-rw-r--r--source4/heimdal/lib/gssapi/acquire_cred.c13
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_locl.h1
-rw-r--r--source4/heimdal/lib/gssapi/release_cred.c4
-rw-r--r--source4/heimdal/lib/hdb/db.c2
-rw-r--r--source4/heimdal/lib/hdb/hdb-protos.h362
-rw-r--r--source4/heimdal/lib/hdb/hdb.c30
-rw-r--r--source4/heimdal/lib/hdb/ndbm.c4
-rw-r--r--source4/heimdal/lib/krb5/cache.c5
-rw-r--r--source4/heimdal/lib/krb5/keytab_memory.c66
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h18
-rw-r--r--source4/heimdal/lib/krb5/krb5.h2
-rw-r--r--source4/heimdal/lib/krb5/rd_req.c23
12 files changed, 504 insertions, 26 deletions
diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c
index 44dbef3c48..fa5d709a30 100644
--- a/source4/heimdal/lib/gssapi/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/acquire_cred.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: acquire_cred.c,v 1.25 2005/11/02 08:56:25 lha Exp $");
+RCSID("$Id: acquire_cred.c,v 1.27 2005/12/01 16:26:02 lha Exp $");
OM_uint32
_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
@@ -245,6 +245,17 @@ static OM_uint32 acquire_acceptor_cred
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
+
+ /* check that the requested principal exists in the keytab */
+ if (handle->principal) {
+ krb5_keytab_entry entry;
+
+ kret = krb5_kt_get_entry(gssapi_krb5_context, handle->keytab,
+ handle->principal, 0, 0, &entry);
+ if (kret)
+ goto end;
+ krb5_kt_free_entry(gssapi_krb5_context, &entry);
+ }
ret = GSS_S_COMPLETE;
end:
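Review bot: The new lookup passes `gssapi_krb5_context` to `krb5_kt_get_entry` and `krb5_kt_free_entry` while the `get_keytab` call two lines above it passes `context`, so the block reads as if two different contexts were in play; unless `context` is something other than an alias of the global here, the added lines should use the same name, `kret = krb5_kt_get_entry(context, handle->keytab, handle->principal, 0, 0, &entry);` and `krb5_kt_free_entry(context, &entry);`. On failure the code jumps to `end:` with `kret` set but `ret` untouched, and whether `end:` turns that into `*minor_status` plus a failing GSS status is outside this hunk, so the caller-visible result of a missing principal should be confirmed there. A one-line comment on the intent would also help, e.g. `/* kvno 0 / enctype 0 match any key; we only need proof that the keytab can serve this principal */` (that is my reading of the keytab API, worth confirming). acquire_acceptor_cred begins and ends outside the hunk.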
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index b9bea7db2e..bd5d0db2b5 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -81,7 +81,6 @@ typedef struct gss_cred_id_t_desc_struct {
gss_name_t principal;
int cred_flags;
#define GSS_CF_DESTROY_CRED_ON_RELEASE 1
- krb5_boolean made_keytab;
struct krb5_keytab_data *keytab;
OM_uint32 lifetime;
gss_cred_usage_t usage;
diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c
index cca3dfe379..fc9fc3fc01 100644
--- a/source4/heimdal/lib/gssapi/release_cred.c
+++ b/source4/heimdal/lib/gssapi/release_cred.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -52,7 +52,7 @@ OM_uint32 gss_release_cred
if ((*cred_handle)->principal != NULL)
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
- if ((*cred_handle)->made_keytab)
+ if ((*cred_handle)->keytab != NULL)
krb5_kt_close(gssapi_krb5_context, (*cred_handle)->keytab);
if ((*cred_handle)->ccache != NULL) {
const krb5_cc_ops *ops;
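Review bot: Replacing the `made_keytab` test with `keytab != NULL` makes the credential handle the unconditional owner of its keytab, so any path that stores a keytab pointer it does not own in `keytab` would now be closed, and possibly closed twice, on release. Nothing in this hunk shows such a path, but the ownership rule is now only implied by this close; it should be stated on the field in gssapi_locl.h, e.g. `struct krb5_keytab_data *keytab; /* owned by the handle; closed by gss_release_cred */`. The enclosing gss_release_cred continues outside the hunk.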
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c
index b9f1ab47e1..4cc0218a5c 100644
--- a/source4/heimdal/lib/hdb/db.c
+++ b/source4/heimdal/lib/hdb/db.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h
index f7e0c54b7c..4b5b4d3ede 100644
--- a/source4/heimdal/lib/hdb/hdb-protos.h
+++ b/source4/heimdal/lib/hdb/hdb-protos.h
@@ -8,6 +8,317 @@
extern "C" {
#endif
+unsigned
+HDBFlags2int (HDBFlags /*f*/);
+
+int
+copy_Event (
+ const Event */*from*/,
+ Event */*to*/);
+
+int
+copy_GENERATION (
+ const GENERATION */*from*/,
+ GENERATION */*to*/);
+
+int
+copy_HDBFlags (
+ const HDBFlags */*from*/,
+ HDBFlags */*to*/);
+
+int
+copy_HDB_Ext_Aliases (
+ const HDB_Ext_Aliases */*from*/,
+ HDB_Ext_Aliases */*to*/);
+
+int
+copy_HDB_Ext_Constrained_delegation_acl (
+ const HDB_Ext_Constrained_delegation_acl */*from*/,
+ HDB_Ext_Constrained_delegation_acl */*to*/);
+
+int
+copy_HDB_Ext_Lan_Manager_OWF (
+ const HDB_Ext_Lan_Manager_OWF */*from*/,
+ HDB_Ext_Lan_Manager_OWF */*to*/);
+
+int
+copy_HDB_Ext_PKINIT_acl (
+ const HDB_Ext_PKINIT_acl */*from*/,
+ HDB_Ext_PKINIT_acl */*to*/);
+
+int
+copy_HDB_Ext_PKINIT_certificate (
+ const HDB_Ext_PKINIT_certificate */*from*/,
+ HDB_Ext_PKINIT_certificate */*to*/);
+
+int
+copy_HDB_Ext_Password (
+ const HDB_Ext_Password */*from*/,
+ HDB_Ext_Password */*to*/);
+
+int
+copy_HDB_extension (
+ const HDB_extension */*from*/,
+ HDB_extension */*to*/);
+
+int
+copy_HDB_extensions (
+ const HDB_extensions */*from*/,
+ HDB_extensions */*to*/);
+
+int
+copy_Key (
+ const Key */*from*/,
+ Key */*to*/);
+
+int
+copy_Salt (
+ const Salt */*from*/,
+ Salt */*to*/);
+
+int
+copy_hdb_entry (
+ const hdb_entry */*from*/,
+ hdb_entry */*to*/);
+
+int
+decode_Event (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ Event */*data*/,
+ size_t */*size*/);
+
+int
+decode_GENERATION (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ GENERATION */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDBFlags (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDBFlags */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_Ext_Aliases (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_Ext_Aliases */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_Ext_Constrained_delegation_acl (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_Ext_Constrained_delegation_acl */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_Ext_Lan_Manager_OWF (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_Ext_Lan_Manager_OWF */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_Ext_PKINIT_acl (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_Ext_PKINIT_acl */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_Ext_PKINIT_certificate (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_Ext_PKINIT_certificate */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_Ext_Password (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_Ext_Password */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_extension (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_extension */*data*/,
+ size_t */*size*/);
+
+int
+decode_HDB_extensions (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ HDB_extensions */*data*/,
+ size_t */*size*/);
+
+int
+decode_Key (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ Key */*data*/,
+ size_t */*size*/);
+
+int
+decode_Salt (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ Salt */*data*/,
+ size_t */*size*/);
+
+int
+decode_hdb_entry (
+ const unsigned char */*p*/,
+ size_t /*len*/,
+ hdb_entry */*data*/,
+ size_t */*size*/);
+
+int
+encode_Event (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const Event */*data*/,
+ size_t */*size*/);
+
+int
+encode_GENERATION (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const GENERATION */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDBFlags (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDBFlags */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_Ext_Aliases (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_Ext_Aliases */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_Ext_Constrained_delegation_acl (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_Ext_Constrained_delegation_acl */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_Ext_Lan_Manager_OWF (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_Ext_Lan_Manager_OWF */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_Ext_PKINIT_acl (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_Ext_PKINIT_acl */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_Ext_PKINIT_certificate (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_Ext_PKINIT_certificate */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_Ext_Password (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_Ext_Password */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_extension (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_extension */*data*/,
+ size_t */*size*/);
+
+int
+encode_HDB_extensions (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const HDB_extensions */*data*/,
+ size_t */*size*/);
+
+int
+encode_Key (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const Key */*data*/,
+ size_t */*size*/);
+
+int
+encode_Salt (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const Salt */*data*/,
+ size_t */*size*/);
+
+int
+encode_hdb_entry (
+ unsigned char */*p*/,
+ size_t /*len*/,
+ const hdb_entry */*data*/,
+ size_t */*size*/);
+
+void
+free_Event (Event */*data*/);
+
+void
+free_GENERATION (GENERATION */*data*/);
+
+void
+free_HDBFlags (HDBFlags */*data*/);
+
+void
+free_HDB_Ext_Aliases (HDB_Ext_Aliases */*data*/);
+
+void
+free_HDB_Ext_Constrained_delegation_acl (HDB_Ext_Constrained_delegation_acl */*data*/);
+
+void
+free_HDB_Ext_Lan_Manager_OWF (HDB_Ext_Lan_Manager_OWF */*data*/);
+
+void
+free_HDB_Ext_PKINIT_acl (HDB_Ext_PKINIT_acl */*data*/);
+
+void
+free_HDB_Ext_PKINIT_certificate (HDB_Ext_PKINIT_certificate */*data*/);
+
+void
+free_HDB_Ext_Password (HDB_Ext_Password */*data*/);
+
+void
+free_HDB_extension (HDB_extension */*data*/);
+
+void
+free_HDB_extensions (HDB_extensions */*data*/);
+
+void
+free_Key (Key */*data*/);
+
+void
+free_Salt (Salt */*data*/);
+
+void
+free_hdb_entry (hdb_entry */*data*/);
+
krb5_error_code
hdb_add_master_key (
krb5_context /*context*/,
@@ -302,6 +613,57 @@ hdb_write_master_key (
const char */*filename*/,
hdb_master_key /*mkey*/);
+void
+initialize_hdb_error_table (void);
+
+void
+initialize_hdb_error_table_r (struct et_list **/*list*/);
+
+HDBFlags
+int2HDBFlags (unsigned /*n*/);
+
+size_t
+length_Event (const Event */*data*/);
+
+size_t
+length_GENERATION (const GENERATION */*data*/);
+
+size_t
+length_HDBFlags (const HDBFlags */*data*/);
+
+size_t
+length_HDB_Ext_Aliases (const HDB_Ext_Aliases */*data*/);
+
+size_t
+length_HDB_Ext_Constrained_delegation_acl (const HDB_Ext_Constrained_delegation_acl */*data*/);
+
+size_t
+length_HDB_Ext_Lan_Manager_OWF (const HDB_Ext_Lan_Manager_OWF */*data*/);
+
+size_t
+length_HDB_Ext_PKINIT_acl (const HDB_Ext_PKINIT_acl */*data*/);
+
+size_t
+length_HDB_Ext_PKINIT_certificate (const HDB_Ext_PKINIT_certificate */*data*/);
+
+size_t
+length_HDB_Ext_Password (const HDB_Ext_Password */*data*/);
+
+size_t
+length_HDB_extension (const HDB_extension */*data*/);
+
+size_t
+length_HDB_extensions (const HDB_extensions */*data*/);
+
+size_t
+length_Key (const Key */*data*/);
+
+size_t
+length_Salt (const Salt */*data*/);
+
+size_t
+length_hdb_entry (const hdb_entry */*data*/);
+
#ifdef __cplusplus
}
#endif
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index e8161afbc1..df342ffadf 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -33,7 +33,7 @@
#include "hdb_locl.h"
-RCSID("$Id: hdb.c,v 1.56 2005/10/19 13:51:40 lha Exp $");
+RCSID("$Id: hdb.c,v 1.59 2005/11/30 12:22:09 lha Exp $");
#ifdef HAVE_DLFCN_H
#include <dlfcn.h>
@@ -53,16 +53,17 @@ static struct hdb_method methods[] = {
#endif
#if defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
{"ldap:", hdb_ldap_create},
+ {"ldapi:", hdb_ldapi_create},
#endif
+ {NULL, NULL}
+};
+
#if HAVE_DB1 || HAVE_DB3
- {"", hdb_db_create},
+static struct hdb_method dbmetod = {"", hdb_db_create };
#elif defined(HAVE_NDBM)
- {"", hdb_ndbm_create},
-#elif defined(OPENLDAP) && !defined(OPENLDAP_MODULE)
- {"", hdb_ldap_create},
+static struct hdb_method dbmetod = {"", hdb_ndbm_create };
#endif
- {NULL, NULL}
-};
+
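Review bot: The new `dbmetod` definition sits under the pre-existing `#if HAVE_DB1 || HAVE_DB3` / `#elif defined(HAVE_NDBM)`, but the code that references it in the find_method hunk further down uses a different test, `#if defined(HAVE_DB1) || defined(HAVE_DB3) || defined(HAVE_NDBM)`; a build that defines HAVE_DB1 or HAVE_DB3 to 0 without HAVE_NDBM satisfies the second and not the first and fails with an undeclared `dbmetod`. Use one form in both places, for instance `#if defined(HAVE_DB1) || defined(HAVE_DB3)` here. The identifier itself looks like a typo for `dbmethod`. Note also that the removed `{"", hdb_ldap_create}` fallback for OPENLDAP-only builds has no replacement, so those builds no longer have a default backend for unprefixed names; if that is intended it deserves a comment at the table.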
krb5_error_code
hdb_next_enctype2key(krb5_context context,
@@ -337,11 +338,22 @@ find_method (const char *filename, const char **rest)
{
const struct hdb_method *h;
- for (h = methods; h->prefix != NULL; ++h)
+ for (h = methods; h->prefix != NULL; ++h) {
if (strncmp (filename, h->prefix, strlen(h->prefix)) == 0) {
*rest = filename + strlen(h->prefix);
return h;
}
+ }
+#if defined(HAVE_DB1) || defined(HAVE_DB3) || defined(HAVE_NDBM)
+ if (strncmp(filename, "/", 1) == 0
+ || strncmp(filename, "./", 2) == 0
+ || strncmp(filename, "../", 3) == 0)
+ {
+ *rest = filename;
+ return &dbmetod;
+ }
+#endif
+
return NULL;
}
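Review bot: The fallback only recognises names beginning with `/`, `./` or `../`, whereas the removed empty-prefix entry matched every name, so a bare relative filename such as `heimdal` (constructed example) now gets NULL from find_method where it previously resolved to the default backend. If that is the intent, say so above the `#if`: `/* unprefixed names are treated as database files only when they look like paths; anything else is an unknown backend */`; if not, the fallback should keep a catch-all. The `strncmp(filename, "/", 1)` test is simply `filename[0] == '/'`, which reads more directly. What the caller does with a NULL result is outside this hunk.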
@@ -367,8 +379,6 @@ hdb_list_builtin(krb5_context context, char **list)
buf[0] = '\0';
for (h = methods; h->prefix != NULL; ++h) {
- if (h->prefix[0] == '\0')
- continue;
if (h != methods)
strlcat(buf, ", ", len);
strlcat(buf, h->prefix, len);
diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c
index dfd5bfa8f1..793d03829d 100644
--- a/source4/heimdal/lib/hdb/ndbm.c
+++ b/source4/heimdal/lib/hdb/ndbm.c
@@ -33,7 +33,7 @@
#include "hdb_locl.h"
-RCSID("$Id: ndbm.c,v 1.35 2005/06/23 13:37:57 lha Exp $");
+RCSID("$Id: ndbm.c,v 1.36 2005/11/28 23:31:36 lha Exp $");
#if HAVE_NDBM
@@ -333,7 +333,7 @@ krb5_error_code
hdb_ndbm_create(krb5_context context, HDB **db,
const char *filename)
{
- *db = malloc(sizeof(**db));
+ *db = calloc(1, sizeof(**db));
if (*db == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index 25dc2cb8c0..0c821cb11d 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $");
+RCSID("$Id: cache.c,v 1.76 2005/11/29 09:10:47 lha Exp $");
/*
* Add a new ccache type with operations `ops', overwriting any
@@ -701,6 +701,9 @@ krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
char *p, *p1;
int i;
+ if (prefix[0] == '/')
+ return &krb5_fcc_ops;
+
p = strdup(prefix);
if (p == NULL) {
krb5_set_error_string(context, "malloc - out of memory");
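Review bot: The early return for `prefix[0] == '/'` changes the resolution rule, an absolute path with no `TYPE:` prefix now selects the FILE cache, without saying so; add `/* an absolute path with no type prefix is a FILE ccache */` above the test so the rule is discoverable. It also dereferences `prefix` before the existing `strdup(prefix)` did, which is harmless only because a NULL prefix already crashed there; if NULL is meant to be rejected, that check belongs before this one. krb5_cc_get_prefix_ops continues outside the hunk.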
diff --git a/source4/heimdal/lib/krb5/keytab_memory.c b/source4/heimdal/lib/krb5/keytab_memory.c
index 1d866fa11e..afa8f433ac 100644
--- a/source4/heimdal/lib/krb5/keytab_memory.c
+++ b/source4/heimdal/lib/krb5/keytab_memory.c
@@ -33,26 +33,64 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab_memory.c,v 1.6 2005/05/18 04:44:40 lha Exp $");
+RCSID("$Id: keytab_memory.c,v 1.7 2005/12/01 12:40:22 lha Exp $");
/* memory operations -------------------------------------------- */
struct mkt_data {
krb5_keytab_entry *entries;
int num_entries;
+ char *name;
+ int refcount;
+ struct mkt_data *next;
};
+/* this mutex protects mkt_head, ->refcount, and ->next
+ * content is not protected (name is static and need no protection)
+ */
+static HEIMDAL_MUTEX mkt_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static struct mkt_data *mkt_head;
+
+
static krb5_error_code
mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
{
struct mkt_data *d;
- d = malloc(sizeof(*d));
+
+ HEIMDAL_MUTEX_lock(&mkt_mutex);
+
+ for (d = mkt_head; d != NULL; d = d->next)
+ if (strcmp(d->name, name) == 0)
+ break;
+ if (d) {
+ if (d->refcount < 1)
+ krb5_abortx(context, "Double close on memory keytab, "
+ "refcount < 1 %d", d->refcount);
+ d->refcount++;
+ id->data = d;
+ HEIMDAL_MUTEX_unlock(&mkt_mutex);
+ return 0;
+ }
+
+ d = calloc(1, sizeof(*d));
if(d == NULL) {
+ HEIMDAL_MUTEX_unlock(&mkt_mutex);
+ krb5_set_error_string (context, "malloc: out of memory");
+ return ENOMEM;
+ }
+ d->name = strdup(name);
+ if (d->name == NULL) {
+ HEIMDAL_MUTEX_unlock(&mkt_mutex);
+ free(d);
krb5_set_error_string (context, "malloc: out of memory");
return ENOMEM;
}
d->entries = NULL;
d->num_entries = 0;
+ d->refcount = 1;
+ d->next = mkt_head;
+ mkt_head = d;
+ HEIMDAL_MUTEX_unlock(&mkt_mutex);
id->data = d;
return 0;
}
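Review bot: The abort at the `d->refcount < 1` test in the lookup branch reports `"Double close on memory keytab, ..."`, but this is the resolve path: a listed node with a bad refcount means the list is corrupt, not that something was closed twice, so the message should say `"krb5 internal error, memory keytab refcount < 1 on resolve (%d)"`. The header comment on `mkt_mutex` claims `name is static and need no protection`, yet `name` is a `strdup` result that mkt_close frees; what actually makes it safe is that it is never modified between insertion and unlink, which is what the comment should state. The same comment leaves `entries` explicitly unprotected, so two handles resolved to the same name and used concurrently race on that array; a sentence on the struct saying the caller must serialise such use would make the contract explicit.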
@@ -60,8 +98,27 @@ mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
static krb5_error_code
mkt_close(krb5_context context, krb5_keytab id)
{
- struct mkt_data *d = id->data;
+ struct mkt_data *d = id->data, **dp;
int i;
+
+ HEIMDAL_MUTEX_lock(&mkt_mutex);
+ if (d->refcount < 1)
+ krb5_abortx(context,
+ "krb5 internal error, memory keytab refcount < 1 on close");
+
+ if (--d->refcount > 0) {
+ HEIMDAL_MUTEX_unlock(&mkt_mutex);
+ return 0;
+ }
+ for (dp = &mkt_head; *dp != NULL; dp = &(*dp)->next) {
+ if (*dp == d) {
+ *dp = d->next;
+ break;
+ }
+ }
+ HEIMDAL_MUTEX_unlock(&mkt_mutex);
+
+ free(d->name);
for(i = 0; i < d->num_entries; i++)
krb5_kt_free_entry(context, &d->entries[i]);
free(d->entries);
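Review bot: The frees after `HEIMDAL_MUTEX_unlock`, `free(d->name)` and the entry loop that continues past the hunk, are only safe because the node was unlinked from `mkt_head` while the lock was held, so no later mkt_resolve can find it; that ordering constraint is not written down. A comment before the unlock, `/* d is unlinked; nothing can find it any more, so tear it down without the lock */`, would stop a future reorder. The unlink loop silently does nothing when `d` is not on the list, which given the abort a few lines up for the refcount case looks inconsistent, though whether to abort there too is a judgement call.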
@@ -75,7 +132,8 @@ mkt_get_name(krb5_context context,
char *name,
size_t namesize)
{
- strlcpy(name, "", namesize);
+ struct mkt_data *d = id->data;
+ strlcpy(name, d->name, namesize);
return 0;
}
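Review bot: `strlcpy(name, d->name, namesize)` now copies a stored string of arbitrary length into the caller's buffer and discards the return value, so a name longer than `namesize` is silently truncated while the function still reports success. If the other keytab backends report truncation, this one should do the same, e.g. `if (strlcpy(name, d->name, namesize) >= namesize) return ERANGE;`; I cannot see those backends from this hunk, so match whatever convention they use.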
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index 33e35ca60e..301b8853e4 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -20,6 +20,24 @@ extern "C" {
#endif
#endif
+void
+initialize_heim_error_table (void);
+
+void
+initialize_heim_error_table_r (struct et_list **/*list*/);
+
+void
+initialize_k524_error_table (void);
+
+void
+initialize_k524_error_table_r (struct et_list **/*list*/);
+
+void
+initialize_krb5_error_table (void);
+
+void
+initialize_krb5_error_table_r (struct et_list **/*list*/);
+
krb5_error_code KRB5_LIB_FUNCTION
krb524_convert_creds_kdc (
krb5_context /*context*/,
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index fe9a0e5e7a..adee4708e6 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: krb5.h,v 1.239 2005/10/12 12:39:28 lha Exp $ */
+/* $Id: krb5.h,v 1.240 2005/11/30 15:20:32 lha Exp $ */
#ifndef __KRB5_H__
#define __KRB5_H__
diff --git a/source4/heimdal/lib/krb5/rd_req.c b/source4/heimdal/lib/krb5/rd_req.c
index 582b71db03..313c14f6e6 100644
--- a/source4/heimdal/lib/krb5/rd_req.c
+++ b/source4/heimdal/lib/krb5/rd_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001, 2003 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_req.c,v 1.58 2005/08/27 05:48:57 lha Exp $");
+RCSID("$Id: rd_req.c,v 1.61 2005/11/29 18:22:51 lha Exp $");
static krb5_error_code
decrypt_tkt_enc_part (krb5_context context,
@@ -136,7 +136,11 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
int num_realms;
krb5_error_code ret;
- /* Windows w2k and w2k3 uses this */
+ /*
+ * Windows 2000 and 2003 uses this inside their TGT so its normaly
+ * not seen by others, however, samba4 joined with a Windows AD as
+ * a Domain Controller gets exposed to this.
+ */
if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0)
return 0;
@@ -417,6 +421,19 @@ krb5_verify_ap_req2(krb5_context context,
goto out;
}
+ /* check timestamp in authenticator */
+ {
+ krb5_timestamp now;
+
+ krb5_timeofday (context, &now);
+
+ if (abs(ac->authenticator->ctime - now) > context->max_skew) {
+ ret = KRB5KRB_AP_ERR_SKEW;
+ krb5_clear_error_string (context);
+ goto out;
+ }
+ }
+
if (ac->authenticator->seq_number)
krb5_auth_con_setremoteseqnumber(context, ac,
*ac->authenticator->seq_number);
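Review bot: The skew test applies `abs()` to `ac->authenticator->ctime - now`; `abs` takes an `int`, so if `krb5_timestamp` is wider than `int` on the platform (a 64-bit `time_t`, for instance) the difference is narrowed before the comparison and a value that is a multiple of 2^32 away would compare as zero skew. Compute the magnitude in the timestamp's own type instead: `krb5_timestamp skew = ac->authenticator->ctime - now; if (skew < 0) skew = -skew; if (skew > context->max_skew) { ... }`. The return value of `krb5_timeofday` is also dropped; it is unlikely to fail, but the check is cheap. A comment naming the requirement would help readers, e.g. `/* RFC 4120 3.2.3: the authenticator's ctime must be within the allowed clock skew */`; krb5_verify_ap_req2 continues outside the hunk.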