r12000: Update to current lorikeet-heimdal, including in particular support

for referencing an existing in-MEMORY keytab (required for the new way
we push that to GSSAPI).

Andrew Bartlett
(This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)

diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c
index 44dbef3c4820847e7d03f76ded20eb401f263973..fa5d709a30362756c5d00d6bac723efc41fd80af 100644 (file)
--- a/source4/heimdal/lib/gssapi/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/acquire_cred.c
@@ -33,7 +33,7 @@
 
 #include "gssapi_locl.h"
 
-RCSID("$Id: acquire_cred.c,v 1.25 2005/11/02 08:56:25 lha Exp $");
+RCSID("$Id: acquire_cred.c,v 1.27 2005/12/01 16:26:02 lha Exp $");
 
 OM_uint32
 _gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
@@ -245,6 +245,17 @@ static OM_uint32 acquire_acceptor_cred
     kret = get_keytab(context, &handle->keytab);
     if (kret)
        goto end;
+    
+    /* check that the requested principal exists in the keytab */
+    if (handle->principal) {
+       krb5_keytab_entry entry;
+
+       kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab, 
+                                handle->principal, 0, 0, &entry);
+       if (kret)
+           goto end;
+       krb5_kt_free_entry(gssapi_krb5_context, &entry);
+    }
     ret = GSS_S_COMPLETE;
  
 end:

diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index b9bea7db2e6fb0d32683ebb7d4edd6ae80c8cbf2..bd5d0db2b5a38a68d5f0ad0cd2a3470ab99e4af9 100644 (file)
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -81,7 +81,6 @@ typedef struct gss_cred_id_t_desc_struct {
   gss_name_t principal;
   int cred_flags;
 #define GSS_CF_DESTROY_CRED_ON_RELEASE 1
-  krb5_boolean made_keytab;
   struct krb5_keytab_data *keytab;
   OM_uint32 lifetime;
   gss_cred_usage_t usage;

diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c
index cca3dfe37995114d9164301c6dc82da643bc4692..fc9fc3fc01e81abe5e6a8627a77278c6d2732757 100644 (file)
--- a/source4/heimdal/lib/gssapi/release_cred.c
+++ b/source4/heimdal/lib/gssapi/release_cred.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -52,7 +52,7 @@ OM_uint32 gss_release_cred
 
     if ((*cred_handle)->principal != NULL)
         krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
-    if ((*cred_handle)->made_keytab)
+    if ((*cred_handle)->keytab != NULL)
        krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
     if ((*cred_handle)->ccache != NULL) {
        const krb5_cc_ops *ops;

diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c
index b9f1ab47e1e41d8cff6507f35bfcc85b53242c05..4cc0218a5c9641657851d87b75b329bf810a7758 100644 (file)
--- a/source4/heimdal/lib/hdb/db.c
+++ b/source4/heimdal/lib/hdb/db.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *

diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h
index f7e0c54b7cffad533f80e4f92d981d814ffd0266..4b5b4d3edeab906169730453b2fb4357ad1bfbee 100644 (file)
--- a/source4/heimdal/lib/hdb/hdb-protos.h
+++ b/source4/heimdal/lib/hdb/hdb-protos.h
@@ -8,6 +8,317 @@
 extern "C" {
 #endif
 
+unsigned
+HDBFlags2int (HDBFlags /*f*/);
+
+int
+copy_Event (
+       const Event */*from*/,
+       Event */*to*/);
+
+int
+copy_GENERATION (
+       const GENERATION */*from*/,
+       GENERATION */*to*/);
+
+int
+copy_HDBFlags (
+       const HDBFlags */*from*/,
+       HDBFlags */*to*/);
+
+int
+copy_HDB_Ext_Aliases (
+       const HDB_Ext_Aliases */*from*/,
+       HDB_Ext_Aliases */*to*/);
+
+int
+copy_HDB_Ext_Constrained_delegation_acl (
+       const HDB_Ext_Constrained_delegation_acl */*from*/,
+       HDB_Ext_Constrained_delegation_acl */*to*/);
+
+int
+copy_HDB_Ext_Lan_Manager_OWF (
+       const HDB_Ext_Lan_Manager_OWF */*from*/,
+       HDB_Ext_Lan_Manager_OWF */*to*/);
+
+int
+copy_HDB_Ext_PKINIT_acl (
+       const HDB_Ext_PKINIT_acl */*from*/,
+       HDB_Ext_PKINIT_acl */*to*/);
+
+int
+copy_HDB_Ext_PKINIT_certificate (
+       const HDB_Ext_PKINIT_certificate */*from*/,
+       HDB_Ext_PKINIT_certificate */*to*/);
+
+int
+copy_HDB_Ext_Password (
+       const HDB_Ext_Password */*from*/,
+       HDB_Ext_Password */*to*/);
+
+int
+copy_HDB_extension (
+       const HDB_extension */*from*/,
+       HDB_extension */*to*/);
+
+int
+copy_HDB_extensions (
+       const HDB_extensions */*from*/,
+       HDB_extensions */*to*/);
+
+int
+copy_Key (
+       const Key */*from*/,
+       Key */*to*/);
+
+int
+copy_Salt (
+       const Salt */*from*/,
+       Salt */*to*/);
+
+int
+copy_hdb_entry (
+       const hdb_entry */*from*/,
+       hdb_entry */*to*/);
+
+int
+decode_Event (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       Event */*data*/,
+       size_t */*size*/);
+
+int
+decode_GENERATION (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       GENERATION */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDBFlags (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDBFlags */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_Ext_Aliases (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_Ext_Aliases */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_Ext_Constrained_delegation_acl (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_Ext_Constrained_delegation_acl */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_Ext_Lan_Manager_OWF (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_Ext_Lan_Manager_OWF */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_Ext_PKINIT_acl (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_Ext_PKINIT_acl */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_Ext_PKINIT_certificate (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_Ext_PKINIT_certificate */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_Ext_Password (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_Ext_Password */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_extension (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_extension */*data*/,
+       size_t */*size*/);
+
+int
+decode_HDB_extensions (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       HDB_extensions */*data*/,
+       size_t */*size*/);
+
+int
+decode_Key (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       Key */*data*/,
+       size_t */*size*/);
+
+int
+decode_Salt (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       Salt */*data*/,
+       size_t */*size*/);
+
+int
+decode_hdb_entry (
+       const unsigned char */*p*/,
+       size_t /*len*/,
+       hdb_entry */*data*/,
+       size_t */*size*/);
+
+int
+encode_Event (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const Event */*data*/,
+       size_t */*size*/);
+
+int
+encode_GENERATION (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const GENERATION */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDBFlags (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDBFlags */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_Ext_Aliases (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_Ext_Aliases */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_Ext_Constrained_delegation_acl (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_Ext_Constrained_delegation_acl */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_Ext_Lan_Manager_OWF (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_Ext_Lan_Manager_OWF */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_Ext_PKINIT_acl (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_Ext_PKINIT_acl */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_Ext_PKINIT_certificate (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_Ext_PKINIT_certificate */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_Ext_Password (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_Ext_Password */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_extension (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_extension */*data*/,
+       size_t */*size*/);
+
+int
+encode_HDB_extensions (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const HDB_extensions */*data*/,
+       size_t */*size*/);
+
+int
+encode_Key (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const Key */*data*/,
+       size_t */*size*/);
+
+int
+encode_Salt (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const Salt */*data*/,
+       size_t */*size*/);
+
+int
+encode_hdb_entry (
+       unsigned char */*p*/,
+       size_t /*len*/,
+       const hdb_entry */*data*/,
+       size_t */*size*/);
+
+void
+free_Event (Event */*data*/);
+
+void
+free_GENERATION (GENERATION */*data*/);
+
+void
+free_HDBFlags (HDBFlags */*data*/);
+
+void
+free_HDB_Ext_Aliases (HDB_Ext_Aliases */*data*/);
+
+void
+free_HDB_Ext_Constrained_delegation_acl (HDB_Ext_Constrained_delegation_acl */*data*/);
+
+void
+free_HDB_Ext_Lan_Manager_OWF (HDB_Ext_Lan_Manager_OWF */*data*/);
+
+void
+free_HDB_Ext_PKINIT_acl (HDB_Ext_PKINIT_acl */*data*/);
+
+void
+free_HDB_Ext_PKINIT_certificate (HDB_Ext_PKINIT_certificate */*data*/);
+
+void
+free_HDB_Ext_Password (HDB_Ext_Password */*data*/);
+
+void
+free_HDB_extension (HDB_extension */*data*/);
+
+void
+free_HDB_extensions (HDB_extensions */*data*/);
+
+void
+free_Key (Key */*data*/);
+
+void
+free_Salt (Salt */*data*/);
+
+void
+free_hdb_entry (hdb_entry */*data*/);
+
 krb5_error_code
 hdb_add_master_key (
        krb5_context /*context*/,
@@ -302,6 +613,57 @@ hdb_write_master_key (
        const char */*filename*/,
        hdb_master_key /*mkey*/);
 
+void
+initialize_hdb_error_table (void);
+
+void
+initialize_hdb_error_table_r (struct et_list **/*list*/);
+
+HDBFlags
+int2HDBFlags (unsigned /*n*/);
+
+size_t
+length_Event (const Event */*data*/);
+
+size_t
+length_GENERATION (const GENERATION */*data*/);
+
+size_t
+length_HDBFlags (const HDBFlags */*data*/);
+
+size_t
+length_HDB_Ext_Aliases (const HDB_Ext_Aliases */*data*/);
+
+size_t
+length_HDB_Ext_Constrained_delegation_acl (const HDB_Ext_Constrained_delegation_acl */*data*/);
+
+size_t
+length_HDB_Ext_Lan_Manager_OWF (const HDB_Ext_Lan_Manager_OWF */*data*/);
+
+size_t
+length_HDB_Ext_PKINIT_acl (const HDB_Ext_PKINIT_acl */*data*/);
+
+size_t
+length_HDB_Ext_PKINIT_certificate (const HDB_Ext_PKINIT_certificate */*data*/);
+
+size_t
+length_HDB_Ext_Password (const HDB_Ext_Password */*data*/);
+
+size_t
+length_HDB_extension (const HDB_extension */*data*/);
+
+size_t
+length_HDB_extensions (const HDB_extensions */*data*/);
+
+size_t
+length_Key (const Key */*data*/);
+
+size_t
+length_Salt (const Salt */*data*/);
+
+size_t
+length_hdb_entry (const hdb_entry */*data*/);
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index e8161afbc1d99c3e37aae76336769b850061da4c..df342ffadfefe60f6725f0331b7e205084e5863b 100644 (file)
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -33,7 +33,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: hdb.c,v 1.56 2005/10/19 13:51:40 lha Exp $");
+RCSID("$Id: hdb.c,v 1.59 2005/11/30 12:22:09 lha Exp $");
 
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
@@ -53,16 +53,17 @@ static struct hdb_method methods[] = {
 #endif
 #if defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
     {"ldap:",  hdb_ldap_create},
+    {"ldapi:", hdb_ldapi_create},
 #endif
+    {NULL,     NULL}
+};
+
 #if HAVE_DB1 || HAVE_DB3
-    {"",       hdb_db_create},
+static struct hdb_method dbmetod = {"",        hdb_db_create };
 #elif defined(HAVE_NDBM)
-    {"",       hdb_ndbm_create},
-#elif defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
-    {"",       hdb_ldap_create},
+static struct hdb_method dbmetod = {"",        hdb_ndbm_create };
 #endif
-    {NULL,     NULL}
-};
+
 
 krb5_error_code
 hdb_next_enctype2key(krb5_context context,
@@ -337,11 +338,22 @@ find_method (const char *filename, const char **rest)
 {
     const struct hdb_method *h;
 
-    for (h = methods; h->prefix != NULL; ++h)
+    for (h = methods; h->prefix != NULL; ++h) {
        if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) {
            *rest = filename + strlen(h->prefix);
            return h;
        }
+    }
+#if defined(HAVE_DB1) || defined(HAVE_DB3) || defined(HAVE_NDBM)
+    if (strncmp(filename, "/", 1) == 0
+       || strncmp(filename, "./", 2) == 0
+       || strncmp(filename, "../", 3) == 0)
+    {
+       *rest = filename;
+       return &dbmetod;
+    }
+#endif
+
     return NULL;
 }
 
@@ -367,8 +379,6 @@ hdb_list_builtin(krb5_context context, char **list)
     buf[0] = '\0';
 
     for (h = methods; h->prefix != NULL; ++h) {
-       if (h->prefix[0] == '\0')
-           continue;
        if (h != methods)
            strlcat(buf, ", ", len);
        strlcat(buf, h->prefix, len);

diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c
index dfd5bfa8f131be2e3ea772336d07314ee6958d8b..793d03829d6ad5e6e368879435e343885b27004c 100644 (file)
--- a/source4/heimdal/lib/hdb/ndbm.c
+++ b/source4/heimdal/lib/hdb/ndbm.c
@@ -33,7 +33,7 @@
 
 #include "hdb_locl.h"
 
-RCSID("$Id: ndbm.c,v 1.35 2005/06/23 13:37:57 lha Exp $");
+RCSID("$Id: ndbm.c,v 1.36 2005/11/28 23:31:36 lha Exp $");
 
 #if HAVE_NDBM
 
@@ -333,7 +333,7 @@ krb5_error_code
 hdb_ndbm_create(krb5_context context, HDB **db, 
                const char *filename)
 {
-    *db = malloc(sizeof(**db));
+    *db = calloc(1, sizeof(**db));
     if (*db == NULL) {
        krb5_set_error_string(context, "malloc: out of memory");
        return ENOMEM;

diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 25dc2cb8c0d8df089f49555a006631a9427a199c..0c821cb11d9ad6137ca2630be13c042d18e3c74d 100644 (file)
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $");
+RCSID("$Id: cache.c,v 1.76 2005/11/29 09:10:47 lha Exp $");
 
 /*
  * Add a new ccache type with operations `ops', overwriting any
@@ -701,6 +701,9 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
     char *p, *p1;
     int i;
     
+    if (prefix[0] == '/')
+       return &krb5_fcc_ops;
+
     p = strdup(prefix);
     if (p == NULL) {
        krb5_set_error_string(context, "malloc - out of memory");

diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c
index 1d866fa11e08e73092ea30b0e2f6efbb247e958b..afa8f433ac82f6ad29530f7f361433e3cadb1c89 100644 (file)
--- a/source4/heimdal/lib/krb5/keytab_memory.c
+++ b/source4/heimdal/lib/krb5/keytab_memory.c
@@ -33,26 +33,64 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_memory.c,v 1.6 2005/05/18 04:44:40 lha Exp $");
+RCSID("$Id: keytab_memory.c,v 1.7 2005/12/01 12:40:22 lha Exp $");
 
 /* memory operations -------------------------------------------- */
 
 struct mkt_data {
     krb5_keytab_entry *entries;
     int num_entries;
+    char *name;
+    int refcount;
+    struct mkt_data *next;
 };
 
+/* this mutex protects mkt_head, ->refcount, and ->next 
+ * content is not protected (name is static and need no protection)
+ */
+static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static struct mkt_data *mkt_head;
+
+
 static krb5_error_code
 mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 {
     struct mkt_data *d;
-    d = malloc(sizeof(*d));
+
+    HEIMDAL_MUTEX_lock(&mkt_mutex);
+
+    for (d = mkt_head; d != NULL; d = d->next)
+       if (strcmp(d->name, name) == 0)
+           break;
+    if (d) {
+       if (d->refcount < 1)
+           krb5_abortx(context, "Double close on memory keytab, "
+                       "refcount < 1 %d", d->refcount);
+       d->refcount++;
+       id->data = d;
+       HEIMDAL_MUTEX_unlock(&mkt_mutex);
+       return 0;
+    }
+
+    d = calloc(1, sizeof(*d));
     if(d == NULL) {
+       HEIMDAL_MUTEX_unlock(&mkt_mutex);
+       krb5_set_error_string (context, "malloc: out of memory");
+       return ENOMEM;
+    }
+    d->name = strdup(name);
+    if (d->name == NULL) {
+       HEIMDAL_MUTEX_unlock(&mkt_mutex);
+       free(d);
        krb5_set_error_string (context, "malloc: out of memory");
        return ENOMEM;
     }
     d->entries = NULL;
     d->num_entries = 0;
+    d->refcount = 1;
+    d->next = mkt_head;
+    mkt_head = d;
+    HEIMDAL_MUTEX_unlock(&mkt_mutex);
     id->data = d;
     return 0;
 }
@@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 static krb5_error_code
 mkt_close(krb5_context context, krb5_keytab id)
 {
-    struct mkt_data *d = id->data;
+    struct mkt_data *d = id->data, **dp;
     int i;
+
+    HEIMDAL_MUTEX_lock(&mkt_mutex);
+    if (d->refcount < 1)
+       krb5_abortx(context, 
+                   "krb5 internal error, memory keytab refcount < 1 on close");
+
+    if (--d->refcount > 0) {
+       HEIMDAL_MUTEX_unlock(&mkt_mutex);
+       return 0;
+    }
+    for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) {
+       if (*dp == d) {
+           *dp = d->next;
+           break;
+       }
+    }
+    HEIMDAL_MUTEX_unlock(&mkt_mutex);
+
+    free(d->name);
     for(i = 0; i < d->num_entries; i++)
        krb5_kt_free_entry(context, &d->entries[i]);
     free(d->entries);
@@ -75,7 +132,8 @@ mkt_get_name(krb5_context context,
             char *name, 
             size_t namesize)
 {
-    strlcpy(name, "", namesize);
+    struct mkt_data *d = id->data;
+    strlcpy(name, d->name, namesize);
     return 0;
 }
 

diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 33e35ca60e45cf3ab6de2ef529cd0b91fd3bc161..301b8853e42247f9d135b876f7eee23fdd289d30 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -20,6 +20,24 @@ extern "C" {
 #endif
 #endif
 
+void
+initialize_heim_error_table (void);
+
+void
+initialize_heim_error_table_r (struct et_list **/*list*/);
+
+void
+initialize_k524_error_table (void);
+
+void
+initialize_k524_error_table_r (struct et_list **/*list*/);
+
+void
+initialize_krb5_error_table (void);
+
+void
+initialize_krb5_error_table_r (struct et_list **/*list*/);
+
 krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc (
        krb5_context /*context*/,

diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index fe9a0e5e7a0dd130284f7af3ec61dd03aa7c41c7..adee4708e6fac08b87ec7e6f0da51889b5f0a7f2 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h,v 1.239 2005/10/12 12:39:28 lha Exp $ */
+/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__

diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index 582b71db03af6c765a5ee0a038ae47de4bdf6294..313c14f6e63df934199bc92dacf77a5d941c99b2 100644 (file)
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $");
+RCSID("$Id: rd_req.c,v 1.61 2005/11/29 18:22:51 lha Exp $");
 
 static krb5_error_code
 decrypt_tkt_enc_part (krb5_context context,
@@ -136,7 +136,11 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
     int num_realms;
     krb5_error_code ret;
            
-    /* Windows w2k and w2k3 uses this */
+    /* 
+     * Windows 2000 and 2003 uses this inside their TGT so its normaly
+     * not seen by others, however, samba4 joined with a Windows AD as
+     * a Domain Controller gets exposed to this.
+     */
     if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0)
        return 0;
 
@@ -417,6 +421,19 @@ krb5_verify_ap_req2(krb5_context context,
        goto out;
     }
 
+    /* check timestamp in authenticator */
+    {
+       krb5_timestamp now;
+
+       krb5_timeofday (context, &now);
+
+       if (abs(ac->authenticator->ctime - now) > context->max_skew) {
+           ret = KRB5KRB_AP_ERR_SKEW;
+           krb5_clear_error_string (context);
+           goto out;
+       }
+    }
+
     if (ac->authenticator->seq_number)
        krb5_auth_con_setremoteseqnumber(context, ac,
                                         *ac->authenticator->seq_number);