Merge remote branch 'h-github/master' into win32-port2

* h-github/master: (64 commits)
  refix socket wrappers with rk_
  Patch from Secure Endpoints/Asanka Herath for windows support
  unset KRB5CCNAME
  its really just LIBADD more most of them
  correct quoting
  Use -lpthread for modern freebsd instead
  clean KRB5CCNAME and KRB5_CONFIG, require test to reset them
  more up ${env_setup}
  use PTHREADS_LIBADD for freebsd6 and newer
  add PTHREAD_LIBADD
  add PTHREAD_LIBADD
  add PTHREAD_LIBADD
  switch to PTHREADS_LIBADD
  log what the error string say too
  More debug logging
  sprinkle more 'echo "test failed"'
  sprinkle 'echo "test failed"'
  use calloc(), indent more prettier
  in sh, equal compare is really = for strings, not ==
  Check for duplicates, already loaded mechs
  ...

Conflicts (resolved):
	lib/krb5/auth_context.c
	lib/krb5/changepw.c
	lib/krb5/context.c
	lib/krb5/error_string.c
	lib/krb5/kuserok.c
	lib/krb5/libkrb5-exports.def.in
	lib/krb5/net_write.c
	lib/krb5/store_fd.c
	lib/krb5/test_cc.c
	lib/roken/strerror_r.c

lib/krb5/Makefile.am

@@ -67,6 +67,7 @@ libkrb5_la_LIBADD = \
 	../wind/libwind.la \
 	$(LIB_libintl) \
 	$(LIBADD_roken) \
+	$(PTHREAD_LIBADD) \
 	$(LIB_door_create) \
 	$(LIB_dlopen)
 
@@ -187,7 +188,7 @@ dist_libkrb5_la_SOURCES =			\
 nodist_libkrb5_la_SOURCES =			\
 	$(ERR_FILES)
 
-libkrb5_la_LDFLAGS = -version-info 25:0:0
+libkrb5_la_LDFLAGS = -version-info 26:0:0
 
 if versionscript
 libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map

lib/krb5/acl.c

@@ -257,7 +257,7 @@ krb5_acl_match_file(krb5_context context,
     f = fopen(file, "r");
     if(f == NULL) {
 	int save_errno = errno;
-	strerror_r(save_errno, buf, sizeof(buf));
+	rk_strerror_r(save_errno, buf, sizeof(buf));
 	krb5_set_error_message(context, save_errno,
 			       N_("open(%s): %s", "file, errno"),
 			       file, buf);

lib/krb5/auth_context.c

@@ -173,7 +173,7 @@ krb5_auth_con_genaddrs(krb5_context context,
 	    if(rk_IS_SOCKET_ERROR(getsockname(fd, local, &len))) {
 		char buf[128];
 		ret = rk_SOCK_ERRNO;
-		strerror_r(ret, buf, sizeof(buf));
+		rk_strerror_r(ret, buf, sizeof(buf));
 		krb5_set_error_message(context, ret, "getsockname: %s", buf);
 		goto out;
 	    }
@@ -191,7 +191,7 @@ krb5_auth_con_genaddrs(krb5_context context,
 	if(rk_IS_SOCKET_ERROR(getpeername(fd, remote, &len))) {
 	    char buf[128];
 	    ret = rk_SOCK_ERRNO;
-	    strerror_r(ret, buf, sizeof(buf));
+	    rk_strerror_r(ret, buf, sizeof(buf));
 	    krb5_set_error_message(context, ret, "getpeername: %s", buf);
 	    goto out;
 	}

lib/krb5/changepw.c

@@ -603,7 +603,7 @@ change_password_loop (krb5_context	context,
 		    }
 		}
 
-#ifndef NO_LIMIT_FD_SETSIZE	
+#ifndef NO_LIMIT_FD_SETSIZE
 		if (sock >= FD_SETSIZE) {
 		    ret = ERANGE;
 		    krb5_set_error_message(context, ret,

lib/krb5/context.c

@@ -531,11 +531,23 @@ krb5_free_context(krb5_context context)
     krb5_set_ignore_addresses(context, NULL);
     krb5_set_send_to_kdc_func(context, NULL, NULL);
 
+#ifdef PKINIT
+    hx509_context_free(&context->hx509ctx);
+#endif
+
     HEIMDAL_MUTEX_destroy(context->mutex);
     free(context->mutex);
+<<<<<<< HEAD
     if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
  	rk_SOCK_EXIT();
     }
+=======
+#ifdef NEED_SOCK_INIT
+    if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
+ 	SOCK_EXIT;
+    }
+#endif
+>>>>>>> h-github/master
 
     memset(context, 0, sizeof(*context));
     free(context);

lib/krb5/fcache.c

@@ -99,7 +99,7 @@ _krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive,
 	break;
     default: {
 	char buf[128];
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret,
 			       N_("error locking cache file %s: %s",
 				  "file, error"), filename, buf);
@@ -133,7 +133,7 @@ _krb5_xunlock(krb5_context context, int fd)
 	break;
     default: {
 	char buf[128];
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret,
 			       N_("Failed to unlock file: %s", ""), buf);
 	break;
@@ -397,7 +397,7 @@ fcc_open(krb5_context context,
     if(fd < 0) {
 	char buf[128];
 	ret = errno;
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret, N_("open(%s): %s", "file, error"),
 			       filename, buf);
 	return ret;
@@ -461,7 +461,7 @@ fcc_initialize(krb5_context context,
 	if (ret == 0) {
 	    char buf[128];
 	    ret = errno;
-	    strerror_r(ret, buf, sizeof(buf));
+	    rk_strerror_r(ret, buf, sizeof(buf));
 	    krb5_set_error_message (context, ret, N_("close %s: %s", ""),
 				    FILENAME(id), buf);
 	}
@@ -516,7 +516,7 @@ fcc_store_cred(krb5_context context,
     if (close(fd) < 0) {
 	if (ret == 0) {
 	    char buf[128];
-	    strerror_r(ret, buf, sizeof(buf));
+	    rk_strerror_r(ret, buf, sizeof(buf));
 	    ret = errno;
 	    krb5_set_error_message (context, ret, N_("close %s: %s", ""),
 				    FILENAME(id), buf);
@@ -930,7 +930,7 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
     if (ret && errno != EXDEV) {
 	char buf[128];
 	ret = errno;
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret,
 			       N_("Rename of file from %s "
 				  "to %s failed: %s", ""),
@@ -997,7 +997,7 @@ fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
 	close(fd);
     }
 
-    fcc_destroy(context, from);
+    fcc_close(context, from);
 
     return ret;
 }

lib/krb5/init_creds_pw.c

@@ -1541,6 +1541,7 @@ krb5_init_creds_set_keytab(krb5_context context,
 	    /* remove old list of etype */
 	    if (etypes)
 		free(etypes);
+	    etypes = NULL;
 	    netypes = 0;
 	    kvno = entry.vno;
 	} else if (entry.vno != kvno)

lib/krb5/kcm.c

@@ -78,7 +78,7 @@ kcm_send_request(krb5_context context,
 	ret = heim_ipc_init_context(kcm_ipc_name, &kcm_ipc);
     HEIMDAL_MUTEX_unlock(&kcm_mutex);
     if (ret)
-	return ret;
+	return KRB5_CC_NOSUPP;
 
     ret = krb5_storage_to_data(request, &request_data);
     if (ret) {

lib/krb5/kuserok.c

@@ -221,6 +221,9 @@ match_local_principals(krb5_context context,
  * ignored. Subdirectories are not traversed. Note that this directory
  * may not be checked by other Kerberos implementations.
  *
+ * If no configuration file exists, match user against local domains,
+ * ie luser@LOCAL-REALMS-IN-CONFIGURATION-FILES.
+ *
  * @param context Kerberos 5 context.
  * @param principal principal to check if allowed to login
  * @param luser local user id
@@ -293,10 +296,9 @@ krb5_kuserok (krb5_context context,
 
     return FALSE;
 #else
-    /* On Windows, for now we always return TRUE.  The .k5login file
-       may be on a remote profile and we don't have access to the
-       profile until we have a token handle for the user's
-       credentials. */
-    return TRUE;
+    /* The .k5login file may be on a remote profile and we don't have
+       access to the profile until we have a token handle for the
+       user's credentials. */
+    return match_local_principals(context, principal, luser);
 #endif
 }

lib/krb5/libkrb5-exports.def.in

@@ -57,6 +57,7 @@ EXPORTS
 	krb5_auth_con_setuserkey
 	krb5_auth_getremoteseqnumber
 	krb5_build_ap_req
+	krb5_build_authenticator
 	krb5_build_principal
 	krb5_build_principal_ext
 	krb5_build_principal_va
@@ -137,11 +138,13 @@ EXPORTS
 	krb5_compare_creds
 	krb5_config_file_free
 	krb5_config_free_strings
+	krb5_config_get
 	krb5_config_get_bool
 	krb5_config_get_bool_default
 	krb5_config_get_int
 	krb5_config_get_int_default
 	krb5_config_get_list
+	krb5_config_get_next
 	krb5_config_get_string
 	krb5_config_get_string_default
 	krb5_config_get_strings
@@ -150,11 +153,13 @@ EXPORTS
 	krb5_config_parse_file
 	krb5_config_parse_file_multi
 	krb5_config_parse_string_multi
+	krb5_config_vget
 	krb5_config_vget_bool
 	krb5_config_vget_bool_default
 	krb5_config_vget_int
 	krb5_config_vget_int_default
 	krb5_config_vget_list
+	krb5_config_vget_next
 	krb5_config_vget_string
 	krb5_config_vget_string_default
 	krb5_config_vget_strings
@@ -675,11 +680,12 @@ EXPORTS
 	krb5_write_priv_message
 	krb5_write_safe_message
 	krb5_xfree
+	krb5_cccol_last_change_time
 	krb5_cccol_cursor_new
 	krb5_cccol_cursor_next
 	krb5_cccol_cursor_free
 
-; com_err error tables
+	; com_err error tables
 	initialize_krb5_error_table_r
 	initialize_krb5_error_table
 	initialize_krb_error_table_r
@@ -689,7 +695,7 @@ EXPORTS
 	initialize_k524_error_table_r
 	initialize_k524_error_table
 
-; variables
+        ; variables
 	krb5_mcc_ops            DATA
 	krb5_acc_ops            DATA
 	krb5_fcc_ops            DATA
@@ -699,7 +705,9 @@ EXPORTS
 #ifdef HAVE_KCM
 	krb5_kcm_ops            DATA
 #endif
-;	krb4_fkt_ops            DATA
+#ifdef HAVE_KRB4
+	krb4_fkt_ops            DATA
+#endif
 	krb5_wrfkt_ops          DATA
 	krb5_mkt_ops            DATA
 	krb5_akf_ops            DATA
@@ -714,13 +722,13 @@ EXPORTS
 	krb5_cc_type_kcm        DATA
 	krb5_cc_type_scc        DATA
 
-; Shared with GSSAPI krb5
+        ; Shared with GSSAPI krb5
 	_krb5_crc_init_table		
 	_krb5_crc_update		
 	_krb5_get_krbtgt
 	_krb5_build_authenticator
 
-; V4 compat glue
+        ; V4 compat glue
 	_krb5_krb_tf_setup
 	_krb5_krb_dest_tkt
 	_krb5_krb_life_to_time
@@ -734,7 +742,7 @@ EXPORTS
 	_krb5_krb_time_to_life
 	_krb5_krb_cr_err_reply
 
-; Shared with libkdc
+	; Shared with libkdc
 	_krb5_AES_string_to_default_iterator
 	_krb5_dh_group_ok
 	_krb5_get_host_realm_int
@@ -753,12 +761,13 @@ EXPORTS
 	_krb5_principalname2krb5_principal
 	_krb5_put_int
 	_krb5_s4u2self_to_checksumdata
+	_krb5_expand_path_tokens
 
-; kinit helper
+        ; kinit helper
 	_krb5_get_init_creds_opt_set_pkinit_user_certs
 	_krb5_pk_enterprise_cert
 
-; testing
+	; testing
 ;	_krb5_aes_cts_encrypt
 	_krb5_n_fold
 	_krb5_expand_default_cc_name

lib/krb5/net_write.c

@@ -43,7 +43,6 @@ krb5_net_write (krb5_context context,
     return net_write(fd, buf, len);
 }
 
-KRB5_DEPRECATED
 KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
 krb5_net_write_block(krb5_context context,
 		     void *p_fd,

lib/krb5/replay.c

@@ -135,7 +135,7 @@ krb5_rc_initialize(krb5_context context,
     if(f == NULL) {
 	char buf[128];
 	ret = errno;
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
 	return ret;
     }
@@ -161,7 +161,7 @@ krb5_rc_destroy(krb5_context context,
     if(remove(id->name) < 0) {
 	char buf[128];
 	ret = errno;
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret, "remove(%s): %s", id->name, buf);
 	return ret;
     }
@@ -212,7 +212,7 @@ krb5_rc_store(krb5_context context,
     if(f == NULL) {
 	char buf[128];
 	ret = errno;
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
 	return ret;
     }
@@ -232,7 +232,7 @@ krb5_rc_store(krb5_context context,
 	char buf[128];
 	ret = errno;
 	fclose(f);
-	strerror_r(ret, buf, sizeof(buf));
+	rk_strerror_r(ret, buf, sizeof(buf));
 	krb5_set_error_message(context, ret, "%s: %s",
 			       id->name, buf);
 	return ret;
@@ -241,7 +241,7 @@ krb5_rc_store(krb5_context context,
     f = fopen(id->name, "a");
     if(f == NULL) {
 	char buf[128];
-	strerror_r(errno, buf, sizeof(buf));
+	rk_strerror_r(errno, buf, sizeof(buf));
 	krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
 			       "open(%s): %s", id->name, buf);
 	return KRB5_RC_IO_UNKNOWN;

lib/krb5/send_to_kdc.c

@@ -142,9 +142,9 @@ send_and_recv_tcp(krb5_socket_t fd,
     krb5_data len_data;
 
     _krb5_put_int(len, req->length, 4);
-    if(net_write(fd, len, sizeof(len)) < 0)
+    if(net_write (fd, len, sizeof(len)) < 0)
 	return -1;
-    if(net_write(fd, req->data, req->length) < 0)
+    if(net_write (fd, req->data, req->length) < 0)
 	return -1;
     if (recv_loop (fd, tmout, 0, 4, &len_data) < 0)
 	return -1;

lib/krb5/store_fd.c

@@ -91,7 +91,7 @@ krb5_storage_from_fd(krb5_socket_t fd_in)
     krb5_storage *sp;
     int fd;
 
-#ifdef _WIN32
+#ifdef SOCKET_IS_NOT_AN_FD
 #ifdef _MSC_VER
     if (_get_osfhandle(fd_in) != -1) {
 	fd = dup(fd_in);
@@ -101,7 +101,7 @@ krb5_storage_from_fd(krb5_socket_t fd_in)
 #else
 #error Dont know how to deal with fd that may or may not be a socket.
 #endif
-#else
+#else  /* SOCKET_IS_NOT_AN_FD */
     fd = dup(fd_in);
 #endif
 

lib/krb5/test_cc.c

@@ -77,12 +77,12 @@ test_default_name(krb5_context context)
 	krb5_errx (context, 1, "krb5_cc_default_name 2 failed");
     p3 = estrdup(p);
 
-#ifndef KRB5_USE_PATH_TOKENS    
+#ifndef KRB5_USE_PATH_TOKENS
     /* If we are using path tokens, we don't expect the p3 and
        test_cc_name to match since p3 is going to have expanded
        tokens. */
     if (strcmp(p3, test_cc_name) != 0)
-  	krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
+	krb5_errx (context, 1, "krb5_cc_set_default_name 1 failed");
 #endif
 
     free(p1);

lib/krb5/version-script.map

@@ -39,6 +39,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_auth_con_getlocalseqnumber;
 		krb5_auth_con_getlocalsubkey;
 		krb5_auth_con_getrcache;
+		krb5_auth_con_getremoteseqnumber;
 		krb5_auth_con_getremotesubkey;
 		krb5_auth_con_init;
 		krb5_auth_con_removeflags;
@@ -117,7 +118,7 @@ HEIMDAL_KRB5_2.0 {
 		krb5_cc_set_kdc_offset;
 		krb5_cc_start_seq_get;
 		krb5_cc_store_cred;
-		krb5_cc_support_switch
+		krb5_cc_support_switch;
 		krb5_cc_switch;
  		krb5_cc_set_friendly_name;
 		krb5_change_password;

lib/krb5/version.c

@@ -35,7 +35,5 @@
 
 /* this is just to get a version stamp in the library file */
 
-#define heimdal_version __heimdal_version
-#define heimdal_long_version __heimdal_long_version
 #include "version.h"