Merge branch 'master' of github.com:heimdal/heimdal

Conflicts:
	lib/gssapi/gssapi/gssapi.h
	lib/gssapi/mech/gss_mech_switch.c

.gitignore

@@ -143,6 +143,7 @@ asn1_*.[cx]
 /kpasswd/kpasswdd
 /kuser/copy_cred_cache
 /kuser/generate-requests
+/kuser/kcc
 /kuser/kdecode_ticket
 /kuser/kdestroy
 /kuser/kdigest
@@ -172,6 +173,7 @@ asn1_*.[cx]
 /lib/editline/strlcat.c
 /lib/editline/testit
 /lib/gssapi/gss
+/lib/gssapi/gsstool
 /lib/gssapi/krb5/gsskrb5-private.h
 /lib/gssapi/ntlm/ntlm-private.h
 /lib/gssapi/spnego/spnego-private.h
@@ -183,6 +185,7 @@ asn1_*.[cx]
 /lib/hdb/hdb-private.h
 /lib/hdb/test_dbinfo
 /lib/hdb/test_hdbkeys
+/lib/hdb/test_mkey
 /lib/hx509/data/*.srl
 /lib/hx509/data/*.req
 /lib/hx509/data/sub-ca-combined.crt
@@ -215,6 +218,7 @@ asn1_*.[cx]
 /lib/krb5/test_gic
 /lib/krb5/test_kuserok
 /lib/krb5/test_renew
+/lib/krb5/test_rfc3961
 /lib/krb5/verify_krb5_conf
 /lib/ntlm/heimntlm-protos.h
 /lib/otp/ndbm_wrap.c

doc/ack.texi

@@ -58,8 +58,9 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
 @item Frank van der Linden
 @item Guido Günther
 @item Harald Barth
-@item Jason McIntyre
+@item Jaideep Padhye
 @item Jan Rekorajski
+@item Jason McIntyre
 @item Johan Gadsjö
 @item Johan Ihrén
 @item John Center

kdc/kdc.h

@@ -41,6 +41,7 @@
 #ifndef __KDC_H__
 #define __KDC_H__
 
+#include <hdb.h>
 #include <krb5.h>
 
 enum krb5_kdc_trpolicy {

kdc/kerberos5.c

@@ -1000,9 +1000,8 @@ _kdc_as_rep(krb5_context context,
 	ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 	goto out;
     }
-
     ret = _kdc_db_fetch(context, config, server_princ,
-			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
+			HDB_F_GET_SERVER|HDB_F_GET_KRBTGT | flags,
 			NULL, NULL, &server);
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	kdc_log(context, config, 5, "target %s does not have secrets at this KDC, need to proxy", server_name);

kdc/version-script.map

@@ -16,6 +16,10 @@ HEIMDAL_KDC_1.0 {
 		krb5_kdc_save_request;
 		krb5_kdc_update_time;
 		krb5_kdc_pk_initialize;
+
+		# needed for digest-service
+		_kdc_db_fetch;
+		_kdc_free_ent;
 	local:
 		*;
 };

kuser/Makefile.am

@@ -35,7 +35,8 @@ kimpersonate_LDADD = $(kinit_LDADD)
 
 kcc_LDADD = \
 	$(top_builddir)/lib/sl/libsl.la \
-	$(kinit_LDADD)
+	$(kinit_LDADD) \
+	$(LIB_readline)
 
 dist_kcc_SOURCES = kcc.c klist.c kswitch.c copy_cred_cache.c
 nodist_kcc_SOURCES = kcc-commands.c

lib/asn1/krb5.asn1

@@ -172,6 +172,7 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-EPAK-AS-REP(146),
 	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
 	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
+	KRB5-PADATA-REQ-ENC-PA-REP(149),	--
 	KRB5-PADATA-SUPPORTED-ETYPES(165)	-- MS-KILE
 }
 
@@ -318,7 +319,8 @@ TicketFlags ::= BIT STRING {
 	hw-authent(11),
 	transited-policy-checked(12),
 	ok-as-delegate(13),
-	anonymous(14)
+	anonymous(14),
+	enc-pa-rep(15)
 }
 
 KDCOptions ::= BIT STRING {

lib/com_err/lex.h

@@ -33,7 +33,7 @@
 
 /* $Id$ */
 
-void error_message (const char *, ...)
+void _lex_error_message (const char *, ...)
 __attribute__ ((format (printf, 1, 2)));
 
 int yylex(void);

lib/com_err/lex.l

@@ -95,7 +95,7 @@ getstring(void)
 	    continue;
 	}
 	if(c == '\n'){
-	    error_message("unterminated string");
+	    _lex_error_message("unterminated string");
 	    lineno++;
 	    break;
 	}
@@ -115,7 +115,7 @@ getstring(void)
 }
 
 void
-error_message (const char *format, ...)
+_lex_error_message (const char *format, ...)
 {
      va_list args;
 

lib/com_err/parse.y

@@ -170,5 +170,5 @@ name2number(const char *str)
 void
 yyerror (char *s)
 {
-     error_message ("%s\n", s);
+     _lex_error_message ("%s\n", s);
 }

lib/gssapi/Makefile.am

@@ -208,7 +208,7 @@ nodist_libgssapi_la_SOURCES  = \
 	gkrb5_err.h \
 	$(BUILT_SOURCES)
 
-libgssapi_la_LDFLAGS = -version-info 2:0:0
+libgssapi_la_LDFLAGS = -version-info 3:0:0
 
 if versionscript
 libgssapi_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map

lib/gssapi/gssapi/gssapi.h

@@ -261,18 +261,16 @@ typedef OM_uint32 gss_qop_t;
 #define GSS_IOV_BUFFER_TYPE_STREAM 10
 #define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11
 
-#define GSS_IOV_BUFFER_FLAG_MASK 0xffff0000
+#define GSS_IOV_BUFFER_TYPE_FLAG_MASK		0xffff0000
 #define GSS_IOV_BUFFER_FLAG_ALLOCATE		0x00010000
 #define GSS_IOV_BUFFER_FLAG_ALLOCATED		0x00020000
 
+#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE	0x00010000 /* old name */
+#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED	0x00020000 /* old name */
+
 #define GSS_IOV_BUFFER_TYPE(_t) ((_t) & ~GSS_IOV_BUFFER_FLAG_MASK)
 #define GSS_IOV_BUFFER_FLAGS(_t) ((_t) & GSS_IOV_BUFFER_FLAG_MASK)
 
-/* compatibility macros; will be removed in the next release */
-#define GSS_IOV_BUFFER_TYPE_FLAG_MASK GSS_IOV_BUFFER_FLAG_MASK
-#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATE GSS_IOV_BUFFER_FLAG_ALLOCATE
-#define GSS_IOV_BUFFER_TYPE_FLAG_ALLOCATED GSS_IOV_BUFFER_FLAG_ALLOCATED
-
 GSSAPI_CPP_START
 
 #include <gssapi/gssapi_oid.h>

lib/gssapi/krb5/accept_sec_context.c

@@ -99,6 +99,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
     case ETYPE_DES_CBC_MD4:
     case ETYPE_DES_CBC_MD5:
     case ETYPE_DES3_CBC_MD5:
+    case ETYPE_OLD_DES3_CBC_SHA1:
     case ETYPE_DES3_CBC_SHA1:
     case ETYPE_ARCFOUR_HMAC_MD5:
     case ETYPE_ARCFOUR_HMAC_MD5_56:
@@ -263,6 +264,10 @@ send_error_token(OM_uint32 *minor_status,
     krb5_principal ap_req_server = NULL;
     krb5_error_code ret;
     krb5_data outbuf;
+    /* this e_data value encodes KERB_AP_ERR_TYPE_SKEW_RECOVERY which
+       tells windows to try again with the corrected timestamp. See
+       [MS-KILE] 2.2.1 KERB-ERROR-DATA */
+    krb5_data e_data = { 7, rk_UNCONST("\x30\x05\xa1\x03\x02\x01\x02") };
 
     /* build server from request if the acceptor had not selected one */
     if (server == NULL) {
@@ -285,7 +290,7 @@ send_error_token(OM_uint32 *minor_status,
 	server = ap_req_server;
     }
 
-    ret = krb5_mk_error(context, kret, NULL, NULL, NULL,
+    ret = krb5_mk_error(context, kret, NULL, &e_data, NULL,
 			server, NULL, NULL, &outbuf);
     if (ap_req_server)
 	krb5_free_principal(context, ap_req_server);

lib/gssapi/krb5/import_sec_context.c

@@ -202,6 +202,8 @@ _gsskrb5_import_sec_context (
 
     krb5_storage_free (sp);
 
+    _gsskrb5i_is_cfx(context, ctx, (ctx->more_flags & LOCAL) == 0);
+
     *context_handle = (gss_ctx_id_t)ctx;
 
     return GSS_S_COMPLETE;

lib/hx509/cert.c

@@ -310,7 +310,7 @@ int
 _hx509_cert_assign_key(hx509_cert cert, hx509_private_key private_key)
 {
     if (cert->private_key)
-	_hx509_private_key_free(&cert->private_key);
+	hx509_private_key_free(&cert->private_key);
     cert->private_key = _hx509_private_key_ref(private_key);
     return 0;
 }
@@ -341,7 +341,7 @@ hx509_cert_free(hx509_cert cert)
 	(cert->release)(cert, cert->ctx);
 
     if (cert->private_key)
-	_hx509_private_key_free(&cert->private_key);
+	hx509_private_key_free(&cert->private_key);
 
     free_Certificate(cert->data);
     free(cert->data);
@@ -1607,7 +1607,7 @@ _hx509_cert_private_decrypt(hx509_context context,
 	return HX509_PRIVATE_KEY_MISSING;
     }
 
-    return _hx509_private_key_private_decrypt(context,
+    return hx509_private_key_private_decrypt(context,
 					      ciphertext,
 					      encryption_oid,
 					      p->private_key,
@@ -1615,7 +1615,7 @@ _hx509_cert_private_decrypt(hx509_context context,
 }
 
 int
-_hx509_cert_public_encrypt(hx509_context context,
+hx509_cert_public_encrypt(hx509_context context,
 			   const heim_octet_string *cleartext,
 			   const hx509_cert p,
 			   heim_oid *encryption_oid,

lib/hx509/cms.c

@@ -665,7 +665,7 @@ hx509_cms_envelope_1(hx509_context context,
 	goto out;
     }
 
-    ret = _hx509_cert_public_encrypt(context,
+    ret = hx509_cert_public_encrypt(context,
 				     &key, cert,
 				     &ri->keyEncryptionAlgorithm.algorithm,
 				     &ri->encryptedKey);

lib/hx509/collector.c

@@ -105,7 +105,7 @@ free_private_key(struct private_key *key)
 {
     free_AlgorithmIdentifier(&key->alg);
     if (key->private_key)
-	_hx509_private_key_free(&key->private_key);
+	hx509_private_key_free(&key->private_key);
     der_free_octet_string(&key->localKeyId);
     free(key);
 }
@@ -143,7 +143,7 @@ _hx509_collector_private_key_add(hx509_context context,
     if (private_key) {
 	key->private_key = private_key;
     } else {
-	ret = _hx509_parse_private_key(context, alg,
+	ret = hx509_parse_private_key(context, alg,
 				       key_data->data, key_data->length,
 				       HX509_KEY_FORMAT_DER,
 				       &key->private_key);

lib/hx509/crypto.c

@@ -1506,8 +1506,8 @@ static struct hx509_private_key_ops *private_algs[] = {
     NULL
 };
 
-static hx509_private_key_ops *
+hx509_private_key_ops *
-find_private_alg(const heim_oid *oid)
+hx509_find_private_alg(const heim_oid *oid)
 {
     int i;
     for (i = 0; private_algs[i]; i++) {
@@ -1715,7 +1715,7 @@ _hx509_public_encrypt(hx509_context context,
 }
 
 int
-_hx509_private_key_private_decrypt(hx509_context context,
+hx509_private_key_private_decrypt(hx509_context context,
 				   const heim_octet_string *ciphertext,
 				   const heim_oid *encryption_oid,
 				   hx509_private_key p,
@@ -1758,7 +1758,7 @@ _hx509_private_key_private_decrypt(hx509_context context,
 
 
 int
-_hx509_parse_private_key(hx509_context context,
+hx509_parse_private_key(hx509_context context,
 			 const AlgorithmIdentifier *keyai,
 			 const void *data,
 			 size_t len,
@@ -1770,13 +1770,13 @@ _hx509_parse_private_key(hx509_context context,
 
     *private_key = NULL;
 
-    ops = find_private_alg(&keyai->algorithm);
+    ops = hx509_find_private_alg(&keyai->algorithm);
     if (ops == NULL) {
 	hx509_clear_error_string(context);
 	return HX509_SIG_ALG_NO_SUPPORTED;
     }
 
-    ret = _hx509_private_key_init(private_key, ops, NULL);
+    ret = hx509_private_key_init(private_key, ops, NULL);
     if (ret) {
 	hx509_set_error_string(context, 0, ret, "out of memory");
 	return ret;
@@ -1784,7 +1784,7 @@ _hx509_parse_private_key(hx509_context context,
 
     ret = (*ops->import)(context, keyai, data, len, format, *private_key);
     if (ret)
-	_hx509_private_key_free(private_key);
+	hx509_private_key_free(private_key);
 
     return ret;
 }
@@ -1794,7 +1794,7 @@ _hx509_parse_private_key(hx509_context context,
  */
 
 int
-_hx509_private_key2SPKI(hx509_context context,
+hx509_private_key2SPKI(hx509_context context,
 			hx509_private_key private_key,
 			SubjectPublicKeyInfo *spki)
 {
@@ -1865,13 +1865,13 @@ _hx509_generate_private_key(hx509_context context,
 
     *private_key = NULL;
 
-    ops = find_private_alg(ctx->key_oid);
+    ops = hx509_find_private_alg(ctx->key_oid);
     if (ops == NULL) {
 	hx509_clear_error_string(context);
 	return HX509_SIG_ALG_NO_SUPPORTED;
     }
 
-    ret = _hx509_private_key_init(private_key, ops, NULL);
+    ret = hx509_private_key_init(private_key, ops, NULL);
     if (ret) {
 	hx509_set_error_string(context, 0, ret, "out of memory");
 	return ret;
@@ -1879,7 +1879,7 @@ _hx509_generate_private_key(hx509_context context,
 
     ret = (*ops->generate_private_key)(context, ctx, *private_key);
     if (ret)
-	_hx509_private_key_free(private_key);
+	hx509_private_key_free(private_key);
 
     return ret;
 }
@@ -1976,7 +1976,7 @@ const AlgorithmIdentifier * _hx509_crypto_default_secret_alg =
  */
 
 int
-_hx509_private_key_init(hx509_private_key *key,
+hx509_private_key_init(hx509_private_key *key,
 			hx509_private_key_ops *ops,
 			void *keydata)
 {
@@ -2007,7 +2007,7 @@ _hx509_private_pem_name(hx509_private_key key)
 }
 
 int
-_hx509_private_key_free(hx509_private_key *key)
+hx509_private_key_free(hx509_private_key *key)
 {
     if (key == NULL || *key == NULL)
 	return 0;
@@ -2033,7 +2033,7 @@ _hx509_private_key_free(hx509_private_key *key)
 }
 
 void
-_hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
+hx509_private_key_assign_rsa(hx509_private_key key, void *ptr)
 {
     if (key->private_key.rsa)
 	RSA_free(key->private_key.rsa);

lib/hx509/hx509.h

@@ -48,6 +48,7 @@ typedef struct hx509_crypto_data *hx509_crypto;
 typedef struct hx509_lock_data *hx509_lock;
 typedef struct hx509_name_data *hx509_name;
 typedef struct hx509_private_key *hx509_private_key;
+typedef struct hx509_private_key_ops hx509_private_key_ops;
 typedef struct hx509_validate_ctx_data *hx509_validate_ctx;
 typedef struct hx509_verify_ctx_data *hx509_verify_ctx;
 typedef struct hx509_revoke_ctx_data *hx509_revoke_ctx;

lib/hx509/hx_locl.h

@@ -82,7 +82,6 @@ typedef struct hx509_path hx509_path;
 
 typedef void (*_hx509_cert_release_func)(struct hx509_cert_data *, void *);
 
-typedef struct hx509_private_key_ops hx509_private_key_ops;
 
 #include "sel.h"
 

lib/hx509/hxtool.c

@@ -1294,7 +1294,7 @@ request_create(struct request_create_options *opt, int argc, char **argv)
 	    opt->key_bits_integer,
 	    &signer);
 
-    _hx509_request_init(context, &req);
+    hx509_request_init(context, &req);
 
     if (opt->subject_string) {
 	hx509_name name = NULL;
@@ -1302,7 +1302,7 @@ request_create(struct request_create_options *opt, int argc, char **argv)
 	ret = hx509_parse_name(context, opt->subject_string, &name);
 	if (ret)
 	    errx(1, "hx509_parse_name: %d\n", ret);
-	_hx509_request_set_name(context, req, name);
+	hx509_request_set_name(context, req, name);
 
 	if (opt->verbose_flag) {
 	    char *s;
@@ -1327,16 +1327,16 @@ request_create(struct request_create_options *opt, int argc, char **argv)
     }
 
 
-    ret = _hx509_private_key2SPKI(context, signer, &key);
+    ret = hx509_private_key2SPKI(context, signer, &key);
     if (ret)
-	errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+	errx(1, "hx509_private_key2SPKI: %d\n", ret);
 
-    ret = _hx509_request_set_SubjectPublicKeyInfo(context,
+    ret = hx509_request_set_SubjectPublicKeyInfo(context,
 						  req,
 						  &key);
     free_SubjectPublicKeyInfo(&key);
     if (ret)
-	hx509_err(context, 1, ret, "_hx509_request_set_SubjectPublicKeyInfo");
+	hx509_err(context, 1, ret, "hx509_request_set_SubjectPublicKeyInfo");
 
     ret = _hx509_request_to_pkcs10(context,
 				   req,
@@ -1345,8 +1345,8 @@ request_create(struct request_create_options *opt, int argc, char **argv)
     if (ret)
 	hx509_err(context, 1, ret, "_hx509_request_to_pkcs10");
 
-    _hx509_private_key_free(&signer);
+    hx509_private_key_free(&signer);
-    _hx509_request_free(&req);
+    hx509_request_free(&req);
 
     if (ret == 0)
 	rk_dumpdata(outfile, request.data, request.length);
@@ -1370,7 +1370,7 @@ request_print(struct request_print_options *opt, int argc, char **argv)
 	    hx509_err(context, 1, ret, "parse_request: %s", argv[i]);
 
 	ret = _hx509_request_print(context, req, stdout);
-	_hx509_request_free(&req);
+	hx509_request_free(&req);
 	if (ret)
 	    hx509_err(context, 1, ret, "Failed to print file %s", argv[i]);
     }
@@ -1814,9 +1814,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	if (ret)
 	    err(1, "read_private_key");
 
-	ret = _hx509_private_key2SPKI(context, private_key, &spki);
+	ret = hx509_private_key2SPKI(context, private_key, &spki);
 	if (ret)
-	    errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+	    errx(1, "hx509_private_key2SPKI: %d\n", ret);
 
 	if (opt->self_signed_flag)
 	    cert_key = private_key;
@@ -1828,13 +1828,13 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	ret = _hx509_request_parse(context, opt->req_string, &req);
 	if (ret)
 	    hx509_err(context, 1, ret, "parse_request: %s", opt->req_string);
-	ret = _hx509_request_get_name(context, req, &subject);
+	ret = hx509_request_get_name(context, req, &subject);
 	if (ret)
 	    hx509_err(context, 1, ret, "get name");
-	ret = _hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
+	ret = hx509_request_get_SubjectPublicKeyInfo(context, req, &spki);
 	if (ret)
 	    hx509_err(context, 1, ret, "get spki");
-	_hx509_request_free(&req);
+	hx509_request_free(&req);
     }
 
     if (opt->generate_key_string) {
@@ -1859,9 +1859,9 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	if (ret)
 	    hx509_err(context, 1, ret, "generate private key");
 	
-	ret = _hx509_private_key2SPKI(context, cert_key, &spki);
+	ret = hx509_private_key2SPKI(context, cert_key, &spki);
 	if (ret)
-	    errx(1, "_hx509_private_key2SPKI: %d\n", ret);
+	    errx(1, "hx509_private_key2SPKI: %d\n", ret);
 
 	if (opt->self_signed_flag)
 	    private_key = cert_key;
@@ -2015,8 +2015,8 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
     free_SubjectPublicKeyInfo(&spki);
 
     if (private_key != cert_key)
-	_hx509_private_key_free(&private_key);
+	hx509_private_key_free(&private_key);
-    _hx509_private_key_free(&cert_key);
+    hx509_private_key_free(&cert_key);
 
     hx509_ca_tbs_free(&tbs);
 

lib/hx509/keyset.c

@@ -781,6 +781,6 @@ _hx509_certs_keys_free(hx509_context context,
 {
     int i;
     for (i = 0; keys[i]; i++)
-	_hx509_private_key_free(&keys[i]);
+	hx509_private_key_free(&keys[i]);
     free(keys);
 }

lib/hx509/ks_keychain.c

@@ -259,7 +259,7 @@ set_private_key(hx509_context context,
     RSA *rsa;
     int ret;
 
-    ret = _hx509_private_key_init(&key, NULL, NULL);
+    ret = hx509_private_key_init(&key, NULL, NULL);
     if (ret)
 	return ret;
 
@@ -302,7 +302,7 @@ set_private_key(hx509_context context,
     if (ret != 1)
 	_hx509_abort("RSA_set_app_data");
 
-    _hx509_private_key_assign_rsa(key, rsa);
+    hx509_private_key_assign_rsa(key, rsa);
     _hx509_cert_assign_key(cert, key);
 
     return 0;

lib/hx509/ks_mem.c

@@ -78,7 +78,7 @@ mem_free(hx509_certs certs, void *data)
 	hx509_cert_free(mem->certs.val[i]);
     free(mem->certs.val);
     for (i = 0; mem->keys && mem->keys[i]; i++)
-	_hx509_private_key_free(&mem->keys[i]);
+	hx509_private_key_free(&mem->keys[i]);
     free(mem->keys);
     free(mem->name);
     free(mem);
@@ -167,7 +167,7 @@ mem_getkeys(hx509_context context,
 	(*keys)[i] = _hx509_private_key_ref(mem->keys[i]);
 	if ((*keys)[i] == NULL) {
 	    while (--i >= 0)
-		_hx509_private_key_free(&(*keys)[i]);
+		hx509_private_key_free(&(*keys)[i]);
 	    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
 	    return ENOMEM;
 	}

lib/hx509/ks_p11.c

@@ -613,7 +613,7 @@ collect_private_key(hx509_context context,
     localKeyId.data = query[0].pValue;
     localKeyId.length = query[0].ulValueLen;
 
-    ret = _hx509_private_key_init(&key, NULL, NULL);
+    ret = hx509_private_key_init(&key, NULL, NULL);
     if (ret)
 	return ret;
 
@@ -648,7 +648,7 @@ collect_private_key(hx509_context context,
     if (ret != 1)
 	_hx509_abort("RSA_set_app_data");
 
-    _hx509_private_key_assign_rsa(key, rsa);
+    hx509_private_key_assign_rsa(key, rsa);
 
     ret = _hx509_collector_private_key_add(context,
 					   collector,
@@ -658,7 +658,7 @@ collect_private_key(hx509_context context,
 					   &localKeyId);
 
     if (ret) {
-	_hx509_private_key_free(&key);
+	hx509_private_key_free(&key);
 	return ret;
     }
     return 0;

lib/hx509/req.c

@@ -46,7 +46,7 @@ struct hx509_request_data {
  */
 
 int
-_hx509_request_init(hx509_context context, hx509_request *req)
+hx509_request_init(hx509_context context, hx509_request *req)
 {
     *req = calloc(1, sizeof(**req));
     if (*req == NULL)
@@ -56,7 +56,7 @@ _hx509_request_init(hx509_context context, hx509_request *req)
 }
 
 void
-_hx509_request_free(hx509_request *req)
+hx509_request_free(hx509_request *req)
 {
     if ((*req)->name)
 	hx509_name_free(&(*req)->name);
@@ -69,7 +69,7 @@ _hx509_request_free(hx509_request *req)
 }
 
 int
-_hx509_request_set_name(hx509_context context,
+hx509_request_set_name(hx509_context context,
 			hx509_request req,
 			hx509_name name)
 {
@@ -84,7 +84,7 @@ _hx509_request_set_name(hx509_context context,
 }
 
 int
-_hx509_request_get_name(hx509_context context,
+hx509_request_get_name(hx509_context context,
 			hx509_request req,
 			hx509_name *name)
 {
@@ -96,7 +96,7 @@ _hx509_request_get_name(hx509_context context,
 }
 
 int
-_hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
+hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
 					hx509_request req,
 					const SubjectPublicKeyInfo *key)
 {
@@ -105,7 +105,7 @@ _hx509_request_set_SubjectPublicKeyInfo(hx509_context context,
 }
 
 int
-_hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
+hx509_request_get_SubjectPublicKeyInfo(hx509_context context,
 					hx509_request req,
 					SubjectPublicKeyInfo *key)
 {
@@ -271,7 +271,7 @@ _hx509_request_parse(hx509_context context,
 	return ret;
     }
 
-    ret = _hx509_request_init(context, req);
+    ret = hx509_request_init(context, req);
     if (ret) {
 	free_CertificationRequest(&r);
 	return ret;
@@ -279,25 +279,25 @@ _hx509_request_parse(hx509_context context,
 
     rinfo = &r.certificationRequestInfo;
 
-    ret = _hx509_request_set_SubjectPublicKeyInfo(context, *req,
+    ret = hx509_request_set_SubjectPublicKeyInfo(context, *req,
 						  &rinfo->subjectPKInfo);
     if (ret) {
 	free_CertificationRequest(&r);
-	_hx509_request_free(req);
+	hx509_request_free(req);
 	return ret;
     }
 
     ret = _hx509_name_from_Name(&rinfo->subject, &subject);
     if (ret) {
 	free_CertificationRequest(&r);
-	_hx509_request_free(req);
+	hx509_request_free(req);
 	return ret;
     }
-    ret = _hx509_request_set_name(context, *req, subject);
+    ret = hx509_request_set_name(context, *req, subject);
     hx509_name_free(&subject);
     free_CertificationRequest(&r);
     if (ret) {
-	_hx509_request_free(req);
+	hx509_request_free(req);
 	return ret;
     }
 

lib/hx509/version-script.map

@@ -16,20 +16,12 @@ HEIMDAL_X509_1.2 {
 		_hx509_generate_private_key_is_ca;
 		_hx509_map_file_os;
 		_hx509_name_from_Name;
-		_hx509_private_key2SPKI;
-		_hx509_private_key_free;
 		_hx509_private_key_ref;
 		_hx509_request_add_dns_name;
 		_hx509_request_add_email;
-		_hx509_request_free;
-		_hx509_request_get_SubjectPublicKeyInfo;
-		_hx509_request_get_name;
-		_hx509_request_init;
 		_hx509_request_parse;
 		_hx509_request_print;
-		_hx509_request_set_SubjectPublicKeyInfo;
 		_hx509_request_set_email;
-		_hx509_request_set_name;
 		_hx509_request_to_pkcs10;
 		_hx509_request_to_pkcs10;
 		_hx509_unmap_file_os;
@@ -82,6 +74,7 @@ HEIMDAL_X509_1.2 {
 		hx509_cert_init;
 		hx509_cert_init_data;
 		hx509_cert_keyusage_print;
+		hx509_cert_public_encrypt;
 		hx509_cert_ref;
 		hx509_cert_set_friendly_name;
 		hx509_certs_add;
@@ -146,6 +139,7 @@ HEIMDAL_X509_1.2 {
 		hx509_err;
 		hx509_free_error_string;
 		hx509_free_octet_string_list;
+		hx509_find_private_alg;
 		hx509_general_name_unparse;
 		hx509_get_error_string;
 		hx509_get_one_cert;
@@ -174,6 +168,7 @@ HEIMDAL_X509_1.2 {
 		hx509_oid_print;
 		hx509_oid_sprint;
 		hx509_parse_name;
+		hx509_parse_private_key;
 		hx509_peer_info_add_cms_alg;
 		hx509_peer_info_alloc;
 		hx509_peer_info_free;
@@ -186,6 +181,11 @@ HEIMDAL_X509_1.2 {
 		hx509_pem_write;
 		hx509_print_stdout;
 		hx509_print_cert;
+		hx509_private_key_assign_rsa;
+		hx509_private_key_free;
+		hx509_private_key_private_decrypt;
+		hx509_private_key_init;
+		hx509_private_key2SPKI;
 		hx509_prompt_hidden;
 		hx509_query_alloc;
 		hx509_query_free;
@@ -197,6 +197,12 @@ HEIMDAL_X509_1.2 {
 		hx509_query_match_option;
 		hx509_query_statistic_file;
 		hx509_query_unparse_stats;
+		hx509_request_get_name;
+		hx509_request_get_SubjectPublicKeyInfo;
+		hx509_request_free;
+		hx509_request_init;
+		hx509_request_set_name;
+		hx509_request_set_SubjectPublicKeyInfo;
 		hx509_revoke_add_crl;
 		hx509_revoke_add_ocsp;
 		hx509_revoke_free;

lib/krb5/Makefile.am

@@ -63,28 +63,28 @@ use_sqlite = $(LIB_sqlite3)
 endif
 
 libkrb5_la_LIBADD = \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/ipc/libheim-ipcc.la \
+	$(top_builddir)/lib/wind/libwind.la \
+	$(top_builddir)/base/libheimbase.la \
 	$(LIB_pkinit) \
 	$(use_sqlite) \
 	$(LIB_com_err) \
 	$(LIB_hcrypto) \
-	$(top_builddir)/lib/asn1/libasn1.la \
-	../ipc/libheim-ipcc.la \
-	../wind/libwind.la \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
-	../../base/libheimbase.la \
 	$(PTHREAD_LIBADD) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)
 
 librfc3961_la_LIBADD = \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(top_builddir)/lib/ipc/libheim-ipcc.la \
+	$(top_builddir)/lib/wind/libwind.la \
 	$(LIB_pkinit) \
 	$(use_sqlite) \
 	$(LIB_com_err) \
 	$(LIB_hcrypto) \
-	$(top_builddir)/lib/asn1/libasn1.la \
-	../ipc/libheim-ipcc.la \
-	../wind/libwind.la \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
 	$(PTHREAD_LIBADD) \

lib/krb5/krb5.h

@@ -241,6 +241,8 @@ typedef enum krb5_key_usage {
     /* Encryption of the SAM-NONCE-OR-SAD field */
     KRB5_KU_PA_PKINIT_KX = 44,
     /* Encryption type of the kdc session contribution in pk-init */
+    KRB5_KU_AS_REQ = 56,
+    /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */
     KRB5_KU_DIGEST_ENCRYPT = -18,
     /* Encryption key usage used in the digest encryption field */
     KRB5_KU_DIGEST_OPAQUE = -19,