[SCM] Samba Shared Repository - branch v4-0-test updated -
release-4-0-0alpha2-1338-g400c16e
Andrew Bartlett
abartlet at samba.org
Tue Mar 18 23:55:18 GMT 2008
The branch, v4-0-test has been updated
via 400c16e7004bc3a881bb6efb99a273cdac87f70c (commit)
via d88b530522d3cef67c24422bd5182fb875d87ee2 (commit)
from b7dad8674a3aaa27bc1103a83be75434d413239b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 400c16e7004bc3a881bb6efb99a273cdac87f70c
Merge: d88b530522d3cef67c24422bd5182fb875d87ee2 b7dad8674a3aaa27bc1103a83be75434d413239b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 19 10:18:35 2008 +1100
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
commit d88b530522d3cef67c24422bd5182fb875d87ee2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 19 10:17:42 2008 +1100
Merge lorikeet-heimdal -r 787 into Samba4 tree.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source/heimdal/kdc/digest.c | 26 +-
source/heimdal/kdc/kaserver.c | 2 +-
source/heimdal/kdc/kdc_locl.h | 5 +-
source/heimdal/kdc/kerberos5.c | 41 +-
source/heimdal/kdc/krb5tgs.c | 24 +-
source/heimdal/kdc/log.c | 10 +-
source/heimdal/kdc/pkinit.c | 34 +-
source/heimdal/kuser/kinit.c | 27 +-
source/heimdal/lib/asn1/asn1-common.h | 2 +-
source/heimdal/lib/asn1/canthandle.asn1 | 4 +-
source/heimdal/lib/asn1/der.c | 2 +-
source/heimdal/lib/asn1/digest.asn1 | 18 +-
source/heimdal/lib/asn1/gen.c | 2 +-
source/heimdal/lib/asn1/gen_encode.c | 2 +-
source/heimdal/lib/asn1/k5.asn1 | 6 +-
source/heimdal/lib/asn1/lex.c | 44 +-
source/heimdal/lib/asn1/parse.c | 184 +-
source/heimdal/lib/asn1/parse.h | 4 +-
source/heimdal/lib/asn1/pkinit.asn1 | 23 +-
source/heimdal/lib/asn1/rfc2459.asn1 | 2 +
source/heimdal/lib/com_err/lex.c | 44 +-
source/heimdal/lib/com_err/parse.c | 28 +-
source/heimdal/lib/com_err/parse.h | 4 +-
source/heimdal/lib/gssapi/gssapi/gssapi_krb5.h | 3 +-
source/heimdal/lib/gssapi/gssapi_mech.h | 2 +
source/heimdal/lib/gssapi/krb5/acquire_cred.c | 74 +-
source/heimdal/lib/gssapi/krb5/external.c | 4 +-
source/heimdal/lib/gssapi/krb5/gsskrb5-private.h | 2 +-
source/heimdal/lib/gssapi/krb5/gsskrb5_locl.h | 3 +-
source/heimdal/lib/gssapi/krb5/init_sec_context.c | 54 +-
source/heimdal/lib/gssapi/krb5/set_cred_option.c | 39 +-
source/heimdal/lib/gssapi/mech/context.c | 18 +-
.../lib/gssapi/mech/gss_accept_sec_context.c | 6 +-
source/heimdal/lib/gssapi/mech/gss_krb5.c | 43 +-
source/heimdal/lib/gssapi/mech/gss_mech_switch.c | 2 +-
.../heimdal/lib/gssapi/mech/gss_release_oid_set.c | 4 +-
.../heimdal/lib/gssapi/spnego/accept_sec_context.c | 27 +-
source/heimdal/lib/gssapi/spnego/compat.c | 3 +-
source/heimdal/lib/gssapi/spnego/context_stubs.c | 70 +-
source/heimdal/lib/gssapi/spnego/external.c | 4 +-
.../heimdal/lib/gssapi/spnego/init_sec_context.c | 11 +-
source/heimdal/lib/gssapi/spnego/spnego-private.h | 9 -
source/heimdal/lib/hcrypto/bn.c | 6 +-
source/heimdal/lib/hcrypto/bn.h | 4 +-
source/heimdal/lib/hcrypto/camellia-ntt.c | 1461 ++
source/heimdal/lib/hcrypto/camellia-ntt.h | 54 +
source/heimdal/lib/hcrypto/camellia.c | 118 +
source/heimdal/lib/hcrypto/camellia.h | 74 +
source/heimdal/lib/hcrypto/dh-imath.c | 14 +-
source/heimdal/lib/hcrypto/dh.c | 215 +-
source/heimdal/lib/hcrypto/evp.c | 648 +-
source/heimdal/lib/hcrypto/evp.h | 8 +-
source/heimdal/lib/hcrypto/hmac.c | 35 +-
source/heimdal/lib/hcrypto/imath/imath.c | 6 +-
source/heimdal/lib/hcrypto/rand.c | 15 +-
source/heimdal/lib/hcrypto/rsa.c | 97 +-
source/heimdal/lib/hcrypto/rsa.h | 4 +-
source/heimdal/lib/hdb/dbinfo.c | 266 +
source/heimdal/lib/hdb/hdb-protos.h | 11 +
source/heimdal/lib/hdb/hdb.h | 6 +-
source/heimdal/lib/hdb/hdb_locl.h | 5 +-
source/heimdal/lib/hdb/keys.c | 15 +-
source/heimdal/lib/hdb/mkey.c | 7 +-
source/heimdal/lib/hx509/ca.c | 334 +-
source/heimdal/lib/hx509/cert.c | 878 +-
source/heimdal/lib/hx509/cms.c | 173 +-
source/heimdal/lib/hx509/crypto.c | 194 +-
source/heimdal/lib/hx509/env.c | 52 +-
source/heimdal/lib/hx509/error.c | 81 +-
source/heimdal/lib/hx509/hx509-private.h | 52 +-
source/heimdal/lib/hx509/hx509-protos.h | 47 +-
source/heimdal/lib/hx509/hx509.h | 7 +-
source/heimdal/lib/hx509/hx509_err.et | 4 +-
source/heimdal/lib/hx509/hx_locl.h | 6 +-
source/heimdal/lib/hx509/keyset.c | 237 +-
source/heimdal/lib/hx509/ks_file.c | 38 +-
source/heimdal/lib/hx509/ks_keychain.c | 10 +-
source/heimdal/lib/hx509/ks_p11.c | 4 +-
source/heimdal/lib/hx509/lock.c | 8 +-
source/heimdal/lib/hx509/name.c | 367 +-
source/heimdal/lib/hx509/peer.c | 54 +-
source/heimdal/lib/hx509/print.c | 200 +-
source/heimdal/lib/hx509/revoke.c | 398 +-
source/heimdal/lib/krb5/acache.c | 270 +-
source/heimdal/lib/krb5/add_et_list.c | 12 +-
source/heimdal/lib/krb5/addr_families.c | 282 +-
source/heimdal/lib/krb5/asn1_glue.c | 6 +-
source/heimdal/lib/krb5/auth_context.c | 8 +-
source/heimdal/lib/krb5/cache.c | 330 +-
source/heimdal/lib/krb5/context.c | 334 +-
source/heimdal/lib/krb5/convert_creds.c | 31 +-
source/heimdal/lib/krb5/copy_host_realm.c | 13 +-
source/heimdal/lib/krb5/creds.c | 84 +-
source/heimdal/lib/krb5/crypto.c | 63 +-
source/heimdal/lib/krb5/data.c | 100 +-
source/heimdal/lib/krb5/eai_to_heim_errno.c | 26 +-
source/heimdal/lib/krb5/error_string.c | 33 +-
source/heimdal/lib/krb5/expand_hostname.c | 6 +-
source/heimdal/lib/krb5/fcache.c | 131 +-
source/heimdal/lib/krb5/get_cred.c | 10 +-
source/heimdal/lib/krb5/get_for_creds.c | 94 +-
source/heimdal/lib/krb5/get_in_tkt.c | 2 +-
source/heimdal/lib/krb5/init_creds.c | 2 +-
source/heimdal/lib/krb5/init_creds_pw.c | 12 +-
source/heimdal/lib/krb5/kcm.c | 30 +-
source/heimdal/lib/krb5/keytab.c | 7 +-
source/heimdal/lib/krb5/keytab_file.c | 6 +-
source/heimdal/lib/krb5/keytab_keyfile.c | 6 +-
source/heimdal/lib/krb5/keytab_krb4.c | 28 +-
source/heimdal/lib/krb5/krb5-private.h | 11 +-
source/heimdal/lib/krb5/krb5-protos.h | 50 +-
source/heimdal/lib/krb5/krb5.h | 21 +-
source/heimdal/lib/krb5/krb5_ccapi.h | 8 +-
source/heimdal/lib/krb5/krb5_locl.h | 14 +-
source/heimdal/lib/krb5/mcache.c | 57 +-
source/heimdal/lib/krb5/n-fold.c | 23 +-
source/heimdal/lib/krb5/pac.c | 92 +-
source/heimdal/lib/krb5/pkinit.c | 90 +-
source/heimdal/lib/krb5/plugin.c | 23 +-
source/heimdal/lib/krb5/principal.c | 37 +-
source/heimdal/lib/krb5/rd_priv.c | 2 +-
source/heimdal/lib/krb5/rd_req.c | 44 +-
source/heimdal/lib/krb5/send_to_kdc.c | 4 +-
source/heimdal/lib/krb5/store.c | 10 +-
source/heimdal/lib/krb5/store_emem.c | 21 +-
source/heimdal/lib/krb5/transited.c | 19 +-
source/heimdal/lib/krb5/v4_glue.c | 4 +-
source/heimdal/lib/ntlm/heimntlm-protos.h | 11 +-
source/heimdal/lib/ntlm/heimntlm.h | 81 +-
source/heimdal/lib/ntlm/ntlm.c | 278 +-
source/heimdal/lib/vers/print_version.c | 4 +-
source/heimdal/lib/wind/bidi.c | 92 +
source/heimdal/lib/wind/bidi_table.c | 410 +
source/heimdal/lib/wind/bidi_table.h | 21 +
source/heimdal/lib/wind/combining.c | 62 +
source/heimdal/lib/wind/combining_table.c | 362 +
source/heimdal/lib/wind/combining_table.h | 18 +
source/heimdal/lib/wind/errorlist.c | 77 +
source/heimdal/lib/wind/errorlist_table.c | 88 +
source/heimdal/lib/wind/errorlist_table.h | 19 +
source/heimdal/lib/wind/ldap.c | 91 +
source/heimdal/lib/wind/map.c | 87 +
source/heimdal/lib/wind/map_table.c | 2613 +++
source/heimdal/lib/wind/map_table.h | 22 +
source/heimdal/lib/wind/normalize.c | 301 +
source/heimdal/lib/wind/normalize_table.c |22976 ++++++++++++++++++++
source/heimdal/lib/wind/normalize_table.h | 34 +
source/heimdal/lib/wind/stringprep.c | 141 +
source/heimdal/lib/wind/utf8.c | 443 +
source/heimdal/lib/wind/wind.h | 82 +
source/heimdal/lib/wind/wind_err.et | 22 +
source/heimdal/lib/wind/windlocl.h | 64 +
source/heimdal_build/config.mk | 35 +-
source/kdc/kdc.c | 6 +-
source/static_deps.mk | 3 +-
155 files changed, 36677 insertions(+), 1351 deletions(-)
create mode 100644 source/heimdal/lib/hcrypto/camellia-ntt.c
create mode 100644 source/heimdal/lib/hcrypto/camellia-ntt.h
create mode 100644 source/heimdal/lib/hcrypto/camellia.c
create mode 100644 source/heimdal/lib/hcrypto/camellia.h
create mode 100644 source/heimdal/lib/hdb/dbinfo.c
create mode 100644 source/heimdal/lib/wind/bidi.c
create mode 100644 source/heimdal/lib/wind/bidi_table.c
create mode 100644 source/heimdal/lib/wind/bidi_table.h
create mode 100644 source/heimdal/lib/wind/combining.c
create mode 100644 source/heimdal/lib/wind/combining_table.c
create mode 100644 source/heimdal/lib/wind/combining_table.h
create mode 100644 source/heimdal/lib/wind/errorlist.c
create mode 100644 source/heimdal/lib/wind/errorlist_table.c
create mode 100644 source/heimdal/lib/wind/errorlist_table.h
create mode 100644 source/heimdal/lib/wind/ldap.c
create mode 100644 source/heimdal/lib/wind/map.c
create mode 100644 source/heimdal/lib/wind/map_table.c
create mode 100644 source/heimdal/lib/wind/map_table.h
create mode 100644 source/heimdal/lib/wind/normalize.c
create mode 100644 source/heimdal/lib/wind/normalize_table.c
create mode 100644 source/heimdal/lib/wind/normalize_table.h
create mode 100644 source/heimdal/lib/wind/stringprep.c
create mode 100644 source/heimdal/lib/wind/utf8.c
create mode 100644 source/heimdal/lib/wind/wind.h
create mode 100644 source/heimdal/lib/wind/wind_err.et
create mode 100644 source/heimdal/lib/wind/windlocl.h
Changeset truncated at 500 lines:
diff --git a/source/heimdal/kdc/digest.c b/source/heimdal/kdc/digest.c
index 358ca5a..b845b0f 100644
--- a/source/heimdal/kdc/digest.c
+++ b/source/heimdal/kdc/digest.c
@@ -34,7 +34,7 @@
#include "kdc_locl.h"
#include <hex.h>
-RCSID("$Id: digest.c 21606 2007-07-17 07:03:25Z lha $");
+RCSID("$Id: digest.c 22374 2007-12-28 18:36:52Z lha $");
#define MS_CHAP_V2 0x20
#define CHAP_MD5 0x10
@@ -1003,7 +1003,8 @@ _kdc_do_digest(krb5_context context,
}
r.u.ntlmInitReply.flags |=
- NTLM_NEG_TARGET_DOMAIN |
+ NTLM_NEG_TARGET |
+ NTLM_TARGET_DOMAIN |
NTLM_ENC_128;
#define ALL \
@@ -1331,6 +1332,27 @@ _kdc_do_digest(krb5_context context,
version, ireq.u.ntlmRequest.username);
break;
}
+ case choice_DigestReqInner_supportedMechs:
+
+ kdc_log(context, config, 0, "digest supportedMechs from %s", from);
+
+ r.element = choice_DigestRepInner_supportedMechs;
+ memset(&r.u.supportedMechs, 0, sizeof(r.u.supportedMechs));
+
+ if (config->digests_allowed & NTLM_V1)
+ r.u.supportedMechs.ntlm_v1 = 1;
+ if (config->digests_allowed & NTLM_V1_SESSION)
+ r.u.supportedMechs.ntlm_v1_session = 1;
+ if (config->digests_allowed & NTLM_V2)
+ r.u.supportedMechs.ntlm_v2 = 1;
+ if (config->digests_allowed & DIGEST_MD5)
+ r.u.supportedMechs.digest_md5 = 1;
+ if (config->digests_allowed & CHAP_MD5)
+ r.u.supportedMechs.chap_md5 = 1;
+ if (config->digests_allowed & MS_CHAP_V2)
+ r.u.supportedMechs.ms_chap_v2 = 1;
+ break;
+
default: {
char *s;
krb5_set_error_string(context, "unknown operation to digest");
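Review bot: The new `case choice_DigestReqInner_supportedMechs:` body is the only unbraced case between the braced case that closes just above it and `default: {`, so it reads differently from its siblings; wrapping it in braces keeps the switch uniform. A one-line comment on the reply would also help, since the bit-by-bit copy is easy to misread as a negotiation: `/* the reply mirrors config->digests_allowed exactly; nothing is negotiated here */`. Whether the request reaching this switch has already been authenticated is decided before `_kdc_do_digest`'s switch, which starts outside the hunk, so that cannot be confirmed from here.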
diff --git a/source/heimdal/kdc/kaserver.c b/source/heimdal/kdc/kaserver.c
index 15624e8..27f497e 100644
--- a/source/heimdal/kdc/kaserver.c
+++ b/source/heimdal/kdc/kaserver.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kaserver.c 21661 2007-07-22 01:57:17Z lha $");
+RCSID("$Id: kaserver.c 21654 2007-07-21 17:30:18Z lha $");
#include <krb5-v4compat.h>
#include <rx.h>
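Review bot: The RCSID in this hunk moves backwards, from `kaserver.c 21661 2007-07-22` to `kaserver.c 21654 2007-07-21`, while every other file in the merge moves forward, which suggests the merge picked up an older copy of kaserver.c rather than a newer one. Nothing else in the file is touched here, so the hunk cannot show whether any code from r21661 was lost; diffing kaserver.c against its previous revision before this lands would settle it.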
diff --git a/source/heimdal/kdc/kdc_locl.h b/source/heimdal/kdc/kdc_locl.h
index fdbdf27..fe05236 100644
--- a/source/heimdal/kdc/kdc_locl.h
+++ b/source/heimdal/kdc/kdc_locl.h
@@ -32,7 +32,7 @@
*/
/*
- * $Id: kdc_locl.h 20954 2007-06-07 03:30:15Z lha $
+ * $Id: kdc_locl.h 22247 2007-12-08 23:49:41Z lha $
*/
#ifndef __KDC_LOCL_H__
@@ -58,8 +58,7 @@ extern int detach_from_console;
extern const struct units _kdc_digestunits[];
-#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
-#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log"
+#define KDC_LOG_FILE "kdc.log"
extern struct timeval _kdc_now;
#define kdc_time (_kdc_now.tv_sec)
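Review bot: `KDC_LOG_FILE` replaces `DEFAULT_LOG_DEST` with a bare file name, so every consumer must now build the full log destination itself (log.c does this with `hdb_db_dir(context)`), and `_PATH_KDC_CONF` is removed with no replacement in this header, so any translation unit that still references either macro stops compiling. Say what the new define is relative to: `#define KDC_LOG_FILE "kdc.log" /* file name only; callers prefix hdb_db_dir(context) */`. Samba's own source/kdc/kdc.c appears in the diffstat, which is presumably where such a reference was updated, but that change is not in the truncated changeset.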
diff --git a/source/heimdal/kdc/kerberos5.c b/source/heimdal/kdc/kerberos5.c
index 40a9c9c..bc600a5 100644
--- a/source/heimdal/kdc/kerberos5.c
+++ b/source/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c 21529 2007-07-13 12:37:14Z lha $");
+RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -362,6 +362,13 @@ older_enctype(krb5_enctype enctype)
case ETYPE_DES3_CBC_SHA1:
case ETYPE_ARCFOUR_HMAC_MD5:
case ETYPE_ARCFOUR_HMAC_MD5_56:
+ /*
+ * The following three is "old" windows enctypes and is needed for
+ * windows 2000 hosts.
+ */
+ case ETYPE_ARCFOUR_MD4:
+ case ETYPE_ARCFOUR_HMAC_OLD:
+ case ETYPE_ARCFOUR_HMAC_OLD_EXP:
return 1;
default:
return 0;
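Review bot: The comment added above the three new `case ETYPE_ARCFOUR_*` labels has a grammar slip and does not say what these are, which matters because one of them (`ETYPE_ARCFOUR_HMAC_OLD_EXP`) is an export-strength variant and whatever `older_enctype`'s callers do with a 1 result is outside this hunk. Suggest: `/* The following three are pre-RFC "old" Windows RC4 enctypes, still needed to interoperate with Windows 2000 hosts. */`. `older_enctype` starts before the hunk.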
@@ -411,8 +418,8 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
*ent->salttype = key->salt->type;
#else
/*
- * We shouldn't sent salttype since its incompatible with the
- * specification and its break windows clients. The afs
+ * We shouldn't sent salttype since it is incompatible with the
+ * specification and it breaks windows clients. The afs
* salting problem is solved by using KRB5-PADATA-AFS3-SALT
* implemented in Heimdal 0.7 and later.
*/
@@ -472,11 +479,13 @@ get_pa_etype_info(krb5_context context,
free_ETYPE_INFO(&pa);
return ret;
}
+ break;
}
}
skip1:;
}
for(i = 0; i < client->keys.len; i++) {
+ /* already added? */
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j])
goto skip2;
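Review bot: `get_pa_etype_info` receives the dedup `break;` but not the `n >= pa.len` bounds abort that the companion hunk adds to `get_pa_etype_info2` at both of its fill sites; if this loop fills `pa.val[n++]` the same way (the write is just above the hunk, so it cannot be confirmed here), the same guard belongs before it and before the second loop's write as well. Otherwise the two functions now carry different overflow protection for the same construction. `get_pa_etype_info` begins outside the hunk.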
@@ -497,7 +506,7 @@ get_pa_etype_info(krb5_context context,
}
if(n < pa.len) {
- /* stripped out newer enctypes */
+ /* stripped out dups, newer enctypes, and not valid enctypes */
pa.len = n;
}
@@ -621,23 +630,29 @@ get_pa_etype_info2(krb5_context context,
if(client->keys.val[i].key.keytype == etypes[j]) {
if (krb5_enctype_valid(context, etypes[j]) != 0)
continue;
+ if (n >= pa.len)
+ krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info2_entry(&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO2(&pa);
return ret;
}
+ break;
}
}
skip1:;
}
- /* send enctypes that the cliene doesn't know about too */
+ /* send enctypes that the client doesn't know about too */
for(i = 0; i < client->keys.len; i++) {
+ /* already added? */
for(j = 0; j < etypes_len; j++) {
if(client->keys.val[i].key.keytype == etypes[j])
goto skip2;
}
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
continue;
+ if (n >= pa.len)
+ krb5_abortx(context, "internal error: n >= p.len");
if((ret = make_etype_info2_entry(&pa.val[n++],
&client->keys.val[i])) != 0) {
free_ETYPE_INFO2(&pa);
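Review bot: Both new guards abort with the message `"internal error: n >= p.len"` while the field being checked is `pa.len`; fix the text so a crash log points at the right variable. `krb5_abortx` also takes the whole KDC down on a condition that the request's enctype list drives; with the added `break;` the dedup should make it unreachable, but freeing `pa` and returning a non-zero `ret`, as the `make_etype_info2_entry` failure path directly beneath already does, would turn a future logic slip into one rejected request instead of an outage. The same applies to the second guard in the "client doesn't know about" loop.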
@@ -646,16 +661,8 @@ get_pa_etype_info2(krb5_context context,
skip2:;
}
- if(n != pa.len) {
- char *name;
- ret = krb5_unparse_name(context, client->principal, &name);
- if (ret)
- name = rk_UNCONST("<unparse_name failed>");
- kdc_log(context, config, 0,
- "internal error in get_pa_etype_info2(%s): %d != %d",
- name, n, pa.len);
- if (ret == 0)
- free(name);
+ if(n < pa.len) {
+ /* stripped out dups, and not valid enctypes */
pa.len = n;
}
@@ -1554,6 +1561,10 @@ _kdc_as_rep(krb5_context context,
* otherwise just a dummy lr.
*/
ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val));
+ if (ek.last_req.val == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
ek.last_req.len = 0;
if (client->entry.pw_end
&& (config->kdc_warn_pwexpire == 0
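Review bot: The new ENOMEM path jumps to `out` without setting an error string, unlike the `krb5_set_error_string` convention used elsewhere in this tree; consider `krb5_set_error_string(context, "malloc: out of memory");` before the `goto out`. At that point `ek.last_req.val` is NULL and `len` has not been set yet, so the cleanup at `out:` (outside the hunk, as is the rest of `_kdc_as_rep`) should be checked to make sure it tolerates a half-initialised `ek`.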
diff --git a/source/heimdal/kdc/krb5tgs.c b/source/heimdal/kdc/krb5tgs.c
index 4d6be60..32bdee9 100644
--- a/source/heimdal/kdc/krb5tgs.c
+++ b/source/heimdal/kdc/krb5tgs.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: krb5tgs.c 21262 2007-06-21 15:18:37Z lha $");
+RCSID("$Id: krb5tgs.c 22071 2007-11-14 20:04:50Z lha $");
/*
* return the realm of a krbtgt-ticket or NULL
@@ -822,7 +822,7 @@ tgs_make_reply(krb5_context context,
if(rspac->length) {
/*
* No not need to filter out the any PAC from the
- * auth_data since its signed by the KDC.
+ * auth_data since it's signed by the KDC.
*/
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
@@ -1099,11 +1099,14 @@ tgs_parse_request(krb5_context context,
ret = hdb_enctype2key(context, &(*krbtgt)->entry,
ap_req.ticket.enc_part.etype, &tkey);
if(ret){
- char *str, *p;
+ char *str = NULL, *p = NULL;
+
krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str);
krb5_unparse_name(context, princ, &p);
- kdc_log(context, config, 0,
- "No server key with enctype %s found for %s", str, p);
+ kdc_log(context, config, 0,
+ "No server key with enctype %s found for %s",
+ str ? str : "<unknown enctype>",
+ p ? p : "<unparse_name failed>");
free(str);
free(p);
ret = KRB5KRB_AP_ERR_BADKEYVER;
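Review bot: The NULL initialisers for `str` and `p` make the log line safe only if `krb5_enctype_to_string` and `krb5_unparse_name` leave their out-pointers untouched on failure; their return values are still discarded. Checking them, or at least casting to `(void)` with a comment that the fallback strings cover failure, makes the intent explicit: `(void)krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); /* str stays NULL on failure */`. `tgs_parse_request` begins outside the hunk.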
@@ -1163,8 +1166,10 @@ tgs_parse_request(krb5_context context,
}
if (b->enc_authorization_data) {
+ unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
krb5_keyblock *subkey;
krb5_data ad;
+
ret = krb5_auth_con_getremotesubkey(context,
ac,
&subkey);
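Review bot: The `usage` selection introduced here and completed in the next two hunks deserves a comment, because the number is a protocol fact rather than a local choice: RFC 4120 section 7.5.1 assigns key usage 4 to enc-authorization-data encrypted under the TGS session key and 5 to the same data encrypted under the authenticator subkey, and decrypting with the wrong usage fails. Suggest next to the declaration: `/* RFC 4120 7.5.1: usage 5 with an authenticator subkey, usage 4 when the session key is used */`. Before this change the subkey usage was applied even when `krb5_auth_con_getkey` supplied the session key, so the comment also records why the old single constant was wrong.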
@@ -1175,6 +1180,7 @@ tgs_parse_request(krb5_context context,
goto out;
}
if(subkey == NULL){
+ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
ret = krb5_auth_con_getkey(context, ac, &subkey);
if(ret) {
krb5_auth_con_free(context, ac);
@@ -1199,7 +1205,7 @@ tgs_parse_request(krb5_context context,
}
ret = krb5_decrypt_EncryptedData (context,
crypto,
- KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
+ usage,
b->enc_authorization_data,
&ad);
krb5_crypto_destroy(context, crypto);
@@ -1373,6 +1379,7 @@ server_lookup:
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
+ auth_data = NULL; /* ms don't handle AD in referals */
goto server_lookup;
}
}
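Review bot: `auth_data = NULL;` on the referral path here, and again in the next hunk, discards the client's authorization data without saying whether `auth_data` owned anything; if it holds decoded data produced from the `ad` buffer decrypted earlier in this function (the ownership is outside these hunks), the plain assignment leaks it. The comment should also spell out that the drop is deliberate and fix its spelling: `auth_data = NULL; /* deliberately dropped: Windows clients do not accept AuthorizationData in referrals */`. A debug-level log line at the same spot would help when a client later reports that restrictions it sent have vanished.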
@@ -1390,6 +1397,7 @@ server_lookup:
if (ret)
goto out;
krb5_free_host_realm(context, realms);
+ auth_data = NULL; /* ms don't handle AD in referals */
goto server_lookup;
}
krb5_free_host_realm(context, realms);
@@ -1431,8 +1439,8 @@ server_lookup:
}
/*
- * Check that service is in the same realm as the krbtgt. If its
- * not the same, its someone that is using a uni-directional trust
+ * Check that service is in the same realm as the krbtgt. If it's
+ * not the same, it's someone that is using a uni-directional trust
* backward.
*/
diff --git a/source/heimdal/kdc/log.c b/source/heimdal/kdc/log.c
index 977b1c9..8cf967f 100644
--- a/source/heimdal/kdc/log.c
+++ b/source/heimdal/kdc/log.c
@@ -32,7 +32,7 @@
*/
#include "kdc_locl.h"
-RCSID("$Id: log.c 15532 2005-06-30 01:54:49Z lha $");
+RCSID("$Id: log.c 22254 2007-12-09 06:01:05Z lha $");
void
kdc_openlog(krb5_context context,
@@ -47,8 +47,12 @@ kdc_openlog(krb5_context context,
for(p = s; *p; p++)
krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s);
- }else
- krb5_addlog_dest(context, config->logf, DEFAULT_LOG_DEST);
+ }else {
+ char *s;
+ asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
+ krb5_addlog_dest(context, config->logf, s);
+ free(s);
+ }
krb5_set_warn_dest(context, config->logf);
}
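Review bot: The `asprintf` building the default log destination is unchecked; on allocation failure glibc leaves `s` indeterminate, so `krb5_addlog_dest` receives a garbage pointer and `free(s)` then frees it. The same unchecked pattern appears in pkinit.c where `fn` is built from `hdb_db_dir(context)`. `kdc_openlog` is void, so either skip the destination or fail loudly: `if (asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE) < 0)` / `krb5_err(context, 1, ENOMEM, "asprintf");`. The inner `char *s;` also shadows the outer `s` iterated in the `if` branch, which `-Wshadow` will flag; a name such as `dest` avoids the confusion.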
diff --git a/source/heimdal/kdc/pkinit.c b/source/heimdal/kdc/pkinit.c
index ead9610..bf248af 100755
--- a/source/heimdal/kdc/pkinit.c
+++ b/source/heimdal/kdc/pkinit.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: pkinit.c 21290 2007-06-25 14:13:23Z lha $");
+RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $");
#ifdef PKINIT
@@ -1248,6 +1248,7 @@ out:
static int
match_rfc_san(krb5_context context,
krb5_kdc_configuration *config,
+ hx509_context hx509ctx,
hx509_cert client_cert,
krb5_const_principal match)
{
@@ -1256,7 +1257,8 @@ match_rfc_san(krb5_context context,
memset(&list, 0 , sizeof(list));
- ret = hx509_cert_find_subjectAltName_otherName(client_cert,
+ ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
+ client_cert,
oid_id_pkinit_san(),
&list);
if (ret)
@@ -1304,6 +1306,7 @@ out:
static int
match_ms_upn_san(krb5_context context,
krb5_kdc_configuration *config,
+ hx509_context hx509ctx,
hx509_cert client_cert,
krb5_const_principal match)
{
@@ -1315,7 +1318,8 @@ match_ms_upn_san(krb5_context context,
memset(&list, 0 , sizeof(list));
- ret = hx509_cert_find_subjectAltName_otherName(client_cert,
+ ret = hx509_cert_find_subjectAltName_otherName(hx509ctx,
+ client_cert,
oid_id_pkinit_ms_san(),
&list);
if (ret)
@@ -1376,7 +1380,7 @@ _kdc_pk_check_client(krb5_context context,
hx509_name name;
int i;
- ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
+ ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx,
client_params->cert,
&name);
if (ret)
@@ -1393,6 +1397,7 @@ _kdc_pk_check_client(krb5_context context,
if (config->pkinit_princ_in_cert) {
ret = match_rfc_san(context, config,
+ kdc_identity->hx509ctx,
client_params->cert,
client->entry.principal);
if (ret == 0) {
@@ -1401,6 +1406,7 @@ _kdc_pk_check_client(krb5_context context,
return 0;
}
ret = match_ms_upn_san(context, config,
+ kdc_identity->hx509ctx,
client_params->cert,
client->entry.principal);
if (ret == 0) {
@@ -1580,7 +1586,8 @@ _kdc_pk_initialize(krb5_context context,
char **pool,
char **revoke_list)
{
- const char *file;
+ const char *file;
+ char *fn = NULL;
krb5_error_code ret;
file = krb5_config_get_string(context, NULL,
@@ -1646,14 +1653,19 @@ _kdc_pk_initialize(krb5_context context,
NULL);
_krb5_pk_allow_proxy_certificate(kdc_identity, ret);
- file = krb5_config_get_string_default(context,
- NULL,
- HDB_DB_DIR "/pki-mapping",
- "kdc",
- "pkinit_mappings_file",
- NULL);
+ file = krb5_config_get_string(context,
+ NULL,
+ "kdc",
+ "pkinit_mappings_file",
+ NULL);
+ if (file == NULL) {
+ asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
+ file = fn;
+ }
load_mappings(context, file);
+ if (fn)
+ free(fn);
return 0;
}
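Review bot: `if (fn) free(fn);` can simply be `free(fn);` since `fn` is initialised to NULL in the earlier hunk and `free(NULL)` is a no-op. The `asprintf` that fills `fn` is unchecked, the same defect noted for log.c: on failure `file` takes an indeterminate pointer and is handed to `load_mappings`, so the call needs a `< 0` check before `file = fn;`. `load_mappings`'s result is still discarded, as it was before this change; `_kdc_pk_initialize` starts outside the hunk.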
diff --git a/source/heimdal/kuser/kinit.c b/source/heimdal/kuser/kinit.c
index 23fa7a5..2676309 100644
--- a/source/heimdal/kuser/kinit.c
+++ b/source/heimdal/kuser/kinit.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,7 +32,7 @@
*/
#include "kuser_locl.h"
-RCSID("$Id: kinit.c 21483 2007-07-10 16:40:46Z lha $");
+RCSID("$Id: kinit.c 22116 2007-12-03 21:22:58Z lha $");
#include "krb5-v4compat.h"
@@ -260,7 +260,7 @@ renew_validate(krb5_context context,
if (renew) {
/*
- * no need to check the error here, its only to be
+ * no need to check the error here, it's only to be
* friendly to the user
*/
krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
@@ -377,6 +377,7 @@ get_new_tickets(krb5_context context,
char *renewstr = NULL;
krb5_enctype *enctype = NULL;
struct ntlm_buf ntlmkey;
+ krb5_ccache tempccache;
memset(&ntlmkey, 0, sizeof(ntlmkey));
passwd[0] = '\0';
@@ -577,16 +578,25 @@ get_new_tickets(krb5_context context,
}
}
- ret = krb5_cc_initialize (context, ccache, cred.client);
+ ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
+ NULL, &tempccache);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_new_unique");
+
+ ret = krb5_cc_initialize (context, tempccache, cred.client);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
- ret = krb5_cc_store_cred (context, ccache, &cred);
+ ret = krb5_cc_store_cred (context, tempccache, &cred);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents (context, &cred);