r14198: Update Samba4 to current lorikeet-heimdal.

Andrew Bartlett (This used to be commit 97a0a0e2fa6784e5fc5278f7a15b385ddcb6a3b3)
author: Andrew Bartlett <abartlet@samba.org> 2006-03-11 04:03:12 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:56:58 -0500
commit: b7afac2b834674e20f303c3a03b4ac7bb283695e (patch)
tree: 4828afb0cf5bc89f0063d3225d0f15cc01cd2012 /source4/heimdal/lib/krb5
parent: 64b619cefe99c833297f2a635db06bd186843481 (diff)
download: samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.tar.gz
samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.tar.bz2
samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.zip
11 files changed, 168 insertions, 250 deletions
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index de40b059b8..3cfc780eb4 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -32,7 +32,7 @@
  */
 
 #include "krb5_locl.h"
-RCSID("$Id: crypto.c,v 1.130 2005/12/02 14:47:44 lha Exp $");
+RCSID("$Id: crypto.c,v 1.132 2006/02/28 14:52:57 lha Exp $");
 
 #undef CRYPTO_DEBUG
 #ifdef CRYPTO_DEBUG
@@ -591,114 +591,6 @@ ARCFOUR_string_to_key(krb5_context context,
  * AES
  */
 
-/* iter is really 1 based, so iter == 0 will be 1 iteration */
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype,
-		   krb5_data password, krb5_salt salt, u_int32_t iter,
-		   krb5_keytype type, krb5_keyblock *key)
-{
-    struct checksum_type *c = _find_checksum(cktype);
-    struct key_type *kt;
-    size_t datalen, leftofkey;
-    krb5_error_code ret;
-    u_int32_t keypart;
-    struct key_data ksign;
-    krb5_keyblock kb;
-    Checksum result;
-    char *data, *tmpcksum;
-    int i, j;
-    char *p;
-    
-    if (c == NULL) {
-	krb5_set_error_string(context, "checksum %d not supported", cktype);
-	return KRB5_PROG_KEYTYPE_NOSUPP;
-    }
-
-    kt = _find_keytype(type);
-    if (kt == NULL) {
-	krb5_set_error_string(context, "key type %d not supported", type);
-	return KRB5_PROG_KEYTYPE_NOSUPP;
-    }
-    
-    key->keytype = type;
-    ret = krb5_data_alloc (&key->keyvalue, kt->bits / 8);
-    if (ret) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	return ret;
-    }
-	
-    ret = krb5_data_alloc (&result.checksum, c->checksumsize);
-    if (ret) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	krb5_data_free (&key->keyvalue);
-	return ret;
-    }
-
-    tmpcksum = malloc(c->checksumsize);
-    if (tmpcksum == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	krb5_data_free (&key->keyvalue);
-	krb5_data_free (&result.checksum);
-	return ENOMEM;
-    }
-
-    datalen = salt.saltvalue.length + 4;
-    data = malloc(datalen);
-    if (data == NULL) {
-	krb5_set_error_string(context, "malloc: out of memory");
-	free(tmpcksum);
-	krb5_data_free (&key->keyvalue);
-	krb5_data_free (&result.checksum);
-	return ENOMEM;
-    }
-
-    kb.keyvalue = password;
-    ksign.key = &kb;
-
-    memcpy(data, salt.saltvalue.data, salt.saltvalue.length);
-
-    keypart = 1;
-    leftofkey = key->keyvalue.length;
-    p = key->keyvalue.data;
-
-    while (leftofkey) {
-	int len;
-
-	if (leftofkey > c->checksumsize)
-	    len = c->checksumsize;
-	else
-	    len = leftofkey;
-
-	_krb5_put_int(data + datalen - 4, keypart, 4);
-
-	ret = hmac(context, c, data, datalen, 0, &ksign, &result);
-	if (ret)
-	    krb5_abortx(context, "hmac failed");
-	memcpy(p, result.checksum.data, len);
-	memcpy(tmpcksum, result.checksum.data, result.checksum.length);
-	for (i = 0; i < iter; i++) {
-	    ret = hmac(context, c, tmpcksum, result.checksum.length,
-		       0, &ksign, &result);
-	    if (ret)
-		krb5_abortx(context, "hmac failed");
-	    memcpy(tmpcksum, result.checksum.data, result.checksum.length);
-	    for (j = 0; j < len; j++)
-		p[j] ^= tmpcksum[j];
-	}
-
-	p += len;
-	leftofkey -= len;
-	keypart++;
-    }
-
-    free(data);
-    free(tmpcksum);
-    krb5_data_free (&result.checksum);
-
-    return 0;
-}
-
 int _krb5_AES_string_to_default_iterator = 4096;
 
 static krb5_error_code
@@ -715,33 +607,44 @@ AES_string_to_key(krb5_context context,
     struct key_data kd;
 
     if (opaque.length == 0)
-	iter = _krb5_AES_string_to_default_iterator - 1;
+	iter = _krb5_AES_string_to_default_iterator;
     else if (opaque.length == 4) {
 	unsigned long v;
 	_krb5_get_int(opaque.data, &v, 4);
-	iter = ((u_int32_t)v) - 1;
+	iter = ((u_int32_t)v);
     } else
 	return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
 	
-
     et = _find_enctype(enctype);
     if (et == NULL)
 	return KRB5_PROG_KEYTYPE_NOSUPP;
 
-    ret = _krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, 
-			     iter, enctype, key);
-    if (ret)
+    key->keytype = enctype;
+    ret = krb5_data_alloc(&key->keyvalue, et->keytype->size);
+    if (ret) {
+	krb5_set_error_string(context, "Failed to allocate pkcs5 key");
 	return ret;
-
+    }
     ret = krb5_copy_keyblock(context, key, &kd.key);
+    if (ret) {
+	krb5_free_keyblock(context, key);
+	return ret;
+    }
+
+    ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
+				 salt.saltvalue.data, salt.saltvalue.length,
+				 iter, 
+				 et->keytype->size, kd.key->keyvalue.data);
     kd.schedule = NULL;
+    if (ret != 1) {
+	krb5_set_error_string(context, "Error calculating s2k");
+	return KRB5_PROG_KEYTYPE_NOSUPP;
+    }
 
     ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
-    krb5_free_keyblock_contents(context, key);
-    if (ret == 0) {
+    if (ret == 0)
 	ret = krb5_copy_keyblock_contents(context, kd.key, key);
-	free_key_data(context, &kd);
-    }
+    free_key_data(context, &kd);
 
     return ret;
 }
@@ -3789,7 +3692,8 @@ krb5_generate_random_block(void *buf, size_t len)
 	rng_initialized = 1;
     }
     HEIMDAL_MUTEX_unlock(&crypto_mutex);
-    RAND_bytes(buf, len);
+    if (RAND_bytes(buf, len) != 1)
+	krb5_abortx(NULL, "Failed to generate random block");
 }
 
 #else
diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c
index 649bdd20fd..b672fe74f9 100644
--- a/source4/heimdal/lib/krb5/error_string.c
+++ b/source4/heimdal/lib/krb5/error_string.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001 Kungliga Tekniska H�gskolan
+ * Copyright (c) 2001, 2003, 2005 - 2006 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: error_string.c,v 1.3 2004/05/25 21:23:55 lha Exp $");
+RCSID("$Id: error_string.c,v 1.7 2006/02/16 07:49:23 lha Exp $");
 
 #undef __attribute__
 #define __attribute__(X)
@@ -107,3 +107,24 @@ krb5_have_error_string(krb5_context context)
     HEIMDAL_MUTEX_unlock(context->mutex);
     return str != NULL;
 }
+
+char * KRB5_LIB_FUNCTION
+krb5_get_error_message(krb5_context context, krb5_error_code code)
+{
+    const char *cstr;
+    char *str;
+
+    str = krb5_get_error_string(context);
+    if (str)
+	return str;
+
+    cstr = krb5_get_err_text(context, code);
+    if (cstr)
+	return strdup(cstr);
+
+    if (asprintf(&str, "<unknown error: %d>", code) == -1)
+	return NULL;
+
+    return str;
+}
+
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index 7043b8ae51..1fa3f9143e 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_cred.c,v 1.108 2005/07/13 07:38:02 lha Exp $");
+RCSID("$Id: get_cred.c,v 1.109 2006/02/03 11:41:02 lha Exp $");
 
 /*
  * Take the `body' and encode it into `padata' using the credentials
@@ -772,7 +772,8 @@ get_cred_from_kdc_flags(krb5_context context,
 	krb5_boolean noaddr;
 
 	krb5_appdefault_boolean(context, NULL, tgt->server->realm,
-				"no-addresses", FALSE, &noaddr);
+				"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
+				&noaddr);
 	if (noaddr)
 	    ret = get_cred_kdc (context, ccache, flags, NULL,
 				in_creds, tgt, *out_creds);
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index be5c1db47d..aa7c62befc 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: get_for_creds.c,v 1.46 2005/11/28 20:43:02 lha Exp $");
+RCSID("$Id: get_for_creds.c,v 1.47 2006/02/03 11:37:29 lha Exp $");
 
 static krb5_error_code
 add_addrs(krb5_context context,
@@ -284,21 +284,14 @@ krb5_get_forwarded_creds (krb5_context	    context,
 	enc_krb_cred_part.usec = NULL;
     }
 
-    if (auth_context->local_address && auth_context->local_port) {
-	krb5_boolean noaddr;
-	krb5_const_realm srealm;
-
-	srealm = krb5_principal_get_realm(context, out_creds->server);
-	krb5_appdefault_boolean(context, NULL, srealm, "no-addresses", 
-				paddrs == NULL,	&noaddr);
-	if (!noaddr) {
-	    ret = krb5_make_addrport (context,
-				      &enc_krb_cred_part.s_address,
-				      auth_context->local_address,
-				      auth_context->local_port);
-	    if (ret)
-		goto out4;
-	}
+    if (auth_context->local_address && auth_context->local_port && paddrs) {
+
+	ret = krb5_make_addrport (context,
+				  &enc_krb_cred_part.s_address,
+				  auth_context->local_address,
+				  auth_context->local_port);
+	if (ret)
+	    goto out4;
     }
 
     if (auth_context->remote_address) {
diff --git a/source4/heimdal/lib/krb5/init_creds.c b/source4/heimdal/lib/krb5/init_creds.c
index 51b8ebc392..316c2f02eb 100644
--- a/source4/heimdal/lib/krb5/init_creds.c
+++ b/source4/heimdal/lib/krb5/init_creds.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds.c,v 1.21 2005/10/12 12:45:27 lha Exp $");
+RCSID("$Id: init_creds.c,v 1.22 2006/02/03 11:42:31 lha Exp $");
 
 void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
@@ -191,7 +191,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
     if(t != 0)
 	krb5_get_init_creds_opt_set_renew_life(opt, t);
 
-    krb5_appdefault_boolean(context, appname, realm, "no-addresses", FALSE, &b);
+    krb5_appdefault_boolean(context, appname, realm, "no-addresses", 
+			    KRB5_ADDRESSLESS_DEFAULT, &b);
     if (b)
 	krb5_get_init_creds_opt_set_address_list (opt, &no_addrs);
 
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index c308287a36..8d9b3c62ac 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -12,19 +12,6 @@
 #endif
 #endif
 
-struct krb5_dh_moduli;
-struct _krb5_krb_auth_data;
-
-krb5_error_code KRB5_LIB_FUNCTION
-_krb5_PKCS5_PBKDF2 (
-	krb5_context /*context*/,
-	krb5_cksumtype /*cktype*/,
-	krb5_data /*password*/,
-	krb5_salt /*salt*/,
-	u_int32_t /*iter*/,
-	krb5_keytype /*type*/,
-	krb5_keyblock */*key*/);
-
 void KRB5_LIB_FUNCTION
 _krb5_aes_cts_encrypt (
 	const unsigned char */*in*/,
@@ -92,6 +79,9 @@ _krb5_find_type_in_ad (
 void
 _krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
 
+void
+_krb5_free_moduli (struct krb5_dh_moduli **/*moduli*/);
+
 krb5_error_code
 _krb5_get_default_principal_local (
 	krb5_context /*context*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index c08d8058a4..d7e74621ef 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -20,15 +20,6 @@ extern "C" {
 #endif
 #endif
 
-void
-initialize_heim_error_table_r (struct et_list **/*list*/);
-
-void
-initialize_k524_error_table_r (struct et_list **/*list*/);
-
-void
-initialize_krb5_error_table_r (struct et_list **/*list*/);
-
 krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc (
 	krb5_context /*context*/,
@@ -1689,6 +1680,11 @@ krb5_get_err_text (
 	krb5_error_code /*code*/);
 
 char * KRB5_LIB_FUNCTION
+krb5_get_error_message (
+	krb5_context /*context*/,
+	krb5_error_code /*code*/);
+
+char * KRB5_LIB_FUNCTION
 krb5_get_error_string (krb5_context /*context*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
diff --git a/source4/heimdal/lib/krb5/krb5_err.et b/source4/heimdal/lib/krb5/krb5_err.et
index 1257b074fb..e7bada1808 100644
--- a/source4/heimdal/lib/krb5/krb5_err.et
+++ b/source4/heimdal/lib/krb5/krb5_err.et
@@ -3,7 +3,7 @@
 #
 # This might look like a com_err file, but is not
 #
-id "$Id: krb5_err.et,v 1.12 2004/10/14 15:30:29 lha Exp $"
+id "$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $"
 
 error_table krb5
 
@@ -74,35 +74,36 @@ prefix KRB5_KDC_ERR
 error_code CLIENT_NOT_TRUSTED,	"Client not trusted"
 error_code KDC_NOT_TRUSTED,	"KDC not trusted"
 error_code INVALID_SIG,		"Invalid signature"
-error_code KEY_SIZE,		"Key size too small/key too weak"
-error_code CERTIFICATE_MISMATCH, "Certificate mismatch"
+error_code DH_KEY_PARAMETERS_NOT_ACCEPTED, "DH parameters not accepted"
 
+index 69
 prefix KRB5_AP_ERR
 error_code USER_TO_USER_REQUIRED, "User to user required"
 
 index 70
-prefix KRB5_KDC_ERROR
+prefix KRB5_KDC_ERR
 error_code CANT_VERIFY_CERTIFICATE, "Cannot verify certificate"
-error_code INVALID_CERTIFICATE,	"Invalid certificate"
-error_code REVOKED_CERTIFICATE,	"Revoked certificate"
+error_code INVALID_CERTIFICATE, "Certificate invalid"
+error_code REVOKED_CERTIFICATE, "Certificate revoked"
 error_code REVOCATION_STATUS_UNKNOWN, "Revocation status unknown"
-error_code REVOCATION_STATUS_UNAVAILABLE, "Revocation status unknown"
-error_code CLIENT_NAME_MISMATCH,	"Client name mismatch"
-index 75
-error_code KDC_NAME_MISMATCH,	"KDC name mismatch"
-
-# 76-79 are reserved
-
-index 80
-prefix KRB5_IAKERB
-error_code ERR_KDC_NOT_FOUND,	"IAKERB proxy could not find a KDC"
-error_code ERR_KDC_NO_RESPONSE,	"IAKERB proxy never reeived a response from a KDC"
+error_code CLIENT_NAME_MISMATCH, "Revocation status unknown"
+error_code INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose"
+error_code DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted"
+error_code PA_CHECKSUM_MUST_BE_INCLUDED, "paChecksum must be included"
+error_code DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signedData not accepted"
+error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported"
+
+## these are never used
+#index 80
+#prefix KRB5_IAKERB
+#error_code ERR_KDC_NOT_FOUND,	"IAKERB proxy could not find a KDC"
+#error_code ERR_KDC_NO_RESPONSE,	"IAKERB proxy never reeived a response from a KDC"
 
 # 82-127 are reserved
 
 index 128
 prefix
-error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.12 2004/10/14 15:30:29 lha Exp $"
+error_code KRB5_ERR_RCSID,	"$Id: krb5_err.et,v 1.14 2006/02/13 11:28:22 lha Exp $"
 
 error_code KRB5_LIBOS_BADLOCKFLAG,	"Invalid flag for file lock mode"
 error_code KRB5_LIBOS_CANTREADPWD,	"Cannot read password"
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 60d72c8f80..92dd3271f5 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2002 Kungliga Tekniska H�gskolan
+ * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5_locl.h,v 1.84 2005/12/13 15:40:50 lha Exp $ */
+/* $Id: krb5_locl.h,v 1.87 2006/02/09 11:36:27 lha Exp $ */
 
 #ifndef __KRB5_LOCL_H__
 #define __KRB5_LOCL_H__
@@ -170,14 +170,6 @@ struct _krb5_krb_auth_data;
 
 #define KRB5_BUFSIZ 1024
 
-#ifndef KRB5_DEFAULT_CCNAME
-#ifdef __APPLE__
-#define KRB5_DEFAULT_CCNAME "API:"
-#else
-#define KRB5_DEFAULT_CCNAME "FILE:/tmp/krb5cc_%{uid}"
-#endif
-#endif
-
 typedef enum {
     KRB5_PA_PAC_DONT_CARE = 0, 
     KRB5_PA_PAC_REQ_TRUE,
@@ -196,4 +188,20 @@ struct _krb5_get_init_creds_opt_private {
     int canonicalize;
 };
 
+/*
+ * Configurable options
+ */
+
+#ifndef KRB5_DEFAULT_CCNAME
+#ifdef __APPLE__
+#define KRB5_DEFAULT_CCNAME "API:"
+#else
+#define KRB5_DEFAULT_CCNAME "FILE:/tmp/krb5cc_%{uid}"
+#endif
+#endif
+
+#ifndef KRB5_ADDRESSLESS_DEFAULT
+#define KRB5_ADDRESSLESS_DEFAULT FALSE
+#endif
+
 #endif /* __KRB5_LOCL_H__ */
diff --git a/source4/heimdal/lib/krb5/mk_priv.c b/source4/heimdal/lib/krb5/mk_priv.c
index 56112eea8c..b5a1aadfea 100644
--- a/source4/heimdal/lib/krb5/mk_priv.c
+++ b/source4/heimdal/lib/krb5/mk_priv.c
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: mk_priv.c,v 1.34 2004/05/25 21:33:32 lha Exp $");
+RCSID("$Id: mk_priv.c,v 1.35 2006/02/01 12:39:26 lha Exp $");
 
       
 krb5_error_code KRB5_LIB_FUNCTION
@@ -129,9 +129,11 @@ krb5_mk_priv(krb5_context context,
 
 
     ASN1_MALLOC_ENCODE(KRB_PRIV, buf, buf_size, &s, &len, ret);
-
-    if(ret)
+    if (ret)
 	goto fail;
+    if (buf_size != len)
+	krb5_abortx(context, "internal error in ASN.1 encoder");
+
     krb5_data_free (&s.enc_part.cipher);
 
     ret = krb5_data_copy(outbuf, buf + buf_size - len, len);
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 0c5dfc44e9..1247bb22ca 100755
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -33,7 +33,15 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: pkinit.c,v 1.75 2005/10/21 17:18:38 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.77 2006/02/14 10:08:29 lha Exp $");
+
+struct krb5_dh_moduli {
+    char *name;
+    unsigned long bits;
+    heim_integer p;
+    heim_integer g;
+    heim_integer q;
+};
 
 #ifdef PKINIT
 
@@ -104,14 +112,6 @@ struct krb5_pk_cert {
     X509 *cert;
 };
 
-struct krb5_dh_moduli {
-    char *name;
-    unsigned long bits;
-    heim_integer p;
-    heim_integer g;
-    heim_integer q;
-};
-
 struct krb5_pk_init_ctx_data {
     struct krb5_pk_identity *id;
     DH *dh;
@@ -505,7 +505,13 @@ build_auth_pack(krb5_context context,
     if (ret) 
 	return ret;
 
-    ret = krb5_data_copy(&a->pkAuthenticator.paChecksum,
+    ALLOC(a->pkAuthenticator.paChecksum, 1);
+    if (a->pkAuthenticator.paChecksum == NULL) {
+	krb5_set_error_string(context, "malloc: out of memory");
+	return ENOMEM;
+    }
+
+    ret = krb5_data_copy(a->pkAuthenticator.paChecksum,
 			 checksum.checksum.data, checksum.checksum.length);
     free_Checksum(&checksum);
     if (ret)
@@ -984,11 +990,9 @@ pk_verify_chain_standard(krb5_context context,
      * Since X509_verify_cert() doesn't do CRL checking at all, we have to
      * perform own verification against CRLs
      */
-#if 0
-    ret = pk_verify_crl(context, store_ctx, id->crls);
-    if (ret)
-	goto end;
-#endif
+    /*
+     * XXX add crl checking
+     */
 
     if (client_cert && cert)
 	*client_cert = X509_dup(cert);
@@ -2429,6 +2433,31 @@ _krb5_pk_load_openssl_id(krb5_context context,
     return ret;
 }
 
+static krb5_error_code
+select_dh_group(krb5_context context, DH *dh, unsigned long bits, 
+		struct krb5_dh_moduli **moduli)
+{
+    const struct krb5_dh_moduli *m;
+
+    m = moduli[1]; /* XXX */
+    if (m == NULL)
+	m = moduli[0]; /* XXX */
+
+    dh->p = integer_to_BN(context, "p", &m->p);
+    if (dh->p == NULL)
+	return ENOMEM;
+    dh->g = integer_to_BN(context, "g", &m->g);
+    if (dh->g == NULL)
+	return ENOMEM;
+    dh->q = integer_to_BN(context, "q", &m->q);
+    if (dh->q == NULL)
+	return ENOMEM;
+
+    return 0;
+}
+
+#endif /* PKINIT */
+
 static int
 parse_integer(krb5_context context, char **p, const char *file, int lineno, 
 	      const char *name, heim_integer *integer)
@@ -2526,7 +2555,7 @@ out:
     return ret;
 }
 
-static void
+void
 _krb5_free_moduli(struct krb5_dh_moduli **moduli)
 {
     int i;
@@ -2541,8 +2570,9 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
 }
 
 static const char *default_moduli =
-    /* bits */
+    /* name */
     "RFC2412-MODP-group2 "
+    /* bits */
     "1024 "
     /* p */
     "FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
@@ -2566,7 +2596,7 @@ krb5_error_code
 _krb5_parse_moduli(krb5_context context, const char *file,
 		   struct krb5_dh_moduli ***moduli)
 {
-    /* comment bits P G Q */
+    /* name bits P G Q */
     krb5_error_code ret;
     struct krb5_dh_moduli **m = NULL, **m2;
     char buf[4096];
@@ -2589,10 +2619,8 @@ _krb5_parse_moduli(krb5_context context, const char *file,
     }
     n = 1;
 
-    if (file == NULL) {
-	*moduli = m;
-	return 0;
-    }
+    if (file == NULL)
+	file = MODULI_FILE;
 
     f = fopen(file, "r");
     if (f == NULL) {
@@ -2646,7 +2674,7 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
     for (i = 0; moduli[i] != NULL; i++) {
 	if (heim_integer_cmp(&moduli[i]->g, g) == 0 &&
 	    heim_integer_cmp(&moduli[i]->p, p) == 0 &&
-	    heim_integer_cmp(&moduli[i]->q, q) == 0)
+	    (q == NULL || heim_integer_cmp(&moduli[i]->q, q) == 0))
 	{
 	    if (bits && bits > moduli[i]->bits) {
 		krb5_set_error_string(context, "PKINIT: DH group parameter %s "
@@ -2663,32 +2691,6 @@ _krb5_dh_group_ok(krb5_context context, unsigned long bits,
     return KRB5_KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED;
 }
 
-static krb5_error_code
-select_dh_group(krb5_context context, DH *dh, unsigned long bits, 
-		struct krb5_dh_moduli **moduli)
-{
-    const struct krb5_dh_moduli *m;
-
-    m = moduli[1]; /* XXX */
-    if (m == NULL)
-	m = moduli[0]; /* XXX */
-
-    dh->p = integer_to_BN(context, "p", &m->p);
-    if (dh->p == NULL)
-	return ENOMEM;
-    dh->g = integer_to_BN(context, "g", &m->g);
-    if (dh->g == NULL)
-	return ENOMEM;
-    dh->q = integer_to_BN(context, "q", &m->q);
-    if (dh->q == NULL)
-	return ENOMEM;
-
-    return 0;
-}
-
-
-#endif /* PKINIT */
-
 void KRB5_LIB_FUNCTION
 _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
 {
@@ -2772,11 +2774,10 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
     if ((flags & 2) == 0) {
 	const char *moduli_file;
 
-	moduli_file = krb5_config_get_string_default(context, NULL,
-						     MODULI_FILE,
-						     "libdefaults",
-						     "moduli",
-						     NULL);
+	moduli_file = krb5_config_get_string(context, NULL,
+					     "libdefaults",
+					     "moduli",
+					     NULL);
 
 	ret = _krb5_parse_moduli(context, moduli_file, 
 				 &opt->opt_private->pk_init_ctx->m);
author	Andrew Bartlett <abartlet@samba.org>	2006-03-11 04:03:12 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:56:58 -0500
commit	b7afac2b834674e20f303c3a03b4ac7bb283695e (patch)
tree	4828afb0cf5bc89f0063d3225d0f15cc01cd2012 /source4/heimdal/lib/krb5
parent	64b619cefe99c833297f2a635db06bd186843481 (diff)
download	samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.tar.gz samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.tar.bz2 samba-b7afac2b834674e20f303c3a03b4ac7bb283695e.zip