Diffstat (limited to 'source4/heimdal')
-rw-r--r--source4/heimdal/kdc/kerberos5.c25
-rw-r--r--source4/heimdal/lib/gssapi/accept_sec_context.c106
-rw-r--r--source4/heimdal/lib/gssapi/acquire_cred.c50
-rw-r--r--source4/heimdal/lib/gssapi/arcfour.c8
-rw-r--r--source4/heimdal/lib/gssapi/copy_ccache.c123
-rw-r--r--source4/heimdal/lib/gssapi/gssapi.h21
-rw-r--r--source4/heimdal/lib/gssapi/gssapi_locl.h2
-rw-r--r--source4/heimdal/lib/gssapi/init_sec_context.c2
-rw-r--r--source4/heimdal/lib/gssapi/release_cred.c2
-rw-r--r--source4/heimdal/lib/hdb/db.c6
-rw-r--r--source4/heimdal/lib/hdb/hdb-protos.h4
-rw-r--r--source4/heimdal/lib/hdb/ndbm.c2
-rw-r--r--source4/heimdal/lib/krb5/cache.c37
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c22
-rw-r--r--source4/heimdal/lib/krb5/keytab.c36
-rw-r--r--source4/heimdal/lib/krb5/krb5-private.h17
-rw-r--r--source4/heimdal/lib/krb5/krb5-protos.h12
-rw-r--r--source4/heimdal/lib/krb5/rd_cred.c2
18 files changed, 258 insertions, 219 deletions
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 565c7478f9..6f6203a92c 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.177 2005/06/15 11:34:53 lha Exp $");
+RCSID("$Id: kerberos5.c,v 1.198 2005/11/28 20:33:57 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -666,8 +666,7 @@ _kdc_check_flags(krb5_context context,
starttime_str, sizeof(starttime_str), TRUE);
kdc_log(context, config, 0,
"Client not yet valid until %s -- %s",
- starttime_str,
- client_name);
+ starttime_str, client_name);
return KRB5KDC_ERR_CLIENT_NOTYET;
}
@@ -676,7 +675,8 @@ _kdc_check_flags(krb5_context context,
krb5_format_time(context, *client->valid_end,
endtime_str, sizeof(endtime_str), TRUE);
kdc_log(context, config, 0,
- "Client expired at %s -- %s", endtime_str, client_name);
+ "Client expired at %s -- %s",
+ endtime_str, client_name);
return KRB5KDC_ERR_NAME_EXP;
}
@@ -686,7 +686,8 @@ _kdc_check_flags(krb5_context context,
krb5_format_time(context, *client->pw_end,
pwend_str, sizeof(pwend_str), TRUE);
kdc_log(context, config, 0,
- "Client's key has expired at %s -- %s", pwend_str, client_name);
+ "Client's key has expired at %s -- %s",
+ pwend_str, client_name);
return KRB5KDC_ERR_KEY_EXPIRED;
}
}
@@ -717,7 +718,8 @@ _kdc_check_flags(krb5_context context,
krb5_format_time(context, *server->valid_start,
starttime_str, sizeof(starttime_str), TRUE);
kdc_log(context, config, 0,
- "Server not yet valid until %s -- %s", server_name);
+ "Server not yet valid until %s -- %s",
+ starttime_str, server_name);
return KRB5KDC_ERR_SERVICE_NOTYET;
}
@@ -1099,11 +1101,12 @@ _kdc_as_rep(krb5_context context,
pa->padata_value.data = NULL;
#endif
- /* RFC4120 requires:
- - If the client only knows about old enctypes, then send both info replies
- (we send 'info' first in the list).
- - If the client is 'modern', because it knows about 'new' enc types, then
- only send the 'info2' reply.
+ /*
+ * RFC4120 requires:
+ * - If the client only knows about old enctypes, then send
+ * both info replies (we send 'info' first in the list).
+ * - If the client is 'modern', because it knows about 'new'
+ * enctype types, then only send the 'info2' reply.
*/
/* XXX check ret */
if (only_older_enctype_p(req))
diff --git a/source4/heimdal/lib/gssapi/accept_sec_context.c b/source4/heimdal/lib/gssapi/accept_sec_context.c
index 5d43cdcb43..9ca60a6cdd 100644
--- a/source4/heimdal/lib/gssapi/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/accept_sec_context.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: accept_sec_context.c,v 1.53 2005/05/29 15:12:41 lha Exp $");
+RCSID("$Id: accept_sec_context.c,v 1.55 2005/11/25 15:57:35 lha Exp $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab gssapi_krb5_keytab;
@@ -125,66 +125,24 @@ gsskrb5_accept_delegated_token
krb5_principal principal = (*context_handle)->source;
krb5_ccache ccache = NULL;
krb5_error_code kret;
- int32_t ac_flags, ret;
- gss_cred_id_t handle = NULL;
+ int32_t ac_flags, ret = GSS_S_COMPLETE;
- if (delegated_cred_handle == NULL) {
- /* XXX Create a new delegated_cred_handle? */
-
- ret = 0;
+ *minor_status = 0;
+ /* XXX Create a new delegated_cred_handle? */
+ if (delegated_cred_handle == NULL)
kret = krb5_cc_default (gssapi_krb5_context, &ccache);
- if (kret) {
- *flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
- } else {
-
- *delegated_cred_handle = NULL;
-
- handle = calloc(1, sizeof(*handle));
- if (handle == NULL) {
- ret = GSS_S_FAILURE;
- *minor_status = ENOMEM;
- krb5_set_error_string(gssapi_krb5_context, "out of memory");
- gssapi_krb5_set_error_string();
- *flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
- if ((ret = gss_duplicate_name(minor_status, principal,
- &handle->principal)) != 0) {
- *flags &= ~GSS_C_DELEG_FLAG;
- ret = 0;
- goto end_fwd;
- }
- kret = krb5_cc_gen_new (gssapi_krb5_context,
- &krb5_mcc_ops,
- &handle->ccache);
- if (kret) {
- *flags &= ~GSS_C_DELEG_FLAG;
- ret = 0;
- goto end_fwd;
- }
- ccache = handle->ccache;
-
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret) {
- *flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret) {
- *flags &= ~GSS_C_DELEG_FLAG;
- goto end_fwd;
- }
+ else
+ kret = krb5_cc_gen_new (gssapi_krb5_context, &krb5_mcc_ops, &ccache);
+ if (kret) {
+ *flags &= ~GSS_C_DELEG_FLAG;
+ goto out;
}
kret = krb5_cc_initialize(gssapi_krb5_context, ccache, principal);
if (kret) {
*flags &= ~GSS_C_DELEG_FLAG;
- ret = 0;
- goto end_fwd;
+ goto out;
}
krb5_auth_con_removeflags(gssapi_krb5_context,
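Review bot: The removed `*delegated_cred_handle = NULL;` has no replacement in the new code, so on the early failure paths that `goto out` here (`krb5_cc_gen_new` or `krb5_cc_initialize` failing) the caller's output variable is never written and keeps whatever it held before the call. The only remaining store into it happens inside `gss_krb5_import_cred`, on its success path, in the next hunk of this file. Suggest `if (delegated_cred_handle) *delegated_cred_handle = NULL;` next to the new `*minor_status = 0;` so a cleared delegation flag is always paired with a null credential handle. gsskrb5_accept_delegated_token starts before this hunk and continues in the next one.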
@@ -204,29 +162,29 @@ gsskrb5_accept_delegated_token
*flags &= ~GSS_C_DELEG_FLAG;
ret = GSS_S_FAILURE;
*minor_status = kret;
- goto end_fwd;
+ goto out;
}
- end_fwd:
- /* if there was some kind of failure, clean up internal structures */
- if ((*flags & GSS_C_DELEG_FLAG) == 0) {
- if (handle) {
- if (handle->principal)
- gss_release_name(minor_status, &handle->principal);
- if (handle->mechanisms)
- gss_release_oid_set(NULL, &handle->mechanisms);
- if (handle->ccache)
- krb5_cc_destroy(gssapi_krb5_context, handle->ccache);
- free(handle);
- handle = NULL;
- }
+
+ if (delegated_cred_handle) {
+ ret = gss_krb5_import_cred(minor_status,
+ ccache,
+ NULL,
+ NULL,
+ delegated_cred_handle);
+ if (ret != GSS_S_COMPLETE)
+ goto out;
+
+ (*delegated_cred_handle)->cred_flags |= GSS_CF_DESTROY_CRED_ON_RELEASE;
+ ccache = NULL;
}
- if (delegated_cred_handle == NULL) {
- if (ccache)
+
+out:
+ if (ccache) {
+ if (delegated_cred_handle == NULL)
krb5_cc_close(gssapi_krb5_context, ccache);
+ else
+ krb5_cc_destroy(gssapi_krb5_context, ccache);
}
- if (handle)
- *delegated_cred_handle = handle;
-
return ret;
}
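Review bot: When `gss_krb5_import_cred` fails (the new `if (ret != GSS_S_COMPLETE) goto out;`) the function returns a failure status but leaves `GSS_C_DELEG_FLAG` set in `*flags`, unlike every other failure path in this function, which clears the bit before jumping to `out`. A caller that reports the returned flags could then advertise delegated credentials that were never produced. Suggest `*flags &= ~GSS_C_DELEG_FLAG;` immediately before that `goto out`. The enclosing function starts in the previous hunk.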
@@ -1054,7 +1012,7 @@ spnego_accept_sec_context
if(len > data.length - taglen)
return ASN1_OVERRUN;
- ret = decode_NegTokenInit((const char *)data.data + taglen, len,
+ ret = decode_NegTokenInit((const unsigned char *)data.data + taglen, len,
&ni, &ni_len);
if (ret)
return GSS_S_DEFECTIVE_TOKEN;
@@ -1065,7 +1023,7 @@ spnego_accept_sec_context
}
for (i = 0; !found && i < ni.mechTypes->len; ++i) {
- char mechbuf[17];
+ unsigned char mechbuf[17];
size_t mech_len;
ret = der_put_oid (mechbuf + sizeof(mechbuf) - 1,
diff --git a/source4/heimdal/lib/gssapi/acquire_cred.c b/source4/heimdal/lib/gssapi/acquire_cred.c
index d67b400920..44dbef3c48 100644
--- a/source4/heimdal/lib/gssapi/acquire_cred.c
+++ b/source4/heimdal/lib/gssapi/acquire_cred.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: acquire_cred.c,v 1.24 2005/10/26 11:25:16 lha Exp $");
+RCSID("$Id: acquire_cred.c,v 1.25 2005/11/02 08:56:25 lha Exp $");
OM_uint32
_gssapi_krb5_ccache_lifetime(OM_uint32 *minor_status,
@@ -106,7 +106,6 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
- krb5_keytab keytab,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -122,7 +121,7 @@ static OM_uint32 acquire_initiator_cred
krb5_get_init_creds_opt *opt;
krb5_ccache ccache;
krb5_error_code kret;
- krb5_boolean made_keytab = FALSE;
+ krb5_keytab keytab;
ccache = NULL;
def_princ = NULL;
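Review bot: `krb5_keytab keytab;` replaces the `made_keytab` flag but is declared without an initializer, while the cleanup at `end:` in the next hunk now tests `if (keytab != NULL)` before `krb5_kt_close`. Unless an assignment not visible in this diff runs on every path before the first `goto end`, that test reads an indeterminate value. Suggest initialising at the declaration, `krb5_keytab keytab = NULL;`, in line with the `ccache = NULL;` and `def_princ = NULL;` that follow. acquire_initiator_cred's body continues outside this hunk.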
@@ -214,7 +213,7 @@ end:
krb5_free_cred_contents(context, &cred);
if (def_princ != NULL)
krb5_free_principal(context, def_princ);
- if (made_keytab)
+ if (keytab != NULL)
krb5_kt_close(context, keytab);
if (ret != GSS_S_COMPLETE) {
if (ccache != NULL)
@@ -230,7 +229,6 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
- krb5_keytab keytab,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_cred_usage_t cred_usage,
@@ -244,21 +242,14 @@ static OM_uint32 acquire_acceptor_cred
kret = 0;
ret = GSS_S_FAILURE;
- if (keytab == NULL) {
- kret = get_keytab(context, &handle->keytab);
- if (kret)
- goto end;
- handle->made_keytab = TRUE;
- } else {
- handle->keytab = keytab;
- handle->made_keytab = FALSE;
- }
+ kret = get_keytab(context, &handle->keytab);
+ if (kret)
+ goto end;
ret = GSS_S_COMPLETE;
end:
if (ret != GSS_S_COMPLETE) {
- if (handle->made_keytab)
- krb5_kt_close(context, handle->keytab);
+ krb5_kt_close(context, handle->keytab);
if (kret != 0) {
*minor_status = kret;
gssapi_krb5_set_error_string ();
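Review bot: The `made_keytab` guard was dropped from the `end:` cleanup, so `krb5_kt_close(context, handle->keytab)` now runs whenever `ret != GSS_S_COMPLETE`, including the path where `get_keytab` itself failed and jumped to `end`. Unless get_keytab guarantees that `handle->keytab` is NULL on failure (not visible here), the close operates on an unset handle. Suggest `if (handle->keytab != NULL) krb5_kt_close(context, handle->keytab);`, mirroring the `if (keytab != NULL)` check this commit adds to acquire_initiator_cred in the same file. acquire_acceptor_cred's tail lies outside the hunk.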
@@ -267,9 +258,8 @@ end:
return (ret);
}
-OM_uint32 gsskrb5_acquire_cred
+OM_uint32 gss_acquire_cred
(OM_uint32 * minor_status,
- struct krb5_keytab_data *keytab,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
@@ -328,7 +318,6 @@ OM_uint32 gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, gssapi_krb5_context,
- keytab,
desired_name, time_req,
desired_mechs, cred_usage,
handle, actual_mechs, time_rec);
@@ -341,7 +330,7 @@ OM_uint32 gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, gssapi_krb5_context,
- keytab, time_req,
+ time_req,
desired_mechs, cred_usage,
handle, actual_mechs, time_rec);
if (ret != GSS_S_COMPLETE) {
@@ -381,24 +370,3 @@ OM_uint32 gsskrb5_acquire_cred
return (GSS_S_COMPLETE);
}
-OM_uint32 gss_acquire_cred
- (OM_uint32 * minor_status,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- )
-{
- return gsskrb5_acquire_cred(minor_status,
- NULL,
- desired_name,
- time_req,
- desired_mechs,
- cred_usage,
- output_cred_handle,
- actual_mechs,
- time_rec);
-}
diff --git a/source4/heimdal/lib/gssapi/arcfour.c b/source4/heimdal/lib/gssapi/arcfour.c
index 52bb2ecf1b..01c6c75ecc 100644
--- a/source4/heimdal/lib/gssapi/arcfour.c
+++ b/source4/heimdal/lib/gssapi/arcfour.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: arcfour.c,v 1.17 2005/05/06 07:13:32 lha Exp $");
+RCSID("$Id: arcfour.c,v 1.18 2005/11/01 06:55:55 lha Exp $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt
@@ -105,7 +105,7 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
static krb5_error_code
arcfour_mic_cksum(krb5_keyblock *key, unsigned usage,
u_char *sgn_cksum, size_t sgn_cksum_sz,
- const char *v1, size_t l1,
+ const u_char *v1, size_t l1,
const void *v2, size_t l2,
const void *v3, size_t l3)
{
@@ -256,7 +256,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
p = token_buffer->value;
omret = gssapi_krb5_verify_header (&p,
token_buffer->length,
- type,
+ (u_char *)type,
GSS_KRB5_MECHANISM);
if (omret)
return omret;
diff --git a/source4/heimdal/lib/gssapi/copy_ccache.c b/source4/heimdal/lib/gssapi/copy_ccache.c
index 0f2f155870..782b701e44 100644
--- a/source4/heimdal/lib/gssapi/copy_ccache.c
+++ b/source4/heimdal/lib/gssapi/copy_ccache.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: copy_ccache.c,v 1.9 2005/10/31 16:02:08 lha Exp $");
+RCSID("$Id: copy_ccache.c,v 1.13 2005/11/28 23:05:44 lha Exp $");
OM_uint32
gss_krb5_copy_ccache(OM_uint32 *minor_status,
@@ -63,9 +63,11 @@ gss_krb5_copy_ccache(OM_uint32 *minor_status,
OM_uint32
-gss_krb5_import_ccache(OM_uint32 *minor_status,
- krb5_ccache in,
- gss_cred_id_t *cred)
+gss_krb5_import_cred(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal keytab_principal,
+ krb5_keytab keytab,
+ gss_cred_id_t *cred)
{
krb5_error_code kret;
gss_cred_id_t handle;
@@ -83,57 +85,94 @@ gss_krb5_import_ccache(OM_uint32 *minor_status,
}
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
- handle->usage = GSS_C_INITIATE;
+ handle->usage = 0;
- kret = krb5_cc_get_principal(gssapi_krb5_context, in, &handle->principal);
- if (kret) {
- free(handle);
- gssapi_krb5_set_error_string ();
- *minor_status = kret;
- return GSS_S_FAILURE;
- }
+ if (id) {
+ char *str;
- ret = _gssapi_krb5_ccache_lifetime(minor_status,
- in,
- handle->principal,
- &handle->lifetime);
- if (ret != GSS_S_COMPLETE) {
- krb5_free_principal(gssapi_krb5_context, handle->principal);
- free(handle);
- return ret;
- }
+ handle->usage |= GSS_C_INITIATE;
- ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
- &handle->mechanisms);
- if (ret != GSS_S_COMPLETE) {
- krb5_free_principal(gssapi_krb5_context, handle->principal);
- free(handle);
- *minor_status = kret;
- return GSS_S_FAILURE;
+ kret = krb5_cc_get_principal(gssapi_krb5_context, id,
+ &handle->principal);
+ if (kret) {
+ free(handle);
+ gssapi_krb5_set_error_string ();
+ *minor_status = kret;
+ return GSS_S_FAILURE;
+ }
+
+ if (keytab_principal) {
+ krb5_boolean match;
+
+ match = krb5_principal_compare(gssapi_krb5_context,
+ handle->principal,
+ keytab_principal);
+ if (match == FALSE) {
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ free(handle);
+ gssapi_krb5_clear_status ();
+ *minor_status = EINVAL;
+ return GSS_S_FAILURE;
+ }
+ }
+
+ ret = _gssapi_krb5_ccache_lifetime(minor_status,
+ id,
+ handle->principal,
+ &handle->lifetime);
+ if (ret != GSS_S_COMPLETE) {
+ krb5_free_principal(gssapi_krb5_context, handle->principal);
+ free(handle);
+ return ret;
+ }
+
+
+ kret = krb5_cc_get_full_name(gssapi_krb5_context, id, &str);
+ if (kret)
+ goto out;
+
+ kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache);
+ free(str);
+ if (kret)
+ goto out;
}
- {
- const char *type, *name;
+
+ if (keytab) {
char *str;
- type = krb5_cc_get_type(gssapi_krb5_context, in);
- name = krb5_cc_get_name(gssapi_krb5_context, in);
-
- if (asprintf(&str, "%s:%s", type, name) == -1) {
- krb5_set_error_string(gssapi_krb5_context,
- "malloc - out of memory");
- kret = ENOMEM;
- goto out;
+ handle->usage |= GSS_C_ACCEPT;
+
+ if (keytab_principal && handle->principal == NULL) {
+ kret = krb5_copy_principal(gssapi_krb5_context,
+ keytab_principal,
+ &handle->principal);
+ if (kret)
+ goto out;
}
- kret = krb5_cc_resolve(gssapi_krb5_context, str, &handle->ccache);
+ kret = krb5_kt_get_full_name(gssapi_krb5_context, keytab, &str);
+ if (kret)
+ goto out;
+
+ kret = krb5_kt_resolve(gssapi_krb5_context, str, &handle->keytab);
free(str);
if (kret)
goto out;
}
+
+ if (id || keytab) {
+ ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
+ if (ret == GSS_S_COMPLETE)
+ ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
+ &handle->mechanisms);
+ if (ret != GSS_S_COMPLETE) {
+ kret = *minor_status;
+ goto out;
+ }
+ }
+
*minor_status = 0;
*cred = handle;
return GSS_S_COMPLETE;
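Review bot: `handle->usage` is assembled as a bit mask (`handle->usage = 0;`, then `|= GSS_C_INITIATE` and `|= GSS_C_ACCEPT`), but the GSS-API usage constants are not flag bits: per RFC 2744, GSS_C_BOTH is 0, GSS_C_INITIATE is 1 and GSS_C_ACCEPT is 2. A credential imported from both a ccache and a keytab therefore ends up with usage 3, which equals none of the three constants, while one imported from neither reports GSS_C_BOTH; whether the consumers of `usage` compare with `==` or test bits is outside this diff. If they compare, add `if (id && keytab) handle->usage = GSS_C_BOTH;` after the two blocks, and decide explicitly what an import with neither source should report. The cleanup style is also mixed: the early `id` failures do `free(handle); return ...;` while the later ones `goto out`; routing all of them through `out:` (which is outside this hunk) would keep the error handling uniform.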
diff --git a/source4/heimdal/lib/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi.h
index 64a31d1eee..20700dc826 100644
--- a/source4/heimdal/lib/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi.h
@@ -775,18 +775,6 @@ OM_uint32 gss_unseal
* kerberos mechanism specific functions
*/
-OM_uint32 gsskrb5_acquire_cred
- (OM_uint32 * minor_status,
- struct krb5_keytab_data *keytab,
- const gss_name_t desired_name,
- OM_uint32 time_req,
- const gss_OID_set desired_mechs,
- gss_cred_usage_t cred_usage,
- gss_cred_id_t * output_cred_handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
- );
-
OM_uint32
gss_krb5_ccache_name(OM_uint32 * /*minor_status*/,
const char * /*name */,
@@ -805,10 +793,11 @@ OM_uint32 gss_krb5_copy_service_keyblock
gss_ctx_id_t context_handle,
struct EncryptionKey **out);
-OM_uint32
-gss_krb5_import_ccache(OM_uint32 */*minor*/,
- struct krb5_ccache_data * /*in*/,
- gss_cred_id_t */*out*/);
+OM_uint32 gss_krb5_import_cred(OM_uint32 *minor_status,
+ struct krb5_ccache_data * /* id */,
+ struct Principal * /* keytab_principal */,
+ struct krb5_keytab_data * /* keytab */,
+ gss_cred_id_t */* cred */);
OM_uint32 gss_krb5_get_tkt_flags
(OM_uint32 */*minor*/,
diff --git a/source4/heimdal/lib/gssapi/gssapi_locl.h b/source4/heimdal/lib/gssapi/gssapi_locl.h
index ae291d15a9..b9bea7db2e 100644
--- a/source4/heimdal/lib/gssapi/gssapi_locl.h
+++ b/source4/heimdal/lib/gssapi/gssapi_locl.h
@@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
-/* $Id: gssapi_locl.h,v 1.42 2005/10/26 11:23:48 lha Exp $ */
+/* $Id: gssapi_locl.h,v 1.43 2005/11/02 08:51:17 lha Exp $ */
#ifndef GSSAPI_LOCL_H
#define GSSAPI_LOCL_H
diff --git a/source4/heimdal/lib/gssapi/init_sec_context.c b/source4/heimdal/lib/gssapi/init_sec_context.c
index e7e8f5153e..61c020b800 100644
--- a/source4/heimdal/lib/gssapi/init_sec_context.c
+++ b/source4/heimdal/lib/gssapi/init_sec_context.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: init_sec_context.c,v 1.60 2005/10/12 07:25:18 lha Exp $");
+RCSID("$Id: init_sec_context.c,v 1.61 2005/11/02 11:52:49 lha Exp $");
/*
* copy the addresses from `input_chan_bindings' (if any) to
diff --git a/source4/heimdal/lib/gssapi/release_cred.c b/source4/heimdal/lib/gssapi/release_cred.c
index ddd80c144b..cca3dfe379 100644
--- a/source4/heimdal/lib/gssapi/release_cred.c
+++ b/source4/heimdal/lib/gssapi/release_cred.c
@@ -33,7 +33,7 @@
#include "gssapi_locl.h"
-RCSID("$Id: release_cred.c,v 1.10 2003/10/07 00:51:46 lha Exp $");
+RCSID("$Id: release_cred.c,v 1.11 2005/11/02 08:57:35 lha Exp $");
OM_uint32 gss_release_cred
(OM_uint32 * minor_status,
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c
index d7a4cf35ee..b9f1ab47e1 100644
--- a/source4/heimdal/lib/hdb/db.c
+++ b/source4/heimdal/lib/hdb/db.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "hdb_locl.h"
-RCSID("$Id: db.c,v 1.32 2005/06/23 13:34:17 lha Exp $");
+RCSID("$Id: db.c,v 1.33 2005/11/28 23:30:51 lha Exp $");
#if HAVE_DB1
@@ -270,7 +270,7 @@ krb5_error_code
hdb_db_create(krb5_context context, HDB **db,
const char *filename)
{
- *db = malloc(sizeof(**db));
+ *db = calloc(1, sizeof(**db));
if (*db == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
diff --git a/source4/heimdal/lib/hdb/hdb-protos.h b/source4/heimdal/lib/hdb/hdb-protos.h
index 7557b46bff..f7e0c54b7c 100644
--- a/source4/heimdal/lib/hdb/hdb-protos.h
+++ b/source4/heimdal/lib/hdb/hdb-protos.h
@@ -120,7 +120,9 @@ hdb_free_entry (
hdb_entry */*ent*/);
void
-hdb_free_entry_ex(krb5_context context, hdb_entry_ex *ent);
+hdb_free_entry_ex (
+ krb5_context /*context*/,
+ hdb_entry_ex */*ent*/);
void
hdb_free_key (Key */*key*/);
diff --git a/source4/heimdal/lib/hdb/ndbm.c b/source4/heimdal/lib/hdb/ndbm.c
index 588ff80728..dfd5bfa8f1 100644
--- a/source4/heimdal/lib/hdb/ndbm.c
+++ b/source4/heimdal/lib/hdb/ndbm.c
@@ -339,6 +339,8 @@ hdb_ndbm_create(krb5_context context, HDB **db,
return ENOMEM;
}
+ memset(*db, '\0', sizeof(**db));
+
(*db)->hdb_db = NULL;
(*db)->hdb_name = strdup(filename);
if ((*db)->hdb_name == NULL) {
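Review bot: The added `memset(*db, '\0', sizeof(**db));` zeroes the HDB after the allocation check, whereas the sibling change to hdb_db_create in this commit switched the allocation itself to `calloc(1, sizeof(**db))`. Using calloc here as well (the allocation is just above this hunk) would make the two backends consistent and drop the explicit memset. hdb_ndbm_create's allocation line is outside the hunk.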
diff --git a/source4/heimdal/lib/krb5/cache.c b/source4/heimdal/lib/krb5/cache.c
index ec956409a7..25dc2cb8c0 100644
--- a/source4/heimdal/lib/krb5/cache.c
+++ b/source4/heimdal/lib/krb5/cache.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: cache.c,v 1.73 2005/10/19 17:30:40 lha Exp $");
+RCSID("$Id: cache.c,v 1.74 2005/11/01 09:36:41 lha Exp $");
/*
* Add a new ccache type with operations `ops', overwriting any
@@ -223,6 +223,41 @@ krb5_cc_get_type(krb5_context context,
}
/*
+ * Return the complete resolvable name the ccache `id' in `str´.
+ * `str` should be freed with free(3).
+ * Returns 0 or an error (and then *str is set to NULL).
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_get_full_name(krb5_context context,
+ krb5_ccache id,
+ char **str)
+{
+ const char *type, *name;
+
+ *str = NULL;
+
+ type = krb5_cc_get_type(context, id);
+ if (type == NULL) {
+ krb5_set_error_string(context, "cache have no name of type");
+ return KRB5_CC_UNKNOWN_TYPE;
+ }
+
+ name = krb5_cc_get_name(context, id);
+ if (name == NULL) {
+ krb5_set_error_string(context, "cache of type %s have no name", type);
+ return KRB5_CC_BADNAME;
+ }
+
+ if (asprintf(str, "%s:%s", type, name) == -1) {
+ krb5_set_error_string(context, "malloc - out of memory");
+ *str = NULL;
+ return ENOMEM;
+ }
+ return 0;
+}
+
+/*
* Return krb5_cc_ops of a the ccache `id'.
*/
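Review bot: The header comment of the new `krb5_cc_get_full_name` is missing a word and closes its quote with a stray acute accent: `Return the complete resolvable name the ccache `id' in `str´.`. Suggest ` * Return the complete resolvable name of the ccache `id' in `str'.` so the quoting matches the surrounding comments. The error text `cache have no name of type` reads oddly too; if the wording is revisited, `cache has no type` describes the failed `krb5_cc_get_type` call more directly.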
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index 7bc8942f66..be5c1db47d 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: get_for_creds.c,v 1.45 2005/06/15 02:44:36 lha Exp $");
+RCSID("$Id: get_for_creds.c,v 1.46 2005/11/28 20:43:02 lha Exp $");
static krb5_error_code
add_addrs(krb5_context context,
@@ -385,17 +385,13 @@ krb5_get_forwarded_creds (krb5_context context,
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
} else {
- /*
- * RFC4120 claims we should use the session key, but Heimdal
- * before 0.8 used the remote subkey if it was send in the
- * auth_context.
- *
- * Lorikeet-Heimdal is interested in windows compatiblity
- * more than Heimdal compatability, so we must choose the
- * session key, and break forwarding credentials to older
- * Heimdal servers.
- */
-
+ /*
+ * Here older versions then 0.7.2 of Heimdal used the local or
+ * remote subkey. That is wrong, the session key should be
+ * used. Heimdal 0.7.2 and newer have code to try both in the
+ * receiving end.
+ */
+
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
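Review bot: The new comment reads `Here older versions then 0.7.2 of Heimdal`; the comparative should be `than`. Suggest ` * Here older versions than 0.7.2 of Heimdal used the local or`. krb5_get_forwarded_creds's body extends beyond this hunk.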
diff --git a/source4/heimdal/lib/krb5/keytab.c b/source4/heimdal/lib/krb5/keytab.c
index 23f6685049..43fc21c1d1 100644
--- a/source4/heimdal/lib/krb5/keytab.c
+++ b/source4/heimdal/lib/krb5/keytab.c
@@ -33,7 +33,7 @@
#include "krb5_locl.h"
-RCSID("$Id: keytab.c,v 1.62 2005/07/06 01:14:42 lha Exp $");
+RCSID("$Id: keytab.c,v 1.63 2005/11/25 21:46:40 lha Exp $");
/*
* Register a new keytab in `ops'
@@ -240,6 +240,40 @@ krb5_kt_get_name(krb5_context context,
}
/*
+ * Retrieve the full name of the keytab `keytab' and store the name in
+ * `str'. `str' needs to be freed by the caller using free(3).
+ * Returns 0 or an error. On error, *str is set to NULL.
+ */
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_kt_get_full_name(krb5_context context,
+ krb5_keytab keytab,
+ char **str)
+{
+ char type[KRB5_KT_PREFIX_MAX_LEN];
+ char name[MAXPATHLEN];
+ krb5_error_code ret;
+
+ *str = NULL;
+
+ ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
+ if (ret)
+ return ret;
+
+ ret = krb5_kt_get_name(context, keytab, name, sizeof(name));
+ if (ret)
+ return ret;
+
+ if (asprintf(str, "%s:%s", type, name) == -1) {
+ krb5_set_error_string(context, "malloc - out of memory");
+ *str = NULL;
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
+/*
* Finish using the keytab in `id'. All resources will be released,
* even on errors. Return 0 or an error.
*/
diff --git a/source4/heimdal/lib/krb5/krb5-private.h b/source4/heimdal/lib/krb5/krb5-private.h
index 2645c29fe7..3602c89ec6 100644
--- a/source4/heimdal/lib/krb5/krb5-private.h
+++ b/source4/heimdal/lib/krb5/krb5-private.h
@@ -77,6 +77,15 @@ _krb5_extract_ticket (
krb5_decrypt_proc /*decrypt_proc*/,
krb5_const_pointer /*decryptarg*/);
+int
+_krb5_find_type_in_ad (
+ krb5_context /*context*/,
+ int /*type*/,
+ krb5_data */*data*/,
+ krb5_boolean */*found*/,
+ krb5_keyblock */*sessionkey*/,
+ const AuthorizationData */*ad*/);
+
void
_krb5_free_krbhst_info (krb5_krbhst_info */*hi*/);
@@ -399,12 +408,4 @@ _krb5_xunlock (
krb5_context /*context*/,
int /*fd*/);
-int
-_krb5_find_type_in_ad(krb5_context context,
- int type,
- krb5_data *data,
- int *found,
- krb5_keyblock *sessionkey,
- const AuthorizationData *ad);
-
#endif /* __krb5_private_h__ */
diff --git a/source4/heimdal/lib/krb5/krb5-protos.h b/source4/heimdal/lib/krb5/krb5-protos.h
index a46f8b8f8f..33e35ca60e 100644
--- a/source4/heimdal/lib/krb5/krb5-protos.h
+++ b/source4/heimdal/lib/krb5/krb5-protos.h
@@ -607,6 +607,12 @@ krb5_cc_gen_new (
const krb5_cc_ops */*ops*/,
krb5_ccache */*id*/);
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_cc_get_full_name (
+ krb5_context /*context*/,
+ krb5_ccache /*id*/,
+ char **/*str*/);
+
const char* KRB5_LIB_FUNCTION
krb5_cc_get_name (
krb5_context /*context*/,
@@ -2186,6 +2192,12 @@ krb5_kt_get_entry (
krb5_keytab_entry */*entry*/);
krb5_error_code KRB5_LIB_FUNCTION
+krb5_kt_get_full_name (
+ krb5_context /*context*/,
+ krb5_keytab /*keytab*/,
+ char **/*str*/);
+
+krb5_error_code KRB5_LIB_FUNCTION
krb5_kt_get_name (
krb5_context /*context*/,
krb5_keytab /*keytab*/,
diff --git a/source4/heimdal/lib/krb5/rd_cred.c b/source4/heimdal/lib/krb5/rd_cred.c
index 07f142267c..d62adadf26 100644
--- a/source4/heimdal/lib/krb5/rd_cred.c
+++ b/source4/heimdal/lib/krb5/rd_cred.c
@@ -33,7 +33,7 @@
#include <krb5_locl.h>
-RCSID("$Id: rd_cred.c,v 1.25 2005/09/23 03:37:57 lha Exp $");
+RCSID("$Id: rd_cred.c,v 1.26 2005/11/02 08:36:42 lha Exp $");
static krb5_error_code
compare_addrs(krb5_context context,