r16100: Patch from Michael Wood <mwood@icts.uct.ac.za>: s/then/than/ for correct...

[kai/samba.git] / source / heimdal / lib / krb5 / init_creds_pw.c

diff --git a/source/heimdal/lib/krb5/init_creds_pw.c b/source/heimdal/lib/krb5/init_creds_pw.c
index 8b3975f418085bd4c196bf0a352878b9f2e07148..c05386ec238cdf39868fb31151b765bdcc81b9ba 100644 (file)
--- a/source/heimdal/lib/krb5/init_creds_pw.c
+++ b/source/heimdal/lib/krb5/init_creds_pw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds_pw.c,v 1.87 2005/06/17 04:15:20 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.94 2006/04/24 08:49:08 lha Exp $");
 
 typedef struct krb5_get_init_creds_ctx {
     krb5_kdc_flags flags;
@@ -45,6 +45,7 @@ typedef struct krb5_get_init_creds_ctx {
     unsigned nonce;
     unsigned pk_nonce;
 
+    krb5_data req_buffer;
     AS_REQ as_req;
     int pa_counter;
 
@@ -78,8 +79,10 @@ default_s2k_func(krb5_context context, krb5_enctype type,
        return ENOMEM;
     ret = krb5_string_to_key_data_salt_opaque(context, type, password,
                                              salt, opaque, *key);
-    if (ret)
+    if (ret) {
        free(*key);
+       *key = NULL;
+    }
     return ret;
 }
 
@@ -274,11 +277,11 @@ get_init_creds_common(krb5_context context,
        options = &default_opt;
     }
 
-    if (options->private) {
-       ctx->password = options->private->password;
-       ctx->key_proc = options->private->key_proc;
-       ctx->req_pac = options->private->req_pac;
-       ctx->pk_init_ctx = options->private->pk_init_ctx;
+    if (options->opt_private) {
+       ctx->password = options->opt_private->password;
+       ctx->key_proc = options->opt_private->key_proc;
+       ctx->req_pac = options->opt_private->req_pac;
+       ctx->pk_init_ctx = options->opt_private->pk_init_ctx;
     } else
        ctx->req_pac = KRB5_PA_PAC_DONT_CARE;
 
@@ -544,23 +547,14 @@ init_creds_init_as_req (krb5_context context,
        krb5_set_error_string(context, "malloc: out of memory");
        goto fail;
     }
-    if (creds->client) {
-       ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
-       if (ret)
-           goto fail;
-       ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
-       if (ret)
-           goto fail;
-    } else {
-       krb5_realm realm;
 
-       a->req_body.cname = NULL;
-       ret = krb5_get_default_realm(context, &realm);
-       if (ret)
-           goto fail;
-       ret = copy_Realm(&realm, &a->req_body.realm);
-       free(realm);
-    }
+    ret = _krb5_principal2principalname (a->req_body.cname, creds->client);
+    if (ret)
+       goto fail;
+    ret = copy_Realm(&creds->client->realm, &a->req_body.realm);
+    if (ret)
+       goto fail;
+
     ret = _krb5_principal2principalname (a->req_body.sname, creds->server);
     if (ret)
        goto fail;
@@ -1013,10 +1007,10 @@ pa_data_to_md_pkinit(krb5_context context,
        return 0;
 #ifdef PKINIT
     return _krb5_pk_mk_padata(context,
-                             ctx->pk_init_ctx,
-                             &a->req_body,
-                             ctx->pk_nonce,
-                             md);
+                            ctx->pk_init_ctx,
+                            &a->req_body,
+                            ctx->pk_nonce,
+                            md);
 #else
     krb5_set_error_string(context, "no support for PKINIT compiled in");
     return EINVAL;
@@ -1113,6 +1107,7 @@ process_pa_data_to_key(krb5_context context,
                       krb5_creds *creds,
                       AS_REQ *a,
                       krb5_kdc_rep *rep,
+                      const krb5_krbhst_info *hi,
                       krb5_keyblock **key)
 {
     struct pa_info_data paid, *ppaid = NULL;
@@ -1155,9 +1150,12 @@ process_pa_data_to_key(krb5_context context,
     if (pa && ctx->pk_init_ctx) {
 #ifdef PKINIT
        ret = _krb5_pk_rd_pa_reply(context,
+                                  a->req_body.realm,
                                   ctx->pk_init_ctx,
                                   etype,
+                                  hi,
                                   ctx->pk_nonce,
+                                  &ctx->req_buffer,
                                   pa,
                                   key);
 #else
@@ -1192,6 +1190,8 @@ init_cred_loop(krb5_context context,
     size_t len;
     size_t size;
     int send_to_kdc_flags = 0;
+    krb5_krbhst_info *hi = NULL;
+
 
     memset(&md, 0, sizeof(md));
     memset(&rep, 0, sizeof(rep));
@@ -1211,14 +1211,13 @@ init_cred_loop(krb5_context context,
     ctx->pk_nonce = ctx->nonce;
 
     /*
-     * Increase counter when we want other pre-auth types then
+     * Increase counter when we want other pre-auth types than
      * KRB5_PA_ENC_TIMESTAMP.
      */
 #define MAX_PA_COUNTER 3 
 
     ctx->pa_counter = 0;
     while (ctx->pa_counter < MAX_PA_COUNTER) {
-       krb5_data req;
 
        ctx->pa_counter++;
 
@@ -1237,17 +1236,20 @@ init_cred_loop(krb5_context context,
                                    prompter, prompter_data);
        if (ret)
            goto out;
-       ASN1_MALLOC_ENCODE(AS_REQ, req.data, req.length, 
+
+       krb5_data_free(&ctx->req_buffer);
+
+       ASN1_MALLOC_ENCODE(AS_REQ, 
+                          ctx->req_buffer.data, ctx->req_buffer.length, 
                           &ctx->as_req, &len, ret);
        if (ret)
            goto out;
-       if(len != req.length)
+       if(len != ctx->req_buffer.length)
            krb5_abortx(context, "internal error in ASN.1 encoder");
 
-       ret = krb5_sendto_kdc_flags (context, &req, 
+       ret = krb5_sendto_kdc_flags (context, &ctx->req_buffer, 
                                     &creds->client->realm, &resp,
                                     send_to_kdc_flags);
-       krb5_data_free(&req);
        if (ret)
            goto out;
 
@@ -1317,7 +1319,7 @@ init_cred_loop(krb5_context context,
        krb5_keyblock *key = NULL;
 
        ret = process_pa_data_to_key(context, ctx, creds, 
-                                    &ctx->as_req, &rep, &key);
+                                    &ctx->as_req, &rep, hi, &key);
        if (ret)
            goto out;
        
@@ -1336,6 +1338,7 @@ init_cred_loop(krb5_context context,
        krb5_free_keyblock(context, key);
     }
 out:
+    krb5_data_free(&ctx->req_buffer);
     free_METHOD_DATA(&md);
     memset(&md, 0, sizeof(md));
 
@@ -1388,7 +1391,7 @@ krb5_get_init_creds(krb5_context context,
        case KRB5KDC_ERR_KEY_EXPIRED :
            /* try to avoid recursion */
 
-           /* don't try to change password where then where none */
+           /* don't try to change password where there where none */
            if (prompter == NULL || ctx.password == NULL)
                goto out;
 
@@ -1457,8 +1460,8 @@ krb5_get_init_creds_password(krb5_context context,
        return ret;
 
     if (password == NULL &&
-       options->private->password == NULL &&
-       options->private->pk_init_ctx == NULL)
+       options->opt_private->password == NULL &&
+       options->opt_private->pk_init_ctx == NULL)
     {
        krb5_prompt prompt;
        krb5_data password_data;
@@ -1486,7 +1489,7 @@ krb5_get_init_creds_password(krb5_context context,
        password = password_data.data;
     }
 
-    if (options->private->password == NULL) {
+    if (options->opt_private->password == NULL) {
        ret = krb5_get_init_creds_opt_set_pa_password(context, options,
                                                      password, NULL);
        if (ret) {