diff --git a/.gitignore b/.gitignore index 15c84b933..4c301811a 100644 --- a/.gitignore +++ b/.gitignore @@ -143,6 +143,7 @@ asn1_*.[cx] /kpasswd/kpasswdd /kuser/copy_cred_cache /kuser/generate-requests +/kuser/kcc /kuser/kdecode_ticket /kuser/kdestroy /kuser/kdigest @@ -172,6 +173,7 @@ asn1_*.[cx] /lib/editline/strlcat.c /lib/editline/testit /lib/gssapi/gss +/lib/gssapi/gsstool /lib/gssapi/krb5/gsskrb5-private.h /lib/gssapi/ntlm/ntlm-private.h /lib/gssapi/spnego/spnego-private.h @@ -183,6 +185,7 @@ asn1_*.[cx] /lib/hdb/hdb-private.h /lib/hdb/test_dbinfo /lib/hdb/test_hdbkeys +/lib/hdb/test_mkey /lib/hx509/data/*.srl /lib/hx509/data/*.req /lib/hx509/data/sub-ca-combined.crt @@ -215,6 +218,7 @@ asn1_*.[cx] /lib/krb5/test_gic /lib/krb5/test_kuserok /lib/krb5/test_renew +/lib/krb5/test_rfc3961 /lib/krb5/verify_krb5_conf /lib/ntlm/heimntlm-protos.h /lib/otp/ndbm_wrap.c diff --git a/doc/ack.texi b/doc/ack.texi index a80def222..9cccd4477 100644 --- a/doc/ack.texi +++ b/doc/ack.texi @@ -58,8 +58,9 @@ Bugfixes, documentation, encouragement, and code has been contributed by: @item Frank van der Linden @item Guido Günther @item Harald Barth -@item Jason McIntyre +@item Jaideep Padhye @item Jan Rekorajski +@item Jason McIntyre @item Johan Gadsjö @item Johan Ihrén @item John Center diff --git a/kdc/kdc.h b/kdc/kdc.h index c353ca1c5..139b5e708 100644 --- a/kdc/kdc.h +++ b/kdc/kdc.h @@ -41,6 +41,7 @@ #ifndef __KDC_H__ #define __KDC_H__ +#include #include enum krb5_kdc_trpolicy { diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 394f4dec6..a437b9dbd 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c 
@@ -1000,9 +1000,8 @@ _kdc_as_rep(krb5_context context, ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } - ret = _kdc_db_fetch(context, config, server_princ, - HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, + HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags, NULL, NULL, &server); if(ret == HDB_ERR_NOT_FOUND_HERE) { kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name); diff --git a/kdc/version-script.map b/kdc/version-script.map index 8234ee2ef..ae16f39fa 100644 --- a/kdc/version-script.map +++ b/kdc/version-script.map @@ -16,6 +16,10 @@ HEIMDAL_KDC_1.0 { krb5_kdc_save_request; krb5_kdc_update_time; krb5_kdc_pk_initialize; + + # needed for digest-service + _kdc_db_fetch; + _kdc_free_ent; local: *; }; diff --git a/kuser/Makefile.am b/kuser/Makefile.am index 7db632f71..0d41343a4 100644 --- a/kuser/Makefile.am +++ b/kuser/Makefile.am @@ -35,7 +35,8 @@ kimpersonate_LDADD = $(kinit_LDADD) kcc_LDADD = \ $(top_builddir)/lib/sl/libsl.la \ - $(kinit_LDADD) + $(kinit_LDADD) \ + $(LIB_readline) dist_kcc_SOURCES = kcc.c klist.c kswitch.c copy_cred_cache.c nodist_kcc_SOURCES = kcc-commands.c diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1 index b9a566de7..78cb5a3b8 100644 --- a/lib/asn1/krb5.asn1 +++ b/lib/asn1/krb5.asn1 @@ -172,6 +172,7 @@ PADATA-TYPE ::= INTEGER { KRB5-PADATA-EPAK-AS-REP(146), KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u + KRB5-PADATA-REQ-ENC-PA-REP(149), -- KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE } @@ -318,7 +319,8 @@ TicketFlags ::= BIT STRING { hw-authent(11), transited-policy-checked(12), ok-as-delegate(13), - anonymous(14) + anonymous(14), + enc-pa-rep(15) } KDCOptions ::= BIT STRING { diff --git a/lib/com_err/lex.h b/lib/com_err/lex.h index 76f3e2b2a..e158816bb 100644 --- a/lib/com_err/lex.h +++ b/lib/com_err/lex.h 
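Review bot: The new fetch mask in _kdc_as_rep mixes two spacing styles, `HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags`; write it as `HDB_F_GET_SERVER | HDB_F_GET_KRBTGT | flags` so the added operand does not read as an afterthought. The hunk does not show where `flags` is computed, so a short comment at the call site naming which HDB_F_ bits it may carry would let a reader see what the server lookup is now allowed to do. _kdc_as_rep starts and ends outside the hunk.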
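Review bot: Exporting `_kdc_db_fetch` and `_kdc_free_ent` from libkdc turns two underscore-prefixed internal functions into linkable ABI, while the hx509 part of the same commit renames such `_hx509_*` helpers to public names before exporting them. If the digest service is the only intended consumer, the map comment should say that the signature is not a stable interface, otherwise the internal argument list is frozen from this release on. Suggest `# private; exported only for digest-service, not a stable interface` in place of `# needed for digest-service`.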
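Review bot: The new `KRB5-PADATA-REQ-ENC-PA-REP(149), --` entry leaves its trailing comment empty where the neighbouring values cite their defining draft, so the dangling `--` reads like an unfinished edit. Both this padata type and the matching `enc-pa-rep(15)` TicketFlags bit in the second hunk come from RFC 6113, so `-- RFC 6113` on each line would document where the numbers are assigned.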
@@ -33,7 +33,7 @@ /* $Id$ */ -void error_message (const char *, ...) +void _lex_error_message (const char *, ...) __attribute__ ((format (printf, 1, 2))); int yylex(void); diff --git a/lib/com_err/lex.l b/lib/com_err/lex.l index b17c9d67a..eb39e0cfb 100644 --- a/lib/com_err/lex.l +++ b/lib/com_err/lex.l @@ -95,7 +95,7 @@ getstring(void) continue; } if(c == '\n'){ - error_message("unterminated string"); + _lex_error_message("unterminated string"); lineno++; break; } @@ -115,7 +115,7 @@ getstring(void) } void -error_message (const char *format, ...) +_lex_error_message (const char *format, ...) { va_list args; diff --git a/lib/com_err/parse.y b/lib/com_err/parse.y index 3472f82e0..194965c34 100644 --- a/lib/com_err/parse.y +++ b/lib/com_err/parse.y @@ -170,5 +170,5 @@ name2number(const char *str) void yyerror (char *s) { - error_message ("%s\n", s); + _lex_error_message ("%s\n", s); } diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am index 307541063..8d2190885 100644 --- a/lib/gssapi/Makefile.am +++ b/lib/gssapi/Makefile.am @@ -208,7 +208,7 @@ nodist_libgssapi_la_SOURCES = \ gkrb5_err.h \ $(BUILT_SOURCES) -libgssapi_la_LDFLAGS = -version-info 2:0:0 +libgssapi_la_LDFLAGS = -version-info 3:0:0 if versionscript libgssapi_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h index 48d1d14f3..47030580c 100644 --- a/lib/gssapi/gssapi/gssapi.h +++ b/lib/gssapi/gssapi/gssapi.h 
@@ -261,18 +261,16 @@ typedef OM_uint32 gss_qop_t; #define GSS_IOV_BUFFER_TYPE_STREAM 10 #define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11 -#define GSS_IOV_BUFFER_FLAG_MASK 0xffff0000 -#define GSS_IOV_BUFFER_FLAG_ALLOCATE 0x00010000 -#define GSS_IOV_BUFFER_FLAG_ALLOCATED 0x00020000 +#define GSS_IOV_BUFFER_TYPE_FLAG_MASK 0xffff0000 +#define GSS_IOV_BUFFER_FLAG_ALLOCATE 0x00010000 +#define GSS_IOV_BUFFER_FLAG_ALLOCATED 0x00020000 + +#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE 0x00010000 /* old name */ +#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED 0x00020000 /* old name */ #define GSS_IOV_BUFFER_TYPE(_t) ((_t) & ~GSS_IOV_BUFFER_FLAG_MASK) #define GSS_IOV_BUFFER_FLAGS(_t) ((_t) & GSS_IOV_BUFFER_FLAG_MASK) -/* compatibility macros; will be removed in the next release */ -#define GSS_IOV_BUFFER_TYPE_FLAG_MASK GSS_IOV_BUFFER_FLAG_MASK -#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE GSS_IOV_BUFFER_FLAG_ALLOCATE -#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED GSS_IOV_BUFFER_FLAG_ALLOCATED - GSSAPI_CPP_START #include diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c index 8ec3a65a3..a5e9d054c 100644 --- a/lib/gssapi/krb5/accept_sec_context.c +++ b/lib/gssapi/krb5/accept_sec_context.c @@ -99,6 +99,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor) case ETYPE_DES_CBC_MD4: case ETYPE_DES_CBC_MD5: case ETYPE_DES3_CBC_MD5: + case ETYPE_OLD_DES3_CBC_SHA1: case ETYPE_DES3_CBC_SHA1: case ETYPE_ARCFOUR_HMAC_MD5: case ETYPE_ARCFOUR_HMAC_MD5_56: @@ -263,6 +264,10 @@ send_error_token(OM_uint32 *minor_status, krb5_principal ap_req_server = NULL; krb5_error_code ret; krb5_data outbuf; + /* this e_data value encodes KERB_AP_ERR_TYPE_SKEW_RECOVERY which + tells windows to try again with the corrected timestamp. See + [MS-KILE] 2.2.1 KERB-ERROR-DATA */ + krb5_data e_data = { 7, rk_UNCONST("\x30\x05\xa1\x03\x02\x01\x02") }; /* build server from request if the acceptor had not selected one */ if (server == NULL) { 
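Review bot: After this hunk `GSS_IOV_BUFFER_TYPE(_t)` and `GSS_IOV_BUFFER_FLAGS(_t)` still expand to `GSS_IOV_BUFFER_FLAG_MASK`, but that name is no longer defined here: its definition is renamed to `GSS_IOV_BUFFER_TYPE_FLAG_MASK` and the compatibility alias that mapped the other spelling is deleted. Unless the name is defined elsewhere in the header, any translation unit using those two helper macros fails to compile with an undeclared identifier. Either change the helpers to `((_t) & ~GSS_IOV_BUFFER_TYPE_FLAG_MASK)` and `((_t) & GSS_IOV_BUFFER_TYPE_FLAG_MASK)`, or keep `#define GSS_IOV_BUFFER_FLAG_MASK 0xffff0000` beside the new name the way both spellings are kept for the ALLOCATE flags. A comment stating which spelling is the supported one would also help, since the primary names now mix TYPE_FLAG_MASK with FLAG_ALLOCATE.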
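Review bot: `e_data` is passed to krb5_mk_error unconditionally (the call in the hunk at line 285 of the same file), so the KERB_AP_ERR_TYPE_SKEW_RECOVERY hint accompanies whatever `kret` send_error_token was given, not only a clock-skew failure. If send_error_token can be reached with other error codes — its callers are outside the hunk — a client would be told to retry with a corrected timestamp for a failure unrelated to time; guarding with `krb5_data *ed = (kret == KRB5KRB_AP_ERR_SKEW) ? &e_data : NULL;` and passing `ed` keeps the hint tied to the one error it is meant for. The literal bytes would also be easier to audit with the structure spelled out, e.g. `/* DER: SEQUENCE { [1] INTEGER 2 } = KERB-ERROR-DATA data-type KERB_AP_ERR_TYPE_SKEW_RECOVERY */`.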
@@ -285,7 +290,7 @@ send_error_token(OM_uint32 *minor_status, server = ap_req_server; } - ret = krb5_mk_error(context, kret, NULL, NULL, NULL, + ret = krb5_mk_error(context, kret, NULL, &e_data, NULL, server, NULL, NULL, &outbuf); if (ap_req_server) krb5_free_principal(context, ap_req_server); diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c index c873da9ba..3bab1802b 100644 --- a/lib/gssapi/krb5/import_sec_context.c +++ b/lib/gssapi/krb5/import_sec_context.c @@ -202,6 +202,8 @@ _gsskrb5_import_sec_context ( krb5_storage_free (sp); + _gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0); + *context_handle = (gss_ctx_id_t)ctx; return GSS_S_COMPLETE; diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c index 93a172e55..7f95ea556 100644 --- a/lib/hx509/cert.c +++ b/lib/hx509/cert.c @@ -310,7 +310,7 @@ int _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key) { if (cert->private_key) - _hx509_private_key_free(&cert->private_key); + hx509_private_key_free(&cert->private_key); cert->private_key = _hx509_private_key_ref(private_key); return 0; } @@ -341,7 +341,7 @@ hx509_cert_free(hx509_cert cert) (cert->release)(cert, cert->ctx); if (cert->private_key) - _hx509_private_key_free(&cert->private_key); + hx509_private_key_free(&cert->private_key); free_Certificate(cert->data); free(cert->data); @@ -1607,7 +1607,7 @@ _hx509_cert_private_decrypt(hx509_context context, return HX509_PRIVATE_KEY_MISSING; } - return _hx509_private_key_private_decrypt(context, + return hx509_private_key_private_decrypt(context, ciphertext, encryption_oid, p->private_key, @@ -1615,7 +1615,7 @@ _hx509_cert_private_decrypt(hx509_context context, } int -_hx509_cert_public_encrypt(hx509_context context, +hx509_cert_public_encrypt(hx509_context context, const heim_octet_string *cleartext, const hx509_cert p, heim_oid *encryption_oid, diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c index 3aefd2651..6e4eefaa1 100644 --- a/lib/hx509/cms.c 
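Review bot: The added `_gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0);` call carries no comment saying why it is needed after an import, and the third argument is a derived boolean whose meaning (acceptor side) is visible only from the callee's prototype in accept_sec_context.c. A one-line comment such as `/* recompute the etype-dependent CFX state, presumably not carried in the exported token; we are the acceptor iff the context is not LOCAL */` would make the line self-explanatory. _gsskrb5_import_sec_context starts outside the hunk.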
+++ b/lib/hx509/cms.c @@ -665,7 +665,7 @@ hx509_cms_envelope_1(hx509_context context, goto out; } - ret = _hx509_cert_public_encrypt(context, + ret = hx509_cert_public_encrypt(context, &key, cert, &ri->keyEncryptionAlgorithm.algorithm, &ri->encryptedKey); diff --git a/lib/hx509/collector.c b/lib/hx509/collector.c index 1a44de00a..0cb186399 100644 --- a/lib/hx509/collector.c +++ b/lib/hx509/collector.c @@ -105,7 +105,7 @@ free_private_key(struct private_key *key) { free_AlgorithmIdentifier(&key->alg); if (key->private_key) - _hx509_private_key_free(&key->private_key); + hx509_private_key_free(&key->private_key); der_free_octet_string(&key->localKeyId); free(key); } @@ -143,7 +143,7 @@ _hx509_collector_private_key_add(hx509_context context, if (private_key) { key->private_key = private_key; } else { - ret = _hx509_parse_private_key(context, alg, + ret = hx509_parse_private_key(context, alg, key_data->data, key_data->length, HX509_KEY_FORMAT_DER, &key->private_key); diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c index a38226d94..c69ddfb5d 100644 --- a/lib/hx509/crypto.c +++ b/lib/hx509/crypto.c @@ -1506,8 +1506,8 @@ static struct hx509_private_key_ops *private_algs[] = { NULL }; -static hx509_private_key_ops * -find_private_alg(const heim_oid *oid) +hx509_private_key_ops * +hx509_find_private_alg(const heim_oid *oid) { int i; for (i = 0; private_algs[i]; i++) { @@ -1715,7 +1715,7 @@ _hx509_public_encrypt(hx509_context context, } int -_hx509_private_key_private_decrypt(hx509_context context, +hx509_private_key_private_decrypt(hx509_context context, const heim_octet_string *ciphertext, const heim_oid *encryption_oid, hx509_private_key p, @@ -1758,7 +1758,7 @@ _hx509_private_key_private_decrypt(hx509_context context, int -_hx509_parse_private_key(hx509_context context, +hx509_parse_private_key(hx509_context context, const AlgorithmIdentifier *keyai, const void *data, size_t len, 
@@ -1770,13 +1770,13 @@ _hx509_parse_private_key(hx509_context context, *private_key = NULL; - ops = find_private_alg(&keyai->algorithm); + ops = hx509_find_private_alg(&keyai->algorithm); if (ops == NULL) { hx509_clear_error_string(context); return HX509_SIG_ALG_NO_SUPPORTED; } - ret = _hx509_private_key_init(private_key, ops, NULL); + ret = hx509_private_key_init(private_key, ops, NULL); if (ret) { hx509_set_error_string(context, 0, ret, "out of memory"); return ret; @@ -1784,7 +1784,7 @@ _hx509_parse_private_key(hx509_context context, ret = (*ops->import)(context, keyai, data, len, format, *private_key); if (ret) - _hx509_private_key_free(private_key); + hx509_private_key_free(private_key); return ret; } @@ -1794,7 +1794,7 @@ _hx509_parse_private_key(hx509_context context, */ int -_hx509_private_key2SPKI(hx509_context context, +hx509_private_key2SPKI(hx509_context context, hx509_private_key private_key, SubjectPublicKeyInfo *spki) { @@ -1865,13 +1865,13 @@ _hx509_generate_private_key(hx509_context context, *private_key = NULL; - ops = find_private_alg(ctx->key_oid); + ops = hx509_find_private_alg(ctx->key_oid); if (ops == NULL) { hx509_clear_error_string(context); return HX509_SIG_ALG_NO_SUPPORTED; } - ret = _hx509_private_key_init(private_key, ops, NULL); + ret = hx509_private_key_init(private_key, ops, NULL); if (ret) { hx509_set_error_string(context, 0, ret, "out of memory"); return ret; @@ -1879,7 +1879,7 @@ _hx509_generate_private_key(hx509_context context, ret = (*ops->generate_private_key)(context, ctx, *private_key); if (ret) - _hx509_private_key_free(private_key); + hx509_private_key_free(private_key); return ret; } @@ -1976,7 +1976,7 @@ const AlgorithmIdentifier * _hx509_crypto_default_secret_alg = */ int -_hx509_private_key_init(hx509_private_key *key, +hx509_private_key_init(hx509_private_key *key, hx509_private_key_ops *ops, void *keydata) { 
@@ -2007,7 +2007,7 @@ _hx509_private_pem_name(hx509_private_key key) } int -_hx509_private_key_free(hx509_private_key *key) +hx509_private_key_free(hx509_private_key *key) { if (key == NULL || *key == NULL) return 0; @@ -2033,7 +2033,7 @@ _hx509_private_key_free(hx509_private_key *key) } void -_hx509_private_key_assign_rsa(hx509_private_key key, void *ptr) +hx509_private_key_assign_rsa(hx509_private_key key, void *ptr) { if (key->private_key.rsa) RSA_free(key->private_key.rsa); diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h index 1a5e2f308..3954b54b1 100644 --- a/lib/hx509/hx509.h +++ b/lib/hx509/hx509.h @@ -48,6 +48,7 @@ typedef struct hx509_crypto_data *hx509_crypto; typedef struct hx509_lock_data *hx509_lock; typedef struct hx509_name_data *hx509_name; typedef struct hx509_private_key *hx509_private_key; +typedef struct hx509_private_key_ops hx509_private_key_ops; typedef struct hx509_validate_ctx_data *hx509_validate_ctx; typedef struct hx509_verify_ctx_data *hx509_verify_ctx; typedef struct hx509_revoke_ctx_data *hx509_revoke_ctx; diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h index 3e3ab23c6..a0a5235c7 100644 --- a/lib/hx509/hx_locl.h +++ b/lib/hx509/hx_locl.h @@ -82,7 +82,6 @@ typedef struct hx509_path hx509_path; typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *); -typedef struct hx509_private_key_ops hx509_private_key_ops; #include "sel.h" diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c index 54b579921..1770b6095 100644 --- a/lib/hx509/hxtool.c +++ b/lib/hx509/hxtool.c @@ -1294,7 +1294,7 @@ request_create(struct request_create_options *opt, int argc, char **argv) opt->key_bits_integer, &signer); - _hx509_request_init(context, &req); + hx509_request_init(context, &req); if (opt->subject_string) { hx509_name name = NULL; 
@@ -1302,7 +1302,7 @@ request_create(struct request_create_options *opt, int argc, char **argv) ret = hx509_parse_name(context, opt->subject_string, &name); if (ret) errx(1, "hx509_parse_name: %d\n", ret); - _hx509_request_set_name(context, req, name); + hx509_request_set_name(context, req, name); if (opt->verbose_flag) { char *s; @@ -1327,16 +1327,16 @@ request_create(struct request_create_options *opt, int argc, char **argv) } - ret = _hx509_private_key2SPKI(context, signer, &key); + ret = hx509_private_key2SPKI(context, signer, &key); if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); + errx(1, "hx509_private_key2SPKI: %d\n", ret); - ret = _hx509_request_set_SubjectPublicKeyInfo(context, + ret = hx509_request_set_SubjectPublicKeyInfo(context, req, &key); free_SubjectPublicKeyInfo(&key); if (ret) - hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo"); + hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo"); ret = _hx509_request_to_pkcs10(context, req, @@ -1345,8 +1345,8 @@ request_create(struct request_create_options *opt, int argc, char **argv) if (ret) hx509_err(context, 1, ret, "_hx509_request_to_pkcs10"); - _hx509_private_key_free(&signer); - _hx509_request_free(&req); + hx509_private_key_free(&signer); + hx509_request_free(&req); if (ret == 0) rk_dumpdata(outfile, request.data, request.length); @@ -1370,7 +1370,7 @@ request_print(struct request_print_options *opt, int argc, char **argv) hx509_err(context, 1, ret, "parse_request: %s", argv[i]); ret = _hx509_request_print(context, req, stdout); - _hx509_request_free(&req); + hx509_request_free(&req); if (ret) hx509_err(context, 1, ret, "Failed to print file %s", argv[i]); } 
@@ -1814,9 +1814,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) if (ret) err(1, "read_private_key"); - ret = _hx509_private_key2SPKI(context, private_key, &spki); + ret = hx509_private_key2SPKI(context, private_key, &spki); if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); + errx(1, "hx509_private_key2SPKI: %d\n", ret); if (opt->self_signed_flag) cert_key = private_key; @@ -1828,13 +1828,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) ret = _hx509_request_parse(context, opt->req_string, &req); if (ret) hx509_err(context, 1, ret, "parse_request: %s", opt->req_string); - ret = _hx509_request_get_name(context, req, &subject); + ret = hx509_request_get_name(context, req, &subject); if (ret) hx509_err(context, 1, ret, "get name"); - ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki); + ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki); if (ret) hx509_err(context, 1, ret, "get spki"); - _hx509_request_free(&req); + hx509_request_free(&req); } if (opt->generate_key_string) { @@ -1859,9 +1859,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) if (ret) hx509_err(context, 1, ret, "generate private key"); - ret = _hx509_private_key2SPKI(context, cert_key, &spki); + ret = hx509_private_key2SPKI(context, cert_key, &spki); if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); + errx(1, "hx509_private_key2SPKI: %d\n", ret); if (opt->self_signed_flag) private_key = cert_key; @@ -2015,8 +2015,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) free_SubjectPublicKeyInfo(&spki); if (private_key != cert_key) - _hx509_private_key_free(&private_key); - _hx509_private_key_free(&cert_key); + hx509_private_key_free(&private_key); + hx509_private_key_free(&cert_key); hx509_ca_tbs_free(&tbs); diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c index 465ca1b4d..77cfd42cd 100644 --- a/lib/hx509/keyset.c +++ b/lib/hx509/keyset.c 
@@ -781,6 +781,6 @@ _hx509_certs_keys_free(hx509_context context, { int i; for (i = 0; keys[i]; i++) - _hx509_private_key_free(&keys[i]); + hx509_private_key_free(&keys[i]); free(keys); } diff --git a/lib/hx509/ks_keychain.c b/lib/hx509/ks_keychain.c index 9c6521790..e64d83c84 100644 --- a/lib/hx509/ks_keychain.c +++ b/lib/hx509/ks_keychain.c @@ -259,7 +259,7 @@ set_private_key(hx509_context context, RSA *rsa; int ret; - ret = _hx509_private_key_init(&key, NULL, NULL); + ret = hx509_private_key_init(&key, NULL, NULL); if (ret) return ret; @@ -302,7 +302,7 @@ set_private_key(hx509_context context, if (ret != 1) _hx509_abort("RSA_set_app_data"); - _hx509_private_key_assign_rsa(key, rsa); + hx509_private_key_assign_rsa(key, rsa); _hx509_cert_assign_key(cert, key); return 0; diff --git a/lib/hx509/ks_mem.c b/lib/hx509/ks_mem.c index 299a3932c..9d3c66b29 100644 --- a/lib/hx509/ks_mem.c +++ b/lib/hx509/ks_mem.c @@ -78,7 +78,7 @@ mem_free(hx509_certs certs, void *data) hx509_cert_free(mem->certs.val[i]); free(mem->certs.val); for (i = 0; mem->keys && mem->keys[i]; i++) - _hx509_private_key_free(&mem->keys[i]); + hx509_private_key_free(&mem->keys[i]); free(mem->keys); free(mem->name); free(mem); @@ -167,7 +167,7 @@ mem_getkeys(hx509_context context, (*keys)[i] = _hx509_private_key_ref(mem->keys[i]); if ((*keys)[i] == NULL) { while (--i >= 0) - _hx509_private_key_free(&(*keys)[i]); + hx509_private_key_free(&(*keys)[i]); hx509_set_error_string(context, 0, ENOMEM, "out of memory"); return ENOMEM; } diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c index 23f6a4826..30f5343b0 100644 --- a/lib/hx509/ks_p11.c +++ b/lib/hx509/ks_p11.c @@ -613,7 +613,7 @@ collect_private_key(hx509_context context, localKeyId.data = query[0].pValue; localKeyId.length = query[0].ulValueLen; - ret = _hx509_private_key_init(&key, NULL, NULL); + ret = hx509_private_key_init(&key, NULL, NULL); if (ret) return ret; 
@@ -648,7 +648,7 @@ collect_private_key(hx509_context context, if (ret != 1) _hx509_abort("RSA_set_app_data"); - _hx509_private_key_assign_rsa(key, rsa); + hx509_private_key_assign_rsa(key, rsa); ret = _hx509_collector_private_key_add(context, collector, @@ -658,7 +658,7 @@ collect_private_key(hx509_context context, &localKeyId); if (ret) { - _hx509_private_key_free(&key); + hx509_private_key_free(&key); return ret; } return 0; diff --git a/lib/hx509/req.c b/lib/hx509/req.c index 917f08891..e70ab4b6c 100644 --- a/lib/hx509/req.c +++ b/lib/hx509/req.c @@ -46,7 +46,7 @@ struct hx509_request_data { */ int -_hx509_request_init(hx509_context context, hx509_request *req) +hx509_request_init(hx509_context context, hx509_request *req) { *req = calloc(1, sizeof(**req)); if (*req == NULL) @@ -56,7 +56,7 @@ _hx509_request_init(hx509_context context, hx509_request *req) } void -_hx509_request_free(hx509_request *req) +hx509_request_free(hx509_request *req) { if ((*req)->name) hx509_name_free(&(*req)->name); @@ -69,7 +69,7 @@ _hx509_request_free(hx509_request *req) } int -_hx509_request_set_name(hx509_context context, +hx509_request_set_name(hx509_context context, hx509_request req, hx509_name name) { @@ -84,7 +84,7 @@ _hx509_request_set_name(hx509_context context, } int -_hx509_request_get_name(hx509_context context, +hx509_request_get_name(hx509_context context, hx509_request req, hx509_name *name) { @@ -96,7 +96,7 @@ _hx509_request_get_name(hx509_context context, } int -_hx509_request_set_SubjectPublicKeyInfo(hx509_context context, +hx509_request_set_SubjectPublicKeyInfo(hx509_context context, hx509_request req, const SubjectPublicKeyInfo *key) { @@ -105,7 +105,7 @@ _hx509_request_set_SubjectPublicKeyInfo(hx509_context context, } int -_hx509_request_get_SubjectPublicKeyInfo(hx509_context context, +hx509_request_get_SubjectPublicKeyInfo(hx509_context context, hx509_request req, SubjectPublicKeyInfo *key) { 
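Review bot: `hx509_request_free` is now a public symbol but still dereferences `*req` unconditionally in `if ((*req)->name)`, whereas the public `hx509_private_key_free` in the same commit guards with `if (key == NULL || *key == NULL) return 0;`. A NULL-tolerant free is the safer contract for an exported API that callers reach on error paths; add `if (req == NULL || *req == NULL) return;` as the first statement. The body continues outside the hunk, and the newly public init/free pair should get Doxygen comments describing ownership (the request is freed and, if the unseen remainder does so, the caller's pointer reset).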
@@ -271,7 +271,7 @@ _hx509_request_parse(hx509_context context, return ret; } - ret = _hx509_request_init(context, req); + ret = hx509_request_init(context, req); if (ret) { free_CertificationRequest(&r); return ret; @@ -279,25 +279,25 @@ _hx509_request_parse(hx509_context context, rinfo = &r.certificationRequestInfo; - ret = _hx509_request_set_SubjectPublicKeyInfo(context, *req, + ret = hx509_request_set_SubjectPublicKeyInfo(context, *req, &rinfo->subjectPKInfo); if (ret) { free_CertificationRequest(&r); - _hx509_request_free(req); + hx509_request_free(req); return ret; } ret = _hx509_name_from_Name(&rinfo->subject, &subject); if (ret) { free_CertificationRequest(&r); - _hx509_request_free(req); + hx509_request_free(req); return ret; } - ret = _hx509_request_set_name(context, *req, subject); + ret = hx509_request_set_name(context, *req, subject); hx509_name_free(&subject); free_CertificationRequest(&r); if (ret) { - _hx509_request_free(req); + hx509_request_free(req); return ret; } diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map index c0666d81c..b05198c42 100644 --- a/lib/hx509/version-script.map +++ b/lib/hx509/version-script.map @@ -16,20 +16,12 @@ HEIMDAL_X509_1.2 { _hx509_generate_private_key_is_ca; _hx509_map_file_os; _hx509_name_from_Name; - _hx509_private_key2SPKI; - _hx509_private_key_free; _hx509_private_key_ref; _hx509_request_add_dns_name; _hx509_request_add_email; - _hx509_request_free; - _hx509_request_get_SubjectPublicKeyInfo; - _hx509_request_get_name; - _hx509_request_init; _hx509_request_parse; _hx509_request_print; - _hx509_request_set_SubjectPublicKeyInfo; _hx509_request_set_email; - _hx509_request_set_name; _hx509_request_to_pkcs10; _hx509_request_to_pkcs10; _hx509_unmap_file_os; @@ -82,6 +74,7 @@ HEIMDAL_X509_1.2 { hx509_cert_init; hx509_cert_init_data; hx509_cert_keyusage_print; + hx509_cert_public_encrypt; hx509_cert_ref; hx509_cert_set_friendly_name; hx509_certs_add; 
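Review bot: The new public symbols are added to the existing `HEIMDAL_X509_1.2` node instead of a new version node, so a program linked against this library records a dependency that an older library also satisfies, and the missing `hx509_request_*` / `hx509_private_key_*` symbols may only be reported when first called rather than at load time. Dropping the `_hx509_*` exports is defensible because the underscore prefix marks them private, but the replacements belong in a new node (for example `HEIMDAL_X509_1.3 { global: ...; } HEIMDAL_X509_1.2;`), which also documents the ABI step that the libgssapi version-info bump in this commit makes for that library. The pre-existing duplicate `_hx509_request_to_pkcs10;` line visible in the context could be removed in the same pass.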
@@ -146,6 +139,7 @@ HEIMDAL_X509_1.2 { hx509_err; hx509_free_error_string; hx509_free_octet_string_list; + hx509_find_private_alg; hx509_general_name_unparse; hx509_get_error_string; hx509_get_one_cert; @@ -174,6 +168,7 @@ HEIMDAL_X509_1.2 { hx509_oid_print; hx509_oid_sprint; hx509_parse_name; + hx509_parse_private_key; hx509_peer_info_add_cms_alg; hx509_peer_info_alloc; hx509_peer_info_free; @@ -186,6 +181,11 @@ HEIMDAL_X509_1.2 { hx509_pem_write; hx509_print_stdout; hx509_print_cert; + hx509_private_key_assign_rsa; + hx509_private_key_free; + hx509_private_key_private_decrypt; + hx509_private_key_init; + hx509_private_key2SPKI; hx509_prompt_hidden; hx509_query_alloc; hx509_query_free; @@ -197,6 +197,12 @@ HEIMDAL_X509_1.2 { hx509_query_match_option; hx509_query_statistic_file; hx509_query_unparse_stats; + hx509_request_get_name; + hx509_request_get_SubjectPublicKeyInfo; + hx509_request_free; + hx509_request_init; + hx509_request_set_name; + hx509_request_set_SubjectPublicKeyInfo; hx509_revoke_add_crl; hx509_revoke_add_ocsp; hx509_revoke_free; diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index ee20520d8..cbe9ef87c 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am 
@@ -63,28 +63,28 @@ use_sqlite = $(LIB_sqlite3) endif libkrb5_la_LIBADD = \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(top_builddir)/lib/ipc/libheim-ipcc.la \ + $(top_builddir)/lib/wind/libwind.la \ + $(top_builddir)/base/libheimbase.la \ $(LIB_pkinit) \ $(use_sqlite) \ $(LIB_com_err) \ $(LIB_hcrypto) \ - $(top_builddir)/lib/asn1/libasn1.la \ - ../ipc/libheim-ipcc.la \ - ../wind/libwind.la \ $(LIB_libintl) \ $(LIBADD_roken) \ - ../../base/libheimbase.la \ $(PTHREAD_LIBADD) \ $(LIB_door_create) \ $(LIB_dlopen) librfc3961_la_LIBADD = \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(top_builddir)/lib/ipc/libheim-ipcc.la \ + $(top_builddir)/lib/wind/libwind.la \ $(LIB_pkinit) \ $(use_sqlite) \ $(LIB_com_err) \ $(LIB_hcrypto) \ - $(top_builddir)/lib/asn1/libasn1.la \ - ../ipc/libheim-ipcc.la \ - ../wind/libwind.la \ $(LIB_libintl) \ $(LIBADD_roken) \ $(PTHREAD_LIBADD) \ diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h index dd579f973..8d671e3d3 100644 --- a/lib/krb5/krb5.h +++ b/lib/krb5/krb5.h @@ -241,6 +241,8 @@ typedef enum krb5_key_usage { /* Encryption of the SAM-NONCE-OR-SAD field */ KRB5_KU_PA_PKINIT_KX = 44, /* Encryption type of the kdc session contribution in pk-init */ + KRB5_KU_AS_REQ = 56, + /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */ KRB5_KU_DIGEST_ENCRYPT = -18, /* Encryption key usage used in the digest encryption field */ KRB5_KU_DIGEST_OPAQUE = -19,
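Review bot: The comment on the new `KRB5_KU_AS_REQ = 56` entry is garbled and reverses the roles: `Checksum of over the AS-REQ send by the KDC` — the AS-REQ is sent by the client, and the KDC computes the checksum over it. Suggest `/* Checksum over the client's AS-REQ, computed by the KDC and returned in PA-REQ-ENC-PA-REP (RFC 6113) */`, keeping the comment on the line after the value as the neighbouring entries do.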