r24614: Merge with current lorikeet-heimdal. This brings us one step closer

to an alpha release.

Andrew Bartlett
(This used to be commit 30e02747d511630659c59eafec8d28f58605943b)

diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index e06366f214b39105fa2c9f3d236da93823fc7b65..5f336e3275db23a1efa1076cda23db6a18e61fc8 100644 (file)
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -36,7 +36,7 @@
 #include <getarg.h>
 #include <parse_bytes.h>
 
-RCSID("$Id: default_config.c 21296 2007-06-25 14:49:11Z lha $");
+RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $");
 
 krb5_error_code
 krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)

diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c
index 801449fe5e5319a4c71709ac940c019b5329e2cb..358ca5ad56d7162b2a083c38e127057b90035f87 100644 (file)
--- a/source4/heimdal/kdc/digest.c
+++ b/source4/heimdal/kdc/digest.c
@@ -34,7 +34,7 @@
 #include "kdc_locl.h"
 #include <hex.h>
 
-RCSID("$Id: digest.c 21241 2007-06-20 11:30:19Z lha $");
+RCSID("$Id: digest.c 21606 2007-07-17 07:03:25Z lha $");
 
 #define MS_CHAP_V2     0x20
 #define CHAP_MD5       0x10
@@ -975,7 +975,7 @@ _kdc_do_digest(krb5_context context,
        }
 
        kdc_log(context, config, 0, "Digest %s request successful %s",
-               ireq.u.digestRequest.type, from);
+               ireq.u.digestRequest.type, ireq.u.digestRequest.username);
 
        break;
     }
@@ -1227,7 +1227,7 @@ _kdc_do_digest(krb5_context context,
            version = 1;
 
            if (flags & NTLM_NEG_NTLM2_SESSION) {
-               char sessionhash[MD5_DIGEST_LENGTH];
+               unsigned char sessionhash[MD5_DIGEST_LENGTH];
                MD5_CTX md5ctx;
                
                if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
@@ -1331,10 +1331,24 @@ _kdc_do_digest(krb5_context context,
                version, ireq.u.ntlmRequest.username);
        break;
     }
-    default:
+    default: {
+       char *s;
+       krb5_set_error_string(context, "unknown operation to digest");
+       ret = EINVAL;
+
     failed:
+
+       s = krb5_get_error_message(context, ret);
+       if (s == NULL) {
+           krb5_clear_error_string(context);
+           goto out;
+       }
+       
+       kdc_log(context, config, 0, "Digest failed with: %s", s);
+
        r.element = choice_DigestRepInner_error;
-       r.u.error.reason = strdup("unknown/failed operation");
+       r.u.error.reason = strdup("unknown error");
+       krb5_free_error_string(context, s);
        if (r.u.error.reason == NULL) {
            krb5_set_error_string(context, "out of memory");
            ret = ENOMEM;
@@ -1343,6 +1357,7 @@ _kdc_do_digest(krb5_context context,
        r.u.error.code = EINVAL;
        break;
     }
+    }
 
     ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
     if (ret) {

diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c
index deb32e1019954daff756f1cad50ad2cb9b31a7b4..15624e8e76393b03ccd97c6533bd5c30895fbd77 100644 (file)
--- a/source4/heimdal/kdc/kaserver.c
+++ b/source4/heimdal/kdc/kaserver.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kaserver.c 17904 2006-08-23 11:45:16Z lha $");
+RCSID("$Id: kaserver.c 21661 2007-07-22 01:57:17Z lha $");
 
 #include <krb5-v4compat.h>
 #include <rx.h>
@@ -191,19 +191,28 @@ init_reply_header (struct rx_header *hdr,
     reply_hdr->serviceid = hdr->serviceid;
 }
 
+/*
+ * Create an error `reply´ using for the packet `hdr' with the error
+ * `error´ code.
+ */
 static void
 make_error_reply (struct rx_header *hdr,
-                 uint32_t ret,
+                 uint32_t error,
                  krb5_data *reply)
 
 {
-    krb5_storage *sp;
     struct rx_header reply_hdr;
+    krb5_error_code ret;
+    krb5_storage *sp;
 
     init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
     sp = krb5_storage_emem();
+    if (sp == NULL)
+       return;
     ret = encode_rx_header (&reply_hdr, sp);
-    krb5_store_int32(sp, ret);
+    if (ret)
+       return;
+    krb5_store_int32(sp, error);
     krb5_storage_to_data (sp, reply);
     krb5_storage_free (sp);
 }

diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c
index 3c76bb99b22a24fb6bdeede9ca77fde3af14f4c2..cbba64945b3e495ce885af2376c3d81aba519dc3 100644 (file)
--- a/source4/heimdal/kdc/kerberos4.c
+++ b/source4/heimdal/kdc/kerberos4.c
@@ -35,7 +35,7 @@
 
 #include <krb5-v4compat.h>
 
-RCSID("$Id: kerberos4.c 18349 2006-10-08 13:43:52Z lha $");
+RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $");
 
 #ifndef swap32
 static uint32_t
@@ -151,7 +151,8 @@ _kdc_do_version4(krb5_context context,
     if(!config->enable_v4) {
        kdc_log(context, config, 0,
                "Rejected version 4 request from %s", from);
-       make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
+       make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
+                      "Function not enabled");
        return 0;
     }
 
@@ -160,7 +161,7 @@ _kdc_do_version4(krb5_context context,
     if(pvno != 4){
        kdc_log(context, config, 0,
                "Protocol version mismatch (krb4) (%d)", pvno);
-       make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
+       make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
        goto out;
     }
     RCHECK(krb5_ret_int8(sp, &msg_type), out);
@@ -196,7 +197,7 @@ _kdc_do_version4(krb5_context context,
        if(ret) {
            kdc_log(context, config, 0, "Client not found in database: %s: %s",
                    client_name, krb5_get_err_text(context, ret));
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
                           "principal unknown");
            goto out1;
        }
@@ -205,7 +206,7 @@ _kdc_do_version4(krb5_context context,
        if(ret){
            kdc_log(context, config, 0, "Server not found in database: %s: %s",
                    server_name, krb5_get_err_text(context, ret));
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
                           "principal unknown");
            goto out1;
        }
@@ -216,7 +217,7 @@ _kdc_do_version4(krb5_context context,
                                TRUE);
        if (ret) {
            /* good error code? */
-           make_err_reply(context, reply, KERB_ERR_NAME_EXP,
+           make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
                           "operation not allowed");
            goto out1;
        }
@@ -227,7 +228,7 @@ _kdc_do_version4(krb5_context context,
            kdc_log(context, config, 0,
                    "Per principal Kerberos 4 flag not turned on for %s",
                    client_name);
-           make_err_reply(context, reply, KERB_ERR_NULL_KEY,
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
                           "allow kerberos4 flag required");
            goto out1;
        }
@@ -244,7 +245,7 @@ _kdc_do_version4(krb5_context context,
                    "Pre-authentication required for v4-request: "
                    "%s for %s",
                    client_name, server_name);
-           make_err_reply(context, reply, KERB_ERR_NULL_KEY,
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
                           "preauth required");
            goto out1;
        }
@@ -252,7 +253,7 @@ _kdc_do_version4(krb5_context context,
        ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
        if(ret){
            kdc_log(context, config, 0, "no suitable DES key for client");
-           make_err_reply(context, reply, KDC_NULL_KEY, 
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
                           "no suitable DES key for client");
            goto out1;
        }
@@ -265,7 +266,7 @@ _kdc_do_version4(krb5_context context,
        if(ret){
            kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", 
                    name, inst, realm);
-           make_err_reply(context, reply, KDC_NULL_KEY, 
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
                           "No version-4 salted key in database");
            goto out1;
        }
@@ -274,8 +275,7 @@ _kdc_do_version4(krb5_context context,
        ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
        if(ret){
            kdc_log(context, config, 0, "no suitable DES key for server");
-           /* XXX */
-           make_err_reply(context, reply, KDC_NULL_KEY, 
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
                           "no suitable DES key for server");
            goto out1;
        }
@@ -400,7 +400,7 @@ _kdc_do_version4(krb5_context context,
                    "tgs-req (krb4) with old kvno %d (current %d) for "
                    "krbtgt.%s@%s", kvno, tgt->entry.kvno % 256, 
                    realm, config->v4_realm);
-           make_err_reply(context, reply, KDC_AUTH_EXP,
+           make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
                           "old krbtgt kvno used");
            goto out2;
        }
@@ -409,8 +409,7 @@ _kdc_do_version4(krb5_context context,
        if(ret){
            kdc_log(context, config, 0, 
                    "no suitable DES key for krbtgt (krb4)");
-           /* XXX */
-           make_err_reply(context, reply, KDC_NULL_KEY, 
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
                           "no suitable DES key for krbtgt");
            goto out2;
        }
@@ -456,7 +455,7 @@ _kdc_do_version4(krb5_context context,
        if(strcmp(ad.prealm, realm)){
            kdc_log(context, config, 0, 
                    "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, 
                           "Can't hop realms");
            goto out2;
        }
@@ -465,7 +464,7 @@ _kdc_do_version4(krb5_context context,
            kdc_log(context, config, 0, 
                    "krb4 Cross-realm %s -> %s disabled",
                    realm, config->v4_realm);
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
                           "Can't hop realms");
            goto out2;
        }
@@ -473,7 +472,7 @@ _kdc_do_version4(krb5_context context,
        if(strcmp(sname, "changepw") == 0){
            kdc_log(context, config, 0, 
                    "Bad request for changepw ticket (krb4)");
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, 
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, 
                           "Can't authorize password change based on TGT");
            goto out2;
        }
@@ -485,7 +484,7 @@ _kdc_do_version4(krb5_context context,
            s = kdc_log_msg(context, config, 0,
                            "Client not found in database: (krb4) %s: %s",
                            client_name, krb5_get_err_text(context, ret));
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
            free(s);
            goto out2;
        }
@@ -494,7 +493,7 @@ _kdc_do_version4(krb5_context context,
            s = kdc_log_msg(context, config, 0,
                            "Local client not found in database: (krb4) "
                            "%s", client_name);
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
            free(s);
            goto out2;
        }
@@ -506,7 +505,7 @@ _kdc_do_version4(krb5_context context,
            s = kdc_log_msg(context, config, 0,
                            "Server not found in database (krb4): %s: %s",
                            server_name, krb5_get_err_text(context, ret));
-           make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
+           make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
            free(s);
            goto out2;
        }
@@ -516,8 +515,7 @@ _kdc_do_version4(krb5_context context,
                                server, server_name,
                                FALSE);
        if (ret) {
-           /* good error code? */
-           make_err_reply(context, reply, KERB_ERR_NAME_EXP,
+           make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
                           "operation not allowed");
            goto out2;
        }
@@ -526,8 +524,7 @@ _kdc_do_version4(krb5_context context,
        if(ret){
            kdc_log(context, config, 0, 
                    "no suitable DES key for server (krb4)");
-           /* XXX */
-           make_err_reply(context, reply, KDC_NULL_KEY, 
+           make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, 
                           "no suitable DES key for server");
            goto out2;
        }
@@ -787,7 +784,7 @@ _kdc_get_des_key(krb5_context context,
        else if(is_server && server_key)
            *ret_key = server_key;
        else
-           return KERB_ERR_NULL_KEY;
+           return KRB4ET_KDC_NULL_KEY;
     } else {
        if(v4_key)
            *ret_key = v4_key;
@@ -798,11 +795,11 @@ _kdc_get_des_key(krb5_context context,
        else if(is_server && server_key)
            *ret_key = server_key;
        else
-           return KERB_ERR_NULL_KEY;
+           return KRB4ET_KDC_NULL_KEY;
     }
 
     if((*ret_key)->key.keyvalue.length == 0)
-       return KERB_ERR_NULL_KEY;
+       return KRB4ET_KDC_NULL_KEY;
     return 0;
 }
 

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index e34938447a263eb2479d01cbed4916a85186d647..40a9c9c972f53ba52d871c24f598bf1611fc732f 100644 (file)
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c 21040 2007-06-10 06:20:59Z lha $");
+RCSID("$Id: kerberos5.c 21529 2007-07-13 12:37:14Z lha $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -84,6 +84,22 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
     return NULL;
 }
 
+/*
+ * Detect if `key' is the using the the precomputed `default_salt'.
+ */
+
+static krb5_boolean
+is_default_salt_p(const krb5_salt *default_salt, const Key *key)
+{
+    if (key->salt == NULL)
+       return TRUE;
+    if (default_salt->salttype != key->salt->type)
+       return FALSE;
+    if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt))
+       return FALSE;
+    return TRUE;
+}
+
 /*
  * return the first appropriate key of `princ' in `ret_key'.  Look for
  * all the etypes in (`etypes', `len'), stopping as soon as we find
@@ -97,6 +113,9 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
 {
     int i;
     krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+    krb5_salt def_salt;
+
+    krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
 
     for(i = 0; ret != 0 && i < len ; i++) {
        Key *key = NULL;
@@ -112,10 +131,13 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
            *ret_key   = key;
            *ret_etype = etypes[i];
            ret = 0;
-           if (key->salt == NULL)
+           if (is_default_salt_p(&def_salt, key)) {
+               krb5_free_salt (context, def_salt);
                return ret;
+           }
        }
     }
+    krb5_free_salt (context, def_salt);
     return ret;
 }
 
@@ -325,6 +347,43 @@ _kdc_encode_reply(krb5_context context,
     return 0;
 }
 
+/*
+ * Return 1 if the client have only older enctypes, this is for
+ * determining if the server should send ETYPE_INFO2 or not.
+ */
+
+static int
+older_enctype(krb5_enctype enctype)
+{
+    switch (enctype) {
+    case ETYPE_DES_CBC_CRC:
+    case ETYPE_DES_CBC_MD4:
+    case ETYPE_DES_CBC_MD5:
+    case ETYPE_DES3_CBC_SHA1:
+    case ETYPE_ARCFOUR_HMAC_MD5:
+    case ETYPE_ARCFOUR_HMAC_MD5_56:
+       return 1;
+    default:
+       return 0;
+    }
+}
+
+static int
+only_older_enctype_p(const KDC_REQ *req)
+{
+    int i;
+
+    for(i = 0; i < req->req_body.etype.len; i++) {
+       if (!older_enctype(req->req_body.etype.val[i]))
+           return 0;
+    }
+    return 1;
+}
+
+/*
+ *
+ */
+
 static krb5_error_code
 make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
 {
@@ -395,14 +454,18 @@ get_pa_etype_info(krb5_context context,
        return ENOMEM;
     memset(pa.val, 0, pa.len * sizeof(*pa.val));
 
-    for(j = 0; j < etypes_len; j++) {
-       for (i = 0; i < n; i++)
-           if (pa.val[i].etype == etypes[j])
+    for(i = 0; i < client->keys.len; i++) {
+       for (j = 0; j < n; j++)
+           if (pa.val[j].etype == client->keys.val[i].key.keytype)
                goto skip1;
-       for(i = 0; i < client->keys.len; i++) {
+       for(j = 0; j < etypes_len; j++) {
            if(client->keys.val[i].key.keytype == etypes[j]) {
                if (krb5_enctype_valid(context, etypes[j]) != 0)
                    continue;
+               if (!older_enctype(etypes[j]))
+                   continue;
+               if (n >= pa.len)
+                   krb5_abortx(context, "internal error: n >= p.len");
                if((ret = make_etype_info_entry(context, 
                                                &pa.val[n++], 
                                                &client->keys.val[i])) != 0) {
@@ -420,6 +483,10 @@ get_pa_etype_info(krb5_context context,
        }
        if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
            continue;
+       if (!older_enctype(etypes[j]))
+           continue;
+       if (n >= pa.len)
+           krb5_abortx(context, "internal error: n >= p.len");
        if((ret = make_etype_info_entry(context, 
                                        &pa.val[n++], 
                                        &client->keys.val[i])) != 0) {
@@ -429,16 +496,8 @@ get_pa_etype_info(krb5_context context,
     skip2:;
     }
     
-    if(n != pa.len) {
-       char *name;
-       ret = krb5_unparse_name(context, client->principal, &name);
-       if (ret)
-           name = rk_UNCONST("<unparse_name failed>");
-       kdc_log(context, config, 0, 
-               "internal error in get_pa_etype_info(%s): %d != %d", 
-               name, n, pa.len);
-       if (ret == 0)
-           free(name);
+    if(n < pa.len) {
+       /* stripped out newer enctypes */
        pa.len = n;
     }
 
@@ -528,33 +587,9 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
 }
 
 /*
- * Return 1 if the client have only older enctypes, this is for
- * determining if the server should send ETYPE_INFO2 or not.
- */
-
-static int
-only_older_enctype_p(const KDC_REQ *req)
-{
-    int i;
-
-    for(i = 0; i < req->req_body.etype.len; i++) {
-       switch (req->req_body.etype.val[i]) {
-       case ETYPE_DES_CBC_CRC:
-       case ETYPE_DES_CBC_MD4:
-       case ETYPE_DES_CBC_MD5:
-       case ETYPE_DES3_CBC_SHA1:
-       case ETYPE_ARCFOUR_HMAC_MD5:
-       case ETYPE_ARCFOUR_HMAC_MD5_56:
-           break;
-       default:
-           return 0;
-       }
-    }
-    return 1;
-}
-
-/*
- *
+ * Return an ETYPE-INFO2. Enctypes are storted the same way as in the
+ * database (client supported enctypes first, then the unsupported
+ * enctypes).
  */
 
 static krb5_error_code
@@ -578,11 +613,11 @@ get_pa_etype_info2(krb5_context context,
        return ENOMEM;
     memset(pa.val, 0, pa.len * sizeof(*pa.val));
 
-    for(j = 0; j < etypes_len; j++) {
-       for (i = 0; i < n; i++)
-           if (pa.val[i].etype == etypes[j])
+    for(i = 0; i < client->keys.len; i++) {
+       for (j = 0; j < n; j++)
+           if (pa.val[j].etype == client->keys.val[i].key.keytype)
                goto skip1;
-       for(i = 0; i < client->keys.len; i++) {
+       for(j = 0; j < etypes_len; j++) {
            if(client->keys.val[i].key.keytype == etypes[j]) {
                if (krb5_enctype_valid(context, etypes[j]) != 0)
                    continue;
@@ -595,6 +630,7 @@ get_pa_etype_info2(krb5_context context,
        }
     skip1:;
     }
+    /* send enctypes that the cliene doesn't know about too */
     for(i = 0; i < client->keys.len; i++) {
        for(j = 0; j < etypes_len; j++) {
            if(client->keys.val[i].key.keytype == etypes[j])
@@ -959,7 +995,9 @@ _kdc_as_rep(krb5_context context,
        if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
            if (b->cname->name_string.len != 1) {
                kdc_log(context, config, 0,
-                       "AS-REQ malformed canon request from %s", from);
+                       "AS-REQ malformed canon request from %s, "
+                       "enterprise name with %d name components", 
+                       from, b->cname->name_string.len);
                ret = KRB5_PARSE_MALFORMED;
                goto out;
            }
@@ -1395,6 +1433,12 @@ _kdc_as_rep(krb5_context context,
     copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
     _krb5_principal2principalname(&rep.ticket.sname, 
                                  server->entry.principal);
+    /* java 1.6 expects the name to be the same type, lets allow that
+     * uncomplicated name-types. */
+#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
+    if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
+       rep.ticket.sname.name_type = b->sname->name_type;
+#undef CNT
 
     et.flags.initial = 1;
     if(client->entry.flags.forwardable && server->entry.flags.forwardable)

diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c
index 8414ecb4b2a2b5abf7c2fa9d895b47719268230d..b1b861efef88efe507e624119d595669a32a1dee 100644 (file)
--- a/source4/heimdal/kdc/kx509.c
+++ b/source4/heimdal/kdc/kx509.c
@@ -36,7 +36,7 @@
 #include <rfc2459_asn1.h>
 #include <hx509.h>
 
-RCSID("$Id: kx509.c 19992 2007-01-20 09:06:18Z lha $");
+RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $");
 
 /*
  *
@@ -56,7 +56,7 @@ _kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size)
  *
  */
 
-static const char version_2_0[4] = {0 , 0, 2, 0};
+static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
 
 static krb5_error_code
 verify_req_hash(krb5_context context, 
@@ -122,7 +122,7 @@ calculate_reply_hash(krb5_context context,
     if (rep->certificate)
        HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
     if (rep->e_text)
-       HMAC_Update(&ctx, *rep->e_text, strlen(*rep->e_text));
+       HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
 
     HMAC_Final(&ctx, rep->hash->data, 0);
     HMAC_CTX_cleanup(&ctx);

diff --git a/source4/heimdal/kuser/kinit.c b/source4/heimdal/kuser/kinit.c
index 29a9bdd5c725742753f41085a4a943b28a8f4e18..23fa7a5bafb0623cb2188811cca4bbf53a230ce9 100644 (file)
--- a/source4/heimdal/kuser/kinit.c
+++ b/source4/heimdal/kuser/kinit.c
@@ -32,18 +32,10 @@
  */
 
 #include "kuser_locl.h"
-RCSID("$Id: kinit.c 20517 2007-04-22 10:42:26Z lha $");
+RCSID("$Id: kinit.c 21483 2007-07-10 16:40:46Z lha $");
 
 #include "krb5-v4compat.h"
 
-struct krb5_pk_identity;
-struct krb5_pk_cert;
-struct ContentInfo;
-struct _krb5_krb_auth_data;
-struct krb5_dh_moduli;
-struct krb5_plugin;
-enum plugin_type;
-#include "krb5-private.h"
 #include "heimntlm.h"
 
 int forwardable_flag   = -1;

diff --git a/source4/heimdal/lib/asn1/asn1_err.et b/source4/heimdal/lib/asn1/asn1_err.et
index 67af1a44fc3b9977d418ae8817913187867a0096..c624e218e7ccad82bd4577b11e437f1d115d93e2 100644 (file)
--- a/source4/heimdal/lib/asn1/asn1_err.et
+++ b/source4/heimdal/lib/asn1/asn1_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: asn1_err.et 20010 2007-01-20 21:52:27Z lha $"
+id "$Id: asn1_err.et 21394 2007-07-02 10:14:43Z lha $"
 
 error_table asn1
 prefix ASN1
@@ -19,4 +19,7 @@ error_code BAD_FORMAT,                "ASN.1 badly-formatted encoding"
 error_code PARSE_ERROR,                "ASN.1 parse error"
 error_code EXTRA_DATA,         "ASN.1 extra data past end of end structure"
 error_code BAD_CHARACTER,      "ASN.1 invalid character in string"
+error_code MIN_CONSTRAINT,     "ASN.1 too few elements"
+error_code MAX_CONSTRAINT,     "ASN.1 too many elements"
+error_code EXACT_CONSTRAINT,   "ASN.1 wrong number of elements"
 end

diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c
index 3022435b336497b9e4a414f8aa6978cb14ca6d69..f232ce9a296dc880f89b43ae57d1ade825698e4c 100644 (file)
--- a/source4/heimdal/lib/asn1/der_get.c
+++ b/source4/heimdal/lib/asn1/der_get.c
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $");
+RCSID("$Id: der_get.c 21369 2007-06-27 10:14:39Z lha $");
 
 #include <version.h>
 
@@ -336,32 +336,25 @@ generalizedtime2time (const char *s, time_t *t)
     *t = _der_timegm (&tm);
     return 0;
 }
-#undef timegm
 
 static int
 der_get_time (const unsigned char *p, size_t len, 
              time_t *data, size_t *size)
 {
-    heim_octet_string k;
     char *times;
-    size_t ret = 0;
-    size_t l;
     int e;
 
-    e = der_get_octet_string (p, len, &k, &l);
-    if (e) return e;
-    p += l;
-    len -= l;
-    ret += l;
-    times = realloc(k.data, k.length + 1);
-    if (times == NULL){
-       free(k.data);
+    if (len > len + 1 || len == 0)
+       return ASN1_BAD_LENGTH;
+
+    times = malloc(len + 1);
+    if (times == NULL)
        return ENOMEM;
-    }
-    times[k.length] = 0;
+    memcpy(times, p, len);
+    times[len] = '\0';
     e = generalizedtime2time(times, data);
     free (times);
-    if(size) *size = ret;
+    if(size) *size = len;
     return e;
 }
 

diff --git a/source4/heimdal/lib/asn1/gen.c b/source4/heimdal/lib/asn1/gen.c
index cc1a3056def8a56e370aae83495b053e1234e267..26890212ae6425c6249381f3d3ebfe424e686943 100644 (file)
--- a/source4/heimdal/lib/asn1/gen.c
+++ b/source4/heimdal/lib/asn1/gen.c
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen.c 20670 2007-05-11 00:39:41Z lha $");
+RCSID("$Id: gen.c 21364 2007-06-27 08:51:06Z lha $");
 
 FILE *headerfile, *codefile, *logfile;
 
@@ -253,6 +253,7 @@ generate_header_of_codefile(const char *name)
             "#include <time.h>\n"
             "#include <string.h>\n"
             "#include <errno.h>\n"
+            "#include <limits.h>\n"
             "#include <krb5-types.h>\n",
             orig_filename);
 

diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c
index 7ebef6cdceb75d274cf6d5d37ee454550e8bb068..face9ba47a0487761a3e9447ddc9352bc1cf7f73 100644 (file)
--- a/source4/heimdal/lib/asn1/gen_decode.c
+++ b/source4/heimdal/lib/asn1/gen_decode.c
@@ -34,7 +34,7 @@
 #include "gen_locl.h"
 #include "lex.h"
 
-RCSID("$Id: gen_decode.c 19572 2006-12-29 17:30:32Z lha $");
+RCSID("$Id: gen_decode.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 decode_primitive (const char *typename, const char *name, const char *forwstr)
@@ -202,6 +202,32 @@ find_tag (const Type *t,
     }
 }
 
+static void
+range_check(const char *name,
+           const char *length,
+           const char *forwstr, 
+           struct range *r)
+{
+    if (r->min == r->max + 2 || r->min < r->max)
+       fprintf (codefile,
+                "if ((%s)->%s > %d) {\n"
+                "e = ASN1_MAX_CONSTRAINT; %s;\n"
+                "}\n",
+                name, length, r->max, forwstr);
+    if (r->min - 1 == r->max || r->min < r->max)
+       fprintf (codefile,
+                "if ((%s)->%s < %d) {\n"
+                "e = ASN1_MIN_CONSTRAINT; %s;\n"
+                "}\n",
+                name, length, r->min, forwstr);
+    if (r->max == r->min)
+       fprintf (codefile,
+                "if ((%s)->%s != %d) {\n"
+                "e = ASN1_EXACT_CONSTRAINT; %s;\n"
+                "}\n",
+                name, length, r->min, forwstr);
+}
+
 static int
 decode_type (const char *name, const Type *t, int optional, 
             const char *forwstr, const char *tmpstr)
@@ -236,12 +262,14 @@ decode_type (const char *name, const Type *t, int optional,
     }
     case TInteger:
        if(t->members) {
-           char *s;
-           asprintf(&s, "(int*)%s", name);
-           if (s == NULL)
-               errx (1, "out of memory");
-           decode_primitive ("integer", s, forwstr);
-           free(s);
+           fprintf(codefile,
+                   "{\n"
+                   "int enumint;\n");
+           decode_primitive ("integer", "&enumint", forwstr);
+           fprintf(codefile,
+                   "*%s = enumint;\n"
+                   "}\n",
+                   name);
        } else if (t->range == NULL) {
            decode_primitive ("heim_integer", name, forwstr);
        } else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
@@ -262,6 +290,8 @@ decode_type (const char *name, const Type *t, int optional,
        break;
     case TOctetString:
        decode_primitive ("octet_string", name, forwstr);
+       if (t->range)
+           range_check(name, "length", forwstr, t->range);
        break;
     case TBitString: {
        Member *m;
@@ -394,19 +424,31 @@ decode_type (const char *name, const Type *t, int optional,
                 "{\n"
                 "size_t %s_origlen = len;\n"
                 "size_t %s_oldret = ret;\n"
+                "size_t %s_olen = 0;\n"
                 "void *%s_tmp;\n"
                 "ret = 0;\n"
                 "(%s)->len = 0;\n"
-                "(%s)->val = NULL;\n"
+                "(%s)->val = NULL;\n",
+                tmpstr,
+                tmpstr,
+                tmpstr,
+                tmpstr,
+                name,
+                name);
+
+       fprintf (codefile,
                 "while(ret < %s_origlen) {\n"
-                "%s_tmp = realloc((%s)->val, "
-                "    sizeof(*((%s)->val)) * ((%s)->len + 1));\n"
-                "if (%s_tmp == NULL) { %s; }\n"
+                "size_t %s_nlen = %s_olen + sizeof(*((%s)->val));\n"
+                "if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }\n"
+                "%s_olen = %s_nlen;\n"
+                "%s_tmp = realloc((%s)->val, %s_olen);\n"
+                "if (%s_tmp == NULL) { e = ENOMEM; %s; }\n"
                 "(%s)->val = %s_tmp;\n",
-                tmpstr, tmpstr, tmpstr,
-                name, name,
+                tmpstr,
+                tmpstr, tmpstr, name,
+                tmpstr, tmpstr, forwstr,
                 tmpstr, tmpstr,
-                name, name, name,
+                tmpstr, name, tmpstr,
                 tmpstr, forwstr, 
                 name, tmpstr);
 
@@ -425,6 +467,8 @@ decode_type (const char *name, const Type *t, int optional,
                 "}\n",
                 name,
                 tmpstr, tmpstr);
+       if (t->range)
+           range_check(name, "len", forwstr, t->range);
        free (n);
        free (sname);
        break;

diff --git a/source4/heimdal/lib/asn1/gen_encode.c b/source4/heimdal/lib/asn1/gen_encode.c
index b5337b1c430104e3e71b2b103ed86a5a351d2f18..9544514212f89f543db40b6e2f0386231d4d86fc 100644 (file)
--- a/source4/heimdal/lib/asn1/gen_encode.c
+++ b/source4/heimdal/lib/asn1/gen_encode.c
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_encode.c 19572 2006-12-29 17:30:32Z lha $");
+RCSID("$Id: gen_encode.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 encode_primitive (const char *typename, const char *name)
@@ -121,12 +121,12 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
        break;
     case TInteger:
        if(t->members) {
-           char *s;
-           asprintf(&s, "(const int*)%s", name);
-           if(s == NULL)
-               errx(1, "out of memory");
-           encode_primitive ("integer", s);
-           free(s);
+           fprintf(codefile,
+                   "{\n"
+                   "int enumint = (int)*%s;\n",
+                   name);
+           encode_primitive ("integer", "&enumint");
+           fprintf(codefile, "}\n;");
        } else if (t->range == NULL) {
            encode_primitive ("heim_integer", name);
        } else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
@@ -292,6 +292,11 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
                "size_t elen, totallen = 0;\n"
                "int eret;\n");
 
+       fprintf(codefile,
+               "if ((%s)->len > UINT_MAX/sizeof(val[0]))\n"
+               "return ERANGE;\n",
+               name);
+
        fprintf(codefile,
                "val = malloc(sizeof(val[0]) * (%s)->len);\n"
                "if (val == NULL && (%s)->len != 0) return ENOMEM;\n",

diff --git a/source4/heimdal/lib/asn1/gen_length.c b/source4/heimdal/lib/asn1/gen_length.c
index a1f7cc66444e84dd99378ba5872e018803a820ce..4cb5d45089f5d51e55ad37f6398ef9028e4d606b 100644 (file)
--- a/source4/heimdal/lib/asn1/gen_length.c
+++ b/source4/heimdal/lib/asn1/gen_length.c
@@ -33,7 +33,7 @@
 
 #include "gen_locl.h"
 
-RCSID("$Id: gen_length.c 19539 2006-12-28 17:15:05Z lha $");
+RCSID("$Id: gen_length.c 21503 2007-07-12 11:57:19Z lha $");
 
 static void
 length_primitive (const char *typename,
@@ -72,12 +72,11 @@ length_type (const char *name, const Type *t,
        break;
     case TInteger:
        if(t->members) {
-           char *s;
-           asprintf(&s, "(const int*)%s", name);
-           if(s == NULL)
-               errx (1, "out of memory");
-           length_primitive ("integer", s, variable);
-           free(s);
+           fprintf(codefile,
+                   "{\n"
+                   "int enumint = *%s;\n", name);
+           length_primitive ("integer", "&enumint", variable);
+           fprintf(codefile, "}\n");
        } else if (t->range == NULL) {
            length_primitive ("heim_integer", name, variable);
        } else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {

diff --git a/source4/heimdal/lib/asn1/k5.asn1 b/source4/heimdal/lib/asn1/k5.asn1
index 14e9793fdc0e741e0a59e75a326a803b0241d0db..e3fe2b11e9ac297a631c21e11a507c64bccdd30e 100644 (file)
--- a/source4/heimdal/lib/asn1/k5.asn1
+++ b/source4/heimdal/lib/asn1/k5.asn1
@@ -1,4 +1,4 @@
--- $Id: k5.asn1 21092 2007-06-15 19:47:46Z lha $
+-- $Id: k5.asn1 21400 2007-07-02 19:57:31Z lha $
 
 KERBEROS5 DEFINITIONS ::=
 BEGIN
@@ -332,7 +332,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE {
        s2kparams[2]            OCTET STRING OPTIONAL
 }
 
-ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
+ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
 
 METHOD-DATA ::= SEQUENCE OF PA-DATA
 
@@ -341,7 +341,7 @@ TypedData ::=   SEQUENCE {
        data-value[1]           OCTET STRING OPTIONAL
 }
 
-TYPED-DATA ::= SEQUENCE OF TypedData
+TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
 
 KDC-REQ-BODY ::= SEQUENCE {
        kdc-options[0]          KDCOptions,

diff --git a/source4/heimdal/lib/asn1/lex.c b/source4/heimdal/lib/asn1/lex.c
index fe488eb904e8b1070fa18ca308eab1fc14ab844b..d628e4696f5d7caf68d2fcc4aa105bc6d2d122fe 100644 (file)
--- a/source4/heimdal/lib/asn1/lex.c
+++ b/source4/heimdal/lib/asn1/lex.c
@@ -1,6 +1,5 @@
-#include "config.h"
 
-#line 3 "lex.yy.c"
+#line 3 "lex.c"
 
 #define  YY_INT_ALIGNED short int
 
@@ -343,6 +342,9 @@ FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
 typedef int yy_state_type;
 
 extern int yylineno;
+
+int yylineno = 1;
+
 extern char *yytext;
 #define yytext_ptr yytext
 
@@ -824,7 +826,7 @@ char *yytext;
  * SUCH DAMAGE. 
  */
 
-/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
+/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
@@ -849,7 +851,7 @@ static unsigned lineno = 1;
 static void unterminated(const char *, unsigned);
 
 /* This is for broken old lexes (solaris 10 and hpux) */
-#line 852 "lex.yy.c"
+#line 855 "lex.c"
 
 #define INITIAL 0
 
@@ -1004,7 +1006,7 @@ YY_DECL
     
 #line 68 "lex.l"
 
-#line 1007 "lex.yy.c"
+#line 1010 "lex.c"
 
        if ( !(yy_init) )
                {
@@ -1673,7 +1675,7 @@ YY_RULE_SETUP
 #line 274 "lex.l"
 ECHO;
        YY_BREAK
-#line 1676 "lex.yy.c"
+#line 1679 "lex.c"
 case YY_STATE_EOF(INITIAL):
        yyterminate();
 
@@ -2483,6 +2485,15 @@ static void yy_fatal_error (yyconst char* msg )
 
 /* Accessor  methods (get/set functions) to struct members. */
 
+/** Get the current line number.
+ * 
+ */
+int yyget_lineno  (void)
+{
+        
+    return yylineno;
+}
+
 /** Get the input stream.
  * 
  */
@@ -2516,6 +2527,16 @@ char *yyget_text  (void)
         return yytext;
 }
 
+/** Set the current line number.
+ * @param line_number
+ * 
+ */
+void yyset_lineno (int  line_number )
+{
+    
+    yylineno = line_number;
+}
+
 /** Set the input stream. This does not discard the current
  * input buffer.
  * @param in_str A readable stream.

diff --git a/source4/heimdal/lib/asn1/parse.c b/source4/heimdal/lib/asn1/parse.c
index d9cd23b662365af0e3e2c226980e4e0f13158f0a..6a3e524e93a949e354eb856ee69029c2eebb1ef9 100644 (file)
--- a/source4/heimdal/lib/asn1/parse.c
+++ b/source4/heimdal/lib/asn1/parse.c
@@ -16,7 +16,9 @@
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
-   along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -259,7 +261,7 @@
 #include "gen_locl.h"
 #include "der.h"
 
-RCSID("$Id: parse.y 19539 2006-12-28 17:15:05Z lha $");
+RCSID("$Id: parse.y 21597 2007-07-16 18:48:58Z lha $");
 
 static Type *new_type (Typetype t);
 static struct constraint_spec *new_constraint_spec(enum ctype);
@@ -300,7 +302,7 @@ typedef union YYSTYPE
 {
     int constant;
     struct value *value;
-    struct range range;
+    struct range *range;
     char *name;
     Type *type;
     Member *member;
@@ -538,18 +540,18 @@ union yyalloc
 #endif
 
 /* YYFINAL -- State number of the termination state.  */
-#define YYFINAL  4
+#define YYFINAL  6
 /* YYLAST -- Last index in YYTABLE.  */
-#define YYLAST   169
+#define YYLAST   195
 
 /* YYNTOKENS -- Number of terminals.  */
 #define YYNTOKENS  98
 /* YYNNTS -- Number of nonterminals.  */
-#define YYNNTS  67
+#define YYNNTS  68
 /* YYNRULES -- Number of rules.  */
-#define YYNRULES  131
+#define YYNRULES  136
 /* YYNRULES -- Number of states.  */
-#define YYNSTATES  202
+#define YYNSTATES  214
 
 /* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX.  */
 #define YYUNDEFTOK  2
@@ -603,80 +605,83 @@ static const yytype_uint8 yytranslate[] =
    YYRHS.  */
 static const yytype_uint16 yyprhs[] =
 {
-       0,     0,     3,    12,    15,    18,    21,    22,    25,    26,
-      29,    30,    34,    35,    37,    38,    40,    43,    48,    50,
-      53,    55,    57,    61,    63,    67,    69,    71,    73,    75,
-      77,    79,    81,    83,    85,    87,    89,    91,    93,    95,
-      97,    99,   101,   103,   109,   111,   114,   119,   121,   125,
-     129,   134,   139,   141,   144,   150,   153,   156,   158,   163,
-     167,   171,   176,   180,   184,   189,   191,   193,   195,   197,
-     199,   202,   206,   208,   210,   212,   215,   219,   225,   230,
-     234,   239,   240,   242,   244,   246,   247,   249,   251,   256,
-     258,   260,   262,   264,   266,   268,   270,   272,   274,   278,
-     282,   285,   287,   290,   294,   296,   300,   305,   307,   308,
-     312,   313,   316,   321,   323,   325,   327,   329,   331,   333,
-     335,   337,   339,   341,   343,   345,   347,   349,   351,   353,
-     355,   357
+       0,     0,     3,    13,    16,    19,    22,    23,    26,    27,
+      30,    31,    35,    36,    38,    39,    41,    44,    49,    51,
+      54,    56,    58,    62,    64,    68,    70,    72,    74,    76,
+      78,    80,    82,    84,    86,    88,    90,    92,    94,    96,
+      98,   100,   102,   104,   110,   116,   122,   126,   128,   131,
+     136,   138,   142,   146,   151,   156,   158,   161,   167,   170,
+     174,   176,   177,   180,   185,   189,   194,   199,   203,   207,
+     212,   214,   216,   218,   220,   222,   225,   229,   231,   233,
+     235,   238,   242,   248,   253,   257,   262,   263,   265,   267,
+     269,   270,   272,   274,   279,   281,   283,   285,   287,   289,
+     291,   293,   295,   297,   301,   305,   308,   310,   313,   317,
+     319,   323,   328,   330,   331,   335,   336,   339,   344,   346,
+     348,   350,   352,   354,   356,   358,   360,   362,   364,   366,
+     368,   370,   372,   374,   376,   378,   380
 };
 
 /* YYRHS -- A `-1'-separated list of the rules' RHS.  */
 static const yytype_int16 yyrhs[] =
 {
-      99,     0,    -1,    86,    21,   100,   101,    84,     8,   102,
-      24,    -1,    27,    70,    -1,    38,    70,    -1,     7,    70,
-      -1,    -1,    29,    39,    -1,    -1,   103,   107,    -1,    -1,
-      40,   104,    90,    -1,    -1,   105,    -1,    -1,   106,    -1,
-     105,   106,    -1,   109,    32,    86,   150,    -1,   108,    -1,
-     108,   107,    -1,   110,    -1,   142,    -1,    86,    91,   109,
-      -1,    86,    -1,    86,    84,   111,    -1,   112,    -1,   129,
-      -1,   132,    -1,   120,    -1,   113,    -1,   143,    -1,   128,
-      -1,   118,    -1,   115,    -1,   123,    -1,   121,    -1,   122,
-      -1,   124,    -1,   125,    -1,   126,    -1,   127,    -1,   138,
-      -1,    11,    -1,    92,   154,    83,   154,    93,    -1,    43,
-      -1,    43,   114,    -1,    43,    94,   116,    95,    -1,   117,
-      -1,   116,    91,   117,    -1,   116,    91,    85,    -1,    86,
-      92,   162,    93,    -1,    25,    94,   119,    95,    -1,   116,
-      -1,     9,    67,    -1,     9,    67,    94,   148,    95,    -1,
-      51,    37,    -1,    52,    67,    -1,    49,    -1,    64,    94,
-     145,    95,    -1,    64,    94,    95,    -1,    64,    53,   111,
-      -1,    65,    94,   145,    95,    -1,    65,    94,    95,    -1,
-      65,    53,   111,    -1,    14,    94,   145,    95,    -1,   130,
-      -1,   131,    -1,    86,    -1,    34,    -1,    77,    -1,   111,
-     133,    -1,    92,   134,    93,    -1,   135,    -1,   136,    -1,
-     137,    -1,    19,   111,    -1,    23,    12,   154,    -1,    19,
-     111,    23,    12,   154,    -1,    18,    12,    94,    95,    -1,
-     139,   141,   111,    -1,    96,   140,    89,    97,    -1,    -1,
-      76,    -1,     6,    -1,    60,    -1,    -1,    27,    -1,    38,
-      -1,    86,   111,    84,   154,    -1,   144,    -1,    33,    -1,
-      78,    -1,    61,    -1,    81,    -1,    36,    -1,    10,    -1,
-      79,    -1,   147,    -1,   145,    91,   147,    -1,   145,    91,
-      85,    -1,    86,   111,    -1,   146,    -1,   146,    54,    -1,
-     146,    20,   154,    -1,   149,    -1,   148,    91,   149,    -1,
-      86,    92,    89,    93,    -1,   151,    -1,    -1,    94,   152,
-      95,    -1,    -1,   153,   152,    -1,    86,    92,    89,    93,
-      -1,    86,    -1,    89,    -1,   155,    -1,   156,    -1,   160,
-      -1,   159,    -1,   161,    -1,   164,    -1,   163,    -1,   157,
-      -1,   158,    -1,    86,    -1,    88,    -1,    71,    -1,    31,
-      -1,   162,    -1,    89,    -1,    49,    -1,   151,    -1
+      99,     0,    -1,    86,   151,    21,   100,   101,    84,     8,
+     102,    24,    -1,    27,    70,    -1,    38,    70,    -1,     7,
+      70,    -1,    -1,    29,    39,    -1,    -1,   103,   107,    -1,
+      -1,    40,   104,    90,    -1,    -1,   105,    -1,    -1,   106,
+      -1,   105,   106,    -1,   109,    32,    86,   151,    -1,   108,
+      -1,   108,   107,    -1,   110,    -1,   143,    -1,    86,    91,
+     109,    -1,    86,    -1,    86,    84,   111,    -1,   112,    -1,
+     130,    -1,   133,    -1,   120,    -1,   113,    -1,   144,    -1,
+     129,    -1,   118,    -1,   115,    -1,   123,    -1,   121,    -1,
+     122,    -1,   125,    -1,   126,    -1,   127,    -1,   128,    -1,
+     139,    -1,    11,    -1,    92,   155,    83,   155,    93,    -1,
+      92,   155,    83,    46,    93,    -1,    92,    47,    83,   155,
+      93,    -1,    92,   155,    93,    -1,    43,    -1,    43,   114,
+      -1,    43,    94,   116,    95,    -1,   117,    -1,   116,    91,
+     117,    -1,   116,    91,    85,    -1,    86,    92,   163,    93,
+      -1,    25,    94,   119,    95,    -1,   116,    -1,     9,    67,
+      -1,     9,    67,    94,   149,    95,    -1,    51,    37,    -1,
+      52,    67,   124,    -1,    49,    -1,    -1,    66,   114,    -1,
+      64,    94,   146,    95,    -1,    64,    94,    95,    -1,    64,
+     124,    53,   111,    -1,    65,    94,   146,    95,    -1,    65,
+      94,    95,    -1,    65,    53,   111,    -1,    14,    94,   146,
+      95,    -1,   131,    -1,   132,    -1,    86,    -1,    34,    -1,
+      77,    -1,   111,   134,    -1,    92,   135,    93,    -1,   136,
+      -1,   137,    -1,   138,    -1,    19,   111,    -1,    23,    12,
+     155,    -1,    19,   111,    23,    12,   155,    -1,    18,    12,
+      94,    95,    -1,   140,   142,   111,    -1,    96,   141,    89,
+      97,    -1,    -1,    76,    -1,     6,    -1,    60,    -1,    -1,
+      27,    -1,    38,    -1,    86,   111,    84,   155,    -1,   145,
+      -1,    33,    -1,    78,    -1,    61,    -1,    81,    -1,    36,
+      -1,    10,    -1,    79,    -1,   148,    -1,   146,    91,   148,
+      -1,   146,    91,    85,    -1,    86,   111,    -1,   147,    -1,
+     147,    54,    -1,   147,    20,   155,    -1,   150,    -1,   149,
+      91,   150,    -1,    86,    92,    89,    93,    -1,   152,    -1,
+      -1,    94,   153,    95,    -1,    -1,   154,   153,    -1,    86,
+      92,    89,    93,    -1,    86,    -1,    89,    -1,   156,    -1,
+     157,    -1,   161,    -1,   160,    -1,   162,    -1,   165,    -1,
+     164,    -1,   158,    -1,   159,    -1,    86,    -1,    88,    -1,
+      71,    -1,    31,    -1,   163,    -1,    89,    -1,    49,    -1,
+     152,    -1
 };
 
 /* YYRLINE[YYN] -- source line where rule number YYN was defined.  */
 static const yytype_uint16 yyrline[] =
 {
-       0,   231,   231,   238,   239,   241,   243,   246,   248,   251,
-     252,   255,   256,   259,   260,   263,   264,   267,   278,   279,
-     282,   283,   286,   292,   300,   310,   311,   312,   315,   316,
-     317,   318,   319,   320,   321,   322,   323,   324,   325,   326,
-     327,   328,   331,   338,   348,   353,   360,   368,   374,   379,
-     383,   396,   404,   407,   414,   422,   428,   435,   442,   448,
-     456,   464,   470,   478,   486,   493,   494,   497,   508,   513,
-     520,   536,   542,   545,   546,   549,   555,   563,   573,   579,
-     592,   601,   604,   608,   612,   619,   622,   626,   633,   644,
-     647,   652,   657,   662,   667,   672,   677,   685,   691,   696,
-     707,   718,   724,   730,   738,   744,   751,   764,   765,   768,
-     775,   778,   789,   793,   804,   810,   811,   814,   815,   816,
-     817,   818,   821,   824,   827,   838,   846,   852,   860,   868,
-     871,   876
+       0,   233,   233,   240,   241,   243,   245,   248,   250,   253,
+     254,   257,   258,   261,   262,   265,   266,   269,   280,   281,
+     284,   285,   288,   294,   302,   312,   313,   314,   317,   318,
+     319,   320,   321,   322,   323,   324,   325,   326,   327,   328,
+     329,   330,   333,   340,   350,   358,   366,   377,   382,   388,
+     396,   402,   407,   411,   424,   432,   435,   442,   450,   456,
+     465,   473,   474,   479,   485,   493,   502,   508,   516,   524,
+     531,   532,   535,   546,   551,   558,   574,   580,   583,   584,
+     587,   593,   601,   611,   617,   630,   639,   642,   646,   650,
+     657,   660,   664,   671,   682,   685,   690,   695,   700,   705,
+     710,   715,   723,   729,   734,   745,   756,   762,   768,   776,
+     782,   789,   802,   803,   806,   813,   816,   827,   831,   842,
+     848,   849,   852,   853,   854,   855,   856,   859,   862,   865,
+     876,   884,   890,   898,   906,   909,   914
 };
 #endif
 
@@ -712,7 +717,7 @@ static const char *const yytname[] =
   "TypeAssignment", "Type", "BuiltinType", "BooleanType", "range",
   "IntegerType", "NamedNumberList", "NamedNumber", "EnumeratedType",
   "Enumerations", "BitStringType", "ObjectIdentifierType",
-  "OctetStringType", "NullType", "SequenceType", "SequenceOfType",
+  "OctetStringType", "NullType", "size", "SequenceType", "SequenceOfType",
   "SetType", "SetOfType", "ChoiceType", "ReferencedType", "DefinedType",
   "UsefulType", "ConstrainedType", "Constraint", "ConstraintSpec",
   "GeneralConstraint", "ContentsConstraint", "UserDefinedConstraint",
@@ -751,35 +756,35 @@ static const yytype_uint8 yyr1[] =
      102,   103,   103,   104,   104,   105,   105,   106,   107,   107,
      108,   108,   109,   109,   110,   111,   111,   111,   112,   112,
      112,   112,   112,   112,   112,   112,   112,   112,   112,   112,
-     112,   112,   113,   114,   115,   115,   115,   116,   116,   116,
-     117,   118,   119,   120,   120,   121,   122,   123,   124,   124,
-     125,   126,   126,   127,   128,   129,   129,   130,   131,   131,
-     132,   133,   134,   135,   135,   136,   136,   136,   137,   138,
-     139,   140,   140,   140,   140,   141,   141,   141,   142,   143,
-     144,   144,   144,   144,   144,   144,   144,   145,   145,   145,
-     146,   147,   147,   147,   148,   148,   149,   150,   150,   151,
-     152,   152,   153,   153,   153,   154,   154,   155,   155,   155,
-     155,   155,   156,   157,   158,   159,   160,   160,   161,   162,
-     163,   164
+     112,   112,   113,   114,   114,   114,   114,   115,   115,   115,
+     116,   116,   116,   117,   118,   119,   120,   120,   121,   122,
+     123,   124,   124,   125,   125,   126,   127,   127,   128,   129,
+     130,   130,   131,   132,   132,   133,   134,   135,   136,   136,
+     137,   137,   137,   138,   139,   140,   141,   141,   141,   141,
+     142,   142,   142,   143,   144,   145,   145,   145,   145,   145,
+     145,   145,   146,   146,   146,   147,   148,   148,   148,   149,
+     149,   150,   151,   151,   152,   153,   153,   154,   154,   154,
+     155,   155,   156,   156,   156,   156,   156,   157,   158,   159,
+     160,   161,   161,   162,   163,   164,   165
 };
 
 /* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN.  */
 static const yytype_uint8 yyr2[] =
 {
-       0,     2,     8,     2,     2,     2,     0,     2,     0,     2,
+       0,     2,     9,     2,     2,     2,     0,     2,     0,     2,
        0,     3,     0,     1,     0,     1,     2,     4,     1,     2,
        1,     1,     3,     1,     3,     1,     1,     1,     1,     1,
        1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     1,     1,     5,     1,     2,     4,     1,     3,     3,
-       4,     4,     1,     2,     5,     2,     2,     1,     4,     3,
-       3,     4,     3,     3,     4,     1,     1,     1,     1,     1,
-       2,     3,     1,     1,     1,     2,     3,     5,     4,     3,
-       4,     0,     1,     1,     1,     0,     1,     1,     4,     1,
-       1,     1,     1,     1,     1,     1,     1,     1,     3,     3,
-       2,     1,     2,     3,     1,     3,     4,     1,     0,     3,
-       0,     2,     4,     1,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     5,     5,     5,     3,     1,     2,     4,
+       1,     3,     3,     4,     4,     1,     2,     5,     2,     3,
+       1,     0,     2,     4,     3,     4,     4,     3,     3,     4,
+       1,     1,     1,     1,     1,     2,     3,     1,     1,     1,
+       2,     3,     5,     4,     3,     4,     0,     1,     1,     1,
+       0,     1,     1,     4,     1,     1,     1,     1,     1,     1,
+       1,     1,     1,     3,     3,     2,     1,     2,     3,     1,
+       3,     4,     1,     0,     3,     0,     2,     4,     1,     1,
        1,     1,     1,     1,     1,     1,     1,     1,     1,     1,
-       1,     1
+       1,     1,     1,     1,     1,     1,     1
 };
 
 /* YYDEFACT[STATE-NAME] -- Default rule to reduce with in state
@@ -787,79 +792,81 @@ static const yytype_uint8 yyr2[] =
    means the default is an error.  */
 static const yytype_uint8 yydefact[] =
 {
-       0,     0,     0,     6,     1,     0,     0,     0,     8,     5,
-       3,     4,     0,     0,     7,     0,    10,    14,     0,     0,
-      23,     0,    13,    15,     0,     2,     0,     9,    18,    20,
-      21,     0,    11,    16,     0,     0,    95,    42,     0,     0,
-      90,    68,    94,    44,    57,     0,     0,    92,     0,     0,
-      69,    91,    96,    93,     0,    67,    81,     0,    25,    29,
-      33,    32,    28,    35,    36,    34,    37,    38,    39,    40,
-      31,    26,    65,    66,    27,    41,    85,    30,    89,    19,
-      22,   108,    53,     0,     0,     0,     0,    45,    55,    56,
-       0,     0,     0,     0,    24,    83,    84,    82,     0,     0,
-       0,    70,    86,    87,     0,   110,    17,   107,     0,     0,
-       0,   101,    97,     0,    52,    47,     0,   127,   130,   126,
-     124,   125,   129,   131,     0,   115,   116,   122,   123,   118,
-     117,   119,   128,   121,   120,     0,    60,    59,     0,    63,
-      62,     0,     0,    88,     0,     0,     0,     0,    72,    73,
-      74,    79,   113,   114,     0,   110,     0,     0,   104,   100,
-       0,    64,     0,   102,     0,     0,    51,     0,    46,    58,
-      61,    80,     0,    75,     0,    71,     0,   109,   111,     0,
-       0,    54,    99,    98,   103,     0,    49,    48,     0,     0,
-       0,    76,     0,     0,   105,    50,    43,    78,     0,   112,
-     106,    77
+       0,   113,     0,   115,     0,   112,     1,   118,   119,     0,
+     115,     6,     0,   114,   116,     0,     0,     0,     8,     0,
+       5,     3,     4,     0,     0,   117,     7,     0,    10,    14,
+       0,     0,    23,     0,    13,    15,     0,     2,     0,     9,
+      18,    20,    21,     0,    11,    16,     0,     0,   100,    42,
+       0,     0,    95,    73,    99,    47,    60,     0,     0,    97,
+      61,     0,    74,    96,   101,    98,     0,    72,    86,     0,
+      25,    29,    33,    32,    28,    35,    36,    34,    37,    38,
+      39,    40,    31,    26,    70,    71,    27,    41,    90,    30,
+      94,    19,    22,   113,    56,     0,     0,     0,     0,    48,
+      58,    61,     0,     0,     0,     0,     0,    24,    88,    89,
+      87,     0,     0,     0,    75,    91,    92,     0,    17,     0,
+       0,     0,   106,   102,     0,    55,    50,     0,   132,     0,
+     135,   131,   129,   130,   134,   136,     0,   120,   121,   127,
+     128,   123,   122,   124,   133,   126,   125,     0,    59,    62,
+      64,     0,     0,    68,    67,     0,     0,    93,     0,     0,
+       0,     0,    77,    78,    79,    84,     0,     0,   109,   105,
+       0,    69,     0,   107,     0,     0,    54,     0,     0,    46,
+      49,    63,    65,    66,    85,     0,    80,     0,    76,     0,
+       0,    57,   104,   103,   108,     0,    52,    51,     0,     0,
+       0,     0,     0,    81,     0,   110,    53,    45,    44,    43,
+      83,     0,   111,    82
 };
 
 /* YYDEFGOTO[NTERM-NUM].  */
 static const yytype_int16 yydefgoto[] =
 {
-      -1,     2,     8,    13,    18,    19,    21,    22,    23,    27,
-      28,    24,    29,    57,    58,    59,    87,    60,   114,   115,
-      61,   116,    62,    63,    64,    65,    66,    67,    68,    69,
-      70,    71,    72,    73,    74,   101,   147,   148,   149,   150,
-      75,    76,    98,   104,    30,    77,    78,   110,   111,   112,
-     157,   158,   106,   123,   154,   155,   124,   125,   126,   127,
-     128,   129,   130,   131,   132,   133,   134
+      -1,     2,    18,    24,    30,    31,    33,    34,    35,    39,
+      40,    36,    41,    69,    70,    71,    99,    72,   125,   126,
+      73,   127,    74,    75,    76,    77,   104,    78,    79,    80,
+      81,    82,    83,    84,    85,    86,   114,   161,   162,   163,
+     164,    87,    88,   111,   117,    42,    89,    90,   121,   122,
+     123,   167,   168,     4,   135,     9,    10,   136,   137,   138,
+     139,   140,   141,   142,   143,   144,   145,   146
 };
 
 /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing
    STATE-NUM.  */
-#define YYPACT_NINF -100
+#define YYPACT_NINF -113
 static const yytype_int16 yypact[] =
 {
-     -65,    19,    33,     5,  -100,   -29,   -17,    11,    53,  -100,
-    -100,  -100,    47,    13,  -100,    90,   -34,    18,    81,    20,
-      16,    21,    18,  -100,    76,  -100,    -7,  -100,    20,  -100,
-    -100,    18,  -100,  -100,    23,    43,  -100,  -100,    24,    25,
-    -100,  -100,  -100,    -4,  -100,    77,    46,  -100,   -48,   -45,
-    -100,  -100,  -100,  -100,    51,  -100,     4,   -64,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,   -16,  -100,  -100,  -100,
-    -100,    26,    27,    31,    36,    52,    36,  -100,  -100,  -100,
-      51,   -71,    51,   -70,    32,  -100,  -100,  -100,    37,    52,
-      12,  -100,  -100,  -100,    51,   -39,  -100,  -100,    39,    51,
-     -78,    -6,  -100,    35,    40,  -100,    38,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,    56,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,   -72,    32,  -100,   -57,    32,
-    -100,   -36,    45,  -100,   122,    51,   123,    50,  -100,  -100,
-    -100,    32,    44,  -100,    49,   -39,    57,   -22,  -100,    32,
-     -19,  -100,    52,  -100,    59,    10,  -100,    52,  -100,  -100,
-    -100,  -100,    58,   -14,    52,  -100,    61,  -100,  -100,    62,
-      39,  -100,  -100,  -100,  -100,    60,  -100,  -100,    63,    64,
-     133,  -100,    65,    67,  -100,  -100,  -100,  -100,    52,  -100,
-    -100,  -100
+     -74,   -67,    38,   -69,    23,  -113,  -113,   -44,  -113,   -41,
+     -69,     4,   -26,  -113,  -113,    -3,     1,    10,    52,   -10,
+    -113,  -113,  -113,    45,    13,  -113,  -113,    77,   -35,    15,
+      64,    19,    17,    20,    15,  -113,    85,  -113,    25,  -113,
+      19,  -113,  -113,    15,  -113,  -113,    27,    47,  -113,  -113,
+      26,    29,  -113,  -113,  -113,   -30,  -113,    89,    61,  -113,
+     -57,   -47,  -113,  -113,  -113,  -113,    82,  -113,    -4,   -68,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   -17,  -113,
+    -113,  -113,  -113,   -67,    35,    33,    46,    51,    46,  -113,
+    -113,    69,    44,   -73,    88,    82,   -72,    56,  -113,  -113,
+    -113,    49,    93,     7,  -113,  -113,  -113,    82,  -113,    58,
+      82,   -76,   -13,  -113,    57,    59,  -113,    60,  -113,    68,
+    -113,  -113,  -113,  -113,  -113,  -113,   -75,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,   -63,  -113,  -113,
+    -113,   -62,    82,    56,  -113,   -46,    65,  -113,   141,    82,
+     142,    63,  -113,  -113,  -113,    56,    66,   -38,  -113,    56,
+     -16,  -113,    93,  -113,    76,    -7,  -113,    93,    81,  -113,
+    -113,  -113,    56,  -113,  -113,    72,   -19,    93,  -113,    83,
+      58,  -113,  -113,  -113,  -113,    78,  -113,  -113,    80,    84,
+      87,    62,   162,  -113,    90,  -113,  -113,  -113,  -113,  -113,
+    -113,    93,  -113,  -113
 };
 
 /* YYPGOTO[NTERM-NUM].  */
 static const yytype_int16 yypgoto[] =
 {
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,   132,   127,
-    -100,   126,  -100,   -53,  -100,  -100,  -100,  -100,    75,    -3,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,  -100,  -100,  -100,     0,  -100,     3,
-    -100,   -15,  -100,    83,    14,  -100,   -99,  -100,  -100,  -100,
-    -100,  -100,  -100,  -100,     2,  -100,  -100
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   150,   136,
+    -113,   143,  -113,   -65,  -113,  -113,    86,  -113,    91,    16,
+    -113,  -113,  -113,  -113,  -113,  -113,    92,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,  -113,  -113,  -113,   -60,  -113,
+      22,  -113,    -5,    97,     2,   184,  -113,  -112,  -113,  -113,
+    -113,  -113,  -113,  -113,  -113,    21,  -113,  -113
 };
 
 /* YYTABLE[YYPACT[STATE-NUM]].  What to do in state STATE-NUM.  If
@@ -869,71 +876,78 @@ static const yytype_int16 yypgoto[] =
 #define YYTABLE_NINF -13
 static const yytype_int16 yytable[] =
 {
-     143,    94,    35,    36,    37,    90,    17,    38,    92,   190,
-      95,   102,     5,   160,   162,   109,   109,   161,    39,   165,
-      99,     1,   103,   168,   137,   140,    40,    41,   100,    42,
-     144,   145,     6,     4,   160,   146,    43,   136,   169,   139,
-       3,     9,    44,     7,    45,    46,    91,   152,   163,    93,
-     153,   151,   -12,    10,    47,   160,   159,    48,    49,   170,
-      35,    36,    37,   184,    96,    38,   182,   109,   188,   180,
-      50,    51,    52,   181,    53,   191,    39,    54,   100,    55,
-      97,    11,    12,   117,    40,    41,    14,    42,    85,    56,
-      86,   138,   173,   141,    43,   186,   113,    15,    16,   201,
-      44,   118,    45,    46,    20,    25,    26,    31,    34,    81,
-      82,    32,    47,    89,    88,    48,    49,   109,    83,    84,
-     105,   108,   113,   119,   100,   156,   142,   164,    50,    51,
-      52,   165,    53,   166,   172,   174,   176,    55,   120,   167,
-     121,   122,   171,   175,   177,   198,   105,    56,   122,   179,
-     192,   193,   189,   195,    33,    79,   196,    80,   199,   197,
-     200,   135,   187,   183,   107,   194,   185,     0,     0,   178
+     157,   107,   108,     5,   202,    29,   105,   172,   178,   102,
+     115,    15,     1,   120,   120,   170,   112,     7,   179,   171,
+       8,   116,   150,   154,   113,   158,   159,     3,   175,   170,
+     160,    16,   180,   181,    47,    48,    49,   103,     6,    50,
+     153,   173,    17,   151,    11,   170,   155,   106,    12,   183,
+      51,   -12,   165,   190,    13,   169,   109,   191,    52,    53,
+     194,    54,    97,    19,    98,   198,   200,    20,    55,   192,
+     120,    21,   110,   113,    56,   203,    57,    58,   196,   124,
+      22,    23,   128,    25,    26,    28,    59,   182,    37,    60,
+      61,    47,    48,    49,   186,     5,    50,    27,   129,   213,
+     130,    32,    62,    63,    64,    38,    65,    51,    43,    66,
+      44,    67,   128,    93,    94,    52,    53,    46,    54,   120,
+      95,    68,   131,    96,   128,    55,   100,   199,   101,   119,
+     130,    56,   124,    57,    58,   102,    97,   132,   156,   133,
+     134,   152,   130,    59,   166,     3,    60,    61,   113,   174,
+     175,   177,   131,   185,   187,   176,   188,   210,   189,    62,
+      63,    64,   184,    65,   131,   134,   201,   132,    67,   133,
+     134,   206,   204,   207,   211,     3,    91,   208,    68,   132,
+     209,   133,   134,   212,    45,   205,    92,     3,   149,   147,
+     118,   197,   193,   148,    14,   195
 };
 
-static const yytype_int16 yycheck[] =
+static const yytype_uint8 yycheck[] =
 {
-      99,    54,     9,    10,    11,    53,    40,    14,    53,    23,
-       6,    27,     7,    91,    20,    86,    86,    95,    25,    91,
-      84,    86,    38,    95,    95,    95,    33,    34,    92,    36,
-      18,    19,    27,     0,    91,    23,    43,    90,    95,    92,
-      21,    70,    49,    38,    51,    52,    94,    86,    54,    94,
-      89,   104,    86,    70,    61,    91,   109,    64,    65,    95,
-       9,    10,    11,   162,    60,    14,    85,    86,   167,    91,
-      77,    78,    79,    95,    81,   174,    25,    84,    92,    86,
-      76,    70,    29,    31,    33,    34,    39,    36,    92,    96,
-      94,    91,   145,    93,    43,    85,    86,    84,     8,   198,
-      49,    49,    51,    52,    86,    24,    86,    91,    32,    86,
-      67,    90,    61,    67,    37,    64,    65,    86,    94,    94,
-      94,    94,    86,    71,    92,    86,    89,    92,    77,    78,
-      79,    91,    81,    95,    12,    12,    92,    86,    86,    83,
-      88,    89,    97,    93,    95,    12,    94,    96,    89,    92,
-      89,    89,    94,    93,    22,    28,    93,    31,    93,    95,
-      93,    86,   165,   160,    81,   180,   164,    -1,    -1,   155
+     112,    66,     6,     1,    23,    40,    53,    20,    83,    66,
+      27,     7,    86,    86,    86,    91,    84,    86,    93,    95,
+      89,    38,    95,    95,    92,    18,    19,    94,    91,    91,
+      23,    27,    95,    95,     9,    10,    11,    94,     0,    14,
+     105,    54,    38,   103,    21,    91,   106,    94,    92,    95,
+      25,    86,   117,    91,    95,   120,    60,    95,    33,    34,
+     172,    36,    92,    89,    94,   177,   178,    70,    43,    85,
+      86,    70,    76,    92,    49,   187,    51,    52,    85,    86,
+      70,    29,    31,    93,    39,     8,    61,   152,    24,    64,
+      65,     9,    10,    11,   159,    93,    14,    84,    47,   211,
+      49,    86,    77,    78,    79,    86,    81,    25,    91,    84,
+      90,    86,    31,    86,    67,    33,    34,    32,    36,    86,
+      94,    96,    71,    94,    31,    43,    37,    46,    67,    94,
+      49,    49,    86,    51,    52,    66,    92,    86,    89,    88,
+      89,    53,    49,    61,    86,    94,    64,    65,    92,    92,
+      91,    83,    71,    12,    12,    95,    93,    95,    92,    77,
+      78,    79,    97,    81,    71,    89,    94,    86,    86,    88,
+      89,    93,    89,    93,    12,    94,    40,    93,    96,    86,
+      93,    88,    89,    93,    34,   190,    43,    94,   102,    98,
+      93,   175,   170,   101,    10,   174
 };
 
 /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
    symbol of state STATE-NUM.  */
 static const yytype_uint8 yystos[] =
 {
-       0,    86,    99,    21,     0,     7,    27,    38,   100,    70,
-      70,    70,    29,   101,    39,    84,     8,    40,   102,   103,
-      86,   104,   105,   106,   109,    24,    86,   107,   108,   110,
-     142,    91,    90,   106,    32,     9,    10,    11,    14,    25,
-      33,    34,    36,    43,    49,    51,    52,    61,    64,    65,
-      77,    78,    79,    81,    84,    86,    96,   111,   112,   113,
-     115,   118,   120,   121,   122,   123,   124,   125,   126,   127,
-     128,   129,   130,   131,   132,   138,   139,   143,   144,   107,
-     109,    86,    67,    94,    94,    92,    94,   114,    37,    67,
-      53,    94,    53,    94,   111,     6,    60,    76,   140,    84,
-      92,   133,    27,    38,   141,    94,   150,   151,    94,    86,
-     145,   146,   147,    86,   116,   117,   119,    31,    49,    71,
-      86,    88,    89,   151,   154,   155,   156,   157,   158,   159,
-     160,   161,   162,   163,   164,   116,   111,    95,   145,   111,
-      95,   145,    89,   154,    18,    19,    23,   134,   135,   136,
-     137,   111,    86,    89,   152,   153,    86,   148,   149,   111,
-      91,    95,    20,    54,    92,    91,    95,    83,    95,    95,
-      95,    97,    12,   111,    12,    93,    92,    95,   152,    92,
-      91,    95,    85,   147,   154,   162,    85,   117,   154,    94,
-      23,   154,    89,    89,   149,    93,    93,    95,    12,    93,
-      93,   154
+       0,    86,    99,    94,   151,   152,     0,    86,    89,   153,
+     154,    21,    92,    95,   153,     7,    27,    38,   100,    89,
+      70,    70,    70,    29,   101,    93,    39,    84,     8,    40,
+     102,   103,    86,   104,   105,   106,   109,    24,    86,   107,
+     108,   110,   143,    91,    90,   106,    32,     9,    10,    11,
+      14,    25,    33,    34,    36,    43,    49,    51,    52,    61,
+      64,    65,    77,    78,    79,    81,    84,    86,    96,   111,
+     112,   113,   115,   118,   120,   121,   122,   123,   125,   126,
+     127,   128,   129,   130,   131,   132,   133,   139,   140,   144,
+     145,   107,   109,    86,    67,    94,    94,    92,    94,   114,
+      37,    67,    66,    94,   124,    53,    94,   111,     6,    60,
+      76,   141,    84,    92,   134,    27,    38,   142,   151,    94,
+      86,   146,   147,   148,    86,   116,   117,   119,    31,    47,
+      49,    71,    86,    88,    89,   152,   155,   156,   157,   158,
+     159,   160,   161,   162,   163,   164,   165,   116,   124,   114,
+      95,   146,    53,   111,    95,   146,    89,   155,    18,    19,
+      23,   135,   136,   137,   138,   111,    86,   149,   150,   111,
+      91,    95,    20,    54,    92,    91,    95,    83,    83,    93,
+      95,    95,   111,    95,    97,    12,   111,    12,    93,    92,
+      91,    95,    85,   148,   155,   163,    85,   117,   155,    46,
+     155,    94,    23,   155,    89,   150,    93,    93,    93,    93,
+      95,    12,    93,   155
 };
 
 #define yyerrok                (yyerrstatus = 0)
@@ -1748,29 +1762,29 @@ yyreduce:
   switch (yyn)
     {
         case 2:
-#line 233 "parse.y"
+#line 235 "parse.y"
     {
                        checkundefined();
                }
     break;
 
   case 4:
-#line 240 "parse.y"
+#line 242 "parse.y"
     { error_message("implicit tagging is not supported"); }
     break;
 
   case 5:
-#line 242 "parse.y"
+#line 244 "parse.y"
     { error_message("automatic tagging is not supported"); }
     break;
 
   case 7:
-#line 247 "parse.y"
+#line 249 "parse.y"
     { error_message("no extensibility options supported"); }
     break;
 
   case 17:
-#line 268 "parse.y"
+#line 270 "parse.y"
     { 
                    struct string_list *sl;
                    for(sl = (yyvsp[(1) - (4)].sl); sl != NULL; sl = sl->next) {
@@ -1782,7 +1796,7 @@ yyreduce:
     break;
 
   case 22:
-#line 287 "parse.y"
+#line 289 "parse.y"
     {
                    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
                    (yyval.sl)->string = (yyvsp[(1) - (3)].name);
@@ -1791,7 +1805,7 @@ yyreduce:
     break;
 
   case 23:
-#line 293 "parse.y"
+#line 295 "parse.y"
     {
                    (yyval.sl) = emalloc(sizeof(*(yyval.sl)));
                    (yyval.sl)->string = (yyvsp[(1) - (1)].name);
@@ -1800,7 +1814,7 @@ yyreduce:
     break;
 
   case 24:
-#line 301 "parse.y"
+#line 303 "parse.y"
     {
                    Symbol *s = addsym ((yyvsp[(1) - (3)].name));
                    s->stype = Stype;
@@ -1811,7 +1825,7 @@ yyreduce:
     break;
 
   case 42:
-#line 332 "parse.y"
+#line 334 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean, 
                                     TE_EXPLICIT, new_type(TBoolean));
@@ -1819,36 +1833,70 @@ yyreduce:
     break;
 
   case 43:
-#line 339 "parse.y"
+#line 341 "parse.y"
     {
-                       if((yyvsp[(2) - (5)].value)->type != integervalue || 
-                          (yyvsp[(4) - (5)].value)->type != integervalue)
-                               error_message("Non-integer value used in range");
-                       (yyval.range).min = (yyvsp[(2) - (5)].value)->u.integervalue;
-                       (yyval.range).max = (yyvsp[(4) - (5)].value)->u.integervalue;
+                   if((yyvsp[(2) - (5)].value)->type != integervalue)
+                       error_message("Non-integer used in first part of range");
+                   if((yyvsp[(2) - (5)].value)->type != integervalue)
+                       error_message("Non-integer in second part of range");
+                   (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+                   (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
+                   (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
                }
     break;
 
   case 44:
-#line 349 "parse.y"
+#line 351 "parse.y"
+    {          
+                   if((yyvsp[(2) - (5)].value)->type != integervalue)
+                       error_message("Non-integer in first part of range");
+                   (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+                   (yyval.range)->min = (yyvsp[(2) - (5)].value)->u.integervalue;
+                   (yyval.range)->max = (yyvsp[(2) - (5)].value)->u.integervalue - 1;
+               }
+    break;
+
+  case 45:
+#line 359 "parse.y"
+    {          
+                   if((yyvsp[(4) - (5)].value)->type != integervalue)
+                       error_message("Non-integer in second part of range");
+                   (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+                   (yyval.range)->min = (yyvsp[(4) - (5)].value)->u.integervalue + 2;
+                   (yyval.range)->max = (yyvsp[(4) - (5)].value)->u.integervalue;
+               }
+    break;
+
+  case 46:
+#line 367 "parse.y"
+    {
+                   if((yyvsp[(2) - (3)].value)->type != integervalue)
+                       error_message("Non-integer used in limit");
+                   (yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
+                   (yyval.range)->min = (yyvsp[(2) - (3)].value)->u.integervalue;
+                   (yyval.range)->max = (yyvsp[(2) - (3)].value)->u.integervalue;
+               }
+    break;
+
+  case 47:
+#line 378 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, 
                                     TE_EXPLICIT, new_type(TInteger));
                }
     break;
 
-  case 45:
-#line 354 "parse.y"
+  case 48:
+#line 383 "parse.y"
     {
                        (yyval.type) = new_type(TInteger);
-                       (yyval.type)->range = emalloc(sizeof(*(yyval.type)->range));
-                       *((yyval.type)->range) = (yyvsp[(2) - (2)].range);
+                       (yyval.type)->range = (yyvsp[(2) - (2)].range);
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer, TE_EXPLICIT, (yyval.type));
                }
     break;
 
-  case 46:
-#line 361 "parse.y"
+  case 49:
+#line 389 "parse.y"
     {
                  (yyval.type) = new_type(TInteger);
                  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1856,8 +1904,8 @@ yyreduce:
                }
     break;
 
-  case 47:
-#line 369 "parse.y"
+  case 50:
+#line 397 "parse.y"
     {
                        (yyval.members) = emalloc(sizeof(*(yyval.members)));
                        ASN1_TAILQ_INIT((yyval.members));
@@ -1865,21 +1913,21 @@ yyreduce:
                }
     break;
 
-  case 48:
-#line 375 "parse.y"
+  case 51:
+#line 403 "parse.y"
     {
                        ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
                        (yyval.members) = (yyvsp[(1) - (3)].members);
                }
     break;
 
-  case 49:
-#line 380 "parse.y"
+  case 52:
+#line 408 "parse.y"
     { (yyval.members) = (yyvsp[(1) - (3)].members); }
     break;
 
-  case 50:
-#line 384 "parse.y"
+  case 53:
+#line 412 "parse.y"
     {
                        (yyval.member) = emalloc(sizeof(*(yyval.member)));
                        (yyval.member)->name = (yyvsp[(1) - (4)].name);
@@ -1892,8 +1940,8 @@ yyreduce:
                }
     break;
 
-  case 51:
-#line 397 "parse.y"
+  case 54:
+#line 425 "parse.y"
     {
                  (yyval.type) = new_type(TInteger);
                  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1901,8 +1949,8 @@ yyreduce:
                }
     break;
 
-  case 53:
-#line 408 "parse.y"
+  case 56:
+#line 436 "parse.y"
     {
                  (yyval.type) = new_type(TBitString);
                  (yyval.type)->members = emalloc(sizeof(*(yyval.type)->members));
@@ -1911,8 +1959,8 @@ yyreduce:
                }
     break;
 
-  case 54:
-#line 415 "parse.y"
+  case 57:
+#line 443 "parse.y"
     {
                  (yyval.type) = new_type(TBitString);
                  (yyval.type)->members = (yyvsp[(4) - (5)].members);
@@ -1920,32 +1968,44 @@ yyreduce:
                }
     break;
 
-  case 55:
-#line 423 "parse.y"
+  case 58:
+#line 451 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_OID, 
                                     TE_EXPLICIT, new_type(TOID));
                }
     break;
 
-  case 56:
-#line 429 "parse.y"
+  case 59:
+#line 457 "parse.y"
     {
-                       (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, 
-                                    TE_EXPLICIT, new_type(TOctetString));
+                   Type *t = new_type(TOctetString);
+                   t->range = (yyvsp[(3) - (3)].range);
+                   (yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString, 
+                                TE_EXPLICIT, t);
                }
     break;
 
-  case 57:
-#line 436 "parse.y"
+  case 60:
+#line 466 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_Null, 
                                     TE_EXPLICIT, new_type(TNull));
                }
     break;
 
-  case 58:
-#line 443 "parse.y"
+  case 61:
+#line 473 "parse.y"
+    { (yyval.range) = NULL; }
+    break;
+
+  case 62:
+#line 475 "parse.y"
+    { (yyval.range) = (yyvsp[(2) - (2)].range); }
+    break;
+
+  case 63:
+#line 480 "parse.y"
     {
                  (yyval.type) = new_type(TSequence);
                  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1953,8 +2013,8 @@ yyreduce:
                }
     break;
 
-  case 59:
-#line 449 "parse.y"
+  case 64:
+#line 486 "parse.y"
     {
                  (yyval.type) = new_type(TSequence);
                  (yyval.type)->members = NULL;
@@ -1962,17 +2022,18 @@ yyreduce:
                }
     break;
 
-  case 60:
-#line 457 "parse.y"
+  case 65:
+#line 494 "parse.y"
     {
                  (yyval.type) = new_type(TSequenceOf);
-                 (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
+                 (yyval.type)->range = (yyvsp[(2) - (4)].range);
+                 (yyval.type)->subtype = (yyvsp[(4) - (4)].type);
                  (yyval.type) = new_tag(ASN1_C_UNIV, UT_Sequence, TE_EXPLICIT, (yyval.type));
                }
     break;
 
-  case 61:
-#line 465 "parse.y"
+  case 66:
+#line 503 "parse.y"
     {
                  (yyval.type) = new_type(TSet);
                  (yyval.type)->members = (yyvsp[(3) - (4)].members);
@@ -1980,8 +2041,8 @@ yyreduce:
                }
     break;
 
-  case 62:
-#line 471 "parse.y"
+  case 67:
+#line 509 "parse.y"
     {
                  (yyval.type) = new_type(TSet);
                  (yyval.type)->members = NULL;
@@ -1989,8 +2050,8 @@ yyreduce:
                }
     break;
 
-  case 63:
-#line 479 "parse.y"
+  case 68:
+#line 517 "parse.y"
     {
                  (yyval.type) = new_type(TSetOf);
                  (yyval.type)->subtype = (yyvsp[(3) - (3)].type);
@@ -1998,16 +2059,16 @@ yyreduce:
                }
     break;
 
-  case 64:
-#line 487 "parse.y"
+  case 69:
+#line 525 "parse.y"
     {
                  (yyval.type) = new_type(TChoice);
                  (yyval.type)->members = (yyvsp[(3) - (4)].members);
                }
     break;
 
-  case 67:
-#line 498 "parse.y"
+  case 72:
+#line 536 "parse.y"
     {
                  Symbol *s = addsym((yyvsp[(1) - (1)].name));
                  (yyval.type) = new_type(TType);
@@ -2018,24 +2079,24 @@ yyreduce:
                }
     break;
 
-  case 68:
-#line 509 "parse.y"
+  case 73:
+#line 547 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime, 
                                     TE_EXPLICIT, new_type(TGeneralizedTime));
                }
     break;
 
-  case 69:
-#line 514 "parse.y"
+  case 74:
+#line 552 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime, 
                                     TE_EXPLICIT, new_type(TUTCTime));
                }
     break;
 
-  case 70:
-#line 521 "parse.y"
+  case 75:
+#line 559 "parse.y"
     {
                    /* if (Constraint.type == contentConstrant) {
                       assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too
@@ -2050,15 +2111,15 @@ yyreduce:
                }
     break;
 
-  case 71:
-#line 537 "parse.y"
+  case 76:
+#line 575 "parse.y"
     {
                    (yyval.constraint_spec) = (yyvsp[(2) - (3)].constraint_spec);
                }
     break;
 
-  case 75:
-#line 550 "parse.y"
+  case 80:
+#line 588 "parse.y"
     {
                    (yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
                    (yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (2)].type);
@@ -2066,8 +2127,8 @@ yyreduce:
                }
     break;
 
-  case 76:
-#line 556 "parse.y"
+  case 81:
+#line 594 "parse.y"
     {
                    if ((yyvsp[(3) - (3)].value)->type != objectidentifiervalue)
                        error_message("Non-OID used in ENCODED BY constraint");
@@ -2077,8 +2138,8 @@ yyreduce:
                }
     break;
 
-  case 77:
-#line 564 "parse.y"
+  case 82:
+#line 602 "parse.y"
     {
                    if ((yyvsp[(5) - (5)].value)->type != objectidentifiervalue)
                        error_message("Non-OID used in ENCODED BY constraint");
@@ -2088,15 +2149,15 @@ yyreduce:
                }
     break;
 
-  case 78:
-#line 574 "parse.y"
+  case 83:
+#line 612 "parse.y"
     {
                    (yyval.constraint_spec) = new_constraint_spec(CT_USER);
                }
     break;
 
-  case 79:
-#line 580 "parse.y"
+  case 84:
+#line 618 "parse.y"
     {
                        (yyval.type) = new_type(TTag);
                        (yyval.type)->tag = (yyvsp[(1) - (3)].tag);
@@ -2109,8 +2170,8 @@ yyreduce:
                }
     break;
 
-  case 80:
-#line 593 "parse.y"
+  case 85:
+#line 631 "parse.y"
     {
                        (yyval.tag).tagclass = (yyvsp[(2) - (4)].constant);
                        (yyval.tag).tagvalue = (yyvsp[(3) - (4)].constant);
@@ -2118,57 +2179,57 @@ yyreduce:
                }
     break;
 
-  case 81:
-#line 601 "parse.y"
+  case 86:
+#line 639 "parse.y"
     {
                        (yyval.constant) = ASN1_C_CONTEXT;
                }
     break;
 
-  case 82:
-#line 605 "parse.y"
+  case 87:
+#line 643 "parse.y"
     {
                        (yyval.constant) = ASN1_C_UNIV;
                }
     break;
 
-  case 83:
-#line 609 "parse.y"
+  case 88:
+#line 647 "parse.y"
     {
                        (yyval.constant) = ASN1_C_APPL;
                }
     break;
 
-  case 84:
-#line 613 "parse.y"
+  case 89:
+#line 651 "parse.y"
     {
                        (yyval.constant) = ASN1_C_PRIVATE;
                }
     break;
 
-  case 85:
-#line 619 "parse.y"
+  case 90:
+#line 657 "parse.y"
     {
                        (yyval.constant) = TE_EXPLICIT;
                }
     break;
 
-  case 86:
-#line 623 "parse.y"
+  case 91:
+#line 661 "parse.y"
     {
                        (yyval.constant) = TE_EXPLICIT;
                }
     break;
 
-  case 87:
-#line 627 "parse.y"
+  case 92:
+#line 665 "parse.y"
     {
                        (yyval.constant) = TE_IMPLICIT;
                }
     break;
 
-  case 88:
-#line 634 "parse.y"
+  case 93:
+#line 672 "parse.y"
     {
                        Symbol *s;
                        s = addsym ((yyvsp[(1) - (4)].name));
@@ -2179,64 +2240,64 @@ yyreduce:
                }
     break;
 
-  case 90:
-#line 648 "parse.y"
+  case 95:
+#line 686 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString, 
                                     TE_EXPLICIT, new_type(TGeneralString));
                }
     break;
 
-  case 91:
-#line 653 "parse.y"
+  case 96:
+#line 691 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String, 
                                     TE_EXPLICIT, new_type(TUTF8String));
                }
     break;
 
-  case 92:
-#line 658 "parse.y"
+  case 97:
+#line 696 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString, 
                                     TE_EXPLICIT, new_type(TPrintableString));
                }
     break;
 
-  case 93:
-#line 663 "parse.y"
+  case 98:
+#line 701 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString, 
                                     TE_EXPLICIT, new_type(TVisibleString));
                }
     break;
 
-  case 94:
-#line 668 "parse.y"
+  case 99:
+#line 706 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String, 
                                     TE_EXPLICIT, new_type(TIA5String));
                }
     break;
 
-  case 95:
-#line 673 "parse.y"
+  case 100:
+#line 711 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString, 
                                     TE_EXPLICIT, new_type(TBMPString));
                }
     break;
 
-  case 96:
-#line 678 "parse.y"
+  case 101:
+#line 716 "parse.y"
     {
                        (yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString, 
                                     TE_EXPLICIT, new_type(TUniversalString));
                }
     break;
 
-  case 97:
-#line 686 "parse.y"
+  case 102:
+#line 724 "parse.y"
     {
                        (yyval.members) = emalloc(sizeof(*(yyval.members)));
                        ASN1_TAILQ_INIT((yyval.members));
@@ -2244,16 +2305,16 @@ yyreduce:
                }
     break;
 
-  case 98:
-#line 692 "parse.y"
+  case 103:
+#line 730 "parse.y"
     {
                        ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
                        (yyval.members) = (yyvsp[(1) - (3)].members);
                }
     break;
 
-  case 99:
-#line 697 "parse.y"
+  case 104:
+#line 735 "parse.y"
     {
                        struct member *m = ecalloc(1, sizeof(*m));
                        m->name = estrdup("...");
@@ -2264,8 +2325,8 @@ yyreduce:
                }
     break;
 
-  case 100:
-#line 708 "parse.y"
+  case 105:
+#line 746 "parse.y"
     {
                  (yyval.member) = emalloc(sizeof(*(yyval.member)));
                  (yyval.member)->name = (yyvsp[(1) - (2)].name);
@@ -2276,8 +2337,8 @@ yyreduce:
                }
     break;
 
-  case 101:
-#line 719 "parse.y"
+  case 106:
+#line 757 "parse.y"
     {
                        (yyval.member) = (yyvsp[(1) - (1)].member);
                        (yyval.member)->optional = 0;
@@ -2285,8 +2346,8 @@ yyreduce:
                }
     break;
 
-  case 102:
-#line 725 "parse.y"
+  case 107:
+#line 763 "parse.y"
     {
                        (yyval.member) = (yyvsp[(1) - (2)].member);
                        (yyval.member)->optional = 1;
@@ -2294,8 +2355,8 @@ yyreduce:
                }
     break;
 
-  case 103:
-#line 731 "parse.y"
+  case 108:
+#line 769 "parse.y"
     {
                        (yyval.member) = (yyvsp[(1) - (3)].member);
                        (yyval.member)->optional = 0;
@@ -2303,8 +2364,8 @@ yyreduce:
                }
     break;
 
-  case 104:
-#line 739 "parse.y"
+  case 109:
+#line 777 "parse.y"
     {
                        (yyval.members) = emalloc(sizeof(*(yyval.members)));
                        ASN1_TAILQ_INIT((yyval.members));
@@ -2312,16 +2373,16 @@ yyreduce:
                }
     break;
 
-  case 105:
-#line 745 "parse.y"
+  case 110:
+#line 783 "parse.y"
     {
                        ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
                        (yyval.members) = (yyvsp[(1) - (3)].members);
                }
     break;
 
-  case 106:
-#line 752 "parse.y"
+  case 111:
+#line 790 "parse.y"
     {
                  (yyval.member) = emalloc(sizeof(*(yyval.member)));
                  (yyval.member)->name = (yyvsp[(1) - (4)].name);
@@ -2334,27 +2395,27 @@ yyreduce:
                }
     break;
 
-  case 108:
-#line 765 "parse.y"
+  case 113:
+#line 803 "parse.y"
     { (yyval.objid) = NULL; }
     break;
 
-  case 109:
-#line 769 "parse.y"
+  case 114:
+#line 807 "parse.y"
     {
                        (yyval.objid) = (yyvsp[(2) - (3)].objid);
                }
     break;
 
-  case 110:
-#line 775 "parse.y"
+  case 115:
+#line 813 "parse.y"
     {
                        (yyval.objid) = NULL;
                }
     break;
 
-  case 111:
-#line 779 "parse.y"
+  case 116:
+#line 817 "parse.y"
     {
                        if ((yyvsp[(2) - (2)].objid)) {
                                (yyval.objid) = (yyvsp[(2) - (2)].objid);
@@ -2365,15 +2426,15 @@ yyreduce:
                }
     break;
 
-  case 112:
-#line 790 "parse.y"
+  case 117:
+#line 828 "parse.y"
     {
                        (yyval.objid) = new_objid((yyvsp[(1) - (4)].name), (yyvsp[(3) - (4)].constant));
                }
     break;
 
-  case 113:
-#line 794 "parse.y"
+  case 118:
+#line 832 "parse.y"
     {
                    Symbol *s = addsym((yyvsp[(1) - (1)].name));
                    if(s->stype != SValue ||
@@ -2386,15 +2447,15 @@ yyreduce:
                }
     break;
 
-  case 114:
-#line 805 "parse.y"
+  case 119:
+#line 843 "parse.y"
     {
                    (yyval.objid) = new_objid(NULL, (yyvsp[(1) - (1)].constant));
                }
     break;
 
-  case 124:
-#line 828 "parse.y"
+  case 129:
+#line 866 "parse.y"
     {
                        Symbol *s = addsym((yyvsp[(1) - (1)].name));
                        if(s->stype != SValue)
@@ -2405,8 +2466,8 @@ yyreduce:
                }
     break;
 
-  case 125:
-#line 839 "parse.y"
+  case 130:
+#line 877 "parse.y"
     {
                        (yyval.value) = emalloc(sizeof(*(yyval.value)));
                        (yyval.value)->type = stringvalue;
@@ -2414,8 +2475,8 @@ yyreduce:
                }
     break;
 
-  case 126:
-#line 847 "parse.y"
+  case 131:
+#line 885 "parse.y"
     {
                        (yyval.value) = emalloc(sizeof(*(yyval.value)));
                        (yyval.value)->type = booleanvalue;
@@ -2423,8 +2484,8 @@ yyreduce:
                }
     break;
 
-  case 127:
-#line 853 "parse.y"
+  case 132:
+#line 891 "parse.y"
     {
                        (yyval.value) = emalloc(sizeof(*(yyval.value)));
                        (yyval.value)->type = booleanvalue;
@@ -2432,8 +2493,8 @@ yyreduce:
                }
     break;
 
-  case 128:
-#line 861 "parse.y"
+  case 133:
+#line 899 "parse.y"
     {
                        (yyval.value) = emalloc(sizeof(*(yyval.value)));
                        (yyval.value)->type = integervalue;
@@ -2441,14 +2502,14 @@ yyreduce:
                }
     break;
 
-  case 130:
-#line 872 "parse.y"
+  case 135:
+#line 910 "parse.y"
     {
                }
     break;
 
-  case 131:
-#line 877 "parse.y"
+  case 136:
+#line 915 "parse.y"
     {
                        (yyval.value) = emalloc(sizeof(*(yyval.value)));
                        (yyval.value)->type = objectidentifiervalue;
@@ -2458,7 +2519,7 @@ yyreduce:
 
 
 /* Line 1267 of yacc.c.  */
-#line 2464 "parse.c"
+#line 2523 "parse.c"
       default: break;
     }
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -2672,7 +2733,7 @@ yyreturn:
 }
 
 
-#line 884 "parse.y"
+#line 922 "parse.y"
 
 
 void

diff --git a/source4/heimdal/lib/asn1/parse.h b/source4/heimdal/lib/asn1/parse.h
index a0c26d50f15c0c8f027cf888e69e5e47c2d5e176..5e73094f9e6b2a1833f6d12a411c710437bc7d96 100644 (file)
--- a/source4/heimdal/lib/asn1/parse.h
+++ b/source4/heimdal/lib/asn1/parse.h
@@ -16,7 +16,9 @@
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
-   along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 51 Franklin Street, Fifth Floor,
+   Boston, MA 02110-1301, USA.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -224,7 +226,7 @@ typedef union YYSTYPE
 {
     int constant;
     struct value *value;
-    struct range range;
+    struct range *range;
     char *name;
     Type *type;
     Member *member;

diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1
index 71f197eba7734ebfee8ef1e969b6dd9845a9d0f6..0ec3b695ebebeb9c50a6015e9e25c4f226bf2f1a 100644 (file)
--- a/source4/heimdal/lib/asn1/rfc2459.asn1
+++ b/source4/heimdal/lib/asn1/rfc2459.asn1
@@ -169,7 +169,7 @@ Extension  ::=  SEQUENCE  {
      extnValue   OCTET STRING
 }
 
-Extensions  ::=  SEQUENCE OF Extension --  SIZE (1..MAX) 
+Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
 
 TBSCertificate  ::=  SEQUENCE  {
      version         [0]  Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
@@ -232,7 +232,7 @@ GeneralName ::= CHOICE {
        registeredID                    [8]     IMPLICIT OBJECT IDENTIFIER
 }
 
-GeneralNames ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralName
+GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
 
 id-x509-ce-keyUsage OBJECT IDENTIFIER ::=  { id-x509-ce 15 }
 
@@ -320,7 +320,7 @@ DistributionPointReasonFlags ::= BIT STRING {
 }
 
 DistributionPointName ::= CHOICE {
-       fullName                [0]     IMPLICIT -- GeneralNames --  SEQUENCE -- SIZE (1..MAX) -- OF GeneralName,
+       fullName                [0]     IMPLICIT -- GeneralNames --  SEQUENCE SIZE (1..MAX) OF GeneralName,
        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName
 }
 
@@ -330,7 +330,7 @@ DistributionPoint ::= SEQUENCE {
        cRLIssuer               [2]     IMPLICIT heim_any -- GeneralNames -- OPTIONAL
 }
 
-CRLDistributionPoints ::= SEQUENCE -- SIZE (1..MAX) -- OF DistributionPoint
+CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
 
 
 -- rfc3279
@@ -449,11 +449,20 @@ id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
 id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
 id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }
 
--- RFC 3820 Proxy Certificate Profile
-
 id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
 
-id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
+id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }
+
+AccessDescription  ::=  SEQUENCE {
+       accessMethod          OBJECT IDENTIFIER,
+       accessLocation        GeneralName
+}
+
+AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+-- RFC 3820 Proxy Certificate Profile
+
+id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
 
 id-pkix-ppl  OBJECT IDENTIFIER ::= { id-pkix 21 }
 

diff --git a/source4/heimdal/lib/asn1/test.asn1 b/source4/heimdal/lib/asn1/test.asn1
index 98b507a4da655bf8372ed3245480553ca48b86f2..b2f58a20c2ce0286e9dd86683f06112ef77a0f61 100644 (file)
--- a/source4/heimdal/lib/asn1/test.asn1
+++ b/source4/heimdal/lib/asn1/test.asn1
@@ -1,4 +1,4 @@
--- $Id: test.asn1 18013 2006-09-05 14:00:44Z lha $ --
+-- $Id: test.asn1 21455 2007-07-10 12:51:19Z lha $ --
 
 TEST DEFINITIONS ::=
 
@@ -85,4 +85,11 @@ TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- })
 
 TESTSeqOf ::= SEQUENCE OF TESTInteger
 
+TESTSeqSizeOf1 ::= SEQUENCE SIZE (2) OF TESTInteger
+TESTSeqSizeOf2 ::= SEQUENCE SIZE (1..2) OF TESTInteger
+TESTSeqSizeOf3 ::= SEQUENCE SIZE (1..MAX) OF TESTInteger
+TESTSeqSizeOf4 ::= SEQUENCE SIZE (MIN..2) OF TESTInteger
+
+TESTOSSize1 ::= OCTET STRING SIZE (1..2)
+
 END

diff --git a/source4/heimdal/lib/asn1/timegm.c b/source4/heimdal/lib/asn1/timegm.c
index a6776458cf9a9ec57c9052543c9d5d68926eaf89..33b9684a5d87f55d6a0b0b5eeb6b362bcb733e3b 100644 (file)
--- a/source4/heimdal/lib/asn1/timegm.c
+++ b/source4/heimdal/lib/asn1/timegm.c
@@ -33,7 +33,7 @@
 
 #include "der_locl.h"
 
-RCSID("$Id: timegm.c 18607 2006-10-19 16:19:32Z lha $");
+RCSID("$Id: timegm.c 21366 2007-06-27 10:06:22Z lha $");
 
 static int
 is_leap(unsigned y)
@@ -43,8 +43,8 @@ is_leap(unsigned y)
 }
 
 /* 
- * This is a simplifed version of _der_timegm that doesn't accept out
- * of bound values that timegm(3) normally accepts but those are not
+ * This is a simplifed version of timegm(3) that doesn't accept out of
+ * bound values that timegm(3) normally accepts but those are not
  * valid in asn1 encodings.
  */
 

diff --git a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
index d6e448a223a8833b1ca1f6eb138773a34569f3d7..cb1b62308c0a0b28cb5110011eb5f243eb55e982 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_acquire_cred.c 20626 2007-05-08 13:56:49Z lha $");
+RCSID("$Id: gss_acquire_cred.c 21478 2007-07-10 16:32:01Z lha $");
 
 OM_uint32
 gss_acquire_cred(OM_uint32 *minor_status,
@@ -50,7 +50,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
        int i;
 
        *minor_status = 0;
-       if (actual_mechs)
+       if (output_cred_handle)
            *output_cred_handle = GSS_C_NO_CREDENTIAL;
        if (actual_mechs)
            *actual_mechs = GSS_C_NO_OID_SET;
@@ -106,8 +106,9 @@ gss_acquire_cred(OM_uint32 *minor_status,
                        continue;
 
                if (desired_name != GSS_C_NO_NAME) {
-                       mn = _gss_find_mn(name, &mechs->elements[i]);
-                       if (!mn)
+                       major_status = _gss_find_mn(minor_status, name,
+                                                   &mechs->elements[i], &mn);
+                       if (major_status != GSS_S_COMPLETE)
                                continue;
                }
 

diff --git a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
index 4947c5c30edcdf3ac691fd7c3a7f1bb7d9d9cd92..09b592b5da7c4f4ead4316c185c231b02def9709 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_add_cred.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_add_cred.c 20626 2007-05-08 13:56:49Z lha $");
+RCSID("$Id: gss_add_cred.c 21474 2007-07-10 16:30:23Z lha $");
 
 static struct _gss_mechanism_cred *
 _gss_copy_cred(struct _gss_mechanism_cred *mc)
@@ -136,11 +136,13 @@ gss_add_cred(OM_uint32 *minor_status,
         * Figure out a suitable mn, if any.
         */
        if (desired_name) {
-               mn = _gss_find_mn((struct _gss_name *) desired_name,
-                       desired_mech);
-               if (!mn) {
+               major_status = _gss_find_mn(minor_status,
+                                           (struct _gss_name *) desired_name,
+                                           desired_mech,
+                                           &mn);
+               if (major_status != GSS_S_COMPLETE) {
                        free(new_cred);
-                       return (GSS_S_BAD_NAME);
+                       return major_status;
                }
        } else {
                mn = 0;

diff --git a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
index 1437a9bc7b50b6fe7e53e74c8d9a93f5381079ea..c950c03166b1de24884dbbdcd5239141c6673239 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_canonicalize_name.c 19928 2007-01-16 10:37:54Z lha $");
+RCSID("$Id: gss_canonicalize_name.c 21476 2007-07-10 16:31:27Z lha $");
 
 OM_uint32
 gss_canonicalize_name(OM_uint32 *minor_status,
@@ -44,10 +44,9 @@ gss_canonicalize_name(OM_uint32 *minor_status,
        *minor_status = 0;
        *output_name = 0;
 
-       mn = _gss_find_mn(name, mech_type);
-       if (!mn) {
-               return (GSS_S_BAD_MECH);
-       }
+       major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+       if (major_status)
+               return major_status;
 
        m = mn->gmn_mech;
        major_status = m->gm_canonicalize_name(minor_status,

diff --git a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c
index 147ad60c94ef0a5cfe8372342eb642defb29487c..617ff13d984436f2dc7e55018c11ce49a19683e8 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_compare_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_compare_name.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_compare_name.c 17700 2006-06-28 09:00:26Z lha $");
+RCSID("$Id: gss_compare_name.c 21475 2007-07-10 16:31:03Z lha $");
 
 OM_uint32
 gss_compare_name(OM_uint32 *minor_status,
@@ -57,8 +57,11 @@ gss_compare_name(OM_uint32 *minor_status,
                struct _gss_mechanism_name *mn2;
 
                SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
-                       mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid);
-                       if (mn2) {
+                       OM_uint32 major_status;
+
+                       major_status = _gss_find_mn(minor_status, name2,
+                                                   mn1->gmn_mech_oid, &mn2);
+                       if (major_status == GSS_S_COMPLETE) {
                                return (mn1->gmn_mech->gm_compare_name(
                                                minor_status,
                                                mn1->gmn_name,

diff --git a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
index 4ff81fdf2df6f29be0dc8c1748d751b5ba0b5dc1..f38c840b314c53619bfd4ea02f488ac917be6f6a 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_duplicate_name.c 21219 2007-06-20 08:27:11Z lha $");
+RCSID("$Id: gss_duplicate_name.c 21480 2007-07-10 16:32:32Z lha $");
 
 OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
     const gss_name_t src_name,
@@ -54,7 +54,9 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
                new_name = (struct _gss_name *) *dest_name;
                
                SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
-                       _gss_find_mn(new_name, mn->gmn_mech_oid);
+                   struct _gss_mechanism_name *mn2;
+                   _gss_find_mn(minor_status, new_name, 
+                                mn->gmn_mech_oid, &mn2);
                }
        } else {
                new_name = malloc(sizeof(struct _gss_name));

diff --git a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
index c1c058d146cdc5a25ecc99f222f3face9a30e95f..b9a1680dcb3ed3a00cb48c7ab52c5948ab627c02 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
@@ -27,7 +27,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_init_sec_context.c 19957 2007-01-17 13:48:11Z lha $");
+RCSID("$Id: gss_init_sec_context.c 21479 2007-07-10 16:32:19Z lha $");
 
 static gss_cred_id_t
 _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
@@ -109,11 +109,11 @@ gss_init_sec_context(OM_uint32 * minor_status,
        /*
         * Find the MN for this mechanism.
         */
-       mn = _gss_find_mn(name, mech_type);
-       if (mn == NULL) {
+       major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
+       if (major_status != GSS_S_COMPLETE) {
                if (allocated_ctx)
                        free(ctx);
-               return GSS_S_BAD_NAME;
+               return major_status;
        }
 
        /*

diff --git a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
index 604027490ef0b91396af19c46034eeb18cc01a86..f1a18afb13a65cf77dad28737f02f0977e272296 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
@@ -28,7 +28,7 @@
 
 #include "mech_locl.h"
 #include <heim_threads.h>
-RCSID("$Id: gss_mech_switch.c 20625 2007-05-08 13:55:03Z lha $");
+RCSID("$Id: gss_mech_switch.c 21700 2007-07-26 19:08:34Z lha $");
 
 #ifndef _PATH_GSS_MECH
 #define _PATH_GSS_MECH "/etc/gss/mech"
@@ -223,9 +223,9 @@ _gss_load_mech(void)
        add_builtin(__gss_spnego_initialize());
        add_builtin(__gss_ntlm_initialize());
 
+#ifdef HAVE_DLOPEN
        fp = fopen(_PATH_GSS_MECH, "r");
        if (!fp) {
-/*             perror(_PATH_GSS_MECH); */
                HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
                return;
        }
@@ -316,6 +316,7 @@ _gss_load_mech(void)
                continue;
        }
        fclose(fp);
+#endif
        HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
 }
 

diff --git a/source4/heimdal/lib/gssapi/mech/gss_names.c b/source4/heimdal/lib/gssapi/mech/gss_names.c
index 3ab609c19292d5b812c0b7a41b11b1f58133cf68..f78672d8374d09b657686e215eac57ad3e2bf62a 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_names.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_names.c
@@ -27,15 +27,18 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_names.c 19928 2007-01-16 10:37:54Z lha $");
+RCSID("$Id: gss_names.c 21473 2007-07-10 16:29:53Z lha $");
 
-struct _gss_mechanism_name *
-_gss_find_mn(struct _gss_name *name, gss_OID mech)
+OM_uint32
+_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech, 
+            struct _gss_mechanism_name **output_mn)
 {
-       OM_uint32 major_status, minor_status;
+       OM_uint32 major_status;
        gssapi_mech_interface m;
        struct _gss_mechanism_name *mn;
 
+       *output_mn = NULL;
+
        SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
                if (gss_oid_equal(mech, mn->gmn_mech_oid))
                        break;
@@ -47,34 +50,36 @@ _gss_find_mn(struct _gss_name *name, gss_OID mech)
                 * MN but it is from a different mech), give up now.
                 */
                if (!name->gn_value.value)
-                       return (0);
+                       return GSS_S_BAD_NAME;
 
                m = __gss_get_mechanism(mech);
                if (!m)
-                       return (0);
+                       return (GSS_S_BAD_MECH);
 
                mn = malloc(sizeof(struct _gss_mechanism_name));
                if (!mn)
-                       return (0);
+                       return GSS_S_FAILURE;
                
-               major_status = m->gm_import_name(&minor_status,
+               major_status = m->gm_import_name(minor_status,
                    &name->gn_value,
                    (name->gn_type.elements
                        ? &name->gn_type : GSS_C_NO_OID),
                    &mn->gmn_name);
                if (major_status != GSS_S_COMPLETE) {
-                       _gss_mg_error(m, major_status, minor_status);
+                       _gss_mg_error(m, major_status, *minor_status);
                        free(mn);
-                       return (0);
+                       return major_status;
                }
 
                mn->gmn_mech = m;
                mn->gmn_mech_oid = &m->gm_mech_oid;
                SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
        }
-       return (mn);
+       *output_mn = mn;
+       return 0;
 }
 
+
 /*
  * Make a name from an MN.
  */

diff --git a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
index 3195370b77721a66af114de68835901a54be4c9a..e2cecaf6b446e09b79eabb2cf21945b617519656 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_oid_to_str.c
@@ -32,7 +32,7 @@
  */
 
 #include "mech_locl.h"
-RCSID("$Id: gss_oid_to_str.c 19963 2007-01-17 16:01:22Z lha $");
+RCSID("$Id: gss_oid_to_str.c 21409 2007-07-04 14:19:11Z lha $");
 
 OM_uint32
 gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
@@ -44,6 +44,9 @@ gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
 
     _mg_buffer_zero(oid_str);
 
+    if (oid == GSS_C_NULL_OID)
+       return GSS_S_FAILURE;
+
     ret = der_get_oid (oid->elements, oid->length, &o, &size);
     if (ret) {
        *minor_status = ret;

diff --git a/source4/heimdal/lib/gssapi/mech/name.h b/source4/heimdal/lib/gssapi/mech/name.h
index 2252150a06f6a6ced8de6a633506b3936e6ec815..7c9ba33d85cb3d6958fa33886672f0fb32a80794 100644 (file)
--- a/source4/heimdal/lib/gssapi/mech/name.h
+++ b/source4/heimdal/lib/gssapi/mech/name.h
@@ -24,7 +24,7 @@
  * SUCH DAMAGE.
  *
  *     $FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
- *     $Id: name.h 18246 2006-10-05 18:36:07Z lha $
+ *     $Id: name.h 21477 2007-07-10 16:31:44Z lha $
  */
 
 struct _gss_mechanism_name {
@@ -41,7 +41,8 @@ struct _gss_name {
        struct _gss_mechanism_name_list gn_mn;  /* list of MNs */
 };
 
-struct _gss_mechanism_name *
-       _gss_find_mn(struct _gss_name *name, gss_OID mech);
+OM_uint32
+       _gss_find_mn(OM_uint32 *, struct _gss_name *, gss_OID, 
+             struct _gss_mechanism_name **);
 struct _gss_name *
        _gss_make_name(gssapi_mech_interface m, gss_name_t new_mn);

diff --git a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
index d20c913bf016d86ab016f337073727b29c4400b8..1afe26f1e39dae042c68a37f69fa792a49a8efa9 100644 (file)
--- a/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "spnego/spnego_locl.h"
 
-RCSID("$Id: accept_sec_context.c 21243 2007-06-20 15:16:22Z lha $");
+RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
 
 static OM_uint32
 send_reject (OM_uint32 *minor_status,
@@ -555,23 +555,16 @@ acceptor_start
     int get_mic = 0;
     int first_ok = 0;
 
-    if (src_name)
-       *src_name = GSS_C_NO_NAME;
-
     mech_output_token.value = NULL;
     mech_output_token.length = 0;
     mech_buf.value = NULL;
 
-    if (*context_handle == GSS_C_NO_CONTEXT) {
-       ret = _gss_spnego_alloc_sec_context(minor_status,
-                                           context_handle);
-       if (ret != GSS_S_COMPLETE)
-           return ret;
-
-       if (input_token_buffer->length == 0) {
-           return send_supported_mechs (minor_status, output_token);
-       }
-    }
+    if (input_token_buffer->length == 0)
+       return send_supported_mechs (minor_status, output_token);
+       
+    ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
+    if (ret != GSS_S_COMPLETE)
+       return ret;
 
     ctx = (gssspnego_ctx)*context_handle;
 

diff --git a/source4/heimdal/lib/gssapi/spnego/spnego.asn1 b/source4/heimdal/lib/gssapi/spnego/spnego.asn1
index aed67dc4ae74ffccfece148eefdd41d739efe399..058f10ba3ad1407b7be8d75cdfc883426c686689 100644 (file)
--- a/source4/heimdal/lib/gssapi/spnego/spnego.asn1
+++ b/source4/heimdal/lib/gssapi/spnego/spnego.asn1
@@ -1,4 +1,4 @@
--- $Id: spnego.asn1 19420 2006-12-18 18:28:49Z lha $
+-- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $
 
 SPNEGO DEFINITIONS ::=
 BEGIN
@@ -8,34 +8,34 @@ MechType::= OBJECT IDENTIFIER
 MechTypeList ::= SEQUENCE OF MechType
 
 ContextFlags ::= BIT STRING {
-        delegFlag       (0),
-        mutualFlag      (1),
-        replayFlag      (2),
-        sequenceFlag    (3),
-        anonFlag        (4),
-        confFlag        (5),
-        integFlag       (6)
+    delegFlag       (0),
+    mutualFlag      (1),
+    replayFlag      (2),
+    sequenceFlag    (3),
+    anonFlag        (4),
+    confFlag        (5),
+    integFlag       (6)
 }
 
 NegHints ::= SEQUENCE {
-    hintName       [0]  GeneralString                          OPTIONAL,
-    hintAddress    [1]  OCTET STRING                           OPTIONAL
+    hintName       [0]  GeneralString  OPTIONAL,
+    hintAddress    [1]  OCTET STRING   OPTIONAL
 } 
 
 NegTokenInitWin ::= SEQUENCE {
-                            mechTypes       [0] MechTypeList,
-                            reqFlags        [1] ContextFlags   OPTIONAL,
-                            mechToken       [2] OCTET STRING   OPTIONAL,
-                           negHints        [3] NegHints       OPTIONAL
-                            }
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags   OPTIONAL,
+    mechToken       [2] OCTET STRING   OPTIONAL,
+    negHints        [3] NegHints       OPTIONAL
+}
 
 NegTokenInit ::= SEQUENCE {
-                            mechTypes       [0] MechTypeList,
-                            reqFlags        [1] ContextFlags   OPTIONAL,
-                            mechToken       [2] OCTET STRING   OPTIONAL,
-                           mechListMIC     [3] OCTET STRING   OPTIONAL
-                         }
-
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags   OPTIONAL,
+    mechToken       [2] OCTET STRING   OPTIONAL,
+    mechListMIC            [3] OCTET STRING   OPTIONAL,
+    ...
+}
 
 -- NB: negResult is not OPTIONAL in the new SPNEGO spec but
 -- Windows clients do not always send it
@@ -47,7 +47,8 @@ NegTokenResp ::= SEQUENCE {
                             request-mic         (3) }          OPTIONAL,
     supportedMech  [1] MechType                                OPTIONAL,
     responseToken  [2] OCTET STRING                            OPTIONAL,
-    mechListMIC    [3] OCTET STRING                            OPTIONAL
+    mechListMIC    [3] OCTET STRING                            OPTIONAL,
+    ...
 }
 
 NegotiationToken ::= CHOICE {

diff --git a/source4/heimdal/lib/hcrypto/hmac.c b/source4/heimdal/lib/hcrypto/hmac.c
index 848b987a90c3295f75a041e6daf1f38c0fd54d8d..b8156e38d447bc572e8719cfff88c0a417efc468 100644 (file)
--- a/source4/heimdal/lib/hcrypto/hmac.c
+++ b/source4/heimdal/lib/hcrypto/hmac.c
@@ -52,8 +52,10 @@ HMAC_Init_ex(HMAC_CTX *ctx,
 
     if (ctx->md != md) {
        ctx->md = md;
-       if (ctx->buf)
+       if (ctx->buf) {
+           memset(ctx->buf, 0, ctx->key_length);
            free (ctx->buf);
+       }
        ctx->key_length = EVP_MD_size(ctx->md);
        ctx->buf = malloc(ctx->key_length);
     }
@@ -67,10 +69,14 @@ HMAC_Init_ex(HMAC_CTX *ctx,
        keylen = EVP_MD_size(ctx->md);
     }
 
-    if (ctx->opad)
+    if (ctx->opad) {
+       memset(ctx->opad, 0, ctx->key_length);
        free(ctx->opad);
-    if (ctx->ipad)
+    }
+    if (ctx->ipad) {
+       memset(ctx->ipad, 0, ctx->key_length);
        free(ctx->ipad);
+    }
 
     ctx->opad = malloc(EVP_MD_block_size(ctx->md));
     ctx->ipad = malloc(EVP_MD_block_size(ctx->md));

diff --git a/source4/heimdal/lib/hx509/ca.c b/source4/heimdal/lib/hx509/ca.c
index 0e48269aa47fd6180c31ffe5fa199c777f6575ed..bf8fe1be1a4c91bc7bd16dc94d7df89139ef1049 100644 (file)
--- a/source4/heimdal/lib/hx509/ca.c
+++ b/source4/heimdal/lib/hx509/ca.c
@@ -33,7 +33,7 @@
 
 #include "hx_locl.h"
 #include <pkinit_asn1.h>
-RCSID("$Id: ca.c 20904 2007-06-05 01:58:45Z lha $");
+RCSID("$Id: ca.c 21379 2007-06-28 07:38:17Z lha $");
 
 struct hx509_ca_tbs {
     hx509_name subject;
@@ -1002,7 +1002,7 @@ ca_sign(hx509_context context,
        if (size != data.length)
            _hx509_abort("internal ASN.1 encoder error");
        ret = add_extension(context, tbsc, 0,
-                           oid_id_pe_proxyCertInfo(),
+                           oid_id_pkix_pe_proxyCertInfo(),
                            &data);
        free(data.data);
        if (ret)

diff --git a/source4/heimdal/lib/hx509/cert.c b/source4/heimdal/lib/hx509/cert.c
index caf163f8e4b7918deeed09b60dce332a1468c897..b7f19d152a9f5342685ac899642a2f6a3eb6f8da 100644 (file)
--- a/source4/heimdal/lib/hx509/cert.c
+++ b/source4/heimdal/lib/hx509/cert.c
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: cert.c 21294 2007-06-25 14:37:15Z lha $");
+RCSID("$Id: cert.c 21380 2007-06-28 07:38:38Z lha $");
 #include "crypto-headers.h"
 #include <rtbl.h>
 
@@ -898,7 +898,7 @@ is_proxy_cert(hx509_context context,
     if (rinfo)
        memset(rinfo, 0, sizeof(*rinfo));
 
-    e = find_extension(cert, oid_id_pe_proxyCertInfo(), &i);
+    e = find_extension(cert, oid_id_pkix_pe_proxyCertInfo(), &i);
     if (e == NULL) {
        hx509_clear_error_string(context);
        return HX509_EXTENSION_NOT_FOUND;

diff --git a/source4/heimdal/lib/hx509/hx509-private.h b/source4/heimdal/lib/hx509/hx509-private.h
index 451c3c89f2b6e5f0138ef2bda9cfddc2422847f3..acbc3218c649a7250cb00fa72c0b2481c450e47b 100644 (file)
--- a/source4/heimdal/lib/hx509/hx509-private.h
+++ b/source4/heimdal/lib/hx509/hx509-private.h
@@ -314,14 +314,6 @@ _hx509_pbe_decrypt (
        const heim_octet_string */*econtent*/,
        heim_octet_string */*content*/);
 
-int
-_hx509_pbe_encrypt (
-       hx509_context /*context*/,
-       hx509_lock /*lock*/,
-       const AlgorithmIdentifier */*ai*/,
-       const heim_octet_string */*content*/,
-       heim_octet_string */*econtent*/);
-
 void
 _hx509_pi_printf (
        int (*/*func*/)(void *, const char *),
@@ -422,35 +414,11 @@ _hx509_request_add_email (
 void
 _hx509_request_free (hx509_request */*req*/);
 
-int
-_hx509_request_get_SubjectPublicKeyInfo (
-       hx509_context /*context*/,
-       hx509_request /*req*/,
-       SubjectPublicKeyInfo */*key*/);
-
-int
-_hx509_request_get_name (
-       hx509_context /*context*/,
-       hx509_request /*req*/,
-       hx509_name */*name*/);
-
 int
 _hx509_request_init (
        hx509_context /*context*/,
        hx509_request */*req*/);
 
-int
-_hx509_request_parse (
-       hx509_context /*context*/,
-       const char */*path*/,
-       hx509_request */*req*/);
-
-int
-_hx509_request_print (
-       hx509_context /*context*/,
-       hx509_request /*req*/,
-       FILE */*f*/);
-
 int
 _hx509_request_set_SubjectPublicKeyInfo (
        hx509_context /*context*/,

diff --git a/source4/heimdal/lib/hx509/ks_p11.c b/source4/heimdal/lib/hx509/ks_p11.c
index b899005b333fbe00a2a4015e8395f13f4e42c14f..e3066bbcfacd7420d0b18b1c27535d4dc08c1163 100644 (file)
--- a/source4/heimdal/lib/hx509/ks_p11.c
+++ b/source4/heimdal/lib/hx509/ks_p11.c
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: ks_p11.c 21085 2007-06-13 06:39:53Z lha $");
+RCSID("$Id: ks_p11.c 21387 2007-06-28 08:53:45Z lha $");
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
 #endif
@@ -1129,8 +1129,17 @@ p11_printinfo(hx509_context context,
                MECHNAME(CKM_RSA_X_509, "rsa-x-509");
                MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
                MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
+               MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
+               MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
+               MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
                MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
                MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
+               MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
+               MECHNAME(CKM_SHA512, "sha512");
+               MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
+               MECHNAME(CKM_SHA384, "sha384");
+               MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
+               MECHNAME(CKM_SHA256, "sha256");
                MECHNAME(CKM_SHA_1, "sha1");
                MECHNAME(CKM_MD5, "md5");
                MECHNAME(CKM_MD2, "md2");

diff --git a/source4/heimdal/lib/hx509/peer.c b/source4/heimdal/lib/hx509/peer.c
index eccedf10433831650c1019f43bed92809324d9c5..e90f8f34b06786485fdcea70b7839e2f5ad640de 100644 (file)
--- a/source4/heimdal/lib/hx509/peer.c
+++ b/source4/heimdal/lib/hx509/peer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: peer.c 20938 2007-06-06 20:51:34Z lha $");
+RCSID("$Id: peer.c 21481 2007-07-10 16:33:23Z lha $");
 
 int
 hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer)
@@ -143,7 +143,7 @@ hx509_peer_info_parse(hx509_peer_info peer,
 
 int
 hx509_peer_info_unparse(hx509_peer_info peer,
-                    heim_octet_string *data)
+                       heim_octet_string *data)
 {
     return 0;
 }

diff --git a/source4/heimdal/lib/hx509/print.c b/source4/heimdal/lib/hx509/print.c
index dc9d4cfa58c5794dfb2b6b559f1f7fdf337dae36..e6f71ea2cebc927cc993f868850dd4d3a8bb5ff4 100644 (file)
--- a/source4/heimdal/lib/hx509/print.c
+++ b/source4/heimdal/lib/hx509/print.c
@@ -32,7 +32,7 @@
  */
 
 #include "hx_locl.h"
-RCSID("$Id: print.c 20908 2007-06-05 02:59:33Z lha $");
+RCSID("$Id: print.c 21381 2007-06-28 08:29:22Z lha $");
 
 
 struct hx509_validate_ctx_data {
@@ -591,11 +591,50 @@ check_proxyCertInfo(hx509_validate_ctx ctx,
                    enum critical_flag cf, 
                    const Extension *e)
 {
+    check_Null(ctx, status, cf, e);
     status->isproxy = 1;
+    return 0;
+}
+
+static int
+check_authorityInfoAccess(hx509_validate_ctx ctx, 
+                         struct cert_status *status,
+                         enum critical_flag cf, 
+                         const Extension *e)
+{
+    AuthorityInfoAccessSyntax aia;
+    size_t size;
+    int ret, i;
+
+    check_Null(ctx, status, cf, e);
+
+    ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data, 
+                                          e->extnValue.length,
+                                          &aia, &size);
+    if (ret) {
+       printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
+       return 0;
+    }
+
+    for (i = 0; i < aia.len; i++) {
+       char *str;
+       validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+                      "\ttype: ");
+       hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
+       hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
+       validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
+                      "\n\tdirname: %s\n", str);
+       free(str);
+    }
+    free_AuthorityInfoAccessSyntax(&aia);
 
     return 0;
 }
 
+/*
+ *
+ */
+
 struct {
     const char *name;
     const heim_oid *(*oid)(void);
@@ -628,8 +667,11 @@ struct {
     { ext(extKeyUsage, Null), D_C },
     { ext(freshestCRL, Null), M_N_C },
     { ext(inhibitAnyPolicy, Null), M_C },
-    { "proxyCertInfo", oid_id_pe_proxyCertInfo, 
-      check_proxyCertInfo, M_C },
+#undef ext
+#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname 
+    { ext(proxyCertInfo, proxyCertInfo), M_C },
+    { ext(authorityInfoAccess, authorityInfoAccess), M_C },
+#undef ext
     { "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim, 
       check_Null, D_C },
     { "Netscape cert comment", oid_id_netscape_cert_comment, 

diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 5be3935f2bbe812df53c726917779db3e5e337ef..59aae40d2896cce50b9d22a3c24c84c128c0fa8c 100644 (file)
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: cache.c 20503 2007-04-21 22:03:56Z lha $");
+RCSID("$Id: cache.c 21498 2007-07-11 09:41:43Z lha $");
 
 /*
  * Add a new ccache type with operations `ops', overwriting any
@@ -338,6 +338,35 @@ _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
     return 0;
 }
 
+/*
+ * Return non-zero if envirnoment that will determine default krb5cc
+ * name has changed.
+ */
+
+static int
+environment_changed(krb5_context context)
+{
+    const char *e;
+
+    if(issuid())
+       return 0;
+
+    e = getenv("KRB5CCNAME");
+    if (e == NULL) {
+       if (context->default_cc_name_env) {
+           free(context->default_cc_name_env);
+           context->default_cc_name_env = NULL;
+           return 1;
+       }
+    } else {
+       if (context->default_cc_name_env == NULL)
+           return 1;
+       if (strcmp(e, context->default_cc_name_env) != 0)
+           return 1;
+    }
+    return 0;
+}
+
 /*
  * Set the default cc name for `context' to `name'.
  */
@@ -353,8 +382,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
 
        if(!issuid()) {
            e = getenv("KRB5CCNAME");
-           if (e)
+           if (e) {
                p = strdup(e);
+               if (context->default_cc_name_env)
+                   free(context->default_cc_name_env);
+               context->default_cc_name_env = strdup(e);
+           }
        }
        if (e == NULL) {
            e = krb5_config_get_string(context, NULL, "libdefaults",
@@ -389,7 +422,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
 const char* KRB5_LIB_FUNCTION
 krb5_cc_default_name(krb5_context context)
 {
-    if (context->default_cc_name == NULL)
+    if (context->default_cc_name == NULL || environment_changed(context))
        krb5_cc_set_default_name(context, NULL);
 
     return context->default_cc_name;

diff --git a/source4/heimdal/lib/krb5/changepw.c b/source4/heimdal/lib/krb5/changepw.c
index 3ceb6df89cabb60b825003ad04e563178274738f..703cf43eb6fb99b6c9a5821f7d57c82a160e580b 100644 (file)
--- a/source4/heimdal/lib/krb5/changepw.c
+++ b/source4/heimdal/lib/krb5/changepw.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: changepw.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $");
 
 static void
 str2data (krb5_data *d,
@@ -46,10 +46,12 @@ str2data (krb5_data *d,
          ...)
 {
     va_list args;
+    char *str;
 
     va_start(args, fmt);
-    d->length = vasprintf ((char **)&d->data, fmt, args);
+    d->length = vasprintf (&str, fmt, args);
     va_end(args);
+    d->data = str;
 }
 
 /*

diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 8a0af23e408f77e05c211dd442047ebf6bcc4d50..7c3f128ae592a7560de6577a390d78bf6d36d559 100644 (file)
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_cred.c 21327 2007-06-26 10:54:15Z lha $");
+RCSID("$Id: get_cred.c 21669 2007-07-22 11:29:13Z lha $");
 
 /*
  * Take the `body' and encode it into `padata' using the credentials
@@ -1224,9 +1224,10 @@ krb5_get_renewed_creds(krb5_context context,
 {
     krb5_error_code ret;
     krb5_kdc_flags flags;
-    krb5_creds in, *template;
+    krb5_creds in, *template, *out = NULL;
 
     memset(&in, 0, sizeof(in));
+    memset(creds, 0, sizeof(*creds));
 
     ret = krb5_copy_principal(context, client, &in.client);
     if (ret)
@@ -1263,9 +1264,14 @@ krb5_get_renewed_creds(krb5_context context,
        krb5_free_creds (context, template);
     }
 
-    ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &creds);
+    ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
     krb5_free_principal(context, in.client);
     krb5_free_principal(context, in.server);
+    if (ret)
+       return ret;
+
+    ret = krb5_copy_creds_contents(context, out, creds);
+    krb5_free_creds(context, out);
 
     return ret;
 }

diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index 5bdf23d97f03e37cf95e0b103648ecc0ecd9051e..bd250cef2bdfd885753ae9c1e3674359d179a478 100644 (file)
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds.c 20541 2007-04-23 12:19:14Z lha $");
+RCSID("$Id: init_creds.c 21712 2007-07-27 14:23:41Z lha $");
 
 void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -225,9 +225,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
        krb5_get_init_creds_opt_set_renew_life(opt, t);
 
     krb5_appdefault_boolean(context, appname, realm, "no-addresses", 
-                           FALSE, &b);
-    if (b)
-       krb5_get_init_creds_opt_set_addressless (context, opt, TRUE);
+                           KRB5_ADDRESSLESS_DEFAULT, &b);
+    krb5_get_init_creds_opt_set_addressless (context, opt, b);
 
 #if 0
     krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);

diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 1676da3bd627ff43b12154387c921b2a755c13ef..0043b5ef3c1d45744eb82cdd9b18d02156da7a31 100644 (file)
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds_pw.c 21061 2007-06-12 17:56:30Z lha $");
+RCSID("$Id: init_creds_pw.c 21428 2007-07-10 12:31:58Z lha $");
 
 typedef struct krb5_get_init_creds_ctx {
     KDCOptions flags;

diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index a551c42ecd1dfed3b7f9e9fbad58f64be8bcd572..9a84dde61a71ac0c3268b0aef3f7077c2da9db0c 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -383,7 +383,7 @@ _krb5_pk_verify_sign (
 krb5_error_code
 _krb5_plugin_find (
        krb5_context /*context*/,
-       enum plugin_type /*type*/,
+       enum krb5_plugin_type /*type*/,
        const char */*name*/,
        struct krb5_plugin **/*list*/);
 
@@ -399,7 +399,7 @@ _krb5_plugin_get_symbol (struct krb5_plugin */*p*/);
 krb5_error_code
 _krb5_plugin_register (
        krb5_context /*context*/,
-       enum plugin_type /*type*/,
+       enum krb5_plugin_type /*type*/,
        const char */*name*/,
        void */*symbol*/);
 

diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 058496434e067e390805cd64e126d693ed9657b9..740b394be8acadad59e45349b851482240b927ee 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -2243,14 +2243,6 @@ krb5_get_pw_salt (
        krb5_const_principal /*principal*/,
        krb5_salt */*salt*/);
 
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_get_renewed_creds (
-       krb5_context /*context*/,
-       krb5_creds */*creds*/,
-       krb5_const_principal /*client*/,
-       krb5_ccache /*ccache*/,
-       const char */*in_tkt_service*/);
-
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_server_rcache (
        krb5_context /*context*/,

diff --git a/source4/heimdal/lib/krb5/krb5-v4compat.h b/source4/heimdal/lib/krb5/krb5-v4compat.h
index 2ea534cfe3a512f82fe3a48841f4fa81480add6e..dfd7e944607f566bb0a2d4ad64644e25b3f12b9f 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5-v4compat.h
+++ b/source4/heimdal/lib/krb5/krb5-v4compat.h
@@ -31,11 +31,13 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5-v4compat.h 17442 2006-05-05 09:31:15Z lha $ */
+/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
 
 #ifndef __KRB5_V4COMPAT_H__
 #define __KRB5_V4COMPAT_H__
 
+#include "krb_err.h"
+
 /* 
  * This file must only be included with v4 compat glue stuff in
  * heimdal sources.
@@ -57,56 +59,10 @@
 #define                AUTH_MSG_KDC_RENEW                      (10<<1)
 #define        AUTH_MSG_DIE                            (63<<1)
 
-/* values for kerb error codes */
-
-#define                KERB_ERR_OK                              0
-#define                KERB_ERR_NAME_EXP                        1
-#define                KERB_ERR_SERVICE_EXP                     2
-#define                KERB_ERR_AUTH_EXP                        3
-#define                KERB_ERR_PKT_VER                         4
-#define                KERB_ERR_NAME_MAST_KEY_VER               5
-#define                KERB_ERR_SERV_MAST_KEY_VER               6
-#define                KERB_ERR_BYTE_ORDER                      7
-#define                KERB_ERR_PRINCIPAL_UNKNOWN               8
-#define                KERB_ERR_PRINCIPAL_NOT_UNIQUE            9
-#define                KERB_ERR_NULL_KEY                       10
-#define                KERB_ERR_TIMEOUT                        11
-
-
-/* Error codes returned from the KDC */
-#define                KDC_OK          0       /* Request OK */
-#define                KDC_NAME_EXP    1       /* Principal expired */
-#define                KDC_SERVICE_EXP 2       /* Service expired */
-#define                KDC_AUTH_EXP    3       /* Auth expired */
-#define                KDC_PKT_VER     4       /* Protocol version unknown */
-#define                KDC_P_MKEY_VER  5       /* Wrong master key version */
-#define                KDC_S_MKEY_VER  6       /* Wrong master key version */
-#define                KDC_BYTE_ORDER  7       /* Byte order unknown */
-#define                KDC_PR_UNKNOWN  8       /* Principal unknown */
-#define                KDC_PR_N_UNIQUE 9       /* Principal not unique */
-#define                KDC_NULL_KEY   10       /* Principal has null key */
-#define                KDC_GEN_ERR    20       /* Generic error from KDC */
-
 /* General definitions */
 #define                KSUCCESS        0
 #define                KFAILURE        255
 
-/* Values returned by rd_ap_req */
-#define                RD_AP_OK        0       /* Request authentic */
-#define                RD_AP_UNDEC    31       /* Can't decode authenticator */
-#define                RD_AP_EXP      32       /* Ticket expired */
-#define                RD_AP_NYV      33       /* Ticket not yet valid */
-#define                RD_AP_REPEAT   34       /* Repeated request */
-#define                RD_AP_NOT_US   35       /* The ticket isn't for us */
-#define                RD_AP_INCON    36       /* Request is inconsistent */
-#define                RD_AP_TIME     37       /* delta_t too big */
-#define                RD_AP_BADD     38       /* Incorrect net address */
-#define                RD_AP_VERSION  39       /* protocol version mismatch */
-#define                RD_AP_MSG_TYPE 40       /* invalid msg type */
-#define                RD_AP_MODIFIED 41       /* message stream modified */
-#define                RD_AP_ORDER    42       /* message out of order */
-#define                RD_AP_UNAUTHOR 43       /* unauthorized request */
-
 /* */
 
 #define                MAX_KTXT_LEN    1250

diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 345fe70764f6069c2c3c0b2b8bd3a17c5aa32bfe..4f9a63bf0549566ef20ef466051f3e869c9547d8 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h 21252 2007-06-21 04:18:28Z lha $ */
+/* $Id: krb5.h 21551 2007-07-15 09:03:39Z lha $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__
@@ -436,11 +436,6 @@ typedef struct krb5_config_binding krb5_config_binding;
 
 typedef krb5_config_binding krb5_config_section;
 
-enum {
-    KRB5_PKINIT_WIN2K          = 1,    /* wire compatible with Windows 2k */
-    KRB5_PKINIT_PACKET_CABLE   = 2     /* use packet cable standard */
-};
-
 typedef struct krb5_ticket {
     EncTicketPart ticket;
     krb5_principal client;
@@ -766,6 +761,12 @@ typedef struct krb5_sendto_ctx *krb5_sendto_ctx;
 
 typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
 
+struct krb5_plugin;
+enum krb5_plugin_type {
+    PLUGIN_TYPE_DATA = 1,
+    PLUGIN_TYPE_FUNC
+};
+
 struct credentials; /* this is to keep the compiler happy */
 struct getargs;
 struct sockaddr;

diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 87169fc43078db6899828a0ddadda3cf3ec4aa37..b41e6e1182eea180d0a788ba333d0e83bcc324aa 100644 (file)
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5_locl.h 20261 2007-02-18 00:32:22Z lha $ */
+/* $Id: krb5_locl.h 21552 2007-07-15 09:04:00Z lha $ */
 
 #ifndef __KRB5_LOCL_H__
 #define __KRB5_LOCL_H__
@@ -148,12 +148,6 @@ struct krb5_dh_moduli;
 /* v4 glue */
 struct _krb5_krb_auth_data;
 
-struct krb5_plugin;
-enum plugin_type {
-    PLUGIN_TYPE_DATA = 1,
-    PLUGIN_TYPE_FUNC
-};
-
 #include <der.h>
 
 #include <krb5.h>
@@ -236,7 +230,7 @@ typedef struct krb5_context_data {
     char error_buf[256];
     krb5_addresses *ignore_addresses;
     char *default_cc_name;
-    int pkinit_flags;
+    char *default_cc_name_env;
     void *mutex;                       /* protects error_string/error_buf */
     int large_msg_size;
     int dns_canonicalize_hostname;

diff --git a/source4/heimdal/lib/krb5/krb_err.et b/source4/heimdal/lib/krb5/krb_err.et
new file mode 100644 (file)
index 0000000..f7dbb6c
--- /dev/null
+++ b/source4/heimdal/lib/krb5/krb_err.et
@@ -0,0 +1,63 @@
+#
+# Error messages for the krb4 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $"
+
+error_table krb
+
+prefix KRB4ET
+ec KSUCCESS,           "Kerberos 4 successful"
+ec KDC_NAME_EXP,       "Kerberos 4 principal expired"
+ec KDC_SERVICE_EXP,    "Kerberos 4 service expired"
+ec KDC_AUTH_EXP,       "Kerberos 4 auth expired"
+ec KDC_PKT_VER,                "Incorrect Kerberos 4 master key version"
+ec KDC_P_MKEY_VER,     "Incorrect Kerberos 4 master key version"
+ec KDC_S_MKEY_VER,     "Incorrect Kerberos 4 master key version"
+ec KDC_BYTE_ORDER,     "Kerberos 4 byte order unknown"
+ec KDC_PR_UNKNOWN,     "Kerberos 4 principal unknown"
+ec KDC_PR_N_UNIQUE,    "Kerberos 4 principal not unique"
+ec KDC_NULL_KEY,       "Kerberos 4 principal has null key"
+index 20
+ec KDC_GEN_ERR,                "Generic error from KDC (Kerberos 4)"
+ec GC_TKFIL,           "Can't read Kerberos 4 ticket file"
+ec GC_NOTKT,           "Can't find Kerberos 4 ticket or TGT"
+index 26
+ec MK_AP_TGTEXP,       "Kerberos 4 TGT Expired"
+index 31
+ec RD_AP_UNDEC,                "Kerberos 4: Can't decode authenticator"
+ec RD_AP_EXP,          "Kerberos 4 ticket expired"
+ec RD_AP_NYV,          "Kerberos 4 ticket not yet valid"
+ec RD_AP_REPEAT,       "Kerberos 4: Repeated request"
+ec RD_AP_NOT_US,       "The Kerberos 4 ticket isn't for us"
+ec RD_AP_INCON,                "Kerberos 4 request inconsistent"
+ec RD_AP_TIME,         "Kerberos 4: delta_t too big"
+ec RD_AP_BADD,         "Kerberos 4: incorrect net address"
+ec RD_AP_VERSION,      "Kerberos protocol not version 4"
+ec RD_AP_MSG_TYPE,     "Kerberos 4: invalid msg type"
+ec RD_AP_MODIFIED,     "Kerberos 4: message stream modified"
+ec RD_AP_ORDER,                "Kerberos 4: message out of order"
+ec RD_AP_UNAUTHOR,     "Kerberos 4: unauthorized request"
+index 51
+ec GT_PW_NULL,         "Kerberos 4: current PW is null"
+ec GT_PW_BADPW,                "Kerberos 4: Incorrect current password"
+ec GT_PW_PROT,         "Kerberos 4 protocol error"
+ec GT_PW_KDCERR,       "Error returned by KDC (Kerberos 4)"
+ec GT_PW_NULLTKT,      "Null Kerberos 4 ticket returned by KDC"
+ec SKDC_RETRY,         "Kerberos 4: Retry count exceeded"
+ec SKDC_CANT,          "Kerberos 4: Can't send request"
+index 61
+ec INTK_W_NOTALL,      "Kerberos 4: not all tickets returned"
+ec INTK_BADPW,         "Kerberos 4: incorrect password"
+ec INTK_PROT,          "Kerberos 4: Protocol Error"
+index 70
+ec INTK_ERR,           "Other error in Kerberos 4"
+ec AD_NOTGT,           "Don't have Kerberos 4 ticket-granting ticket"
+index 76
+ec NO_TKT_FIL,         "No Kerberos 4 ticket file found"
+ec TKT_FIL_ACC,                "Couldn't access Kerberos 4 ticket file"
+ec TKT_FIL_LCK,                "Couldn't lock Kerberos 4 ticket file"
+ec TKT_FIL_FMT,                "Bad Kerberos 4 ticket file format"
+ec TKT_FIL_INI,                "Kerberos 4: tf_init not called first"
+ec KNAME_FMT,          "Bad Kerberos 4 name format"

diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index 69b52dd808c296f7b6423a60130d99093df7a95b..094fd4f9c64d9e88f596bbcdbf1526c25030f5f8 100644 (file)
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -35,7 +35,7 @@
 #include <resolve.h>
 #include "locate_plugin.h"
 
-RCSID("$Id: krbhst.c 21131 2007-06-18 20:48:09Z lha $");
+RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $");
 
 static int
 string_to_proto(const char *string)
@@ -919,8 +919,10 @@ gethostlist(krb5_context context, const char *realm,
 
     while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
        nhost++;
-    if(nhost == 0)
+    if(nhost == 0) {
+       krb5_set_error_string(context, "No KDC found for realm %s", realm);
        return KRB5_KDC_UNREACH;
+    }
     *hostlist = calloc(nhost + 1, sizeof(**hostlist));
     if(*hostlist == NULL) {
        krb5_krbhst_free(context, handle);

diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 105cab554d86814af483afb2450dd6522366dc8c..c8587770f4ca3096c114ccd58f1a91ab71b228ce 100755 (executable)
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: pkinit.c 21321 2007-06-26 05:21:56Z lha $");
+RCSID("$Id: pkinit.c 21684 2007-07-23 23:09:10Z lha $");
 
 struct krb5_dh_moduli {
     char *name;
@@ -645,8 +645,6 @@ _krb5_pk_mk_padata(krb5_context context,
                                                req_body->realm,
                                                "pkinit_win2k",
                                                NULL);
-    if (context->pkinit_flags & KRB5_PKINIT_WIN2K)
-       win2k_compat = 1;
 
     if (win2k_compat) {
        ctx->require_binding = 
@@ -1721,7 +1719,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
     free(moduli);
 }
 
-static const char *default_moduli =
+static const char *default_moduli_RFC2412_MODP_group2 =
     /* name */
     "RFC2412-MODP-group2 "
     /* bits */
@@ -1743,6 +1741,37 @@ static const char *default_moduli =
     "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
     "FFFFFFFF" "FFFFFFFF";
 
+static const char *default_moduli_rfc3526_MODP_group14 =
+    /* name */
+    "rfc3526-MODP-group14 "
+    /* bits */
+    "1760 "
+    /* p */
+    "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
+    "29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
+    "EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
+    "E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
+    "EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
+    "C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
+    "83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
+    "670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
+    "E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
+    "DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
+    "15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
+    /* g */
+    "02 "
+    /* q */
+    "7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
+    "94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
+    "F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
+    "F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
+    "F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
+    "E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
+    "C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
+    "B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
+    "F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
+    "EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
+    "0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
 
 krb5_error_code
 _krb5_parse_moduli(krb5_context context, const char *file,
@@ -1757,19 +1786,28 @@ _krb5_parse_moduli(krb5_context context, const char *file,
 
     *moduli = NULL;
 
-    m = calloc(1, sizeof(m[0]) * 2);
+    m = calloc(1, sizeof(m[0]) * 3);
     if (m == NULL) {
        krb5_set_error_string(context, "malloc: out of memory");
        return ENOMEM;
     }
 
-    strlcpy(buf, default_moduli, sizeof(buf));
+    strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
     ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[0]);
     if (ret) {
        _krb5_free_moduli(m);
        return ret;
     }
-    n = 1;
+    n++;
+
+    strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
+    ret = _krb5_parse_moduli_line(context, "builtin", 1, buf,  &m[1]);
+    if (ret) {
+       _krb5_free_moduli(m);
+       return ret;
+    }
+    n++;
+
 
     if (file == NULL)
        file = MODULI_FILE;

diff --git a/source4/heimdal/lib/krb5/plugin.c b/source4/heimdal/lib/krb5/plugin.c
index 68317a12c0d2594dc6e46a6aeecf1b9a0ac17097..43fa3f5b45a385058358bdc0f53f7800a7977e40 100644 (file)
--- a/source4/heimdal/lib/krb5/plugin.c
+++ b/source4/heimdal/lib/krb5/plugin.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: plugin.c 21134 2007-06-18 21:02:23Z lha $");
+RCSID("$Id: plugin.c 21702 2007-07-26 19:13:53Z lha $");
 #ifdef HAVE_DLFCN_H
 #include <dlfcn.h>
 #endif
@@ -45,7 +45,7 @@ struct krb5_plugin {
 };
 
 struct plugin {
-    enum plugin_type type;
+    enum krb5_plugin_type type;
     void *name;
     void *symbol;
     struct plugin *next;
@@ -76,9 +76,11 @@ _krb5_plugin_get_next(struct krb5_plugin *p)
  *
  */
 
+#ifdef HAVE_DLOPEN
+
 static krb5_error_code
 loadlib(krb5_context context,
-       enum plugin_type type,
+       enum krb5_plugin_type type,
        const char *name,
        const char *lib,
        struct krb5_plugin **e)
@@ -113,10 +115,11 @@ loadlib(krb5_context context,
 
     return 0;
 }
+#endif /* HAVE_DLOPEN */
 
 krb5_error_code
 _krb5_plugin_register(krb5_context context,
-                     enum plugin_type type,
+                     enum krb5_plugin_type type,
                      const char *name, 
                      void *symbol)
 {
@@ -146,7 +149,7 @@ _krb5_plugin_register(krb5_context context,
 
 krb5_error_code
 _krb5_plugin_find(krb5_context context,
-                 enum plugin_type type,
+                 enum krb5_plugin_type type,
                  const char *name, 
                  struct krb5_plugin **list)
 {
@@ -181,6 +184,8 @@ _krb5_plugin_find(krb5_context context,
     }
     HEIMDAL_MUTEX_unlock(&plugin_mutex);
 
+#ifdef HAVE_DLOPEN
+
     dirs = krb5_config_get_strings(context, NULL, "libdefaults", 
                                   "plugin_dir", NULL);
     if (dirs == NULL) {
@@ -213,6 +218,7 @@ _krb5_plugin_find(krb5_context context,
     }
     if (dirs != sysdirs)
        krb5_config_free_strings(dirs);
+#endif /* HAVE_DLOPEN */
 
     if (*list == NULL) {
        krb5_set_error_string(context, "Did not find a plugin for %s", name);

diff --git a/source4/heimdal/lib/krb5/rd_priv.c b/source4/heimdal/lib/krb5/rd_priv.c
index d3920dd941739cb9fe5cdc86bd074d4d50737426..47b5df85b23b052ceb4be4201b2bfd440e12ab31 100644 (file)
--- a/source4/heimdal/lib/krb5/rd_priv.c
+++ b/source4/heimdal/lib/krb5/rd_priv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_priv.c 17056 2006-04-12 16:18:10Z lha $");
+RCSID("$Id: rd_priv.c 21770 2007-08-01 04:04:33Z lha $");
 
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_priv(krb5_context context,
@@ -55,13 +55,17 @@ krb5_rd_priv(krb5_context context,
 
     if ((auth_context->flags & 
         (KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
-       outdata == NULL)
+       outdata == NULL) {
+       krb5_clear_error_string (context);
        return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
+    }
 
     memset(&priv, 0, sizeof(priv));
     ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
-    if (ret) 
+    if (ret) {
+       krb5_clear_error_string (context);
        goto failure;
+    }
     if (priv.pvno != 5) {
        krb5_clear_error_string (context);
        ret = KRB5KRB_AP_ERR_BADVERSION;
@@ -94,8 +98,10 @@ krb5_rd_priv(krb5_context context,
 
     ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
     krb5_data_free (&plain);
-    if (ret) 
+    if (ret) {
+       krb5_clear_error_string (context);
        goto failure;
+    }
   
     /* check sender address */
 

diff --git a/source4/heimdal/lib/krb5/v4_glue.c b/source4/heimdal/lib/krb5/v4_glue.c
index d42fbec3a50fe751a3f8d0ddb6a4698717f1592f..3f99df6391c4647d108519293667df588cdeb976 100644 (file)
--- a/source4/heimdal/lib/krb5/v4_glue.c
+++ b/source4/heimdal/lib/krb5/v4_glue.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: v4_glue.c 17442 2006-05-05 09:31:15Z lha $");
+RCSID("$Id: v4_glue.c 21572 2007-07-16 05:13:08Z lha $");
 
 #include "krb5-v4compat.h"
 
@@ -351,12 +351,12 @@ storage_to_etext(krb5_context context,
 
     size = krb5_storage_seek(sp, 0, SEEK_END);
     if (size < 0)
-       return EINVAL;
+       return KRB4ET_RD_AP_UNDEC;
     size = 8 - (size & 7);
 
     ret = krb5_storage_write(sp, eightzeros, size);
     if (ret != size)
-       return EINVAL;
+       return KRB4ET_RD_AP_UNDEC;
 
     ret = krb5_storage_to_data(sp, &data);
     if (ret)
@@ -435,7 +435,7 @@ _krb5_krb_create_ticket(krb5_context context,
                             session->keyvalue.data, 
                             session->keyvalue.length);
     if (ret != session->keyvalue.length) {
-       ret = EINVAL;
+       ret = KRB4ET_INTK_PROT;
        goto error;
     }
 
@@ -487,7 +487,7 @@ _krb5_krb_create_ciph(krb5_context context,
                             session->keyvalue.data, 
                             session->keyvalue.length);
     if (ret != session->keyvalue.length) {
-       ret = EINVAL;
+       ret = KRB4ET_INTK_PROT;
        goto error;
     }
 
@@ -497,7 +497,7 @@ _krb5_krb_create_ciph(krb5_context context,
     RCHECK(ret, krb5_store_int8(sp, ticket->length), error);
     ret = krb5_storage_write(sp, ticket->data, ticket->length);
     if (ret != ticket->length) {
-       ret = EINVAL;
+       ret = KRB4ET_INTK_PROT;
        goto error;
     }
     RCHECK(ret, krb5_store_int32(sp, kdc_time), error);
@@ -550,7 +550,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
     RCHECK(ret, krb5_store_int16(sp, cipher->length), error);
     ret = krb5_storage_write(sp, cipher->data, cipher->length);
     if (ret != cipher->length) {
-       ret = EINVAL;
+       ret = KRB4ET_INTK_PROT;
        goto error;
     }
 
@@ -599,6 +599,9 @@ _krb5_krb_cr_err_reply(krb5_context context,
     RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
     RCHECK(ret, put_nir(sp, name, inst, realm), error);
     RCHECK(ret, krb5_store_int32(sp, time_ws), error);
+    /* If its a Kerberos 4 error-code, remove the et BASE */
+    if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
+       e -= ERROR_TABLE_BASE_krb;
     RCHECK(ret, krb5_store_int32(sp, e), error);
     RCHECK(ret, krb5_store_stringz(sp, e_string), error);
 
@@ -623,7 +626,7 @@ get_v4_stringz(krb5_storage *sp, char **str, size_t max_len)
     if (strlen(*str) > max_len) {
        free(*str);
        *str = NULL;
-       return EINVAL;
+       return KRB4ET_INTK_PROT;
     }
     return 0;
 }
@@ -662,7 +665,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
        return ENOMEM;
     }
 
-    krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
+    krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
 
     RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error);
     RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
@@ -672,7 +675,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
        
     size = krb5_storage_read(sp, des_key, sizeof(des_key));
     if (size != sizeof(des_key)) {
-       ret = EINVAL; /* XXX */
+       ret = KRB4ET_INTK_PROT;
        goto error;
     }
 
@@ -770,26 +773,32 @@ _krb5_krb_rd_req(krb5_context context,
        return ENOMEM;
     }
 
-    krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
+    krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
 
     ret = krb5_ret_int8(sp, &pvno);
-    if (ret)
+    if (ret) {
+       krb5_set_error_string(context, "Failed reading v4 pvno");
        goto error;
+    }
 
     if (pvno != KRB_PROT_VERSION) {
-       ret = EINVAL; /* XXX */
+       ret = KRB4ET_RD_AP_VERSION;
+       krb5_set_error_string(context, "Failed v4 pvno not 4");
        goto error;
     }
 
     ret = krb5_ret_int8(sp, &type);
-    if (ret)
+    if (ret) {
+       krb5_set_error_string(context, "Failed readin v4 type");
        goto error;
+    }
 
     little_endian = type & 1;
     type &= ~1;
     
     if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) {
-       ret = EINVAL; /* RD_AP_MSG_TYPE */
+       ret = KRB4ET_RD_AP_MSG_TYPE;
+       krb5_set_error_string(context, "Not a valid v4 request type");
        goto error;
     }
 
@@ -801,7 +810,8 @@ _krb5_krb_rd_req(krb5_context context,
 
     size = krb5_storage_read(sp, ticket.data, ticket.length);
     if (size != ticket.length) {
-       ret = EINVAL;
+       ret = KRB4ET_INTK_PROT;
+       krb5_set_error_string(context, "Failed reading v4 ticket");
        goto error;
     }
 
@@ -815,7 +825,8 @@ _krb5_krb_rd_req(krb5_context context,
 
     size = krb5_storage_read(sp, eaut.data, eaut.length);
     if (size != eaut.length) {
-       ret = EINVAL;
+       ret = KRB4ET_INTK_PROT;
+       krb5_set_error_string(context, "Failed reading v4 authenticator");
        goto error;
     }
 
@@ -828,8 +839,8 @@ _krb5_krb_rd_req(krb5_context context,
 
     sp = krb5_storage_from_data(&aut);
     if (sp == NULL) {
-       krb5_set_error_string(context, "alloc: out of memory");
        ret = ENOMEM;
+       krb5_set_error_string(context, "alloc: out of memory");
        goto error;
     }
 
@@ -849,19 +860,22 @@ _krb5_krb_rd_req(krb5_context context,
     if (strcmp(ad->pname, r_name) != 0 ||
        strcmp(ad->pinst, r_instance) != 0 ||
        strcmp(ad->prealm, r_realm) != 0) {
-       ret = EINVAL; /* RD_AP_INCON */
+       krb5_set_error_string(context, "v4 principal mismatch");
+       ret = KRB4ET_RD_AP_INCON;
        goto error;
     }
     
-    if (from_addr && from_addr != ad->address) {
-       ret = EINVAL; /* RD_AP_BADD */
+    if (from_addr && ad->address && from_addr != ad->address) {
+       krb5_set_error_string(context, "v4 bad address in ticket");
+       ret = KRB4ET_RD_AP_BADD;
        goto error;
     }
 
     gettimeofday(&tv, NULL);
     delta_t = abs((int)(tv.tv_sec - r_time_sec));
     if (delta_t > CLOCK_SKEW) {
-        ret = EINVAL; /* RD_AP_TIME */
+        ret = KRB4ET_RD_AP_TIME;
+       krb5_set_error_string(context, "v4 clock skew");
        goto error;
     }
 
@@ -870,12 +884,14 @@ _krb5_krb_rd_req(krb5_context context,
     tkt_age = tv.tv_sec - ad->time_sec;
     
     if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) {
-        ret = EINVAL; /* RD_AP_NYV */
+        ret = KRB4ET_RD_AP_NYV;
+       krb5_set_error_string(context, "v4 clock skew for expiration");
        goto error;
     }
 
     if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) {
-       ret = EINVAL; /* RD_AP_EXP */
+       ret = KRB4ET_RD_AP_EXP;
+       krb5_set_error_string(context, "v4 ticket expired");
        goto error;
     }
 

diff --git a/source4/heimdal/lib/ntlm/ntlm.c b/source4/heimdal/lib/ntlm/ntlm.c
index 1961c7fa22f09b9f5c199175ee0c851bf12dd07f..671bf329e86c36f7157037547b3fef1e737dea2f 100644 (file)
--- a/source4/heimdal/lib/ntlm/ntlm.c
+++ b/source4/heimdal/lib/ntlm/ntlm.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: ntlm.c 21317 2007-06-25 19:22:02Z lha $");
+RCSID("$Id: ntlm.c 21604 2007-07-17 06:48:55Z lha $");
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -1105,7 +1105,7 @@ heim_ntlm_verify_ntlm2(const void *key, size_t len,
     HMAC_CTX_init(&c);
     HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
     HMAC_Update(&c, serverchallange, 8);
-    HMAC_Update(&c, ((char *)answer->data) + 16, answer->length - 16);
+    HMAC_Update(&c, ((unsigned char *)answer->data) + 16, answer->length - 16);
     HMAC_Final(&c, serveranswer, &hmaclen);
     HMAC_CTX_cleanup(&c);
 

diff --git a/source4/heimdal_build/config.mk b/source4/heimdal_build/config.mk
index 73187c31dcb2f2488b5ddd53df5bcb2eebaf44c1..940d9cdb9ce6b958cab916669cb2f90f3c92a7bc 100644 (file)
--- a/source4/heimdal_build/config.mk
+++ b/source4/heimdal_build/config.mk
@@ -259,7 +259,8 @@ OBJ_FILES = \
        ../heimdal/lib/krb5/warn.o \
        ../heimdal/lib/krb5/krb5_err.o \
        ../heimdal/lib/krb5/heim_err.o \
-       ../heimdal/lib/krb5/k524_err.o
+       ../heimdal/lib/krb5/k524_err.o \
+       ../heimdal/lib/krb5/krb_err.o
 # End SUBSYSTEM HEIMDAL_KRB5
 #######################
 
@@ -568,10 +569,15 @@ include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/CMS.asn1 cms_asn1 hei
 include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/ocsp.asn1 ocsp_asn1 heimdal/lib/hx509 --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData|
 include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/kx509.asn1 kx509_asn1 heimdal/lib/asn1|
 include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/pkcs10.asn1 pkcs10_asn1 heimdal/lib/hx509 --preserve-binary=CertificationRequestInfo|
+
+#
+# Ensure to update ../static_deps.mk when you add a new entry here!
+#
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/asn1/asn1_err.et heimdal/lib/asn1|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/hdb/hdb_err.et heimdal/lib/hdb|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/heim_err.et heimdal/lib/krb5|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/k524_err.et heimdal/lib/krb5|
+include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb_err.et heimdal/lib/krb5|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb5_err.et heimdal/lib/krb5|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/gssapi/krb5/gkrb5_err.et heimdal/lib/gssapi|
 include perl_path_wrapper.sh et_deps.pl heimdal/lib/hx509/hx509_err.et heimdal/lib/hx509|

diff --git a/source4/static_deps.mk b/source4/static_deps.mk
index 34bb1263c19becd41a6fcf6e8b0f4c069c907723..1c9173b32c6544f2ee42190f135ef34223db1e97 100644 (file)
--- a/source4/static_deps.mk
+++ b/source4/static_deps.mk
@@ -35,6 +35,7 @@ heimdal_basics: \
        heimdal/lib/hdb/hdb_err.h \
        heimdal/lib/krb5/heim_err.h \
        heimdal/lib/krb5/k524_err.h \
+       heimdal/lib/krb5/krb_err.h \
        heimdal/lib/krb5/krb5_err.h \
        heimdal/lib/gssapi/gkrb5_err.h \
        heimdal/lib/hx509/hx509_err.h