r12000: Update to current lorikeet-heimdal, including in particular support

for referencing an existing in-MEMORY keytab (required for the new way we push that to GSSAPI). Andrew Bartlett (This used to be commit 2426581dfb9f5f0f9367f846c01dfd3c30fea954)
author: Andrew Bartlett <abartlet@samba.org> 2005-12-01 22:18:34 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:46:57 -0500
commit: 6913dddf644525f4bdadfb740b5bff41abe030b2 (patch)
tree: 5325b59915008cd16f1f5bf6ab242e8788b0b808 /source4/heimdal/lib/krb5
parent: f536c4a608bc8de3a9a0fd73f4c75f3183caa547 (diff)
download: samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.gz
samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.bz2
samba-6913dddf644525f4bdadfb740b5bff41abe030b2.zip
5 files changed, 105 insertions, 9 deletions
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 25dc2cb8c0..0c821cb11d 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $");
+RCSID("$Id: cache.c,v 1.76 2005/11/29 09:10:47 lha Exp $");
 
 /*
  * Add a new ccache type with operations `ops', overwriting any
@@ -701,6 +701,9 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
     char *p, *p1;
     int i;
     
+    if (prefix[0] == '/')
+	return &krb5_fcc_ops;
+
     p = strdup(prefix);
     if (p == NULL) {
 	krb5_set_error_string(context, "malloc - out of memory");
diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c
index 1d866fa11e..afa8f433ac 100644
--- a/source4/heimdal/lib/krb5/keytab_memory.c
+++ b/source4/heimdal/lib/krb5/keytab_memory.c
@@ -33,26 +33,64 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: keytab_memory.c,v 1.6 2005/05/18 04:44:40 lha Exp $");
+RCSID("$Id: keytab_memory.c,v 1.7 2005/12/01 12:40:22 lha Exp $");
 
 /* memory operations -------------------------------------------- */
 
 struct mkt_data {
     krb5_keytab_entry *entries;
     int num_entries;
+    char *name;
+    int refcount;
+    struct mkt_data *next;
 };
 
+/* this mutex protects mkt_head, ->refcount, and ->next 
+ * content is not protected (name is static and need no protection)
+ */
+static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static struct mkt_data *mkt_head;
+
+
 static krb5_error_code
 mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 {
     struct mkt_data *d;
-    d = malloc(sizeof(*d));
+
+    HEIMDAL_MUTEX_lock(&mkt_mutex);
+
+    for (d = mkt_head; d != NULL; d = d->next)
+	if (strcmp(d->name, name) == 0)
+	    break;
+    if (d) {
+	if (d->refcount < 1)
+	    krb5_abortx(context, "Double close on memory keytab, "
+			"refcount < 1 %d", d->refcount);
+	d->refcount++;
+	id->data = d;
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	return 0;
+    }
+
+    d = calloc(1, sizeof(*d));
     if(d == NULL) {
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	krb5_set_error_string (context, "malloc: out of memory");
+	return ENOMEM;
+    }
+    d->name = strdup(name);
+    if (d->name == NULL) {
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	free(d);
 	krb5_set_error_string (context, "malloc: out of memory");
 	return ENOMEM;
     }
     d->entries = NULL;
     d->num_entries = 0;
+    d->refcount = 1;
+    d->next = mkt_head;
+    mkt_head = d;
+    HEIMDAL_MUTEX_unlock(&mkt_mutex);
     id->data = d;
     return 0;
 }
@@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
 static krb5_error_code
 mkt_close(krb5_context context, krb5_keytab id)
 {
-    struct mkt_data *d = id->data;
+    struct mkt_data *d = id->data, **dp;
     int i;
+
+    HEIMDAL_MUTEX_lock(&mkt_mutex);
+    if (d->refcount < 1)
+	krb5_abortx(context, 
+		    "krb5 internal error, memory keytab refcount < 1 on close");
+
+    if (--d->refcount > 0) {
+	HEIMDAL_MUTEX_unlock(&mkt_mutex);
+	return 0;
+    }
+    for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) {
+	if (*dp == d) {
+	    *dp = d->next;
+	    break;
+	}
+    }
+    HEIMDAL_MUTEX_unlock(&mkt_mutex);
+
+    free(d->name);
     for(i = 0; i < d->num_entries; i++)
 	krb5_kt_free_entry(context, &d->entries[i]);
     free(d->entries);
@@ -75,7 +132,8 @@ mkt_get_name(krb5_context context,
 	     char *name, 
 	     size_t namesize)
 {
-    strlcpy(name, "", namesize);
+    struct mkt_data *d = id->data;
+    strlcpy(name, d->name, namesize);
     return 0;
 }
 
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 33e35ca60e..301b8853e4 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -20,6 +20,24 @@ extern "C" {
 #endif
 #endif
 
+void
+initialize_heim_error_table (void);
+
+void
+initialize_heim_error_table_r (struct et_list **/*list*/);
+
+void
+initialize_k524_error_table (void);
+
+void
+initialize_k524_error_table_r (struct et_list **/*list*/);
+
+void
+initialize_krb5_error_table (void);
+
+void
+initialize_krb5_error_table_r (struct et_list **/*list*/);
+
 krb5_error_code KRB5_LIB_FUNCTION
 krb524_convert_creds_kdc (
 	krb5_context /*context*/,
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index fe9a0e5e7a..adee4708e6 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h,v 1.239 2005/10/12 12:39:28 lha Exp $ */
+/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index 582b71db03..313c14f6e6 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska H�gskolan
+ * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $");
+RCSID("$Id: rd_req.c,v 1.61 2005/11/29 18:22:51 lha Exp $");
 
 static krb5_error_code
 decrypt_tkt_enc_part (krb5_context context,
@@ -136,7 +136,11 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
     int num_realms;
     krb5_error_code ret;
 	    
-    /* Windows w2k and w2k3 uses this */
+    /* 
+     * Windows 2000 and 2003 uses this inside their TGT so its normaly
+     * not seen by others, however, samba4 joined with a Windows AD as
+     * a Domain Controller gets exposed to this.
+     */
     if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0)
 	return 0;
 
@@ -417,6 +421,19 @@ krb5_verify_ap_req2(krb5_context context,
 	goto out;
     }
 
+    /* check timestamp in authenticator */
+    {
+	krb5_timestamp now;
+
+	krb5_timeofday (context, &now);
+
+	if (abs(ac->authenticator->ctime - now) > context->max_skew) {
+	    ret = KRB5KRB_AP_ERR_SKEW;
+	    krb5_clear_error_string (context);
+	    goto out;
+	}
+    }
+
     if (ac->authenticator->seq_number)
 	krb5_auth_con_setremoteseqnumber(context, ac,
 					 *ac->authenticator->seq_number);
author	Andrew Bartlett <abartlet@samba.org>	2005-12-01 22:18:34 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:46:57 -0500
commit	6913dddf644525f4bdadfb740b5bff41abe030b2 (patch)
tree	5325b59915008cd16f1f5bf6ab242e8788b0b808 /source4/heimdal/lib/krb5
parent	f536c4a608bc8de3a9a0fd73f4c75f3183caa547 (diff)
download	samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.gz samba-6913dddf644525f4bdadfb740b5bff41abe030b2.tar.bz2 samba-6913dddf644525f4bdadfb740b5bff41abe030b2.zip