From f7242f643763ccb6e10801af4ce53d0873e2d3e1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 10 Jan 2007 01:57:32 +0000
Subject: r20640: Commit part 2/2

Update Heimdal to match current lorikeet-heimdal.  This includes
integrated PAC hooks, so Samba doesn't have to handle this any more.

This also brings in the PKINIT code, hence so many new files.

Andrew Bartlett
(This used to be commit 351f7040f7bb73b9a60b22b564686f7c2f98a729)
---
 source4/heimdal/lib/krb5/init_creds_pw.c | 36 +++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 14 deletions(-)

(limited to 'source4/heimdal/lib/krb5/init_creds_pw.c')

diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index d43ae0ae6f..f6f6eac7d5 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -33,7 +33,7 @@
 
 #include "krb5_locl.h"
 
-RCSID("$Id: init_creds_pw.c,v 1.101 2006/10/02 12:00:59 lha Exp $");
+RCSID("$Id: init_creds_pw.c,v 1.105 2007/01/09 10:44:59 lha Exp $");
 
 typedef struct krb5_get_init_creds_ctx {
     KDCOptions flags;
@@ -656,7 +656,7 @@ free_paid(krb5_context context, struct pa_info_data *ppaid)
 {
     krb5_free_salt(context, ppaid->salt);
     if (ppaid->s2kparams)
-	krb5_data_free(ppaid->s2kparams);
+	krb5_free_data(context, ppaid->s2kparams);
 }
 
 
@@ -729,8 +729,8 @@ pa_etype_info2(krb5_context context,
 		if (e.val[i].salt == NULL)
 		    krb5_free_salt(context, salt);
 		if (ret == 0) {
-			free_ETYPE_INFO2(&e);
-			return paid;
+		    free_ETYPE_INFO2(&e);
+		    return paid;
 		}
 	    }
 	}
@@ -1092,23 +1092,31 @@ process_pa_data_to_md(krb5_context context,
     (*out_md)->len = 0;
     (*out_md)->val = NULL;
     
-    if (in_md->len != 0) {
-	struct pa_info_data paid, *ppaid;
+    /*
+     * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
+     * need to expose our password protecting our PKCS12 key.
+     */
 
-	memset(&paid, 0, sizeof(paid));
+    if (ctx->pk_init_ctx) {
+
+	ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md);
+	if (ret)
+	    return ret;
 
+    } else if (in_md->len != 0) {
+	struct pa_info_data paid, *ppaid;
+	
+	memset(&paid, 0, sizeof(paid));
+	
 	paid.etype = ENCTYPE_NULL;
 	ppaid = process_pa_info(context, creds->client, a, &paid, in_md);
-
+	
 	pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
 	if (ppaid)
 	    free_paid(context, ppaid);
     }
 
     pa_data_add_pac_request(context, ctx, *out_md);
-    ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md);
-    if (ret)
-	return ret;
 
     if ((*out_md)->len == 0) {
 	free(*out_md);
@@ -1503,7 +1511,7 @@ krb5_get_init_creds_password(krb5_context context,
 	free (q);
 	if (ret) {
 	    memset (buf, 0, sizeof(buf));
-	    krb5_get_init_creds_opt_free(options);
+	    krb5_get_init_creds_opt_free(context, options);
 	    ret = KRB5_LIBOS_PWDINTR;
 	    krb5_clear_error_string (context);
 	    return ret;
@@ -1515,7 +1523,7 @@ krb5_get_init_creds_password(krb5_context context,
 	ret = krb5_get_init_creds_opt_set_pa_password(context, options,
 						      password, NULL);
 	if (ret) {
-	    krb5_get_init_creds_opt_free(options);
+	    krb5_get_init_creds_opt_free(context, options);
 	    memset(buf, 0, sizeof(buf));
 	    return ret;
 	}
@@ -1523,7 +1531,7 @@ krb5_get_init_creds_password(krb5_context context,
 
     ret = krb5_get_init_creds(context, creds, client, prompter,
 			      data, start_time, in_tkt_service, options);
-    krb5_get_init_creds_opt_free(options);
+    krb5_get_init_creds_opt_free(context, options);
     memset(buf, 0, sizeof(buf));
     return ret;
 }
-- 
cgit