From 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 15 Jul 2011 09:10:30 +0200 Subject: s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b) --- source4/heimdal/lib/krb5/get_cred.c | 63 +++++++++++++++++++------------------ 1 file changed, 33 insertions(+), 30 deletions(-) (limited to 'source4/heimdal/lib/krb5/get_cred.c') diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c index 7f2b57247d..e3bb23a2e9 100644 --- a/source4/heimdal/lib/krb5/get_cred.c +++ b/source4/heimdal/lib/krb5/get_cred.c @@ -55,7 +55,7 @@ make_pa_tgs_req(krb5_context context, { u_char *buf; size_t buf_size; - size_t len; + size_t len = 0; krb5_data in_data; krb5_error_code ret; @@ -90,7 +90,7 @@ set_auth_data (krb5_context context, krb5_keyblock *subkey) { if(authdata->len) { - size_t len, buf_size; + size_t len = 0, buf_size; unsigned char *buf; krb5_crypto crypto; krb5_error_code ret; @@ -166,10 +166,11 @@ init_tgs_req (krb5_context context, } t->req_body.etype.val[0] = in_creds->session.keytype; } else { - ret = krb5_init_etype(context, - &t->req_body.etype.len, - &t->req_body.etype.val, - NULL); + ret = _krb5_init_etype(context, + KRB5_PDU_TGS_REQUEST, + &t->req_body.etype.len, + &t->req_body.etype.val, + NULL); } if (ret) goto fail; @@ -235,7 +236,7 @@ init_tgs_req (krb5_context context, goto fail; } { - int i; + size_t i; for (i = 0; i < padata->len; i++) { ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); if (ret) { @@ -249,16 +250,16 @@ init_tgs_req (krb5_context context, ret = krb5_auth_con_init(context, &ac); if(ret) goto fail; - + ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session); if (ret) goto fail; - + ret = set_auth_data (context, &t->req_body, &in_creds->authdata, ac->local_subkey); if (ret) goto fail; - + ret = make_pa_tgs_req(context, ac, &t->req_body, 
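Review bot: The new `size_t len = 0;` initialiser in make_pa_tgs_req carries no comment saying why it is there, and the same holds for `len = 0` in set_auth_data and for `len = 0` / `size = 0` in get_cred_kdc. In get_cred_kdc the visible check `if (len != size) krb5_abortx(context, "internal asn1 error");` would now compare 0 with 0 if an encode step reported success without writing either length. That case would pass silently where an uninitialised read could previously have been caught by compiler or sanitizer diagnostics; the encode calls are outside these hunks, so this is inferred. A short comment at each site would record the intent, e.g. `size_t len = 0; /* written by the encoder on success; 0 presumably only silences maybe-uninitialized */`. All of these function bodies start and end outside their hunks.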
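Review bot: The copy loop in init_tgs_req writes `t->padata->val[i + 1]` for every `i < padata->len`, so it stays in bounds only if the destination array holds at least `padata->len + 1` entries, and that allocation is outside the hunk. Changing `i` to `size_t` presumably fixes a signed/unsigned comparison against `padata->len`, but the reserved first slot is still undocumented. A comment such as `/* val[0] is reserved (presumably for the PA-TGS-REQ built below); caller padata is copied from index 1 */` would make the invariant checkable. It is also worth confirming that the length computation for the destination cannot wrap before it reaches the allocator. init_tgs_req starts before and continues past this hunk.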
@@ -334,6 +335,8 @@ decrypt_tkt_with_subkey (krb5_context context, assert(usage == 0); + krb5_data_zero(&data); + /* * start out with trying with subkey if we have one */ @@ -383,7 +386,7 @@ decrypt_tkt_with_subkey (krb5_context context, &dec_rep->enc_part, &size); if (ret) - krb5_set_error_message(context, ret, + krb5_set_error_message(context, ret, N_("Failed to decode encpart in ticket", "")); krb5_data_free (&data); return ret; @@ -408,7 +411,7 @@ get_cred_kdc(krb5_context context, krb5_error_code ret; unsigned nonce; krb5_keyblock *subkey = NULL; - size_t len; + size_t len = 0; Ticket second_ticket_data; METHOD_DATA padata; @@ -435,12 +438,12 @@ get_cred_kdc(krb5_context context, PA_S4U2Self self; krb5_data data; void *buf; - size_t size; + size_t size = 0; self.name = impersonate_principal->name; self.realm = impersonate_principal->realm; self.auth = estrdup("Kerberos"); - + ret = _krb5_s4u2self_to_checksumdata(context, &self, &data); if (ret) { free(self.auth); @@ -475,7 +478,7 @@ get_cred_kdc(krb5_context context, goto out; if (len != size) krb5_abortx(context, "internal asn1 error"); - + ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len); if (ret) goto out; @@ -609,7 +612,7 @@ get_cred_kdc_address(krb5_context context, krb5_appdefault_boolean(context, NULL, krbtgt->server->realm, "no-addresses", FALSE, &noaddr); - + if (!noaddr) { krb5_get_all_client_addrs(context, &addresses); /* XXX this sucks. */ @@ -734,7 +737,7 @@ get_cred_kdc_capath_worker(krb5_context context, krb5_creds *in_creds, krb5_const_realm try_realm, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -809,7 +812,7 @@ get_cred_kdc_capath_worker(krb5_context context, krb5_free_principal(context, tmp_creds.client); return ret; } - /* + /* * if either of the chain or the ok_as_delegate was stripped * by the kdc, make sure we strip it too. */ 
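Review bot: The added `krb5_data_zero(&data);` in decrypt_tkt_with_subkey has no comment saying which path it protects. The function's tail, visible in the following hunk, calls `krb5_data_free (&data)` before `return ret`. The zeroing therefore presumably keeps that free from acting on an uninitialised `krb5_data` when a decrypt attempt fails or is skipped; the decrypt calls themselves are outside the hunk. I would add `/* keep data empty so the krb5_data_free() on the exit path is safe even if no decrypt filled it */` above the call. The function body starts before and runs past this hunk.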
@@ -842,7 +845,7 @@ get_cred_kdc_capath_worker(krb5_context context, return ret; } } - + krb5_free_principal(context, tmp_creds.server); krb5_free_principal(context, tmp_creds.client); *out_creds = calloc(1, sizeof(**out_creds)); @@ -860,7 +863,7 @@ get_cred_kdc_capath_worker(krb5_context context, } krb5_free_creds(context, tgt); return ret; -} +} /* get_cred(server) @@ -883,7 +886,7 @@ get_cred_kdc_capath(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -918,7 +921,7 @@ get_cred_kdc_referral(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -946,7 +949,7 @@ get_cred_kdc_referral(krb5_context context, /* find tgt for the clients base realm */ { krb5_principal tgtname; - + ret = krb5_make_principal(context, &tgtname, client_realm, KRB5_TGS_NAME, @@ -954,7 +957,7 @@ get_cred_kdc_referral(krb5_context context, NULL); if(ret) return ret; - + ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt); krb5_free_principal(context, tgtname); if (ret) @@ -1032,9 +1035,9 @@ get_cred_kdc_referral(krb5_context context, goto out; } tickets++; - } + } - /* + /* * if either of the chain or the ok_as_delegate was stripped * by the kdc, make sure we strip it too. */ @@ -1080,7 +1083,7 @@ _krb5_get_cred_kdc_any(krb5_context context, krb5_ccache ccache, krb5_creds *in_creds, krb5_principal impersonate_principal, - Ticket *second_ticket, + Ticket *second_ticket, krb5_creds **out_creds, krb5_creds ***ret_tgts) { @@ -1165,7 +1168,7 @@ krb5_get_credentials_with_flags(krb5_context context, *out_creds = res_creds; return 0; } - + krb5_timeofday(context, &timeret); if(res_creds->times.endtime > timeret) { *out_creds = res_creds; 
@@ -1382,7 +1385,7 @@ krb5_get_creds(krb5_context context, krb5_free_principal(context, in_creds.client); goto out; } - + krb5_timeofday(context, &timeret); if(res_creds->times.endtime > timeret) { *out_creds = res_creds; @@ -1467,7 +1470,7 @@ krb5_get_renewed_creds(krb5_context context, } } else { const char *realm = krb5_principal_get_realm(context, client); - + ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME, realm, NULL); if (ret) { -- cgit