revert 21003

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21004 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-08 01:53:10 +00:00
parent 12df8538af
commit 9df9f6a9da
46 changed files with 58 additions and 229 deletions
--- a/cf/Makefile.am.common
+++ b/cf/Makefile.am.common
@@ -132,14 +132,11 @@ check-local::
 	  echo "$$dashes"; \
 	fi
-SUFFIXES += .x .z
+SUFFIXES += .x
 .x.c:
 	@cmp -s $< $@ 2> /dev/null || cp $< $@
 .z.c:
 	@cmp -s $< $@ 2> /dev/null || cp $< $@
 SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
 NROFF_MAN = groff -mandoc -Tascii
--- a/configure.in
+++ b/configure.in
@@ -464,7 +464,6 @@ AC_CONFIG_FILES(Makefile 		\
 	lib/roken/Makefile		\
 	lib/sl/Makefile			\
 	lib/vers/Makefile		\
 	lib/wind/Makefile		\
 	kuser/Makefile			\
 	kpasswd/Makefile		\
 	kadmin/Makefile			\
--- a/kuser/kgetcred.c
+++ b/kuser/kgetcred.c
@@ -41,10 +41,9 @@ static char *delegation_cred_str;
 static char *etype_str;
 static int transit_flag = 1;
 static int forwardable_flag;
 static char *impersonate_str;
 static int server_flag;
 static int version_flag;
 static int help_flag;
 static char *impersonate_str;
 struct getargs args[] = {
    { "cache",		'c', arg_string, &cache_str,
@@ -60,7 +59,6 @@ struct getargs args[] = {
      "encryption type to use", "enctype"},
    { "impersonate",	0,   arg_string, &impersonate_str,
      "client to impersonate", "principal"},
    { "server",		0,   arg_flag, &server_flag },
    { "version", 	0,   arg_flag, &version_flag },
    { "help",		0,   arg_flag, &help_flag }
 };
@@ -187,9 +185,6 @@ main(int argc, char **argv)
    if (ret)
 	krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
    if (server_flag)
 	server->name.name_type = KRB5_NT_SRV_INST;
    ret = krb5_get_creds(context, opt, cache, server, &out);
    if (ret)
 	krb5_err (context, 1, ret, "krb5_get_creds");
--- a/lib/asn1/k5.asn1
+++ b/lib/asn1/k5.asn1
@@ -649,26 +649,6 @@ PA-SvrReferralData ::= SEQUENCE {
 	referred-realm  [0] Realm
 }
 -- Kerberos remote encryption
 K5REncEncryptDecryptREQ ::= SEQUENCE {
 	id		[0] krb5int32,
 	encrypt		[1] BOOLEAN,
 	principal	[2] Principal,
 	kvno		[3] krb5int32 OPTIONAL,
 	etype		[4] krb5int32,
 	usage		[5] krb5int32,
 	ivec		[6] OCTET STRING OPTIONAL,
 	data		[7] OCTET STRING
 }
 K5REncEncryptDecryptREP ::= SEQUENCE {
 	id		[0] krb5int32,
 	data		[1] OCTET STRING,
 	error-code	[2] krb5int32 OPTIONAL
 }
 END
 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
--- a/lib/asn1/pkinit.asn1
+++ b/lib/asn1/pkinit.asn1
@@ -160,7 +160,7 @@ KDCDHKeyInfo-Win2k ::= SEQUENCE {
 ReplyKeyPack-Win2k ::= SEQUENCE {
        replyKey                [0] EncryptionKey,
-        nonce                   [1] INTEGER (-2147483648..2147483647),
+        nonce                   [1] INTEGER (0..4294967295),
 	...
 }
--- a/lib/gssapi/ChangeLog
+++ b/lib/gssapi/ChangeLog
@@ -1,7 +1,3 @@
 2007-06-04  Love H<>rnquist <20>strand  <lha@it.su.se>
 	* ntlm/digest.c: Free memory when done.
 2007-06-02  Love H<>rnquist <20>strand  <lha@it.su.se>
 	* test_ntlm.c: Test both with and without keyex.
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -168,8 +168,7 @@ ntlmsrc = \
 	ntlm/process_context_token.c \
 	ntlm/release_cred.c \
 	ntlm/release_name.c \
-	ntlm/digest.c \
+	ntlm/digest.c
 	ntlm/winbind.c
 $(srcdir)/ntlm/ntlm-private.h:
 	cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
--- a/lib/gssapi/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi/gssapi.h
@@ -798,71 +798,6 @@ gss_decapsulate_token(gss_buffer_t /* input_token */,
 		      gss_buffer_t /* output_token */);
 /*
 * GSS_Unwrap() with support for associated data.
 *
 * Notes:
 *
 *	token_header_buffer contains the GSS-API token as
 *	received from the peer
 *
 *	associated_data_buffer contains the complete data
 *	over which the checksum is to be verified;
 *
 *	input_message_buffer contains the complete data to
 *	be decrypted if confidentiality was requested;
 *
 *	input_message_buffer value must point into the value
 *	of associated_data_buffer (hence input_message_buffer
 *	just specifies a span within associated_data_buffer).
 *
 *	On returning GSS_S_COMPLETE, output_message_buffer
 *	will contain input_message_buffer after unwrapping and;
 *
 *	associated_data_buffer will have been authenticated
 *
 */
 OM_uint32
 gss_unwrap_ex(OM_uint32 *minor_status,
 	      const gss_ctx_id_t context_handle,
 	      const gss_buffer_t token_header_buffer,
 	      const gss_buffer_t associated_data_buffer,
 	      const gss_buffer_t input_message_buffer,
 	      gss_buffer_t output_message_buffer,
 	      int *conf_state,
 	      gss_qop_t *qop_state);
 /*
 * GSS_Wrap() with support for associated data.
 *
 * Notes:
 *
 *	associated_data_buffer contains the complete data
 *	over which the checksum is to be verified;
 *
 *	input_message_buffer contains the data to be
 *	encrypted if conf_req_flag == TRUE.
 *
 *	On returning GSS_S_COMPLETE, output_token_buffer
 *	will contain the GSS-API tokenheader, and;
 *
 *	output_message_buffer will contain input_message_buffer
 *	after wrapping (including any padding)
 */
 OM_uint32
 gss_wrap_ex(OM_uint32 *minor_status,
 	    const gss_ctx_id_t context_handle,
 	    int conf_req_flag,
 	    gss_qop_t qop_req,
 	    const gss_buffer_t associated_data_buffer,
 	    const gss_buffer_t input_message_buffer,
 	    int *conf_state,
 	    gss_buffer_t output_token_buffer,
 	    gss_buffer_t output_message_buffer);
 #ifdef __cplusplus
 }
--- a/lib/hx509/test_windows.in
+++ b/lib/hx509/test_windows.in
@@ -77,7 +77,7 @@ ${hxtool} issue-certificate \
    --generate-key=rsa \
    --subject="CN=User,DC=heimdal,DC=pki" \
    --ms-upn="user@heimdal.pki" \
-    --crl-uri="http://people.su.se/~lha/wcrl.crl" \
+    --crl-uri="http://www.test.h5l.se/test-hemdal-pki-crl1.crl" \
    --certificate="FILE:wuser.pem" \
    --ca-certificate=FILE:wca.pem || exit 1
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -724,41 +724,16 @@ add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
 /*
 get_cred(server)
 	creds = cc_get_cred(server)
-	if(creds)
+	if(creds) return creds
-		return creds
+	tgt = cc_get_cred(krbtgt/server_realm@any_realm)
-	# XXX check referrals cache
+	if(tgt)
-	try-realm = ca-paths
+		return get_cred_tgt(server, tgt)
-	if (try-realm == NULL)
+	if(client_realm == server_realm)
-		try_realm = client.realm;
+		return NULL
-	server-realm = server.realm
+	tgt = get_cred(krbtgt/server_realm@client_realm)
-	tgt = find_cred(krbtgt/{try-realm}@ANY)
+	while(tgt_inst != server_realm)
-	while (num-referrals++ < max-num-referrals) {
+		tgt = get_cred(krbtgt/server_realm@tgt_inst)
-		req-server = server.service@server_realm
+	return get_cred_tgt(server, tgt)
 		creds = get_cred(tgt, req-server)
 		if (creds == NULL)
 			break
 		add-traversed(server_realm)
 		if (referral?(creds, secure?, &referral)) {
 			if (referral && check-name(creds, req-server))
 				return NULL(bad-name)
 			if (tgt?(creds)) {
 				if (traversed-before(creds.realm))
 					return NULL(eloop)
 				server_realm = creds.realm
 				tgt = creds
 				if (referral && referral.true-name)
 					server = referral.true-name
 			} else {
 				return creds
 			}
 		} else if (match(server, creds)) {
 			return creds
 		} else {
 			break
 		}
 	}
 	return NULL(enotfound)
 	*/
 static krb5_error_code
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 - 2007 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 2003 - 2006 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -826,15 +826,14 @@ krb5_rd_req_ctx(krb5_context context,
 	    goto out;
    }
-    ret = krb5_verify_ap_req2(context,
+    ret = krb5_verify_ap_req(context,
-			      auth_context,
+			     auth_context,
-			      &ap_req,
+			     &ap_req,
-			      server,
+			     server,
-			      o->keyblock,
+			     o->keyblock,
-			      0,
+			     0,
-			      &o->ap_req_options,
+			     &o->ap_req_options,
-			      &o->ticket,
+			     &o->ticket);
 			      KRB5_KU_AP_REQ_AUTH);
    if (ret)
 	goto out;
--- a/lib/roken/base64-test.c
+++ b/lib/roken/base64-test.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #include <base64.h>
 int
--- a/lib/roken/closefrom.c
+++ b/lib/roken/closefrom.c
@@ -43,7 +43,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #endif
-#include "roken.h"
+#include <roken.h>
 int ROKEN_LIB_FUNCTION
 closefrom(int fd)
--- a/lib/roken/dumpdata.c
+++ b/lib/roken/dumpdata.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <unistd.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Write datablob to a filename, don't care about errors.
--- a/lib/roken/ecalloc.c
+++ b/lib/roken/ecalloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like calloc but never fails.
--- a/lib/roken/emalloc.c
+++ b/lib/roken/emalloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like malloc but never fails.
--- a/lib/roken/eread.c
+++ b/lib/roken/eread.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like read but never fails (and never returns partial data).
--- a/lib/roken/erealloc.c
+++ b/lib/roken/erealloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like realloc but never fails.
--- a/lib/roken/estrdup.c
+++ b/lib/roken/estrdup.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like strdup but never fails.
--- a/lib/roken/ewrite.c
+++ b/lib/roken/ewrite.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like write but never fails (and never returns partial data).
--- a/lib/roken/get_window_size.c
+++ b/lib/roken/get_window_size.c
@@ -58,7 +58,7 @@ RCSID("$Id$");
 #include <termios.h>
 #endif
-#include "roken.h"
+#include <roken.h>
 int ROKEN_LIB_FUNCTION
 get_window_size(int fd, struct winsize *wp)
--- a/lib/roken/getarg.c
+++ b/lib/roken/getarg.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include "roken.h"
+#include <roken.h>
 #include "getarg.h"
 #define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
--- a/lib/roken/getusershell.c
+++ b/lib/roken/getusershell.c
@@ -59,7 +59,7 @@ struct aud_rec;
 #ifdef HAVE_USERCONF_H
 #include <userconf.h>
 #endif
-#include "roken.h"
+#include <roken.h>
 #ifndef _PATH_SHELLS
 #define _PATH_SHELLS "/etc/shells"
--- a/lib/roken/hex-test.c
+++ b/lib/roken/hex-test.c
@@ -37,7 +37,7 @@
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #include <hex.h>
 int
--- a/lib/roken/inet_ntop.c
+++ b/lib/roken/inet_ntop.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 /*
 *
--- a/lib/roken/inet_pton.c
+++ b/lib/roken/inet_pton.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 int ROKEN_LIB_FUNCTION
 inet_pton(int af, const char *src, void *dst)
--- a/lib/roken/net_read.c
+++ b/lib/roken/net_read.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <errno.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like read but never return partial data.
--- a/lib/roken/net_write.c
+++ b/lib/roken/net_write.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include <unistd.h>
 #include <errno.h>
-#include "roken.h"
+#include <roken.h>
 /*
 * Like write but never return partial data.
--- a/lib/roken/parse_units.c
+++ b/lib/roken/parse_units.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
-#include "roken.h"
+#include <roken.h>
 #include "parse_units.h"
 /*
--- a/lib/roken/roken_gethostby.c
+++ b/lib/roken/roken_gethostby.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #undef roken_gethostbyname
 #undef roken_gethostbyaddr
--- a/lib/roken/simple_exec.c
+++ b/lib/roken/simple_exec.c
@@ -49,7 +49,7 @@ RCSID("$Id$");
 #endif
 #include <errno.h>
-#include "roken.h"
+#include <roken.h>
 #define EX_NOEXEC	126
 #define EX_NOTFOUND	127
--- a/lib/roken/snprintf.c
+++ b/lib/roken/snprintf.c
@@ -43,7 +43,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
-#include "roken.h"
+#include <roken.h>
 #include <assert.h>
 enum format_flags {
--- a/lib/roken/socket.c
+++ b/lib/roken/socket.c
@@ -36,7 +36,7 @@
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #include <err.h>
 /*
--- a/lib/roken/socket_wrapper.c
+++ b/lib/roken/socket_wrapper.c
@@ -88,7 +88,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <stdio.h>
-#include "roken.h"
+#include <roken.h>
 #include "socket_wrapper.h"
--- a/lib/roken/strcollect.c
+++ b/lib/roken/strcollect.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
-#include "roken.h"
+#include <roken.h>
 enum { initial = 10, increment = 5 };
--- a/lib/roken/strlwr.c
+++ b/lib/roken/strlwr.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <string.h>
 #include <ctype.h>
-#include "roken.h"
+#include <roken.h>
 #ifndef HAVE_STRLWR
 char * ROKEN_LIB_FUNCTION
--- a/lib/roken/strndup.c
+++ b/lib/roken/strndup.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <stdlib.h>
 #include <string.h>
-#include "roken.h"
+#include <roken.h>
 #ifndef HAVE_STRNDUP
 char * ROKEN_LIB_FUNCTION
--- a/lib/roken/strpool.c
+++ b/lib/roken/strpool.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <stdarg.h>
 #include <stdlib.h>
-#include "roken.h"
+#include <roken.h>
 struct rk_strpool {
    char *str;
--- a/lib/roken/strupr.c
+++ b/lib/roken/strupr.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include <string.h>
 #include <ctype.h>
-#include "roken.h"
+#include <roken.h>
 #ifndef HAVE_STRUPR
 char * ROKEN_LIB_FUNCTION
--- a/lib/roken/test-mem.c
+++ b/lib/roken/test-mem.c
@@ -40,7 +40,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <err.h>
-#include "roken.h"
+#include <roken.h>
 #include "test-mem.h"
--- a/lib/roken/unvis.c
+++ b/lib/roken/unvis.c
@@ -34,7 +34,7 @@
 #include <config.h>
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
--- a/lib/roken/vis.c
+++ b/lib/roken/vis.c
@@ -67,7 +67,7 @@
 #include <config.h>
 RCSID("$Id$");
 #endif
-#include "roken.h"
+#include <roken.h>
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
--- a/lib/roken/write_pid.c
+++ b/lib/roken/write_pid.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include <stdio.h>
 #include <sys/types.h>
 #include <unistd.h>
-#include "roken.h"
+#include <roken.h>
 #include "roken.h"
--- a/tests/kdc/check-referral.in
+++ b/tests/kdc/check-referral.in
@@ -43,12 +43,8 @@ testfailed="echo test failed; cat messages.log; exit 1"
 # If there is no useful db support compile in, disable test
 ../db/have-db || exit 77
 exit 77
 R=TEST.H5L.SE
-R2=SUB.TEST.H5L.SE
+R2=TEST2.H5L.SE
 service=ldap/host.sub.test.h5l.se
 port=@port@
@@ -63,6 +59,7 @@ kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
 kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
 KRB5_CONFIG="${objdir}/krb5.conf"
 export KRB5_CONFIG
@@ -87,8 +84,6 @@ ${kadmin} \
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
 ${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
 ${kadmin} add -p foo --use-defaults  ${service}@${R2} || exit 1
 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
@@ -112,14 +107,6 @@ trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
 ec=0
 echo "Getting client (no canon)"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
 echo "checking that we go back right principal"
 ${klist} | grep "Principal: foo@${R}" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 echo "Getting client alias1 tickets"; > messages.log
 ${kinit} --canonicalize \
 	--password-file=${objdir}/foopassword alias1@${R}@${R} || \
@@ -154,32 +141,6 @@ echo "Remove alias"
 ${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
 echo "Getting client for ${service}@${R} (kdc referral)"
 > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} --server ${service}@${R} ||
 	{ ec=1 ; eval "${testfailed}"; }
 ${klist}
 echo "checking that we go back right principal"
 ${klist} | grep "${service}@${R2}" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 echo "Getting client for ${service}@${R2} (client side guessing)"
 > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} --server ${service}@${R2} ||
 	{ ec=1 ; eval "${testfailed}"; }
 ${klist}
 echo "checking that we go back right principal"
 ${klist} | grep "${service}@${R2}" > /dev/null || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 echo "killing kdc (${kdcpid})"
 kill $kdcpid || exit 1
--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -11,17 +11,10 @@
 	TEST.H5L.SE = {
 		kdc = localhost:@port@
 	}
 	SUB.TEST.H5L.SE = {
 		kdc = localhost:@port@
 	}
 	TEST2.H5L.SE = {
 		kdc = localhost:@port@
 	}
 [domain_realms]
 	.sub.test.h5l.se = SUB.TEST.H5L.SE
 [kdc]
 	enable-digest = true
 	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2