The branch, master has been updated
via bf446bcf612 third_party/heimdal_build: Update fallthrough macro for
switch statements
via ef28247f3bb third_party/heimdal: import
lorikeet-heimdal-202210310104 (commit 0fc20ff4144973047e6aaaeb2fc8708bd75be222)
via ab4c7bda8da heimdal: Fix the 32-bit build on FreeBSD
via 074e9284971 third_party/heimdal: Introduce macro for common plugin
structure elements
via 6353f9e9c47 Add Heimdal test file test_base.c to bi-directional
encoding ignore list
from bdbb38d16c8 s3: libsmbclient: Fix smbc_getxattr() to return 0 on
success.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit bf446bcf612791c7fcf8284cca4061b651b7d4f6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Wed Sep 28 14:34:31 2022 +1300
third_party/heimdal_build: Update fallthrough macro for switch statements
This is an adaptation to Heimdal:
commit 133f5174820b34e2a12c3f3412bf554cae2ee22f
Author: Daria Phoebe Brashear <dariapho...@auristor.com>
Date: Fri Sep 16 09:57:24 2022 -0400
rewrite fallthrough to HEIM_FALLTHROUGH to deal with new Apple SDKs
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Wed Nov 2 05:21:29 UTC 2022 on sn-devel-184
commit ef28247f3bbbd7cf9daed7a4dba28855496ce38e
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon Oct 31 14:33:09 2022 +1300
third_party/heimdal: import lorikeet-heimdal-202210310104 (commit
0fc20ff4144973047e6aaaeb2fc8708bd75be222)
This commit won't compile on it's own, as we need to fix the build system
to cope in the next commit.
The purpose of this commit is to update to a new lorikeet-heimdal tree
that includes the previous two patches and is rebased on a current
Heimdal master snapshot.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
commit ab4c7bda8daccdb99adaf6ec7fddf8b5f84be09a
Author: Volker Lendecke <v...@samba.org>
Date: Fri Jul 22 18:38:21 2022 +0200
heimdal: Fix the 32-bit build on FreeBSD
REF: https://github.com/heimdal/heimdal/pull/1004
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15220
Signed-off-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 074e92849715ed3485703cfbba3771d405e4e78a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date: Sat Oct 22 10:11:53 2022 +1300
third_party/heimdal: Introduce macro for common plugin structure elements
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
commit 6353f9e9c47d02dc0e18585bfaad48b2ce85441d
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Oct 27 13:07:34 2022 +1300
Add Heimdal test file test_base.c to bi-directional encoding ignore list
Heimdal commit c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2 introduces test data
that triggers our LTR and RTL detection code.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/source_chars.py | 1 +
third_party/heimdal/.github/workflows/osx.yml | 6 +-
third_party/heimdal/.github/workflows/windows.yml | 2 +
third_party/heimdal/admin/Makefile.am | 1 +
third_party/heimdal/admin/add.c | 178 +++-
third_party/heimdal/admin/copy.c | 19 +-
third_party/heimdal/admin/get.c | 38 +-
third_party/heimdal/admin/ktutil-commands.in | 33 +-
third_party/heimdal/admin/ktutil.1 | 72 +-
third_party/heimdal/admin/list.c | 139 ++-
third_party/heimdal/apply_heimdal.sh | 6 +-
third_party/heimdal/configure.ac | 20 +-
third_party/heimdal/doc/Makefile.am | 3 +-
third_party/heimdal/doc/NTMakefile | 1 -
third_party/heimdal/doc/apps.texi | 201 +---
third_party/heimdal/doc/copyright.texi | 2 -
third_party/heimdal/doc/heimdal.texi | 21 +-
third_party/heimdal/doc/hx509.texi | 6 +-
third_party/heimdal/doc/kerberos4.texi | 173 ----
third_party/heimdal/doc/migration.texi | 12 +-
third_party/heimdal/doc/misc.texi | 2 +-
third_party/heimdal/doc/setup.texi | 164 +++-
third_party/heimdal/doc/whatis.texi | 6 +-
third_party/heimdal/doc/win2k.texi | 15 +-
third_party/heimdal/include/config.h.w32 | 4 +-
third_party/heimdal/kadmin/NTMakefile | 28 +-
third_party/heimdal/kadmin/check.c | 15 +-
third_party/heimdal/kadmin/cpw.c | 44 +-
third_party/heimdal/kadmin/del.c | 29 +-
third_party/heimdal/kadmin/ext.c | 12 +-
third_party/heimdal/kadmin/get.c | 31 +-
third_party/heimdal/kadmin/kadmin-commands.in | 13 +
third_party/heimdal/kadmin/kadmin.1 | 48 +-
third_party/heimdal/kadmin/kadmin_locl.h | 1 +
third_party/heimdal/kadmin/kadmind.c | 4 +
third_party/heimdal/kadmin/mod.c | 72 +-
third_party/heimdal/kadmin/rpc.c | 2 +-
third_party/heimdal/kadmin/server.c | 387 +++++++-
third_party/heimdal/kadmin/util.c | 140 ++-
third_party/heimdal/kcm/config.c | 12 +
third_party/heimdal/kcm/events.c | 2 +-
third_party/heimdal/kcm/kcm_locl.h | 1 +
third_party/heimdal/kdc/Makefile.am | 1 +
third_party/heimdal/kdc/bx509d.8 | 257 ++++-
third_party/heimdal/kdc/bx509d.c | 1031 +++++++++++++++++---
third_party/heimdal/kdc/csr_authorizer_plugin.h | 4 +-
third_party/heimdal/kdc/digest-service.c | 2 +-
third_party/heimdal/kdc/digest.c | 2 +-
third_party/heimdal/kdc/gss_preauth.c | 2 +-
.../heimdal/kdc/gss_preauth_authorizer_plugin.h | 4 +-
third_party/heimdal/kdc/httpkadmind.8 | 243 ++++-
third_party/heimdal/kdc/httpkadmind.c | 607 ++++++++++--
third_party/heimdal/kdc/kdc-plugin.h | 4 +-
third_party/heimdal/kdc/process.c | 27 +
third_party/heimdal/kdc/simple_csr_authorizer.c | 8 +-
third_party/heimdal/kdc/token_validator_plugin.h | 4 +-
third_party/heimdal/kuser/Makefile.am | 1 +
third_party/heimdal/kuser/kinit.c | 10 +-
third_party/heimdal/kuser/klist.c | 464 +++++++--
third_party/heimdal/lib/asn1/asn1_compile.1 | 5 +
third_party/heimdal/lib/asn1/gen_copy.c | 2 +-
third_party/heimdal/lib/asn1/gen_encode.c | 4 +-
third_party/heimdal/lib/asn1/gen_free.c | 2 +-
third_party/heimdal/lib/asn1/gen_template.c | 4 +-
third_party/heimdal/lib/asn1/main.c | 8 +
third_party/heimdal/lib/asn1/template.c | 4 +-
third_party/heimdal/lib/base/common_plugin.h | 6 +-
third_party/heimdal/lib/base/heimbase-svc.h | 5 +
third_party/heimdal/lib/base/heimbase.h | 30 +-
third_party/heimdal/lib/base/heimbasepriv.h | 23 -
third_party/heimdal/lib/base/json.c | 864 ++++++++++++++--
third_party/heimdal/lib/base/log.c | 5 +-
third_party/heimdal/lib/base/plugin.c | 2 +-
third_party/heimdal/lib/base/string.c | 5 +-
third_party/heimdal/lib/base/test_base.c | 340 ++++++-
third_party/heimdal/lib/base/version-script.map | 2 +
third_party/heimdal/lib/gssapi/Makefile.am | 12 +-
third_party/heimdal/lib/gssapi/gss-token.c | 6 +-
third_party/heimdal/lib/gssapi/krb5/8003.c | 2 +-
.../heimdal/lib/gssapi/krb5/init_sec_context.c | 2 +-
third_party/heimdal/lib/gssapi/netlogon/crypto.c | 2 +-
third_party/heimdal/lib/gssapi/ntlm/crypto.c | 2 +-
third_party/heimdal/lib/hcrypto/des.c | 2 +-
third_party/heimdal/lib/hcrypto/dh.c | 2 +-
third_party/heimdal/lib/hcrypto/dsa.c | 2 +-
third_party/heimdal/lib/hcrypto/engine.c | 2 +-
third_party/heimdal/lib/hcrypto/evp-openssl.c | 4 +-
third_party/heimdal/lib/hcrypto/evp.c | 10 +-
third_party/heimdal/lib/hcrypto/hmac.c | 6 +-
third_party/heimdal/lib/hcrypto/md2.c | 2 +-
third_party/heimdal/lib/hcrypto/passwd_dlg.c | 4 +-
third_party/heimdal/lib/hcrypto/rand-fortuna.c | 2 +-
third_party/heimdal/lib/hcrypto/rc2.c | 2 +-
third_party/heimdal/lib/hcrypto/rsa.c | 4 +-
third_party/heimdal/lib/hdb/Makefile.am | 4 +-
third_party/heimdal/lib/hdb/common.c | 195 +++-
third_party/heimdal/lib/hdb/hdb-ldap.c | 3 +-
third_party/heimdal/lib/hdb/hdb-mdb.c | 2 +-
third_party/heimdal/lib/hdb/hdb.asn1 | 2 +
third_party/heimdal/lib/hdb/hdb.c | 40 +-
third_party/heimdal/lib/hdb/hdb.h | 4 +-
third_party/heimdal/lib/hdb/hdb.opt | 4 +
third_party/heimdal/lib/hdb/keytab.c | 5 +-
third_party/heimdal/lib/hdb/test_namespace.c | 8 +-
third_party/heimdal/lib/hx509/cert.c | 2 +-
third_party/heimdal/lib/hx509/cms.c | 2 +-
third_party/heimdal/lib/hx509/file.c | 2 +-
third_party/heimdal/lib/hx509/hxtool.1 | 207 ++++
third_party/heimdal/lib/hx509/hxtool.c | 68 +-
third_party/heimdal/lib/hx509/req.c | 8 +-
third_party/heimdal/lib/ipc/server.c | 46 +-
third_party/heimdal/lib/kadm5/ad.c | 38 +-
third_party/heimdal/lib/kadm5/common_glue.c | 15 +
third_party/heimdal/lib/kadm5/context_s.c | 10 +-
third_party/heimdal/lib/kadm5/create_s.c | 8 +
third_party/heimdal/lib/kadm5/destroy_s.c | 12 +-
third_party/heimdal/lib/kadm5/get_c.c | 2 +-
third_party/heimdal/lib/kadm5/get_princs_c.c | 186 +++-
third_party/heimdal/lib/kadm5/get_princs_s.c | 124 ++-
third_party/heimdal/lib/kadm5/init_c.c | 52 +
third_party/heimdal/lib/kadm5/init_s.c | 15 +
third_party/heimdal/lib/kadm5/iprop.8 | 46 +-
third_party/heimdal/lib/kadm5/ipropd_slave.c | 46 +-
third_party/heimdal/lib/kadm5/kadm5-hook.h | 6 +-
.../heimdal/lib/kadm5/libkadm5srv-exports.def | 2 +
third_party/heimdal/lib/kadm5/private.h | 2 +
.../heimdal/lib/kadm5/version-script-client.map | 5 +
third_party/heimdal/lib/kadm5/version-script.map | 2 +
third_party/heimdal/lib/kafs/kafs_locl.h | 1 -
third_party/heimdal/lib/kafs/rxkad_kdf.c | 2 +-
third_party/heimdal/lib/krb5/Makefile.am | 1 -
third_party/heimdal/lib/krb5/NTMakefile | 12 +-
third_party/heimdal/lib/krb5/an2ln_plugin.h | 6 +-
third_party/heimdal/lib/krb5/aname_to_localname.c | 1 +
third_party/heimdal/lib/krb5/changepw.c | 2 +-
third_party/heimdal/lib/krb5/context.c | 115 ++-
third_party/heimdal/lib/krb5/convert_creds.c | 3 -
third_party/heimdal/lib/krb5/db_plugin.h | 6 +-
third_party/heimdal/lib/krb5/kcm.c | 3 +-
third_party/heimdal/lib/krb5/keytab.c | 3 +-
third_party/heimdal/lib/krb5/krb5-v4compat.h | 139 ---
third_party/heimdal/lib/krb5/kuserok_plugin.h | 6 +-
third_party/heimdal/lib/krb5/locate_plugin.h | 6 +-
third_party/heimdal/lib/krb5/pac.c | 5 +-
third_party/heimdal/lib/krb5/pkinit.c | 12 +-
third_party/heimdal/lib/krb5/send_to_kdc.c | 4 +-
third_party/heimdal/lib/krb5/send_to_kdc_plugin.h | 5 +-
third_party/heimdal/lib/krb5/store.c | 2 +
third_party/heimdal/lib/krb5/ticket.c | 2 +-
third_party/heimdal/lib/libedit/config.h.in | 100 +-
third_party/heimdal/lib/ntlm/digest.c | 2 +-
third_party/heimdal/lib/ntlm/ntlm.c | 8 +-
third_party/heimdal/lib/otp/otp_verify.c | 2 +-
third_party/heimdal/lib/roken/Makefile.am | 2 +-
third_party/heimdal/lib/roken/base32.c | 8 +-
third_party/heimdal/lib/roken/dirent-test.c | 4 +-
third_party/heimdal/lib/roken/fnmatch.c | 2 +-
third_party/heimdal/lib/roken/getaddrinfo.c | 4 +-
third_party/heimdal/lib/roken/getuserinfo.c | 2 +-
third_party/heimdal/lib/roken/parse_units.c | 3 +-
third_party/heimdal/lib/roken/parse_units.h | 4 +-
third_party/heimdal/lib/roken/snprintf.c | 2 +-
third_party/heimdal/lib/roken/strftime.c | 2 +-
third_party/heimdal/lib/roken/strptime.c | 2 +-
third_party/heimdal/lib/sl/slc-gram.y | 2 +-
third_party/heimdal/lib/wind/utf8.c | 14 +-
.../heimdal/packages/windows/sdk/NTMakefile | 2 -
third_party/heimdal/tests/gss/krb5.conf.in | 1 +
third_party/heimdal/tests/kdc/check-bx509.in | 283 +++++-
third_party/heimdal/tests/kdc/check-httpkadmind.in | 177 +++-
third_party/heimdal/tests/kdc/check-kadmin.in | 236 +++--
third_party/heimdal/tests/kdc/check-kdc.in | 6 +-
third_party/heimdal/tests/kdc/check-referral.in | 94 +-
.../heimdal/tests/kdc/krb5-httpkadmind.conf.in | 6 +
third_party/heimdal/tests/kdc/krb5.conf.in | 3 +
third_party/heimdal/windows/README.md | 61 +-
third_party/heimdal_build/config.h | 2 +-
177 files changed, 6738 insertions(+), 1821 deletions(-)
delete mode 100644 third_party/heimdal/doc/kerberos4.texi
create mode 100644 third_party/heimdal/lib/hx509/hxtool.1
delete mode 100644 third_party/heimdal/lib/krb5/krb5-v4compat.h
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/source_chars.py
b/python/samba/tests/source_chars.py
index 856a27b0d1a..f0351b67a91 100644
--- a/python/samba/tests/source_chars.py
+++ b/python/samba/tests/source_chars.py
@@ -110,6 +110,7 @@ SAFE_FORMAT_CHARS = {
# In the real world mixing directions would be normal in bilingual
# documents, but it is rare in Samba source code.
BIDI_FILES = {
+ 'third_party/heimdal/lib/base/test_base.c',
'third_party/heimdal/lib/wind/NormalizationTest.txt',
'testdata/source-chars-bidi.py',
}
diff --git a/third_party/heimdal/.github/workflows/osx.yml
b/third_party/heimdal/.github/workflows/osx.yml
index 342f850f1c7..3463e99b6e9 100644
--- a/third_party/heimdal/.github/workflows/osx.yml
+++ b/third_party/heimdal/.github/workflows/osx.yml
@@ -66,7 +66,7 @@ jobs:
echo "bison, flex, ncurses, texinfo, and unzip are in the base
OS."
echo "berkeley-db, perl, python, curl, and jq are installed in
the"
echo "base image already."
- brew install autoconf automake libtool cpanm
+ brew install autoconf automake libtool cpanm texinfo texi2html
sudo cpanm install JSON
- name: Clone repository
uses: actions/checkout@v1
@@ -79,8 +79,10 @@ jobs:
/bin/sh ./autogen.sh
mkdir build
cd build
- ../configure --srcdir=`dirname "$PWD"` --disable-afs-support
--enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst
CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast
-Wno-error=unused-function -Wno-error=unused-result
-Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
+ ../configure --srcdir=`dirname "$PWD"`
--disable-heimdal-documentation --disable-afs-support --enable-maintainer-mode
--enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst
CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast
-Wno-error=unused-function -Wno-error=unused-result
-Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3"
ulimit -c unlimited
+ PATH=/usr/local/opt/texinfo/bin:$PATH
+ export PATH
make -j4
#- name: Setup upterm session
# uses: lhotari/action-upterm@v1
diff --git a/third_party/heimdal/.github/workflows/windows.yml
b/third_party/heimdal/.github/workflows/windows.yml
index f1c187c397a..0d3bad83b21 100644
--- a/third_party/heimdal/.github/workflows/windows.yml
+++ b/third_party/heimdal/.github/workflows/windows.yml
@@ -4,6 +4,7 @@ on:
push:
branches:
- 'master'
+ - 'windows-build'
- 'heimdal-7-1-branch'
paths:
- '!docs/**'
@@ -76,6 +77,7 @@ jobs:
pacman --noconfirm -S bison
pacman --noconfirm -S perl
pacman --noconfirm -S perl-JSON
+ pacman --noconfirm -S texinfo
set PATH=%PATH%;%wix%bin
title Heimdal Build %CPU% %dbg__type%
set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program
Files (x86)\HTML Help Workshop"
diff --git a/third_party/heimdal/admin/Makefile.am
b/third_party/heimdal/admin/Makefile.am
index a4a7bb4c0f9..1821d4b2e4b 100644
--- a/third_party/heimdal/admin/Makefile.am
+++ b/third_party/heimdal/admin/Makefile.am
@@ -37,6 +37,7 @@ LDADD = \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
$(top_builddir)/lib/sl/libsl.la \
+ $(LIB_heimbase) \
$(LIB_readline) \
$(LIB_roken)
diff --git a/third_party/heimdal/admin/add.c b/third_party/heimdal/admin/add.c
index 13580b9bb57..5f1920ff8be 100644
--- a/third_party/heimdal/admin/add.c
+++ b/third_party/heimdal/admin/add.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2022 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,6 +32,8 @@
*/
#include "ktutil_locl.h"
+#include <heimbase.h>
+#include <base64.h>
RCSID("$Id$");
@@ -153,6 +155,178 @@ kt_add(struct add_options *opt, int argc, char **argv)
krb5_warn(context, ret, "add");
out:
krb5_kt_free_entry(context, &entry);
- krb5_kt_close(context, keytab);
+ if (ret == 0) {
+ ret = krb5_kt_close(context, keytab);
+ if (ret)
+ krb5_warn(context, ret, "Could not write the keytab");
+ } else {
+ krb5_kt_close(context, keytab);
+ }
+ return ret != 0;
+}
+
+/* We might be reading from a pipe, so we can't use rk_undumpdata() */
+static char *
+read_file(FILE *f)
+{
+ size_t alloced;
+ size_t len = 0;
+ size_t bytes;
+ char *res, *end, *p;
+
+ if ((res = malloc(1024)) == NULL)
+ err(1, "Out of memory");
+ alloced = 1024;
+
+ end = res + alloced;
+ p = res;
+ do {
+ if (p == end) {
+ char *tmp;
+
+ if ((tmp = realloc(res, alloced + (alloced > 1))) == NULL)
+ err(1, "Out of memory");
+ alloced += alloced > 1;
+ p = tmp + (p - res);
+ res = tmp;
+ end = res + alloced;
+ }
+ bytes = fread(p, 1, end - p, f);
+ len += bytes;
+ p += bytes;
+ } while (bytes && !feof(f) && !ferror(f));
+
+ if (ferror(f))
+ errx(1, "Could not read all input");
+ if (p == end) {
+ char *tmp;
+
+ if ((tmp = strndup(res, len)) == NULL)
+ err(1, "Out of memory");
+ free(res);
+ res = tmp;
+ }
+ if (strlen(res) != len)
+ err(1, "Embedded NULs in input!");
+ return res;
+}
+
+static void
+json2keytab_entry(heim_dict_t d, krb5_keytab kt, size_t idx)
+{
+ krb5_keytab_entry e;
+ krb5_error_code ret;
+ heim_object_t v;
+ uint64_t u;
+ int64_t i;
+ char *buf = NULL;
+
+ memset(&e, 0, sizeof(e));
+
+ v = heim_dict_get_value(d, HSTR("timestamp"));
+ if (heim_get_tid(v) != HEIM_TID_NUMBER)
+ goto bad;
+ u = heim_number_get_long(v);
+ e.timestamp = u;
+ if (u != (uint64_t)e.timestamp)
+ goto bad;
+
+ v = heim_dict_get_value(d, HSTR("kvno"));
+ if (heim_get_tid(v) != HEIM_TID_NUMBER)
+ goto bad;
+ i = heim_number_get_long(v);
+ e.vno = i;
+ if (i != (int64_t)e.vno)
+ goto bad;
+
+ v = heim_dict_get_value(d, HSTR("enctype_number"));
+ if (heim_get_tid(v) != HEIM_TID_NUMBER)
+ goto bad;
+ i = heim_number_get_long(v);
+ e.keyblock.keytype = i;
+ if (i != (int64_t)e.keyblock.keytype)
+ goto bad;
+
+ v = heim_dict_get_value(d, HSTR("key"));
+ if (heim_get_tid(v) != HEIM_TID_STRING)
+ goto bad;
+ {
+ const char *s = heim_string_get_utf8(v);
+ int declen;
+
+ if ((buf = malloc(strlen(s))) == NULL)
+ err(1, "Out of memory");
+ declen = rk_base64_decode(s, buf);
+ if (declen < 0)
+ goto bad;
+ e.keyblock.keyvalue.data = buf;
+ e.keyblock.keyvalue.length = declen;
+ }
+
+ v = heim_dict_get_value(d, HSTR("principal"));
+ if (heim_get_tid(v) != HEIM_TID_STRING)
+ goto bad;
+ ret = krb5_parse_name(context, heim_string_get_utf8(v), &e.principal);
+ if (ret == 0)
+ ret = krb5_kt_add_entry(context, kt, &e);
+
+ /* For now, ignore aliases; besides, they're never set anywhere in-tree */
+
+ if (ret)
+ krb5_warn(context, ret,
+ "Could not parse or write keytab entry %lu",
+ (unsigned long)idx);
+bad:
+ krb5_free_principal(context, e.principal);
+}
+
+int
+kt_import(void *opt, int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_keytab kt;
+ heim_object_t o;
+ heim_error_t json_err = NULL;
+ heim_json_flags_t flags = HEIM_JSON_F_STRICT;
+ FILE *f = argc == 0 ? stdin : fopen(argv[0], "r");
+ size_t alen, i;
+ char *json;
+
+ if (f == NULL)
+ err(1, "Could not open file %s", argv[0]);
+
+ json = read_file(f);
+ o = heim_json_create(json, 10, flags, &json_err);
+ free(json);
+ if (o == NULL) {
+ if (json_err != NULL) {
+ o = heim_error_copy_string(json_err);
+ if (o)
+ errx(1, "Could not parse JSON: %s", heim_string_get_utf8(o));
+ }
+ errx(1, "Could not parse JSON");
+ }
+
+ if (heim_get_tid(o) != HEIM_TID_ARRAY)
+ errx(1, "JSON text must be an array");
+
+ alen = heim_array_get_length(o);
+ if (alen == 0)
+ errx(1, "Empty JSON array; not overwriting keytab");
+
+ if ((kt = ktutil_open_keytab()) == NULL)
+ err(1, "Could not open keytab");
+
+ for (i = 0; i < alen; i++) {
+ heim_object_t e = heim_array_get_value(o, i);
+
+ if (heim_get_tid(e) != HEIM_TID_DICT)
+ warnx("Element %ld of JSON text array is not an object", (long)i);
+ else
+ json2keytab_entry(heim_array_get_value(o, i), kt, i);
+ }
+ ret = krb5_kt_close(context, kt);
+ if (ret)
+ krb5_warn(context, ret, "Could not write the keytab");
return ret != 0;
}
diff --git a/third_party/heimdal/admin/copy.c b/third_party/heimdal/admin/copy.c
index 7b50de1c3cb..8acd6e48ed0 100644
--- a/third_party/heimdal/admin/copy.c
+++ b/third_party/heimdal/admin/copy.c
@@ -47,7 +47,7 @@ compare_keyblock(const krb5_keyblock *a, const krb5_keyblock
*b)
}
int
-kt_copy (void *opt, int argc, char **argv)
+kt_copy (struct copy_options *opt, int argc, char **argv)
{
krb5_error_code ret;
krb5_keytab src_keytab, dst_keytab;
@@ -106,11 +106,18 @@ kt_copy (void *opt, int argc, char **argv)
"already exists for %s, keytype %s, kvno %d",
name_str, etype_str, entry.vno);
}
- krb5_kt_free_entry(context, &dummy);
- krb5_kt_free_entry (context, &entry);
- free(name_str);
- free(etype_str);
- continue;
+ if (!opt->copy_duplicates_flag) {
+ krb5_kt_free_entry(context, &dummy);
+ krb5_kt_free_entry (context, &entry);
+ free(name_str);
+ free(etype_str);
+ continue;
+ }
+ /*
+ * Because we can end up trying all keys that match the enctype,
+ * copying entries with duplicate principal, vno, and enctype, but
+ * different keys, can be useful.
+ */
} else if(ret != KRB5_KT_NOTFOUND) {
krb5_warn (context, ret, "%s: fetching %s/%s/%u",
to, name_str, etype_str, entry.vno);
diff --git a/third_party/heimdal/admin/get.c b/third_party/heimdal/admin/get.c
index f56e50f4359..ecd6f6a160e 100644
--- a/third_party/heimdal/admin/get.c
+++ b/third_party/heimdal/admin/get.c
@@ -197,23 +197,27 @@ kt_get(struct get_options *opt, int argc, char **argv)
break;
}
- ret = kadm5_create_principal(kadm_handle, &princ, mask,
"thisIs_aUseless.password123");
- if(ret == 0)
- created = 1;
- else if(ret != KADM5_DUP) {
- krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
- krb5_free_principal(context, princ_ent);
- failed++;
- continue;
- }
- ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks, ks,
- &keys, &n_keys);
- if (ret) {
- krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
- krb5_free_principal(context, princ_ent);
- failed++;
- continue;
- }
+ if (opt->create_flag) {
+ ret = kadm5_create_principal(kadm_handle, &princ, mask,
"thisIs_aUseless.password123");
+ if(ret == 0)
+ created = 1;
+ else if(ret != KADM5_DUP) {
+ krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
+ krb5_free_principal(context, princ_ent);
+ failed++;
+ continue;
+ }
+ }
+ if (opt->change_keys_flag) {
+ ret = kadm5_randkey_principal_3(kadm_handle, princ_ent, keep, nks,
ks,
+ &keys, &n_keys);
+ if (ret) {
+ krb5_warn(context, ret, "kadm5_randkey_principal(%s)",
argv[a]);
+ krb5_free_principal(context, princ_ent);
+ failed++;
+ continue;
+ }
+ }
ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
diff --git a/third_party/heimdal/admin/ktutil-commands.in
b/third_party/heimdal/admin/ktutil-commands.in
index 2b771e931a1..a85eb5c5715 100644
--- a/third_party/heimdal/admin/ktutil-commands.in
+++ b/third_party/heimdal/admin/ktutil-commands.in
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * Copyright (c) 2004-2022 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -151,11 +151,17 @@ command = {
}
command = {
name = "copy"
+ name = "merge"
function = "kt_copy"
+ option = {
+ long = "copy-duplicates"
+ type = "flag"
+ help = "copy entries for the same principal and kvno, but
different keys"
+ }
argument = "source destination"
min_args = "2"
max_args = "2"
- help = "Copies one keytab to another."
+ help = "Merges one keytab into another."
}
command = {
name = "get"
@@ -166,6 +172,16 @@ command = {
help = "admin principal"
argument = "principal"
}
+ option = {
+ long = "create"
+ type = "-flag"
+ help = "do not create the principal"
+ }
+ option = {
+ long = "change-keys"
+ type = "-flag"
+ help = "do not change the principal's keys"
+ }
option = {
long = "enctypes"
short = "e"
@@ -214,6 +230,14 @@ command = {
argument = "principal..."
help = "Change keys for specified principals, and add them to the
keytab."
}
+command = {
+ name = "import"
+ function = "kt_import"
+ help = "Imports a keytab from JSON output of ktutil list --json --keys."
+ min_args = "0"
+ max_args = "1"
+ argument = "JSON-FILE"
+}
command = {
name = "list"
option = {
@@ -226,6 +250,11 @@ command = {
type = "flag"
help = "show timestamps"
}
+ option = {
+ long = "json"
+ type = "flag"
+ help = "output JSON representation"
+ }
max_args = "0"
function = "kt_list"
help = "Show contents of keytab."
diff --git a/third_party/heimdal/admin/ktutil.1
b/third_party/heimdal/admin/ktutil.1
index 125b5e8f0d5..0036edcbd9b 100644
--- a/third_party/heimdal/admin/ktutil.1
+++ b/third_party/heimdal/admin/ktutil.1
@@ -60,7 +60,7 @@ Verbose output.
.Ar command
can be one of the following:
.Bl -tag -width srvconvert
-.It add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
+.It Nm add Oo Fl p Ar principal Oc Oo Fl Fl principal= Ns Ar principal Oc \
Oo Fl V Ar kvno Oc Oo Fl Fl kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
@@ -72,7 +72,7 @@ principal to add; if what you really want is to add a new
principal to
the keytab, you should consider the
.Ar get
command, which talks to the kadmin server.
-.It change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
+.It Nm change Oo Fl r Ar realm Oc Oo Fl Fl realm= Ns Ar realm Oc \
Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
Oo Fl Fl enctype= Ns Ar enctype Oc \
Oo Fl Fl a Ar host Oc Oo Fl Fl admin-server= Ns Ar host Oc \
@@ -82,30 +82,68 @@ server for the realm of a keytab entry. Otherwise it will
use the
values specified by the options.
.Pp
If no principals are given, all the ones in the keytab are updated.
-.It copy Ar keytab-src Ar keytab-dest
+.It Nm copy Oo Fl Fl copy-duplicates Oc Ar keytab-src Ar keytab-dest
Copies all the entries from
.Ar keytab-src
to
.Ar keytab-dest .
-.It get Oo Fl p Ar admin principal Oc \
+Because entries already in
+.Ar keytab-dest
+are kept, this command functions to merge keytabs.
+Entries for the same principal, key version number, and
+encryption type in the
+.Ar keytab-src
+that are also in the
+.Ar keytab-dest
+will not be copied to the
+.Ar keytab-dest
+unless the
+.Fl Fl copy-duplicates
+option is given.
+.It Nm get Oo Fl p Ar admin principal Oc \
Oo Fl Fl principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
+Oo Fl Fl no-create Oc \
+Oo Fl Fl no-change-keys Oc \
Oo Fl Fl keepold | Fl Fl keepallold | Fl Fl pruneall Oc \
Oo Fl Fl enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
Oo Fl Fl realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
Oo Fl Fl admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
Oo Fl Fl server-port= Ns Ar server port Oc Ar principal ...
+.Pp
For each
.Ar principal ,
-generate a new key for it (creating it if it doesn't already exist),
-and put that key in the keytab.
+get a the principal's keys from the KDC via the kadmin protocol,
+creating the principal if it doesn't exist (unless
+.Fl Fl no-create
+is given), and changing its keys to new random keys (unless
+.Fl Fl no-change-keys
+is given).
.Pp
If no
.Ar realm
is specified, the realm to operate on is taken from the first
principal.
--
Samba Shared Repository
