r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour of a more tasteful replacement.

Remove kerberos_verify.c, as we don't need that code any more.
Replace with code for using the new krb5_rd_req_ctx() borrowed from
Heimdal's accecpt_sec_context.c

Andrew Bartlett
(This used to be commit 13c9df1d4f0517468c80040d3756310d4dcbdd50)

19 files changed, 508 insertions, 224 deletions

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 19287b31cc..84c16190f9 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: kerberos5.c,v 1.223 2006/10/17 02:16:29 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.224 2006/11/04 17:05:28 lha Exp $");
 
 #define MAX_TIME ((time_t)((1U << 31) - 1))
 
@@ -1063,13 +1063,14 @@ _kdc_as_rep(krb5_context context,
 	    free_PA_ENC_TS_ENC(&p);
 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
 		char client_time[100];
-
+		
 		krb5_format_time(context, p.patimestamp, 
 				 client_time, sizeof(client_time), TRUE); 
 
-		ret = KRB5KRB_AP_ERR_SKEW;
-		kdc_log(context, config, 0,
-			"Too large time skew, client time %s is out by %u > %u seconds -- %s", 
+ 		ret = KRB5KRB_AP_ERR_SKEW;
+ 		kdc_log(context, config, 0,
+			"Too large time skew, "
+			"client time %s is out by %u > %u seconds -- %s", 
 			client_time, 
 			(unsigned)abs(kdc_time - p.patimestamp), 
 			context->max_skew,
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index e3d77c0621..1a300cce3e 100755
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: pkinit.c,v 1.72 2006/10/24 17:51:33 lha Exp $");
+RCSID("$Id: pkinit.c,v 1.73 2006/11/07 17:24:57 lha Exp $");
 
 #ifdef PKINIT
 
@@ -528,8 +528,10 @@ _kdc_pk_rd_padata(krb5_context context,
 				      &eContent,
 				      &signer_certs);
 	if (ret) {
-	    kdc_log(context, config, 0,
-		    "PK-INIT failed to verify signature %d", ret);
+	    char *s = hx509_get_error_string(kdc_identity->hx509ctx, ret);
+	    krb5_warnx(context, "PKINIT: failed to verify signature: %s: %d",
+		       s, ret);
+	    free(s);
 	    goto out;
 	}
 
@@ -1376,6 +1378,36 @@ _kdc_pk_initialize(krb5_context context,
 	return ret;
     }
 
+    {
+	hx509_query *q;
+	hx509_cert cert;
+	
+	ret = hx509_query_alloc(kdc_identity->hx509ctx, &q);
+	if (ret) {
+	    krb5_warnx(context, "PKINIT: out of memory");
+	    return ENOMEM;
+	}
+	
+	hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+	hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+	
+	ret = hx509_certs_find(kdc_identity->hx509ctx,
+			       kdc_identity->certs,
+			       q,
+			       &cert);
+	hx509_query_free(kdc_identity->hx509ctx, q);
+	if (ret == 0) {
+	    if (hx509_cert_check_eku(kdc_identity->hx509ctx, cert,
+				     oid_id_pkkdcekuoid(), 0))
+		krb5_warnx(context, "WARNING Found KDC certificate "
+			   "is missing the PK-INIT KDC EKU, this is bad for "
+			   "interoperability.");
+	    hx509_cert_free(cert);
+	} else
+	    krb5_warnx(context, "PKINIT: failed to find a signing "
+		       "certifiate with a public key");
+    }
+
     ret = krb5_config_get_bool_default(context, 
 				       NULL,
 				       FALSE,
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
index 8c025c8366..67a9a12bfe 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi_krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gssapi_krb5.h,v 1.10 2006/10/20 22:04:03 lha Exp $ */
+/* $Id: gssapi_krb5.h,v 1.12 2006/11/05 00:06:09 lha Exp $ */
 
 #ifndef GSSAPI_KRB5_H_
 #define GSSAPI_KRB5_H_
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index e42bb11b85..6ac80461c3 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: accept_sec_context.c,v 1.64 2006/10/25 04:19:45 lha Exp $");
+RCSID("$Id: accept_sec_context.c,v 1.65 2006/11/07 14:52:05 lha Exp $");
 
 HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
 krb5_keytab _gsskrb5_keytab;
@@ -264,9 +264,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     OM_uint32 ret = GSS_S_COMPLETE;
     krb5_data indata;
     krb5_flags ap_options;
-    krb5_ticket *ticket = NULL;
     krb5_keytab keytab = NULL;
-    krb5_keyblock *keyblock = NULL;
     int is_cfx = 0;
     const gsskrb5_cred acceptor_cred = (gsskrb5_cred)acceptor_cred_handle;
 
@@ -298,34 +296,65 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
     /*
      * We need to check the ticket and create the AP-REP packet
      */
-    kret = krb5_rd_req_return_keyblock(_gsskrb5_context,
-				       &ctx->auth_context,
-				       &indata,
-				       (acceptor_cred == NULL) ? NULL : acceptor_cred->principal,
-				       keytab,
-				       &ap_options,
-				       &ticket,
-				       &keyblock);
-    if (kret) {
-	ret = GSS_S_FAILURE;
-	*minor_status = kret;
-	_gsskrb5_set_error_string ();
-	return ret;
+
+    {
+	krb5_rd_req_in_ctx in = NULL;
+	krb5_rd_req_out_ctx out = NULL;
+
+	kret = krb5_rd_req_in_ctx_alloc(_gsskrb5_context, &in);
+	if (kret == 0)
+	    kret = krb5_rd_req_in_set_keytab(_gsskrb5_context, in, keytab);
+	if (kret) {
+	    if (in)
+		krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    _gsskrb5_set_error_string ();
+	    return ret;
+	}
+
+	kret = krb5_rd_req_ctx(_gsskrb5_context,
+			       &ctx->auth_context,
+			       &indata,
+			       (acceptor_cred_handle == GSS_C_NO_CREDENTIAL) ? NULL : acceptor_cred->principal,
+			       in, &out);
+	krb5_rd_req_in_ctx_free(_gsskrb5_context, in);
+	if (kret) {
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    _gsskrb5_set_error_string ();
+	    return ret;
+	}
+
+	/*
+	 * We need to remember some data on the context_handle.
+	 */
+	kret = krb5_rd_req_out_get_ap_req_options(_gsskrb5_context, out,
+						  &ap_options);
+	if (kret == 0)
+	    kret = krb5_rd_req_out_get_ticket(_gsskrb5_context, out, 
+					      &ctx->ticket);
+	if (kret == 0)
+	    kret = krb5_rd_req_out_get_keyblock(_gsskrb5_context, out,
+						&ctx->service_keyblock);
+	ctx->lifetime = ctx->ticket->ticket.endtime;
+
+	krb5_rd_req_out_ctx_free(_gsskrb5_context, out);
+	if (kret) {
+	    ret = GSS_S_FAILURE;
+	    *minor_status = kret;
+	    _gsskrb5_set_error_string ();
+	    return ret;
+	}
     }
     
-    /*
-     * We need to remember some data on the context_handle.
-     */
-    ctx->ticket = ticket;
-    ctx->service_keyblock = keyblock;
-    ctx->lifetime = ticket->ticket.endtime;
     
     /*
      * We need to copy the principal names to the context and the
      * calling layer.
      */
     kret = krb5_copy_principal(_gsskrb5_context,
-			       ticket->client,
+			       ctx->ticket->client,
 			       &ctx->source);
     if (kret) {
 	ret = GSS_S_FAILURE;
@@ -333,7 +362,9 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	_gsskrb5_set_error_string ();
     }
 
-    kret = krb5_copy_principal(_gsskrb5_context, ticket->server, &ctx->target);
+    kret = krb5_copy_principal(_gsskrb5_context, 
+			       ctx->ticket->server,
+			       &ctx->target);
     if (kret) {
 	ret = GSS_S_FAILURE;
 	*minor_status = kret;
@@ -351,7 +382,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 
     if (src_name != NULL) {
 	kret = krb5_copy_principal (_gsskrb5_context,
-				    ticket->client,
+				    ctx->ticket->client,
 				    (gsskrb5_name*)src_name);
 	if (kret) {
 	    ret = GSS_S_FAILURE;
@@ -471,7 +502,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 
     /* Remember the flags */
     
-    ctx->lifetime = ticket->ticket.endtime;
+    ctx->lifetime = ctx->ticket->ticket.endtime;
     ctx->more_flags |= OPEN;
     
     if (mech_type)
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index 82851f5a78..2c43ed8b32 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: arcfour.c,v 1.29 2006/10/07 22:14:05 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.30 2006/11/07 19:05:16 lha Exp $");
 
 /*
  * Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -355,17 +355,16 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
     if (conf_state)
 	*conf_state = 0;
 
-    if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
-	datalen = input_message_buffer->length + 1 /* padding */;
-
-	len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
-	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
-    } else {
-	datalen = input_message_buffer->length;
+    datalen = input_message_buffer->length;
 
+    if (IS_DCE_STYLE(context_handle)) {
 	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
 	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
 	total_len += datalen;
+    } else {
+	datalen += 1; /* padding */
+	len = datalen + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
+	_gssapi_encap_length(len, &len, &total_len, GSS_KRB5_MECHANISM);
     }
 
     output_message_buffer->length = total_len;
@@ -418,9 +417,8 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
     p = p0 + GSS_ARCFOUR_WRAP_TOKEN_SIZE;
     memcpy(p, input_message_buffer->value, input_message_buffer->length);
 
-    if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
-	p[input_message_buffer->length] = 1; /* PADDING */
-    }
+    if (!IS_DCE_STYLE(context_handle))
+	p[input_message_buffer->length] = 1; /* padding */
 
     ret = arcfour_mic_cksum(key, KRB5_KU_USAGE_SEAL,
 			    p0 + 16, 8, /* SGN_CKSUM */ 
@@ -518,13 +516,13 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
 
     p0 = input_message_buffer->value;
 
-    if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
-	len = input_message_buffer->length;
-    } else {
+    if (IS_DCE_STYLE(context_handle)) {
 	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE + 
 	    GSS_ARCFOUR_WRAP_TOKEN_DCE_DER_HEADER_SIZE;
 	if (input_message_buffer->length < len)
 	    return GSS_S_BAD_MECH;
+    } else {
+	len = input_message_buffer->length;
     }
 
     omret = _gssapi_verify_mech_header(&p0,
@@ -635,7 +633,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
     }
     memset(k6_data, 0, sizeof(k6_data));
 
-    if ((context_handle->flags & GSS_C_DCE_STYLE) == 0) {
+    if (!IS_DCE_STYLE(context_handle)) {
 	ret = _gssapi_verify_pad(output_message_buffer, datalen, &padlen);
 	if (ret) {
 	    _gsskrb5_release_buffer(minor_status, output_message_buffer);
@@ -688,7 +686,7 @@ max_wrap_length_arcfour(const gsskrb5_ctx ctx,
      *  - we only need to encapsulate the WRAP token
      * However, since this is a fixed since, we just 
      */
-    if (ctx->flags & GSS_C_DCE_STYLE) {
+    if (IS_DCE_STYLE(ctx)) {
 	size_t len, total_len;
 
 	len = GSS_ARCFOUR_WRAP_TOKEN_SIZE;
diff --git a/source4/heimdal/lib/gssapi/krb5/external.c b/source4/heimdal/lib/gssapi/krb5/external.c
index 7419bc2fe8..ece03ddf57 100644
--- a/source4/heimdal/lib/gssapi/krb5/external.c
+++ b/source4/heimdal/lib/gssapi/krb5/external.c
@@ -34,7 +34,7 @@
 #include "krb5/gsskrb5_locl.h"
 #include <gssapi_mech.h>
 
-RCSID("$Id: external.c,v 1.18 2006/10/20 21:50:24 lha Exp $");
+RCSID("$Id: external.c,v 1.21 2006/11/07 21:05:03 lha Exp $");
 
 /*
  * The implementation must reserve static storage for a
@@ -340,12 +340,18 @@ static gss_OID_desc gss_krb5_get_authtime_x_desc =
 
 gss_OID GSS_KRB5_GET_AUTHTIME_X = &gss_krb5_get_authtime_x_desc;
 
-/* 1.2.752.43.13.14 */
+/* 1.2.752.43.13.13 */
 static gss_OID_desc gss_krb5_get_service_keyblock_x_desc =
 {6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d")};
 
 gss_OID GSS_KRB5_GET_SERVICE_KEYBLOCK_X = &gss_krb5_get_service_keyblock_x_desc;
 
+/* 1.2.752.43.13.14 */
+static gss_OID_desc gss_krb5_set_allowable_enctypes_x_desc =
+{6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e")};
+
+gss_OID GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X = &gss_krb5_set_allowable_enctypes_x_desc;
+
 /* 1.2.752.43.14.1 */
 static gss_OID_desc gss_sasl_digest_md5_mechanism_desc =
 {6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
diff --git a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
index 4d814032c3..ea7a561b5b 100644
--- a/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
+++ b/source4/heimdal/lib/gssapi/krb5/gsskrb5_locl.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: gsskrb5_locl.h,v 1.6 2006/10/07 22:14:49 lha Exp $ */
+/* $Id: gsskrb5_locl.h,v 1.7 2006/11/07 17:57:43 lha Exp $ */
 
 #ifndef GSSKRB5_LOCL_H
 #define GSSKRB5_LOCL_H
@@ -56,6 +56,7 @@ struct gss_msg_order;
 typedef struct {
   struct krb5_auth_context_data *auth_context;
   krb5_principal source, target;
+#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
   OM_uint32 flags;
   enum { LOCAL = 1, OPEN = 2, 
 	 COMPAT_OLD_DES3 = 4,
diff --git a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
index 00f2543833..7a97b6262c 100644
--- a/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/init_sec_context.c
@@ -33,7 +33,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: init_sec_context.c,v 1.72 2006/10/24 23:03:19 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.73 2006/11/07 17:40:01 lha Exp $");
 
 /*
  * copy the addresses from `input_chan_bindings' (if any) to
@@ -549,18 +549,18 @@ failure:
 
 static OM_uint32
 repl_mutual
-           (OM_uint32 * minor_status,
-	    gsskrb5_ctx ctx,
-            const gss_OID mech_type,
-            OM_uint32 req_flags,
-            OM_uint32 time_req,
-            const gss_channel_bindings_t input_chan_bindings,
-            const gss_buffer_t input_token,
-            gss_OID * actual_mech_type,
-            gss_buffer_t output_token,
-            OM_uint32 * ret_flags,
-            OM_uint32 * time_rec
-           )
+(OM_uint32 * minor_status,
+ gsskrb5_ctx ctx,
+ const gss_OID mech_type,
+ OM_uint32 req_flags,
+ OM_uint32 time_req,
+ const gss_channel_bindings_t input_chan_bindings,
+ const gss_buffer_t input_token,
+ gss_OID * actual_mech_type,
+ gss_buffer_t output_token,
+ OM_uint32 * ret_flags,
+ OM_uint32 * time_rec
+    )
 {
     OM_uint32 ret;
     krb5_error_code kret;
@@ -574,7 +574,7 @@ repl_mutual
     if (actual_mech_type)
 	*actual_mech_type = GSS_KRB5_MECHANISM;
 
-    if (req_flags & GSS_C_DCE_STYLE) {
+    if (ctx->flags & GSS_C_DCE_STYLE) {
 	/* There is no OID wrapping. */
 	indata.length	= input_token->length;
 	indata.data	= input_token->value;
@@ -619,8 +619,8 @@ repl_mutual
     *minor_status = 0;
     if (time_rec) {
 	ret = _gsskrb5_lifetime_left(minor_status,
-				   ctx->lifetime,
-				   time_rec);
+				     ctx->lifetime,
+				     time_rec);
     } else {
 	ret = GSS_S_COMPLETE;
     }
diff --git a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
index 0b46cc5495..ee4210d74a 100644
--- a/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
+++ b/source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
@@ -32,7 +32,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: inquire_sec_context_by_oid.c,v 1.8 2006/10/24 15:55:28 lha Exp $");
+RCSID("$Id: inquire_sec_context_by_oid.c,v 1.11 2006/11/07 14:34:35 lha Exp $");
 
 static int
 oid_prefix_equal(gss_OID oid_enc, gss_OID prefix_enc, unsigned *suffix)
@@ -149,6 +149,11 @@ static OM_uint32 inquire_sec_context_get_subkey
     HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
     if (ret) 
 	goto out;
+    if (key == NULL) {
+	_gsskrb5_set_status("have no subkey of type %d", keytype);
+	ret = EINVAL;
+	goto out;
+    }
 
     ret = krb5_store_keyblock(sp, *key);
     krb5_free_keyblock (_gsskrb5_context, key);
@@ -400,6 +405,7 @@ get_authtime(OM_uint32 *minor_status,
 
 {
     gss_buffer_desc value;
+    unsigned char buf[4];
     OM_uint32 authtime;
 
     HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
@@ -414,14 +420,9 @@ get_authtime(OM_uint32 *minor_status,
     
     HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 
-    value.length = 4;
-    value.value = malloc(value.length);
-    if (!value.value) {
-	_gsskrb5_clear_status();
-	*minor_status = ENOMEM;
-	return GSS_S_FAILURE;
-    }
-    _gsskrb5_encode_om_uint32(authtime, value.value);
+    _gsskrb5_encode_om_uint32(authtime, buf);
+    value.length = sizeof(buf);
+    value.value = buf;
 
     return gss_add_buffer_set_member(minor_status,
 				     &value,
diff --git a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
index 67f5e8e722..fb098679b2 100644
--- a/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
+++ b/source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
@@ -36,7 +36,7 @@
 
 #include "krb5/gsskrb5_locl.h"
 
-RCSID("$Id: set_sec_context_option.c,v 1.6 2006/10/20 18:58:22 lha Exp $");
+RCSID("$Id: set_sec_context_option.c,v 1.7 2006/11/04 03:01:14 lha Exp $");
 
 static OM_uint32
 get_bool(OM_uint32 *minor_status,
diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c
index 8514137999..ebbc975b8a 100644
--- a/source4/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/wrap.c
@@ -103,7 +103,6 @@ _gsskrb5i_get_token_key(const gsskrb5_ctx ctx, krb5_keyblock **key)
 	_gsskrb5_set_status("No token key available");
 	return GSS_KRB5_S_KG_NO_SUBKEY;
     }
-    _gsskrb5_clear_status();
     return 0;
 }
 
diff --git a/source4/heimdal/lib/gssapi/mech/gss_krb5.c b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
index c6ea3cecb7..fd66fb04f5 100644
--- a/source4/heimdal/lib/gssapi/mech/gss_krb5.c
+++ b/source4/heimdal/lib/gssapi/mech/gss_krb5.c
@@ -27,12 +27,11 @@
  */
 
 #include "mech_locl.h"
-#include "krb5/gsskrb5_locl.h"
-RCSID("$Id: gss_krb5.c,v 1.13 2006/10/20 22:05:02 lha Exp $");
+RCSID("$Id: gss_krb5.c,v 1.16 2006/11/07 14:41:35 lha Exp $");
 
 #include <krb5.h>
 #include <roken.h>
-
+#include "krb5/gsskrb5_locl.h"
 
 OM_uint32
 gss_krb5_copy_ccache(OM_uint32 *minor_status,
@@ -264,7 +263,10 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
     krb5_storage *sp = NULL;
     uint32_t num;
 
-    if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT || version != 1) {
+    if (context_handle == NULL
+	|| *context_handle == GSS_C_NO_CONTEXT
+	|| version != 1)
+    {
 	ret = EINVAL;
 	return GSS_S_FAILURE;
     }
@@ -509,9 +511,8 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
 {
     gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
     OM_uint32 maj_stat;
-    gss_OID_desc authz_oid_flat;
-    heim_oid authz_oid;
-    heim_oid new_authz_oid;
+    gss_OID_desc oid_flat;
+    heim_oid baseoid, oid;
     size_t size;
 
     if (context_handle == GSS_C_NO_CONTEXT) {
@@ -523,57 +524,55 @@ gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
 
     if (der_get_oid(GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->elements,
 		    GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X->length,
-		    &authz_oid, NULL) != 0) {
+		    &baseoid, NULL) != 0) {
 	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
     }
     
-    new_authz_oid.length = authz_oid.length + 1;
-    new_authz_oid.components = malloc(new_authz_oid.length * sizeof(*new_authz_oid.components));
-    if (!new_authz_oid.components) {
-	free(authz_oid.components);
+    oid.length = baseoid.length + 1;
+    oid.components = calloc(oid.length, sizeof(*oid.components));
+    if (oid.components == NULL) {
+	der_free_oid(&baseoid);
 
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
 
-    memcpy(new_authz_oid.components, authz_oid.components, 
-	   authz_oid.length * sizeof(*authz_oid.components));
+    memcpy(oid.components, baseoid.components, 
+	   baseoid.length * sizeof(*baseoid.components));
     
-    free(authz_oid.components);
+    der_free_oid(&baseoid);
 
-    new_authz_oid.components[new_authz_oid.length - 1] = ad_type;
-
-    authz_oid_flat.length = der_length_oid(&new_authz_oid);
-    authz_oid_flat.elements = malloc(authz_oid_flat.length);
-
-    if (!authz_oid_flat.elements) {
-	free(new_authz_oid.components);
+    oid.components[oid.length - 1] = ad_type;
 
+    oid_flat.length = der_length_oid(&oid);
+    oid_flat.elements = malloc(oid_flat.length);
+    if (oid_flat.elements == NULL) {
+	free(oid.components);
 	*minor_status = ENOMEM;
 	return GSS_S_FAILURE;
     }
 
-    if (der_put_oid((unsigned char *)authz_oid_flat.elements + authz_oid_flat.length - 1, 
-		    authz_oid_flat.length,
-		    &new_authz_oid, &size) != 0) {
-	free(new_authz_oid.components);
+    if (der_put_oid((unsigned char *)oid_flat.elements + oid_flat.length - 1, 
+		    oid_flat.length, &oid, &size) != 0) {
+	free(oid.components);
 
 	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
     }
+    if (oid_flat.length != size)
+	abort();
 
-    free(new_authz_oid.components);
+    free(oid.components);
 
     /* FINALLY, we have the OID */
 
-    maj_stat =
-	gss_inquire_sec_context_by_oid (minor_status,
-					context_handle,
-					&authz_oid_flat,
-					&data_set);
+    maj_stat = gss_inquire_sec_context_by_oid (minor_status,
+					       context_handle,
+					       &oid_flat,
+					       &data_set);
 
-    free(authz_oid_flat.elements);
+    free(oid_flat.elements);
 
     if (maj_stat)
 	return maj_stat;
@@ -608,20 +607,20 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
     krb5_error_code ret;
     gss_buffer_set_t data_set = GSS_C_NO_BUFFER_SET;
     OM_uint32 major_status;
+    krb5_context context = NULL;
     krb5_storage *sp = NULL;
 
-    ret = _gsskrb5_init();
+    if (context_handle == GSS_C_NO_CONTEXT) {
+	ret = EINVAL;
+	return GSS_S_FAILURE;
+    }
+    
+    ret = krb5_init_context(&context);
     if(ret) {
 	*minor_status = ret;
 	return GSS_S_FAILURE;
     }
 
-    if (context_handle == GSS_C_NO_CONTEXT) {
-	_gsskrb5_set_status("no context handle");
-	*minor_status = EINVAL;
-	return GSS_S_FAILURE;
-    }
-    
     major_status =
 	gss_inquire_sec_context_by_oid (minor_status,
 					context_handle,
@@ -630,15 +629,7 @@ gsskrb5_extract_key(OM_uint32 *minor_status,
     if (major_status)
 	return major_status;
     
-    if (data_set == GSS_C_NO_BUFFER_SET) {
-	_gsskrb5_set_status("no buffers returned");
-	gss_release_buffer_set(minor_status, &data_set);
-	*minor_status = EINVAL;
-	return GSS_S_FAILURE;
-    }
-
-    if (data_set->count != 1) {
-	_gsskrb5_set_status("%d != 1 buffers returned", data_set->count);
+    if (data_set == GSS_C_NO_BUFFER_SET || data_set->count != 1) {
 	gss_release_buffer_set(minor_status, &data_set);
 	*minor_status = EINVAL;
 	return GSS_S_FAILURE;
@@ -663,16 +654,17 @@ out:
     gss_release_buffer_set(minor_status, &data_set);
     if (sp)
 	krb5_storage_free(sp);
-    if (ret) {
-	_gsskrb5_set_error_string();
-	if (keyblock) {
-	    krb5_free_keyblock(_gsskrb5_context, *keyblock);
-	}
+    if (ret && keyblock) {
+	krb5_free_keyblock(context, *keyblock);
+	*keyblock = NULL;
+    }
+    if (context)
+	krb5_free_context(context);
 
-	*minor_status = ret;
+    *minor_status = ret;
+    if (ret)
 	return GSS_S_FAILURE;
-    }
-    *minor_status = 0;
+
     return GSS_S_COMPLETE;
 }
 
@@ -705,6 +697,6 @@ gsskrb5_get_subkey(OM_uint32 *minor_status,
 {
     return gsskrb5_extract_key(minor_status,
 			       context_handle,
-			       GSS_KRB5_GET_ACCEPTOR_SUBKEY_X,
+			       GSS_KRB5_GET_SUBKEY_X,
 			       keyblock);
 }
diff --git a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
index 571bce5569..255e07d056 100644
--- a/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
+++ b/source4/heimdal/lib/gssapi/spnego/spnego_locl.h
@@ -30,7 +30,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: spnego_locl.h,v 1.11 2006/10/12 06:28:06 lha Exp $ */
+/* $Id: spnego_locl.h,v 1.12 2006/11/07 19:53:40 lha Exp $ */
 
 #ifndef SPNEGO_LOCL_H
 #define SPNEGO_LOCL_H
@@ -69,6 +69,8 @@
 #include "spnego_asn1.h"
 #include <der.h>
 
+#include <roken.h>
+
 #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
 
 typedef struct {
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index f7b3ffbf9e..a25bb80786 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -34,7 +34,7 @@
 #include "krb5_locl.h"
 #include <com_err.h>
 
-RCSID("$Id: context.c,v 1.108 2006/10/20 22:26:10 lha Exp $");
+RCSID("$Id: context.c,v 1.110 2006/11/04 03:27:47 lha Exp $");
 
 #define INIT_FIELD(C, T, E, D, F)					\
     (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
@@ -181,7 +181,7 @@ init_context_from_config_file(krb5_context context)
     INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup");
     INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc");
     INIT_FIELD(context, int, large_msg_size, 6000, "large_message_size");
-    INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonize_hostname");
+    INIT_FIELD(context, bool, dns_canonicalize_hostname, TRUE, "dns_canonicalize_hostname");
     context->default_cc_name = NULL;
     return 0;
 }
@@ -691,7 +691,7 @@ krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
 }
 
 krb5_boolean KRB5_LIB_FUNCTION
-krb5_get_dns_canonize_hostname (krb5_context context)
+krb5_get_dns_canonicalize_hostname (krb5_context context)
 {
     return context->dns_canonicalize_hostname;
 }
@@ -705,3 +705,15 @@ krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
 	*usec = context->kdc_usec_offset;
     return 0;
 }
+
+time_t KRB5_LIB_FUNCTION
+krb5_get_time_wrap (krb5_context context)
+{
+    return context->max_skew;
+}
+
+void KRB5_LIB_FUNCTION
+krb5_set_time_wrap (krb5_context context, time_t t)
+{
+    context->max_skew = t;
+}
diff --git a/source4/heimdal/lib/krb5/expand_hostname.c b/source4/heimdal/lib/krb5/expand_hostname.c
index 4d0692bcfa..46e784f561 100644
--- a/source4/heimdal/lib/krb5/expand_hostname.c
+++ b/source4/heimdal/lib/krb5/expand_hostname.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: expand_hostname.c,v 1.13 2006/10/17 09:16:32 lha Exp $");
+RCSID("$Id: expand_hostname.c,v 1.14 2006/11/04 03:34:57 lha Exp $");
 
 static krb5_error_code
 copy_hostname(krb5_context context,
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 968b6079b7..0bf184a530 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -399,6 +399,11 @@ _krb5_put_int (
 	size_t /*size*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
+_krb5_rd_req_out_ctx_alloc (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx */*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
 _krb5_s4u2self_to_checksumdata (
 	krb5_context /*context*/,
 	const PA_S4U2Self */*self*/,
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 2010e25f5a..104f10bdf2 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -1866,7 +1866,7 @@ krb5_get_default_realms (
 	krb5_realm **/*realms*/);
 
 krb5_boolean KRB5_LIB_FUNCTION
-krb5_get_dns_canonize_hostname (krb5_context /*context*/);
+krb5_get_dns_canonicalize_hostname (krb5_context /*context*/);
 
 const char* KRB5_LIB_FUNCTION
 krb5_get_err_text (
@@ -2177,6 +2177,9 @@ krb5_get_server_rcache (
 	const krb5_data */*piece*/,
 	krb5_rcache */*id*/);
 
+time_t KRB5_LIB_FUNCTION
+krb5_get_time_wrap (krb5_context /*context*/);
+
 krb5_boolean KRB5_LIB_FUNCTION
 krb5_get_use_admin_kdc (krb5_context /*context*/);
 
@@ -2865,15 +2868,58 @@ krb5_rd_req (
 	krb5_ticket **/*ticket*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_return_keyblock (
+krb5_rd_req_ctx (
 	krb5_context /*context*/,
 	krb5_auth_context */*auth_context*/,
 	const krb5_data */*inbuf*/,
 	krb5_const_principal /*server*/,
-	krb5_keytab /*keytab*/,
-	krb5_flags */*ap_req_options*/,
-	krb5_ticket **/*ticket*/,
-	krb5_keyblock **/*return_keyblock*/);
+	krb5_rd_req_in_ctx /*inctx*/,
+	krb5_rd_req_out_ctx */*outctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_alloc (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx */*ctx*/);
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_free (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keyblock (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*in*/,
+	krb5_keyblock */*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keytab (
+	krb5_context /*context*/,
+	krb5_rd_req_in_ctx /*in*/,
+	krb5_keytab /*keytab*/);
+
+void KRB5_LIB_FUNCTION
+krb5_rd_req_out_ctx_free (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*ctx*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ap_req_options (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*out*/,
+	krb5_flags */*ap_req_options*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_keyblock (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*out*/,
+	krb5_keyblock **/*keyblock*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ticket (
+	krb5_context /*context*/,
+	krb5_rd_req_out_ctx /*out*/,
+	krb5_ticket **/*ticket*/);
 
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req_with_keyblock (
@@ -3152,6 +3198,11 @@ krb5_set_send_to_kdc_func (
 	void */*data*/);
 
 void KRB5_LIB_FUNCTION
+krb5_set_time_wrap (
+	krb5_context /*context*/,
+	time_t /*t*/);
+
+void KRB5_LIB_FUNCTION
 krb5_set_use_admin_kdc (
 	krb5_context /*context*/,
 	krb5_boolean /*flag*/);
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 4b5058094b..f5c8b069de 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
  * SUCH DAMAGE. 
  */
 
-/* $Id: krb5.h,v 1.253 2006/10/20 18:12:06 lha Exp $ */
+/* $Id: krb5.h,v 1.254 2006/11/07 00:17:42 lha Exp $ */
 
 #ifndef __KRB5_H__
 #define __KRB5_H__
@@ -78,6 +78,9 @@ typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt;
 struct krb5_digest;
 typedef struct krb5_digest *krb5_digest;
 
+typedef struct krb5_rd_req_in_ctx *krb5_rd_req_in_ctx;
+typedef struct krb5_rd_req_out_ctx *krb5_rd_req_out_ctx;
+
 typedef CKSUMTYPE krb5_cksumtype;
 
 typedef Checksum krb5_checksum;
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index c424a73a34..3352334f65 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -33,7 +33,7 @@
 
 #include <krb5_locl.h>
 
-RCSID("$Id: rd_req.c,v 1.66 2006/10/06 17:04:29 lha Exp $");
+RCSID("$Id: rd_req.c,v 1.68 2006/11/07 17:11:31 lha Exp $");
 
 static krb5_error_code
 decrypt_tkt_enc_part (krb5_context context,
@@ -506,6 +506,151 @@ krb5_verify_ap_req2(krb5_context context,
     return ret;
 }
 		   
+/*
+ *
+ */
+
+struct krb5_rd_req_in_ctx {
+    krb5_keytab keytab;
+    krb5_keyblock *keyblock;
+};
+
+struct krb5_rd_req_out_ctx {
+    krb5_keyblock *keyblock;
+    krb5_flags ap_req_options;
+    krb5_ticket *ticket;
+};
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
+{
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keytab(krb5_context context, 
+			  krb5_rd_req_in_ctx in,
+			  krb5_keytab keytab)
+{
+    in->keytab = keytab; /* XXX should make copy */
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_in_set_keyblock(krb5_context context, 
+			    krb5_rd_req_in_ctx in,
+			    krb5_keyblock *keyblock)
+{
+    in->keyblock = keyblock; /* XXX should make copy */
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ap_req_options(krb5_context context, 
+				   krb5_rd_req_out_ctx out,
+				   krb5_flags *ap_req_options)
+{
+    *ap_req_options = out->ap_req_options;
+    return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_ticket(krb5_context context, 
+			    krb5_rd_req_out_ctx out,
+			    krb5_ticket **ticket)
+{
+    return krb5_copy_ticket(context, out->ticket, ticket);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req_out_get_keyblock(krb5_context context, 
+			    krb5_rd_req_out_ctx out,
+			    krb5_keyblock **keyblock)
+{
+    return krb5_copy_keyblock(context, out->keyblock, keyblock);
+}
+
+void  KRB5_LIB_FUNCTION
+krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx)
+{
+    free(ctx);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+_krb5_rd_req_out_ctx_alloc(krb5_context context, krb5_rd_req_out_ctx *ctx)
+{
+    *ctx = calloc(1, sizeof(**ctx));
+    if (*ctx == NULL) {
+	krb5_set_error_string(context, "out of memory");
+	return ENOMEM;
+    }
+    return 0;
+}
+
+void  KRB5_LIB_FUNCTION
+krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx)
+{
+    krb5_free_keyblock(context, ctx->keyblock);
+    free(ctx);
+}
+
+/*
+ *
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_rd_req(krb5_context context,
+	    krb5_auth_context *auth_context,
+	    const krb5_data *inbuf,
+	    krb5_const_principal server,
+	    krb5_keytab keytab,
+	    krb5_flags *ap_req_options,
+	    krb5_ticket **ticket)
+{
+    krb5_error_code ret;
+    krb5_rd_req_in_ctx in;
+    krb5_rd_req_out_ctx out;
+
+    ret = krb5_rd_req_in_ctx_alloc(context, &in);
+    if (ret)
+	return ret;
+    
+    ret = krb5_rd_req_in_set_keytab(context, in, keytab);
+    if (ret) {
+	krb5_rd_req_in_ctx_free(context, in);
+	return ret;
+    }
+
+    ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out);
+    krb5_rd_req_in_ctx_free(context, in);
+    if (ret)
+	return ret;
+
+    if (ap_req_options)
+	*ap_req_options = out->ap_req_options;
+    if (ticket) {
+	ret = krb5_copy_ticket(context, out->ticket, ticket);
+	if (ret)
+	    goto out;
+    }
+
+out:
+    krb5_rd_req_out_ctx_free(context, out);
+    return ret;
+}
+
+/*
+ *
+ */
 
 krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req_with_keyblock(krb5_context context,
@@ -517,31 +662,41 @@ krb5_rd_req_with_keyblock(krb5_context context,
 			  krb5_ticket **ticket)
 {
     krb5_error_code ret;
-    krb5_ap_req ap_req;
+    krb5_rd_req_in_ctx in;
+    krb5_rd_req_out_ctx out;
 
-    if (*auth_context == NULL) {
-	ret = krb5_auth_con_init(context, auth_context);
-	if (ret)
-	    return ret;
+    ret = krb5_rd_req_in_ctx_alloc(context, &in);
+    if (ret)
+	return ret;
+    
+    ret = krb5_rd_req_in_set_keyblock(context, in, keyblock);
+    if (ret) {
+	krb5_rd_req_in_ctx_free(context, in);
+	return ret;
     }
 
-    ret = krb5_decode_ap_req(context, inbuf, &ap_req);
-    if(ret)
+    ret = krb5_rd_req_ctx(context, auth_context, inbuf, server, in, &out);
+    krb5_rd_req_in_ctx_free(context, in);
+    if (ret)
 	return ret;
 
-    ret = krb5_verify_ap_req(context,
-			     auth_context,
-			     &ap_req,
-			     server,
-			     keyblock,
-			     0,
-			     ap_req_options,
-			     ticket);
+    if (ap_req_options)
+	*ap_req_options = out->ap_req_options;
+    if (ticket) {
+	ret = krb5_copy_ticket(context, out->ticket, ticket);
+	if (ret)
+	    goto out;
+    }
 
-    free_AP_REQ(&ap_req);
+out:
+    krb5_rd_req_out_ctx_free(context, out);
     return ret;
 }
 
+/*
+ *
+ */
+
 static krb5_error_code
 get_key_from_keytab(krb5_context context,
 		    krb5_auth_context *auth_context,
@@ -582,39 +737,44 @@ out:
     return ret;
 }
 
+/*
+ *
+ */
+
 krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req_return_keyblock(krb5_context context,
-			    krb5_auth_context *auth_context,
-			    const krb5_data *inbuf,
-			    krb5_const_principal server,
-			    krb5_keytab keytab,
-			    krb5_flags *ap_req_options,
-			    krb5_ticket **ticket, 
-			    krb5_keyblock **return_keyblock)
+krb5_rd_req_ctx(krb5_context context,
+		krb5_auth_context *auth_context,
+		const krb5_data *inbuf,
+		krb5_const_principal server,
+		krb5_rd_req_in_ctx inctx,
+		krb5_rd_req_out_ctx *outctx)
 {
     krb5_error_code ret;
     krb5_ap_req ap_req;
-    krb5_keyblock *keyblock = NULL;
     krb5_principal service = NULL;
+    krb5_rd_req_out_ctx o = NULL;
 
-    if (return_keyblock)
-	*return_keyblock = NULL;
+    ret = _krb5_rd_req_out_ctx_alloc(context, &o);
+    if (ret)
+	goto out;
 
     if (*auth_context == NULL) {
 	ret = krb5_auth_con_init(context, auth_context);
 	if (ret)
-	    return ret;
+	    goto out;
     }
 
     ret = krb5_decode_ap_req(context, inbuf, &ap_req);
     if(ret)
-	return ret;
+	goto out;
 
     if(server == NULL){
-	_krb5_principalname2krb5_principal(context,
-					   &service,
-					   ap_req.ticket.sname,
-					   ap_req.ticket.realm);
+	ret = _krb5_principalname2krb5_principal(context,
+						 &service,
+						 ap_req.ticket.sname,
+						 ap_req.ticket.realm);
+	if (ret)
+	    goto out;
 	server = service;
     }
     if (ap_req.ap_options.use_session_key &&
@@ -625,61 +785,51 @@ krb5_rd_req_return_keyblock(krb5_context context,
 	goto out;
     }
 
-    if((*auth_context)->keyblock == NULL){
+    if((*auth_context)->keyblock){
+	ret = krb5_copy_keyblock(context,
+				 (*auth_context)->keyblock,
+				 &o->keyblock);
+	if (ret)
+	    goto out;
+    } else if(inctx->keyblock){
+	ret = krb5_copy_keyblock(context,
+				 inctx->keyblock,
+				 &o->keyblock);
+	if (ret)
+	    goto out;
+    } else {
+	krb5_keytab keytab = NULL;
+
+	if (inctx && inctx->keytab)
+	    keytab = inctx->keytab;
+
 	ret = get_key_from_keytab(context, 
 				  auth_context, 
 				  &ap_req,
 				  server,
 				  keytab,
-				  &keyblock);
+				  &o->keyblock);
 	if(ret)
 	    goto out;
-    } else {
-	ret = krb5_copy_keyblock(context,
-				 (*auth_context)->keyblock,
-				 &keyblock);
-	if (ret)
-	    goto out;
     }
 
     ret = krb5_verify_ap_req(context,
 			     auth_context,
 			     &ap_req,
 			     server,
-			     keyblock,
+			     o->keyblock,
 			     0,
-			     ap_req_options,
-			     ticket);
-
-    if (ret == 0 && return_keyblock)
-	*return_keyblock = keyblock;
-    else
-        krb5_free_keyblock(context, keyblock);
+			     &o->ap_req_options,
+			     &o->ticket);
 
 out:
+    if (ret || outctx == NULL) {
+	krb5_rd_req_out_ctx_free(context, o);
+    } else 
+	*outctx = o;
+
     free_AP_REQ(&ap_req);
     if(service)
 	krb5_free_principal(context, service);
     return ret;
 }
-
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_rd_req(krb5_context context,
-	    krb5_auth_context *auth_context,
-	    const krb5_data *inbuf,
-	    krb5_const_principal server,
-	    krb5_keytab keytab,
-	    krb5_flags *ap_req_options,
-	    krb5_ticket **ticket)
-{
-    return krb5_rd_req_return_keyblock(context,
-				       auth_context,
-				       inbuf,
-				       server,
-				       keytab,
-				       ap_req_options,
-				       ticket,
-				       NULL);
-
-}
-