revert 21003

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21004 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-08 01:53:10 +00:00
parent 12df8538af
commit 9df9f6a9da
46 changed files with 58 additions and 229 deletions
--- a/cf/Makefile.am.common
+++ b/cf/Makefile.am.common
@@ -132,14 +132,11 @@ check-local::
 	  echo "$$dashes"; \
 	fi

-SUFFIXES += .x .z
+SUFFIXES += .x

 .x.c:
 	@cmp -s $< $@ 2> /dev/null || cp $< $@

-.z.c:
-	@cmp -s $< $@ 2> /dev/null || cp $< $@
-
 SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8

 NROFF_MAN = groff -mandoc -Tascii
--- a/configure.in
+++ b/configure.in
@@ -464,7 +464,6 @@ AC_CONFIG_FILES(Makefile 		\
 	lib/roken/Makefile		\
 	lib/sl/Makefile			\
 	lib/vers/Makefile		\
-	lib/wind/Makefile		\
 	kuser/Makefile			\
 	kpasswd/Makefile		\
 	kadmin/Makefile			\
--- a/kuser/kgetcred.c
+++ b/kuser/kgetcred.c
@@ -41,10 +41,9 @@ static char *delegation_cred_str;
 static char *etype_str;
 static int transit_flag = 1;
 static int forwardable_flag;
-static char *impersonate_str;
-static int server_flag;
 static int version_flag;
 static int help_flag;
+static char *impersonate_str;

 struct getargs args[] = {
    { "cache",		'c', arg_string, &cache_str,
@@ -60,7 +59,6 @@ struct getargs args[] = {
      "encryption type to use", "enctype"},
    { "impersonate",	0,   arg_string, &impersonate_str,
      "client to impersonate", "principal"},
-    { "server",		0,   arg_flag, &server_flag },
    { "version", 	0,   arg_flag, &version_flag },
    { "help",		0,   arg_flag, &help_flag }
 };
@@ -187,9 +185,6 @@ main(int argc, char **argv)
    if (ret)
 	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);

-    if (server_flag)
-	server->name.name_type = KRB5_NT_SRV_INST;
-
    ret = krb5_get_creds(context, opt, cache, server, &out);
    if (ret)
 	krb5_err (context, 1, ret, "krb5_get_creds");
--- a/lib/asn1/k5.asn1
+++ b/lib/asn1/k5.asn1
@@ -649,26 +649,6 @@ PA-SvrReferralData ::= SEQUENCE {
 	referred-realm  [0] Realm
 }

-- Kerberos remote encryption
-
-K5REncEncryptDecryptREQ ::= SEQUENCE {
-	id		[0] krb5int32,
-	encrypt		[1] BOOLEAN,
-	principal	[2] Principal,
-	kvno		[3] krb5int32 OPTIONAL,
-	etype		[4] krb5int32,
-	usage		[5] krb5int32,
-	ivec		[6] OCTET STRING OPTIONAL,
-	data		[7] OCTET STRING
-}
-
-K5REncEncryptDecryptREP ::= SEQUENCE {
-	id		[0] krb5int32,
-	data		[1] OCTET STRING,
-	error-code	[2] krb5int32 OPTIONAL
-}
-
-
 END

 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
--- a/lib/asn1/pkinit.asn1
+++ b/lib/asn1/pkinit.asn1
@@ -160,7 +160,7 @@ KDCDHKeyInfo-Win2k ::= SEQUENCE {

 ReplyKeyPack-Win2k ::= SEQUENCE {
        replyKey                [0] EncryptionKey,
-        nonce                   [1] INTEGER (-2147483648..2147483647),
+        nonce                   [1] INTEGER (0..4294967295),
 	...
 }

--- a/lib/gssapi/ChangeLog
+++ b/lib/gssapi/ChangeLog
@@ -1,7 +1,3 @@
-2007-06-04  Love H<>rnquist <20>strand  <lha@it.su.se>
-
-	* ntlm/digest.c: Free memory when done.
-	
 2007-06-02  Love H<>rnquist <20>strand  <lha@it.su.se>

 	* test_ntlm.c: Test both with and without keyex.
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -168,8 +168,7 @@ ntlmsrc = \
 	ntlm/process_context_token.c \
 	ntlm/release_cred.c \
 	ntlm/release_name.c \
-	ntlm/digest.c \
-	ntlm/winbind.c
+	ntlm/digest.c

 $(srcdir)/ntlm/ntlm-private.h:
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
--- a/lib/gssapi/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi/gssapi.h
@@ -798,71 +798,6 @@ gss_decapsulate_token(gss_buffer_t /* input_token */,
 		      gss_buffer_t /* output_token */);


-/*
- * GSS_Unwrap() with support for associated data.
- *
- * Notes:
- *
- *	token_header_buffer contains the GSS-API token as
- *	received from the peer
- *
- *	associated_data_buffer contains the complete data
- *	over which the checksum is to be verified;
- *
- *	input_message_buffer contains the complete data to
- *	be decrypted if confidentiality was requested;
- *
- *	input_message_buffer value must point into the value
- *	of associated_data_buffer (hence input_message_buffer
- *	just specifies a span within associated_data_buffer).
- *
- *	On returning GSS_S_COMPLETE, output_message_buffer
- *	will contain input_message_buffer after unwrapping and;
- *
- *	associated_data_buffer will have been authenticated
- *
- */
-
-OM_uint32
-gss_unwrap_ex(OM_uint32 *minor_status,
-	      const gss_ctx_id_t context_handle,
-	      const gss_buffer_t token_header_buffer,
-	      const gss_buffer_t associated_data_buffer,
-	      const gss_buffer_t input_message_buffer,
-	      gss_buffer_t output_message_buffer,
-	      int *conf_state,
-	      gss_qop_t *qop_state);
-    
-/*
- * GSS_Wrap() with support for associated data.
- *
- * Notes:
- *
- *	associated_data_buffer contains the complete data
- *	over which the checksum is to be verified;
- *
- *	input_message_buffer contains the data to be
- *	encrypted if conf_req_flag == TRUE.
- *
- *	On returning GSS_S_COMPLETE, output_token_buffer
- *	will contain the GSS-API tokenheader, and;
- *
- *	output_message_buffer will contain input_message_buffer
- *	after wrapping (including any padding)
- */
-
-OM_uint32
-gss_wrap_ex(OM_uint32 *minor_status,
-	    const gss_ctx_id_t context_handle,
-	    int conf_req_flag,
-	    gss_qop_t qop_req,
-	    const gss_buffer_t associated_data_buffer,
-	    const gss_buffer_t input_message_buffer,
-	    int *conf_state,
-	    gss_buffer_t output_token_buffer,
-	    gss_buffer_t output_message_buffer);
-
-

 #ifdef __cplusplus
 }
--- a/lib/hx509/test_windows.in
+++ b/lib/hx509/test_windows.in
@@ -77,7 +77,7 @@ ${hxtool} issue-certificate \
    --generate-key=rsa \
    --subject="CN=User,DC=heimdal,DC=pki" \
    --ms-upn="user@heimdal.pki" \
-    --crl-uri="http://people.su.se/~lha/wcrl.crl" \
+    --crl-uri="http://www.test.h5l.se/test-hemdal-pki-crl1.crl" \
    --certificate="FILE:wuser.pem" \
    --ca-certificate=FILE:wca.pem || exit 1

--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -724,41 +724,16 @@ add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
 /*
 get_cred(server)
 	creds = cc_get_cred(server)
-	if(creds)
-		return creds
-	# XXX check referrals cache
-	try-realm = ca-paths
-	if (try-realm == NULL)
-		try_realm = client.realm;
-	server-realm = server.realm
-	tgt = find_cred(krbtgt/{try-realm}@ANY)
-	while (num-referrals++ < max-num-referrals) {
-		req-server = server.service@server_realm
-		creds = get_cred(tgt, req-server)
-		if (creds == NULL)
-			break
-		add-traversed(server_realm)
-		if (referral?(creds, secure?, &referral)) {
-			if (referral && check-name(creds, req-server))
-				return NULL(bad-name)
-			if (tgt?(creds)) {
-				if (traversed-before(creds.realm))
-					return NULL(eloop)
-				server_realm = creds.realm
-				tgt = creds
-				if (referral && referral.true-name)
-					server = referral.true-name
-			} else {
-				return creds
-			}
-		} else if (match(server, creds)) {
-			return creds
-		} else {
-			break
-		}
-	}
-	return NULL(enotfound)
-
+	if(creds) return creds
+	tgt = cc_get_cred(krbtgt/server_realm@any_realm)
+	if(tgt)
+		return get_cred_tgt(server, tgt)
+	if(client_realm == server_realm)
+		return NULL
+	tgt = get_cred(krbtgt/server_realm@client_realm)
+	while(tgt_inst != server_realm)
+		tgt = get_cred(krbtgt/server_realm@tgt_inst)
+	return get_cred_tgt(server, tgt)
 	*/

 static krb5_error_code
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 - 2007 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -826,15 +826,14 @@ krb5_rd_req_ctx(krb5_context context,
 	    goto out;
    }

-    ret = krb5_verify_ap_req2(context,
-			      auth_context,
-			      &ap_req,
-			      server,
-			      o->keyblock,
-			      0,
-			      &o->ap_req_options,
-			      &o->ticket,
-			      KRB5_KU_AP_REQ_AUTH);
+    ret = krb5_verify_ap_req(context,
+			     auth_context,
+			     &ap_req,
+			     server,
+			     o->keyblock,
+			     0,
+			     &o->ap_req_options,
+			     &o->ticket);

    if (ret)
 	goto out;
--- a/lib/roken/base64-test.c
+++ b/lib/roken/base64-test.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif

-#include "roken.h"
+#include <roken.h>
 #include <base64.h>

 int
--- a/lib/roken/closefrom.c
+++ b/lib/roken/closefrom.c
@@ -43,7 +43,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #endif

-#include "roken.h"
+#include <roken.h>

 int ROKEN_LIB_FUNCTION
 closefrom(int fd)
--- a/lib/roken/dumpdata.c
+++ b/lib/roken/dumpdata.c
@@ -38,7 +38,7 @@ RCSID("$Id$");

 #include <unistd.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Write datablob to a filename, don't care about errors.
--- a/lib/roken/ecalloc.c
+++ b/lib/roken/ecalloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like calloc but never fails.
--- a/lib/roken/emalloc.c
+++ b/lib/roken/emalloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like malloc but never fails.
--- a/lib/roken/eread.c
+++ b/lib/roken/eread.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <err.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like read but never fails (and never returns partial data).
--- a/lib/roken/erealloc.c
+++ b/lib/roken/erealloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like realloc but never fails.
--- a/lib/roken/estrdup.c
+++ b/lib/roken/estrdup.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like strdup but never fails.
--- a/lib/roken/ewrite.c
+++ b/lib/roken/ewrite.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <err.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like write but never fails (and never returns partial data).
--- a/lib/roken/get_window_size.c
+++ b/lib/roken/get_window_size.c
@@ -58,7 +58,7 @@ RCSID("$Id$");
 #include <termios.h>
 #endif

-#include "roken.h"
+#include <roken.h>

 int ROKEN_LIB_FUNCTION
 get_window_size(int fd, struct winsize *wp)
--- a/lib/roken/getarg.c
+++ b/lib/roken/getarg.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include "roken.h"
+#include <roken.h>
 #include "getarg.h"

 #define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
--- a/lib/roken/getusershell.c
+++ b/lib/roken/getusershell.c
@@ -59,7 +59,7 @@ struct aud_rec;
 #ifdef HAVE_USERCONF_H
 #include <userconf.h>
 #endif
-#include "roken.h"
+#include <roken.h>

 #ifndef _PATH_SHELLS
 #define _PATH_SHELLS "/etc/shells"
--- a/lib/roken/hex-test.c
+++ b/lib/roken/hex-test.c
@@ -37,7 +37,7 @@
 RCSID("$Id$");
 #endif

-#include "roken.h"
+#include <roken.h>
 #include <hex.h>

 int
--- a/lib/roken/inet_ntop.c
+++ b/lib/roken/inet_ntop.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif

-#include "roken.h"
+#include <roken.h>

 /*
 *
--- a/lib/roken/inet_pton.c
+++ b/lib/roken/inet_pton.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif

-#include "roken.h"
+#include <roken.h>

 int ROKEN_LIB_FUNCTION
 inet_pton(int af, const char *src, void *dst)
--- a/lib/roken/net_read.c
+++ b/lib/roken/net_read.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <errno.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like read but never return partial data.
--- a/lib/roken/net_write.c
+++ b/lib/roken/net_write.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <errno.h>

-#include "roken.h"
+#include <roken.h>

 /*
 * Like write but never return partial data.
--- a/lib/roken/parse_units.c
+++ b/lib/roken/parse_units.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
-#include "roken.h"
+#include <roken.h>
 #include "parse_units.h"

 /*
--- a/lib/roken/roken_gethostby.c
+++ b/lib/roken/roken_gethostby.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif

-#include "roken.h"
+#include <roken.h>

 #undef roken_gethostbyname
 #undef roken_gethostbyaddr
--- a/lib/roken/simple_exec.c
+++ b/lib/roken/simple_exec.c
@@ -49,7 +49,7 @@ RCSID("$Id$");
 #endif
 #include <errno.h>

-#include "roken.h"
+#include <roken.h>

 #define EX_NOEXEC	126
 #define EX_NOTFOUND	127
--- a/lib/roken/snprintf.c
+++ b/lib/roken/snprintf.c
@@ -43,7 +43,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
-#include "roken.h"
+#include <roken.h>
 #include <assert.h>

 enum format_flags {
--- a/lib/roken/socket.c
+++ b/lib/roken/socket.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif

-#include "roken.h"
+#include <roken.h>
 #include <err.h>

 /*
--- a/lib/roken/socket_wrapper.c
+++ b/lib/roken/socket_wrapper.c
@@ -88,7 +88,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <stdio.h>
-#include "roken.h"
+#include <roken.h>

 #include "socket_wrapper.h"

--- a/lib/roken/strcollect.c
+++ b/lib/roken/strcollect.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
-#include "roken.h"
+#include <roken.h>

 enum { initial = 10, increment = 5 };

--- a/lib/roken/strlwr.c
+++ b/lib/roken/strlwr.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <string.h>
 #include <ctype.h>

-#include "roken.h"
+#include <roken.h>

 #ifndef HAVE_STRLWR
 char * ROKEN_LIB_FUNCTION
--- a/lib/roken/strndup.c
+++ b/lib/roken/strndup.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <string.h>

-#include "roken.h"
+#include <roken.h>

 #ifndef HAVE_STRNDUP
 char * ROKEN_LIB_FUNCTION
--- a/lib/roken/strpool.c
+++ b/lib/roken/strpool.c
@@ -38,7 +38,7 @@ RCSID("$Id$");

 #include <stdarg.h>
 #include <stdlib.h>
-#include "roken.h"
+#include <roken.h>

 struct rk_strpool {
    char *str;
--- a/lib/roken/strupr.c
+++ b/lib/roken/strupr.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <string.h>
 #include <ctype.h>

-#include "roken.h"
+#include <roken.h>

 #ifndef HAVE_STRUPR
 char * ROKEN_LIB_FUNCTION
--- a/lib/roken/test-mem.c
+++ b/lib/roken/test-mem.c
@@ -40,7 +40,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>

 #include "test-mem.h"

--- a/lib/roken/unvis.c
+++ b/lib/roken/unvis.c
@@ -34,7 +34,7 @@
 #include <config.h>
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
--- a/lib/roken/vis.c
+++ b/lib/roken/vis.c
@@ -67,7 +67,7 @@
 #include <config.h>
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
--- a/lib/roken/write_pid.c
+++ b/lib/roken/write_pid.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include "roken.h"
+#include <roken.h>

 #include "roken.h"

--- a/tests/kdc/check-referral.in
+++ b/tests/kdc/check-referral.in
@@ -43,12 +43,8 @@ testfailed="echo test failed; cat messages.log; exit 1"
 # If there is no useful db support compile in, disable test
 ../db/have-db || exit 77

-exit 77
-
 R=TEST.H5L.SE
-R2=SUB.TEST.H5L.SE
-
-service=ldap/host.sub.test.h5l.se
+R2=TEST2.H5L.SE

 port=@port@

@@ -63,6 +59,7 @@ kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
 kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"


+
 KRB5_CONFIG="${objdir}/krb5.conf"
 export KRB5_CONFIG

@@ -87,8 +84,6 @@ ${kadmin} \
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
 ${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1

-${kadmin} add -p foo --use-defaults  ${service}@${R2} || exit 1
-
 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1

@@ -112,14 +107,6 @@ trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

 ec=0

-echo "Getting client (no canon)"; > messages.log
-${kinit} --password-file=${objdir}/foopassword foo@${R} || \
-	{ ec=1 ; eval "${testfailed}"; }
-echo "checking that we go back right principal"
-${klist} | grep "Principal: foo@${R}" > /dev/null || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kdestroy}
-
 echo "Getting client alias1 tickets"; > messages.log
 ${kinit} --canonicalize \
 	--password-file=${objdir}/foopassword alias1@${R}@${R} || \
@@ -154,32 +141,6 @@ echo "Remove alias"
 ${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }


-echo "Getting client for ${service}@${R} (kdc referral)"
-> messages.log
-${kinit} --password-file=${objdir}/foopassword foo@${R} || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kgetcred} --server ${service}@${R} ||
-	{ ec=1 ; eval "${testfailed}"; }
-${klist}
-echo "checking that we go back right principal"
-${klist} | grep "${service}@${R2}" > /dev/null || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kdestroy}
-
-echo "Getting client for ${service}@${R2} (client side guessing)"
-> messages.log
-${kinit} --password-file=${objdir}/foopassword foo@${R} || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kgetcred} --server ${service}@${R2} ||
-	{ ec=1 ; eval "${testfailed}"; }
-${klist}
-echo "checking that we go back right principal"
-${klist} | grep "${service}@${R2}" > /dev/null || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kdestroy}
-
-
-
 echo "killing kdc (${kdcpid})"
 kill $kdcpid || exit 1

--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -11,17 +11,10 @@
 	TEST.H5L.SE = {
 		kdc = localhost:@port@
 	}
-	SUB.TEST.H5L.SE = {
-		kdc = localhost:@port@
-	}
 	TEST2.H5L.SE = {
 		kdc = localhost:@port@
 	}

-[domain_realms]
-	.sub.test.h5l.se = SUB.TEST.H5L.SE
-	
-
 [kdc]
 	enable-digest = true
 	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2