[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Nov 2 05:22:01 UTC 2022


The branch, master has been updated
       via  bf446bcf612 third_party/heimdal_build: Update fallthrough macro for switch statements
       via  ef28247f3bb third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)
       via  ab4c7bda8da heimdal: Fix the 32-bit build on FreeBSD
       via  074e9284971 third_party/heimdal: Introduce macro for common plugin structure elements
       via  6353f9e9c47 Add Heimdal test file test_base.c to bi-directional encoding ignore list
      from  bdbb38d16c8 s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bf446bcf612791c7fcf8284cca4061b651b7d4f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 28 14:34:31 2022 +1300

    third_party/heimdal_build: Update fallthrough macro for switch statements
    
    This is an adaptation to Heimdal:
    
    commit 133f5174820b34e2a12c3f3412bf554cae2ee22f
    Author: Daria Phoebe Brashear <dariaphoebe at auristor.com>
    Date:   Fri Sep 16 09:57:24 2022 -0400
    
        rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Nov  2 05:21:29 UTC 2022 on sn-devel-184

commit ef28247f3bbbd7cf9daed7a4dba28855496ce38e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 31 14:33:09 2022 +1300

    third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)
    
    This commit won't compile on it's own, as we need to fix the build system
    to cope in the next commit.
    
    The purpose of this commit is to update to a new lorikeet-heimdal tree
    that includes the previous two patches and is rebased on a current
    Heimdal master snapshot.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

commit ab4c7bda8daccdb99adaf6ec7fddf8b5f84be09a
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Jul 22 18:38:21 2022 +0200

    heimdal: Fix the 32-bit build on FreeBSD
    
    REF: https://github.com/heimdal/heimdal/pull/1004
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 074e92849715ed3485703cfbba3771d405e4e78a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Sat Oct 22 10:11:53 2022 +1300

    third_party/heimdal: Introduce macro for common plugin structure elements
    
    Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
    it, doesn't work on 32-bit builds due to structure fields being arranged
    in the wrong order. This problem presents itself in the form of
    segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
    builds thanks to extra structure padding absorbing the errant fields.
    
    This commit reorders the HDB plugin structure fields to prevent crashes
    and introduces a common macro to ensure every plugin presents a
    consistent interface.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6353f9e9c47d02dc0e18585bfaad48b2ce85441d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 27 13:07:34 2022 +1300

    Add Heimdal test file test_base.c to bi-directional encoding ignore list
    
    Heimdal commit c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2 introduces test data
    that triggers our LTR and RTL detection code.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/source_chars.py                 |    1 +
 third_party/heimdal/.github/workflows/osx.yml      |    6 +-
 third_party/heimdal/.github/workflows/windows.yml  |    2 +
 third_party/heimdal/admin/Makefile.am              |    1 +
 third_party/heimdal/admin/add.c                    |  178 +++-
 third_party/heimdal/admin/copy.c                   |   19 +-
 third_party/heimdal/admin/get.c                    |   38 +-
 third_party/heimdal/admin/ktutil-commands.in       |   33 +-
 third_party/heimdal/admin/ktutil.1                 |   72 +-
 third_party/heimdal/admin/list.c                   |  139 ++-
 third_party/heimdal/apply_heimdal.sh               |    6 +-
 third_party/heimdal/configure.ac                   |   20 +-
 third_party/heimdal/doc/Makefile.am                |    3 +-
 third_party/heimdal/doc/NTMakefile                 |    1 -
 third_party/heimdal/doc/apps.texi                  |  201 +---
 third_party/heimdal/doc/copyright.texi             |    2 -
 third_party/heimdal/doc/heimdal.texi               |   21 +-
 third_party/heimdal/doc/hx509.texi                 |    6 +-
 third_party/heimdal/doc/kerberos4.texi             |  173 ----
 third_party/heimdal/doc/migration.texi             |   12 +-
 third_party/heimdal/doc/misc.texi                  |    2 +-
 third_party/heimdal/doc/setup.texi                 |  164 +++-
 third_party/heimdal/doc/whatis.texi                |    6 +-
 third_party/heimdal/doc/win2k.texi                 |   15 +-
 third_party/heimdal/include/config.h.w32           |    4 +-
 third_party/heimdal/kadmin/NTMakefile              |   28 +-
 third_party/heimdal/kadmin/check.c                 |   15 +-
 third_party/heimdal/kadmin/cpw.c                   |   44 +-
 third_party/heimdal/kadmin/del.c                   |   29 +-
 third_party/heimdal/kadmin/ext.c                   |   12 +-
 third_party/heimdal/kadmin/get.c                   |   31 +-
 third_party/heimdal/kadmin/kadmin-commands.in      |   13 +
 third_party/heimdal/kadmin/kadmin.1                |   48 +-
 third_party/heimdal/kadmin/kadmin_locl.h           |    1 +
 third_party/heimdal/kadmin/kadmind.c               |    4 +
 third_party/heimdal/kadmin/mod.c                   |   72 +-
 third_party/heimdal/kadmin/rpc.c                   |    2 +-
 third_party/heimdal/kadmin/server.c                |  387 +++++++-
 third_party/heimdal/kadmin/util.c                  |  140 ++-
 third_party/heimdal/kcm/config.c                   |   12 +
 third_party/heimdal/kcm/events.c                   |    2 +-
 third_party/heimdal/kcm/kcm_locl.h                 |    1 +
 third_party/heimdal/kdc/Makefile.am                |    1 +
 third_party/heimdal/kdc/bx509d.8                   |  257 ++++-
 third_party/heimdal/kdc/bx509d.c                   | 1031 +++++++++++++++++---
 third_party/heimdal/kdc/csr_authorizer_plugin.h    |    4 +-
 third_party/heimdal/kdc/digest-service.c           |    2 +-
 third_party/heimdal/kdc/digest.c                   |    2 +-
 third_party/heimdal/kdc/gss_preauth.c              |    2 +-
 .../heimdal/kdc/gss_preauth_authorizer_plugin.h    |    4 +-
 third_party/heimdal/kdc/httpkadmind.8              |  243 ++++-
 third_party/heimdal/kdc/httpkadmind.c              |  607 ++++++++++--
 third_party/heimdal/kdc/kdc-plugin.h               |    4 +-
 third_party/heimdal/kdc/process.c                  |   27 +
 third_party/heimdal/kdc/simple_csr_authorizer.c    |    8 +-
 third_party/heimdal/kdc/token_validator_plugin.h   |    4 +-
 third_party/heimdal/kuser/Makefile.am              |    1 +
 third_party/heimdal/kuser/kinit.c                  |   10 +-
 third_party/heimdal/kuser/klist.c                  |  464 +++++++--
 third_party/heimdal/lib/asn1/asn1_compile.1        |    5 +
 third_party/heimdal/lib/asn1/gen_copy.c            |    2 +-
 third_party/heimdal/lib/asn1/gen_encode.c          |    4 +-
 third_party/heimdal/lib/asn1/gen_free.c            |    2 +-
 third_party/heimdal/lib/asn1/gen_template.c        |    4 +-
 third_party/heimdal/lib/asn1/main.c                |    8 +
 third_party/heimdal/lib/asn1/template.c            |    4 +-
 third_party/heimdal/lib/base/common_plugin.h       |    6 +-
 third_party/heimdal/lib/base/heimbase-svc.h        |    5 +
 third_party/heimdal/lib/base/heimbase.h            |   30 +-
 third_party/heimdal/lib/base/heimbasepriv.h        |   23 -
 third_party/heimdal/lib/base/json.c                |  864 ++++++++++++++--
 third_party/heimdal/lib/base/log.c                 |    5 +-
 third_party/heimdal/lib/base/plugin.c              |    2 +-
 third_party/heimdal/lib/base/string.c              |    5 +-
 third_party/heimdal/lib/base/test_base.c           |  340 ++++++-
 third_party/heimdal/lib/base/version-script.map    |    2 +
 third_party/heimdal/lib/gssapi/Makefile.am         |   12 +-
 third_party/heimdal/lib/gssapi/gss-token.c         |    6 +-
 third_party/heimdal/lib/gssapi/krb5/8003.c         |    2 +-
 .../heimdal/lib/gssapi/krb5/init_sec_context.c     |    2 +-
 third_party/heimdal/lib/gssapi/netlogon/crypto.c   |    2 +-
 third_party/heimdal/lib/gssapi/ntlm/crypto.c       |    2 +-
 third_party/heimdal/lib/hcrypto/des.c              |    2 +-
 third_party/heimdal/lib/hcrypto/dh.c               |    2 +-
 third_party/heimdal/lib/hcrypto/dsa.c              |    2 +-
 third_party/heimdal/lib/hcrypto/engine.c           |    2 +-
 third_party/heimdal/lib/hcrypto/evp-openssl.c      |    4 +-
 third_party/heimdal/lib/hcrypto/evp.c              |   10 +-
 third_party/heimdal/lib/hcrypto/hmac.c             |    6 +-
 third_party/heimdal/lib/hcrypto/md2.c              |    2 +-
 third_party/heimdal/lib/hcrypto/passwd_dlg.c       |    4 +-
 third_party/heimdal/lib/hcrypto/rand-fortuna.c     |    2 +-
 third_party/heimdal/lib/hcrypto/rc2.c              |    2 +-
 third_party/heimdal/lib/hcrypto/rsa.c              |    4 +-
 third_party/heimdal/lib/hdb/Makefile.am            |    4 +-
 third_party/heimdal/lib/hdb/common.c               |  195 +++-
 third_party/heimdal/lib/hdb/hdb-ldap.c             |    3 +-
 third_party/heimdal/lib/hdb/hdb-mdb.c              |    2 +-
 third_party/heimdal/lib/hdb/hdb.asn1               |    2 +
 third_party/heimdal/lib/hdb/hdb.c                  |   40 +-
 third_party/heimdal/lib/hdb/hdb.h                  |    4 +-
 third_party/heimdal/lib/hdb/hdb.opt                |    4 +
 third_party/heimdal/lib/hdb/keytab.c               |    5 +-
 third_party/heimdal/lib/hdb/test_namespace.c       |    8 +-
 third_party/heimdal/lib/hx509/cert.c               |    2 +-
 third_party/heimdal/lib/hx509/cms.c                |    2 +-
 third_party/heimdal/lib/hx509/file.c               |    2 +-
 third_party/heimdal/lib/hx509/hxtool.1             |  207 ++++
 third_party/heimdal/lib/hx509/hxtool.c             |   68 +-
 third_party/heimdal/lib/hx509/req.c                |    8 +-
 third_party/heimdal/lib/ipc/server.c               |   46 +-
 third_party/heimdal/lib/kadm5/ad.c                 |   38 +-
 third_party/heimdal/lib/kadm5/common_glue.c        |   15 +
 third_party/heimdal/lib/kadm5/context_s.c          |   10 +-
 third_party/heimdal/lib/kadm5/create_s.c           |    8 +
 third_party/heimdal/lib/kadm5/destroy_s.c          |   12 +-
 third_party/heimdal/lib/kadm5/get_c.c              |    2 +-
 third_party/heimdal/lib/kadm5/get_princs_c.c       |  186 +++-
 third_party/heimdal/lib/kadm5/get_princs_s.c       |  124 ++-
 third_party/heimdal/lib/kadm5/init_c.c             |   52 +
 third_party/heimdal/lib/kadm5/init_s.c             |   15 +
 third_party/heimdal/lib/kadm5/iprop.8              |   46 +-
 third_party/heimdal/lib/kadm5/ipropd_slave.c       |   46 +-
 third_party/heimdal/lib/kadm5/kadm5-hook.h         |    6 +-
 .../heimdal/lib/kadm5/libkadm5srv-exports.def      |    2 +
 third_party/heimdal/lib/kadm5/private.h            |    2 +
 .../heimdal/lib/kadm5/version-script-client.map    |    5 +
 third_party/heimdal/lib/kadm5/version-script.map   |    2 +
 third_party/heimdal/lib/kafs/kafs_locl.h           |    1 -
 third_party/heimdal/lib/kafs/rxkad_kdf.c           |    2 +-
 third_party/heimdal/lib/krb5/Makefile.am           |    1 -
 third_party/heimdal/lib/krb5/NTMakefile            |   12 +-
 third_party/heimdal/lib/krb5/an2ln_plugin.h        |    6 +-
 third_party/heimdal/lib/krb5/aname_to_localname.c  |    1 +
 third_party/heimdal/lib/krb5/changepw.c            |    2 +-
 third_party/heimdal/lib/krb5/context.c             |  115 ++-
 third_party/heimdal/lib/krb5/convert_creds.c       |    3 -
 third_party/heimdal/lib/krb5/db_plugin.h           |    6 +-
 third_party/heimdal/lib/krb5/kcm.c                 |    3 +-
 third_party/heimdal/lib/krb5/keytab.c              |    3 +-
 third_party/heimdal/lib/krb5/krb5-v4compat.h       |  139 ---
 third_party/heimdal/lib/krb5/kuserok_plugin.h      |    6 +-
 third_party/heimdal/lib/krb5/locate_plugin.h       |    6 +-
 third_party/heimdal/lib/krb5/pac.c                 |    5 +-
 third_party/heimdal/lib/krb5/pkinit.c              |   12 +-
 third_party/heimdal/lib/krb5/send_to_kdc.c         |    4 +-
 third_party/heimdal/lib/krb5/send_to_kdc_plugin.h  |    5 +-
 third_party/heimdal/lib/krb5/store.c               |    2 +
 third_party/heimdal/lib/krb5/ticket.c              |    2 +-
 third_party/heimdal/lib/libedit/config.h.in        |  100 +-
 third_party/heimdal/lib/ntlm/digest.c              |    2 +-
 third_party/heimdal/lib/ntlm/ntlm.c                |    8 +-
 third_party/heimdal/lib/otp/otp_verify.c           |    2 +-
 third_party/heimdal/lib/roken/Makefile.am          |    2 +-
 third_party/heimdal/lib/roken/base32.c             |    8 +-
 third_party/heimdal/lib/roken/dirent-test.c        |    4 +-
 third_party/heimdal/lib/roken/fnmatch.c            |    2 +-
 third_party/heimdal/lib/roken/getaddrinfo.c        |    4 +-
 third_party/heimdal/lib/roken/getuserinfo.c        |    2 +-
 third_party/heimdal/lib/roken/parse_units.c        |    3 +-
 third_party/heimdal/lib/roken/parse_units.h        |    4 +-
 third_party/heimdal/lib/roken/snprintf.c           |    2 +-
 third_party/heimdal/lib/roken/strftime.c           |    2 +-
 third_party/heimdal/lib/roken/strptime.c           |    2 +-
 third_party/heimdal/lib/sl/slc-gram.y              |    2 +-
 third_party/heimdal/lib/wind/utf8.c                |   14 +-
 .../heimdal/packages/windows/sdk/NTMakefile        |    2 -
 third_party/heimdal/tests/gss/krb5.conf.in         |    1 +
 third_party/heimdal/tests/kdc/check-bx509.in       |  283 +++++-
 third_party/heimdal/tests/kdc/check-httpkadmind.in |  177 +++-
 third_party/heimdal/tests/kdc/check-kadmin.in      |  236 +++--
 third_party/heimdal/tests/kdc/check-kdc.in         |    6 +-
 third_party/heimdal/tests/kdc/check-referral.in    |   94 +-
 .../heimdal/tests/kdc/krb5-httpkadmind.conf.in     |    6 +
 third_party/heimdal/tests/kdc/krb5.conf.in         |    3 +
 third_party/heimdal/windows/README.md              |   61 +-
 third_party/heimdal_build/config.h                 |    2 +-
 177 files changed, 6738 insertions(+), 1821 deletions(-)
 delete mode 100644 third_party/heimdal/doc/kerberos4.texi
 create mode 100644 third_party/heimdal/lib/hx509/hxtool.1
 delete mode 100644 third_party/heimdal/lib/krb5/krb5-v4compat.h


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py
index 856a27b0d1a..f0351b67a91 100644
--- a/python/samba/tests/source_chars.py
+++ b/python/samba/tests/source_chars.py
@@ -110,6 +110,7 @@ SAFE_FORMAT_CHARS = {
 # In the real world mixing directions would be normal in bilingual
 # documents, but it is rare in Samba source code.
 BIDI_FILES = {
+    'third_party/heimdal/lib/base/test_base.c',
     'third_party/heimdal/lib/wind/NormalizationTest.txt',
     'testdata/source-chars-bidi.py',
 }
diff --git a/third_party/heimdal/.github/workflows/osx.yml b/third_party/heimdal/.github/workflows/osx.yml
index 342f850f1c7..3463e99b6e9 100644
--- a/third_party/heimdal/.github/workflows/osx.yml
+++ b/third_party/heimdal/.github/workflows/osx.yml
@@ -66,7 +66,7 @@ jobs:
                 echo "bison, flex, ncurses, texinfo, and unzip are in the base OS."
                 echo "berkeley-db, perl, python, curl, and jq are installed in the"
                 echo "base image already."
-                brew install autoconf automake libtool cpanm
+                brew install autoconf automake libtool cpanm texinfo texi2html
                 sudo cpanm install JSON
             - name: Clone repository
               uses: actions/checkout at v1
@@ -79,8 +79,10 @@ jobs:
                 /bin/sh ./autogen.sh
                 mkdir build
                 cd build
-                ../configure --srcdir=`dirname "$PWD"` --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
+                ../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
                 ulimit -c unlimited
+                PATH=/usr/local/opt/texinfo/bin:$PATH
+                export PATH
                 make -j4
             #- name: Setup upterm session
             #  uses: lhotari/action-upterm at v1
diff --git a/third_party/heimdal/.github/workflows/windows.yml b/third_party/heimdal/.github/workflows/windows.yml
index f1c187c397a..0d3bad83b21 100644
--- a/third_party/heimdal/.github/workflows/windows.yml
+++ b/third_party/heimdal/.github/workflows/windows.yml
@@ -4,6 +4,7 @@ on:
     push:
       branches:
          - 'master'
+         - 'windows-build'
          - 'heimdal-7-1-branch'
       paths:
          - '!docs/**'
@@ -76,6 +77,7 @@ jobs:
                 pacman --noconfirm -S bison
                 pacman --noconfirm -S perl
                 pacman --noconfirm -S perl-JSON
+                pacman --noconfirm -S texinfo
                 set PATH=%PATH%;%wix%bin
                 title Heimdal Build %CPU% %dbg__type%
                 set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop"
diff --git a/third_party/heimdal/admin/Makefile.am b/third_party/heimdal/admin/Makefile.am
index a4a7bb4c0f9..1821d4b2e4b 100644
--- a/third_party/heimdal/admin/Makefile.am
+++ b/third_party/heimdal/admin/Makefile.am
@@ -37,6 +37,7 @@ LDADD = \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
 	$(top_builddir)/lib/sl/libsl.la \
+	$(LIB_heimbase) \
 	$(LIB_readline) \
 	$(LIB_roken)
 
diff --git a/third_party/heimdal/admin/add.c b/third_party/heimdal/admin/add.c
index 13580b9bb57..5f1920ff8be 100644
--- a/third_party/heimdal/admin/add.c
+++ b/third_party/heimdal/admin/add.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2022 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  *
@@ -32,6 +32,8 @@
  */
 
 #include "ktutil_locl.h"
+#include <heimbase.h>
+#include <base64.h>
 
 RCSID("$Id$");
 
@@ -153,6 +155,178 @@ kt_add(struct add_options *opt, int argc, char **argv)
 	krb5_warn(context, ret, "add");
  out:
     krb5_kt_free_entry(context, &entry);
-    krb5_kt_close(context, keytab);
+    if (ret == 0) {
+        ret = krb5_kt_close(context, keytab);
+        if (ret)
+            krb5_warn(context, ret, "Could not write the keytab");
+    } else {
+        krb5_kt_close(context, keytab);
+    }
+    return ret != 0;
+}
+
+/* We might be reading from a pipe, so we can't use rk_undumpdata() */
+static char *
+read_file(FILE *f)
+{
+    size_t alloced;
+    size_t len = 0;
+    size_t bytes;
+    char *res, *end, *p;
+
+    if ((res = malloc(1024)) == NULL)
+        err(1, "Out of memory");
+    alloced = 1024;
+
+    end = res + alloced;
+    p = res;
+    do {
+        if (p == end) {
+            char *tmp;
+
+            if ((tmp = realloc(res, alloced + (alloced > 1))) == NULL)
+                err(1, "Out of memory");
+            alloced += alloced > 1;
+            p = tmp + (p - res);
+            res = tmp;
+            end = res + alloced;
+        }
+        bytes = fread(p, 1, end - p, f);
+        len += bytes;
+        p += bytes;
+    } while (bytes && !feof(f) && !ferror(f));
+
+    if (ferror(f))
+        errx(1, "Could not read all input");
+    if (p == end) {
+        char *tmp;
+
+        if ((tmp = strndup(res, len)) == NULL)
+            err(1, "Out of memory");
+        free(res);
+        res = tmp;
+    }
+    if (strlen(res) != len)
+        err(1, "Embedded NULs in input!");
+    return res;
+}
+
+static void
+json2keytab_entry(heim_dict_t d, krb5_keytab kt, size_t idx)
+{
+    krb5_keytab_entry e;
+    krb5_error_code ret;
+    heim_object_t v;
+    uint64_t u;
+    int64_t i;
+    char *buf = NULL;
+
+    memset(&e, 0, sizeof(e));
+
+    v = heim_dict_get_value(d, HSTR("timestamp"));
+    if (heim_get_tid(v) != HEIM_TID_NUMBER)
+        goto bad;
+    u = heim_number_get_long(v);
+    e.timestamp = u;
+    if (u != (uint64_t)e.timestamp)
+        goto bad;
+
+    v = heim_dict_get_value(d, HSTR("kvno"));
+    if (heim_get_tid(v) != HEIM_TID_NUMBER)
+        goto bad;
+    i = heim_number_get_long(v);
+    e.vno = i;
+    if (i != (int64_t)e.vno)
+        goto bad;
+
+    v = heim_dict_get_value(d, HSTR("enctype_number"));
+    if (heim_get_tid(v) != HEIM_TID_NUMBER)
+        goto bad;
+    i = heim_number_get_long(v);
+    e.keyblock.keytype = i;
+    if (i != (int64_t)e.keyblock.keytype)
+        goto bad;
+
+    v = heim_dict_get_value(d, HSTR("key"));
+    if (heim_get_tid(v) != HEIM_TID_STRING)
+        goto bad;
+    {
+        const char *s = heim_string_get_utf8(v);
+        int declen;
+
+        if ((buf = malloc(strlen(s))) == NULL)
+            err(1, "Out of memory");
+        declen = rk_base64_decode(s, buf);
+        if (declen < 0)
+            goto bad;
+        e.keyblock.keyvalue.data = buf;
+        e.keyblock.keyvalue.length = declen;
+    }
+
+    v = heim_dict_get_value(d, HSTR("principal"));
+    if (heim_get_tid(v) != HEIM_TID_STRING)
+        goto bad;
+    ret = krb5_parse_name(context, heim_string_get_utf8(v), &e.principal);
+    if (ret == 0)
+        ret = krb5_kt_add_entry(context, kt, &e);
+
+    /* For now, ignore aliases; besides, they're never set anywhere in-tree */
+
+    if (ret)
+        krb5_warn(context, ret,
+                  "Could not parse or write keytab entry %lu",
+                  (unsigned long)idx);
+bad:
+    krb5_free_principal(context, e.principal);
+}
+
+int
+kt_import(void *opt, int argc, char **argv)
+{
+    krb5_error_code ret;
+    krb5_keytab kt;
+    heim_object_t o;
+    heim_error_t json_err = NULL;
+    heim_json_flags_t flags = HEIM_JSON_F_STRICT;
+    FILE *f = argc == 0 ? stdin : fopen(argv[0], "r");
+    size_t alen, i;
+    char *json;
+
+    if (f == NULL)
+        err(1, "Could not open file %s", argv[0]);
+
+    json = read_file(f);
+    o = heim_json_create(json, 10, flags, &json_err);
+    free(json);
+    if (o == NULL) {
+        if (json_err != NULL) {
+            o = heim_error_copy_string(json_err);
+            if (o)
+                errx(1, "Could not parse JSON: %s", heim_string_get_utf8(o));
+        }
+        errx(1, "Could not parse JSON");
+    }
+
+    if (heim_get_tid(o) != HEIM_TID_ARRAY)
+        errx(1, "JSON text must be an array");
+
+    alen = heim_array_get_length(o);
+    if (alen == 0)
+        errx(1, "Empty JSON array; not overwriting keytab");
+
+    if ((kt = ktutil_open_keytab()) == NULL)
+	err(1, "Could not open keytab");
+
+    for (i = 0; i < alen; i++) {
+        heim_object_t e = heim_array_get_value(o, i);
+
+        if (heim_get_tid(e) != HEIM_TID_DICT)
+            warnx("Element %ld of JSON text array is not an object", (long)i);
+        else
+            json2keytab_entry(heim_array_get_value(o, i), kt, i);
+    }
+    ret = krb5_kt_close(context, kt);
+    if (ret)
+        krb5_warn(context, ret, "Could not write the keytab");
     return ret != 0;
 }
diff --git a/third_party/heimdal/admin/copy.c b/third_party/heimdal/admin/copy.c
index 7b50de1c3cb..8acd6e48ed0 100644
--- a/third_party/heimdal/admin/copy.c
+++ b/third_party/heimdal/admin/copy.c
@@ -47,7 +47,7 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b)
 }
 
 int
-kt_copy (void *opt, int argc, char **argv)
+kt_copy (struct copy_options *opt, int argc, char **argv)
 {
     krb5_error_code ret;
     krb5_keytab src_keytab, dst_keytab;
@@ -106,11 +106,18 @@ kt_copy (void *opt, int argc, char **argv)
 			   "already exists for %s, keytype %s, kvno %d",
 			   name_str, etype_str, entry.vno);
 	    }
-	    krb5_kt_free_entry(context, &dummy);
-	    krb5_kt_free_entry (context, &entry);
-	    free(name_str);
-	    free(etype_str);
-	    continue;
+            if (!opt->copy_duplicates_flag) {
+                krb5_kt_free_entry(context, &dummy);
+                krb5_kt_free_entry (context, &entry);
+                free(name_str);
+                free(etype_str);
+                continue;
+            }
+            /*
+             * Because we can end up trying all keys that match the enctype,
+             * copying entries with duplicate principal, vno, and enctype, but
+             * different keys, can be useful.
+             */
 	} else if(ret != KRB5_KT_NOTFOUND) {
 	    krb5_warn (context, ret, "%s: fetching %s/%s/%u",
 		       to, name_str, etype_str, entry.vno);
diff --git a/third_party/heimdal/admin/get.c b/third_party/heimdal/admin/get.c
index f56e50f4359..ecd6f6a160e 100644
--- a/third_party/heimdal/admin/get.c
+++ b/third_party/heimdal/admin/get.c
@@ -197,23 +197,27 @@ kt_get(struct get_options *opt, int argc, char **argv)
 		break;
 	}
 
-	ret = kadm5_create_principal(kadm_handle, &princ, mask, "thisIs_aUseless.password123");
-	if(ret == 0)
-	    created = 1;
-	else if(ret != KADM5_DUP) {
-	    krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
-	    krb5_free_principal(context, princ_ent);
-	    failed++;
-	    continue;
-	}
-        ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks,
-                                        &keys, &n_keys);
-	if (ret) {
-	    krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
-	    krb5_free_principal(context, princ_ent);
-	    failed++;
-	    continue;
-	}
+        if (opt->create_flag) {
+            ret = kadm5_create_principal(kadm_handle, &princ, mask, "thisIs_aUseless.password123");
+            if(ret == 0)
+                created = 1;
+            else if(ret != KADM5_DUP) {
+                krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
+                krb5_free_principal(context, princ_ent);
+                failed++;
+                continue;
+            }
+        }
+        if (opt->change_keys_flag) {
+            ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks,
+                                            &keys, &n_keys);
+            if (ret) {
+                krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
+                krb5_free_principal(context, princ_ent);
+                failed++;
+                continue;
+            }
+        }
 
 	ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
 			      KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
diff --git a/third_party/heimdal/admin/ktutil-commands.in b/third_party/heimdal/admin/ktutil-commands.in
index 2b771e931a1..a85eb5c5715 100644
--- a/third_party/heimdal/admin/ktutil-commands.in
+++ b/third_party/heimdal/admin/ktutil-commands.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004-2022 Kungliga Tekniska Högskolan
  * (Royal Institute of Technology, Stockholm, Sweden). 
  * All rights reserved. 
  *
@@ -151,11 +151,17 @@ command = {
 }
 command = {
 	name = "copy"
+	name = "merge"
 	function = "kt_copy"
+	option = {
+		long = "copy-duplicates"
+		type = "flag"
+		help = "copy entries for the same principal and kvno, but different keys"
+	}
 	argument = "source destination"
 	min_args = "2"
 	max_args = "2"
-	help = "Copies one keytab to another."
+	help = "Merges one keytab into another."
 }
 command = {
 	name = "get"
@@ -166,6 +172,16 @@ command = {
 		help = "admin principal"
 		argument = "principal"
 	}
+	option = {
+		long = "create"
+		type = "-flag"
+		help = "do not create the principal"
+	}
+	option = {
+		long = "change-keys"
+		type = "-flag"
+		help = "do not change the principal's keys"
+	}
 	option = {
 		long = "enctypes"
 		short = "e"
@@ -214,6 +230,14 @@ command = {
 	argument = "principal..."
 	help = "Change keys for specified principals, and add them to the keytab."
 }
+command = {
+	name = "import"
+	function = "kt_import"
+	help = "Imports a keytab from JSON output of ktutil list --json --keys."
+        min_args = "0"
+        max_args = "1"
+	argument = "JSON-FILE"
+}
 command = {
 	name = "list"
 	option = {
@@ -226,6 +250,11 @@ command = {
 		type = "flag"
 		help = "show timestamps"
 	}
+	option = {
+		long = "json"
+		type = "flag"
+		help = "output JSON representation"
+	}
 	max_args = "0"
 	function = "kt_list"
 	help = "Show contents of keytab."
diff --git a/third_party/heimdal/admin/ktutil.1 b/third_party/heimdal/admin/ktutil.1
index 125b5e8f0d5..0036edcbd9b 100644
--- a/third_party/heimdal/admin/ktutil.1
+++ b/third_party/heimdal/admin/ktutil.1
@@ -60,7 +60,7 @@ Verbose output.
 .Ar command
 can be one of the following:
 .Bl -tag -width srvconvert
-.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
+.It Nm add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
 Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
 Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
 Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
@@ -72,7 +72,7 @@ principal to add; if what you really want is to add a new principal to
 the keytab, you should consider the
 .Ar get
 command, which talks to the kadmin server.
-.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
+.It Nm change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
 Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
 Oo Fl Fl enctype= Ns Ar enctype Oc \
 Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
@@ -82,30 +82,68 @@ server for the realm of a keytab entry.  Otherwise it will use the
 values specified by the options.
 .Pp
 If no principals are given, all the ones in the keytab are updated.
-.It copy Ar keytab-src Ar keytab-dest
+.It Nm copy Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest
 Copies all the entries from
 .Ar keytab-src
 to
 .Ar keytab-dest .
-.It get Oo Fl p Ar admin principal Oc \
+Because entries already in
+.Ar keytab-dest
+are kept, this command functions to merge keytabs.
+Entries for the same principal, key version number, and
+encryption type in the
+.Ar keytab-src
+that are also in the
+.Ar keytab-dest
+will not be copied to the
+.Ar keytab-dest
+unless the
+.Fl Fl copy-duplicates
+option is given.
+.It Nm get Oo Fl p Ar admin principal Oc \
 Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl no-create Oc \
+Oo Fl Fl no-change-keys Oc \
 Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
 Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
 Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
 Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
 Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
+.Pp
 For each
 .Ar principal ,
-generate a new key for it (creating it if it doesn't already exist),
-and put that key in the keytab.
+get a the principal's keys from the KDC via the kadmin protocol,
+creating the principal if it doesn't exist (unless
+.Fl Fl no-create
+is given), and changing its keys to new random keys (unless
+.Fl Fl no-change-keys
+is given).
 .Pp
 If no
 .Ar realm
 is specified, the realm to operate on is taken from the first
 principal.


-- 
Samba Shared Repository



More information about the samba-cvs mailing list