s4:heimdal: import lorikeet-heimdal-200908050050 (commit 8714779fa7376fd9f7761587639e68b48afc8c9c)

This also adds a new hdb-glue.c file, to cope with Heimdal's
uncondtional enabling of SQLITE.

(Very reasonable, but not required for Samba4's use).

Andrew Bartlett

4 files changed, 25 insertions, 20 deletions

diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h
index daf155839c..024937e763 100644
--- a/source4/heimdal/kdc/kdc_locl.h
+++ b/source4/heimdal/kdc/kdc_locl.h
@@ -67,6 +67,9 @@ extern const struct units _kdc_digestunits[];
 extern struct timeval _kdc_now;
 #define kdc_time (_kdc_now.tv_sec)
 
+extern char *runas_string;
+extern char *chroot_string;
+
 void
 loop(krb5_context context, krb5_kdc_configuration *config);
 
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 53e9f54537..8edc07a49b 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1208,19 +1208,13 @@ _kdc_as_rep(krb5_context context,
 			(unsigned)abs(kdc_time - p.patimestamp),
 			context->max_skew,
 			client_name);
-#if 1
-		/* This code is from samba, needs testing */
+
 		/*
-		 * the following is needed to make windows clients
-		 * to retry using the timestamp in the error message
-		 *
-		 * this is maybe a bug in windows to not trying when e_text
-		 * is present...
+		 * The following is needed to make windows clients to
+		 * retry using the timestamp in the error message, if
+		 * there is a e_text, they become unhappy.
 		 */
 		e_text = NULL;
-#else
-		e_text = "Too large time skew";
-#endif
 		goto out;
 	    }
 	    et.flags.pre_authent = 1;
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 247cb575de..e016183615 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -65,12 +65,15 @@ _kdc_db_fetch(krb5_context context,
 				       "malformed request: "
 				       "enterprise name with %d name components",
 				       principal->name.name_string.len);
+		free(ent);
 		return ret;
 	    }
 	    ret = krb5_parse_name(context, principal->name.name_string.val[0],
 				  &enterprise_principal);
-	    if (ret)
+	    if (ret) {
+		free(ent);
 		return ret;
+	    }
 
 	    principal = enterprise_principal;
 	}
@@ -98,7 +101,8 @@ _kdc_db_fetch(krb5_context context,
 	}
     }
     free(ent);
-    krb5_set_error_message(context, HDB_ERR_NOENTRY, "no such entry found in hdb");
+    krb5_set_error_message(context, HDB_ERR_NOENTRY,
+			   "no such entry found in hdb");
     return HDB_ERR_NOENTRY;
 }
 
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 644eae0fe4..0d00ef2173 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -284,7 +284,7 @@ generate_dh_keyblock(krb5_context context,
 	dh_gen_keylen = ECDH_compute_key(dh_gen_key, size, 
 					 EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
 					 client_params->u.ecdh.key, NULL);
-	ret = 0;
+
 #endif /* HAVE_OPENSSL */
     } else {
 	ret = KRB5KRB_ERR_GENERIC;
@@ -1450,8 +1450,10 @@ _kdc_pk_mk_pa_reply(krb5_context context,
 
 	ret = krb5_generate_random_keyblock(context, sessionetype, 
 					    sessionkey);
-	if (ret)
+	if (ret) {
+	    free(buf);
 	    goto out;
+	}
 
     } else
 	krb5_abortx(context, "PK-INIT internal error");
@@ -1981,12 +1983,14 @@ _kdc_pk_initialize(krb5_context context,
 		hx509_name name;
 		char *str;
 		ret = hx509_cert_get_subject(cert, &name);
-		hx509_name_to_string(name, &str);
-		krb5_warnx(context, "WARNING Found KDC certificate (%s)"
-			   "is missing the PK-INIT KDC EKU, this is bad for "
-			   "interoperability.", str);
-		hx509_name_free(&name);
-		free(str);
+		if (ret == 0) {
+		    hx509_name_to_string(name, &str);
+		    krb5_warnx(context, "WARNING Found KDC certificate (%s)"
+			       "is missing the PK-INIT KDC EKU, this is bad for "
+			       "interoperability.", str);
+		    hx509_name_free(&name);
+		    free(str);
+		}
 	    }
 	    hx509_cert_free(cert);
 	} else