[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Mon Jul 25 19:26:03 MDT 2011
The branch, master has been updated
via 51b94ab s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given
via 0b29853 s4:heimdal_build: hdb.asn1 needs --sequence=HDB-Ext-KeySet --sequence=Keys
via 5a8635b s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
from f1a59f9 Fix typo Loggs -> Logs.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 51b94ab3fd4d13ee38813eb7d20db11edaa667a8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 25 10:06:47 2011 +0200
s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given
Windows seems to always canonicalize the principal in TGS replies.
metze
Autobuild-User: Stefan Metzmacher <metze at samba.org>
Autobuild-Date: Tue Jul 26 03:25:06 CEST 2011 on sn-devel-104
commit 0b29853fd7383114fd398b531371c96f874e68d6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 25 11:06:18 2011 +0200
s4:heimdal_build: hdb.asn1 needs --sequence=HDB-Ext-KeySet --sequence=Keys
metze
commit 5a8635bca1b6d60a5b81c602eb4f0b7fd8902d7b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jul 25 18:51:53 2011 +0200
s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
-----------------------------------------------------------------------
Summary of changes:
source4/heimdal/kdc/default_config.c | 2 +-
source4/heimdal/kdc/kerberos5.c | 2 +-
source4/heimdal/kdc/krb5tgs.c | 12 ++-
source4/heimdal/kdc/misc.c | 2 +-
source4/heimdal/kdc/pkinit.c | 2 +-
source4/heimdal/kuser/kinit.c | 2 +-
source4/heimdal/lib/asn1/krb5.asn1 | 2 +-
source4/heimdal/lib/gssapi/gssapi/gssapi.h | 12 ++-
source4/heimdal/lib/gssapi/krb5/arcfour.c | 4 +-
source4/heimdal/lib/gssapi/krb5/get_mic.c | 15 ++-
source4/heimdal/lib/gssapi/krb5/unwrap.c | 15 ++-
source4/heimdal/lib/gssapi/krb5/verify_mic.c | 16 ++-
source4/heimdal/lib/gssapi/krb5/wrap.c | 30 +++---
source4/heimdal/lib/gssapi/version-script.map | 2 +-
source4/heimdal/lib/hcrypto/pkcs12.c | 9 ++-
source4/heimdal/lib/hdb/db.c | 22 ++++-
source4/heimdal/lib/hdb/ext.c | 64 +++++++++++
source4/heimdal/lib/hdb/hdb.asn1 | 25 +++-
source4/heimdal/lib/hdb/hdb.c | 5 +-
source4/heimdal/lib/hdb/hdb.h | 8 ++
source4/heimdal/lib/hdb/hdb_err.et | 1 +
source4/heimdal/lib/hdb/hdb_locl.h | 3 +
source4/heimdal/lib/hdb/keys.c | 143 +++++++++++++++++++++---
source4/heimdal/lib/hdb/mkey.c | 150 ++++++++++++++++++++++++-
source4/heimdal/lib/hdb/version-script.map | 24 +++-
source4/heimdal/lib/krb5/auth_context.c | 2 +-
source4/heimdal/lib/krb5/crypto-aes.c | 4 +-
source4/heimdal/lib/krb5/crypto-arcfour.c | 2 +-
source4/heimdal/lib/krb5/crypto-des.c | 4 +-
source4/heimdal/lib/krb5/crypto-des3.c | 4 +-
source4/heimdal/lib/krb5/crypto-null.c | 2 +-
source4/heimdal/lib/krb5/crypto.c | 32 ++++--
source4/heimdal/lib/krb5/crypto.h | 2 +-
source4/heimdal/lib/krb5/error_string.c | 15 +++
source4/heimdal/lib/krb5/get_cred.c | 5 +
source4/heimdal/lib/krb5/get_for_creds.c | 2 +-
source4/heimdal/lib/krb5/get_in_tkt.c | 2 +-
source4/heimdal/lib/krb5/init_creds_pw.c | 6 +-
source4/heimdal/lib/krb5/keyblock.c | 2 +-
source4/heimdal/lib/krb5/krb5.h | 11 ++-
source4/heimdal/lib/krb5/mit_glue.c | 2 +-
source4/heimdal/lib/krb5/version-script.map | 1 +
source4/heimdal_build/wscript_build | 1 +
source4/kdc/db-glue.c | 9 +-
44 files changed, 563 insertions(+), 117 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index fe977de..6fbf5fd 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -54,7 +54,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->as_use_strongest_session_key = FALSE;
c->preauth_use_strongest_session_key = FALSE;
c->tgs_use_strongest_session_key = FALSE;
- c->use_strongest_server_key = FALSE;
+ c->use_strongest_server_key = TRUE;
c->check_ticket_addresses = TRUE;
c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE;
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 4bc1619..c13abb7 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -978,7 +978,7 @@ _kdc_as_rep(krb5_context context,
krb5_crypto crypto;
Key *ckey, *skey;
EncryptionKey *reply_key = NULL, session_key;
- int flags = 0;
+ int flags = HDB_F_FOR_AS_REQ;
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 92cce57..6aad65d 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1216,7 +1216,7 @@ tgs_parse_request(krb5_context context,
}
if(ap_req.ticket.enc_part.kvno &&
- (unsigned int)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
+ *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p;
ret = krb5_unparse_name (context, princ, &p);
@@ -1508,6 +1508,7 @@ tgs_build_reply(krb5_context context,
Key *tkey_check;
Key *tkey_sign;
+ int flags = HDB_F_FOR_TGS_REQ;
memset(&sessionkey, 0, sizeof(sessionkey));
memset(&adtkt, 0, sizeof(adtkt));
@@ -1517,6 +1518,9 @@ tgs_build_reply(krb5_context context,
s = b->sname;
r = b->realm;
+ if (b->kdc_options.canonicalize)
+ flags |= HDB_F_CANON;
+
if(b->kdc_options.enc_tkt_in_skey){
Ticket *t;
hdb_entry_ex *uu;
@@ -1591,7 +1595,7 @@ tgs_build_reply(krb5_context context,
*/
server_lookup:
- ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | flags,
NULL, NULL, &server);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -1777,7 +1781,7 @@ server_lookup:
goto out;
}
- ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | flags,
NULL, &clientdb, &client);
if(ret == HDB_ERR_NOT_FOUND_HERE) {
/* This is OK, we are just trying to find out if they have
@@ -1912,7 +1916,7 @@ server_lookup:
if(rspac.data) {
krb5_pac p = NULL;
krb5_data_free(&rspac);
- ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ ret = _kdc_db_fetch(context, config, tp, HDB_F_GET_CLIENT | flags,
NULL, &s4u2self_impersonated_clientdb, &s4u2self_impersonated_client);
if (ret) {
const char *msg;
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index f9b3457..1b2c440 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -40,7 +40,7 @@ _kdc_db_fetch(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal principal,
unsigned flags,
- krb5int32 *kvno_ptr,
+ krb5uint32 *kvno_ptr,
HDB **db,
hdb_entry_ex **h)
{
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index a02cb81..d85b156 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -1420,7 +1420,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
memset(&rep, 0, sizeof(rep));
pa_type = KRB5_PADATA_PK_AS_REP_19;
- rep.element = choice_PA_PK_AS_REP_encKeyPack;
+ rep.element = choice_PA_PK_AS_REP_Win2k_encKeyPack;
ret = krb5_generate_random_keyblock(context, enctype,
&cp->reply_key);
diff --git a/source4/heimdal/kuser/kinit.c b/source4/heimdal/kuser/kinit.c
index e872fef..0b3876d 100644
--- a/source4/heimdal/kuser/kinit.c
+++ b/source4/heimdal/kuser/kinit.c
@@ -434,7 +434,7 @@ get_new_tickets(krb5_context context,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
- if ((pk_enterprise_flag || enterprise_flag || canonicalize_flag) && windows_flag)
+ if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
if (pk_user_id || ent_user_id || anonymous_flag) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
diff --git a/source4/heimdal/lib/asn1/krb5.asn1 b/source4/heimdal/lib/asn1/krb5.asn1
index 02fab7a..568fe0c 100644
--- a/source4/heimdal/lib/asn1/krb5.asn1
+++ b/source4/heimdal/lib/asn1/krb5.asn1
@@ -361,7 +361,7 @@ LastReq ::= SEQUENCE OF SEQUENCE {
EncryptedData ::= SEQUENCE {
etype[0] ENCTYPE, -- EncryptionType
- kvno[1] krb5int32 OPTIONAL,
+ kvno[1] krb5uint32 OPTIONAL,
cipher[2] OCTET STRING -- ciphertext
}
diff --git a/source4/heimdal/lib/gssapi/gssapi/gssapi.h b/source4/heimdal/lib/gssapi/gssapi/gssapi.h
index fa53a29..bbb2fd5 100644
--- a/source4/heimdal/lib/gssapi/gssapi/gssapi.h
+++ b/source4/heimdal/lib/gssapi/gssapi/gssapi.h
@@ -61,6 +61,11 @@
#endif
#endif
+/* Compatiblity with MIT Kerberos on the Mac */
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
+#pragma pack(push,2)
+#endif
+
#ifdef __cplusplus
#define GSSAPI_CPP_START extern "C" {
#define GSSAPI_CPP_END }
@@ -1041,7 +1046,8 @@ GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
gss_userok(const gss_name_t name,
const char *user);
-extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+extern GSSAPI_LIB_VARIABLE gss_buffer_desc __gss_c_attr_local_login_user;
+#define GSS_C_ATTR_LOCAL_LOGIN_USER (&__gss_c_attr_local_login_user)
/*
* Naming extensions
@@ -1105,6 +1111,10 @@ gss_name_to_oid(const char *name);
GSSAPI_CPP_END
+#if defined(__APPLE__) && (defined(__ppc__) || defined(__ppc64__) || defined(__i386__) || defined(__x86_64__))
+#pragma pack(pop)
+#endif
+
#undef GSSAPI_DEPRECATED_FUNCTION
#endif /* GSSAPI_GSSAPI_H_ */
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index 0264207..f5e41e4 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -86,7 +86,7 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
cksum_k5.checksum.data = k5_data;
cksum_k5.checksum.length = sizeof(k5_data);
- if (key->keytype == KEYTYPE_ARCFOUR_56) {
+ if (key->keytype == KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56) {
char L40[14] = "fortybits";
memcpy(L40 + 10, T, sizeof(T));
@@ -100,7 +100,7 @@ arcfour_mic_key(krb5_context context, krb5_keyblock *key,
if (ret)
return ret;
- key5.keytype = KEYTYPE_ARCFOUR;
+ key5.keytype = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5;
key5.keyvalue = cksum_k5.checksum;
cksum_k6.checksum.data = key6_data;
diff --git a/source4/heimdal/lib/gssapi/krb5/get_mic.c b/source4/heimdal/lib/gssapi/krb5/get_mic.c
index 0109ca7..d032d23 100644
--- a/source4/heimdal/lib/gssapi/krb5/get_mic.c
+++ b/source4/heimdal/lib/gssapi/krb5/get_mic.c
@@ -285,7 +285,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_get_mic
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_keyblock *key;
OM_uint32 ret;
- krb5_keytype keytype;
GSSAPI_KRB5_INIT (&context);
@@ -300,10 +299,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_get_mic
*minor_status = ret;
return GSS_S_FAILURE;
}
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
- switch (keytype) {
- case KEYTYPE_DES :
+ switch (key->keytype) {
+ case KRB5_ENCTYPE_DES_CBC_CRC :
+ case KRB5_ENCTYPE_DES_CBC_MD4 :
+ case KRB5_ENCTYPE_DES_CBC_MD5 :
#ifdef HEIM_WEAK_CRYPTO
ret = mic_des (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
@@ -311,12 +311,13 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_get_mic
ret = GSS_S_FAILURE;
#endif
break;
- case KEYTYPE_DES3 :
+ case KRB5_ENCTYPE_DES3_CBC_MD5 :
+ case KRB5_ENCTYPE_DES3_CBC_SHA1 :
ret = mic_des3 (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56:
ret = _gssapi_get_mic_arcfour (minor_status, ctx, context, qop_req,
message_buffer, message_token, key);
break;
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index d6bc204..b3da35e 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -392,7 +392,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
krb5_keyblock *key;
krb5_context context;
OM_uint32 ret;
- krb5_keytype keytype;
gsskrb5_ctx ctx = (gsskrb5_ctx) context_handle;
output_message_buffer->value = NULL;
@@ -414,12 +413,13 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
*minor_status = ret;
return GSS_S_FAILURE;
}
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
*minor_status = 0;
- switch (keytype) {
- case KEYTYPE_DES :
+ switch (key->keytype) {
+ case KRB5_ENCTYPE_DES_CBC_CRC :
+ case KRB5_ENCTYPE_DES_CBC_MD4 :
+ case KRB5_ENCTYPE_DES_CBC_MD5 :
#ifdef HEIM_WEAK_CRYPTO
ret = unwrap_des (minor_status, ctx,
input_message_buffer, output_message_buffer,
@@ -428,13 +428,14 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
ret = GSS_S_FAILURE;
#endif
break;
- case KEYTYPE_DES3 :
+ case KRB5_ENCTYPE_DES3_CBC_MD5 :
+ case KRB5_ENCTYPE_DES3_CBC_SHA1 :
ret = unwrap_des3 (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
break;
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56:
ret = _gssapi_unwrap_arcfour (minor_status, ctx, context,
input_message_buffer, output_message_buffer,
conf_state, qop_state, key);
diff --git a/source4/heimdal/lib/gssapi/krb5/verify_mic.c b/source4/heimdal/lib/gssapi/krb5/verify_mic.c
index 3123787..af06e0a 100644
--- a/source4/heimdal/lib/gssapi/krb5/verify_mic.c
+++ b/source4/heimdal/lib/gssapi/krb5/verify_mic.c
@@ -281,7 +281,6 @@ _gsskrb5_verify_mic_internal
{
krb5_keyblock *key;
OM_uint32 ret;
- krb5_keytype keytype;
if (ctx->more_flags & IS_CFX)
return _gssapi_verify_mic_cfx (minor_status, ctx,
@@ -296,9 +295,11 @@ _gsskrb5_verify_mic_internal
return GSS_S_FAILURE;
}
*minor_status = 0;
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
- switch (keytype) {
- case KEYTYPE_DES :
+
+ switch (key->keytype) {
+ case KRB5_ENCTYPE_DES_CBC_CRC :
+ case KRB5_ENCTYPE_DES_CBC_MD4 :
+ case KRB5_ENCTYPE_DES_CBC_MD5 :
#ifdef HEIM_WEAK_CRYPTO
ret = verify_mic_des (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key,
@@ -307,13 +308,14 @@ _gsskrb5_verify_mic_internal
ret = GSS_S_FAILURE;
#endif
break;
- case KEYTYPE_DES3 :
+ case KRB5_ENCTYPE_DES3_CBC_MD5 :
+ case KRB5_ENCTYPE_DES3_CBC_SHA1 :
ret = verify_mic_des3 (minor_status, ctx, context,
message_buffer, token_buffer, qop_state, key,
type);
break;
- case KEYTYPE_ARCFOUR :
- case KEYTYPE_ARCFOUR_56 :
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56:
ret = _gssapi_verify_mic_arcfour (minor_status, ctx,
context,
message_buffer, token_buffer,
diff --git a/source4/heimdal/lib/gssapi/krb5/wrap.c b/source4/heimdal/lib/gssapi/krb5/wrap.c
index efd0d82..4d095c8 100644
--- a/source4/heimdal/lib/gssapi/krb5/wrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/wrap.c
@@ -147,7 +147,6 @@ _gsskrb5_wrap_size_limit (
krb5_context context;
krb5_keyblock *key;
OM_uint32 ret;
- krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
GSSAPI_KRB5_INIT (&context);
@@ -164,23 +163,25 @@ _gsskrb5_wrap_size_limit (
*minor_status = ret;
return GSS_S_FAILURE;
}
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
- switch (keytype) {
- case KEYTYPE_DES :
+ switch (key->keytype) {
+ case KRB5_ENCTYPE_DES_CBC_CRC :
+ case KRB5_ENCTYPE_DES_CBC_MD4 :
+ case KRB5_ENCTYPE_DES_CBC_MD5 :
#ifdef HEIM_WEAK_CRYPTO
ret = sub_wrap_size(req_output_size, max_input_size, 8, 22);
#else
ret = GSS_S_FAILURE;
#endif
break;
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56:
ret = _gssapi_wrap_size_arcfour(minor_status, ctx, context,
conf_req_flag, qop_req,
req_output_size, max_input_size, key);
break;
- case KEYTYPE_DES3 :
+ case KRB5_ENCTYPE_DES3_CBC_MD5 :
+ case KRB5_ENCTYPE_DES3_CBC_SHA1 :
ret = sub_wrap_size(req_output_size, max_input_size, 8, 34);
break;
default :
@@ -538,7 +539,6 @@ _gsskrb5_wrap
krb5_context context;
krb5_keyblock *key;
OM_uint32 ret;
- krb5_keytype keytype;
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
output_message_buffer->value = NULL;
@@ -558,10 +558,11 @@ _gsskrb5_wrap
*minor_status = ret;
return GSS_S_FAILURE;
}
- krb5_enctype_to_keytype (context, key->keytype, &keytype);
- switch (keytype) {
- case KEYTYPE_DES :
+ switch (key->keytype) {
+ case KRB5_ENCTYPE_DES_CBC_CRC :
+ case KRB5_ENCTYPE_DES_CBC_MD4 :
+ case KRB5_ENCTYPE_DES_CBC_MD5 :
#ifdef HEIM_WEAK_CRYPTO
ret = wrap_des (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
@@ -570,13 +571,14 @@ _gsskrb5_wrap
ret = GSS_S_FAILURE;
#endif
break;
- case KEYTYPE_DES3 :
+ case KRB5_ENCTYPE_DES3_CBC_MD5 :
+ case KRB5_ENCTYPE_DES3_CBC_SHA1 :
ret = wrap_des3 (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
break;
- case KEYTYPE_ARCFOUR:
- case KEYTYPE_ARCFOUR_56:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5:
+ case KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56:
ret = _gssapi_wrap_arcfour (minor_status, ctx, context, conf_req_flag,
qop_req, input_message_buffer, conf_state,
output_message_buffer, key);
diff --git a/source4/heimdal/lib/gssapi/version-script.map b/source4/heimdal/lib/gssapi/version-script.map
index ebd8ee2..bcb79bf 100644
--- a/source4/heimdal/lib/gssapi/version-script.map
+++ b/source4/heimdal/lib/gssapi/version-script.map
@@ -14,7 +14,7 @@ HEIMDAL_GSS_2.0 {
__gss_c_attr_stream_sizes_oid_desc;
__gss_c_cred_password_oid_desc;
__gss_c_cred_certificate_oid_desc;
- GSS_C_ATTR_LOCAL_LOGIN_USER;
+ __gss_c_attr_local_login_user;
gss_accept_sec_context;
gss_acquire_cred;
gss_acquire_cred_with_password;
diff --git a/source4/heimdal/lib/hcrypto/pkcs12.c b/source4/heimdal/lib/hcrypto/pkcs12.c
index a890f01..ff0f776 100644
--- a/source4/heimdal/lib/hcrypto/pkcs12.c
+++ b/source4/heimdal/lib/hcrypto/pkcs12.c
@@ -55,6 +55,13 @@ PKCS12_key_gen(const void *key, size_t keylen,
unsigned char *outp = out;
int i, vlen;
+ /**
+ * The argument key is pointing to an utf16 string, and thus
+ * keylen that is no a multiple of 2 is invalid.
+ */
+ if (keylen & 1)
+ return 0;
+
ctx = EVP_MD_CTX_create();
if (ctx == NULL)
return 0;
@@ -83,7 +90,7 @@ PKCS12_key_gen(const void *key, size_t keylen,
* empty string, in the empty string the UTF16 NUL terminator is
* included into the string.
*/
- if (key && keylen >= 0) {
+ if (key) {
for (i = 0; i < vlen / 2; i++) {
I[(i * 2) + size_I] = 0;
I[(i * 2) + size_I + 1] = ((unsigned char*)key)[i % (keylen + 1)];
diff --git a/source4/heimdal/lib/hdb/db.c b/source4/heimdal/lib/hdb/db.c
index 69940ed..2ed054a 100644
--- a/source4/heimdal/lib/hdb/db.c
+++ b/source4/heimdal/lib/hdb/db.c
@@ -65,12 +65,24 @@ DB_lock(krb5_context context, HDB *db, int operation)
{
DB *d = (DB*)db->hdb_db;
int fd = (*d->fd)(d);
+ krb5_error_code ret;
+
+ if (db->lock_count > 0) {
+ db->lock_count++;
+ if (db->lock_type == HDB_WLOCK || db->lock_type == operation)
+ return 0;
+ }
+
if(fd < 0) {
krb5_set_error_message(context, HDB_ERR_CANT_LOCK_DB,
"Can't lock database: %s", db->hdb_name);
return HDB_ERR_CANT_LOCK_DB;
}
- return hdb_lock(fd, operation);
+ ret = hdb_lock(fd, operation);
+ if (ret)
+ return ret;
+ db->lock_count++;
+ return 0;
}
static krb5_error_code
@@ -78,6 +90,14 @@ DB_unlock(krb5_context context, HDB *db)
{
DB *d = (DB*)db->hdb_db;
int fd = (*d->fd)(d);
+
+ if (db->lock_count > 1) {
+ db->lock_count--;
+ return 0;
+ }
+ heim_assert(db->lock_count == 1, "HDB lock/unlock sequence does not match");
+ db->lock_count--;
+
if(fd < 0) {
krb5_set_error_message(context, HDB_ERR_CANT_LOCK_DB,
--
Samba Shared Repository
More information about the samba-cvs
mailing list