From 0b4f6bbfc2ac786eef78a8bc45c3183494dc15d3 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 3 Jan 2011 14:05:47 +1100 Subject: [PATCH 01/23] Use RTLD_GROUP Signed-off-by: Love Hornquist Astrand --- lib/gssapi/mech/gss_mech_switch.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/gssapi/mech/gss_mech_switch.c b/lib/gssapi/mech/gss_mech_switch.c index 48444a8fa..a68d345e3 100644 --- a/lib/gssapi/mech/gss_mech_switch.c +++ b/lib/gssapi/mech/gss_mech_switch.c @@ -276,7 +276,11 @@ _gss_load_mech(void) #define RTLD_LOCAL 0 #endif - so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL); +#ifndef RTLD_GROUP +#define RTLD_GROUP 0 +#endif + + so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP); if (!so) { /* fprintf(stderr, "dlopen: %s\n", dlerror()); */ free(mech_oid.elements); From 21c59870181caf5aa02da9ebd64776975b922b49 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 3 Jan 2011 22:13:20 +1100 Subject: [PATCH 02/23] Rename GSS_IOV_BUFFER_TYPE_FLAG to GSS_IOV_BUFFER_FLAG Signed-off-by: Love Hornquist Astrand --- lib/gssapi/krb5/cfx.c | 8 ++++---- lib/gssapi/mech/gss_aeap.c | 6 +++--- lib/gssapi/netlogon/crypto.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c index 1a6e97527..1189718ad 100755 --- a/lib/gssapi/krb5/cfx.c +++ b/lib/gssapi/krb5/cfx.c @@ -216,7 +216,7 @@ _gk_find_buffer(gss_iov_buffer_desc *iov, int iov_count, OM_uint32 type) OM_uint32 _gk_allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t size) { - if (buffer->type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) { + if (buffer->type & GSS_IOV_BUFFER_FLAG_ALLOCATED) { if (buffer->buffer.length == size) return GSS_S_COMPLETE; free(buffer->buffer.value); 
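Review bot: The new `RTLD_GROUP` in the dlopen() call carries no explanation, and the `#ifndef RTLD_GROUP` fallback to 0 turns it into a silent no-op on every platform that lacks the flag, so whether a mechanism's symbol lookups are confined to its own group is now platform-dependent without the code saying so. A one-line comment above the fallback would make that explicit, e.g. `/* RTLD_GROUP (Solaris): restrict the mechanism's symbol resolution to its own dependency group; 0 (no effect) where the flag does not exist */`. _gss_load_mech begins and ends outside the hunk.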
@@ -228,7 +228,7 @@ _gk_allocate_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *buffer, size_t *minor_status = ENOMEM; return GSS_S_FAILURE; } - buffer->type |= GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; + buffer->type |= GSS_IOV_BUFFER_FLAG_ALLOCATED; return GSS_S_COMPLETE; } @@ -391,7 +391,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, rrc -= ec; gsshsize += gsstsize; gsstsize = 0; - } else if (GSS_IOV_BUFFER_FLAGS(trailer->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { + } else if (GSS_IOV_BUFFER_FLAGS(trailer->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) { major_status = _gk_allocate_buffer(minor_status, trailer, gsstsize); if (major_status) goto failure; @@ -406,7 +406,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, * */ - if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { + if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) { major_status = _gk_allocate_buffer(minor_status, header, gsshsize); if (major_status != GSS_S_COMPLETE) goto failure; diff --git a/lib/gssapi/mech/gss_aeap.c b/lib/gssapi/mech/gss_aeap.c index e98ba970d..141b6ae5a 100644 --- a/lib/gssapi/mech/gss_aeap.c +++ b/lib/gssapi/mech/gss_aeap.c @@ -157,7 +157,7 @@ gss_wrap_iov_length(OM_uint32 * minor_status, /** * Free all buffer allocated by gss_wrap_iov() or gss_unwrap_iov() by - * looking at the GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED flag. + * looking at the GSS_IOV_BUFFER_FLAG_ALLOCATED flag. * * @ingroup gssapi */ @@ -176,10 +176,10 @@ gss_release_iov_buffer(OM_uint32 *minor_status, return GSS_S_CALL_INACCESSIBLE_READ; for (i = 0; i < iov_count; i++) { - if ((iov[i].type & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED) == 0) + if ((iov[i].type & GSS_IOV_BUFFER_FLAG_ALLOCATED) == 0) continue; gss_release_buffer(&junk, &iov[i].buffer); - iov[i].type &= ~GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED; + iov[i].type &= ~GSS_IOV_BUFFER_FLAG_ALLOCATED; } return GSS_S_COMPLETE; } 
diff --git a/lib/gssapi/netlogon/crypto.c b/lib/gssapi/netlogon/crypto.c index d79871cd6..79a82b800 100644 --- a/lib/gssapi/netlogon/crypto.c +++ b/lib/gssapi/netlogon/crypto.c @@ -479,7 +479,7 @@ _netlogon_wrap_iov(OM_uint32 * minor_status, size = _netlogon_signature_length(ctx->SignatureAlgorithm, conf_req_flag); - if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE) { + if (GSS_IOV_BUFFER_FLAGS(header->type) & GSS_IOV_BUFFER_FLAG_ALLOCATE) { ret = _gss_mg_allocate_buffer(minor_status, header, size); if (GSS_ERROR(ret)) return ret; @@ -669,7 +669,7 @@ OM_uint32 _netlogon_get_mic iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; iov[0].buffer = *message_buffer; - iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE; + iov[1].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[1].buffer.length = 0; iov[1].buffer.value = NULL; From d083ae19af03443ab491949a1c2160ef2283b1d1 Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Sat, 2 Oct 2010 21:21:57 +0400 Subject: [PATCH 03/23] export hx509_private_key_ops export hx509_private_key_ops Signed-off-by: Love Hornquist Astrand --- lib/hx509/hx509.h | 1 + lib/hx509/hx_locl.h | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h index 1a5e2f308..3954b54b1 100644 --- a/lib/hx509/hx509.h +++ b/lib/hx509/hx509.h @@ -48,6 +48,7 @@ typedef struct hx509_crypto_data *hx509_crypto; typedef struct hx509_lock_data *hx509_lock; typedef struct hx509_name_data *hx509_name; typedef struct hx509_private_key *hx509_private_key; +typedef struct hx509_private_key_ops hx509_private_key_ops; typedef struct hx509_validate_ctx_data *hx509_validate_ctx; typedef struct hx509_verify_ctx_data *hx509_verify_ctx; typedef struct hx509_revoke_ctx_data *hx509_revoke_ctx; diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h index 3e3ab23c6..a0a5235c7 100644 --- a/lib/hx509/hx_locl.h +++ b/lib/hx509/hx_locl.h 
@@ -82,7 +82,6 @@ typedef struct hx509_path hx509_path; typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *); -typedef struct hx509_private_key_ops hx509_private_key_ops; #include "sel.h" From 49ca1a40fadfa389d0d6f41643e32be33a325ccb Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 12 Jan 2011 17:49:12 +0100 Subject: [PATCH 04/23] export hx509_find_private_alg --- lib/hx509/crypto.c | 8 ++++---- lib/hx509/version-script.map | 1 + 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c index a38226d94..5d66b681d 100644 --- a/lib/hx509/crypto.c +++ b/lib/hx509/crypto.c @@ -1506,8 +1506,8 @@ static struct hx509_private_key_ops *private_algs[] = { NULL }; -static hx509_private_key_ops * -find_private_alg(const heim_oid *oid) +hx509_private_key_ops * +hx509_find_private_alg(const heim_oid *oid) { int i; for (i = 0; private_algs[i]; i++) { @@ -1770,7 +1770,7 @@ _hx509_parse_private_key(hx509_context context, *private_key = NULL; - ops = find_private_alg(&keyai->algorithm); + ops = hx509_find_private_alg(&keyai->algorithm); if (ops == NULL) { hx509_clear_error_string(context); return HX509_SIG_ALG_NO_SUPPORTED; @@ -1865,7 +1865,7 @@ _hx509_generate_private_key(hx509_context context, *private_key = NULL; - ops = find_private_alg(ctx->key_oid); + ops = hx509_find_private_alg(ctx->key_oid); if (ops == NULL) { hx509_clear_error_string(context); return HX509_SIG_ALG_NO_SUPPORTED; diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map index c0666d81c..1207af942 100644 --- a/lib/hx509/version-script.map +++ b/lib/hx509/version-script.map @@ -146,6 +146,7 @@ HEIMDAL_X509_1.2 { hx509_err; hx509_free_error_string; hx509_free_octet_string_list; + hx509_find_private_alg; hx509_general_name_unparse; hx509_get_error_string; hx509_get_one_cert; From 4be5db6a32670a21e706f3eb9bb07fac6d432f37 Mon Sep 17 00:00:00 2001 
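Review bot: `hx509_find_private_alg` becomes public API in the crypto.c hunk at line 1506 but gains no documentation and, as far as the diff shows, no declaration in a public header — only the rename and the version-script entry. If hx509's prototype headers are generated from the definitions the rename alone publishes the declaration; otherwise other libraries have no prototype to include, so please confirm. Either way a Doxygen block in the style of the surrounding public functions is missing: purpose (look up the private-key ops for an algorithm OID), the return value (the ops table, or NULL for an unsupported algorithm — both callers in the later hunks test for NULL and return HX509_SIG_ALG_NO_SUPPORTED), and that the returned pointer presumably refers to the static `private_algs[]` table and must not be freed. The function body continues outside the hunk.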
From: Love Hornquist Astrand Date: Tue, 18 Jan 2011 16:49:03 +0100 Subject: [PATCH 05/23] define GSS_IOV_BUFFER_FLAG_ALLOCATE and friends --- lib/gssapi/gssapi/gssapi.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h index 12833ebe1..c67b0a80d 100644 --- a/lib/gssapi/gssapi/gssapi.h +++ b/lib/gssapi/gssapi/gssapi.h @@ -261,9 +261,12 @@ typedef OM_uint32 gss_qop_t; #define GSS_IOV_BUFFER_TYPE_STREAM 10 #define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11 -#define GSS_IOV_BUFFER_TYPE_FLAG_MASK 0xffff0000 -#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE 0x00010000 -#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED 0x00020000 +#define GSS_IOV_BUFFER_TYPE_FLAG_MASK 0xffff0000 +#define GSS_IOV_BUFFER_FLAG_ALLOCATE 0x00010000 +#define GSS_IOV_BUFFER_FLAG_ALLOCATED 0x00020000 + +#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE 0x00010000 /* old name */ +#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED 0x00020000 /* old name */ #define GSS_IOV_BUFFER_TYPE(_t) ((_t) & ~GSS_IOV_BUFFER_TYPE_FLAG_MASK) #define GSS_IOV_BUFFER_FLAGS(_t) ((_t) & GSS_IOV_BUFFER_TYPE_FLAG_MASK) From 5ff461d0aff3bd37d13583e4595e67dcca36e83d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 25 Jan 2011 15:23:14 -0800 Subject: [PATCH 06/23] kcc: Add explicitly link against LIB_readline. Fixes linking when using binutils-gold (used by e.g. Ubuntu natty). Signed-off-by: Love Hornquist Astrand --- kuser/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kuser/Makefile.am b/kuser/Makefile.am index 7db632f71..0d41343a4 100644 --- a/kuser/Makefile.am +++ b/kuser/Makefile.am @@ -35,7 +35,8 @@ kimpersonate_LDADD = $(kinit_LDADD) kcc_LDADD = \ $(top_builddir)/lib/sl/libsl.la \ - $(kinit_LDADD) + $(kinit_LDADD) \ + $(LIB_readline) dist_kcc_SOURCES = kcc.c klist.c kswitch.c copy_cred_cache.c nodist_kcc_SOURCES = kcc-commands.c From 995d305f8ceb8a275aa4b749bbfc94d918e21a64 Mon Sep 17 00:00:00 2001 
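Review bot: The compatibility macros `GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE` and `GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED` repeat the literal bit values instead of aliasing the new names, so the old and new spellings can drift apart if either value is ever changed. Defining them as `#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE GSS_IOV_BUFFER_FLAG_ALLOCATE /* old name */` and `#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED GSS_IOV_BUFFER_FLAG_ALLOCATED /* old name */` keeps a single source of truth. `GSS_IOV_BUFFER_TYPE_FLAG_MASK` keeps its old spelling while the flags it masks are renamed; that is fine for compatibility but deserves a short comment saying the inconsistency is deliberate.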
From: Andrew Bartlett Date: Tue, 25 Jan 2011 18:27:12 -0800 Subject: [PATCH 07/23] lib/com_err only use error_message for the exported libcom_err This avoids using the same function name in compile_et internally Andrew Bartlett Signed-off-by: Love Hornquist Astrand --- lib/com_err/lex.h | 2 +- lib/com_err/lex.l | 4 ++-- lib/com_err/parse.y | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/com_err/lex.h b/lib/com_err/lex.h index 76f3e2b2a..e158816bb 100644 --- a/lib/com_err/lex.h +++ b/lib/com_err/lex.h @@ -33,7 +33,7 @@ /* $Id$ */ -void error_message (const char *, ...) +void _lex_error_message (const char *, ...) __attribute__ ((format (printf, 1, 2))); int yylex(void); diff --git a/lib/com_err/lex.l b/lib/com_err/lex.l index b17c9d67a..eb39e0cfb 100644 --- a/lib/com_err/lex.l +++ b/lib/com_err/lex.l @@ -95,7 +95,7 @@ getstring(void) continue; } if(c == '\n'){ - error_message("unterminated string"); + _lex_error_message("unterminated string"); lineno++; break; } @@ -115,7 +115,7 @@ getstring(void) } void -error_message (const char *format, ...) +_lex_error_message (const char *format, ...) { va_list args; diff --git a/lib/com_err/parse.y b/lib/com_err/parse.y index 3472f82e0..194965c34 100644 --- a/lib/com_err/parse.y +++ b/lib/com_err/parse.y @@ -170,5 +170,5 @@ name2number(const char *str) void yyerror (char *s) { - error_message ("%s\n", s); + _lex_error_message ("%s\n", s); } From 4c507594d3d6f0bdf077371cead3e1f38b7c225d Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Thu, 13 Jan 2011 23:57:15 +0300 Subject: [PATCH 08/23] heimdal: make hx509_cert_public_encrypt public Signed-off-by: Love Hornquist Astrand --- lib/hx509/version-script.map | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map index 1207af942..f76365c35 100644 --- a/lib/hx509/version-script.map +++ b/lib/hx509/version-script.map 
@@ -4,6 +4,7 @@ HEIMDAL_X509_1.2 { global: _hx509_cert_assign_key; _hx509_cert_private_key; + _hx509_cert_public_encrypt; _hx509_certs_keys_free; _hx509_certs_keys_get; _hx509_expr_eval; From 8ce821c38744b30e226ff024f675668b991b984d Mon Sep 17 00:00:00 2001 From: Matthieu Patou Date: Thu, 13 Jan 2011 23:49:02 +0300 Subject: [PATCH 09/23] heimdal: make some private key manipulation function public Signed-off-by: Love Hornquist Astrand --- lib/hx509/version-script.map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map index f76365c35..4748fa1d0 100644 --- a/lib/hx509/version-script.map +++ b/lib/hx509/version-script.map @@ -17,8 +17,12 @@ HEIMDAL_X509_1.2 { _hx509_generate_private_key_is_ca; _hx509_map_file_os; _hx509_name_from_Name; + _hx509_parse_private_key; + _hx509_private_key_assign_rsa; _hx509_private_key2SPKI; _hx509_private_key_free; + _hx509_private_key_init; + _hx509_private_key_private_decrypt; _hx509_private_key_ref; _hx509_request_add_dns_name; _hx509_request_add_email; From 9e1d467534abf97a0409d9af6ac8ea89c0e9555d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 28 Jan 2011 10:55:31 +0100 Subject: [PATCH 10/23] s4-heimdal: implement KERB_AP_ERR_TYPE_SKEW_RECOVERY this e_data field in a kerberos error packet tells windows to do clock skew recovery. See [MS-KILE] 2.2.1 KERB-ERROR-DATA Pair-Programmed-With: Andrew Bartlett Signed-off-by: Love Hornquist Astrand --- lib/gssapi/krb5/accept_sec_context.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c index 8ec3a65a3..0e8fbe837 100644 --- a/lib/gssapi/krb5/accept_sec_context.c +++ b/lib/gssapi/krb5/accept_sec_context.c 
@@ -263,6 +263,10 @@ send_error_token(OM_uint32 *minor_status, krb5_principal ap_req_server = NULL; krb5_error_code ret; krb5_data outbuf; + /* this e_data value encodes KERB_AP_ERR_TYPE_SKEW_RECOVERY which + tells windows to try again with the corrected timestamp. See + [MS-KILE] 2.2.1 KERB-ERROR-DATA */ + krb5_data e_data = { 7, rk_UNCONST("\x30\x05\xa1\x03\x02\x01\x02") }; /* build server from request if the acceptor had not selected one */ if (server == NULL) { @@ -285,7 +289,7 @@ send_error_token(OM_uint32 *minor_status, server = ap_req_server; } - ret = krb5_mk_error(context, kret, NULL, NULL, NULL, + ret = krb5_mk_error(context, kret, NULL, &e_data, NULL, server, NULL, NULL, &outbuf); if (ap_req_server) krb5_free_principal(context, ap_req_server); From b746f1ce343f93e648698951a8c9553ee585d5c6 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 30 Jan 2011 12:12:30 -0800 Subject: [PATCH 11/23] add _kdc_db_fetch and _kdc_free_ent for digest-service --- kdc/version-script.map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kdc/version-script.map b/kdc/version-script.map index 8234ee2ef..ae16f39fa 100644 --- a/kdc/version-script.map +++ b/kdc/version-script.map @@ -16,6 +16,10 @@ HEIMDAL_KDC_1.0 { krb5_kdc_save_request; krb5_kdc_update_time; krb5_kdc_pk_initialize; + + # needed for digest-service + _kdc_db_fetch; + _kdc_free_ent; local: *; }; From 7e1ba19fda62e8348c00fd4f2d48696cd088149f Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 2 Feb 2011 21:37:26 -0800 Subject: [PATCH 12/23] setup cfx context, found by Jaideep Padhye --- lib/gssapi/krb5/import_sec_context.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/gssapi/krb5/import_sec_context.c b/lib/gssapi/krb5/import_sec_context.c index c873da9ba..3bab1802b 100644 --- a/lib/gssapi/krb5/import_sec_context.c +++ b/lib/gssapi/krb5/import_sec_context.c 
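Review bot: `e_data` is attached to every KRB-ERROR that send_error_token builds, regardless of the `kret` it reports, so the skew-recovery hint goes out for whatever error codes reach this function (its callers are outside the hunk). If the function can be reached for anything other than a clock-skew error, pass the hint only then, e.g. `kret == KRB5KRB_AP_ERR_SKEW ? &e_data : NULL` in place of `&e_data` in the krb5_mk_error() call. The hand-encoded DER is also opaque as written; a comment decoding it, `/* DER KERB-ERROR-DATA: SEQUENCE { [1] data-type INTEGER 2 = KERB_AP_ERR_TYPE_SKEW_RECOVERY } */`, lets a reviewer check the bytes without a decoder, and emitting the structure through the ASN.1 compiler would remove the hand-coding altogether. send_error_token begins outside the hunk.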
@@ -202,6 +202,8 @@ _gsskrb5_import_sec_context ( krb5_storage_free (sp); + _gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0); + *context_handle = (gss_ctx_id_t)ctx; return GSS_S_COMPLETE; From 9c7c6eadd3e89d653f675d71a8d3936dfe740215 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 2 Feb 2011 21:38:02 -0800 Subject: [PATCH 13/23] add Jaideep Padhye and sort --- doc/ack.texi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/ack.texi b/doc/ack.texi index a80def222..9cccd4477 100644 --- a/doc/ack.texi +++ b/doc/ack.texi @@ -58,8 +58,9 @@ Bugfixes, documentation, encouragement, and code has been contributed by: @item Frank van der Linden @item Guido Günther @item Harald Barth -@item Jason McIntyre +@item Jaideep Padhye @item Jan Rekorajski +@item Jason McIntyre @item Johan Gadsjö @item Johan Ihrén @item John Center From fb29123dfdd66106643e20a3d925e39a1b1e70c7 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 6 Feb 2011 16:28:48 -0800 Subject: [PATCH 14/23] add KRB5-PADATA-REQ-ENC-PA-REP --- lib/asn1/krb5.asn1 | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1 index b9a566de7..8e3601289 100644 --- a/lib/asn1/krb5.asn1 +++ b/lib/asn1/krb5.asn1 @@ -172,6 +172,7 @@ PADATA-TYPE ::= INTEGER { KRB5-PADATA-EPAK-AS-REP(146), KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u + KRB5-PADATA-REQ-ENC-PA-REP(149), -- KRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE } From 2fb63b37e7ec6f418d02603ee8168644fdecd62e Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 6 Feb 2011 16:35:10 -0800 Subject: [PATCH 15/23] add KRB5_KU_AS_REQ --- lib/krb5/krb5.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/krb5/krb5.h b/lib/krb5/krb5.h index dd579f973..8d671e3d3 100644 --- a/lib/krb5/krb5.h +++ b/lib/krb5/krb5.h 
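Review bot: The new `_gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0);` line has no comment explaining why the CFX state must be recomputed at import time or what the third argument means, and it reads as a bare side effect between the storage teardown and the return. A comment such as `/* re-derive IS_CFX from the imported context; the last argument is nonzero when this side is presumably the acceptor (LOCAL not set) */` would capture the intent the commit title only hints at. I am inferring from the commit message that the exported token does not carry this flag — the storage reads are outside the hunk, so please confirm. _gsskrb5_import_sec_context begins outside the hunk.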
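Review bot: The new `KRB5-PADATA-REQ-ENC-PA-REP(149),` entry ends in an empty `--` comment, while the neighbouring entries (`-- krb-wg-anon`, `-- zhu-pku2u`, `-- MS-KILE`) use that column to cite the defining document. Either name the specification that assigns 149 or drop the dangling comment so the line does not look half-edited.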
@@ -241,6 +241,8 @@ typedef enum krb5_key_usage { /* Encryption of the SAM-NONCE-OR-SAD field */ KRB5_KU_PA_PKINIT_KX = 44, /* Encryption type of the kdc session contribution in pk-init */ + KRB5_KU_AS_REQ = 56, + /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */ KRB5_KU_DIGEST_ENCRYPT = -18, /* Encryption key usage used in the digest encryption field */ KRB5_KU_DIGEST_OPAQUE = -19, From 8704b871ff5e6934cfd4cc9eefe2651a47e6aa5e Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 6 Feb 2011 16:35:36 -0800 Subject: [PATCH 16/23] add enc-pa-rep(15) to ticket flags --- lib/asn1/krb5.asn1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/asn1/krb5.asn1 b/lib/asn1/krb5.asn1 index 8e3601289..78cb5a3b8 100644 --- a/lib/asn1/krb5.asn1 +++ b/lib/asn1/krb5.asn1 @@ -319,7 +319,8 @@ TicketFlags ::= BIT STRING { hw-authent(11), transited-policy-checked(12), ok-as-delegate(13), - anonymous(14) + anonymous(14), + enc-pa-rep(15) } KDCOptions ::= BIT STRING { From 1f59fe0edf0b7ba43762e8d976be45be388d1def Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 12 Feb 2011 09:49:35 -0800 Subject: [PATCH 17/23] move up internal framework to avoid using already installed frameworks --- lib/krb5/Makefile.am | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index ee20520d8..cbe9ef87c 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am 
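Review bot: The comment on the new `KRB5_KU_AS_REQ = 56` entry, `Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP`, is garbled and, if I read the mechanism correctly, inverted: the AS-REQ is sent by the client, and it is the KDC that computes the checksum over it when it returns PA-REQ-ENC-PA-REP. Suggested wording: `/* Checksum over the client's AS-REQ, computed by the KDC for PA-REQ-ENC-PA-REP */`. Please verify the direction against the defining document before committing the new text.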
@@ -63,28 +63,28 @@ use_sqlite = $(LIB_sqlite3) endif libkrb5_la_LIBADD = \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(top_builddir)/lib/ipc/libheim-ipcc.la \ + $(top_builddir)/lib/wind/libwind.la \ + $(top_builddir)/base/libheimbase.la \ $(LIB_pkinit) \ $(use_sqlite) \ $(LIB_com_err) \ $(LIB_hcrypto) \ - $(top_builddir)/lib/asn1/libasn1.la \ - ../ipc/libheim-ipcc.la \ - ../wind/libwind.la \ $(LIB_libintl) \ $(LIBADD_roken) \ - ../../base/libheimbase.la \ $(PTHREAD_LIBADD) \ $(LIB_door_create) \ $(LIB_dlopen) librfc3961_la_LIBADD = \ + $(top_builddir)/lib/asn1/libasn1.la \ + $(top_builddir)/lib/ipc/libheim-ipcc.la \ + $(top_builddir)/lib/wind/libwind.la \ $(LIB_pkinit) \ $(use_sqlite) \ $(LIB_com_err) \ $(LIB_hcrypto) \ - $(top_builddir)/lib/asn1/libasn1.la \ - ../ipc/libheim-ipcc.la \ - ../wind/libwind.la \ $(LIB_libintl) \ $(LIBADD_roken) \ $(PTHREAD_LIBADD) \ From 6ee82593ec4f4d57c6a8e8597c5c7e74b301631f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 17 Feb 2011 11:52:46 +1100 Subject: [PATCH 18/23] heimdal Pass F_CANON down to the hdb layer for servers in AS-REP as well This fixes Win2003 domain logons against Samba4, which need a canonicalised reply, and helpfully do set that flag. Specifically, they need that realm in krbtgt/realm@realm that these both match exactly in the reply. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Thu Feb 17 06:40:53 CET 2011 on sn-devel-104 Signed-off-by: Love Hornquist Astrand --- kdc/kerberos5.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 394f4dec6..a437b9dbd 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c 
@@ -1000,9 +1000,8 @@ _kdc_as_rep(krb5_context context, ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; goto out; } - ret = _kdc_db_fetch(context, config, server_princ, - HDB_F_GET_SERVER|HDB_F_GET_KRBTGT, + HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags, NULL, NULL, &server); if(ret == HDB_ERR_NOT_FOUND_HERE) { kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name); From 36ade8b5097f0a4e1a3766edfc78e91ebc0b7efe Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Feb 2011 18:50:50 +0100 Subject: [PATCH 19/23] hx509: Make various functions used by Samba public. * hx509_cert_public_encrypt * hx509_parse_private_key * hx509_private_key_assign_rsa * hx509_private_key_free * hx509_private_key_private_decrypt * hx509_private_key_init * hx509_private_key2SPKI * hx509_request_get_name * hx509_request_get_SubjectPublicKeyInfo * hx509_request_free * hx509_request_init * hx509_request_set_name * hx509_request_set_SubjectPublicKeyInfo Signed-off-by: Love Hornquist Astrand --- lib/hx509/cert.c | 8 ++++---- lib/hx509/cms.c | 2 +- lib/hx509/collector.c | 4 ++-- lib/hx509/crypto.c | 20 ++++++++++---------- lib/hx509/hxtool.c | 36 ++++++++++++++++++------------------ lib/hx509/keyset.c | 2 +- lib/hx509/ks_keychain.c | 4 ++-- lib/hx509/ks_mem.c | 4 ++-- lib/hx509/ks_p11.c | 6 +++--- lib/hx509/req.c | 24 ++++++++++++------------ lib/hx509/version-script.map | 26 +++++++++++++------------- 11 files changed, 68 insertions(+), 68 deletions(-) diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c index 93a172e55..7f95ea556 100644 --- a/lib/hx509/cert.c +++ b/lib/hx509/cert.c @@ -310,7 +310,7 @@ int _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key) { if (cert->private_key) - _hx509_private_key_free(&cert->private_key); + hx509_private_key_free(&cert->private_key); cert->private_key = _hx509_private_key_ref(private_key); return 0; } 
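Review bot: The server lookup now ORs the whole `flags` variable into the HDB fetch flags (`HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags`), while the commit message describes passing only F_CANON. `flags` is declared and populated outside the hunk; if it can carry bits other than HDB_F_CANON, those now reach the server lookup as well. Masking to the intended bit, `HDB_F_GET_SERVER | HDB_F_GET_KRBTGT | (flags & HDB_F_CANON),`, matches the stated intent, is robust against future additions to `flags`, and fixes the uneven spacing around the `|` operators at the same time. _kdc_as_rep begins and ends outside the hunk.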
@@ -341,7 +341,7 @@ hx509_cert_free(hx509_cert cert) (cert->release)(cert, cert->ctx); if (cert->private_key) - _hx509_private_key_free(&cert->private_key); + hx509_private_key_free(&cert->private_key); free_Certificate(cert->data); free(cert->data); @@ -1607,7 +1607,7 @@ _hx509_cert_private_decrypt(hx509_context context, return HX509_PRIVATE_KEY_MISSING; } - return _hx509_private_key_private_decrypt(context, + return hx509_private_key_private_decrypt(context, ciphertext, encryption_oid, p->private_key, @@ -1615,7 +1615,7 @@ _hx509_cert_private_decrypt(hx509_context context, } int -_hx509_cert_public_encrypt(hx509_context context, +hx509_cert_public_encrypt(hx509_context context, const heim_octet_string *cleartext, const hx509_cert p, heim_oid *encryption_oid, diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c index 3aefd2651..6e4eefaa1 100644 --- a/lib/hx509/cms.c +++ b/lib/hx509/cms.c @@ -665,7 +665,7 @@ hx509_cms_envelope_1(hx509_context context, goto out; } - ret = _hx509_cert_public_encrypt(context, + ret = hx509_cert_public_encrypt(context, &key, cert, &ri->keyEncryptionAlgorithm.algorithm, &ri->encryptedKey); diff --git a/lib/hx509/collector.c b/lib/hx509/collector.c index 1a44de00a..0cb186399 100644 --- a/lib/hx509/collector.c +++ b/lib/hx509/collector.c @@ -105,7 +105,7 @@ free_private_key(struct private_key *key) { free_AlgorithmIdentifier(&key->alg); if (key->private_key) - _hx509_private_key_free(&key->private_key); + hx509_private_key_free(&key->private_key); der_free_octet_string(&key->localKeyId); free(key); } @@ -143,7 +143,7 @@ _hx509_collector_private_key_add(hx509_context context, if (private_key) { key->private_key = private_key; } else { - ret = _hx509_parse_private_key(context, alg, + ret = hx509_parse_private_key(context, alg, key_data->data, key_data->length, HX509_KEY_FORMAT_DER, &key->private_key); diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c index 5d66b681d..c69ddfb5d 100644 --- a/lib/hx509/crypto.c +++ b/lib/hx509/crypto.c 
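Review bot: The renames in the cert.c hunks at lines 1607 and 1615 shorten each function name by one character but, judging from the diffstat (exactly one changed line per renamed call or signature), the continuation lines that were aligned to the old opening parenthesis were not re-indented, so the arguments under `hx509_cert_public_encrypt(hx509_context context,` and `return hx509_private_key_private_decrypt(context,` now sit one column too far right. The same applies to the multi-line calls and signatures renamed in cms.c, collector.c, crypto.c, hxtool.c and req.c. Re-indenting the continuation lines to the new parenthesis column keeps these files consistent with their surrounding style; whitespace is not visible in this view, so please confirm before a follow-up.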
@@ -1715,7 +1715,7 @@ _hx509_public_encrypt(hx509_context context, } int -_hx509_private_key_private_decrypt(hx509_context context, +hx509_private_key_private_decrypt(hx509_context context, const heim_octet_string *ciphertext, const heim_oid *encryption_oid, hx509_private_key p, @@ -1758,7 +1758,7 @@ _hx509_private_key_private_decrypt(hx509_context context, int -_hx509_parse_private_key(hx509_context context, +hx509_parse_private_key(hx509_context context, const AlgorithmIdentifier *keyai, const void *data, size_t len, @@ -1776,7 +1776,7 @@ _hx509_parse_private_key(hx509_context context, return HX509_SIG_ALG_NO_SUPPORTED; } - ret = _hx509_private_key_init(private_key, ops, NULL); + ret = hx509_private_key_init(private_key, ops, NULL); if (ret) { hx509_set_error_string(context, 0, ret, "out of memory"); return ret; @@ -1784,7 +1784,7 @@ _hx509_parse_private_key(hx509_context context, ret = (*ops->import)(context, keyai, data, len, format, *private_key); if (ret) - _hx509_private_key_free(private_key); + hx509_private_key_free(private_key); return ret; } @@ -1794,7 +1794,7 @@ _hx509_parse_private_key(hx509_context context, */ int -_hx509_private_key2SPKI(hx509_context context, +hx509_private_key2SPKI(hx509_context context, hx509_private_key private_key, SubjectPublicKeyInfo *spki) { @@ -1871,7 +1871,7 @@ _hx509_generate_private_key(hx509_context context, return HX509_SIG_ALG_NO_SUPPORTED; } - ret = _hx509_private_key_init(private_key, ops, NULL); + ret = hx509_private_key_init(private_key, ops, NULL); if (ret) { hx509_set_error_string(context, 0, ret, "out of memory"); return ret; @@ -1879,7 +1879,7 @@ _hx509_generate_private_key(hx509_context context, ret = (*ops->generate_private_key)(context, ctx, *private_key); if (ret) - _hx509_private_key_free(private_key); + hx509_private_key_free(private_key); return ret; } 
@@ -1976,7 +1976,7 @@ const AlgorithmIdentifier * _hx509_crypto_default_secret_alg = */ int -_hx509_private_key_init(hx509_private_key *key, +hx509_private_key_init(hx509_private_key *key, hx509_private_key_ops *ops, void *keydata) { @@ -2007,7 +2007,7 @@ _hx509_private_pem_name(hx509_private_key key) } int -_hx509_private_key_free(hx509_private_key *key) +hx509_private_key_free(hx509_private_key *key) { if (key == NULL || *key == NULL) return 0; @@ -2033,7 +2033,7 @@ _hx509_private_key_free(hx509_private_key *key) } void -_hx509_private_key_assign_rsa(hx509_private_key key, void *ptr) +hx509_private_key_assign_rsa(hx509_private_key key, void *ptr) { if (key->private_key.rsa) RSA_free(key->private_key.rsa); diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c index 54b579921..1770b6095 100644 --- a/lib/hx509/hxtool.c +++ b/lib/hx509/hxtool.c @@ -1294,7 +1294,7 @@ request_create(struct request_create_options *opt, int argc, char **argv) opt->key_bits_integer, &signer); - _hx509_request_init(context, &req); + hx509_request_init(context, &req); if (opt->subject_string) { hx509_name name = NULL; @@ -1302,7 +1302,7 @@ request_create(struct request_create_options *opt, int argc, char **argv) ret = hx509_parse_name(context, opt->subject_string, &name); if (ret) errx(1, "hx509_parse_name: %d\n", ret); - _hx509_request_set_name(context, req, name); + hx509_request_set_name(context, req, name); if (opt->verbose_flag) { char *s; 
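Review bot: `hx509_private_key_free` and `hx509_private_key_assign_rsa` become public API in the crypto.c hunks at 2007 and 2033, but the context lines show no documentation block above either definition, unlike `hx509_private_key_init` at 1976, which sits under an existing comment. A Doxygen block on each would give callers the contract the public hx509 functions elsewhere document: for the free routine, that `NULL` and `*key == NULL` are accepted (the visible guard) plus whatever the remainder of the body does with the reference and `*key`; for the RSA assignment, that ownership of `ptr` transfers to the key and any previously assigned RSA object is released (the visible `RSA_free`). Both bodies continue outside the hunk, so check them before writing the reference-count semantics down.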
@@ -1327,16 +1327,16 @@ request_create(struct request_create_options *opt, int argc, char **argv) } - ret = _hx509_private_key2SPKI(context, signer, &key); + ret = hx509_private_key2SPKI(context, signer, &key); if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); + errx(1, "hx509_private_key2SPKI: %d\n", ret); - ret = _hx509_request_set_SubjectPublicKeyInfo(context, + ret = hx509_request_set_SubjectPublicKeyInfo(context, req, &key); free_SubjectPublicKeyInfo(&key); if (ret) - hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo"); + hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo"); ret = _hx509_request_to_pkcs10(context, req, @@ -1345,8 +1345,8 @@ request_create(struct request_create_options *opt, int argc, char **argv) if (ret) hx509_err(context, 1, ret, "_hx509_request_to_pkcs10"); - _hx509_private_key_free(&signer); - _hx509_request_free(&req); + hx509_private_key_free(&signer); + hx509_request_free(&req); if (ret == 0) rk_dumpdata(outfile, request.data, request.length); @@ -1370,7 +1370,7 @@ request_print(struct request_print_options *opt, int argc, char **argv) hx509_err(context, 1, ret, "parse_request: %s", argv[i]); ret = _hx509_request_print(context, req, stdout); - _hx509_request_free(&req); + hx509_request_free(&req); if (ret) hx509_err(context, 1, ret, "Failed to print file %s", argv[i]); } @@ -1814,9 +1814,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) if (ret) err(1, "read_private_key"); - ret = _hx509_private_key2SPKI(context, private_key, &spki); + ret = hx509_private_key2SPKI(context, private_key, &spki); if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); + errx(1, "hx509_private_key2SPKI: %d\n", ret); if (opt->self_signed_flag) cert_key = private_key; 
@@ -1828,13 +1828,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) ret = _hx509_request_parse(context, opt->req_string, &req); if (ret) hx509_err(context, 1, ret, "parse_request: %s", opt->req_string); - ret = _hx509_request_get_name(context, req, &subject); + ret = hx509_request_get_name(context, req, &subject); if (ret) hx509_err(context, 1, ret, "get name"); - ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki); + ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki); if (ret) hx509_err(context, 1, ret, "get spki"); - _hx509_request_free(&req); + hx509_request_free(&req); } if (opt->generate_key_string) { @@ -1859,9 +1859,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) if (ret) hx509_err(context, 1, ret, "generate private key"); - ret = _hx509_private_key2SPKI(context, cert_key, &spki); + ret = hx509_private_key2SPKI(context, cert_key, &spki); if (ret) - errx(1, "_hx509_private_key2SPKI: %d\n", ret); + errx(1, "hx509_private_key2SPKI: %d\n", ret); if (opt->self_signed_flag) private_key = cert_key; @@ -2015,8 +2015,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv) free_SubjectPublicKeyInfo(&spki); if (private_key != cert_key) - _hx509_private_key_free(&private_key); - _hx509_private_key_free(&cert_key); + hx509_private_key_free(&private_key); + hx509_private_key_free(&cert_key); hx509_ca_tbs_free(&tbs); diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c index 465ca1b4d..77cfd42cd 100644 --- a/lib/hx509/keyset.c +++ b/lib/hx509/keyset.c @@ -781,6 +781,6 @@ _hx509_certs_keys_free(hx509_context context, { int i; for (i = 0; keys[i]; i++) - _hx509_private_key_free(&keys[i]); + hx509_private_key_free(&keys[i]); free(keys); } diff --git a/lib/hx509/ks_keychain.c b/lib/hx509/ks_keychain.c index 9c6521790..e64d83c84 100644 --- a/lib/hx509/ks_keychain.c +++ b/lib/hx509/ks_keychain.c 
@@ -259,7 +259,7 @@ set_private_key(hx509_context context,
 RSA *rsa;
 int ret;
- ret = _hx509_private_key_init(&key, NULL, NULL);
+ ret = hx509_private_key_init(&key, NULL, NULL);
 if (ret)
 return ret;
@@ -302,7 +302,7 @@ set_private_key(hx509_context context,
 if (ret != 1)
 _hx509_abort("RSA_set_app_data");
- _hx509_private_key_assign_rsa(key, rsa);
+ hx509_private_key_assign_rsa(key, rsa);
 _hx509_cert_assign_key(cert, key);
 return 0;
diff --git a/lib/hx509/ks_mem.c b/lib/hx509/ks_mem.c
index 299a3932c..9d3c66b29 100644
--- a/lib/hx509/ks_mem.c
+++ b/lib/hx509/ks_mem.c
@@ -78,7 +78,7 @@ mem_free(hx509_certs certs, void *data)
 hx509_cert_free(mem->certs.val[i]);
 free(mem->certs.val);
 for (i = 0; mem->keys && mem->keys[i]; i++)
- _hx509_private_key_free(&mem->keys[i]);
+ hx509_private_key_free(&mem->keys[i]);
 free(mem->keys);
 free(mem->name);
 free(mem);
@@ -167,7 +167,7 @@ mem_getkeys(hx509_context context,
 (*keys)[i] = _hx509_private_key_ref(mem->keys[i]);
 if ((*keys)[i] == NULL) {
 while (--i >= 0)
- _hx509_private_key_free(&(*keys)[i]);
+ hx509_private_key_free(&(*keys)[i]);
 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
 return ENOMEM;
 }
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 23f6a4826..30f5343b0 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -613,7 +613,7 @@ collect_private_key(hx509_context context,
 localKeyId.data = query[0].pValue;
 localKeyId.length = query[0].ulValueLen;
- ret = _hx509_private_key_init(&key, NULL, NULL);
+ ret = hx509_private_key_init(&key, NULL, NULL);
 if (ret)
 return ret;
@@ -648,7 +648,7 @@ collect_private_key(hx509_context context,
 if (ret != 1)
 _hx509_abort("RSA_set_app_data");
- _hx509_private_key_assign_rsa(key, rsa);
+ hx509_private_key_assign_rsa(key, rsa);
 ret = _hx509_collector_private_key_add(context,
 collector,
@@ -658,7 +658,7 @@ collect_private_key(hx509_context context,
 &localKeyId);
 if (ret) {
- _hx509_private_key_free(&key);
+ hx509_private_key_free(&key);
 return ret;
 }
 return 0;
diff --git a/lib/hx509/req.c b/lib/hx509/req.c
index 917f08891..e70ab4b6c 100644
--- a/lib/hx509/req.c
+++ b/lib/hx509/req.c
@@ -46,7 +46,7 @@ struct hx509_request_data {
 */
 int
-_hx509_request_init(hx509_context context, hx509_request *req)
+hx509_request_init(hx509_context context, hx509_request *req)
 {
 *req = calloc(1, sizeof(**req));
 if (*req == NULL)
@@ -56,7 +56,7 @@ _hx509_request_init(hx509_context context, hx509_request *req)
 }
 void
-_hx509_request_free(hx509_request *req)
+hx509_request_free(hx509_request *req)
 {
 if ((*req)->name)
 hx509_name_free(&(*req)->name);
@@ -69,7 +69,7 @@ _hx509_request_free(hx509_request *req)
 }
 int
-_hx509_request_set_name(hx509_context context,
+hx509_request_set_name(hx509_context context,
 hx509_request req,
 hx509_name name)
 {
@@ -84,7 +84,7 @@ _hx509_request_set_name(hx509_context context,
 }
 int
-_hx509_request_get_name(hx509_context context,
+hx509_request_get_name(hx509_context context,
 hx509_request req,
 hx509_name *name)
 {
@@ -96,7 +96,7 @@ _hx509_request_get_name(hx509_context context,
 }
 int
-_hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
+hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
 hx509_request req,
 const SubjectPublicKeyInfo *key)
 {
@@ -105,7 +105,7 @@ _hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
 }
 int
-_hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
+hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
 hx509_request req,
 SubjectPublicKeyInfo *key)
 {
@@ -271,7 +271,7 @@ _hx509_request_parse(hx509_context context,
 return ret;
 }
- ret = _hx509_request_init(context, req);
+ ret = hx509_request_init(context, req);
 if (ret) {
 free_CertificationRequest(&r);
 return ret;
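Review bot: `hx509_request_free()` in the -56 hunk becomes an exported destructor but still dereferences `*req` unconditionally in `if ((*req)->name)`, so a caller that hands it a request which was never initialised, or one already released, crashes instead of getting the NULL-tolerant behaviour callers usually expect from a public `*_free`; `if (*req == NULL) return;` as the first statement would cover that, and the rest of the body (outside the hunk) should be checked to end with `*req = NULL;`. The promotion also adds no documentation: the `}` / `void` context lines show no comment block in front of the function, unlike the `*/` that precedes `hx509_request_init` in the -46 hunk, so a short Doxygen block stating what is released (the request and the name it holds) and what `*req` is on return would be appropriate for a now-public API.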
@@ -279,25 +279,25 @@ _hx509_request_parse(hx509_context context,
 rinfo = &r.certificationRequestInfo;
- ret = _hx509_request_set_SubjectPublicKeyInfo(context, *req,
+ ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
 &rinfo->subjectPKInfo);
 if (ret) {
 free_CertificationRequest(&r);
- _hx509_request_free(req);
+ hx509_request_free(req);
 return ret;
 }
 ret = _hx509_name_from_Name(&rinfo->subject, &subject);
 if (ret) {
 free_CertificationRequest(&r);
- _hx509_request_free(req);
+ hx509_request_free(req);
 return ret;
 }
- ret = _hx509_request_set_name(context, *req, subject);
+ ret = hx509_request_set_name(context, *req, subject);
 hx509_name_free(&subject);
 free_CertificationRequest(&r);
 if (ret) {
- _hx509_request_free(req);
+ hx509_request_free(req);
 return ret;
 }
diff --git a/lib/hx509/version-script.map b/lib/hx509/version-script.map
index 4748fa1d0..b05198c42 100644
--- a/lib/hx509/version-script.map
+++ b/lib/hx509/version-script.map
@@ -4,7 +4,6 @@ HEIMDAL_X509_1.2 {
 global:
 _hx509_cert_assign_key;
 _hx509_cert_private_key;
- _hx509_cert_public_encrypt;
 _hx509_certs_keys_free;
 _hx509_certs_keys_get;
 _hx509_expr_eval;
@@ -17,24 +16,12 @@ HEIMDAL_X509_1.2 {
 _hx509_generate_private_key_is_ca;
 _hx509_map_file_os;
 _hx509_name_from_Name;
- _hx509_parse_private_key;
- _hx509_private_key_assign_rsa;
- _hx509_private_key2SPKI;
- _hx509_private_key_free;
- _hx509_private_key_init;
- _hx509_private_key_private_decrypt;
 _hx509_private_key_ref;
 _hx509_request_add_dns_name;
 _hx509_request_add_email;
- _hx509_request_free;
- _hx509_request_get_SubjectPublicKeyInfo;
- _hx509_request_get_name;
- _hx509_request_init;
 _hx509_request_parse;
 _hx509_request_print;
- _hx509_request_set_SubjectPublicKeyInfo;
 _hx509_request_set_email;
- _hx509_request_set_name;
 _hx509_request_to_pkcs10;
 _hx509_request_to_pkcs10;
 _hx509_unmap_file_os;
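Review bot: The -4 and -17 hunks drop `_hx509_cert_public_encrypt`, `_hx509_private_key_free`, `_hx509_request_init` and the other renamed symbols from the existing `HEIMDAL_X509_1.2` version node while the new `hx509_*` names are added to that same node, so any binary bound to, for example, `_hx509_request_free@HEIMDAL_X509_1.2` stops loading against the new library; the in-tree callers are converted in this patch, but the old names were exported and may have out-of-tree users. An ABI change of this kind needs either compatibility aliases for the old `_hx509_` names or a library version bump, and the commit message should state which was chosen. As an aside, the context lines still list `_hx509_request_to_pkcs10;` twice; harmless, but worth deduplicating while this block is being edited.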
@@ -87,6 +74,7 @@ HEIMDAL_X509_1.2 {
 hx509_cert_init;
 hx509_cert_init_data;
 hx509_cert_keyusage_print;
+ hx509_cert_public_encrypt;
 hx509_cert_ref;
 hx509_cert_set_friendly_name;
 hx509_certs_add;
@@ -180,6 +168,7 @@ HEIMDAL_X509_1.2 {
 hx509_oid_print;
 hx509_oid_sprint;
 hx509_parse_name;
+ hx509_parse_private_key;
 hx509_peer_info_add_cms_alg;
 hx509_peer_info_alloc;
 hx509_peer_info_free;
@@ -192,6 +181,11 @@ HEIMDAL_X509_1.2 {
 hx509_pem_write;
 hx509_print_stdout;
 hx509_print_cert;
+ hx509_private_key_assign_rsa;
+ hx509_private_key_free;
+ hx509_private_key_private_decrypt;
+ hx509_private_key_init;
+ hx509_private_key2SPKI;
 hx509_prompt_hidden;
 hx509_query_alloc;
 hx509_query_free;
@@ -203,6 +197,12 @@ HEIMDAL_X509_1.2 {
 hx509_query_match_option;
 hx509_query_statistic_file;
 hx509_query_unparse_stats;
+ hx509_request_get_name;
+ hx509_request_get_SubjectPublicKeyInfo;
+ hx509_request_free;
+ hx509_request_init;
+ hx509_request_set_name;
+ hx509_request_set_SubjectPublicKeyInfo;
 hx509_revoke_add_crl;
 hx509_revoke_add_ocsp;
 hx509_revoke_free;
From a7b851fad0d64cd29e2e39dd56c0ddc0a6312296 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Mon, 21 Feb 2011 20:27:12 +0100
Subject: [PATCH 20/23] gitignore: Ignore generated binaries.
Signed-off-by: Love Hornquist Astrand
---
 .gitignore | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.gitignore b/.gitignore
index 15c84b933..4c301811a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -143,6 +143,7 @@ asn1_*.[cx]
 /kpasswd/kpasswdd
 /kuser/copy_cred_cache
 /kuser/generate-requests
+/kuser/kcc
 /kuser/kdecode_ticket
 /kuser/kdestroy
 /kuser/kdigest
@@ -172,6 +173,7 @@ asn1_*.[cx]
 /lib/editline/strlcat.c
 /lib/editline/testit
 /lib/gssapi/gss
+/lib/gssapi/gsstool
 /lib/gssapi/krb5/gsskrb5-private.h
 /lib/gssapi/ntlm/ntlm-private.h
 /lib/gssapi/spnego/spnego-private.h
@@ -183,6 +185,7 @@ asn1_*.[cx]
 /lib/hdb/hdb-private.h
 /lib/hdb/test_dbinfo
 /lib/hdb/test_hdbkeys
+/lib/hdb/test_mkey
 /lib/hx509/data/*.srl
 /lib/hx509/data/*.req
 /lib/hx509/data/sub-ca-combined.crt
@@ -215,6 +218,7 @@ asn1_*.[cx]
 /lib/krb5/test_gic
 /lib/krb5/test_kuserok
 /lib/krb5/test_renew
+/lib/krb5/test_rfc3961
 /lib/krb5/verify_krb5_conf
 /lib/ntlm/heimntlm-protos.h
 /lib/otp/ndbm_wrap.c
From c5d0acb8598bf6c4993458cb149341bbc0622705 Mon Sep 17 00:00:00 2001
From: Derrick Brashear
Date: Mon, 6 Dec 2010 09:47:42 -0500
Subject: [PATCH 21/23] Correct "not newer" etypes per RFC 4121
Section 1 of RFC 4121 describes behavior which applies when using "newer" etypes, then goes on in table form to list etypes which are not newer. While it specifies it is ok to use new token formats when both initiator and acceptor are known to handle them, this code makes no such verification, and encoded an incorrect set of etypes as "not newer". Correct the list.
Signed-off-by: Love Hornquist Astrand
---
 lib/gssapi/krb5/accept_sec_context.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 0e8fbe837..a5e9d054c 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -99,6 +99,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
 case ETYPE_DES_CBC_MD4:
 case ETYPE_DES_CBC_MD5:
 case ETYPE_DES3_CBC_MD5:
+ case ETYPE_OLD_DES3_CBC_SHA1:
 case ETYPE_DES3_CBC_SHA1:
 case ETYPE_ARCFOUR_HMAC_MD5:
 case ETYPE_ARCFOUR_HMAC_MD5_56:
From e380769729573c67baacf674a94cf1d6a54e12fc Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Fri, 28 Jan 2011 10:55:32 +0100
Subject: [PATCH 22/23] kdc.h: Include hdb.h first, so kdc.h can be included standalone.
This makes it a bit easier to find libhdb in e.g. configure tests and is consistent with the main header files for the other Heimdal libraries, none of which has any prerequisite other headers.
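Review bot: The `case` list in `_gsskrb5i_is_cfx()` that the new `case ETYPE_OLD_DES3_CBC_SHA1:` joins carries no comment tying it to its source, so a reader cannot tell whether entries such as `ETYPE_DES3_CBC_MD5` next to it come from the RFC 4121 section 1 table or from local judgement, and the commit message itself records that this list was wrong once before. A one-line comment above the first `case`, `/* "not newer" enctypes per RFC 4121 section 1; every other enctype is treated as CFX */`, would let the next person verify each entry against the table rather than re-derive it; the second clause should be confirmed against the switch's default branch, which lies outside this hunk. Since, as the message notes, the acceptor does not verify that the peer actually supports the newer token format, the comment should also say that this enctype test is the only thing selecting the token format here.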
Signed-off-by: Love Hornquist Astrand
---
 kdc/kdc.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kdc/kdc.h b/kdc/kdc.h
index c353ca1c5..139b5e708 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -41,6 +41,7 @@
 #ifndef __KDC_H__
 #define __KDC_H__
+#include
 #include
 enum krb5_kdc_trpolicy {
From 1ec5eff4754cd12d35ce827614b90c0d7bae6b98 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Sat, 26 Feb 2011 13:10:06 -0800
Subject: [PATCH 23/23] bump version of libgssapi, from Eray Aslan
---
 lib/gssapi/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index c74906103..949241fbf 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -198,7 +198,7 @@ nodist_libgssapi_la_SOURCES = \
 gkrb5_err.h \
 $(BUILT_SOURCES)
-libgssapi_la_LDFLAGS = -version-info 2:0:0
+libgssapi_la_LDFLAGS = -version-info 3:0:0
 if versionscript
 libgssapi_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map