The branch, master has been updated
       via  bf446bcf612 third_party/heimdal_build: Update fallthrough macro for switch statements
       via  ef28247f3bb third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)
       via  ab4c7bda8da heimdal: Fix the 32-bit build on FreeBSD
       via  074e9284971 third_party/heimdal: Introduce macro for common plugin structure elements
       via  6353f9e9c47 Add Heimdal test file test_base.c to bi-directional encoding ignore list
      from  bdbb38d16c8 s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit bf446bcf612791c7fcf8284cca4061b651b7d4f6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 28 14:34:31 2022 +1300

    third_party/heimdal_build: Update fallthrough macro for switch statements

    This is an adaptation to Heimdal:

    commit 133f5174820b34e2a12c3f3412bf554cae2ee22f
    Author: Daria Phoebe Brashear <dariapho...@auristor.com>
    Date:   Fri Sep 16 09:57:24 2022 -0400

        rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Nov 2 05:21:29 UTC 2022 on sn-devel-184

commit ef28247f3bbbd7cf9daed7a4dba28855496ce38e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Oct 31 14:33:09 2022 +1300

    third_party/heimdal: import lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)

    This commit won't compile on its own, as we need to fix the build system
    to cope in the next commit.

    The purpose of this commit is to update to a new lorikeet-heimdal tree
    that includes the previous two patches and is rebased on a current
    Heimdal master snapshot.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit ab4c7bda8daccdb99adaf6ec7fddf8b5f84be09a
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Jul 22 18:38:21 2022 +0200

    heimdal: Fix the 32-bit build on FreeBSD

    REF: https://github.com/heimdal/heimdal/pull/1004
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 074e92849715ed3485703cfbba3771d405e4e78a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Sat Oct 22 10:11:53 2022 +1300

    third_party/heimdal: Introduce macro for common plugin structure elements

    Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
    it, doesn't work on 32-bit builds due to structure fields being arranged
    in the wrong order. This problem presents itself in the form of
    segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
    builds thanks to extra structure padding absorbing the errant fields.

    This commit reorders the HDB plugin structure fields to prevent crashes
    and introduces a common macro to ensure every plugin presents a
    consistent interface.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6353f9e9c47d02dc0e18585bfaad48b2ce85441d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Oct 27 13:07:34 2022 +1300

    Add Heimdal test file test_base.c to bi-directional encoding ignore list

    Heimdal commit c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2 introduces test
    data that triggers our LTR and RTL detection code.
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/source_chars.py | 1 +
 third_party/heimdal/.github/workflows/osx.yml | 6 +-
 third_party/heimdal/.github/workflows/windows.yml | 2 +
 third_party/heimdal/admin/Makefile.am | 1 +
 third_party/heimdal/admin/add.c | 178 +++-
 third_party/heimdal/admin/copy.c | 19 +-
 third_party/heimdal/admin/get.c | 38 +-
 third_party/heimdal/admin/ktutil-commands.in | 33 +-
 third_party/heimdal/admin/ktutil.1 | 72 +-
 third_party/heimdal/admin/list.c | 139 ++-
 third_party/heimdal/apply_heimdal.sh | 6 +-
 third_party/heimdal/configure.ac | 20 +-
 third_party/heimdal/doc/Makefile.am | 3 +-
 third_party/heimdal/doc/NTMakefile | 1 -
 third_party/heimdal/doc/apps.texi | 201 +---
 third_party/heimdal/doc/copyright.texi | 2 -
 third_party/heimdal/doc/heimdal.texi | 21 +-
 third_party/heimdal/doc/hx509.texi | 6 +-
 third_party/heimdal/doc/kerberos4.texi | 173 ----
 third_party/heimdal/doc/migration.texi | 12 +-
 third_party/heimdal/doc/misc.texi | 2 +-
 third_party/heimdal/doc/setup.texi | 164 +++-
 third_party/heimdal/doc/whatis.texi | 6 +-
 third_party/heimdal/doc/win2k.texi | 15 +-
 third_party/heimdal/include/config.h.w32 | 4 +-
 third_party/heimdal/kadmin/NTMakefile | 28 +-
 third_party/heimdal/kadmin/check.c | 15 +-
 third_party/heimdal/kadmin/cpw.c | 44 +-
 third_party/heimdal/kadmin/del.c | 29 +-
 third_party/heimdal/kadmin/ext.c | 12 +-
 third_party/heimdal/kadmin/get.c | 31 +-
 third_party/heimdal/kadmin/kadmin-commands.in | 13 +
 third_party/heimdal/kadmin/kadmin.1 | 48 +-
 third_party/heimdal/kadmin/kadmin_locl.h | 1 +
 third_party/heimdal/kadmin/kadmind.c | 4 +
 third_party/heimdal/kadmin/mod.c | 72 +-
 third_party/heimdal/kadmin/rpc.c | 2 +-
 third_party/heimdal/kadmin/server.c | 387 +++++++-
 third_party/heimdal/kadmin/util.c | 140 ++-
 third_party/heimdal/kcm/config.c | 12 +
 third_party/heimdal/kcm/events.c | 2 +-
 third_party/heimdal/kcm/kcm_locl.h | 1 +
 third_party/heimdal/kdc/Makefile.am | 1 +
 third_party/heimdal/kdc/bx509d.8 | 257 ++++-
 third_party/heimdal/kdc/bx509d.c | 1031 +++++++++++++++++---
 third_party/heimdal/kdc/csr_authorizer_plugin.h | 4 +-
 third_party/heimdal/kdc/digest-service.c | 2 +-
 third_party/heimdal/kdc/digest.c | 2 +-
 third_party/heimdal/kdc/gss_preauth.c | 2 +-
 .../heimdal/kdc/gss_preauth_authorizer_plugin.h | 4 +-
 third_party/heimdal/kdc/httpkadmind.8 | 243 ++++-
 third_party/heimdal/kdc/httpkadmind.c | 607 ++++++++++-
 third_party/heimdal/kdc/kdc-plugin.h | 4 +-
 third_party/heimdal/kdc/process.c | 27 +
 third_party/heimdal/kdc/simple_csr_authorizer.c | 8 +-
 third_party/heimdal/kdc/token_validator_plugin.h | 4 +-
 third_party/heimdal/kuser/Makefile.am | 1 +
 third_party/heimdal/kuser/kinit.c | 10 +-
 third_party/heimdal/kuser/klist.c | 464 +++++++--
 third_party/heimdal/lib/asn1/asn1_compile.1 | 5 +
 third_party/heimdal/lib/asn1/gen_copy.c | 2 +-
 third_party/heimdal/lib/asn1/gen_encode.c | 4 +-
 third_party/heimdal/lib/asn1/gen_free.c | 2 +-
 third_party/heimdal/lib/asn1/gen_template.c | 4 +-
 third_party/heimdal/lib/asn1/main.c | 8 +
 third_party/heimdal/lib/asn1/template.c | 4 +-
 third_party/heimdal/lib/base/common_plugin.h | 6 +-
 third_party/heimdal/lib/base/heimbase-svc.h | 5 +
 third_party/heimdal/lib/base/heimbase.h | 30 +-
 third_party/heimdal/lib/base/heimbasepriv.h | 23 -
 third_party/heimdal/lib/base/json.c | 864 ++++++++++++++-
 third_party/heimdal/lib/base/log.c | 5 +-
 third_party/heimdal/lib/base/plugin.c | 2 +-
 third_party/heimdal/lib/base/string.c | 5 +-
 third_party/heimdal/lib/base/test_base.c | 340 ++++++-
 third_party/heimdal/lib/base/version-script.map | 2 +
 third_party/heimdal/lib/gssapi/Makefile.am | 12 +-
 third_party/heimdal/lib/gssapi/gss-token.c | 6 +-
 third_party/heimdal/lib/gssapi/krb5/8003.c | 2 +-
 .../heimdal/lib/gssapi/krb5/init_sec_context.c | 2 +-
 third_party/heimdal/lib/gssapi/netlogon/crypto.c | 2 +-
 third_party/heimdal/lib/gssapi/ntlm/crypto.c | 2 +-
 third_party/heimdal/lib/hcrypto/des.c | 2 +-
 third_party/heimdal/lib/hcrypto/dh.c | 2 +-
 third_party/heimdal/lib/hcrypto/dsa.c | 2 +-
 third_party/heimdal/lib/hcrypto/engine.c | 2 +-
 third_party/heimdal/lib/hcrypto/evp-openssl.c | 4 +-
 third_party/heimdal/lib/hcrypto/evp.c | 10 +-
 third_party/heimdal/lib/hcrypto/hmac.c | 6 +-
 third_party/heimdal/lib/hcrypto/md2.c | 2 +-
 third_party/heimdal/lib/hcrypto/passwd_dlg.c | 4 +-
 third_party/heimdal/lib/hcrypto/rand-fortuna.c | 2 +-
 third_party/heimdal/lib/hcrypto/rc2.c | 2 +-
 third_party/heimdal/lib/hcrypto/rsa.c | 4 +-
 third_party/heimdal/lib/hdb/Makefile.am | 4 +-
 third_party/heimdal/lib/hdb/common.c | 195 +++-
 third_party/heimdal/lib/hdb/hdb-ldap.c | 3 +-
 third_party/heimdal/lib/hdb/hdb-mdb.c | 2 +-
 third_party/heimdal/lib/hdb/hdb.asn1 | 2 +
 third_party/heimdal/lib/hdb/hdb.c | 40 +-
 third_party/heimdal/lib/hdb/hdb.h | 4 +-
 third_party/heimdal/lib/hdb/hdb.opt | 4 +
 third_party/heimdal/lib/hdb/keytab.c | 5 +-
 third_party/heimdal/lib/hdb/test_namespace.c | 8 +-
 third_party/heimdal/lib/hx509/cert.c | 2 +-
 third_party/heimdal/lib/hx509/cms.c | 2 +-
 third_party/heimdal/lib/hx509/file.c | 2 +-
 third_party/heimdal/lib/hx509/hxtool.1 | 207 ++++
 third_party/heimdal/lib/hx509/hxtool.c | 68 +-
 third_party/heimdal/lib/hx509/req.c | 8 +-
 third_party/heimdal/lib/ipc/server.c | 46 +-
 third_party/heimdal/lib/kadm5/ad.c | 38 +-
 third_party/heimdal/lib/kadm5/common_glue.c | 15 +
 third_party/heimdal/lib/kadm5/context_s.c | 10 +-
 third_party/heimdal/lib/kadm5/create_s.c | 8 +
 third_party/heimdal/lib/kadm5/destroy_s.c | 12 +-
 third_party/heimdal/lib/kadm5/get_c.c | 2 +-
 third_party/heimdal/lib/kadm5/get_princs_c.c | 186 +++-
 third_party/heimdal/lib/kadm5/get_princs_s.c | 124 ++-
 third_party/heimdal/lib/kadm5/init_c.c | 52 +
 third_party/heimdal/lib/kadm5/init_s.c | 15 +
 third_party/heimdal/lib/kadm5/iprop.8 | 46 +-
 third_party/heimdal/lib/kadm5/ipropd_slave.c | 46 +-
 third_party/heimdal/lib/kadm5/kadm5-hook.h | 6 +-
 .../heimdal/lib/kadm5/libkadm5srv-exports.def | 2 +
 third_party/heimdal/lib/kadm5/private.h | 2 +
 .../heimdal/lib/kadm5/version-script-client.map | 5 +
 third_party/heimdal/lib/kadm5/version-script.map | 2 +
 third_party/heimdal/lib/kafs/kafs_locl.h | 1 -
 third_party/heimdal/lib/kafs/rxkad_kdf.c | 2 +-
 third_party/heimdal/lib/krb5/Makefile.am | 1 -
 third_party/heimdal/lib/krb5/NTMakefile | 12 +-
 third_party/heimdal/lib/krb5/an2ln_plugin.h | 6 +-
 third_party/heimdal/lib/krb5/aname_to_localname.c | 1 +
 third_party/heimdal/lib/krb5/changepw.c | 2 +-
 third_party/heimdal/lib/krb5/context.c | 115 ++-
 third_party/heimdal/lib/krb5/convert_creds.c | 3 -
 third_party/heimdal/lib/krb5/db_plugin.h | 6 +-
 third_party/heimdal/lib/krb5/kcm.c | 3 +-
 third_party/heimdal/lib/krb5/keytab.c | 3 +-
 third_party/heimdal/lib/krb5/krb5-v4compat.h | 139 ---
 third_party/heimdal/lib/krb5/kuserok_plugin.h | 6 +-
 third_party/heimdal/lib/krb5/locate_plugin.h | 6 +-
 third_party/heimdal/lib/krb5/pac.c | 5 +-
 third_party/heimdal/lib/krb5/pkinit.c | 12 +-
 third_party/heimdal/lib/krb5/send_to_kdc.c | 4 +-
 third_party/heimdal/lib/krb5/send_to_kdc_plugin.h | 5 +-
 third_party/heimdal/lib/krb5/store.c | 2 +
 third_party/heimdal/lib/krb5/ticket.c | 2 +-
 third_party/heimdal/lib/libedit/config.h.in | 100 +-
 third_party/heimdal/lib/ntlm/digest.c | 2 +-
 third_party/heimdal/lib/ntlm/ntlm.c | 8 +-
 third_party/heimdal/lib/otp/otp_verify.c | 2 +-
 third_party/heimdal/lib/roken/Makefile.am | 2 +-
 third_party/heimdal/lib/roken/base32.c | 8 +-
 third_party/heimdal/lib/roken/dirent-test.c | 4 +-
 third_party/heimdal/lib/roken/fnmatch.c | 2 +-
 third_party/heimdal/lib/roken/getaddrinfo.c | 4 +-
 third_party/heimdal/lib/roken/getuserinfo.c | 2 +-
 third_party/heimdal/lib/roken/parse_units.c | 3 +-
 third_party/heimdal/lib/roken/parse_units.h | 4 +-
 third_party/heimdal/lib/roken/snprintf.c | 2 +-
 third_party/heimdal/lib/roken/strftime.c | 2 +-
third_party/heimdal/lib/roken/strptime.c | 2 +- third_party/heimdal/lib/sl/slc-gram.y | 2 +- third_party/heimdal/lib/wind/utf8.c | 14 +- .../heimdal/packages/windows/sdk/NTMakefile | 2 - third_party/heimdal/tests/gss/krb5.conf.in | 1 + third_party/heimdal/tests/kdc/check-bx509.in | 283 +++++- third_party/heimdal/tests/kdc/check-httpkadmind.in | 177 +++- third_party/heimdal/tests/kdc/check-kadmin.in | 236 +++-- third_party/heimdal/tests/kdc/check-kdc.in | 6 +- third_party/heimdal/tests/kdc/check-referral.in | 94 +- .../heimdal/tests/kdc/krb5-httpkadmind.conf.in | 6 + third_party/heimdal/tests/kdc/krb5.conf.in | 3 + third_party/heimdal/windows/README.md | 61 +- third_party/heimdal_build/config.h | 2 +- 177 files changed, 6738 insertions(+), 1821 deletions(-) delete mode 100644 third_party/heimdal/doc/kerberos4.texi create mode 100644 third_party/heimdal/lib/hx509/hxtool.1 delete mode 100644 third_party/heimdal/lib/krb5/krb5-v4compat.h Changeset truncated at 500 lines: diff --git a/python/samba/tests/source_chars.py b/python/samba/tests/source_chars.py index 856a27b0d1a..f0351b67a91 100644 --- a/python/samba/tests/source_chars.py +++ b/python/samba/tests/source_chars.py @@ -110,6 +110,7 @@ SAFE_FORMAT_CHARS = { # In the real world mixing directions would be normal in bilingual # documents, but it is rare in Samba source code. BIDI_FILES = { + 'third_party/heimdal/lib/base/test_base.c', 'third_party/heimdal/lib/wind/NormalizationTest.txt', 'testdata/source-chars-bidi.py', } diff --git a/third_party/heimdal/.github/workflows/osx.yml b/third_party/heimdal/.github/workflows/osx.yml index 342f850f1c7..3463e99b6e9 100644 --- a/third_party/heimdal/.github/workflows/osx.yml +++ b/third_party/heimdal/.github/workflows/osx.yml 
@@ -66,7 +66,7 @@ jobs: echo "bison, flex, ncurses, texinfo, and unzip are in the base OS." echo "berkeley-db, perl, python, curl, and jq are installed in the" echo "base image already." - brew install autoconf automake libtool cpanm + brew install autoconf automake libtool cpanm texinfo texi2html sudo cpanm install JSON - name: Clone repository uses: actions/checkout@v1 @@ -79,8 +79,10 @@ jobs: /bin/sh ./autogen.sh mkdir build cd build - ../configure --srcdir=`dirname "$PWD"` --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3" + ../configure --srcdir=`dirname "$PWD"` --disable-heimdal-documentation --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3" ulimit -c unlimited + PATH=/usr/local/opt/texinfo/bin:$PATH + export PATH make -j4 #- name: Setup upterm session # uses: lhotari/action-upterm@v1 diff --git a/third_party/heimdal/.github/workflows/windows.yml b/third_party/heimdal/.github/workflows/windows.yml index f1c187c397a..0d3bad83b21 100644 --- a/third_party/heimdal/.github/workflows/windows.yml +++ b/third_party/heimdal/.github/workflows/windows.yml @@ -4,6 +4,7 @@ on: push: branches: - 'master' + - 'windows-build' - 'heimdal-7-1-branch' paths: - '!docs/**' @@ -76,6 +77,7 @@ jobs: pacman --noconfirm -S bison pacman --noconfirm -S perl pacman --noconfirm -S perl-JSON + pacman --noconfirm -S texinfo set PATH=%PATH%;%wix%bin title Heimdal Build %CPU% %dbg__type% set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop" 
diff --git a/third_party/heimdal/admin/Makefile.am b/third_party/heimdal/admin/Makefile.am index a4a7bb4c0f9..1821d4b2e4b 100644 --- a/third_party/heimdal/admin/Makefile.am +++ b/third_party/heimdal/admin/Makefile.am @@ -37,6 +37,7 @@ LDADD = \ $(LIB_hcrypto) \ $(top_builddir)/lib/asn1/libasn1.la \ $(top_builddir)/lib/sl/libsl.la \ + $(LIB_heimbase) \ $(LIB_readline) \ $(LIB_roken) diff --git a/third_party/heimdal/admin/add.c b/third_party/heimdal/admin/add.c index 13580b9bb57..5f1920ff8be 100644 --- a/third_party/heimdal/admin/add.c +++ b/third_party/heimdal/admin/add.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2022 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,6 +32,8 @@ */ #include "ktutil_locl.h" +#include <heimbase.h> +#include <base64.h> RCSID("$Id$"); 
@@ -153,6 +155,178 @@ kt_add(struct add_options *opt, int argc, char **argv) krb5_warn(context, ret, "add"); out: krb5_kt_free_entry(context, &entry); - krb5_kt_close(context, keytab); + if (ret == 0) { + ret = krb5_kt_close(context, keytab); + if (ret) + krb5_warn(context, ret, "Could not write the keytab"); + } else { + krb5_kt_close(context, keytab); + } + return ret != 0; +} + +/* We might be reading from a pipe, so we can't use rk_undumpdata() */ +static char * +read_file(FILE *f) +{ + size_t alloced; + size_t len = 0; + size_t bytes; + char *res, *end, *p; + + if ((res = malloc(1024)) == NULL) + err(1, "Out of memory"); + alloced = 1024; + + end = res + alloced; + p = res; + do { + if (p == end) { + char *tmp; + + if ((tmp = realloc(res, alloced + (alloced > 1))) == NULL) + err(1, "Out of memory"); + alloced += alloced > 1; + p = tmp + (p - res); + res = tmp; + end = res + alloced; + } + bytes = fread(p, 1, end - p, f); + len += bytes; + p += bytes; + } while (bytes && !feof(f) && !ferror(f)); + + if (ferror(f)) + errx(1, "Could not read all input"); + if (p == end) { + char *tmp; + + if ((tmp = strndup(res, len)) == NULL) + err(1, "Out of memory"); + free(res); + res = tmp; + } + if (strlen(res) != len) + err(1, "Embedded NULs in input!"); + return res; +} + +static void +json2keytab_entry(heim_dict_t d, krb5_keytab kt, size_t idx) +{ + krb5_keytab_entry e; + krb5_error_code ret; + heim_object_t v; + uint64_t u; + int64_t i; + char *buf = NULL; + + memset(&e, 0, sizeof(e)); + + v = heim_dict_get_value(d, HSTR("timestamp")); + if (heim_get_tid(v) != HEIM_TID_NUMBER) + goto bad; + u = heim_number_get_long(v); + e.timestamp = u; + if (u != (uint64_t)e.timestamp) + goto bad; + + v = heim_dict_get_value(d, HSTR("kvno")); + if (heim_get_tid(v) != HEIM_TID_NUMBER) + goto bad; + i = heim_number_get_long(v); + e.vno = i; + if (i != (int64_t)e.vno) + goto bad; + + v = heim_dict_get_value(d, HSTR("enctype_number")); + if (heim_get_tid(v) != HEIM_TID_NUMBER) + goto bad; 
+ i = heim_number_get_long(v); + e.keyblock.keytype = i; + if (i != (int64_t)e.keyblock.keytype) + goto bad; + + v = heim_dict_get_value(d, HSTR("key")); + if (heim_get_tid(v) != HEIM_TID_STRING) + goto bad; + { + const char *s = heim_string_get_utf8(v); + int declen; + + if ((buf = malloc(strlen(s))) == NULL) + err(1, "Out of memory"); + declen = rk_base64_decode(s, buf); + if (declen < 0) + goto bad; + e.keyblock.keyvalue.data = buf; + e.keyblock.keyvalue.length = declen; + } + + v = heim_dict_get_value(d, HSTR("principal")); + if (heim_get_tid(v) != HEIM_TID_STRING) + goto bad; + ret = krb5_parse_name(context, heim_string_get_utf8(v), &e.principal); + if (ret == 0) + ret = krb5_kt_add_entry(context, kt, &e); + + /* For now, ignore aliases; besides, they're never set anywhere in-tree */ + + if (ret) + krb5_warn(context, ret, + "Could not parse or write keytab entry %lu", + (unsigned long)idx); +bad: + krb5_free_principal(context, e.principal); +} + +int +kt_import(void *opt, int argc, char **argv) +{ + krb5_error_code ret; + krb5_keytab kt; + heim_object_t o; + heim_error_t json_err = NULL; + heim_json_flags_t flags = HEIM_JSON_F_STRICT; + FILE *f = argc == 0 ? 
stdin : fopen(argv[0], "r"); + size_t alen, i; + char *json; + + if (f == NULL) + err(1, "Could not open file %s", argv[0]); + + json = read_file(f); + o = heim_json_create(json, 10, flags, &json_err); + free(json); + if (o == NULL) { + if (json_err != NULL) { + o = heim_error_copy_string(json_err); + if (o) + errx(1, "Could not parse JSON: %s", heim_string_get_utf8(o)); + } + errx(1, "Could not parse JSON"); + } + + if (heim_get_tid(o) != HEIM_TID_ARRAY) + errx(1, "JSON text must be an array"); + + alen = heim_array_get_length(o); + if (alen == 0) + errx(1, "Empty JSON array; not overwriting keytab"); + + if ((kt = ktutil_open_keytab()) == NULL) + err(1, "Could not open keytab"); + + for (i = 0; i < alen; i++) { + heim_object_t e = heim_array_get_value(o, i); + + if (heim_get_tid(e) != HEIM_TID_DICT) + warnx("Element %ld of JSON text array is not an object", (long)i); + else + json2keytab_entry(heim_array_get_value(o, i), kt, i); + } + ret = krb5_kt_close(context, kt); + if (ret) + krb5_warn(context, ret, "Could not write the keytab"); return ret != 0; } diff --git a/third_party/heimdal/admin/copy.c b/third_party/heimdal/admin/copy.c index 7b50de1c3cb..8acd6e48ed0 100644 --- a/third_party/heimdal/admin/copy.c +++ b/third_party/heimdal/admin/copy.c @@ -47,7 +47,7 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock *b) } int -kt_copy (void *opt, int argc, char **argv) +kt_copy (struct copy_options *opt, int argc, char **argv) { krb5_error_code ret; krb5_keytab src_keytab, dst_keytab; 
@@ -106,11 +106,18 @@ kt_copy (void *opt, int argc, char **argv) "already exists for %s, keytype %s, kvno %d", name_str, etype_str, entry.vno); } - krb5_kt_free_entry(context, &dummy); - krb5_kt_free_entry (context, &entry); - free(name_str); - free(etype_str); - continue; + if (!opt->copy_duplicates_flag) { + krb5_kt_free_entry(context, &dummy); + krb5_kt_free_entry (context, &entry); + free(name_str); + free(etype_str); + continue; + } + /* + * Because we can end up trying all keys that match the enctype, + * copying entries with duplicate principal, vno, and enctype, but + * different keys, can be useful. + */ } else if(ret != KRB5_KT_NOTFOUND) { krb5_warn (context, ret, "%s: fetching %s/%s/%u", to, name_str, etype_str, entry.vno); diff --git a/third_party/heimdal/admin/get.c b/third_party/heimdal/admin/get.c index f56e50f4359..ecd6f6a160e 100644 --- a/third_party/heimdal/admin/get.c +++ b/third_party/heimdal/admin/get.c 
@@ -197,23 +197,27 @@ kt_get(struct get_options *opt, int argc, char **argv) break; } - ret = kadm5_create_principal(kadm_handle, &princ, mask, "thisIs_aUseless.password123"); - if(ret == 0) - created = 1; - else if(ret != KADM5_DUP) { - krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]); - krb5_free_principal(context, princ_ent); - failed++; - continue; - } - ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks, - &keys, &n_keys); - if (ret) { - krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]); - krb5_free_principal(context, princ_ent); - failed++; - continue; - } + if (opt->create_flag) { + ret = kadm5_create_principal(kadm_handle, &princ, mask, "thisIs_aUseless.password123"); + if(ret == 0) + created = 1; + else if(ret != KADM5_DUP) { + krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]); + krb5_free_principal(context, princ_ent); + failed++; + continue; + } + } + if (opt->change_keys_flag) { + ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks, + &keys, &n_keys); + if (ret) { + krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]); + krb5_free_principal(context, princ_ent); + failed++; + continue; + } + } ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); diff --git a/third_party/heimdal/admin/ktutil-commands.in b/third_party/heimdal/admin/ktutil-commands.in index 2b771e931a1..a85eb5c5715 100644 --- a/third_party/heimdal/admin/ktutil-commands.in +++ b/third_party/heimdal/admin/ktutil-commands.in @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004 Kungliga Tekniska Högskolan + * Copyright (c) 2004-2022 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -151,11 +151,17 @@ command = { } command = { name = "copy" + name = "merge" function = "kt_copy" + option = { + long = "copy-duplicates" + type = "flag" + help = "copy entries for the same principal and kvno, but different keys" + } argument = "source destination" min_args = "2" max_args = "2" - help = "Copies one keytab to another." + help = "Merges one keytab into another." } command = { name = "get" @@ -166,6 +172,16 @@ command = { help = "admin principal" argument = "principal" } + option = { + long = "create" + type = "-flag" + help = "do not create the principal" + } + option = { + long = "change-keys" + type = "-flag" + help = "do not change the principal's keys" + } option = { long = "enctypes" short = "e" @@ -214,6 +230,14 @@ command = { argument = "principal..." help = "Change keys for specified principals, and add them to the keytab." } +command = { + name = "import" + function = "kt_import" + help = "Imports a keytab from JSON output of ktutil list --json --keys." + min_args = "0" + max_args = "1" + argument = "JSON-FILE" +} command = { name = "list" option = { @@ -226,6 +250,11 @@ command = { type = "flag" help = "show timestamps" } + option = { + long = "json" + type = "flag" + help = "output JSON representation" + } max_args = "0" function = "kt_list" help = "Show contents of keytab." diff --git a/third_party/heimdal/admin/ktutil.1 b/third_party/heimdal/admin/ktutil.1 index 125b5e8f0d5..0036edcbd9b 100644 --- a/third_party/heimdal/admin/ktutil.1 +++ b/third_party/heimdal/admin/ktutil.1 @@ -60,7 +60,7 @@ Verbose output. .Ar command can be one of the following: .Bl -tag -width srvconvert -.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \ +.It Nm add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \ Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \ Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \ Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \ 
@@ -72,7 +72,7 @@ principal to add; if what you really want is to add a new principal to the keytab, you should consider the .Ar get command, which talks to the kadmin server. -.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \ +.It Nm change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \ Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \ Oo Fl Fl enctype= Ns Ar enctype Oc \ Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \ 
@@ -82,30 +82,68 @@ server for the realm of a keytab entry. Otherwise it will use the values specified by the options. .Pp If no principals are given, all the ones in the keytab are updated. -.It copy Ar keytab-src Ar keytab-dest +.It Nm copy Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest Copies all the entries from .Ar keytab-src to .Ar keytab-dest . -.It get Oo Fl p Ar admin principal Oc \ +Because entries already in +.Ar keytab-dest +are kept, this command functions to merge keytabs. +Entries for the same principal, key version number, and +encryption type in the +.Ar keytab-src +that are also in the +.Ar keytab-dest +will not be copied to the +.Ar keytab-dest +unless the +.Fl Fl copy-duplicates +option is given. +.It Nm get Oo Fl p Ar admin principal Oc \ Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \ +Oo Fl Fl no-create Oc \ +Oo Fl Fl no-change-keys Oc \ Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \ Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \ Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \ Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \ Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ... +.Pp For each .Ar principal , -generate a new key for it (creating it if it doesn't already exist), -and put that key in the keytab. +get a the principal's keys from the KDC via the kadmin protocol, +creating the principal if it doesn't exist (unless +.Fl Fl no-create +is given), and changing its keys to new random keys (unless +.Fl Fl no-change-keys +is given). .Pp If no .Ar realm is specified, the realm to operate on is taken from the first principal. -- Samba Shared Repository
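Review bot: in the python/samba/tests/source_chars.py hunk, the new BIDI_FILES entry exempts a compiled C file (third_party/heimdal/lib/base/test_base.c) from the mixed-direction check, whereas the two existing exemptions are a Unicode test-data file and a purpose-built test script; since this check is what flags bidirectional override characters in source, add a comment on the entry naming the Heimdal commit that introduced the test data (c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2, per the commit message) so the exemption can be revisited if that file changes.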
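Review bot: in the second osx.yml hunk, CFLAGS is assigned twice on the configure line (the -Wno-error=... set, then CFLAGS="-O0 -g -ggdb3"), so the second assignment silently replaces the first and the -Wno-error flags never reach the compiler; this predates the change, but the line is being edited anyway, so fold both into a single CFLAGS. The PATH export for /usr/local/opt/texinfo/bin is also added after ../configure has already run, so any makeinfo probing done by configure does not see it; move the export above the configure call.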
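Review bot: in the admin/add.c hunk, read_file grows its buffer with realloc(res, alloced + (alloced > 1)) and alloced += alloced > 1; alloced > 1 is a comparison that evaluates to 1, so the buffer grows one byte at a time and each realloc may copy the whole buffer (quadratic on large input); the intended expression is surely alloced >> 1. In the same function, when the loop ends with p != end no terminator is written (the strndup branch only runs when p == end), so the following strlen(res) reads past the data into uninitialised heap; add an else branch that stores '\0' at p. In json2keytab_entry the malloc'd buf holding the decoded key is never freed, neither after krb5_kt_add_entry nor at bad:, and the bad: label emits no diagnostic, so a malformed entry is silently dropped from the import; clear and free buf on every path and warn with the element index. Finally, kt_import's "Empty JSON array; not overwriting keytab" message is misleading, since the loop appends entries via krb5_kt_add_entry and never replaces the keytab.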
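Review bot: in the second admin/copy.c hunk, when copy_duplicates_flag is set execution falls through past the point where dummy, entry, name_str and etype_str used to be released, and nothing in the visible lines frees dummy (the entry returned by the duplicate lookup) on that path; verify the later code releases it and the two strings, or free dummy right here before falling through.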
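Review bot: in the admin/get.c hunk, when change_keys_flag is clear the kadm5_randkey_principal_3 call is skipped, so keys and n_keys are never assigned on that path, and the kadm5_get_principal call that follows requests only KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES; make sure the code that writes the keytab entries afterwards handles the no-new-keys case (initialises keys/n_keys or fetches key data) rather than using whatever the variables held. With create_flag clear and a principal that does not exist, the failure now surfaces only at kadm5_get_principal, so its error message should point at --no-create as the likely cause.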
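Review bot: in the admin/ktutil-commands.in hunk adding the import command, the help text refers to "ktutil list --json --keys", but the list command hunk in this change adds only a --json flag and no --keys option appears in the visible lines; confirm --keys exists elsewhere or correct the help. The help should also say that imported entries are added to the existing keytab, since that is what kt_import does.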
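Review bot: in the ktutil.1 hunk for the copy and get entries, "get a the principal's keys from the KDC" has a stray article and should read "get the principal's keys from the KDC". The copy entry documents --copy-duplicates but not the merge alias that ktutil-commands.in adds to the same command, and it still opens with "Copies all the entries" before explaining that existing entries are kept; name the alias on the .It line and say "merges" up front.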