The branch, v4-0-test has been updated via 400c16e7004bc3a881bb6efb99a273cdac87f70c (commit) via d88b530522d3cef67c24422bd5182fb875d87ee2 (commit) from b7dad8674a3aaa27bc1103a83be75434d413239b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit 400c16e7004bc3a881bb6efb99a273cdac87f70c Merge: d88b530522d3cef67c24422bd5182fb875d87ee2 b7dad8674a3aaa27bc1103a83be75434d413239b Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Wed Mar 19 10:18:35 2008 +1100 Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local commit d88b530522d3cef67c24422bd5182fb875d87ee2 Author: Andrew Bartlett <[EMAIL PROTECTED]> Date: Wed Mar 19 10:17:42 2008 +1100 Merge lorikeet-heimdal -r 787 into Samba4 tree. Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: source/heimdal/kdc/digest.c | 26 +- source/heimdal/kdc/kaserver.c | 2 +- source/heimdal/kdc/kdc_locl.h | 5 +- source/heimdal/kdc/kerberos5.c | 41 +- source/heimdal/kdc/krb5tgs.c | 24 +- source/heimdal/kdc/log.c | 10 +- source/heimdal/kdc/pkinit.c | 34 +- source/heimdal/kuser/kinit.c | 27 +- source/heimdal/lib/asn1/asn1-common.h | 2 +- source/heimdal/lib/asn1/canthandle.asn1 | 4 +- source/heimdal/lib/asn1/der.c | 2 +- source/heimdal/lib/asn1/digest.asn1 | 18 +- source/heimdal/lib/asn1/gen.c | 2 +- source/heimdal/lib/asn1/gen_encode.c | 2 +- source/heimdal/lib/asn1/k5.asn1 | 6 +- source/heimdal/lib/asn1/lex.c | 44 +- source/heimdal/lib/asn1/parse.c | 184 +- source/heimdal/lib/asn1/parse.h | 4 +- source/heimdal/lib/asn1/pkinit.asn1 | 23 +- source/heimdal/lib/asn1/rfc2459.asn1 | 2 + source/heimdal/lib/com_err/lex.c | 44 +- source/heimdal/lib/com_err/parse.c | 28 +- source/heimdal/lib/com_err/parse.h | 4 +- source/heimdal/lib/gssapi/gssapi/gssapi_krb5.h | 3 +- source/heimdal/lib/gssapi/gssapi_mech.h | 2 + source/heimdal/lib/gssapi/krb5/acquire_cred.c | 74 +- source/heimdal/lib/gssapi/krb5/external.c | 4 +- source/heimdal/lib/gssapi/krb5/gsskrb5-private.h | 2 +- source/heimdal/lib/gssapi/krb5/gsskrb5_locl.h | 3 +- source/heimdal/lib/gssapi/krb5/init_sec_context.c | 54 +- 
source/heimdal/lib/gssapi/krb5/set_cred_option.c | 39 +- source/heimdal/lib/gssapi/mech/context.c | 18 +- .../lib/gssapi/mech/gss_accept_sec_context.c | 6 +- source/heimdal/lib/gssapi/mech/gss_krb5.c | 43 +- source/heimdal/lib/gssapi/mech/gss_mech_switch.c | 2 +- .../heimdal/lib/gssapi/mech/gss_release_oid_set.c | 4 +- .../heimdal/lib/gssapi/spnego/accept_sec_context.c | 27 +- source/heimdal/lib/gssapi/spnego/compat.c | 3 +- source/heimdal/lib/gssapi/spnego/context_stubs.c | 70 +- source/heimdal/lib/gssapi/spnego/external.c | 4 +- .../heimdal/lib/gssapi/spnego/init_sec_context.c | 11 +- source/heimdal/lib/gssapi/spnego/spnego-private.h | 9 - source/heimdal/lib/hcrypto/bn.c | 6 +- source/heimdal/lib/hcrypto/bn.h | 4 +- source/heimdal/lib/hcrypto/camellia-ntt.c | 1461 ++ source/heimdal/lib/hcrypto/camellia-ntt.h | 54 + source/heimdal/lib/hcrypto/camellia.c | 118 + source/heimdal/lib/hcrypto/camellia.h | 74 + source/heimdal/lib/hcrypto/dh-imath.c | 14 +- source/heimdal/lib/hcrypto/dh.c | 215 +- source/heimdal/lib/hcrypto/evp.c | 648 +- source/heimdal/lib/hcrypto/evp.h | 8 +- source/heimdal/lib/hcrypto/hmac.c | 35 +- source/heimdal/lib/hcrypto/imath/imath.c | 6 +- source/heimdal/lib/hcrypto/rand.c | 15 +- source/heimdal/lib/hcrypto/rsa.c | 97 +- source/heimdal/lib/hcrypto/rsa.h | 4 +- source/heimdal/lib/hdb/dbinfo.c | 266 + source/heimdal/lib/hdb/hdb-protos.h | 11 + source/heimdal/lib/hdb/hdb.h | 6 +- source/heimdal/lib/hdb/hdb_locl.h | 5 +- source/heimdal/lib/hdb/keys.c | 15 +- source/heimdal/lib/hdb/mkey.c | 7 +- source/heimdal/lib/hx509/ca.c | 334 +- source/heimdal/lib/hx509/cert.c | 878 +- source/heimdal/lib/hx509/cms.c | 173 +- source/heimdal/lib/hx509/crypto.c | 194 +- source/heimdal/lib/hx509/env.c | 52 +- source/heimdal/lib/hx509/error.c | 81 +- source/heimdal/lib/hx509/hx509-private.h | 52 +- source/heimdal/lib/hx509/hx509-protos.h | 47 +- source/heimdal/lib/hx509/hx509.h | 7 +- source/heimdal/lib/hx509/hx509_err.et | 4 +- source/heimdal/lib/hx509/hx_locl.h | 
6 +- source/heimdal/lib/hx509/keyset.c | 237 +- source/heimdal/lib/hx509/ks_file.c | 38 +- source/heimdal/lib/hx509/ks_keychain.c | 10 +- source/heimdal/lib/hx509/ks_p11.c | 4 +- source/heimdal/lib/hx509/lock.c | 8 +- source/heimdal/lib/hx509/name.c | 367 +- source/heimdal/lib/hx509/peer.c | 54 +- source/heimdal/lib/hx509/print.c | 200 +- source/heimdal/lib/hx509/revoke.c | 398 +- source/heimdal/lib/krb5/acache.c | 270 +- source/heimdal/lib/krb5/add_et_list.c | 12 +- source/heimdal/lib/krb5/addr_families.c | 282 +- source/heimdal/lib/krb5/asn1_glue.c | 6 +- source/heimdal/lib/krb5/auth_context.c | 8 +- source/heimdal/lib/krb5/cache.c | 330 +- source/heimdal/lib/krb5/context.c | 334 +- source/heimdal/lib/krb5/convert_creds.c | 31 +- source/heimdal/lib/krb5/copy_host_realm.c | 13 +- source/heimdal/lib/krb5/creds.c | 84 +- source/heimdal/lib/krb5/crypto.c | 63 +- source/heimdal/lib/krb5/data.c | 100 +- source/heimdal/lib/krb5/eai_to_heim_errno.c | 26 +- source/heimdal/lib/krb5/error_string.c | 33 +- source/heimdal/lib/krb5/expand_hostname.c | 6 +- source/heimdal/lib/krb5/fcache.c | 131 +- source/heimdal/lib/krb5/get_cred.c | 10 +- source/heimdal/lib/krb5/get_for_creds.c | 94 +- source/heimdal/lib/krb5/get_in_tkt.c | 2 +- source/heimdal/lib/krb5/init_creds.c | 2 +- source/heimdal/lib/krb5/init_creds_pw.c | 12 +- source/heimdal/lib/krb5/kcm.c | 30 +- source/heimdal/lib/krb5/keytab.c | 7 +- source/heimdal/lib/krb5/keytab_file.c | 6 +- source/heimdal/lib/krb5/keytab_keyfile.c | 6 +- source/heimdal/lib/krb5/keytab_krb4.c | 28 +- source/heimdal/lib/krb5/krb5-private.h | 11 +- source/heimdal/lib/krb5/krb5-protos.h | 50 +- source/heimdal/lib/krb5/krb5.h | 21 +- source/heimdal/lib/krb5/krb5_ccapi.h | 8 +- source/heimdal/lib/krb5/krb5_locl.h | 14 +- source/heimdal/lib/krb5/mcache.c | 57 +- source/heimdal/lib/krb5/n-fold.c | 23 +- source/heimdal/lib/krb5/pac.c | 92 +- source/heimdal/lib/krb5/pkinit.c | 90 +- source/heimdal/lib/krb5/plugin.c | 23 +- 
source/heimdal/lib/krb5/principal.c | 37 +- source/heimdal/lib/krb5/rd_priv.c | 2 +- source/heimdal/lib/krb5/rd_req.c | 44 +- source/heimdal/lib/krb5/send_to_kdc.c | 4 +- source/heimdal/lib/krb5/store.c | 10 +- source/heimdal/lib/krb5/store_emem.c | 21 +- source/heimdal/lib/krb5/transited.c | 19 +- source/heimdal/lib/krb5/v4_glue.c | 4 +- source/heimdal/lib/ntlm/heimntlm-protos.h | 11 +- source/heimdal/lib/ntlm/heimntlm.h | 81 +- source/heimdal/lib/ntlm/ntlm.c | 278 +- source/heimdal/lib/vers/print_version.c | 4 +- source/heimdal/lib/wind/bidi.c | 92 + source/heimdal/lib/wind/bidi_table.c | 410 + source/heimdal/lib/wind/bidi_table.h | 21 + source/heimdal/lib/wind/combining.c | 62 + source/heimdal/lib/wind/combining_table.c | 362 + source/heimdal/lib/wind/combining_table.h | 18 + source/heimdal/lib/wind/errorlist.c | 77 + source/heimdal/lib/wind/errorlist_table.c | 88 + source/heimdal/lib/wind/errorlist_table.h | 19 + source/heimdal/lib/wind/ldap.c | 91 + source/heimdal/lib/wind/map.c | 87 + source/heimdal/lib/wind/map_table.c | 2613 +++ source/heimdal/lib/wind/map_table.h | 22 + source/heimdal/lib/wind/normalize.c | 301 + source/heimdal/lib/wind/normalize_table.c |22976 ++++++++++++++++++++ source/heimdal/lib/wind/normalize_table.h | 34 + source/heimdal/lib/wind/stringprep.c | 141 + source/heimdal/lib/wind/utf8.c | 443 + source/heimdal/lib/wind/wind.h | 82 + source/heimdal/lib/wind/wind_err.et | 22 + source/heimdal/lib/wind/windlocl.h | 64 + source/heimdal_build/config.mk | 35 +- source/kdc/kdc.c | 6 +- source/static_deps.mk | 3 +- 155 files changed, 36677 insertions(+), 1351 deletions(-) create mode 100644 source/heimdal/lib/hcrypto/camellia-ntt.c create mode 100644 source/heimdal/lib/hcrypto/camellia-ntt.h create mode 100644 source/heimdal/lib/hcrypto/camellia.c create mode 100644 source/heimdal/lib/hcrypto/camellia.h create mode 100644 source/heimdal/lib/hdb/dbinfo.c create mode 100644 source/heimdal/lib/wind/bidi.c create mode 100644 
source/heimdal/lib/wind/bidi_table.c create mode 100644 source/heimdal/lib/wind/bidi_table.h create mode 100644 source/heimdal/lib/wind/combining.c create mode 100644 source/heimdal/lib/wind/combining_table.c create mode 100644 source/heimdal/lib/wind/combining_table.h create mode 100644 source/heimdal/lib/wind/errorlist.c create mode 100644 source/heimdal/lib/wind/errorlist_table.c create mode 100644 source/heimdal/lib/wind/errorlist_table.h create mode 100644 source/heimdal/lib/wind/ldap.c create mode 100644 source/heimdal/lib/wind/map.c create mode 100644 source/heimdal/lib/wind/map_table.c create mode 100644 source/heimdal/lib/wind/map_table.h create mode 100644 source/heimdal/lib/wind/normalize.c create mode 100644 source/heimdal/lib/wind/normalize_table.c create mode 100644 source/heimdal/lib/wind/normalize_table.h create mode 100644 source/heimdal/lib/wind/stringprep.c create mode 100644 source/heimdal/lib/wind/utf8.c create mode 100644 source/heimdal/lib/wind/wind.h create mode 100644 source/heimdal/lib/wind/wind_err.et create mode 100644 source/heimdal/lib/wind/windlocl.h Changeset truncated at 500 lines: diff --git a/source/heimdal/kdc/digest.c b/source/heimdal/kdc/digest.c index 358ca5a..b845b0f 100644 --- a/source/heimdal/kdc/digest.c +++ b/source/heimdal/kdc/digest.c @@ -34,7 +34,7 @@ #include "kdc_locl.h" #include <hex.h> -RCSID("$Id: digest.c 21606 2007-07-17 07:03:25Z lha $"); +RCSID("$Id: digest.c 22374 2007-12-28 18:36:52Z lha $"); #define MS_CHAP_V2 0x20 #define CHAP_MD5 0x10 @@ -1003,7 +1003,8 @@ _kdc_do_digest(krb5_context context, } r.u.ntlmInitReply.flags |= - NTLM_NEG_TARGET_DOMAIN | + NTLM_NEG_TARGET | + NTLM_TARGET_DOMAIN | NTLM_ENC_128; #define ALL \ 
@@ -1331,6 +1332,27 @@ _kdc_do_digest(krb5_context context, version, ireq.u.ntlmRequest.username); break; } + case choice_DigestReqInner_supportedMechs: + + kdc_log(context, config, 0, "digest supportedMechs from %s", from); + + r.element = choice_DigestRepInner_supportedMechs; + memset(&r.u.supportedMechs, 0, sizeof(r.u.supportedMechs)); + + if (config->digests_allowed & NTLM_V1) + r.u.supportedMechs.ntlm_v1 = 1; + if (config->digests_allowed & NTLM_V1_SESSION) + r.u.supportedMechs.ntlm_v1_session = 1; + if (config->digests_allowed & NTLM_V2) + r.u.supportedMechs.ntlm_v2 = 1; + if (config->digests_allowed & DIGEST_MD5) + r.u.supportedMechs.digest_md5 = 1; + if (config->digests_allowed & CHAP_MD5) + r.u.supportedMechs.chap_md5 = 1; + if (config->digests_allowed & MS_CHAP_V2) + r.u.supportedMechs.ms_chap_v2 = 1; + break; + default: { char *s; krb5_set_error_string(context, "unknown operation to digest"); diff --git a/source/heimdal/kdc/kaserver.c b/source/heimdal/kdc/kaserver.c index 15624e8..27f497e 100644 --- a/source/heimdal/kdc/kaserver.c +++ b/source/heimdal/kdc/kaserver.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c 21661 2007-07-22 01:57:17Z lha $"); +RCSID("$Id: kaserver.c 21654 2007-07-21 17:30:18Z lha $"); #include <krb5-v4compat.h> #include <rx.h> diff --git a/source/heimdal/kdc/kdc_locl.h b/source/heimdal/kdc/kdc_locl.h index fdbdf27..fe05236 100644 --- a/source/heimdal/kdc/kdc_locl.h +++ b/source/heimdal/kdc/kdc_locl.h @@ -32,7 +32,7 @@ */ /* - * $Id: kdc_locl.h 20954 2007-06-07 03:30:15Z lha $ + * $Id: kdc_locl.h 22247 2007-12-08 23:49:41Z lha $ */ #ifndef __KDC_LOCL_H__ @@ -58,8 +58,7 @@ extern int detach_from_console; extern const struct units _kdc_digestunits[]; -#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf" -#define DEFAULT_LOG_DEST "0-1/FILE:" HDB_DB_DIR "/kdc.log" +#define KDC_LOG_FILE "kdc.log" extern struct timeval _kdc_now; #define kdc_time (_kdc_now.tv_sec) 
diff --git a/source/heimdal/kdc/kerberos5.c b/source/heimdal/kdc/kerberos5.c index 40a9c9c..bc600a5 100644 --- a/source/heimdal/kdc/kerberos5.c +++ b/source/heimdal/kdc/kerberos5.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c 21529 2007-07-13 12:37:14Z lha $"); +RCSID("$Id: kerberos5.c 22071 2007-11-14 20:04:50Z lha $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -362,6 +362,13 @@ older_enctype(krb5_enctype enctype) case ETYPE_DES3_CBC_SHA1: case ETYPE_ARCFOUR_HMAC_MD5: case ETYPE_ARCFOUR_HMAC_MD5_56: + /* + * The following three is "old" windows enctypes and is needed for + * windows 2000 hosts. + */ + case ETYPE_ARCFOUR_MD4: + case ETYPE_ARCFOUR_HMAC_OLD: + case ETYPE_ARCFOUR_HMAC_OLD_EXP: return 1; default: return 0; @@ -411,8 +418,8 @@ make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key) *ent->salttype = key->salt->type; #else /* - * We shouldn't sent salttype since its incompatible with the - * specification and its break windows clients. The afs + * We shouldn't sent salttype since it is incompatible with the + * specification and it breaks windows clients. The afs * salting problem is solved by using KRB5-PADATA-AFS3-SALT * implemented in Heimdal 0.7 and later. */ @@ -472,11 +479,13 @@ get_pa_etype_info(krb5_context context, free_ETYPE_INFO(&pa); return ret; } + break; } } skip1:; } for(i = 0; i < client->keys.len; i++) { + /* already added? */ for(j = 0; j < etypes_len; j++) { if(client->keys.val[i].key.keytype == etypes[j]) goto skip2; @@ -497,7 +506,7 @@ get_pa_etype_info(krb5_context context, } if(n < pa.len) { - /* stripped out newer enctypes */ + /* stripped out dups, newer enctypes, and not valid enctypes */ pa.len = n; } 
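Review bot: The new comment in older_enctype is ungrammatical and understates what is being widened: `The following three is "old" windows enctypes and is needed for windows 2000 hosts.` Suggest `/* The following three are "old" Windows enctypes (ETYPE_ARCFOUR_HMAC_OLD_EXP is the export-strength variant), kept only for Windows 2000 interoperability. */` so a later maintainer sees that these are legacy RC4 variants retained for compatibility rather than preferred types. The body of older_enctype starts outside the hunk, so whether this list also influences which enctypes the KDC advertises cannot be confirmed here.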
@@ -621,23 +630,29 @@ get_pa_etype_info2(krb5_context context, if(client->keys.val[i].key.keytype == etypes[j]) { if (krb5_enctype_valid(context, etypes[j]) != 0) continue; + if (n >= pa.len) + krb5_abortx(context, "internal error: n >= p.len"); if((ret = make_etype_info2_entry(&pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO2(&pa); return ret; } + break; } } skip1:; } - /* send enctypes that the cliene doesn't know about too */ + /* send enctypes that the client doesn't know about too */ for(i = 0; i < client->keys.len; i++) { + /* already added? */ for(j = 0; j < etypes_len; j++) { if(client->keys.val[i].key.keytype == etypes[j]) goto skip2; } if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0) continue; + if (n >= pa.len) + krb5_abortx(context, "internal error: n >= p.len"); if((ret = make_etype_info2_entry(&pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO2(&pa); @@ -646,16 +661,8 @@ get_pa_etype_info2(krb5_context context, skip2:; } - if(n != pa.len) { - char *name; - ret = krb5_unparse_name(context, client->principal, &name); - if (ret) - name = rk_UNCONST("<unparse_name failed>"); - kdc_log(context, config, 0, - "internal error in get_pa_etype_info2(%s): %d != %d", - name, n, pa.len); - if (ret == 0) - free(name); + if(n < pa.len) { + /* stripped out dups, and not valid enctypes */ pa.len = n; } @@ -1554,6 +1561,10 @@ _kdc_as_rep(krb5_context context, * otherwise just a dummy lr. */ ek.last_req.val = malloc(2 * sizeof(*ek.last_req.val)); + if (ek.last_req.val == NULL) { + ret = ENOMEM; + goto out; + } ek.last_req.len = 0; if (client->entry.pw_end && (config->kdc_warn_pwexpire == 0 diff --git a/source/heimdal/kdc/krb5tgs.c b/source/heimdal/kdc/krb5tgs.c index 4d6be60..32bdee9 100644 --- a/source/heimdal/kdc/krb5tgs.c +++ b/source/heimdal/kdc/krb5tgs.c 
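Review bot: Both new `krb5_abortx(context, "internal error: n >= p.len");` calls in get_pa_etype_info2 name `p.len` while the variable tested is `pa.len`; use `"internal error: n >= pa.len"` in both so the log line matches the code. More importantly krb5_abortx terminates the KDC process, and the guard sits inside loops walking the client-supplied etype list; if `pa.val` is allocated from the same counts (the allocation is outside the hunk, so it cannot be confirmed here) the abort is unreachable and acceptable, otherwise a request that breaks the invariant would stop the service rather than be refused, and `free_ETYPE_INFO2(&pa); return KRB5KRB_ERR_GENERIC;` would be the safer failure.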
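Review bot: The new ENOMEM branch in _kdc_as_rep jumps to `out` one line before `ek.last_req.len = 0;` is executed, so the cleanup at `out:` (outside the hunk) sees `ek.last_req` with a NULL `val` and whatever `len` held before; this is only safe if `ek` was zero-initialised earlier in the function, which is worth confirming, or the assignment can simply be moved above the malloc. The branch also sets no error string, so the failure reaches the caller as a bare ENOMEM; `krb5_set_error_string(context, "malloc: out of memory");` before the goto keeps it in line with the other error paths on this page.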
@@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: krb5tgs.c 21262 2007-06-21 15:18:37Z lha $"); +RCSID("$Id: krb5tgs.c 22071 2007-11-14 20:04:50Z lha $"); /* * return the realm of a krbtgt-ticket or NULL @@ -822,7 +822,7 @@ tgs_make_reply(krb5_context context, if(rspac->length) { /* * No not need to filter out the any PAC from the - * auth_data since its signed by the KDC. + * auth_data since it's signed by the KDC. */ ret = _kdc_tkt_add_if_relevant_ad(context, &et, KRB5_AUTHDATA_WIN2K_PAC, @@ -1099,11 +1099,14 @@ tgs_parse_request(krb5_context context, ret = hdb_enctype2key(context, &(*krbtgt)->entry, ap_req.ticket.enc_part.etype, &tkey); if(ret){ - char *str, *p; + char *str = NULL, *p = NULL; + krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str); krb5_unparse_name(context, princ, &p); - kdc_log(context, config, 0, - "No server key with enctype %s found for %s", str, p); + kdc_log(context, config, 0, + "No server key with enctype %s found for %s", + str ? str : "<unknown enctype>", + p ? p : "<unparse_name failed>"); free(str); free(p); ret = KRB5KRB_AP_ERR_BADKEYVER; @@ -1163,8 +1166,10 @@ tgs_parse_request(krb5_context context, } if (b->enc_authorization_data) { + unsigned usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; krb5_keyblock *subkey; krb5_data ad; + ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); @@ -1175,6 +1180,7 @@ tgs_parse_request(krb5_context context, goto out; } if(subkey == NULL){ + usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; ret = krb5_auth_con_getkey(context, ac, &subkey); if(ret) { krb5_auth_con_free(context, ac); @@ -1199,7 +1205,7 @@ tgs_parse_request(krb5_context context, } ret = krb5_decrypt_EncryptedData (context, crypto, - KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY, + usage, b->enc_authorization_data, &ad); krb5_crypto_destroy(context, crypto); @@ -1373,6 +1379,7 @@ server_lookup: ret = krb5_unparse_name(context, sp, &spn); if (ret) goto out; + auth_data = NULL; /* ms don't handle AD in referals */ goto server_lookup; } } 
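Review bot: The rewritten kdc_log call in tgs_parse_request now guards `str` and `p` against NULL, but the return codes of krb5_enctype_to_string and krb5_unparse_name are still discarded, so the guard only works if both functions leave their out-parameter untouched on failure, which is not visible here. Capturing the result removes the dependency, e.g. `if (krb5_enctype_to_string(context, ap_req.ticket.enc_part.etype, &str) != 0) str = NULL;` and the same for `krb5_unparse_name(context, princ, &p)`. The rest of tgs_parse_request lies outside the hunk.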
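Review bot: `auth_data = NULL; /* ms don't handle AD in referals */` before `goto server_lookup` discards the pointer without releasing what it points to; if auth_data holds the AuthorizationData decoded from the request earlier in the function (heap-allocated, outside the hunk) this leaks it on every referral, and the same line is added again in the next hunk (`@@ -1390,6 +1397,7 @@`). If ownership is as assumed, release it first with the ASN.1 free routine for its type, e.g. `if (auth_data) { free_AuthorizationData(auth_data); free(auth_data); auth_data = NULL; }`, and the comment could read `/* MS clients do not handle authorization data in referrals */`.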
@@ -1390,6 +1397,7 @@ server_lookup: if (ret) goto out; krb5_free_host_realm(context, realms); + auth_data = NULL; /* ms don't handle AD in referals */ goto server_lookup; } krb5_free_host_realm(context, realms); @@ -1431,8 +1439,8 @@ server_lookup: } /* - * Check that service is in the same realm as the krbtgt. If its - * not the same, its someone that is using a uni-directional trust + * Check that service is in the same realm as the krbtgt. If it's + * not the same, it's someone that is using a uni-directional trust * backward. */ diff --git a/source/heimdal/kdc/log.c b/source/heimdal/kdc/log.c index 977b1c9..8cf967f 100644 --- a/source/heimdal/kdc/log.c +++ b/source/heimdal/kdc/log.c @@ -32,7 +32,7 @@ */ #include "kdc_locl.h" -RCSID("$Id: log.c 15532 2005-06-30 01:54:49Z lha $"); +RCSID("$Id: log.c 22254 2007-12-09 06:01:05Z lha $"); void kdc_openlog(krb5_context context, @@ -47,8 +47,12 @@ kdc_openlog(krb5_context context, for(p = s; *p; p++) krb5_addlog_dest(context, config->logf, *p); krb5_config_free_strings(s); - }else - krb5_addlog_dest(context, config->logf, DEFAULT_LOG_DEST); + }else { + char *s; + asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE); + krb5_addlog_dest(context, config->logf, s); + free(s); + } krb5_set_warn_dest(context, config->logf); } diff --git a/source/heimdal/kdc/pkinit.c b/source/heimdal/kdc/pkinit.c index ead9610..bf248af 100755 --- a/source/heimdal/kdc/pkinit.c +++ b/source/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c 21290 2007-06-25 14:13:23Z lha $"); +RCSID("$Id: pkinit.c 22243 2007-12-08 23:39:30Z lha $"); #ifdef PKINIT @@ -1248,6 +1248,7 @@ out: static int match_rfc_san(krb5_context context, krb5_kdc_configuration *config, + hx509_context hx509ctx, hx509_cert client_cert, krb5_const_principal match) { 
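Review bot: The return value of `asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);` in kdc_openlog is not checked; on allocation failure glibc leaves `s` indeterminate, and it is then handed to krb5_addlog_dest and free. Check it before use, e.g. `if (asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE) < 0 || s == NULL) krb5_errx(context, 1, "out of memory");`. The same unchecked `asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));` is added in _kdc_pk_initialize (pkinit.c, `@@ -1646,14 +1653,19 @@`), where a failure would pass an indeterminate pointer to load_mappings; there `if (fn) free(fn);` can also be plain `free(fn);`. kdc_openlog's body begins outside the hunk.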
@@ -1256,7 +1257,8 @@ match_rfc_san(krb5_context context, memset(&list, 0 , sizeof(list)); - ret = hx509_cert_find_subjectAltName_otherName(client_cert, + ret = hx509_cert_find_subjectAltName_otherName(hx509ctx, + client_cert, oid_id_pkinit_san(), &list); if (ret) @@ -1304,6 +1306,7 @@ out: static int match_ms_upn_san(krb5_context context, krb5_kdc_configuration *config, + hx509_context hx509ctx, hx509_cert client_cert, krb5_const_principal match) { @@ -1315,7 +1318,8 @@ match_ms_upn_san(krb5_context context, memset(&list, 0 , sizeof(list)); - ret = hx509_cert_find_subjectAltName_otherName(client_cert, + ret = hx509_cert_find_subjectAltName_otherName(hx509ctx, + client_cert, oid_id_pkinit_ms_san(), &list); if (ret) @@ -1376,7 +1380,7 @@ _kdc_pk_check_client(krb5_context context, hx509_name name; int i; - ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, + ret = hx509_cert_get_base_subject(kdc_identity->hx509ctx, client_params->cert, &name); if (ret) @@ -1393,6 +1397,7 @@ _kdc_pk_check_client(krb5_context context, if (config->pkinit_princ_in_cert) { ret = match_rfc_san(context, config, + kdc_identity->hx509ctx, client_params->cert, client->entry.principal); if (ret == 0) { @@ -1401,6 +1406,7 @@ _kdc_pk_check_client(krb5_context context, return 0; } ret = match_ms_upn_san(context, config, + kdc_identity->hx509ctx, client_params->cert, client->entry.principal); if (ret == 0) { @@ -1580,7 +1586,8 @@ _kdc_pk_initialize(krb5_context context, char **pool, char **revoke_list) { - const char *file; + const char *file; + char *fn = NULL; krb5_error_code ret; file = krb5_config_get_string(context, NULL, 
@@ -1646,14 +1653,19 @@ _kdc_pk_initialize(krb5_context context, NULL); _krb5_pk_allow_proxy_certificate(kdc_identity, ret); - file = krb5_config_get_string_default(context, - NULL, - HDB_DB_DIR "/pki-mapping", - "kdc", - "pkinit_mappings_file", - NULL); + file = krb5_config_get_string(context, + NULL, + "kdc", + "pkinit_mappings_file", + NULL); + if (file == NULL) { + asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context)); + file = fn; + } load_mappings(context, file); + if (fn) + free(fn); return 0; } diff --git a/source/heimdal/kuser/kinit.c b/source/heimdal/kuser/kinit.c index 23fa7a5..2676309 100644 --- a/source/heimdal/kuser/kinit.c +++ b/source/heimdal/kuser/kinit.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2006 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "kuser_locl.h" -RCSID("$Id: kinit.c 21483 2007-07-10 16:40:46Z lha $"); +RCSID("$Id: kinit.c 22116 2007-12-03 21:22:58Z lha $"); #include "krb5-v4compat.h" @@ -260,7 +260,7 @@ renew_validate(krb5_context context, if (renew) { /* - * no need to check the error here, its only to be + * no need to check the error here, it's only to be * friendly to the user */ krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out); @@ -377,6 +377,7 @@ get_new_tickets(krb5_context context, char *renewstr = NULL; krb5_enctype *enctype = NULL; struct ntlm_buf ntlmkey; + krb5_ccache tempccache; memset(&ntlmkey, 0, sizeof(ntlmkey)); passwd[0] = '\0'; 
@@ -577,16 +578,25 @@ get_new_tickets(krb5_context context, } } - ret = krb5_cc_initialize (context, ccache, cred.client); + ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache), + NULL, &tempccache); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_new_unique"); + + ret = krb5_cc_initialize (context, tempccache, cred.client); if (ret) krb5_err (context, 1, ret, "krb5_cc_initialize"); - ret = krb5_cc_store_cred (context, ccache, &cred); + ret = krb5_cc_store_cred (context, tempccache, &cred); if (ret) krb5_err (context, 1, ret, "krb5_cc_store_cred"); krb5_free_cred_contents (context, &cred); -- Samba Shared Repository