r9413: Bring Samba4 back up to date with lorikeet-heimdal.

Delete test_crypto_wrapping.c, previously included but unbuilt.

Andrew Bartlett
(This used to be commit d5fb30fb0cef330e0947969f0c9afc1f58fc4c7d)

4 files changed, 77 insertions, 26 deletions

diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index d347c6080c..b87895d56c 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
  */
 
 /* 
- * $Id: kdc_locl.h,v 1.71 2005/07/01 15:36:16 lha Exp $ 
+ * $Id: kdc_locl.h,v 1.72 2005/08/12 08:46:39 lha Exp $ 
  */
 
 #ifndef __KDC_LOCL_H__
@@ -61,7 +61,8 @@ extern struct timeval _kdc_now;
 krb5_error_code
 _kdc_as_rep(krb5_context context, 
 	    krb5_kdc_configuration *config,
-	    KDC_REQ*, krb5_data*, const char*, struct sockaddr*);
+	    KDC_REQ*, const krb5_data*, krb5_data*, 
+	    const char*, struct sockaddr*);
 
 krb5_kdc_configuration *
 configure(krb5_context context, int argc, char **argv);
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index e85a269a01..27a25d95ff 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -189,7 +189,8 @@ log_timestamp(krb5_context context,
 	      KerberosTime authtime, KerberosTime *starttime, 
 	      KerberosTime endtime, KerberosTime *renew_till)
 {
-    char authtime_str[100], starttime_str[100], endtime_str[100], renewtime_str[100];
+    char authtime_str[100], starttime_str[100], 
+	endtime_str[100], renewtime_str[100];
     
     krb5_format_time(context, authtime, 
 		     authtime_str, sizeof(authtime_str), TRUE); 
@@ -728,6 +729,7 @@ krb5_error_code
 _kdc_as_rep(krb5_context context, 
 	    krb5_kdc_configuration *config,
 	    KDC_REQ *req, 
+	    const krb5_data *req_buffer, 
 	    krb5_data *reply,
 	    const char *from,
 	    struct sockaddr *from_addr)
@@ -940,7 +942,8 @@ _kdc_as_rep(krb5_context context,
 		kdc_log(context, config, 5, 
 			"Failed to decrypt PA-DATA -- %s "
 			"(enctype %s) error %s",
-			client_name, str ? str : "unknown enctype", 
+			client_name,
+			str ? str : "unknown enctype", 
 			krb5_get_err_text(context, ret));
 		free(str);
 
@@ -1308,8 +1311,9 @@ _kdc_as_rep(krb5_context context,
     reply_key = &ckey->key;
 #if PKINIT
     if (pkp) {
-	ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, req,
-			      &reply_key, rep.padata);
+	ret = _kdc_pk_mk_pa_reply(context, config, pkp, client, 
+				  req, req_buffer, 
+				  &reply_key, rep.padata);
 	if (ret)
 	    goto out;
     }
@@ -1372,30 +1376,35 @@ check_tgs_flags(krb5_context context,
 	
     if(f.validate){
 	if(!tgt->flags.invalid || tgt->starttime == NULL){
-	    kdc_log(context, config, 0, "Bad request to validate ticket");
+	    kdc_log(context, config, 0,
+		    "Bad request to validate ticket");
 	    return KRB5KDC_ERR_BADOPTION;
 	}
 	if(*tgt->starttime > kdc_time){
-	    kdc_log(context, config, 0, "Early request to validate ticket");
+	    kdc_log(context, config, 0,
+		    "Early request to validate ticket");
 	    return KRB5KRB_AP_ERR_TKT_NYV;
 	}
 	/* XXX  tkt = tgt */
 	et->flags.invalid = 0;
     }else if(tgt->flags.invalid){
-	kdc_log(context, config, 0, "Ticket-granting ticket has INVALID flag set");
+	kdc_log(context, config, 0, 
+		"Ticket-granting ticket has INVALID flag set");
 	return KRB5KRB_AP_ERR_TKT_INVALID;
     }
 
     if(f.forwardable){
 	if(!tgt->flags.forwardable){
-	    kdc_log(context, config, 0, "Bad request for forwardable ticket");
+	    kdc_log(context, config, 0,
+		    "Bad request for forwardable ticket");
 	    return KRB5KDC_ERR_BADOPTION;
 	}
 	et->flags.forwardable = 1;
     }
     if(f.forwarded){
 	if(!tgt->flags.forwardable){
-	    kdc_log(context, config, 0, "Request to forward non-forwardable ticket");
+	    kdc_log(context, config, 0,
+		    "Request to forward non-forwardable ticket");
 	    return KRB5KDC_ERR_BADOPTION;
 	}
 	et->flags.forwarded = 1;
@@ -1906,7 +1915,8 @@ tgs_check_authenticator(krb5_context context,
     free(buf);
     krb5_crypto_destroy(context, crypto);
     if(ret){
-	kdc_log(context, config, 0, "Failed to verify authenticator checksum: %s", 
+	kdc_log(context, config, 0,
+		"Failed to verify authenticator checksum: %s", 
 		krb5_get_err_text(context, ret));
     }
 out:
@@ -2102,11 +2112,11 @@ tgs_rep2(krb5_context context,
 
     ret = tgs_check_authenticator(context, config, 
 				  ac, b, &e_text, &tgt->key);
-    if(ret){
+    if (ret) {
 	krb5_auth_con_free(context, ac);
 	goto out2;
     }
-    
+
     if (b->enc_authorization_data) {
 	krb5_keyblock *subkey;
 	krb5_data ad;
@@ -2167,6 +2177,8 @@ tgs_rep2(krb5_context context,
 	}
     }
 
+    krb5_auth_con_free(context, ac);
+
     {
 	PrincipalName *s;
 	Realm r;
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index f591aa8fc1..fdeaf27ac4 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: pkinit.c,v 1.37 2005/07/26 18:37:02 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.41 2005/08/12 09:21:40 lha Exp $");
 
 #ifdef PKINIT
 
@@ -66,7 +66,7 @@ struct krb5_pk_cert {
 enum pkinit_type {
     PKINIT_COMPAT_WIN2K = 1,
     PKINIT_COMPAT_19 = 2,
-    PKINIT_COMPAT_25 = 3
+    PKINIT_COMPAT_27 = 3
 };
 
 struct pk_client_params {
@@ -640,7 +640,7 @@ _kdc_pk_rd_padata(krb5_context context,
 	PA_PK_AS_REQ r;
 	ContentInfo info;
 
-	type = "PK-INIT-25";
+	type = "PK-INIT-27";
 	pa_contentType = oid_id_pkauthdata();
 
 	ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
@@ -796,7 +796,7 @@ _kdc_pk_rd_padata(krb5_context context,
 	    goto out;
 	}
 
-	client_params->type = PKINIT_COMPAT_25;
+	client_params->type = PKINIT_COMPAT_27;
 	client_params->nonce = ap.pkAuthenticator.nonce;
 
 	if (ap.clientPublicValue) {
@@ -851,6 +851,7 @@ static krb5_error_code
 pk_mk_pa_reply_enckey(krb5_context context,
 		      pk_client_params *client_params,
 		      const KDC_REQ *req,
+		      const krb5_data *req_buffer,
 		      krb5_keyblock *reply_key,
 		      ContentInfo *content_info)
 {
@@ -945,7 +946,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
 			   &kp, &size,ret);
 	free_ReplyKeyPack_19(&kp);
     }
-    case PKINIT_COMPAT_25: {
+    case PKINIT_COMPAT_27: {
+	krb5_crypto ascrypto;
 	ReplyKeyPack kp;
 	memset(&kp, 0, sizeof(kp));
 
@@ -954,9 +956,29 @@ pk_mk_pa_reply_enckey(krb5_context context,
 	    krb5_clear_error_string(context);
 	    goto out;
 	}
-	/* XXX add whatever is the outcome of asChecksum discussion here */
+
+	ret = krb5_crypto_init(context, reply_key, 0, &ascrypto);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+
+	ret = krb5_create_checksum(context, ascrypto, 6, 0,
+				   req_buffer->data, req_buffer->length,
+				   &kp.asChecksum);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
+			     
+	ret = krb5_crypto_destroy(context, ascrypto);
+	if (ret) {
+	    krb5_clear_error_string(context);
+	    goto out;
+	}
 	ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
 	free_ReplyKeyPack(&kp);
+	break;
     }
     default:
 	krb5_abortx(context, "internal pkinit error");
@@ -1194,6 +1216,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 		    pk_client_params *client_params,
 		    const hdb_entry *client,
 		    const KDC_REQ *req,
+		    const krb5_data *req_buffer,
 		    krb5_keyblock **reply_key,
 		    METHOD_DATA *md)
 {
@@ -1223,7 +1246,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
     } else
 	enctype = ETYPE_DES3_CBC_SHA1;
 
-    if (client_params->type == PKINIT_COMPAT_25) {
+    if (client_params->type == PKINIT_COMPAT_27) {
 	PA_PK_AS_REP rep;
 
 	pa_type = KRB5_PADATA_PK_AS_REP;
@@ -1239,6 +1262,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 	    ret = pk_mk_pa_reply_enckey(context,
 					client_params,
 					req,
+					req_buffer,
 					&client_params->reply_key,
 					&info);
 	    if (ret) {
@@ -1259,7 +1283,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 		krb5_abortx(context, "Internal ASN.1 encoder error");
 
 	} else {
-	    krb5_set_error_string(context, "DH -25 not implemented");
+	    krb5_set_error_string(context, "DH -27 not implemented");
 	    ret = KRB5KRB_ERR_GENERIC;
 	}
 	if (ret) {
@@ -1291,6 +1315,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 	    ret = pk_mk_pa_reply_enckey(context,
 					client_params,
 					req,
+					req_buffer,
 					&client_params->reply_key,
 					&rep.u.encKeyPack);
 	} else {
@@ -1332,7 +1357,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 	memset(&rep, 0, sizeof(rep));
 
 	if (client_params->dh) {
-	    krb5_set_error_string(context, "DH -25 not implemented");
+	    krb5_set_error_string(context, "DH -27 not implemented");
 	    ret = KRB5KRB_ERR_GENERIC;
 	} else {
 	    rep.element = choice_PA_PK_AS_REP_encKeyPack;
@@ -1343,6 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 	    ret = pk_mk_pa_reply_enckey(context,
 					client_params,
 					req,
+					req_buffer,
 					&client_params->reply_key,
 					&info);
 	    if (ret) {
diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c
index 22cf23c48d..d0f8245bf9 100644
--- a/source4/heimdal/kdc/process.c
+++ b/source4/heimdal/kdc/process.c
@@ -34,7 +34,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: process.c,v 1.2 2005/06/30 01:54:49 lha Exp $");
+RCSID("$Id: process.c,v 1.3 2005/08/12 08:25:48 lha Exp $");
 
 /*
  * handle the request in `buf, len', from `addr' (or `from' as a string),
@@ -58,7 +58,13 @@ krb5_kdc_process_generic_request(krb5_context context,
 
     gettimeofday(&_kdc_now, NULL);
     if(decode_AS_REQ(buf, len, &req, &i) == 0){
-	ret = _kdc_as_rep(context, config, &req, reply, from, addr);
+	krb5_data req_buffer;
+
+	req_buffer.data = buf;
+	req_buffer.length = len;
+
+	ret = _kdc_as_rep(context, config, &req, &req_buffer, 
+			  reply, from, addr);
 	free_AS_REQ(&req);
 	return ret;
     }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){
@@ -105,7 +111,13 @@ krb5_kdc_process_krb5_request(krb5_context context,
 
     gettimeofday(&_kdc_now, NULL);
     if(decode_AS_REQ(buf, len, &req, &i) == 0){
-	ret = _kdc_as_rep(context, config, &req, reply, from, addr);
+	krb5_data req_buffer;
+
+	req_buffer.data = buf;
+	req_buffer.length = len;
+
+	ret = _kdc_as_rep(context, config, &req, &req_buffer,
+			  reply, from, addr);
 	free_AS_REQ(&req);
 	return ret;
     }else if(decode_TGS_REQ(buf, len, &req, &i) == 0){