)
  {
      struct in6_addr addr, laddr, haddr;
-    u_int32_t m;
+    uint32_t m;
      int i, sub_len;
  
      if (len > 128) {
diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c

index 7907e1ad9c6c35621b7cc386ddf3a369c5b04e3a..ba584a04a44d6e64017475f5914675ce13ba7a09 100644 (file)
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
  
  #include <krb5_locl.h>
  
-RCSID("$Id: changepw.c,v 1.55 2005/12/12 12:48:57 lha Exp $");
+RCSID("$Id: changepw.c,v 1.56 2006/05/05 09:26:47 lha Exp $");
  
  static void
  str2data (krb5_data *d,
@@ -271,7 +271,7 @@ process_reply (krb5_context context,
      krb5_error_code ret;
      u_char reply[1024 * 3];
      ssize_t len;
-    u_int16_t pkt_len, pkt_ver;
+    uint16_t pkt_len, pkt_ver;
      krb5_data ap_rep_data;
      int save_errno;
  
diff --git a/source4/heimdal/lib/krb5/crc.c b/source4/heimdal/lib/krb5/crc.c

index c7cedd8c9efa180dc8bd4ff14a11cd0a78eed7dc..4cfed751545ae7f12f0c067b2e6b504c4e6de8af 100644 (file)
--- a/source4/heimdal/lib/krb5/crc.c
+++ b/source4/heimdal/lib/krb5/crc.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: crc.c,v 1.9 2000/08/03 01:45:14 assar Exp $");
+RCSID("$Id: crc.c,v 1.10 2006/05/05 09:27:09 lha Exp $");
  
  static u_long table[256];
  
@@ -62,8 +62,8 @@ _krb5_crc_init_table(void)
      flag = 1;
  }
  
-u_int32_t
-_krb5_crc_update (const char *p, size_t len, u_int32_t res)
+uint32_t
+_krb5_crc_update (const char *p, size_t len, uint32_t res)
  {
      while (len--)
         res = table[(res ^ *p++) & 0xFF] ^ (res >> 8);
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c

index 3a9099528349e69f266efe759f1bf56a67388507..2e8160518bba5c036b393b364b153e82bddfbc0b 100644 (file)
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
   */
  
  #include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.134 2006/04/10 08:58:53 lha Exp $");
+RCSID("$Id: crypto.c,v 1.135 2006/05/05 09:27:24 lha Exp $");
  
  #undef CRYPTO_DEBUG
  #ifdef CRYPTO_DEBUG
@@ -602,7 +602,7 @@ AES_string_to_key(krb5_context context,
                   krb5_keyblock *key)
  {
      krb5_error_code ret;
-    u_int32_t iter;
+    uint32_t iter;
      struct encryption_type *et;
      struct key_data kd;
  
@@ -611,7 +611,7 @@ AES_string_to_key(krb5_context context,
      else if (opaque.length == 4) {
         unsigned long v;
         _krb5_get_int(opaque.data, &v, 4);
-       iter = ((u_int32_t)v);
+       iter = ((uint32_t)v);
      } else
         return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
         
@@ -1296,7 +1296,7 @@ CRC32_checksum(krb5_context context,
                unsigned usage,
                Checksum *C)
  {
-    u_int32_t crc;
+    uint32_t crc;
      unsigned char *r = C->checksum.data;
      _krb5_crc_init_table ();
      crc = _krb5_crc_update (data, len, 0);
@@ -4282,7 +4282,7 @@ _krb5_pk_octetstring2key(krb5_context context,
  static krb5_error_code
  krb5_get_keyid(krb5_context context,
                krb5_keyblock *key,
-              u_int32_t *keyid)
+              uint32_t *keyid)
  {
      MD5_CTX md5;
      unsigned char tmp[16];
@@ -4300,7 +4300,7 @@ krb5_crypto_debug(krb5_context context,
                   size_t len,
                   krb5_keyblock *key)
  {
-    u_int32_t keyid;
+    uint32_t keyid;
      char *kt;
      krb5_get_keyid(context, key, &keyid);
      krb5_enctype_to_string(context, key->keytype, &kt);
diff --git a/source4/heimdal/lib/krb5/generate_seq_number.c b/source4/heimdal/lib/krb5/generate_seq_number.c

index f9e9cded5f717771938799bc73055a39849fc6b4..7f79e29858cc98c50132d8c6b68a22afc6be9c78 100644 (file)
--- a/source4/heimdal/lib/krb5/generate_seq_number.c
+++ b/source4/heimdal/lib/krb5/generate_seq_number.c
@@ -33,16 +33,16 @@
  
  #include <krb5_locl.h>
  
-RCSID("$Id: generate_seq_number.c,v 1.9 2004/05/25 21:25:22 lha Exp $");
+RCSID("$Id: generate_seq_number.c,v 1.10 2006/05/05 09:28:06 lha Exp $");
  
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_generate_seq_number(krb5_context context,
                          const krb5_keyblock *key,
-                        u_int32_t *seqno)
+                        uint32_t *seqno)
  {
      krb5_error_code ret;
      krb5_keyblock *subkey;
-    u_int32_t q;
+    uint32_t q;
      u_char *p;
      int i;
  
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c

index 489a88a31b4db29643c1f640bcb7a9daa0646de8..70b6c3e4c33ea1a3ab0a4d8d9ddf614e6a09ffc0 100644 (file)
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: init_creds_pw.c,v 1.92 2006/04/02 01:20:15 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $");
  
  typedef struct krb5_get_init_creds_ctx {
      krb5_kdc_flags flags;
@@ -1150,6 +1150,7 @@ process_pa_data_to_key(krb5_context context,
      if (pa && ctx->pk_init_ctx) {
  #ifdef PKINIT
         ret = _krb5_pk_rd_pa_reply(context,
+                                  a->req_body.realm,
                                    ctx->pk_init_ctx,
                                    etype,
                                    hi,
diff --git a/source4/heimdal/lib/krb5/kcm.c b/source4/heimdal/lib/krb5/kcm.c

index f4372422ac88badb95d605a44eaf00f1a5e2a4f4..8f2d9f7f86ebb5666c92c33a90abc58ae78691ee 100644 (file)
--- a/source4/heimdal/lib/krb5/kcm.c
+++ b/source4/heimdal/lib/krb5/kcm.c
@@ -43,7 +43,7 @@
  
  #include "kcm.h"
  
-RCSID("$Id: kcm.c,v 1.8 2005/09/19 20:23:05 lha Exp $");
+RCSID("$Id: kcm.c,v 1.9 2006/05/05 09:28:48 lha Exp $");
  
  typedef struct krb5_kcmcache {
      char *name;
@@ -53,7 +53,7 @@ typedef struct krb5_kcmcache {
  
  #define KCMCACHE(X)    ((krb5_kcmcache *)(X)->data.data)
  #define CACHENAME(X)   (KCMCACHE(X)->name)
-#define KCMCURSOR(C)   (*(u_int32_t *)(C))
+#define KCMCURSOR(C)   (*(uint32_t *)(C))
  
  static krb5_error_code
  try_door(krb5_context context, const krb5_kcmcache *k,
@@ -903,7 +903,7 @@ _krb5_kcm_noop(krb5_context context,
  krb5_error_code
  _krb5_kcm_chmod(krb5_context context,
                 krb5_ccache id,
-               u_int16_t mode)
+               uint16_t mode)
  {
      krb5_error_code ret;
      krb5_kcmcache *k = KCMCACHE(id);
@@ -944,8 +944,8 @@ _krb5_kcm_chmod(krb5_context context,
  krb5_error_code
  _krb5_kcm_chown(krb5_context context,
                 krb5_ccache id,
-               u_int32_t uid,
-               u_int32_t gid)
+               uint32_t uid,
+               uint32_t gid)
  {
      krb5_error_code ret;
      krb5_kcmcache *k = KCMCACHE(id);
diff --git a/source4/heimdal/lib/krb5/keytab_file.c b/source4/heimdal/lib/krb5/keytab_file.c

index f9a76e634a84beca9e5735f73cb8b1294e467cb6..1b063873395d8dc89e0758aa9b3a086d5b71d239 100644 (file)
--- a/source4/heimdal/lib/krb5/keytab_file.c
+++ b/source4/heimdal/lib/krb5/keytab_file.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: keytab_file.c,v 1.22 2006/04/07 21:57:31 lha Exp $");
+RCSID("$Id: keytab_file.c,v 1.23 2006/05/05 12:36:57 lha Exp $");
  
  #define KRB5_KT_VNO_1 1
  #define KRB5_KT_VNO_2 2
@@ -428,7 +428,7 @@ loop:
       * if it's zero, assume that the 8bit one was right,
       * otherwise trust the new value */
      curpos = krb5_storage_seek(cursor->sp, 0, SEEK_CUR);
-    if(len + 4 + pos - curpos == 4) {
+    if(len + 4 + pos - curpos >= 4) {
         ret = krb5_ret_int32(cursor->sp, &tmp32);
         if (ret == 0 && tmp32 != 0) {
             entry->vno = tmp32;
diff --git a/source4/heimdal/lib/krb5/keytab_keyfile.c b/source4/heimdal/lib/krb5/keytab_keyfile.c

index 32fb48a8a27fa445f0fe5721b3748fb622bacbd2..d7f8a720e14d442207d4c61dac246b83383d4b55 100644 (file)
--- a/source4/heimdal/lib/krb5/keytab_keyfile.c
+++ b/source4/heimdal/lib/krb5/keytab_keyfile.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: keytab_keyfile.c,v 1.18 2006/04/02 01:24:52 lha Exp $");
+RCSID("$Id: keytab_keyfile.c,v 1.19 2006/04/24 15:06:57 lha Exp $");
  
  /* afs keyfile operations --------------------------------------- */
  
@@ -63,8 +63,7 @@ struct akf_data {
   */
  
  static int
-get_cell_and_realm (krb5_context context,
-                   struct akf_data *d)
+get_cell_and_realm (krb5_context context, struct akf_data *d)
  {
      FILE *f;
      char buf[BUFSIZ], *cp;
@@ -95,6 +94,7 @@ get_cell_and_realm (krb5_context context,
      if (f != NULL) {
         if (fgets (buf, sizeof(buf), f) == NULL) {
             free (d->cell);
+           d->cell = NULL;
             fclose (f);
             krb5_set_error_string (context, "no realm in %s",
                                    AFS_SERVERMAGICKRBCONF);
@@ -110,6 +110,7 @@ get_cell_and_realm (krb5_context context,
      d->realm = strdup (buf);
      if (d->realm == NULL) {
         free (d->cell);
+       d->cell = NULL;
         krb5_set_error_string (context, "malloc: out of memory");
         return ENOMEM;
      }
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h

index 00126d60ed766f02e201cdbf902990618319b121..17b282f1d8f940895e7d6a05ba0e7ebc739622ac 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -30,11 +30,11 @@ _krb5_cc_allocate (
  void
  _krb5_crc_init_table (void);
  
-u_int32_t
+uint32_t
  _krb5_crc_update (
         const char */*p*/,
         size_t /*len*/,
-       u_int32_t /*res*/);
+       uint32_t /*res*/);
  
  krb5_error_code
  _krb5_dh_group_ok (
@@ -120,14 +120,14 @@ krb5_error_code
  _krb5_kcm_chmod (
         krb5_context /*context*/,
         krb5_ccache /*id*/,
-       u_int16_t /*mode*/);
+       uint16_t /*mode*/);
  
  krb5_error_code
  _krb5_kcm_chown (
         krb5_context /*context*/,
         krb5_ccache /*id*/,
-       u_int32_t /*uid*/,
-       u_int32_t /*gid*/);
+       uint32_t /*uid*/,
+       uint32_t /*gid*/);
  
  krb5_error_code
  _krb5_kcm_get_initial_ticket (
@@ -158,8 +158,8 @@ _krb5_krb_cr_err_reply (
         const char */*name*/,
         const char */*inst*/,
         const char */*realm*/,
-       u_int32_t /*time_ws*/,
-       u_int32_t /*e*/,
+       uint32_t /*time_ws*/,
+       uint32_t /*e*/,
         const char */*e_string*/,
         krb5_data */*data*/);
  
@@ -171,7 +171,7 @@ _krb5_krb_create_auth_reply (
         const char */*prealm*/,
         int32_t /*time_ws*/,
         int /*n*/,
-       u_int32_t /*x_date*/,
+       uint32_t /*x_date*/,
         unsigned char /*kvno*/,
         const krb5_data */*cipher*/,
         krb5_data */*data*/);
@@ -183,10 +183,10 @@ _krb5_krb_create_ciph (
         const char */*service*/,
         const char */*instance*/,
         const char */*realm*/,
-       u_int32_t /*life*/,
+       uint32_t /*life*/,
         unsigned char /*kvno*/,
         const krb5_data */*ticket*/,
-       u_int32_t /*kdc_time*/,
+       uint32_t /*kdc_time*/,
         const krb5_keyblock */*key*/,
         krb5_data */*enc_data*/);
  
@@ -298,6 +298,11 @@ _krb5_parse_moduli_line (
         char */*p*/,
         struct krb5_dh_moduli **/*m*/);
  
+void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate (
+       struct krb5_pk_identity */*id*/,
+       int /*boolean*/);
+
  void KRB5_LIB_FUNCTION
  _krb5_pk_cert_free (struct krb5_pk_cert */*cert*/);
  
@@ -341,6 +346,7 @@ _krb5_pk_octetstring2key (
  krb5_error_code KRB5_LIB_FUNCTION
  _krb5_pk_rd_pa_reply (
         krb5_context /*context*/,
+       const char */*realm*/,
         void */*c*/,
         krb5_enctype /*etype*/,
         const krb5_krbhst_info */*hi*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h

index 56f43f6c3d642c60be070304300b5e45aaf4ba86..37293ff9824ca11ac50485905b21255bfb8bc1d1 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -1592,7 +1592,7 @@ krb5_error_code KRB5_LIB_FUNCTION
  krb5_generate_seq_number (
         krb5_context /*context*/,
         const krb5_keyblock */*key*/,
-       u_int32_t */*seqno*/);
+       uint32_t */*seqno*/);
  
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_generate_subkey (
@@ -2802,6 +2802,21 @@ krb5_ret_times (
         krb5_storage */*sp*/,
         krb5_times */*times*/);
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16 (
+       krb5_storage */*sp*/,
+       uint16_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32 (
+       krb5_storage */*sp*/,
+       uint32_t */*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8 (
+       krb5_storage */*sp*/,
+       uint8_t */*value*/);
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_salttype_to_string (
         krb5_context /*context*/,
@@ -3087,7 +3102,7 @@ krb5_store_keyblock (
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_store_principal (
         krb5_storage */*sp*/,
-       krb5_principal /*p*/);
+       krb5_const_principal /*p*/);
  
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_store_string (
@@ -3104,6 +3119,21 @@ krb5_store_times (
         krb5_storage */*sp*/,
         krb5_times /*times*/);
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16 (
+       krb5_storage */*sp*/,
+       uint16_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32 (
+       krb5_storage */*sp*/,
+       uint32_t /*value*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8 (
+       krb5_storage */*sp*/,
+       uint8_t /*value*/);
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_string_to_deltat (
         const char */*string*/,
diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h

index 1d092dcbc93262aaa2728c422d080aa638d1c104..3e14c5a38fcc89ce01067313be9776fe9033fdc5 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: krb5-v4compat.h,v 1.6 2005/04/23 19:38:16 lha Exp $ */
+/* $Id: krb5-v4compat.h,v 1.7 2006/05/05 09:29:07 lha Exp $ */
  
  #ifndef __KRB5_V4COMPAT_H__
  #define __KRB5_V4COMPAT_H__
@@ -119,7 +119,7 @@
  struct ktext {
      unsigned int length;               /* Length of the text */
      unsigned char dat[MAX_KTXT_LEN];   /* The data itself */
-    u_int32_t mbz;             /* zero to catch runaway strings */
+    uint32_t mbz;              /* zero to catch runaway strings */
  };
  
  struct credentials {
@@ -157,11 +157,11 @@ struct _krb5_krb_auth_data {
      char    *pname;            /* Principal's name */
      char    *pinst;            /* His Instance */
      char    *prealm;           /* His Realm */
-    u_int32_t checksum;                /* Data checksum (opt) */
+    uint32_t checksum;         /* Data checksum (opt) */
      krb5_keyblock session;     /* Session Key */
      unsigned char life;                /* Life of ticket */
-    u_int32_t time_sec;                /* Time ticket issued */
-    u_int32_t address;         /* Address in ticket */
+    uint32_t time_sec;         /* Time ticket issued */
+    uint32_t address;          /* Address in ticket */
  };
  
  time_t         _krb5_krb_life_to_time (int, int);
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h

index 98148176004c8ada4d8fe2a824d5970ef40eeaf7..32fdd6d38313dbbad8d1a73a52a1d676039f2664 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */
+/* $Id: krb5.h,v 1.241 2006/05/05 09:29:36 lha Exp $ */
  
  #ifndef __KRB5_H__
  #define __KRB5_H__
@@ -64,7 +64,7 @@ typedef int32_t krb5_error_code;
  
  typedef int krb5_kvno;
  
-typedef u_int32_t krb5_flags;
+typedef uint32_t krb5_flags;
  
  typedef void *krb5_pointer;
  typedef const void *krb5_const_pointer;
@@ -492,7 +492,7 @@ typedef struct krb5_keytab_entry {
      krb5_principal principal;
      krb5_kvno vno;
      krb5_keyblock keyblock;
-    u_int32_t timestamp;
+    uint32_t timestamp;
  } krb5_keytab_entry;
  
  typedef struct krb5_kt_cursor {
@@ -536,7 +536,7 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args;
  typedef struct krb5_replay_data {
      krb5_timestamp timestamp;
      int32_t usec;
-    u_int32_t seq;
+    uint32_t seq;
  } krb5_replay_data;
  
  /* flags for krb5_auth_con_setflags */
@@ -569,8 +569,8 @@ typedef struct krb5_auth_context_data {
      krb5_keyblock *local_subkey;
      krb5_keyblock *remote_subkey;
  
-    u_int32_t local_seqnumber;
-    u_int32_t remote_seqnumber;
+    uint32_t local_seqnumber;
+    uint32_t remote_seqnumber;
  
      krb5_authenticator authenticator;
    
diff --git a/source4/heimdal/lib/krb5/krb5_ccapi.h b/source4/heimdal/lib/krb5/krb5_ccapi.h

index 29b2ddbecc18694e932bd14328966d35665a2f2a..d59b589304eafa899e0b88c5c94a7802abd05f4c 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5_ccapi.h
+++ b/source4/heimdal/lib/krb5/krb5_ccapi.h
@@ -31,7 +31,7 @@
   * SUCH DAMAGE. 
   */
  
-/* $Id: krb5_ccapi.h,v 1.2 2006/03/27 04:21:06 lha Exp $ */
+/* $Id: krb5_ccapi.h,v 1.3 2006/05/05 09:29:59 lha Exp $ */
  
  #ifndef KRB5_CCAPI_H
  #define KRB5_CCAPI_H 1
@@ -84,7 +84,7 @@ enum {
  };
  
  typedef int32_t cc_int32;
-typedef u_int32_t cc_uint32;
+typedef uint32_t cc_uint32;
  typedef struct cc_context_t *cc_context_t;
  typedef struct cc_ccache_t *cc_ccache_t;
  typedef struct cc_ccache_iterator_t *cc_ccache_iterator_t;
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h

index 92dd3271f553b6dc25cfcc174630a9edd69295d1..4dcac40c7af3ad3e08ac7558054c13ef6bb02f00 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
diff --git a/source4/heimdal/lib/krb5/log.c b/source4/heimdal/lib/krb5/log.c

index 7e478bf1e075cccb7b50014d9f5680f4743222d0..e6fcb6bbb926b7bca283fffb9e49ba76bbbe7922 100644 (file)
--- a/source4/heimdal/lib/krb5/log.c
+++ b/source4/heimdal/lib/krb5/log.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: log.c,v 1.38 2006/04/10 09:41:26 lha Exp $");
+RCSID("$Id: log.c,v 1.39 2006/04/24 15:09:27 lha Exp $");
  
  struct facility {
      int min;
@@ -221,8 +221,10 @@ log_file(const char *timestr,
      if(f->fd == NULL)
         return;
      fprintf(f->fd, "%s %s\n", timestr, msg);
-    if(f->keep_open == 0)
+    if(f->keep_open == 0) {
         fclose(f->fd);
+       f->fd = NULL;
+    }
  }
  
  static void
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c

index fa4fb4699e41dd55e022b2a5440237ee20c1707f..7e91946095b2f99130639870d112456ad176cb54 100755 (executable)
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
  
  #include "krb5_locl.h"
  
-RCSID("$Id: pkinit.c,v 1.88 2006/04/23 21:30:17 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.98 2006/05/06 13:24:54 lha Exp $");
  
  struct krb5_dh_moduli {
      char *name;
@@ -84,6 +84,7 @@ struct krb5_pk_init_ctx_data {
      int require_binding;
      int require_eku;
      int require_krbtgt_otherName;
+    int require_hostname_match;
  };
  
  void KRB5_LIB_FUNCTION
@@ -161,6 +162,109 @@ _krb5_pk_create_sign(krb5_context context,
      return ret;
  }
  
+static int
+cert2epi(hx509_context context, void *ctx, hx509_cert c)
+{
+    ExternalPrincipalIdentifiers *ids = ctx;
+    ExternalPrincipalIdentifier id;
+    hx509_name subject = NULL;
+    void *p;
+    int ret;
+
+    memset(&id, 0, sizeof(id));
+
+    ret = hx509_cert_get_subject(c, &subject);
+    if (ret)
+       return ret;
+
+    if (hx509_name_is_null_p(subject) != 0) {
+
+       id.subjectName = calloc(1, sizeof(*id.subjectName));
+       if (id.subjectName == NULL) {
+           hx509_name_free(&subject);
+           free_ExternalPrincipalIdentifier(&id);
+           return ENOMEM;
+       }
+    
+       ret = hx509_name_to_der_name(subject, &id.subjectName->data,
+                                    &id.subjectName->length);
+       if (ret) {
+           hx509_name_free(&subject);
+           free_ExternalPrincipalIdentifier(&id);
+           return ret;
+       }
+    }
+    hx509_name_free(&subject);
+
+
+    id.issuerAndSerialNumber = calloc(1, sizeof(*id.issuerAndSerialNumber));
+    if (id.issuerAndSerialNumber == NULL) {
+       free_ExternalPrincipalIdentifier(&id);
+       return ENOMEM;
+    }
+
+    {
+       IssuerAndSerialNumber iasn;
+       hx509_name issuer;
+       size_t size;
+       
+       memset(&iasn, 0, sizeof(iasn));
+
+       ret = hx509_cert_get_issuer(c, &issuer);
+       if (ret) {
+           free_ExternalPrincipalIdentifier(&id);
+           return ret;
+       }
+
+       ret = hx509_name_to_Name(issuer, &iasn.issuer);
+       hx509_name_free(&issuer);
+       if (ret) {
+           free_ExternalPrincipalIdentifier(&id);
+           return ret;
+       }
+       
+       ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
+       if (ret) {
+           free_IssuerAndSerialNumber(&iasn);
+           free_ExternalPrincipalIdentifier(&id);
+           return ret;
+       }
+
+       ASN1_MALLOC_ENCODE(IssuerAndSerialNumber,
+                          id.issuerAndSerialNumber->data, 
+                          id.issuerAndSerialNumber->length,
+                          &iasn, &size, ret);
+       free_IssuerAndSerialNumber(&iasn);
+       if (ret)
+           return ret;
+       if (id.issuerAndSerialNumber->length != size)
+           abort();
+    }
+
+    id.subjectKeyIdentifier = NULL;
+
+    p = realloc(ids->val, sizeof(ids->val[0]) * (ids->len + 1)); 
+    if (p == NULL) {
+       free_ExternalPrincipalIdentifier(&id);
+       return ENOMEM;
+    }
+
+    ids->val = p;
+    ids->val[ids->len] = id;
+    ids->len++;
+
+    return 0;
+}
+
+static krb5_error_code
+build_edi(krb5_context context,
+         hx509_context hx509ctx,
+         hx509_certs certs,
+         ExternalPrincipalIdentifiers *ids)
+{
+    return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
+}
+
  static krb5_error_code
  build_auth_pack(krb5_context context,
                 unsigned nonce,
@@ -446,8 +550,19 @@ pk_mk_padata(krb5_context context,
         memset(&req, 0, sizeof(req));
         req.signedAuthPack = buf;       
  
-       /* XXX tell the kdc what CAs the client is willing to accept */
-       req.trustedCertifiers = NULL;
+       req.trustedCertifiers = calloc(1, sizeof(*req.trustedCertifiers));
+       if (req.trustedCertifiers == NULL) {
+           krb5_set_error_string(context, "malloc: out of memory");
+           free_PA_PK_AS_REQ(&req);
+           goto out;
+       }
+       ret = build_edi(context, ctx->id->hx509ctx, 
+                       ctx->id->anchors, req.trustedCertifiers);
+       if (ret) {
+           krb5_set_error_string(context, "pk-init: failed to build trustedCertifiers");
+           free_PA_PK_AS_REQ(&req);
+           goto out;
+       }
         req.kdcPkId = NULL;
  
         ASN1_MALLOC_ENCODE(PA_PK_AS_REQ, buf.data, buf.length,
@@ -524,6 +639,13 @@ _krb5_pk_mk_padata(krb5_context context,
                                      "pkinit_require_krbtgt_otherName",
                                      NULL);
  
+    ctx->require_hostname_match = 
+       krb5_config_get_bool_default(context, NULL,
+                                    FALSE,
+                                    "realms",
+                                    req_body->realm,
+                                    "pkinit_require_hostname_match",
+                                    NULL);
  
      return pk_mk_padata(context, type, ctx, req_body, nonce, md);
  }
@@ -710,6 +832,8 @@ get_reply_key(krb5_context context,
  
  static krb5_error_code
  pk_verify_host(krb5_context context,
+              const char *realm,
+              const krb5_krbhst_info *hi,
                struct krb5_pk_init_ctx_data *ctx,
                struct krb5_pk_cert *host)
  {
@@ -719,13 +843,12 @@ pk_verify_host(krb5_context context,
         ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
                                    oid_id_pkkdcekuoid(), 0);
         if (ret) {
-           krb5_clear_error_string(context);
+           krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
             return ret;
         }
      }
      if (ctx->require_krbtgt_otherName) {
         hx509_octet_string_list list;
-       krb5_error_code ret;
         int i;
  
         ret = hx509_cert_find_subjectAltName_otherName(host->cert,
@@ -738,6 +861,7 @@ pk_verify_host(krb5_context context,
  
         for (i = 0; i < list.len; i++) {
             KRB5PrincipalName r;
+
             ret = decode_KRB5PrincipalName(list.val[i].data,
                                            list.val[i].length,
                                            &r,
@@ -747,13 +871,15 @@ pk_verify_host(krb5_context context,
                 break;
             }
  
-#if 0
-           if (r.principalName.name.len != 2) {
-               krb5_clear_error_string(context);
+           if (r.principalName.name_string.len != 2 ||
+               strcmp(r.principalName.name_string.val[0], KRB5_TGS_NAME) != 0 ||
+               strcmp(r.principalName.name_string.val[1], realm) != 0 ||
+               strcmp(r.realm, realm) != 0)
+           {
+               krb5_set_error_string(context, "KDC have wrong realm name in "
+                                     "the certificate");
                 ret = EINVAL;
             }
-#endif
-           /* XXX verify realm */
  
             free_KRB5PrincipalName(&r);
             if (ret)
@@ -761,14 +887,26 @@ pk_verify_host(krb5_context context,
         }
         hx509_free_octet_string_list(&list);
      }
+    if (ret)
+       return ret;
+    
+    if (hi) {
+       ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, 
+                                   ctx->require_hostname_match,
+                                   hi->hostname,
+                                   hi->ai->ai_addr, hi->ai->ai_addrlen);
  
+       if (ret)
+           krb5_set_error_string(context, "Address mismatch in the KDC certificate");
+    }
      return ret;
  }
  
  static krb5_error_code
  pk_rd_pa_reply_enckey(krb5_context context,
                       int type,
-                      ContentInfo *rep,
+                      const ContentInfo *rep,
+                     const char *realm,
                       krb5_pk_init_ctx ctx,
                       krb5_enctype etype,
                       const krb5_krbhst_info *hi,
@@ -846,7 +984,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
         goto out;
  
      /* make sure that it is the kdc's certificate */
-    ret = pk_verify_host(context, ctx, host);
+    ret = pk_verify_host(context, realm, hi, ctx, host);
      if (ret) {
         krb5_set_error_string(context, "PKINIT: failed verify host: %d", ret);
         goto out;
@@ -894,7 +1032,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
  
  static krb5_error_code
  pk_rd_pa_reply_dh(krb5_context context,
-                  ContentInfo *rep,
+                  const ContentInfo *rep,
+                 const char *realm,
                   krb5_pk_init_ctx ctx,
                   krb5_enctype etype,
                   const krb5_krbhst_info *hi,
@@ -938,7 +1077,7 @@ pk_rd_pa_reply_dh(krb5_context context,
         goto out;
  
      /* make sure that it is the kdc's certificate */
-    ret = pk_verify_host(context, ctx, host);
+    ret = pk_verify_host(context, realm, hi, ctx, host);
      if (ret)
         goto out;
  
@@ -1066,6 +1205,7 @@ pk_rd_pa_reply_dh(krb5_context context,
  
  krb5_error_code KRB5_LIB_FUNCTION
  _krb5_pk_rd_pa_reply(krb5_context context,
+                    const char *realm,
                      void *c,
                      krb5_enctype etype,
                      const krb5_krbhst_info *hi,
@@ -1106,7 +1246,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
                 free_PA_PK_AS_REP(&rep);
                 break;
             }
-           ret = pk_rd_pa_reply_dh(context, &ci, ctx, etype, hi,
+           ret = pk_rd_pa_reply_dh(context, &ci, realm, ctx, etype, hi,
                                     ctx->clientDHNonce,
                                     rep.u.dhInfo.serverDHNonce,
                                     nonce, pa, key);
@@ -1126,7 +1266,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
                                       "ContentInfo: %d", ret);
                 break;
             }
-           ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, ctx,
+           ret = pk_rd_pa_reply_enckey(context, COMPAT_IETF, &ci, realm, ctx,
                                         etype, hi, nonce, req_buffer, pa, key);
             free_ContentInfo(&ci);
             return ret;
@@ -1173,7 +1313,7 @@ _krb5_pk_rd_pa_reply(krb5_context context,
                                       ret);
                 return ret;
             }
-           ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, ctx,
+           ret = pk_rd_pa_reply_enckey(context, COMPAT_WIN2K, &ci, realm, ctx,
                                         etype, hi, nonce, req_buffer, pa, key);
             free_ContentInfo(&ci);
             break;
@@ -1204,8 +1344,8 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
      krb5_data password_data;
      struct prompter *p = data;
     
-    password_data.data   = prompter->reply->data;
-    password_data.length = prompter->reply->length;
+    password_data.data   = prompter->reply.data;
+    password_data.length = prompter->reply.length;
      prompt.prompt = "Enter your private key passphrase: ";
      prompt.hidden = 1;
      prompt.reply  = &password_data;
@@ -1216,12 +1356,21 @@ hx_pass_prompter(void *data, const hx509_prompt *prompter)
     
      ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
      if (ret) {
-       memset (prompter->reply->data, 0, prompter->reply->length);
+       memset (prompter->reply.data, 0, prompter->reply.length);
         return 0;
      }
-    return strlen(prompter->reply->data);
+    return strlen(prompter->reply.data);
+}
+
+
+void KRB5_LIB_FUNCTION
+_krb5_pk_allow_proxy_certificate(struct krb5_pk_identity *id,
+                                int boolean)
+{
+    hx509_verify_set_proxy_certificate(id->verify_ctx, boolean);
  }
  
+
  krb5_error_code KRB5_LIB_FUNCTION
  _krb5_pk_load_id(krb5_context context,
                  struct krb5_pk_identity **ret_id,
@@ -1715,7 +1864,7 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
         }
  
         if (DH_generate_key(opt->opt_private->pk_init_ctx->dh) != 1) {
-           krb5_set_error_string(context, "malloc: out of memory");
+           krb5_set_error_string(context, "pkinit: failed to generate DH key");
             _krb5_get_init_creds_opt_free_pkinit(opt);
             return ENOMEM;
         }
diff --git a/source4/heimdal/lib/krb5/principal.c b/source4/heimdal/lib/krb5/principal.c

index 34086b1fbe2c7d233f688351e57a6e12ccf3694b..f6e3847cceafa94b4be4d34326ffb71ffd866232 100644 (file)
--- a/source4/heimdal/lib/krb5/principal.c
+++ b/source4/heimdal/lib/krb5/principal.c
@@ -41,7 +41,7 @@
  #include <fnmatch.h>
  #include "resolve.h"
  
-RCSID("$Id: principal.c,v 1.94 2006/04/10 10:10:01 lha Exp $");
+RCSID("$Id: principal.c,v 1.95 2006/04/24 15:16:14 lha Exp $");
  
  #define princ_num_comp(P) ((P)->name.name_string.len)
  #define princ_type(P) ((P)->name.name_type)
@@ -829,7 +829,6 @@ krb5_425_conv_principal_ext2(krb5_context context,
         if (r) {
             if (r->head && r->head->type == T_AAAA) {
                 inst = strdup(r->head->domain);
-               dns_free_data(r);
                 passed = TRUE;
             }
             dns_free_data(r);
diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c

index 4a567bb379c80bb02979e3e85018e8c6f2ac3453..a6f4a011a1bbdf398fbe45ae7be7a5a1cb6e5660 100644 (file)
--- a/source4/heimdal/lib/krb5/store.c
+++ b/source4/heimdal/lib/krb5/store.c
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
   * (Royal Institute of Technology, Stockholm, Sweden). 
   * All rights reserved. 
   *
@@ -34,7 +34,7 @@
  #include "krb5_locl.h"
  #include "store-int.h"
  
-RCSID("$Id: store.c,v 1.51 2006/04/07 22:23:20 lha Exp $");
+RCSID("$Id: store.c,v 1.58 2006/05/05 07:15:18 lha Exp $");
  
  #define BYTEORDER_IS(SP, V) (((SP)->flags & KRB5_STORAGE_BYTEORDER_MASK) == (V))
  #define BYTEORDER_IS_LE(SP) BYTEORDER_IS((SP), KRB5_STORAGE_BYTEORDER_LE)
@@ -181,6 +181,13 @@ krb5_store_int32(krb5_storage *sp,
      return krb5_store_int(sp, value, 4);
  }
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint32(krb5_storage *sp,
+                 uint32_t value)
+{
+    return krb5_store_int32(sp, (int32_t)value);
+}
+
  static krb5_error_code
  krb5_ret_int(krb5_storage *sp,
              int32_t *value,
@@ -211,6 +218,20 @@ krb5_ret_int32(krb5_storage *sp,
      return 0;
  }
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint32(krb5_storage *sp,
+               uint32_t *value)
+{
+    krb5_error_code ret;
+    int32_t v;
+
+    ret = krb5_ret_int32(sp, &v);
+    if (ret == 0)
+       *value = (uint32_t)v;
+
+    return ret;
+}
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_store_int16(krb5_storage *sp,
                  int16_t value)
@@ -222,6 +243,13 @@ krb5_store_int16(krb5_storage *sp,
      return krb5_store_int(sp, value, 2);
  }
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint16(krb5_storage *sp,
+                 uint16_t value)
+{
+    return krb5_store_int16(sp, (int16_t)value);
+}
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_ret_int16(krb5_storage *sp,
                int16_t *value)
@@ -239,6 +267,20 @@ krb5_ret_int16(krb5_storage *sp,
      return 0;
  }
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint16(krb5_storage *sp,
+               uint16_t *value)
+{
+    krb5_error_code ret;
+    int16_t v;
+
+    ret = krb5_ret_int16(sp, &v);
+    if (ret == 0)
+       *value = (uint16_t)v;
+
+    return ret;
+}
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_store_int8(krb5_storage *sp,
                 int8_t value)
@@ -251,6 +293,13 @@ krb5_store_int8(krb5_storage *sp,
      return 0;
  }
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_store_uint8(krb5_storage *sp,
+                uint8_t value)
+{
+    return krb5_store_int8(sp, (int8_t)value);
+}
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_ret_int8(krb5_storage *sp,
               int8_t *value)
@@ -263,6 +312,20 @@ krb5_ret_int8(krb5_storage *sp,
      return 0;
  }
  
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_ret_uint8(krb5_storage *sp,
+              uint8_t *value)
+{
+    krb5_error_code ret;
+    int8_t v;
+
+    ret = krb5_ret_int8(sp, &v);
+    if (ret == 0)
+       *value = (uint8_t)v;
+
+    return ret;
+}
+
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_store_data(krb5_storage *sp,
                 krb5_data data)
@@ -380,19 +443,19 @@ krb5_ret_stringz(krb5_storage *sp,
  
  krb5_error_code KRB5_LIB_FUNCTION
  krb5_store_principal(krb5_storage *sp,
-                    krb5_principal p)
+                    krb5_const_principal p)
  {
      int i;
      int ret;
  
      if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
-    ret = krb5_store_int32(sp, p->name.name_type);
-    if(ret) return ret;
+       ret = krb5_store_int32(sp, p->name.name_type);
+       if(ret) return ret;
      }
      if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
         ret = krb5_store_int32(sp, p->name.name_string.len + 1);
      else
-    ret = krb5_store_int32(sp, p->name.name_string.len);
+       ret = krb5_store_int32(sp, p->name.name_string.len);
      
      if(ret) return ret;
      ret = krb5_store_string(sp, p->realm);
@@ -710,7 +773,7 @@ krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
       * format.
       */
      {
-       u_int32_t mask = 0xffff0000;
+       uint32_t mask = 0xffff0000;
         creds->flags.i = 0;
         creds->flags.b.anonymous = 1;
         if (creds->flags.i & mask)
@@ -865,7 +928,7 @@ krb5_ret_creds_tag(krb5_storage *sp,
       * format.
       */
      {
-       u_int32_t mask = 0xffff0000;
+       uint32_t mask = 0xffff0000;
         creds->flags.i = 0;
         creds->flags.b.anonymous = 1;
         if (creds->flags.i & mask)
diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c

index dd294c8943ecd2a4fe97ec29d1fd3893f1d49c02..b1e12674dc821ceb48b21eb65fca3941859274e0 100644 (file)
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
   */
  
  #include "krb5_locl.h"
-RCSID("$Id: v4_glue.c,v 1.3 2006/04/02 01:39:54 lha Exp $");
+RCSID("$Id: v4_glue.c,v 1.5 2006/05/05 09:31:00 lha Exp $");
  
  #include "krb5-v4compat.h"
  
@@ -463,10 +463,10 @@ _krb5_krb_create_ciph(krb5_context context,
                       const char *service,
                       const char *instance,
                       const char *realm,
-                     u_int32_t life,
+                     uint32_t life,
                       unsigned char kvno,
                       const krb5_data *ticket,
-                     u_int32_t kdc_time,
+                     uint32_t kdc_time,
                       const krb5_keyblock *key,
                       krb5_data *enc_data)
  {
@@ -523,7 +523,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
                             const char *prealm,
                             int32_t time_ws,
                             int n,
-                           u_int32_t x_date,
+                           uint32_t x_date,
                             unsigned char kvno,
                             const krb5_data *cipher,
                             krb5_data *data)
@@ -573,8 +573,8 @@ _krb5_krb_cr_err_reply(krb5_context context,
                        const char *name,
                        const char *inst,
                        const char *realm,
-                      u_int32_t time_ws,
-                      u_int32_t e,
+                      uint32_t time_ws,
+                      uint32_t e,
                        const char *e_string,
                        krb5_data *data)
  {
@@ -668,7 +668,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
      RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
      RCHECK(ret, get_v4_stringz(sp, &ad->pinst, INST_SZ), error);
      RCHECK(ret, get_v4_stringz(sp, &ad->prealm, REALM_SZ), error);
-    RCHECK(ret, krb5_ret_int32(sp, &ad->address), error);
+    RCHECK(ret, krb5_ret_uint32(sp, &ad->address), error);
         
      size = krb5_storage_read(sp, des_key, sizeof(des_key));
      if (size != sizeof(des_key)) {
@@ -676,14 +676,14 @@ _krb5_krb_decomp_ticket(krb5_context context,
         goto error;
      }
  
-    RCHECK(ret, krb5_ret_int8(sp, &ad->life), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &ad->life), error);
  
      if (ad->k_flags & 1)
         krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE);
      else
         krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_BE);
  
-    RCHECK(ret, krb5_ret_int32(sp, &ad->time_sec), error);
+    RCHECK(ret, krb5_ret_uint32(sp, &ad->time_sec), error);
  
      RCHECK(ret, get_v4_stringz(sp, sname, ANAME_SZ), error);
      RCHECK(ret, get_v4_stringz(sp, sinstance, INST_SZ), error);
@@ -744,9 +744,9 @@ _krb5_krb_rd_req(krb5_context context,
      int8_t pvno;
      int8_t type;
      int8_t s_kvno;
-    u_int8_t ticket_length;
-    u_int8_t eaut_length;
-    u_int8_t time_5ms;
+    uint8_t ticket_length;
+    uint8_t eaut_length;
+    uint8_t time_5ms;
      char *realm = NULL;
      char *sname = NULL;
      char *sinstance = NULL;
@@ -754,7 +754,7 @@ _krb5_krb_rd_req(krb5_context context,
      char *r_name = NULL;
      char *r_instance = NULL;
  
-    u_int32_t r_time_sec;      /* Coarse time from authenticator */
+    uint32_t r_time_sec;       /* Coarse time from authenticator */
      unsigned long delta_t;      /* Time in authenticator - local time */
      long tkt_age;              /* Age of ticket */
  
@@ -795,8 +795,8 @@ _krb5_krb_rd_req(krb5_context context,
  
      RCHECK(ret, krb5_ret_int8(sp, &s_kvno), error);
      RCHECK(ret, get_v4_stringz(sp, &realm, REALM_SZ), error);
-    RCHECK(ret, krb5_ret_int8(sp, &ticket_length), error);
-    RCHECK(ret, krb5_ret_int8(sp, &eaut_length), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &ticket_length), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &eaut_length), error);
      RCHECK(ret, krb5_data_alloc(&ticket, ticket_length), error);
  
      size = krb5_storage_read(sp, ticket.data, ticket.length);
@@ -842,9 +842,9 @@ _krb5_krb_rd_req(krb5_context context,
      RCHECK(ret, get_v4_stringz(sp, &r_instance, INST_SZ), error);
      RCHECK(ret, get_v4_stringz(sp, &r_realm, REALM_SZ), error);
  
-    RCHECK(ret, krb5_ret_int32(sp, &ad->checksum), error);
-    RCHECK(ret, krb5_ret_int8(sp, &time_5ms), error);
-    RCHECK(ret, krb5_ret_int32(sp, &r_time_sec), error);
+    RCHECK(ret, krb5_ret_uint32(sp, &ad->checksum), error);
+    RCHECK(ret, krb5_ret_uint8(sp, &time_5ms), error);
+    RCHECK(ret, krb5_ret_uint32(sp, &r_time_sec), error);
  
      if (strcmp(ad->pname, r_name) != 0 ||
         strcmp(ad->pinst, r_instance) != 0 ||
@@ -853,7 +853,7 @@ _krb5_krb_rd_req(krb5_context context,
         goto error;
      }
      
-    if (from_addr && from_addr == ad->address) {
+    if (from_addr && from_addr != ad->address) {
         ret = EINVAL; /* RD_AP_BADD */
         goto error;
      }
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c

index 5fd48c49ef9b05cc4646cbb9f8c9bc880240869c..c1d74ee406b83b67e8704b82fb6ca8f627031e11 100644 (file)
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -590,195 +590,233 @@ static krb5_error_code LDB_rename(krb5_context context, HDB *db, const char *new
         return HDB_ERR_DB_INUSE;
  }
  
-static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
-                                krb5_const_principal principal,
-                                enum hdb_ent_type ent_type,
-                                hdb_entry_ex *entry_ex)
-{
+static krb5_error_code LDB_fetch_client(krb5_context context, HDB *db, 
+                                       TALLOC_CTX *mem_ctx, 
+                                       krb5_const_principal principal,
+                                       unsigned flags,
+                                       hdb_entry_ex *entry_ex) {
+       NTSTATUS nt_status;
+       char *principal_string;
+       krb5_error_code ret;
         struct ldb_message **msg = NULL;
         struct ldb_message **realm_ref_msg = NULL;
-       struct ldb_message **realm_fixed_msg = NULL;
-       enum hdb_ldb_ent_type ldb_ent_type;
-       krb5_error_code ret;
-
-       const char *realm;
-       const struct ldb_dn *realm_dn;
-       TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
  
-       if (!mem_ctx) {
-               krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
+       ret = krb5_unparse_name(context, principal, &principal_string);
+       
+       if (ret != 0) {
+               return ret;
+       }
+       
+       nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
+                                             mem_ctx, principal_string, 
+                                             &msg, &realm_ref_msg);
+       free(principal_string);
+       if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+               talloc_free(mem_ctx);
+               return HDB_ERR_NOENTRY;
+       } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
+               talloc_free(mem_ctx);
                 return ENOMEM;
+       } else if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(mem_ctx);
+               return EINVAL;
         }
+       
+       ret = LDB_message2entry(context, db, mem_ctx, 
+                               principal, HDB_LDB_ENT_TYPE_CLIENT,
+                               msg[0], realm_ref_msg[0], entry_ex);
+       return ret;
+}
  
-       switch (ent_type) {
-       case HDB_ENT_TYPE_CLIENT:
-       {
-               NTSTATUS nt_status;
-               char *principal_string;
-               ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT;
+static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db, 
+                                       TALLOC_CTX *mem_ctx, 
+                                       krb5_const_principal principal,
+                                       unsigned flags,
+                                       hdb_entry_ex *entry_ex)
+{
+       krb5_error_code ret;
+       struct ldb_message **msg = NULL;
+       struct ldb_message **realm_ref_msg = NULL;
+       const struct ldb_dn *realm_dn;
+
+       krb5_principal alloc_principal = NULL;
+       if (principal->name.name_string.len != 2
+           || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
+               /* Not a krbtgt */
+               return HDB_ERR_NOENTRY;
+       }
  
-               ret = krb5_unparse_name(context, principal, &principal_string);
+       /* krbtgt case.  Either us or a trusted realm */
+       if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
+                             mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
+               /* us */
+               /* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
+                * is in our db, then direct the caller at our primary
+                * krgtgt */
                 
-               if (ret != 0) {
-                       talloc_free(mem_ctx);
+               const char *dnsdomain = ldb_msg_find_string(realm_ref_msg[0], "dnsRoot", NULL);
+               char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
+               if (!realm_fixed) {
+                       krb5_set_error_string(context, "strupper_talloc: out of memory");
+                       return ENOMEM;
+               }
+               
+               ret = krb5_copy_principal(context, principal, &alloc_principal);
+               if (ret) {
                         return ret;
                 }
  
-               nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
-                                                     mem_ctx, principal_string, 
-                                                     &msg, &realm_ref_msg);
-               free(principal_string);
-               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
-                       talloc_free(mem_ctx);
-                       return HDB_ERR_NOENTRY;
-               } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
-                       talloc_free(mem_ctx);
+               free(alloc_principal->name.name_string.val[1]);
+               alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
+               talloc_free(realm_fixed);
+               if (!alloc_principal->name.name_string.val[1]) {
+                       krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
                         return ENOMEM;
-               } else if (!NT_STATUS_IS_OK(nt_status)) {
-                       talloc_free(mem_ctx);
-                       return EINVAL;
                 }
+               principal = alloc_principal;
+               realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+               
+       } else {
+               /* we should lookup trusted domains */
+               return HDB_ERR_NOENTRY;
+       }
  
-               ret = LDB_message2entry(context, db, mem_ctx, 
-                                       principal, ldb_ent_type, 
-                                       msg[0], realm_ref_msg[0], entry_ex);
-
-               talloc_free(mem_ctx);
+       realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+       
+       ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, 
+                                  mem_ctx, 
+                                  principal, HDB_LDB_ENT_TYPE_KRBTGT, realm_dn, &msg);
+       
+       if (ret != 0) {
+               krb5_warnx(context, "LDB_fetch: could not find principal in DB");
+               krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
                 return ret;
         }
-       case HDB_ENT_TYPE_SERVER:
-               if (principal->name.name_string.len == 2
-                   && (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) == 0)) {
-                       /* krbtgt case.  Either us or a trusted realm */
-                       if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
-                                             mem_ctx, principal->name.name_string.val[1], &realm_fixed_msg) == 0)) {
-                               /* us */
-                               /* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
-                                * is in our db, then direct the caller at our primary
-                                * krgtgt */
-
-                               const char *dnsdomain = ldb_msg_find_string(realm_fixed_msg[0], "dnsRoot", NULL);
-                               char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
-                               if (!realm_fixed) {
-                                       krb5_set_error_string(context, "strupper_talloc: out of memory");
-                                       talloc_free(mem_ctx);
-                                       return ENOMEM;
-                               }
-                               
-                               free(principal->name.name_string.val[1]);
-                               principal->name.name_string.val[1] = strdup(realm_fixed);
-                               talloc_free(realm_fixed);
-                               if (!principal->name.name_string.val[1]) {
-                                       krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
-                                       talloc_free(mem_ctx);
-                                       return ENOMEM;
-                               }
-                               ldb_ent_type = HDB_LDB_ENT_TYPE_KRBTGT;
-                               break;
-                       } else {
-                               /* we should lookup trusted domains */
-                               talloc_free(mem_ctx);
-                               return HDB_ERR_NOENTRY;
-                       }
  
-               } else if (principal->name.name_string.len >= 2) {
-                       /* 'normal server' case */
-                       int ldb_ret;
-                       NTSTATUS nt_status;
-                       struct ldb_dn *user_dn, *domain_dn;
-                       char *principal_string;
-                       ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
-                       
-                       ret = krb5_unparse_name_norealm(context, principal, &principal_string);
-                       
-                       if (ret != 0) {
-                               talloc_free(mem_ctx);
-                               return ret;
-                       }
-                       
-                       /* At this point we may find the host is known to be
-                        * in a different realm, so we should generate a
-                        * referral instead */
-                       nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
-                                                                mem_ctx, principal_string, 
-                                                                &user_dn, &domain_dn);
-                       free(principal_string);
-                       
-                       if (!NT_STATUS_IS_OK(nt_status)) {
-                               talloc_free(mem_ctx);
-                               return HDB_ERR_NOENTRY;
-                       }
-                       
-                       ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
-                                                 mem_ctx, user_dn, &msg, krb5_attrs);
-                       
-                       if (ldb_ret != 1) {
-                               talloc_free(mem_ctx);
-                               return HDB_ERR_NOENTRY;
-                       }
-                       
-                       ldb_ret = gendb_search((struct ldb_context *)db->hdb_db,
-                                              mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs, 
-                                              "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn));
-                       
-                       if (ldb_ret != 1) {
-                               talloc_free(mem_ctx);
-                               return HDB_ERR_NOENTRY;
-                       }
+       ret = LDB_message2entry(context, db, mem_ctx, 
+                               principal, HDB_LDB_ENT_TYPE_KRBTGT, 
+                               msg[0], realm_ref_msg[0], entry_ex);
+       if (ret != 0) {
+               krb5_warnx(context, "LDB_fetch: message2entry failed"); 
+       }
+       return ret;
+}
  
-                       ret = LDB_message2entry(context, db, mem_ctx, 
-                                               principal, ldb_ent_type, 
-                                               msg[0], realm_ref_msg[0], entry_ex);
-                       talloc_free(mem_ctx);
+static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db, 
+                                       TALLOC_CTX *mem_ctx, 
+                                       krb5_const_principal principal,
+                                       unsigned flags,
+                                       hdb_entry_ex *entry_ex)
+{
+       krb5_error_code ret;
+       const char *realm;
+       struct ldb_message **msg = NULL;
+       struct ldb_message **realm_ref_msg = NULL;
+       if (principal->name.name_string.len >= 2) {
+               /* 'normal server' case */
+               int ldb_ret;
+               NTSTATUS nt_status;
+               struct ldb_dn *user_dn, *domain_dn;
+               char *principal_string;
+               
+               ret = krb5_unparse_name_norealm(context, principal, &principal_string);
+               if (ret != 0) {
                         return ret;
-                       
-               } else {
-                       ldb_ent_type = HDB_LDB_ENT_TYPE_SERVER;
-                       /* server as client principal case, but we must not lookup userPrincipalNames */
-                       break;
                 }
-       case HDB_ENT_TYPE_ANY:
-               krb5_warnx(context, "LDB_fetch: ENT_TYPE_ANY is not valid in hdb-ldb!");
-               talloc_free(mem_ctx);
-               return HDB_ERR_NOENTRY;
-       default:
-               krb5_warnx(context, "LDB_fetch: invalid ent_type specified!");
-               talloc_free(mem_ctx);
-               return HDB_ERR_NOENTRY;
-       }
-
+               
+               /* At this point we may find the host is known to be
+                * in a different realm, so we should generate a
+                * referral instead */
+               nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db,
+                                                        mem_ctx, principal_string, 
+                                                        &user_dn, &domain_dn);
+               free(principal_string);
+               
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       return HDB_ERR_NOENTRY;
+               }
+               
+               ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
+                                         mem_ctx, user_dn, &msg, krb5_attrs);
+               
+               if (ldb_ret != 1) {
+                       return HDB_ERR_NOENTRY;
+               }
+               
+               ldb_ret = gendb_search((struct ldb_context *)db->hdb_db,
+                                      mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs, 
+                                      "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn));
+               
+               if (ldb_ret != 1) {
+                       return HDB_ERR_NOENTRY;
+               }
+               
+       } else {
+               const struct ldb_dn *realm_dn;
+               /* server as client principal case, but we must not lookup userPrincipalNames */
  
-       realm = krb5_principal_get_realm(context, principal);
+               realm = krb5_principal_get_realm(context, principal);
+               
+               ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, 
+                                      mem_ctx, realm, &realm_ref_msg);
+               if (ret != 0) {
+                       return HDB_ERR_NOENTRY;
+               }
+               
+               realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+               
+               ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, 
+                                          mem_ctx, 
+                                          principal, HDB_LDB_ENT_TYPE_SERVER, realm_dn, &msg);
+               
+               if (ret != 0) {
+                       return ret;
+               }
+       }
  
-       ret = LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db, 
-                              mem_ctx, realm, &realm_ref_msg);
+       ret = LDB_message2entry(context, db, mem_ctx, 
+                               principal, HDB_LDB_ENT_TYPE_SERVER,
+                               msg[0], realm_ref_msg[0], entry_ex);
         if (ret != 0) {
-               krb5_warnx(context, "LDB_fetch: could not find realm");
-               talloc_free(mem_ctx);
-               return HDB_ERR_NOENTRY;
+               krb5_warnx(context, "LDB_fetch: message2entry failed"); 
         }
  
-       realm_dn = samdb_result_dn(mem_ctx, realm_ref_msg[0], "nCName", NULL);
+       return ret;
+}
+                       
+static krb5_error_code LDB_fetch(krb5_context context, HDB *db, 
+                                krb5_const_principal principal,
+                                unsigned flags,
+                                hdb_entry_ex *entry_ex)
+{
+       krb5_error_code ret;
  
-       ret = LDB_lookup_principal(context, (struct ldb_context *)db->hdb_db, 
-                                  mem_ctx, 
-                                  principal, ldb_ent_type, realm_dn, &msg);
+       TALLOC_CTX *mem_ctx = talloc_named(db, 0, "LDB_fetch context");
  
-       if (ret != 0) {
-               krb5_warnx(context, "LDB_fetch: could not find principal in DB");
-               krb5_set_error_string(context, "LDB_fetch: could not find principal in DB");
-               talloc_free(mem_ctx);
-               return ret;
-       } else {
-               ret = LDB_message2entry(context, db, mem_ctx, 
-                                       principal, ldb_ent_type, 
-                                       msg[0], realm_ref_msg[0], entry_ex);
-               if (ret != 0) {
-                       krb5_warnx(context, "LDB_fetch: message2entry failed\n");       
-               }
+       if (!mem_ctx) {
+               krb5_set_error_string(context, "LDB_fetch: talloc_named() failed!");
+               return ENOMEM;
         }
  
-       talloc_free(mem_ctx);
+       if (flags & HDB_F_GET_CLIENT) {
+               ret = LDB_fetch_client(context, db, mem_ctx, principal, flags, entry_ex);
+               if (ret != HDB_ERR_NOENTRY) {
+                       talloc_free(mem_ctx);
+                       return ret;
+               }
+       }
+       if (flags & HDB_F_GET_SERVER) {
+               ret = LDB_fetch_server(context, db, mem_ctx, principal, flags, entry_ex);
+               if (ret != HDB_ERR_NOENTRY) {
+                       return ret;
+               }
+       }
+       if (flags & HDB_F_GET_KRBTGT) {
+               ret = LDB_fetch_krbtgt(context, db, mem_ctx, principal, flags, entry_ex);
+               if (ret != HDB_ERR_NOENTRY) {
+                       return ret;
+               }
+       }
         return ret;
  }
  
@@ -787,7 +825,7 @@ static krb5_error_code LDB_store(krb5_context context, HDB *db, unsigned flags,
         return HDB_ERR_DB_INUSE;
  }
  
-static krb5_error_code LDB_remove(krb5_context context, HDB *db, hdb_entry_ex *entry)
+static krb5_error_code LDB_remove(krb5_context context, HDB *db, krb5_const_principal principal)
  {
         return HDB_ERR_DB_INUSE;
  }
author	Andrew Bartlett <abartlet@samba.org>
	Sun, 7 May 2006 04:51:30 +0000 (04:51 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 19:05:39 +0000 (14:05 -0500)
source4/heimdal/kdc/524.c		patch \| blob \| history
source4/heimdal/kdc/kaserver.c		patch \| blob \| history
source4/heimdal/kdc/kdc-private.h		patch \| blob \| history
source4/heimdal/kdc/kdc.h		patch \| blob \| history
source4/heimdal/kdc/kerberos4.c		patch \| blob \| history
source4/heimdal/kdc/kerberos5.c		patch \| blob \| history
source4/heimdal/kdc/misc.c		patch \| blob \| history
source4/heimdal/kdc/pkinit.c		patch \| blob \| history
source4/heimdal/kdc/rx.h		patch \| blob \| history
source4/heimdal/lib/asn1/parse.c		patch \| blob \| history
source4/heimdal/lib/asn1/pkcs9.asn1		patch \| blob \| history
source4/heimdal/lib/des/aes.h		patch \| blob \| history
source4/heimdal/lib/des/des.c		patch \| blob \| history
source4/heimdal/lib/des/dh.h		patch \| blob \| history
source4/heimdal/lib/des/engine.h		patch \| blob \| history
source4/heimdal/lib/des/evp.c		patch \| blob \| history
source4/heimdal/lib/des/hash.h		patch \| blob \| history
source4/heimdal/lib/des/md4.c		patch \| blob \| history
source4/heimdal/lib/des/md4.h		patch \| blob \| history
source4/heimdal/lib/des/md5.c		patch \| blob \| history
source4/heimdal/lib/des/md5.h		patch \| blob \| history
source4/heimdal/lib/des/pkcs5.c		patch \| blob \| history
source4/heimdal/lib/des/rijndael-alg-fst.c		patch \| blob \| history
source4/heimdal/lib/des/rijndael-alg-fst.h		patch \| blob \| history
source4/heimdal/lib/des/rnd_keys.c		patch \| blob \| history
source4/heimdal/lib/des/sha.c		patch \| blob \| history
source4/heimdal/lib/des/sha.h		patch \| blob \| history
source4/heimdal/lib/des/sha256.c		patch \| blob \| history
source4/heimdal/lib/gssapi/8003.c		patch \| blob \| history
source4/heimdal/lib/gssapi/arcfour.c		patch \| blob \| history
source4/heimdal/lib/gssapi/cfx.c		patch \| blob \| history
source4/heimdal/lib/gssapi/gssapi.h		patch \| blob \| history
source4/heimdal/lib/gssapi/gssapi_locl.h		patch \| blob \| history
source4/heimdal/lib/gssapi/init_sec_context.c		patch \| blob \| history
source4/heimdal/lib/gssapi/wrap.c		patch \| blob \| history
source4/heimdal/lib/hdb/ext.c		patch \| blob \| history
source4/heimdal/lib/hdb/hdb-private.h		patch \| blob \| history
source4/heimdal/lib/hdb/hdb.c		patch \| blob \| history
source4/heimdal/lib/hdb/hdb.h		patch \| blob \| history
source4/heimdal/lib/hdb/keys.c		patch \| blob \| history
source4/heimdal/lib/hdb/keytab.c		patch \| blob \| history
source4/heimdal/lib/hdb/mkey.c		patch \| blob \| history
source4/heimdal/lib/hdb/ndbm.c		patch \| blob \| history
source4/heimdal/lib/krb5/addr_families.c		patch \| blob \| history
source4/heimdal/lib/krb5/changepw.c		patch \| blob \| history
source4/heimdal/lib/krb5/crc.c		patch \| blob \| history
source4/heimdal/lib/krb5/crypto.c		patch \| blob \| history
source4/heimdal/lib/krb5/generate_seq_number.c		patch \| blob \| history
source4/heimdal/lib/krb5/init_creds_pw.c		patch \| blob \| history
source4/heimdal/lib/krb5/kcm.c		patch \| blob \| history
source4/heimdal/lib/krb5/keytab_file.c		patch \| blob \| history
source4/heimdal/lib/krb5/keytab_keyfile.c		patch \| blob \| history
source4/heimdal/lib/krb5/krb5-private.h		patch \| blob \| history
source4/heimdal/lib/krb5/krb5-protos.h		patch \| blob \| history
source4/heimdal/lib/krb5/krb5-v4compat.h		patch \| blob \| history
source4/heimdal/lib/krb5/krb5.h		patch \| blob \| history
source4/heimdal/lib/krb5/krb5_ccapi.h		patch \| blob \| history
source4/heimdal/lib/krb5/krb5_locl.h		patch \| blob \| history
source4/heimdal/lib/krb5/log.c		patch \| blob \| history
source4/heimdal/lib/krb5/pkinit.c		patch \| blob \| history
source4/heimdal/lib/krb5/principal.c		patch \| blob \| history
source4/heimdal/lib/krb5/store.c		patch \| blob \| history
source4/heimdal/lib/krb5/v4_glue.c		patch \| blob \| history
source4/kdc/hdb-ldb.c		patch \| blob \| history