Changeset 745 for trunk/server/source4/heimdal/lib/krb5

trunk/server

Property svn:mergeinfo changed
/vendor/current merged: 581,587,591,594,597,600,615,618,740

trunk/server/source4/heimdal/lib/krb5/acache.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #endif
+#ifndef KCM_IS_API_CACHE
 static HEIMDAL_MUTEX acc_mutex = HEIMDAL_MUTEX_INITIALIZER;
 static cc_initialize_func init_func;
+static void (KRB5_CALLCONV *set_target_uid)(uid_t);
+static void (KRB5_CALLCONV *clear_target)(void);
 #ifdef HAVE_DLOPEN
 static void *cc_handle;
 …
 } krb5_acc;
 static krb5_error_code acc_close(krb5_context, krb5_ccache);
+static krb5_error_code KRB5_CALLCONV acc_close(krb5_context, krb5_ccache);
 #define ACACHE(X) ((krb5_acc *)(X)->data.data)
 …
 init_ccapi(krb5_context context)
+{
     const char *lib;
+    const char *lib = NULL;
     HEIMDAL_MUTEX_lock(&acc_mutex);
     if (init_func) {
         HEIMDAL_MUTEX_unlock(&acc_mutex);
+        krb5_clear_error_message(context);
+        if (context)
+            krb5_clear_error_message(context);
         return 0;
+    }
+    lib = krb5_config_get_string(context, NULL,
+                                 "libdefaults", "ccapi_library",
+                                 NULL);
+    if (context)
+        lib = krb5_config_get_string(context, NULL,
+                                     "libdefaults", "ccapi_library",
+                                     NULL);
     if (lib == NULL) {
 #ifdef __APPLE__
         lib = "/System/Library/Frameworks/Kerberos.framework/Kerberos";
+#elif defined(KRB5_USE_PATH_TOKENS) && defined(_WIN32)
+        lib = "%{LIBDIR}/libkrb5_cc.dll";
 #else
         lib = "/usr/lib/libkrb5_cc.so";
 …
 #define RTLD_LAZY 0
 #endif
+    cc_handle = dlopen(lib, RTLD_LAZY);
+#ifndef RTLD_LOCAL
+#define RTLD_LOCAL 0
+#endif
+#ifdef KRB5_USE_PATH_TOKENS
+    {
+      char * explib = NULL;
+      if (_krb5_expand_path_tokens(context, lib, &explib) == 0) {
+        cc_handle = dlopen(explib, RTLD_LAZY|RTLD_LOCAL);
+        free(explib);
+      }
+    }
+#else
+    cc_handle = dlopen(lib, RTLD_LAZY|RTLD_LOCAL);
+#endif
     if (cc_handle == NULL) {
         HEIMDAL_MUTEX_unlock(&acc_mutex);
+        krb5_set_error_message(context, KRB5_CC_NOSUPP,
+                               N_("Failed to load API cache module %s", "file"),
+                               lib);
+        if (context)
+            krb5_set_error_message(context, KRB5_CC_NOSUPP,
+                                   N_("Failed to load API cache module %s", "file"),
+                                   lib);
         return KRB5_CC_NOSUPP;
+    }
     init_func = (cc_initialize_func)dlsym(cc_handle, "cc_initialize");
+    set_target_uid = (void (KRB5_CALLCONV *)(uid_t))
+        dlsym(cc_handle, "krb5_ipc_client_set_target_uid");
+    clear_target = (void (KRB5_CALLCONV *)(void))
+        dlsym(cc_handle, "krb5_ipc_client_clear_target");
     HEIMDAL_MUTEX_unlock(&acc_mutex);
     if (init_func == NULL) {
+        krb5_set_error_message(context, KRB5_CC_NOSUPP,
+                               N_("Failed to find cc_initialize"
+                                 "in %s: %s", "file, error"), lib, dlerror());
+        if (context)
+            krb5_set_error_message(context, KRB5_CC_NOSUPP,
+                                   N_("Failed to find cc_initialize"
+                                      "in %s: %s", "file, error"), lib, dlerror());
         dlclose(cc_handle);
         return KRB5_CC_NOSUPP;
 …
 #else
     HEIMDAL_MUTEX_unlock(&acc_mutex);
+    krb5_set_error_message(context, KRB5_CC_NOSUPP,
+                           N_("no support for shared object", ""));
+    if (context)
+        krb5_set_error_message(context, KRB5_CC_NOSUPP,
+                               N_("no support for shared object", ""));
     return KRB5_CC_NOSUPP;
 #endif
+}
+void
+_heim_krb5_ipc_client_set_target_uid(uid_t uid)
+{
+    init_ccapi(NULL);
+    if (set_target_uid != NULL)
+        (*set_target_uid)(uid);
+}
+void
+_heim_krb5_ipc_client_clear_target(void)
+{
+    init_ccapi(NULL);
+    if (clear_target != NULL)
+        (*clear_target)();
+}
 …
 static const char*
+static const char* KRB5_CALLCONV
 acc_get_name(krb5_context context,
              krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_alloc(krb5_context context, krb5_ccache *id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_gen_new(krb5_context context, krb5_ccache *id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_initialize(krb5_context context,
                krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_close(krb5_context context,
           krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_destroy(krb5_context context,
             krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_store_cred(krb5_context context,
                krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_get_principal(krb5_context context,
                   krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_get_first (krb5_context context,
                krb5_ccache id,
 …
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_get_next (krb5_context context,
               krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_end_get (krb5_context context,
              krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_remove_cred(krb5_context context,
                 krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_set_flags(krb5_context context,
               krb5_ccache id,
 …
+}
 static int
+static int KRB5_CALLCONV
 acc_get_version(krb5_context context,
                 krb5_ccache id)
 …
 };
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_get_default_name(krb5_context context, char **str)
+{
 …
+    }
     asprintf(str, "API:%s", name->data);
+    error = asprintf(str, "API:%s", name->data);
     (*name->func->release)(name);
     (*cc->func->release)(cc);
     if (*str == NULL) {
+    if (error < 0 || *str == NULL) {
         krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
         return ENOMEM;
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_set_default(krb5_context context, krb5_ccache id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 acc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
 …
     acc_lastchange
 };
+#endif

trunk/server/source4/heimdal/lib/krb5/add_et_list.c

r414	r745
48	48	*/
49	49
50		krb5_error_code KRB5_LIB_FUNCTION
	50	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
51	51	krb5_add_et_list (krb5_context context,
52	52	void (func)(struct et_list *))

trunk/server/source4/heimdal/lib/krb5/addr_families.c

-              r414
+              r745
     } else
         p = address;
-#ifdef HAVE_INET_ATON
     if(inet_aton(p, &a) == 0)
         return -1;
-#elif defined(HAVE_INET_ADDR)
-    a.s_addr = inet_addr(p);
-    if(a.s_addr == INADDR_NONE)
-        return -1;
-#else
-    return -1;
-#endif
     addr->addr_type = KRB5_ADDRESS_INET;
     if(krb5_data_alloc(&addr->address, 4) != 0)
 …
+{
     char buf[128], buf2[3];
-#ifdef HAVE_INET_NTOP
     if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
-#endif
+        {
             /* XXX this is pretty ugly, but better than abort() */
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sockaddr2address (krb5_context context,
                        const struct sockaddr *sa, krb5_address *addr)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sockaddr2port (krb5_context context,
                     const struct sockaddr *sa, int16_t *port)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_addr2sockaddr (krb5_context context,
                     const krb5_address *addr,
 …
  */
+size_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
 krb5_max_sockaddr_size (void)
+{
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_sockaddr_uninteresting(const struct sockaddr *sa)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_h_addr2sockaddr (krb5_context context,
                       int af,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_h_addr2addr (krb5_context context,
                   int af,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_anyaddr (krb5_context context,
               int af,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_print_address (const krb5_address *addr,
                     char *str, size_t len, size_t *ret_len)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_parse_address(krb5_context context,
                    const char *string,
 …
  */
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_address_order(krb5_context context,
                    const krb5_address *addr1,
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_address_compare(krb5_context context,
                      const krb5_address *addr1,
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_address_search(krb5_context context,
                     const krb5_address *addr,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_address(krb5_context context,
                   krb5_address *address)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_addresses(krb5_context context,
                     krb5_addresses *addresses)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_address(krb5_context context,
                   const krb5_address *inaddr,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_addresses(krb5_context context,
                     const krb5_addresses *inaddr,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_append_addresses(krb5_context context,
                       krb5_addresses *dest,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_make_addrport (krb5_context context,
                     krb5_address **res, const krb5_address *addr, int16_t port)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_address_prefixlen_boundary(krb5_context context,
                                 const krb5_address *inaddr,

trunk/server/source4/heimdal/lib/krb5/appdefault.c

-              r414
+              r745
 #include "krb5_locl.h"
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_appdefault_boolean(krb5_context context, const char *appname,
                         krb5_const_realm realm, const char *option,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_appdefault_string(krb5_context context, const char *appname,
                        krb5_const_realm realm, const char *option,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_appdefault_time(krb5_context context, const char *appname,
                      krb5_const_realm realm, const char *option,

trunk/server/source4/heimdal/lib/krb5/asn1_glue.c

-              r414
+              r745
 #include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_principal2principalname (PrincipalName *p,
                                const krb5_principal from)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_principalname2krb5_principal (krb5_context context,
                                     krb5_principal *principal,

trunk/server/source4/heimdal/lib/krb5/auth_context.c

-              r414
+              r745
 #include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_init(krb5_context context,
                    krb5_auth_context *auth_context)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_free(krb5_context context,
                    krb5_auth_context auth_context)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setflags(krb5_context context,
                        krb5_auth_context auth_context,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getflags(krb5_context context,
                        krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_addflags(krb5_context context,
                        krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_removeflags(krb5_context context,
                           krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setaddrs(krb5_context context,
                        krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_genaddrs(krb5_context context,
                        krb5_auth_context auth_context,
                        int fd, int flags)
+                       krb5_socket_t fd, int flags)
+{
     krb5_error_code ret;
 …
         if (auth_context->local_address == NULL) {
             len = sizeof(ss_local);
             if(getsockname(fd, local, &len) < 0) {
                 ret = errno;
                 krb5_set_error_message(context, ret,
                                        "getsockname: %s",
                                        strerror(ret));
+            if(rk_IS_SOCKET_ERROR(getsockname(fd, local, &len))) {
+                char buf[128];
+                ret = rk_SOCK_ERRNO;
+                rk_strerror_r(ret, buf, sizeof(buf));
+                krb5_set_error_message(context, ret, "getsockname: %s", buf);
                 goto out;
+            }
 …
     if(flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR) {
         len = sizeof(ss_remote);
+        if(getpeername(fd, remote, &len) < 0) {
+            ret = errno;
+            krb5_set_error_message(context, ret,
+                                   "getpeername: %s", strerror(ret));
+        if(rk_IS_SOCKET_ERROR(getpeername(fd, remote, &len))) {
+            char buf[128];
+            ret = rk_SOCK_ERRNO;
+            rk_strerror_r(ret, buf, sizeof(buf));
+            krb5_set_error_message(context, ret, "getpeername: %s", buf);
             goto out;
+        }
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setaddrs_from_fd (krb5_context context,
                                 krb5_auth_context auth_context,
                                 void *p_fd)
+{
     int fd = *(int*)p_fd;
+    krb5_socket_t fd = *(krb5_socket_t *)p_fd;
     int flags = 0;
     if(auth_context->local_address == NULL)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getaddrs(krb5_context context,
                        krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getkey(krb5_context context,
                      krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getlocalsubkey(krb5_context context,
                              krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getremotesubkey(krb5_context context,
                               krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setkey(krb5_context context,
                      krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setlocalsubkey(krb5_context context,
                              krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_generatelocalsubkey(krb5_context context,
                                   krb5_auth_context auth_context,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setremotesubkey(krb5_context context,
                               krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setcksumtype(krb5_context context,
                            krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getcksumtype(krb5_context context,
                            krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setkeytype (krb5_context context,
                           krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getkeytype (krb5_context context,
                           krb5_auth_context auth_context,
 …
 #if 0
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setenctype(krb5_context context,
                          krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getenctype(krb5_context context,
                          krb5_auth_context auth_context,
 …
 #endif
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getlocalseqnumber(krb5_context context,
                             krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setlocalseqnumber (krb5_context context,
                              krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_auth_getremoteseqnumber(krb5_context context,
                              krb5_auth_context auth_context,
                              int32_t *seqnumber)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getremoteseqnumber(krb5_context context,
+                                 krb5_auth_context auth_context,
+                                 int32_t *seqnumber)
+{
   *seqnumber = auth_context->remote_seqnumber;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setremoteseqnumber (krb5_context context,
                               krb5_auth_context auth_context,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getauthenticator(krb5_context context,
                            krb5_auth_context auth_context,
 …
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_authenticator(krb5_context context,
                         krb5_authenticator *authenticator)
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setuserkey(krb5_context context,
                          krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_getrcache(krb5_context context,
                         krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setrcache(krb5_context context,
                         krb5_auth_context auth_context,
 …
 #if 0 /* not implemented */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_initivector(krb5_context context,
                           krb5_auth_context auth_context)
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_auth_con_setivector(krb5_context context,
                          krb5_auth_context auth_context,

trunk/server/source4/heimdal/lib/krb5/build_ap_req.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_build_ap_req (krb5_context context,
                    krb5_enctype enctype,

trunk/server/source4/heimdal/lib/krb5/build_auth.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 static krb5_error_code
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_build_authenticator (krb5_context context,
+                          krb5_auth_context auth_context,
+                          krb5_enctype enctype,
+                          krb5_creds *cred,
+                          Checksum *cksum,
+                          Authenticator **auth_result,
+                          krb5_data *result,
+                          krb5_key_usage usage)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_build_authenticator (krb5_context context,
+                           krb5_auth_context auth_context,
+                           krb5_enctype enctype,
+                           krb5_creds *cred,
+                           Checksum *cksum,
+                           krb5_data *result,
+                           krb5_key_usage usage)
+{
     Authenticator *auth;
+    Authenticator auth;
     u_char *buf = NULL;
     size_t buf_size;
 …
     krb5_crypto crypto;
+    auth = calloc(1, sizeof(*auth));
+    if (auth == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    memset(&auth, 0, sizeof(auth));
     auth->authenticator_vno = 5;
     copy_Realm(&cred->client->realm, &auth->crealm);
     copy_PrincipalName(&cred->client->name, &auth->cname);
+    auth.authenticator_vno = 5;
+    copy_Realm(&cred->client->realm, &auth.crealm);
+    copy_PrincipalName(&cred->client->name, &auth.cname);
     krb5_us_timeofday (context, &auth->ctime, &auth->cusec);
+    krb5_us_timeofday (context, &auth.ctime, &auth.cusec);
     ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth->subkey);
+    ret = krb5_auth_con_getlocalsubkey(context, auth_context, &auth.subkey);
     if(ret)
         goto fail;
 …
                                       &cred->session,
                                       &auth_context->local_seqnumber);
         ALLOC(auth->seq_number, 1);
         if(auth->seq_number == NULL) {
+        ALLOC(auth.seq_number, 1);
+        if(auth.seq_number == NULL) {
             ret = ENOMEM;
             goto fail;
+        }
         *auth->seq_number = auth_context->local_seqnumber;
+        *auth.seq_number = auth_context->local_seqnumber;
     } else
+        auth->seq_number = NULL;
+    auth->authorization_data = NULL;
+    auth->cksum = cksum;
+        auth.seq_number = NULL;
+    auth.authorization_data = NULL;
+    if (cksum != NULL && cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+        /*
+         * This is not GSS-API specific, we only enable it for
+         * GSS for now
+         */
+        ret = make_etypelist(context, &auth->authorization_data);
+    if (cksum) {
+        ALLOC(auth.cksum, 1);
+        if (auth.cksum == NULL) {
+            ret = ENOMEM;
+            goto fail;
+        }
+        ret = copy_Checksum(cksum, auth.cksum);
         if (ret)
             goto fail;
+        if (auth.cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+            /*
+             * This is not GSS-API specific, we only enable it for
+             * GSS for now
+             */
+            ret = make_etypelist(context, &auth.authorization_data);
+            if (ret)
+                goto fail;
+        }
+    }
     /* XXX - Copy more to auth_context? */
     auth_context->authenticator->ctime = auth->ctime;
     auth_context->authenticator->cusec = auth->cusec;
+    auth_context->authenticator->ctime = auth.ctime;
+    auth_context->authenticator->cusec = auth.cusec;
     ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, auth, &len, ret);
+    ASN1_MALLOC_ENCODE(Authenticator, buf, buf_size, &auth, &len, ret);
     if (ret)
         goto fail;
 …
                         crypto,
                         usage /* KRB5_KU_AP_REQ_AUTH */,
                         buf + buf_size - len,
+                        buf,
                         len,
                         result);
 …
         goto fail;
+ fail:
+    free_Authenticator (&auth);
     free (buf);
-    if (auth_result)
-        *auth_result = auth;
-    else {
-        /* Don't free the `cksum', it's allocated by the caller */
-        auth->cksum = NULL;
-        free_Authenticator (auth);
-        free (auth);
+    }
-    return ret;
-  fail:
-    free_Authenticator (auth);
-    free (auth);
-    free (buf);
     return ret;
+}

trunk/server/source4/heimdal/lib/krb5/cache.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
         char *principal;
         krb5_unparse_name_short(context, creds.server, &principal);
+        krb5_unparse_name(context, creds.server, &principal);
         printf("principal: %s\\n", principal);
         free(principal);
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_register(krb5_context context,
                  const krb5_cc_ops *ops,
 …
     int i;
     for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
         if(strcmp(context->cc_ops[i].prefix, ops->prefix) == 0) {
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+        if(strcmp(context->cc_ops[i]->prefix, ops->prefix) == 0) {
             if(!override) {
                 krb5_set_error_message(context,
 …
+    }
     if(i == context->num_cc_ops) {
         krb5_cc_ops *o = realloc(context->cc_ops,
                                  (context->num_cc_ops + 1) *
                                  sizeof(*context->cc_ops));
+        const krb5_cc_ops **o = realloc(rk_UNCONST(context->cc_ops),
+                                        (context->num_cc_ops + 1) *
+                                        sizeof(context->cc_ops[0]));
         if(o == NULL) {
             krb5_set_error_message(context, KRB5_CC_NOMEM,
 …
             return KRB5_CC_NOMEM;
+        }
+        context->cc_ops = o;
+        context->cc_ops[context->num_cc_ops] = NULL;
         context->num_cc_ops++;
+        context->cc_ops = o;
+        memset(context->cc_ops + i, 0,
+               (context->num_cc_ops - i) * sizeof(*context->cc_ops));
+    }
+    memcpy(&context->cc_ops[i], ops, sizeof(context->cc_ops[i]));
+    }
+    context->cc_ops[i] = ops;
     return 0;
+}
 …
+{
     krb5_error_code ret;
+    ret = _krb5_cc_allocate(context, ops, id);
+#ifdef KRB5_USE_PATH_TOKENS
+    char * exp_residual = NULL;
+    ret = _krb5_expand_path_tokens(context, residual, &exp_residual);
     if (ret)
         return ret;
+    residual = exp_residual;
+#endif
+    ret = _krb5_cc_allocate(context, ops, id);
+    if (ret) {
+#ifdef KRB5_USE_PATH_TOKENS
+        if (exp_residual)
+            free(exp_residual);
+#endif
+        return ret;
+    }
     ret = (*id)->ops->resolve(context, id, residual);
     if(ret)
+    if(ret) {
         free(*id);
+        *id = NULL;
+    }
+#ifdef KRB5_USE_PATH_TOKENS
+    if (exp_residual)
+        free(exp_residual);
+#endif
     return ret;
+}
+static int
+is_possible_path_name(const char * name)
+{
+    const char * colon;
+    if ((colon = strchr(name, ':')) == NULL)
+        return TRUE;
+#ifdef _WIN32
+    /* <drive letter>:\path\to\cache ? */
+    if (colon == name + 1 &&
+        strchr(colon + 1, ':') == NULL)
+        return TRUE;
+#endif
+    return FALSE;
+}
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_resolve(krb5_context context,
                 const char *name,
 …
     *id = NULL;
     for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
         size_t prefix_len = strlen(context->cc_ops[i].prefix);
         if(strncmp(context->cc_ops[i].prefix, name, prefix_len) == 0
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+        size_t prefix_len = strlen(context->cc_ops[i]->prefix);
+        if(strncmp(context->cc_ops[i]->prefix, name, prefix_len) == 0
            && name[prefix_len] == ':') {
             return allocate_ccache (context, &context->cc_ops[i],
+            return allocate_ccache (context, context->cc_ops[i],
                                     name + prefix_len + 1,
                                     id);
+        }
+    }
     if (strchr (name, ':') == NULL)
+    if (is_possible_path_name(name))
         return allocate_ccache (context, &krb5_fcc_ops, name, id);
     else {
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_new_unique(krb5_context context, const char *type,
                    const char *hint, krb5_ccache *id)
 …
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_cc_get_name(krb5_context context,
                  krb5_ccache id)
 …
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_cc_get_type(krb5_context context,
                  krb5_ccache id)
 …
 /**
+ * Return the complete resolvable name the ccache `id' in `strÂŽ.
+ * `str` should be freed with free(3).
+ * Returns 0 or an error (and then *str is set to NULL).
+ *
+ * @ingroup krb5_ccache
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+ * Return the complete resolvable name the cache
+ * @param context a Keberos context
+ * @param id return pointer to a found credential cache
+ * @param str the returned name of a credential cache, free with krb5_xfree()
+ *
+ * @return Returns 0 or an error (and then *str is set to NULL).
+ *
+ * @ingroup krb5_ccache
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_full_name(krb5_context context,
                       krb5_ccache id,
 …
+const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
 krb5_cc_get_ops(krb5_context context, krb5_ccache id)
+{
 …
 _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
+{
+    size_t tlen, len = 0;
+    char *tmp, *tmp2, *append;
+    *res = NULL;
+    while (str && *str) {
+        tmp = strstr(str, "%{");
+        if (tmp && tmp != str) {
+            append = malloc((tmp - str) + 1);
+            if (append) {
+                memcpy(append, str, tmp - str);
+                append[tmp - str] = '\0';
+            }
+            str = tmp;
+        } else if (tmp) {
+            tmp2 = strchr(tmp, '}');
+            if (tmp2 == NULL) {
+                free(*res);
+                *res = NULL;
+                krb5_set_error_message(context, KRB5_CONFIG_BADFORMAT,
+                                       "variable missing }");
+                return KRB5_CONFIG_BADFORMAT;
+            }
+            if (strncasecmp(tmp, "%{uid}", 6) == 0)
+                asprintf(&append, "%u", (unsigned)getuid());
+            else if (strncasecmp(tmp, "%{null}", 7) == 0)
+                append = strdup("");
+            else {
+                free(*res);
+                *res = NULL;
+                krb5_set_error_message(context,
+                                       KRB5_CONFIG_BADFORMAT,
+                                       "expand default cache unknown "
+                                       "variable \"%.*s\"",
+                                       (int)(tmp2 - tmp) - 2, tmp + 2);
+                return KRB5_CONFIG_BADFORMAT;
+            }
+            str = tmp2 + 1;
+        } else {
+            append = strdup(str);
+            str = NULL;
+        }
+        if (append == NULL) {
+            free(*res);
+            *res = NULL;
+            krb5_set_error_message(context, ENOMEM,
+                                   N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        tlen = strlen(append);
+        tmp = realloc(*res, len + tlen + 1);
+        if (tmp == NULL) {
+            free(append);
+            free(*res);
+            *res = NULL;
+            krb5_set_error_message(context, ENOMEM,
+                                   N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        *res = tmp;
+        memcpy(*res + len, append, tlen + 1);
+        len = len + tlen;
+        free(append);
+    }
+    return 0;
+    return _krb5_expand_path_tokens(context, str, res);
+}
 …
     if (context->default_cc_name_set)
         return 0;
+    /* XXX performance: always ask KCM/API if default name has changed */
+    if (context->default_cc_name &&
+        (strncmp(context->default_cc_name, "KCM:", 4) == 0 ||
+         strncmp(context->default_cc_name, "API:", 4) == 0))
+        return 1;
     if(issuid())
 …
  */
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_switch(krb5_context context, krb5_ccache id)
+{
 …
 /**
+ * Return true if the default credential cache support switch
+ *
+ * @ingroup krb5_ccache
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_cc_support_switch(krb5_context context, const char *type)
+{
+    const krb5_cc_ops *ops;
+    ops = krb5_cc_get_prefix_ops(context, type);
+    if (ops && ops->set_default)
+        return 1;
+    return FALSE;
+}
+/**
  * Set the default cc name for `context' to `name'.
+ *
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_set_default_name(krb5_context context, const char *name)
+{
     krb5_error_code ret = 0;
     char *p;
+    char *p = NULL, *exp_p = NULL;
     if (name == NULL) {
 …
+            }
+        }
+#ifdef _WIN32
+        if (e == NULL) {
+            e = p = _krb5_get_default_cc_name_from_registry();
+        }
+#endif
         if (e == NULL) {
             e = krb5_config_get_string(context, NULL, "libdefaults",
 …
+    }
+    ret = _krb5_expand_path_tokens(context, p, &exp_p);
+    free(p);
+    if (ret)
+        return ret;
     if (context->default_cc_name)
         free(context->default_cc_name);
     context->default_cc_name = p;
     return ret;
+    context->default_cc_name = exp_p;
+    return 0;
+}
 …
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_cc_default_name(krb5_context context)
+{
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_default(krb5_context context,
                 krb5_ccache *id)
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_initialize(krb5_context context,
                    krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_destroy(krb5_context context,
                 krb5_ccache id)
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_close(krb5_context context,
               krb5_ccache id)
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_store_cred(krb5_context context,
                    krb5_ccache id,
 …
  * krb5_free_cred_contents.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+ * @param context A Kerberos 5 context
+ * @param id a Kerberos 5 credential cache
+ * @param whichfields what fields to use for matching credentials, same
+ *        flags as whichfields in krb5_compare_creds()
+ * @param mcreds template credential to use for comparing
+ * @param creds returned credential, free with krb5_free_cred_contents()
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_retrieve_cred(krb5_context context,
                       krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_principal(krb5_context context,
                       krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_start_seq_get (krb5_context context,
                        const krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_next_cred (krb5_context context,
                    const krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_end_seq_get (krb5_context context,
                      const krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_remove_cred(krb5_context context,
                     krb5_ccache id,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_set_flags(krb5_context context,
                   krb5_ccache id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_flags(krb5_context context,
                   krb5_ccache id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_copy_match_f(krb5_context context,
                      const krb5_ccache from,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_copy_cache(krb5_context context,
                    const krb5_ccache from,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_version(krb5_context context,
                     const krb5_ccache id)
 …
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_cc_clear_mcred(krb5_creds *mcred)
+{
 …
+const krb5_cc_ops *
+KRB5_LIB_FUNCTION const krb5_cc_ops * KRB5_LIB_CALL
 krb5_cc_get_prefix_ops(krb5_context context, const char *prefix)
+{
 …
         *p1 = '\0';
     for(i = 0; i < context->num_cc_ops && context->cc_ops[i].prefix; i++) {
         if(strcmp(context->cc_ops[i].prefix, p) == 0) {
+    for(i = 0; i < context->num_cc_ops && context->cc_ops[i]->prefix; i++) {
+        if(strcmp(context->cc_ops[i]->prefix, p) == 0) {
             free(p);
             return &context->cc_ops[i];
+            return context->cc_ops[i];
+        }
+    }
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_cache_get_first (krb5_context context,
                          const char *type,
 …
  * and advance `cursor'.
+ *
+ * @param context A Kerberos 5 context
+ * @param cursor the iterator cursor, returned by krb5_cc_cache_get_first()
+ * @param id next ccache
+ *
  * @return Return 0 or an error code. Returns KRB5_CC_END when the end
  *         of caches is reached, see krb5_get_error_message().
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_cache_next (krb5_context context,
                    krb5_cc_cache_cursor cursor,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_cache_end_seq_get (krb5_context context,
                            krb5_cc_cache_cursor cursor)
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_cache_match (krb5_context context,
                      krb5_principal client,
 …
  */
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_is_config_principal(krb5_context context,
                          krb5_const_principal principal)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_set_config(krb5_context context, krb5_ccache id,
                    krb5_const_principal principal,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_config(krb5_context context, krb5_ccache id,
                    krb5_const_principal principal,
 …
  */
 struct krb5_cccol_cursor {
+struct krb5_cccol_cursor_data {
     int idx;
     krb5_cc_cache_cursor cursor;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor *cursor)
+{
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor,
                        krb5_ccache *cache)
 …
         if (cursor->cursor == NULL) {
             ret = krb5_cc_cache_get_first (context,
                                            context->cc_ops[cursor->idx].prefix,
+                                           context->cc_ops[cursor->idx]->prefix,
                                            &cursor->cursor);
             if (ret) {
 …
         if (ret != KRB5_CC_END)
             break;
         cursor->idx++;
+    }
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor *cursor)
+{
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_last_change_time(krb5_context context,
                          krb5_ccache id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cccol_last_change_time(krb5_context context,
                             const char *type,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_friendly_name(krb5_context context,
                           krb5_ccache id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_set_friendly_name(krb5_context context,
                           krb5_ccache id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_get_lifetime(krb5_context context, krb5_ccache id, time_t *t)
+{
 …
                 *t = cred.times.endtime - now;
             krb5_free_cred_contents(context, &cred);
             goto out;
+            break;
+        }
         krb5_free_cred_contents(context, &cred);
+    }
- out:
     krb5_cc_end_seq_get(context, id, &cursor);
     return ret;
+}
+/**
+ * Set the time offset betwen the client and the KDC
+ *
+ * If the backend doesn't support KDC offset, use the context global setting.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param offset the offset in seconds
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat offset)
+{
+    if (id->ops->set_kdc_offset == NULL) {
+        context->kdc_sec_offset = offset;
+        context->kdc_usec_offset = 0;
+        return 0;
+    }
+    return (*id->ops->set_kdc_offset)(context, id, offset);
+}
+/**
+ * Get the time offset betwen the client and the KDC
+ *
+ * If the backend doesn't support KDC offset, use the context global setting.
+ *
+ * @param context A Kerberos 5 context.
+ * @param id a credential cache
+ * @param offset the offset in seconds
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_ccache
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset)
+{
+    if (id->ops->get_kdc_offset == NULL) {
+        *offset = context->kdc_sec_offset;
+        return 0;
+    }
+    return (*id->ops->get_kdc_offset)(context, id, offset);
+}
+#ifdef _WIN32
+char *
+_krb5_get_default_cc_name_from_registry()
+{
+    HKEY hk_k5 = 0;
+    LONG code;
+    char * ccname = NULL;
+    code = RegOpenKeyEx(HKEY_CURRENT_USER,
+                        "Software\\MIT\\Kerberos5",
+, KEY_READ, &hk_k5);
+    if (code != ERROR_SUCCESS)
+        return NULL;
+    ccname = _krb5_parse_reg_value_as_string(NULL, hk_k5, "ccname",
+                                             REG_NONE, 0);
+    RegCloseKey(hk_k5);
+    return ccname;
+}
+#endif

trunk/server/source4/heimdal/lib/krb5/changepw.c

-              r414
+              r745
 #define KRB5_DEPRECATED
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 #undef __attribute__
 …
                     krb5_principal targprinc,
                     int is_stream,
                     int sock,
+                    rk_socket_t sock,
                     const char *passwd,
                     const char *host)
 …
     iov[2].iov_len     = krb_priv_data.length;
     if (sendmsg (sock, &msghdr, 0) < 0) {
         ret = errno;
+    if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
+        ret = rk_SOCK_ERRNO;
         krb5_set_error_message(context, ret, "sendmsg %s: %s",
                                host, strerror(ret));
 …
                     krb5_principal targprinc,
                     int is_stream,
                     int sock,
+                    rk_socket_t sock,
                     const char *passwd,
                     const char *host)
 …
     iov[2].iov_len     = krb_priv_data.length;
     if (sendmsg (sock, &msghdr, 0) < 0) {
         ret = errno;
+    if (rk_IS_SOCKET_ERROR( sendmsg (sock, &msghdr, 0) )) {
+        ret = rk_SOCK_ERRNO;
         krb5_set_error_message(context, ret, "sendmsg %s: %s",
                                host, strerror(ret));
 …
                krb5_auth_context auth_context,
                int is_stream,
                int sock,
+               rk_socket_t sock,
                int *result_code,
                krb5_data *result_code_string,
 …
             ret = recvfrom (sock, reply + len, sizeof(reply) - len,
 , NULL, NULL);
             if (ret < 0) {
                 save_errno = errno;
+            if (rk_IS_SOCKET_ERROR(ret)) {
+                save_errno = rk_SOCK_ERRNO;
                 krb5_set_error_message(context, save_errno,
                                        "recvfrom %s: %s",
 …
     } else {
         ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
         if (ret < 0) {
             save_errno = errno;
+        if (rk_IS_SOCKET_ERROR(ret)) {
+            save_errno = rk_SOCK_ERRNO;
             krb5_set_error_message(context, save_errno,
                                    "recvfrom %s: %s",
 …
                                               krb5_principal,
                                               int,
                                               int,
+                                              rk_socket_t,
                                               const char *,
                                               const char *);
 …
                                                krb5_auth_context,
                                                int,
                                                int,
+                                               rk_socket_t,
                                                int *,
                                                krb5_data *,
 …
     krb5_krbhst_handle handle = NULL;
     krb5_krbhst_info *hi;
     int sock;
+    rk_socket_t sock;
     unsigned int i;
     int done = 0;
 …
             sock = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
             if (sock < 0)
+            if (rk_IS_BAD_SOCKET(sock))
                 continue;
             rk_cloexec(sock);
             ret = connect(sock, a->ai_addr, a->ai_addrlen);
             if (ret < 0) {
                 close (sock);
+            if (rk_IS_SOCKET_ERROR(ret)) {
+                rk_closesocket (sock);
                 goto out;
+            }
 …
                                           KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR);
             if (ret) {
                 close (sock);
+                rk_closesocket (sock);
                 goto out;
+            }
 …
                                              hi->hostname);
                     if (ret) {
                         close(sock);
+                        rk_closesocket(sock);
                         goto out;
+                    }
+                }
+#ifndef NO_LIMIT_FD_SETSIZE
                 if (sock >= FD_SETSIZE) {
                     ret = ERANGE;
                     krb5_set_error_message(context, ret,
                                            "fd %d too large", sock);
                     close (sock);
+                    rk_closesocket (sock);
                     goto out;
+                }
+#endif
                 FD_ZERO(&fdset);
 …
                 ret = select (sock + 1, &fdset, NULL, NULL, &tv);
                 if (ret < 0 && errno != EINTR) {
                     close(sock);
+                if (rk_IS_SOCKET_ERROR(ret) && rk_SOCK_ERRNO != EINTR) {
+                    rk_closesocket(sock);
                     goto out;
+                }
 …
+                }
+            }
             close (sock);
+            rk_closesocket (sock);
+        }
+    }
 …
 /**
  * krb5_change_password() is deprecated, use krb5_set_password().
+ * Deprecated: krb5_change_password() is deprecated, use krb5_set_password().
+ *
  * @param context a Keberos context
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_change_password (krb5_context      context,
                       krb5_creds        *creds,
 …
                       krb5_data         *result_code_string,
                       krb5_data         *result_string)
-    KRB5_DEPRECATED
+{
     struct kpwd_proc *p = find_chpw_proto("change password");
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_password(krb5_context context,
                   krb5_creds *creds,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_password_using_ccache(krb5_context context,
                                krb5_ccache ccache,
 …
  */
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_passwd_result_to_string (krb5_context context,
                               int result)

trunk/server/source4/heimdal/lib/krb5/codec.c

-              r414
+              r745
 #ifndef HEIMDAL_SMALLER
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_EncTicketPart (krb5_context context,
                            const void *data,
 …
                            EncTicketPart *t,
                            size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_EncTicketPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_EncTicketPart (krb5_context context,
                            void *data,
 …
                            EncTicketPart *t,
                            size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_EncTicketPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_EncASRepPart (krb5_context context,
                           const void *data,
 …
                           EncASRepPart *t,
                           size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_EncASRepPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_EncASRepPart (krb5_context context,
                           void *data,
 …
                           EncASRepPart *t,
                           size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_EncASRepPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_EncTGSRepPart (krb5_context context,
                            const void *data,
 …
                            EncTGSRepPart *t,
                            size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_EncTGSRepPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_EncTGSRepPart (krb5_context context,
                            void *data,
 …
                            EncTGSRepPart *t,
                            size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_EncTGSRepPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_EncAPRepPart (krb5_context context,
                           const void *data,
 …
                           EncAPRepPart *t,
                           size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_EncAPRepPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_EncAPRepPart (krb5_context context,
                           void *data,
 …
                           EncAPRepPart *t,
                           size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_EncAPRepPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_Authenticator (krb5_context context,
                            const void *data,
 …
                            Authenticator *t,
                            size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_Authenticator(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_Authenticator (krb5_context context,
                            void *data,
 …
                            Authenticator *t,
                            size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_Authenticator(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_EncKrbCredPart (krb5_context context,
                             const void *data,
 …
                             EncKrbCredPart *t,
                             size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_EncKrbCredPart(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_EncKrbCredPart (krb5_context context,
                             void *data,
 …
                             EncKrbCredPart *t,
                             size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_EncKrbCredPart (data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_ETYPE_INFO (krb5_context context,
                         const void *data,
 …
                         ETYPE_INFO *t,
                         size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_ETYPE_INFO(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_ETYPE_INFO (krb5_context context,
                         void *data,
 …
                         ETYPE_INFO *t,
                         size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_ETYPE_INFO (data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_ETYPE_INFO2 (krb5_context context,
                         const void *data,
 …
                         ETYPE_INFO2 *t,
                         size_t *len)
-    KRB5_DEPRECATED
+{
     return decode_ETYPE_INFO2(data, length, t, len);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encode_ETYPE_INFO2 (krb5_context context,
                          void *data,
 …
                          ETYPE_INFO2 *t,
                          size_t *len)
-    KRB5_DEPRECATED
+{
     return encode_ETYPE_INFO2 (data, length, t, len);

trunk/server/source4/heimdal/lib/krb5/config_file.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
  */
+#define KRB5_DEPRECATED
 #include "krb5_locl.h"
+#ifdef __APPLE__
+#include <CoreFoundation/CoreFoundation.h>
+#endif
 /* Gaah! I want a portable funopen */
 …
 static krb5_error_code parse_section(char *p, krb5_config_section **s,
                                      krb5_config_section **res,
                                      const char **error_message);
+                                     const char **err_message);
 static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p,
                                      krb5_config_binding **b,
                                      krb5_config_binding **parent,
                                      const char **error_message);
+                                     const char **err_message);
 static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno,
                                   krb5_config_binding **parent,
                                   const char **error_message);
 static krb5_config_section *
 get_entry(krb5_config_section **parent, const char *name, int type)
+                                  const char **err_message);
+krb5_config_section *
+_krb5_config_get_entry(krb5_config_section **parent, const char *name, int type)
+{
     krb5_config_section **q;
 …
  * starting at the line in `p', storing the resulting structure in
  * `s' and hooking it into `parent'.
  * Store the error message in `error_message'.
+ * Store the error message in `err_message'.
  */
 static krb5_error_code
 parse_section(char *p, krb5_config_section **s, krb5_config_section **parent,
               const char **error_message)
+              const char **err_message)
+{
     char *p1;
 …
     p1 = strchr (p + 1, ']');
     if (p1 == NULL) {
         *error_message = "missing ]";
+        *err_message = "missing ]";
         return KRB5_CONFIG_BADFORMAT;
+    }
     *p1 = '\0';
     tmp = get_entry(parent, p + 1, krb5_config_list);
+    tmp = _krb5_config_get_entry(parent, p + 1, krb5_config_list);
     if(tmp == NULL) {
         *error_message = "out of memory";
+        *err_message = "out of memory";
         return KRB5_CONFIG_BADFORMAT;
+    }
 …
  * Parse a brace-enclosed list from `f', hooking in the structure at
  * `parent'.
  * Store the error message in `error_message'.
+ * Store the error message in `err_message'.
  */
 static krb5_error_code
 parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent,
            const char **error_message)
+{
     char buf[BUFSIZ];
+           const char **err_message)
+{
+    char buf[KRB5_BUFSIZ];
     krb5_error_code ret;
     krb5_config_binding *b = NULL;
 …
         if (*p == '\0')
             continue;
         ret = parse_binding (f, lineno, p, &b, parent, error_message);
+        ret = parse_binding (f, lineno, p, &b, parent, err_message);
         if (ret)
             return ret;
+    }
     *lineno = beg_lineno;
     *error_message = "unclosed {";
+    *err_message = "unclosed {";
     return KRB5_CONFIG_BADFORMAT;
+}
 …
 parse_binding(struct fileptr *f, unsigned *lineno, char *p,
               krb5_config_binding **b, krb5_config_binding **parent,
               const char **error_message)
+              const char **err_message)
+{
     krb5_config_binding *tmp;
 …
         ++p;
     if (*p == '\0') {
         *error_message = "missing =";
+        *err_message = "missing =";
         return KRB5_CONFIG_BADFORMAT;
+    }
 …
         ++p;
     if (*p != '=') {
         *error_message = "missing =";
+        *err_message = "missing =";
         return KRB5_CONFIG_BADFORMAT;
+    }
 …
     *p2 = '\0';
     if (*p == '{') {
         tmp = get_entry(parent, p1, krb5_config_list);
+        tmp = _krb5_config_get_entry(parent, p1, krb5_config_list);
         if (tmp == NULL) {
             *error_message = "out of memory";
+            *err_message = "out of memory";
             return KRB5_CONFIG_BADFORMAT;
+        }
         ret = parse_list (f, lineno, &tmp->u.list, error_message);
+        ret = parse_list (f, lineno, &tmp->u.list, err_message);
     } else {
         tmp = get_entry(parent, p1, krb5_config_string);
+        tmp = _krb5_config_get_entry(parent, p1, krb5_config_string);
         if (tmp == NULL) {
             *error_message = "out of memory";
+            *err_message = "out of memory";
             return KRB5_CONFIG_BADFORMAT;
+        }
 …
+}
+#if defined(__APPLE__)
+#if MAC_OS_X_VERSION_MIN_REQUIRED >= 1060
+#define HAVE_CFPROPERTYLISTCREATEWITHSTREAM 1
+#endif
+static char *
+cfstring2cstring(CFStringRef string)
+{
+    CFIndex len;
+    char *str;
+    str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
+    if (str)
+        return strdup(str);
+    len = CFStringGetLength(string);
+    len = 1 + CFStringGetMaximumSizeForEncoding(len, kCFStringEncodingUTF8);
+    str = malloc(len);
+    if (str == NULL)
+        return NULL;
+    if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) {
+        free (str);
+        return NULL;
+    }
+    return str;
+}
+static void
+convert_content(const void *key, const void *value, void *context)
+{
+    krb5_config_section *tmp, **parent = context;
+    char *k;
+    if (CFGetTypeID(key) != CFStringGetTypeID())
+        return;
+    k = cfstring2cstring(key);
+    if (k == NULL)
+        return;
+    if (CFGetTypeID(value) == CFStringGetTypeID()) {
+        tmp = _krb5_config_get_entry(parent, k, krb5_config_string);
+        tmp->u.string = cfstring2cstring(value);
+    } else if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
+        tmp = _krb5_config_get_entry(parent, k, krb5_config_list);
+        CFDictionaryApplyFunction(value, convert_content, &tmp->u.list);
+    } else {
+        /* log */
+    }
+    free(k);
+}
+static krb5_error_code
+parse_plist_config(krb5_context context, const char *path, krb5_config_section **parent)
+{
+    CFReadStreamRef s;
+    CFDictionaryRef d;
+    CFURLRef url;
+    url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE);
+    if (url == NULL) {
+        krb5_clear_error_message(context);
+        return ENOMEM;
+    }
+    s = CFReadStreamCreateWithFile(kCFAllocatorDefault, url);
+    CFRelease(url);
+    if (s == NULL) {
+        krb5_clear_error_message(context);
+        return ENOMEM;
+    }
+    if (!CFReadStreamOpen(s)) {
+        CFRelease(s);
+        krb5_clear_error_message(context);
+        return ENOENT;
+    }
+#ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM
+    d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
+#else
+    d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
+#endif
+    CFRelease(s);
+    if (d == NULL) {
+        krb5_clear_error_message(context);
+        return ENOENT;
+    }
+    CFDictionaryApplyFunction(d, convert_content, parent);
+    CFRelease(d);
+    return 0;
+}
+#endif
 /*
  * Parse the config file `fname', generating the structures into `res'
  * returning error messages in `error_message'
+ * returning error messages in `err_message'
  */
 …
                          krb5_config_section **res,
                          unsigned *lineno,
                          const char **error_message)
+                         const char **err_message)
+{
     krb5_config_section *s = NULL;
     krb5_config_binding *b = NULL;
     char buf[BUFSIZ];
+    char buf[KRB5_BUFSIZ];
     krb5_error_code ret;
 …
             continue;
         if (*p == '[') {
             ret = parse_section(p, &s, res, error_message);
+            ret = parse_section(p, &s, res, err_message);
             if (ret)
                 return ret;
             b = NULL;
         } else if (*p == '}') {
             *error_message = "unmatched }";
+            *err_message = "unmatched }";
             return EINVAL;      /* XXX */
         } else if(*p != '\0') {
             if (s == NULL) {
                 *error_message = "binding before section";
+                *err_message = "binding before section";
                 return EINVAL;
+            }
             ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message);
+            ret = parse_binding(f, lineno, p, &b, &s->u.list, err_message);
             if (ret)
                 return ret;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_config_parse_string_multi(krb5_context context,
+                               const char *string,
+                               krb5_config_section **res)
+{
+    const char *str;
+    unsigned lineno = 0;
+    krb5_error_code ret;
+    struct fileptr f;
+    f.f = NULL;
+    f.s = string;
+    ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+    if (ret) {
+        krb5_set_error_message (context, ret, "%s:%u: %s",
+                                "<constant>", lineno, str);
+        return ret;
+    }
+    return 0;
+static int
+is_plist_file(const char *fname)
+{
+    size_t len = strlen(fname);
+    char suffix[] = ".plist";
+    if (len < sizeof(suffix))
+        return 0;
+    if (strcasecmp(&fname[len - (sizeof(suffix) - 1)], suffix) != 0)
+        return 0;
+    return 1;
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_config_parse_file_multi (krb5_context context,
                               const char *fname,
 …
      * enabled by calling krb5_set_home_dir_access().
      */
+    if (_krb5_homedir_access(context) && fname[0] == '~' && fname[1] == '/') {
+    if (fname[0] == '~' && fname[1] == '/') {
+#ifndef KRB5_USE_PATH_TOKENS
         const char *home = NULL;
+        if (!_krb5_homedir_access(context)) {
+            krb5_set_error_message(context, EPERM,
+                                   "Access to home directory not allowed");
+            return EPERM;
+        }
         if(!issuid())
 …
             fname = newfname;
+        }
+    }
+    f.f = fopen(fname, "r");
+    f.s = NULL;
+    if(f.f == NULL) {
+        ret = errno;
+        krb5_set_error_message (context, ret, "open %s: %s",
+                                fname, strerror(ret));
+#else  /* KRB5_USE_PATH_TOKENS */
+        if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
+            newfname == NULL)
+        {
+            krb5_set_error_message(context, ENOMEM,
+                                   N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        fname = newfname;
+#endif
+    }
+    if (is_plist_file(fname)) {
+#ifdef __APPLE__
+        ret = parse_plist_config(context, fname, res);
+        if (ret) {
+            krb5_set_error_message(context, ret,
+                                   "Failed to parse plist %s", fname);
+            if (newfname)
+                free(newfname);
+            return ret;
+        }
+#else
+        krb5_set_error_message(context, ENOENT,
+                               "no support for plist configuration files");
+        return ENOENT;
+#endif
+    } else {
+#ifdef KRB5_USE_PATH_TOKENS
+        char * exp_fname = NULL;
+        ret = _krb5_expand_path_tokens(context, fname, &exp_fname);
+        if (ret) {
+            if (newfname)
+                free(newfname);
+            return ret;
+        }
         if (newfname)
             free(newfname);
+        return ret;
+    }
+    ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+    fclose(f.f);
+    if (ret) {
+        krb5_set_error_message (context, ret, "%s:%u: %s", fname, lineno, str);
+        if (newfname)
+            free(newfname);
+        return ret;
+    }
+    if (newfname)
+        free(newfname);
+        fname = newfname = exp_fname;
+#endif
+        f.f = fopen(fname, "r");
+        f.s = NULL;
+        if(f.f == NULL) {
+            ret = errno;
+            krb5_set_error_message (context, ret, "open %s: %s",
+                                    fname, strerror(ret));
+            if (newfname)
+                free(newfname);
+            return ret;
+        }
+        ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+        fclose(f.f);
+        if (ret) {
+            krb5_set_error_message (context, ret, "%s:%u: %s",
+                                    fname, lineno, str);
+            if (newfname)
+                free(newfname);
+            return ret;
+        }
+    }
     return 0;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_config_parse_file (krb5_context context,
                         const char *fname,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Free configuration file section, the result of
+ * krb5_config_parse_file() and krb5_config_parse_file_multi().
+ *
+ * @param context A Kerberos 5 context
+ * @param s the configuration section to free
+ *
+ * @return returns 0 on successes, otherwise an error code, see
+ *          krb5_get_error_message()
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_config_file_free (krb5_context context, krb5_config_section *s)
+{
 …
+}
+krb5_error_code
+#ifndef HEIMDAL_SMALLER
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_config_copy(krb5_context context,
                   krb5_config_section *c,
 …
+}
+const void *
 krb5_config_get_next (krb5_context context,
                       const krb5_config_section *c,
                       const krb5_config_binding **pointer,
                       int type,
                       ...)
+#endif /* HEIMDAL_SMALLER */
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_get_next (krb5_context context,
+                       const krb5_config_section *c,
+                       const krb5_config_binding **pointer,
+                       int type,
+                       ...)
+{
     const char *ret;
 …
     va_start(args, type);
     ret = krb5_config_vget_next (context, c, pointer, type, args);
+    ret = _krb5_config_vget_next (context, c, pointer, type, args);
     va_end(args);
     return ret;
 …
+}
+const void *
 krb5_config_vget_next (krb5_context context,
                        const krb5_config_section *c,
                        const krb5_config_binding **pointer,
                        int type,
                        va_list args)
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_vget_next (krb5_context context,
+                        const krb5_config_section *c,
+                        const krb5_config_binding **pointer,
+                        int type,
+                        va_list args)
+{
     const krb5_config_binding *b;
 …
+}
+const void *
 krb5_config_get (krb5_context context,
                  const krb5_config_section *c,
                  int type,
                  ...)
+KRB5_LIB_FUNCTION const void * KRB5_LIB_CALL
+_krb5_config_get (krb5_context context,
+                  const krb5_config_section *c,
+                  int type,
+                  ...)
+{
     const void *ret;
 …
     va_start(args, type);
     ret = krb5_config_vget (context, c, type, args);
+    ret = _krb5_config_vget (context, c, type, args);
     va_end(args);
     return ret;
+}
 const void *
 krb5_config_vget (krb5_context context,
                   const krb5_config_section *c,
                   int type,
                   va_list args)
+_krb5_config_vget (krb5_context context,
+                   const krb5_config_section *c,
+                   int type,
+                   va_list args)
+{
     const krb5_config_binding *foo = NULL;
+    return krb5_config_vget_next (context, c, &foo, type, args);
+}
+const krb5_config_binding *
+    return _krb5_config_vget_next (context, c, &foo, type, args);
+}
+/**
+ * Get a list of configuration binding list for more processing
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return NULL if configuration list is not found, a list otherwise
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
 krb5_config_get_list (krb5_context context,
                       const krb5_config_section *c,
 …
+}
+const krb5_config_binding *
+/**
+ * Get a list of configuration binding list for more processing
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return NULL if configuration list is not found, a list otherwise
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION const krb5_config_binding * KRB5_LIB_CALL
 krb5_config_vget_list (krb5_context context,
                        const krb5_config_section *c,
                        va_list args)
+{
+    return krb5_config_vget (context, c, krb5_config_list, args);
+}
+const char* KRB5_LIB_FUNCTION
+    return _krb5_config_vget (context, c, krb5_config_list, args);
+}
+/**
+ * Returns a "const char *" to a string in the configuration database.
+ * The string may not be valid after a reload of the configuration
+ * database so a caller should make a local copy if it needs to keep
+ * the string.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return NULL if configuration string not found, a string otherwise
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_config_get_string (krb5_context context,
                         const krb5_config_section *c,
 …
+}
+const char* KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_string(), but uses a va_list instead of ...
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return NULL if configuration string not found, a string otherwise
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_config_vget_string (krb5_context context,
                          const krb5_config_section *c,
                          va_list args)
+{
+    return krb5_config_vget (context, c, krb5_config_string, args);
+}
+const char* KRB5_LIB_FUNCTION
+    return _krb5_config_vget (context, c, krb5_config_string, args);
+}
+/**
+ * Like krb5_config_vget_string(), but instead of returning NULL,
+ * instead return a default value.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ *        found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return a configuration string
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_config_vget_string_default (krb5_context context,
                                  const krb5_config_section *c,
 …
+}
+const char* KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_string(), but instead of returning NULL,
+ * instead return a default value.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ *        found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return a configuration string
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_config_get_string_default (krb5_context context,
                                 const krb5_config_section *c,
 …
+}
+char ** KRB5_LIB_FUNCTION
+static char *
+next_component_string(char * begin, char * delims, char **state)
+{
+    char * end;
+    if (begin == NULL)
+        begin = *state;
+    if (*begin == '\0')
+        return NULL;
+    end = begin;
+    while (*end == '"') {
+        char * t = strchr(end + 1, '"');
+        if (t)
+            end = ++t;
+        else
+            end += strlen(end);
+    }
+    if (*end != '\0') {
+        size_t pos;
+        pos = strcspn(end, delims);
+        end = end + pos;
+    }
+    if (*end != '\0') {
+        *end = '\0';
+        *state = end + 1;
+        if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
+            begin++; *(end - 1) = '\0';
+        }
+        return begin;
+    }
+    *state = end;
+    if (*begin == '"' && *(end - 1) == '"' && begin + 1 < end) {
+        begin++; *(end - 1) = '\0';
+    }
+    return begin;
+}
+/**
+ * Get a list of configuration strings, free the result with
+ * krb5_config_free_strings().
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION char ** KRB5_LIB_CALL
 krb5_config_vget_strings(krb5_context context,
                          const krb5_config_section *c,
 …
     const char *p;
     while((p = krb5_config_vget_next(context, c, &b,
                                      krb5_config_string, args))) {
+    while((p = _krb5_config_vget_next(context, c, &b,
+                                      krb5_config_string, args))) {
         char *tmp = strdup(p);
         char *pos = NULL;
 …
         if(tmp == NULL)
             goto cleanup;
         s = strtok_r(tmp, " \t", &pos);
+        s = next_component_string(tmp, " \t", &pos);
         while(s){
             char **tmp2 = realloc(strings, (nstr + 1) * sizeof(*strings));
 …
             if(strings[nstr-1] == NULL)
                 goto cleanup;
             s = strtok_r(NULL, " \t", &pos);
+            s = next_component_string(NULL, " \t", &pos);
+        }
         free(tmp);
 …
+}
+char**
+/**
+ * Get a list of configuration strings, free the result with
+ * krb5_config_free_strings().
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION char** KRB5_LIB_CALL
 krb5_config_get_strings(krb5_context context,
                         const krb5_config_section *c,
 …
+}
+void KRB5_LIB_FUNCTION
+/**
+ * Free the resulting strings from krb5_config-get_strings() and
+ * krb5_config_vget_strings().
+ *
+ * @param strings strings to free
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_config_free_strings(char **strings)
+{
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_bool_default() but with a va_list list of
+ * configuration selection.
+ *
+ * Configuration value to a boolean value, where yes/true and any
+ * non-zero number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ *        found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_config_vget_bool_default (krb5_context context,
                                const krb5_config_section *c,
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * krb5_config_get_bool() will convert the configuration
+ * option value to a boolean value, where yes/true and any non-zero
+ * number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_config_vget_bool  (krb5_context context,
                         const krb5_config_section *c,
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * krb5_config_get_bool_default() will convert the configuration
+ * option value to a boolean value, where yes/true and any non-zero
+ * number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ *        found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_config_get_bool_default (krb5_context context,
                               const krb5_config_section *c,
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+/**
+ * Like krb5_config_get_bool() but with a va_list list of
+ * configuration selection.
+ *
+ * Configuration value to a boolean value, where yes/true and any
+ * non-zero number means TRUE and other value is FALSE.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return TRUE or FALSE
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_config_get_bool (krb5_context context,
                       const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time.
+ *
+ * Like krb5_config_get_time_default() but with a va_list list of
+ * configuration selection.
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ *        found in the database.
+ * @param args a va_list of arguments
+ *
+ * @return parsed the time (or def_value on parse error)
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_vget_time_default (krb5_context context,
                                const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param args a va_list of arguments
+ *
+ * @return parsed the time or -1 on error
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_vget_time  (krb5_context context,
                         const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param def_value the default value to return if no configuration
+ *        found in the database.
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return parsed the time (or def_value on parse error)
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_get_time_default (krb5_context context,
                               const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+/**
+ * Get the time from the configuration file using a relative time, for example: 1h30s
+ *
+ * @param context A Kerberos 5 context.
+ * @param c a configuration section, or NULL to use the section from context
+ * @param ... a list of names, terminated with NULL.
+ *
+ * @return parsed the time or -1 on error
+ *
+ * @ingroup krb5_support
+ */
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_get_time (krb5_context context,
                       const krb5_config_section *c,
 …
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_vget_int_default (krb5_context context,
                               const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_vget_int  (krb5_context context,
                        const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_get_int_default (krb5_context context,
                              const krb5_config_section *c,
 …
+}
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_config_get_int (krb5_context context,
                      const krb5_config_section *c,
 …
     return ret;
+}
+#ifndef HEIMDAL_SMALLER
+/**
+ * Deprecated: configuration files are not strings
+ *
+ * @ingroup krb5_deprecated
+ */
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_config_parse_string_multi(krb5_context context,
+                               const char *string,
+                               krb5_config_section **res)
+{
+    const char *str;
+    unsigned lineno = 0;
+    krb5_error_code ret;
+    struct fileptr f;
+    f.f = NULL;
+    f.s = string;
+    ret = krb5_config_parse_debug (&f, res, &lineno, &str);
+    if (ret) {
+        krb5_set_error_message (context, ret, "%s:%u: %s",
+                                "<constant>", lineno, str);
+        return ret;
+    }
+    return 0;
+}
+#endif

trunk/server/source4/heimdal/lib/krb5/constants.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 KRB5_LIB_VARIABLE const char *krb5_config_file =
 #ifdef __APPLE__
+"~/Library/Preferences/edu.mit.Kerberos:"
+"/Library/Preferences/edu.mit.Kerberos:"
+"~/Library/Preferences/com.apple.Kerberos.plist" PATH_SEP
+"/Library/Preferences/com.apple.Kerberos.plist" PATH_SEP
+"~/Library/Preferences/edu.mit.Kerberos" PATH_SEP
+"/Library/Preferences/edu.mit.Kerberos" PATH_SEP
+#endif  /* __APPLE__ */
+"~/.krb5/config" PATH_SEP
+SYSCONFDIR "/krb5.conf"
+#ifdef _WIN32
+PATH_SEP "%{COMMON_APPDATA}/Kerberos/krb5.conf"
+PATH_SEP "%{WINDOWS}/krb5.ini"
+#else
+PATH_SEP "/etc/krb5.conf"
 #endif
+SYSCONFDIR "/krb5.conf:/etc/krb5.conf";
+;
 KRB5_LIB_VARIABLE const char *krb5_defkeyname = KEYTAB_DEFAULT;

trunk/server/source4/heimdal/lib/krb5/context.c

-              r414
+              r745
 /*
  * Copyright (c) 1997 - 2005 Kungliga Tekniska HÃ¶gskolan
+ * Copyright (c) 1997 - 2010 Kungliga Tekniska HÃ¶gskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 /*
+ *
- */
-static krb5_error_code
-copy_etypes (krb5_context context,
-             krb5_enctype *enctypes,
-             krb5_enctype **ret_enctypes)
+{
-    unsigned int i;
-    for (i = 0; enctypes[i]; i++)
+        ;
-    i++;
-    *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
-    if (*ret_enctypes == NULL) {
-        krb5_set_error_message(context, ENOMEM,
-                               N_("malloc: out of memory", ""));
-        return ENOMEM;
+    }
-    memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
-    return 0;
+}
-/*
  * read variables from the configuration file and set in `context'
  */
 …
     krb5_error_code ret;
     const char * tmp;
+    char **s;
     krb5_enctype *tmptypes;
 …
     INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
+    ret = krb5_config_get_bool_default(context, NULL, FALSE,
+                                       "libdefaults",
+                                       "allow_weak_crypto", NULL);
+    if (ret) {
+        krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+        krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
+        krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
+        krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
+        krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
+        krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
+    }
     ret = set_etypes (context, "default_etypes", &tmptypes);
 …
     context->default_cc_name_set = 0;
+    ret = krb5_config_get_bool_default(context, NULL, FALSE,
+                                       "libdefaults",
+                                       "allow_weak_crypto", NULL);
+    if (ret) {
+        krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+        krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
+        krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
+        krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
+        krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
+        krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
+    s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
+    if(s) {
+        char **p;
+        krb5_initlog(context, "libkrb5", &context->debug_dest);
+        for(p = s; *p; p++)
+            krb5_addlog_dest(context, context->debug_dest, *p);
+        krb5_config_free_strings(s);
+    }
+    tmp = krb5_config_get_string(context, NULL, "libdefaults",
+                                 "check-rd-req-server", NULL);
+    if (tmp == NULL && !issuid())
+        tmp = getenv("KRB5_CHECK_RD_REQ_SERVER");
+    if(tmp) {
+        if (strcasecmp(tmp, "ignore") == 0)
+            context->flags |= KRB5_CTX_F_RD_REQ_IGNORE;
+    }
 …
     context->num_cc_ops = 0;
+#ifndef KCM_IS_API_CACHE
     krb5_cc_register(context, &krb5_acc_ops, TRUE);
+#endif
     krb5_cc_register(context, &krb5_fcc_ops, TRUE);
     krb5_cc_register(context, &krb5_mcc_ops, TRUE);
+#ifdef HAVE_SCC
     krb5_cc_register(context, &krb5_scc_ops, TRUE);
+#endif
 #ifdef HAVE_KCM
+#ifdef KCM_IS_API_CACHE
+    krb5_cc_register(context, &krb5_akcm_ops, TRUE);
+#endif
     krb5_cc_register(context, &krb5_kcm_ops, TRUE);
 #endif
+    _krb5_load_ccache_plugins(context);
+    return 0;
+}
+static krb5_error_code
+cc_ops_copy(krb5_context context, const krb5_context src_context)
+{
+    const krb5_cc_ops **cc_ops;
+    context->cc_ops = NULL;
+    context->num_cc_ops = 0;
+    if (src_context->num_cc_ops == 0)
+        return 0;
+    cc_ops = malloc(sizeof(cc_ops[0]) * src_context->num_cc_ops);
+    if (cc_ops == NULL) {
+        krb5_set_error_message(context, KRB5_CC_NOMEM,
+                               N_("malloc: out of memory", ""));
+        return KRB5_CC_NOMEM;
+    }
+    memcpy(rk_UNCONST(cc_ops), src_context->cc_ops,
+           sizeof(cc_ops[0]) * src_context->num_cc_ops);
+    context->cc_ops = cc_ops;
+    context->num_cc_ops = src_context->num_cc_ops;
     return 0;
+}
 …
+}
+static krb5_error_code
+kt_ops_copy(krb5_context context, const krb5_context src_context)
+{
+    context->num_kt_types = 0;
+    context->kt_types     = NULL;
+    if (src_context->num_kt_types == 0)
+        return 0;
+    context->kt_types = malloc(sizeof(context->kt_types[0]) * src_context->num_kt_types);
+    if (context->kt_types == NULL) {
+        krb5_set_error_message(context, ENOMEM,
+                               N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    context->num_kt_types = src_context->num_kt_types;
+    memcpy(context->kt_types, src_context->kt_types,
+           sizeof(context->kt_types[0]) * src_context->num_kt_types);
+    return 0;
+}
+static const char *sysplugin_dirs[] =  {
+    LIBDIR "/plugin/krb5",
+#ifdef __APPLE__
+    "/Library/KerberosPlugins/KerberosFrameworkPlugins",
+    "/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
+#endif
+    NULL
+};
+static void
+init_context_once(void *ctx)
+{
+    krb5_context context = ctx;
+    _krb5_load_plugins(context, "krb5", sysplugin_dirs);
+    bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
+}
 /**
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_context(krb5_context *context)
+{
+    static heim_base_once_t init_context = HEIM_BASE_ONCE_INIT;
     krb5_context p;
     krb5_error_code ret;
 …
     *context = NULL;
-    /* should have a run_once */
-    bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
     p = calloc(1, sizeof(*p));
 …
     kt_ops_register(p);
+#ifdef PKINIT
+    ret = hx509_context_init(&p->hx509ctx);
+    if (ret)
+        goto out;
+#endif
+    if (rk_SOCK_INIT())
+        p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
 out:
     if(ret) {
         krb5_free_context(p);
         p = NULL;
+    } else {
+        heim_base_once_f(&init_context, p, init_context_once);
+    }
     *context = p;
 …
+}
+/**
+ * Make a copy for the Kerberos 5 context, allocated krb5_contex shoud
+#ifndef HEIMDAL_SMALLER
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_get_permitted_enctypes(krb5_context context,
+                            krb5_enctype **etypes)
+{
+    return krb5_get_default_in_tkt_etypes(context, etypes);
+}
+/*
+ *
+ */
+static krb5_error_code
+copy_etypes (krb5_context context,
+             krb5_enctype *enctypes,
+             krb5_enctype **ret_enctypes)
+{
+    unsigned int i;
+    for (i = 0; enctypes[i]; i++)
+        ;
+    i++;
+    *ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
+    if (*ret_enctypes == NULL) {
+        krb5_set_error_message(context, ENOMEM,
+                               N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    memcpy(*ret_enctypes, enctypes, sizeof(ret_enctypes[0]) * i);
+    return 0;
+}
+/**
+ * Make a copy for the Kerberos 5 context, the new krb5_context shoud
  * be freed with krb5_free_context().
+ *
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_context(krb5_context context, krb5_context *out)
+{
 …
     /* XXX should copy */
     krb5_init_ets(p);
+    cc_ops_register(p);
+    kt_ops_register(p);
+    cc_ops_copy(p, context);
+    kt_ops_copy(p, context);
 #if 0 /* XXX */
     if(context->warn_dest != NULL)
+        ;
+    if(context->debug_dest != NULL)
+        ;
 #endif
 …
+}
+#endif
 /**
  * Frees the krb5_context allocated by krb5_init_context().
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_context(krb5_context context)
+{
 …
     krb5_config_file_free (context, context->cf);
     free_error_table (context->et_list);
     free(context->cc_ops);
+    free(rk_UNCONST(context->cc_ops));
     free(context->kt_types);
     krb5_clear_error_message(context);
     if(context->warn_dest != NULL)
         krb5_closelog(context, context->warn_dest);
+    if(context->debug_dest != NULL)
+        krb5_closelog(context, context->debug_dest);
     krb5_set_extra_addresses(context, NULL);
     krb5_set_ignore_addresses(context, NULL);
     krb5_set_send_to_kdc_func(context, NULL, NULL);
+#ifdef PKINIT
+    if (context->hx509ctx)
+        hx509_context_free(&context->hx509ctx);
+#endif
     HEIMDAL_MUTEX_destroy(context->mutex);
     free(context->mutex);
+    if (context->flags & KRB5_CTX_F_SOCKETS_INITIALIZED) {
+        rk_SOCK_EXIT();
+    }
     memset(context, 0, sizeof(*context));
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_config_files(krb5_context context, char **filenames)
+{
 …
     while(filenames != NULL && *filenames != NULL && **filenames != '\0') {
         ret = krb5_config_parse_file_multi(context, *filenames, &tmp);
         if(ret != 0 && ret != ENOENT && ret != EACCES) {
+        if(ret != 0 && ret != ENOENT && ret != EACCES && ret != EPERM) {
             krb5_config_file_free(context, tmp);
             return ret;
 …
         return ENXIO;
 #endif
+#ifdef _WIN32
+    _krb5_load_config_from_registry(context, &tmp);
+#endif
     krb5_config_file_free(context, context->cf);
     context->cf = tmp;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp)
+{
 …
         ssize_t l;
         q = p;
         l = strsep_copy(&q, ":", NULL, 0);
+        l = strsep_copy(&q, PATH_SEP, NULL, 0);
         if(l == -1)
             break;
 …
             return ENOMEM;
+        }
         (void)strsep_copy(&p, ":", fn, l + 1);
+        (void)strsep_copy(&p, PATH_SEP, fn, l + 1);
         ret = add_file(&pp, &len, fn);
         if (ret) {
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_prepend_config_files_default(const char *filelist, char ***pfilenames)
+{
 …
+}
+#ifdef _WIN32
+/**
+ * Checks the registry for configuration file location
+ *
+ * Kerberos for Windows and other legacy Kerberos applications expect
+ * to find the configuration file location in the
+ * SOFTWARE\MIT\Kerberos registry key under the value "config".
+ */
+char *
+_krb5_get_default_config_config_files_from_registry()
+{
+    static const char * KeyName = "Software\\MIT\\Kerberos";
+    char *config_file = NULL;
+    LONG rcode;
+    HKEY key;
+    rcode = RegOpenKeyEx(HKEY_CURRENT_USER, KeyName, 0, KEY_READ, &key);
+    if (rcode == ERROR_SUCCESS) {
+        config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
+                                                            REG_NONE, 0, PATH_SEP);
+        RegCloseKey(key);
+    }
+    if (config_file)
+        return config_file;
+    rcode = RegOpenKeyEx(HKEY_LOCAL_MACHINE, KeyName, 0, KEY_READ, &key);
+    if (rcode == ERROR_SUCCESS) {
+        config_file = _krb5_parse_reg_value_as_multi_string(NULL, key, "config",
+                                                            REG_NONE, 0, PATH_SEP);
+        RegCloseKey(key);
+    }
+    return config_file;
+}
+#endif
 /**
  * Get the global configuration list.
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_default_config_files(char ***pfilenames)
+{
 …
     if(!issuid())
         files = getenv("KRB5_CONFIG");
+#ifdef _WIN32
+    if (files == NULL) {
+        char * reg_files;
+        reg_files = _krb5_get_default_config_config_files_from_registry();
+        if (reg_files != NULL) {
+            krb5_error_code code;
+            code = krb5_prepend_config_files(reg_files, NULL, pfilenames);
+            free(reg_files);
+            return code;
+        }
+    }
+#endif
     if (files == NULL)
         files = krb5_config_file;
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_config_files(char **filenames)
+{
 …
  */
+const krb5_enctype * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const krb5_enctype * KRB5_LIB_CALL
 krb5_kerberos_enctypes(krb5_context context)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_default_in_tkt_etypes(krb5_context context,
                                const krb5_enctype *etypes)
+{
+    krb5_error_code ret;
     krb5_enctype *p = NULL;
     int i;
+    unsigned int n, m;
     if(etypes) {
+        for (i = 0; etypes[i]; ++i) {
+            krb5_error_code ret;
+            ret = krb5_enctype_valid(context, etypes[i]);
+        for (n = 0; etypes[n]; n++)
+            ;
+        n++;
+        ALLOC(p, n);
+        if(!p) {
+            krb5_set_error_message (context, ENOMEM,
+                                    N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        for (n = 0, m = 0; etypes[n]; n++) {
+            ret = krb5_enctype_valid(context, etypes[n]);
             if (ret)
+                return ret;
+        }
+        ++i;
+        ALLOC(p, i);
+        if(!p) {
+            krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        memmove(p, etypes, i * sizeof(krb5_enctype));
+                continue;
+            p[m++] = etypes[n];
+        }
+        p[m] = ETYPE_NULL;
+        if (m == 0) {
+            free(p);
+            krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+                                    N_("no valid enctype set", ""));
+            return KRB5_PROG_ETYPE_NOSUPP;
+        }
+    }
     if(context->etypes)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_default_in_tkt_etypes(krb5_context context,
                                krb5_enctype **etypes)
 …
 /**
- * Return the error string for the error code. The caller must not
- * free the string.
+ *
- * @param context Kerberos 5 context.
- * @param code Kerberos error code.
+ *
- * @return the error message matching code
+ *
- * @ingroup krb5
- */
-const char* KRB5_LIB_FUNCTION
-krb5_get_err_text(krb5_context context, krb5_error_code code)
+{
-    const char *p = NULL;
-    if(context != NULL)
-        p = com_right(context->et_list, code);
-    if(p == NULL)
-        p = strerror(code);
-    if (p == NULL)
-        p = "Unknown error";
-    return p;
+}
-/**
  * Init the built-in ets in the Kerberos library.
+ *
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_init_ets(krb5_context context)
+{
     if(context->et_list == NULL){
         krb5_add_et_list(context, initialize_krb5_error_table_r);
+        krb5_add_et_list(context, initialize_asn1_error_table_r);
+        krb5_add_et_list(context, initialize_heim_error_table_r);
+        krb5_add_et_list(context, initialize_k524_error_table_r);
+#ifdef COM_ERR_BINDDOMAIN_krb5
         bindtextdomain(COM_ERR_BINDDOMAIN_krb5, HEIMDAL_LOCALEDIR);
-        krb5_add_et_list(context, initialize_asn1_error_table_r);
         bindtextdomain(COM_ERR_BINDDOMAIN_asn1, HEIMDAL_LOCALEDIR);
-        krb5_add_et_list(context, initialize_heim_error_table_r);
         bindtextdomain(COM_ERR_BINDDOMAIN_heim, HEIMDAL_LOCALEDIR);
-        krb5_add_et_list(context, initialize_k524_error_table_r);
         bindtextdomain(COM_ERR_BINDDOMAIN_k524, HEIMDAL_LOCALEDIR);
+#endif
 #ifdef PKINIT
         krb5_add_et_list(context, initialize_hx_error_table_r);
+#ifdef COM_ERR_BINDDOMAIN_hx
         bindtextdomain(COM_ERR_BINDDOMAIN_hx, HEIMDAL_LOCALEDIR);
 #endif
+#endif
+    }
+}
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag)
+{
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_get_use_admin_kdc (krb5_context context)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_fcache_version(krb5_context context, int version)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_fcache_version(krb5_context context, int *version)
+{
 …
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_is_thread_safe(void)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_set_dns_canonicalize_hostname (krb5_context context, krb5_boolean flag)
+{
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_get_dns_canonicalize_hostname (krb5_context context)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_kdc_sec_offset (krb5_context context, int32_t *sec, int32_t *usec)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_kdc_sec_offset (krb5_context context, int32_t sec, int32_t usec)
+{
 …
  */
+time_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
 krb5_get_max_time_skew (krb5_context context)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_set_max_time_skew (krb5_context context, time_t t)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_etype (krb5_context context,
                  unsigned *len,
 …
     krb5_boolean allow;
+#ifdef HAVE_GETEUID
     /* is never allowed for root */
     if (geteuid() == 0)
         return FALSE;
+#endif
     if (context && (context->flags & KRB5_CTX_F_HOMEDIR_ACCESS) == 0)
 …
  * @return the old value
+ *
+ */
+krb5_boolean
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_set_home_dir_access(krb5_context context, krb5_boolean allow)
+{

trunk/server/source4/heimdal/lib/krb5/convert_creds.c

-              r414
+              r745
  */
+#define KRB5_DEPRECATED
 #include "krb5_locl.h"
 #include "krb5-v4compat.h"
 #ifndef HEIMDAL_SMALLER
-static krb5_error_code
-check_ticket_flags(TicketFlags f)
+{
-    return 0; /* maybe add some more tests here? */
+}
 /**
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb524_convert_creds_kdc(krb5_context context,
                          krb5_creds *in_cred,
                          struct credentials *v4creds)
+{
+    krb5_error_code ret;
+    krb5_data reply;
+    krb5_storage *sp;
+    int32_t tmp;
+    krb5_data ticket;
+    char realm[REALM_SZ];
+    krb5_creds *v5_creds = in_cred;
+    ret = check_ticket_flags(v5_creds->flags.b);
+    if(ret)
+        goto out2;
+    {
+        krb5_krbhst_handle handle;
+        ret = krb5_krbhst_init(context,
+                               krb5_principal_get_realm(context,
+                                                        v5_creds->server),
+                               KRB5_KRBHST_KRB524,
+                               &handle);
+        if (ret)
+            goto out2;
+        ret = krb5_sendto (context,
+                           &v5_creds->ticket,
+                           handle,
+                           &reply);
+        krb5_krbhst_free(context, handle);
+        if (ret)
+            goto out2;
+    }
+    sp = krb5_storage_from_mem(reply.data, reply.length);
+    if(sp == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+        goto out2;
+    }
+    krb5_ret_int32(sp, &tmp);
+    ret = tmp;
+    if(ret == 0) {
+        memset(v4creds, 0, sizeof(*v4creds));
+        ret = krb5_ret_int32(sp, &tmp);
+        if(ret)
+            goto out;
+        v4creds->kvno = tmp;
+        ret = krb5_ret_data(sp, &ticket);
+        if(ret)
+            goto out;
+        v4creds->ticket_st.length = ticket.length;
+        memcpy(v4creds->ticket_st.dat, ticket.data, ticket.length);
+        krb5_data_free(&ticket);
+        ret = krb5_524_conv_principal(context,
+                                      v5_creds->server,
+                                      v4creds->service,
+                                      v4creds->instance,
+                                      v4creds->realm);
+        if(ret)
+            goto out;
+        v4creds->issue_date = v5_creds->times.starttime;
+        v4creds->lifetime = _krb5_krb_time_to_life(v4creds->issue_date,
+                                                   v5_creds->times.endtime);
+        ret = krb5_524_conv_principal(context, v5_creds->client,
+                                      v4creds->pname,
+                                      v4creds->pinst,
+                                      realm);
+        if(ret)
+            goto out;
+        memcpy(v4creds->session, v5_creds->session.keyvalue.data, 8);
+    } else {
+        krb5_set_error_message (context, ret,
+                                N_("converting credentials: %s",
+                                  "already localized"),
+                                krb5_get_err_text(context, ret));
+    }
+out:
+    krb5_storage_free(sp);
+    krb5_data_free(&reply);
+out2:
+    if (v5_creds != in_cred)
+        krb5_free_creds (context, v5_creds);
+    return ret;
+    memset(v4creds, 0, sizeof(*v4creds));
+    krb5_set_error_message(context, EINVAL,
+                           N_("krb524_convert_creds_kdc not supported", ""));
+    return EINVAL;
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb524_convert_creds_kdc_ccache(krb5_context context,
                                 krb5_ccache ccache,
 …
                                 struct credentials *v4creds)
+{
+    krb5_error_code ret;
+    krb5_creds *v5_creds = in_cred;
+    krb5_keytype keytype;
+    keytype = v5_creds->session.keytype;
+    if (keytype != ENCTYPE_DES_CBC_CRC) {
+        /* MIT krb524d doesn't like nothing but des-cbc-crc tickets,
+           so go get one */
+        krb5_creds template;
+        memset (&template, 0, sizeof(template));
+        template.session.keytype = ENCTYPE_DES_CBC_CRC;
+        ret = krb5_copy_principal (context, in_cred->client, &template.client);
+        if (ret) {
+            krb5_free_cred_contents (context, &template);
+            return ret;
+        }
+        ret = krb5_copy_principal (context, in_cred->server, &template.server);
+        if (ret) {
+            krb5_free_cred_contents (context, &template);
+            return ret;
+        }
+        ret = krb5_get_credentials (context, 0, ccache,
+                                    &template, &v5_creds);
+        krb5_free_cred_contents (context, &template);
+        if (ret)
+            return ret;
+    }
+    ret = krb524_convert_creds_kdc(context, v5_creds, v4creds);
+    if (v5_creds != in_cred)
+        krb5_free_creds (context, v5_creds);
+    return ret;
+    memset(v4creds, 0, sizeof(*v4creds));
+    krb5_set_error_message(context, EINVAL,
+                           N_("krb524_convert_creds_kdc_ccache not supported", ""));
+    return EINVAL;
+}

trunk/server/source4/heimdal/lib/krb5/copy_host_realm.c

r414	r745
47	47	*/
48	48
49		krb5_error_code KRB5_LIB_FUNCTION
	49	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
50	50	krb5_copy_host_realm(krb5_context context,
51	51	const krb5_realm *from,

trunk/server/source4/heimdal/lib/krb5/creds.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_cred_contents (krb5_context context, krb5_creds *c)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_creds_contents (krb5_context context,
                           const krb5_creds *incred,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_creds (krb5_context context,
                  const krb5_creds *incred,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_creds (krb5_context context, krb5_creds *c)
+{
 …
  * determines what equal means).
+ *
+ *
+ * The following flags, set in whichfields affects the comparison:
+ * - KRB5_TC_MATCH_SRV_NAMEONLY Consider all realms equal when comparing the service principal.
+ * - KRB5_TC_MATCH_KEYTYPE Compare enctypes.
+ * - KRB5_TC_MATCH_FLAGS_EXACT Make sure that the ticket flags are identical.
+ * - KRB5_TC_MATCH_FLAGS Make sure that all ticket flags set in mcreds are also present in creds .
+ * - KRB5_TC_MATCH_TIMES_EXACT Compares the ticket times exactly.
+ * - KRB5_TC_MATCH_TIMES Compares only the expiration times of the creds.
+ * - KRB5_TC_MATCH_AUTHDATA Compares the authdata fields.
+ * - KRB5_TC_MATCH_2ND_TKT Compares the second tickets (used by user-to-user authentication).
+ * - KRB5_TC_MATCH_IS_SKEY Compares the existance of the second ticket.
+ *
  * @param context Kerberos 5 context.
  * @param whichfields which fields to compare.
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_compare_creds(krb5_context context, krb5_flags whichfields,
                    const krb5_creds * mcreds, const krb5_creds * creds)
 …
  */
+unsigned long
+KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
 krb5_creds_get_ticket_flags(krb5_creds *creds)
+{

trunk/server/source4/heimdal/lib/krb5/crypto.c

-              r414
+              r745
 #include "krb5_locl.h"
+#include <pkinit_asn1.h>
+#define WEAK_ENCTYPES 1
+struct _krb5_key_usage {
+    unsigned usage;
+    struct _krb5_key_data key;
+};
 #ifndef HEIMDAL_SMALLER
 …
 #endif
-#ifdef HAVE_OPENSSL /* XXX forward decl for hcrypto glue */
-const EVP_CIPHER * _krb5_EVP_hcrypto_aes_128_cts(void);
-const EVP_CIPHER * _krb5_EVP_hcrypto_aes_256_cts(void);
-#define EVP_hcrypto_aes_128_cts _krb5_EVP_hcrypto_aes_128_cts
-#define EVP_hcrypto_aes_256_cts _krb5_EVP_hcrypto_aes_256_cts
-#endif
-struct key_data {
-    krb5_keyblock *key;
-    krb5_data *schedule;
-};
-struct key_usage {
-    unsigned usage;
-    struct key_data key;
-};
-struct krb5_crypto_data {
-    struct encryption_type *et;
-    struct key_data key;
-    int num_key_usage;
-    struct key_usage *key_usage;
-};
-#define CRYPTO_ETYPE(C) ((C)->et->type)
-/* bits for `flags' below */
-#define F_KEYED          1      /* checksum is keyed */
-#define F_CPROOF         2      /* checksum is collision proof */
-#define F_DERIVED        4      /* uses derived keys */
-#define F_VARIANT        8      /* uses `variant' keys (6.4.3) */
-#define F_PSEUDO        16      /* not a real protocol type */
-#define F_SPECIAL       32      /* backwards */
-#define F_DISABLED      64      /* enctype/checksum disabled */
-struct salt_type {
-    krb5_salttype type;
-    const char *name;
-    krb5_error_code (*string_to_key)(krb5_context, krb5_enctype, krb5_data,
-                                     krb5_salt, krb5_data, krb5_keyblock*);
-};
-struct key_type {
-    krb5_keytype type; /* XXX */
-    const char *name;
-    size_t bits;
-    size_t size;
-    size_t schedule_size;
-    void (*random_key)(krb5_context, krb5_keyblock*);
-    void (*schedule)(krb5_context, struct key_type *, struct key_data *);
-    struct salt_type *string_to_key;
-    void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t);
-    void (*cleanup)(krb5_context, struct key_data *);
-    const EVP_CIPHER *(*evp)(void);
-};
-struct checksum_type {
-    krb5_cksumtype type;
-    const char *name;
-    size_t blocksize;
-    size_t checksumsize;
-    unsigned flags;
-    krb5_enctype (*checksum)(krb5_context context,
-                             struct key_data *key,
-                             const void *buf, size_t len,
-                             unsigned usage,
-                             Checksum *csum);
-    krb5_error_code (*verify)(krb5_context context,
-                              struct key_data *key,
-                              const void *buf, size_t len,
-                              unsigned usage,
-                              Checksum *csum);
-};
-struct encryption_type {
-    krb5_enctype type;
-    const char *name;
-    size_t blocksize;
-    size_t padsize;
-    size_t confoundersize;
-    struct key_type *keytype;
-    struct checksum_type *checksum;
-    struct checksum_type *keyed_checksum;
-    unsigned flags;
-    krb5_error_code (*encrypt)(krb5_context context,
-                               struct key_data *key,
-                               void *data, size_t len,
-                               krb5_boolean encryptp,
-                               int usage,
-                               void *ivec);
-    size_t prf_length;
-    krb5_error_code (*prf)(krb5_context,
-                           krb5_crypto, const krb5_data *, krb5_data *);
-};
-#define ENCRYPTION_USAGE(U) (((U) << 8) | 0xAA)
-#define INTEGRITY_USAGE(U) (((U) << 8) | 0x55)
-#define CHECKSUM_USAGE(U) (((U) << 8) | 0x99)
-static struct checksum_type *_find_checksum(krb5_cksumtype type);
-static struct encryption_type *_find_enctype(krb5_enctype type);
 static krb5_error_code _get_derived_key(krb5_context, krb5_crypto,
+                                        unsigned, struct key_data**);
+static struct key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
+static krb5_error_code derive_key(krb5_context context,
+                                  struct encryption_type *et,
+                                  struct key_data *key,
+                                  const void *constant,
+                                  size_t len);
+static krb5_error_code hmac(krb5_context context,
+                            struct checksum_type *cm,
+                            const void *data,
+                            size_t len,
+                            unsigned usage,
+                            struct key_data *keyblock,
+                            Checksum *result);
+static void free_key_data(krb5_context,
+                          struct key_data *,
+                          struct encryption_type *);
+                                        unsigned, struct _krb5_key_data**);
+static struct _krb5_key_data *_new_derived_key(krb5_crypto crypto, unsigned usage);
 static void free_key_schedule(krb5_context,
+                              struct key_data *,
+                              struct encryption_type *);
+static krb5_error_code usage2arcfour (krb5_context, unsigned *);
+static void xor (DES_cblock *, const unsigned char *);
+                              struct _krb5_key_data *,
+                              struct _krb5_encryption_type *);
 /************************************************************
 …
  ************************************************************/
+struct evp_schedule {
+    EVP_CIPHER_CTX ectx;
+    EVP_CIPHER_CTX dctx;
+};
+static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER;
+#ifdef WEAK_ENCTYPES
+static void
+krb5_DES_random_key(krb5_context context,
+                    krb5_keyblock *key)
+{
+    DES_cblock *k = key->keyvalue.data;
+    do {
+        krb5_generate_random_block(k, sizeof(DES_cblock));
+        DES_set_odd_parity(k);
+    } while(DES_is_weak_key(k));
+}
+static void
+krb5_DES_schedule_old(krb5_context context,
+                      struct key_type *kt,
+                      struct key_data *key)
+{
+    DES_set_key_unchecked(key->key->keyvalue.data, key->schedule->data);
+}
+#ifdef ENABLE_AFS_STRING_TO_KEY
+/* This defines the Andrew string_to_key function.  It accepts a password
+ * string as input and converts it via a one-way encryption algorithm to a DES
+ * encryption key.  It is compatible with the original Andrew authentication
+ * service password database.
+ */
+/*
+ * Short passwords, i.e 8 characters or less.
+ */
+static void
+krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
+                                 krb5_data cell,
+                                 DES_cblock *key)
+{
+    char  password[8+1];        /* crypt is limited to 8 chars anyway */
+    int   i;
+    for(i = 0; i < 8; i++) {
+        char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
+            ((i < cell.length) ?
+             tolower(((unsigned char*)cell.data)[i]) : 0);
+        password[i] = c ? c : 'X';
+    }
+    password[8] = '\0';
+    memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock));
+    /* parity is inserted into the LSB so left shift each byte up one
+       bit. This allows ascii characters with a zero MSB to retain as
+       much significance as possible. */
+    for (i = 0; i < sizeof(DES_cblock); i++)
+        ((unsigned char*)key)[i] <<= 1;
+    DES_set_odd_parity (key);
+}
+/*
+ * Long passwords, i.e 9 characters or more.
+ */
+static void
+krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
+                                      krb5_data cell,
+                                      DES_cblock *key)
+{
+    DES_key_schedule schedule;
+    DES_cblock temp_key;
+    DES_cblock ivec;
+    char password[512];
+    size_t passlen;
+    memcpy(password, pw.data, min(pw.length, sizeof(password)));
+    if(pw.length < sizeof(password)) {
+        int len = min(cell.length, sizeof(password) - pw.length);
+        int i;
+        memcpy(password + pw.length, cell.data, len);
+        for (i = pw.length; i < pw.length + len; ++i)
+            password[i] = tolower((unsigned char)password[i]);
+    }
+    passlen = min(sizeof(password), pw.length + cell.length);
+    memcpy(&ivec, "kerberos", 8);
+    memcpy(&temp_key, "kerberos", 8);
+    DES_set_odd_parity (&temp_key);
+    DES_set_key_unchecked (&temp_key, &schedule);
+    DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec);
+    memcpy(&temp_key, &ivec, 8);
+    DES_set_odd_parity (&temp_key);
+    DES_set_key_unchecked (&temp_key, &schedule);
+    DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec);
+    memset(&schedule, 0, sizeof(schedule));
+    memset(&temp_key, 0, sizeof(temp_key));
+    memset(&ivec, 0, sizeof(ivec));
+    memset(password, 0, sizeof(password));
+    DES_set_odd_parity (key);
+}
+static krb5_error_code
+DES_AFS3_string_to_key(krb5_context context,
+                       krb5_enctype enctype,
+                       krb5_data password,
+                       krb5_salt salt,
+                       krb5_data opaque,
+                       krb5_keyblock *key)
+{
+    DES_cblock tmp;
+    if(password.length > 8)
+        krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
+    else
+        krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+    memset(&key, 0, sizeof(key));
+    return 0;
+}
+#endif /* ENABLE_AFS_STRING_TO_KEY */
+static void
+DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
+{
+    DES_key_schedule schedule;
+    int i;
+    int reverse = 0;
+    unsigned char *p;
+    unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
+x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
+    memset(key, 0, 8);
+    p = (unsigned char*)key;
+    for (i = 0; i < length; i++) {
+        unsigned char tmp = data[i];
+        if (!reverse)
+            *p++ ^= (tmp << 1);
+        else
+            *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
+        if((i % 8) == 7)
+            reverse = !reverse;
+    }
+    DES_set_odd_parity(key);
+    if(DES_is_weak_key(key))
+        (*key)[7] ^= 0xF0;
+    DES_set_key_unchecked(key, &schedule);
+    DES_cbc_cksum((void*)data, key, length, &schedule, key);
+    memset(&schedule, 0, sizeof(schedule));
+    DES_set_odd_parity(key);
+    if(DES_is_weak_key(key))
+        (*key)[7] ^= 0xF0;
+}
+static krb5_error_code
+krb5_DES_string_to_key(krb5_context context,
+                       krb5_enctype enctype,
+                       krb5_data password,
+                       krb5_salt salt,
+                       krb5_data opaque,
+                       krb5_keyblock *key)
+{
+    unsigned char *s;
+    size_t len;
+    DES_cblock tmp;
+#ifdef ENABLE_AFS_STRING_TO_KEY
+    if (opaque.length == 1) {
+        unsigned long v;
+        _krb5_get_int(opaque.data, &v, 1);
+        if (v == 1)
+            return DES_AFS3_string_to_key(context, enctype, password,
+                                          salt, opaque, key);
+    }
+#endif
+    len = password.length + salt.saltvalue.length;
+    s = malloc(len);
+    if(len > 0 && s == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    memcpy(s, password.data, password.length);
+    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    DES_string_to_key_int(s, len, &tmp);
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
+    memset(&tmp, 0, sizeof(tmp));
+    memset(s, 0, len);
+    free(s);
+    return 0;
+}
+static void
+krb5_DES_random_to_key(krb5_context context,
+                       krb5_keyblock *key,
+                       const void *data,
+                       size_t size)
+{
+    DES_cblock *k = key->keyvalue.data;
+    memcpy(k, data, key->keyvalue.length);
+    DES_set_odd_parity(k);
+    if(DES_is_weak_key(k))
+        xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+}
+#endif
+/*
+ *
+ */
+static void
+DES3_random_key(krb5_context context,
+                krb5_keyblock *key)
+{
+    DES_cblock *k = key->keyvalue.data;
+    do {
+        krb5_generate_random_block(k, 3 * sizeof(DES_cblock));
+        DES_set_odd_parity(&k[0]);
+        DES_set_odd_parity(&k[1]);
+        DES_set_odd_parity(&k[2]);
+    } while(DES_is_weak_key(&k[0]) ||
+            DES_is_weak_key(&k[1]) ||
+            DES_is_weak_key(&k[2]));
+}
+/*
+ * A = A xor B. A & B are 8 bytes.
+ */
+static void
+xor (DES_cblock *key, const unsigned char *b)
+{
+    unsigned char *a = (unsigned char*)key;
+    a[0] ^= b[0];
+    a[1] ^= b[1];
+    a[2] ^= b[2];
+    a[3] ^= b[3];
+    a[4] ^= b[4];
+    a[5] ^= b[5];
+    a[6] ^= b[6];
+    a[7] ^= b[7];
+}
+#ifdef DES3_OLD_ENCTYPE
+static krb5_error_code
+DES3_string_to_key(krb5_context context,
+                   krb5_enctype enctype,
+                   krb5_data password,
+                   krb5_salt salt,
+                   krb5_data opaque,
+                   krb5_keyblock *key)
+{
+    char *str;
+    size_t len;
+    unsigned char tmp[24];
+    DES_cblock keys[3];
+    krb5_error_code ret;
+    len = password.length + salt.saltvalue.length;
+    str = malloc(len);
+    if(len != 0 && str == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    memcpy(str, password.data, password.length);
+    memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    {
+        DES_cblock ivec;
+        DES_key_schedule s[3];
+        int i;
+        ret = _krb5_n_fold(str, len, tmp, 24);
+        if (ret) {
+            memset(str, 0, len);
+            free(str);
+            krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+            return ret;
+        }
+        for(i = 0; i < 3; i++){
+            memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+            DES_set_odd_parity(keys + i);
+            if(DES_is_weak_key(keys + i))
+                xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+            DES_set_key_unchecked(keys + i, &s[i]);
+        }
+        memset(&ivec, 0, sizeof(ivec));
+        DES_ede3_cbc_encrypt(tmp,
+                             tmp, sizeof(tmp),
+                             &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT);
+        memset(s, 0, sizeof(s));
+        memset(&ivec, 0, sizeof(ivec));
+        for(i = 0; i < 3; i++){
+            memcpy(keys + i, tmp + i * 8, sizeof(keys[i]));
+            DES_set_odd_parity(keys + i);
+            if(DES_is_weak_key(keys + i))
+                xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+        }
+        memset(tmp, 0, sizeof(tmp));
+    }
+    key->keytype = enctype;
+    krb5_data_copy(&key->keyvalue, keys, sizeof(keys));
+    memset(keys, 0, sizeof(keys));
+    memset(str, 0, len);
+    free(str);
+    return 0;
+}
+#endif
+static krb5_error_code
+DES3_string_to_key_derived(krb5_context context,
+                           krb5_enctype enctype,
+                           krb5_data password,
+                           krb5_salt salt,
+                           krb5_data opaque,
+                           krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    size_t len = password.length + salt.saltvalue.length;
+    char *s;
+    s = malloc(len);
+    if(len != 0 && s == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    memcpy(s, password.data, password.length);
+    memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
+    ret = krb5_string_to_key_derived(context,
+                                     s,
+                                     len,
+                                     enctype,
+                                     key);
+    memset(s, 0, len);
+    free(s);
+    return ret;
+}
+static void
+DES3_random_to_key(krb5_context context,
+                   krb5_keyblock *key,
+                   const void *data,
+                   size_t size)
+{
+    unsigned char *x = key->keyvalue.data;
+    const u_char *q = data;
+    DES_cblock *k;
+    int i, j;
+    memset(x, 0, sizeof(x));
+    for (i = 0; i < 3; ++i) {
+        unsigned char foo;
+        for (j = 0; j < 7; ++j) {
+            unsigned char b = q[7 * i + j];
+            x[8 * i + j] = b;
+        }
+        foo = 0;
+        for (j = 6; j >= 0; --j) {
+            foo |= q[7 * i + j] & 1;
+            foo <<= 1;
+        }
+        x[8 * i + 7] = foo;
+    }
+    k = key->keyvalue.data;
+    for (i = 0; i < 3; i++) {
+        DES_set_odd_parity(&k[i]);
+        if(DES_is_weak_key(&k[i]))
+            xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0");
+    }
+}
+/*
+ * ARCFOUR
+ */
+static void
+ARCFOUR_schedule(krb5_context context,
+                 struct key_type *kt,
+                 struct key_data *kd)
+{
+    RC4_set_key (kd->schedule->data,
+                 kd->key->keyvalue.length, kd->key->keyvalue.data);
+}
+static krb5_error_code
+ARCFOUR_string_to_key(krb5_context context,
+                      krb5_enctype enctype,
+                      krb5_data password,
+                      krb5_salt salt,
+                      krb5_data opaque,
+                      krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    uint16_t *s = NULL;
+    size_t len, i;
+    EVP_MD_CTX *m;
+    m = EVP_MD_CTX_create();
+    if (m == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        goto out;
+    }
+    EVP_DigestInit_ex(m, EVP_md4(), NULL);
+    ret = wind_utf8ucs2_length(password.data, &len);
+    if (ret) {
+        krb5_set_error_message (context, ret,
+                                N_("Password not an UCS2 string", ""));
+        goto out;
+    }
+    s = malloc (len * sizeof(s[0]));
+    if (len != 0 && s == NULL) {
+        krb5_set_error_message (context, ENOMEM,
+                                N_("malloc: out of memory", ""));
+        ret = ENOMEM;
+        goto out;
+    }
+    ret = wind_utf8ucs2(password.data, s, &len);
+    if (ret) {
+        krb5_set_error_message (context, ret,
+                                N_("Password not an UCS2 string", ""));
+        goto out;
+    }
+    /* LE encoding */
+    for (i = 0; i < len; i++) {
+        unsigned char p;
+        p = (s[i] & 0xff);
+        EVP_DigestUpdate (m, &p, 1);
+        p = (s[i] >> 8) & 0xff;
+        EVP_DigestUpdate (m, &p, 1);
+    }
+    key->keytype = enctype;
+    ret = krb5_data_alloc (&key->keyvalue, 16);
+    if (ret) {
+        krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+        goto out;
+    }
+    EVP_DigestFinal_ex (m, key->keyvalue.data, NULL);
+ out:
+    EVP_MD_CTX_destroy(m);
+    if (s)
+        memset (s, 0, len);
+    free (s);
+    return ret;
+}
+/*
+ * AES
+ */
+int _krb5_AES_string_to_default_iterator = 4096;
+static krb5_error_code
+AES_string_to_key(krb5_context context,
+                  krb5_enctype enctype,
+                  krb5_data password,
+                  krb5_salt salt,
+                  krb5_data opaque,
+                  krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    uint32_t iter;
+    struct encryption_type *et;
+    struct key_data kd;
+    if (opaque.length == 0)
+        iter = _krb5_AES_string_to_default_iterator;
+    else if (opaque.length == 4) {
+        unsigned long v;
+        _krb5_get_int(opaque.data, &v, 4);
+        iter = ((uint32_t)v);
+    } else
+        return KRB5_PROG_KEYTYPE_NOSUPP; /* XXX */
+    et = _find_enctype(enctype);
+    if (et == NULL)
+        return KRB5_PROG_KEYTYPE_NOSUPP;
+    kd.schedule = NULL;
+    ALLOC(kd.key, 1);
+    if(kd.key == NULL) {
+        krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    kd.key->keytype = enctype;
+    ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+    if (ret) {
+        krb5_set_error_message (context, ret, N_("malloc: out of memory", ""));
+        return ret;
+    }
+    ret = PKCS5_PBKDF2_HMAC_SHA1(password.data, password.length,
+                                 salt.saltvalue.data, salt.saltvalue.length,
+                                 iter,
+                                 et->keytype->size, kd.key->keyvalue.data);
+    if (ret != 1) {
+        free_key_data(context, &kd, et);
+        krb5_set_error_message(context, KRB5_PROG_KEYTYPE_NOSUPP,
+                               "Error calculating s2k");
+        return KRB5_PROG_KEYTYPE_NOSUPP;
+    }
+    ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos"));
+    if (ret == 0)
+        ret = krb5_copy_keyblock_contents(context, kd.key, key);
+    free_key_data(context, &kd, et);
+    return ret;
+}
+static void
+evp_schedule(krb5_context context, struct key_type *kt, struct key_data *kd)
+{
+    struct evp_schedule *key = kd->schedule->data;
+    const EVP_CIPHER *c = (*kt->evp)();
+    EVP_CIPHER_CTX_init(&key->ectx);
+    EVP_CIPHER_CTX_init(&key->dctx);
+    EVP_CipherInit_ex(&key->ectx, c, NULL, kd->key->keyvalue.data, NULL, 1);
+    EVP_CipherInit_ex(&key->dctx, c, NULL, kd->key->keyvalue.data, NULL, 0);
+}
+static void
+evp_cleanup(krb5_context context, struct key_data *kd)
+{
+    struct evp_schedule *key = kd->schedule->data;
+    EVP_CIPHER_CTX_cleanup(&key->ectx);
+    EVP_CIPHER_CTX_cleanup(&key->dctx);
+}
+/*
+ *
+ */
+#ifdef WEAK_ENCTYPES
+static struct salt_type des_salt[] = {
+    {
+        KRB5_PW_SALT,
+        "pw-salt",
+        krb5_DES_string_to_key
+    },
+#ifdef ENABLE_AFS_STRING_TO_KEY
+    {
+        KRB5_AFS3_SALT,
+        "afs3-salt",
+        DES_AFS3_string_to_key
+    },
+#endif
+    { 0 }
+};
+#endif
+#ifdef DES3_OLD_ENCTYPE
+static struct salt_type des3_salt[] = {
+    {
+        KRB5_PW_SALT,
+        "pw-salt",
+        DES3_string_to_key
+    },
+    { 0 }
+};
+#endif
+static struct salt_type des3_salt_derived[] = {
+    {
+        KRB5_PW_SALT,
+        "pw-salt",
+        DES3_string_to_key_derived
+    },
+    { 0 }
+};
+static struct salt_type AES_salt[] = {
+    {
+        KRB5_PW_SALT,
+        "pw-salt",
+        AES_string_to_key
+    },
+    { 0 }
+};
+static struct salt_type arcfour_salt[] = {
+    {
+        KRB5_PW_SALT,
+        "pw-salt",
+        ARCFOUR_string_to_key
+    },
+    { 0 }
+};
+/*
+ *
+ */
+static struct key_type keytype_null = {
+    KEYTYPE_NULL,
+    "null",
+,
+,
+,
+    NULL,
+    NULL,
+    NULL
+};
+#ifdef WEAK_ENCTYPES
+static struct key_type keytype_des_old = {
+    KEYTYPE_DES,
+    "des-old",
+,
+,
+    sizeof(DES_key_schedule),
+    krb5_DES_random_key,
+    krb5_DES_schedule_old,
+    des_salt,
+    krb5_DES_random_to_key
+};
+static struct key_type keytype_des = {
+    KEYTYPE_DES,
+    "des",
+,
+,
+    sizeof(struct evp_schedule),
+    krb5_DES_random_key,
+    evp_schedule,
+    des_salt,
+    krb5_DES_random_to_key,
+    evp_cleanup,
+    EVP_des_cbc
+};
+#endif /* WEAK_ENCTYPES */
+#ifdef DES3_OLD_ENCTYPE
+static struct key_type keytype_des3 = {
+    KEYTYPE_DES3,
+    "des3",
+,
+,
+    sizeof(struct evp_schedule),
+    DES3_random_key,
+    evp_schedule,
+    des3_salt,
+    DES3_random_to_key,
+    evp_cleanup,
+    EVP_des_ede3_cbc
+};
+#endif
+static struct key_type keytype_des3_derived = {
+    KEYTYPE_DES3,
+    "des3",
+,
+,
+    sizeof(struct evp_schedule),
+    DES3_random_key,
+    evp_schedule,
+    des3_salt_derived,
+    DES3_random_to_key,
+    evp_cleanup,
+    EVP_des_ede3_cbc
+};
+static struct key_type keytype_aes128 = {
+    KEYTYPE_AES128,
+    "aes-128",
+,
+,
+    sizeof(struct evp_schedule),
+    NULL,
+    evp_schedule,
+    AES_salt,
+    NULL,
+    evp_cleanup,
+    EVP_hcrypto_aes_128_cts
+};
+static struct key_type keytype_aes256 = {
+    KEYTYPE_AES256,
+    "aes-256",
+,
+,
+    sizeof(struct evp_schedule),
+    NULL,
+    evp_schedule,
+    AES_salt,
+    NULL,
+    evp_cleanup,
+    EVP_hcrypto_aes_256_cts
+};
+static struct key_type keytype_arcfour = {
+    KEYTYPE_ARCFOUR,
+    "arcfour",
+,
+,
+    sizeof(RC4_KEY),
+    NULL,
+    ARCFOUR_schedule,
+    arcfour_salt
+};
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_salttype_to_string (krb5_context context,
+                         krb5_enctype etype,
+                         krb5_salttype stype,
+                         char **string)
+{
+    struct encryption_type *e;
+    struct salt_type *st;
+    e = _find_enctype (etype);
+    if (e == NULL) {
+        krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                               "encryption type %d not supported",
+                               etype);
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    for (st = e->keytype->string_to_key; st && st->type; st++) {
+        if (st->type == stype) {
+            *string = strdup (st->name);
+            if (*string == NULL) {
+                krb5_set_error_message (context, ENOMEM,
+                                        N_("malloc: out of memory", ""));
+                return ENOMEM;
+            }
+            return 0;
+        }
+    }
+    krb5_set_error_message (context, HEIM_ERR_SALTTYPE_NOSUPP,
+                            "salttype %d not supported", stype);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_salttype (krb5_context context,
+                         krb5_enctype etype,
+                         const char *string,
+                         krb5_salttype *salttype)
+{
+    struct encryption_type *e;
+    struct salt_type *st;
+    e = _find_enctype (etype);
+    if (e == NULL) {
+        krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                               N_("encryption type %d not supported", ""),
+                               etype);
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    for (st = e->keytype->string_to_key; st && st->type; st++) {
+        if (strcasecmp (st->name, string) == 0) {
+            *salttype = st->type;
+            return 0;
+        }
+    }
+    krb5_set_error_message(context, HEIM_ERR_SALTTYPE_NOSUPP,
+                           N_("salttype %s not supported", ""), string);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_pw_salt(krb5_context context,
+                 krb5_const_principal principal,
+                 krb5_salt *salt)
+{
+    size_t len;
+    int i;
+    krb5_error_code ret;
+    char *p;
+    salt->salttype = KRB5_PW_SALT;
+    len = strlen(principal->realm);
+    for (i = 0; i < principal->name.name_string.len; ++i)
+        len += strlen(principal->name.name_string.val[i]);
+    ret = krb5_data_alloc (&salt->saltvalue, len);
+    if (ret)
+        return ret;
+    p = salt->saltvalue.data;
+    memcpy (p, principal->realm, strlen(principal->realm));
+    p += strlen(principal->realm);
+    for (i = 0; i < principal->name.name_string.len; ++i) {
+        memcpy (p,
+                principal->name.name_string.val[i],
+                strlen(principal->name.name_string.val[i]));
+        p += strlen(principal->name.name_string.val[i]);
+    }
+    return 0;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_free_salt(krb5_context context,
+               krb5_salt salt)
+{
+    krb5_data_free(&salt.saltvalue);
+    return 0;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_data (krb5_context context,
+                         krb5_enctype enctype,
+                         krb5_data password,
+                         krb5_principal principal,
+                         krb5_keyblock *key)
+{
+    krb5_error_code ret;
+    krb5_salt salt;
+    ret = krb5_get_pw_salt(context, principal, &salt);
+    if(ret)
+        return ret;
+    ret = krb5_string_to_key_data_salt(context, enctype, password, salt, key);
+    krb5_free_salt(context, salt);
+    return ret;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key (krb5_context context,
+                    krb5_enctype enctype,
+                    const char *password,
+                    krb5_principal principal,
+                    krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = rk_UNCONST(password);
+    pw.length = strlen(password);
+    return krb5_string_to_key_data(context, enctype, pw, principal, key);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_data_salt (krb5_context context,
+                              krb5_enctype enctype,
+                              krb5_data password,
+                              krb5_salt salt,
+                              krb5_keyblock *key)
+{
+    krb5_data opaque;
+    krb5_data_zero(&opaque);
+    return krb5_string_to_key_data_salt_opaque(context, enctype, password,
+                                               salt, opaque, key);
+}
+/*
+ * Do a string -> key for encryption type `enctype' operation on
+ * `password' (with salt `salt' and the enctype specific data string
+ * `opaque'), returning the resulting key in `key'
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_data_salt_opaque (krb5_context context,
+                                     krb5_enctype enctype,
+                                     krb5_data password,
+                                     krb5_salt salt,
+                                     krb5_data opaque,
+                                     krb5_keyblock *key)
+{
+    struct encryption_type *et =_find_enctype(enctype);
+    struct salt_type *st;
+    if(et == NULL) {
+        krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                               N_("encryption type %d not supported", ""),
+                               enctype);
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    for(st = et->keytype->string_to_key; st && st->type; st++)
+        if(st->type == salt.salttype)
+            return (*st->string_to_key)(context, enctype, password,
+                                        salt, opaque, key);
+    krb5_set_error_message(context, HEIM_ERR_SALTTYPE_NOSUPP,
+                           N_("salt type %d not supported", ""),
+                           salt.salttype);
+    return HEIM_ERR_SALTTYPE_NOSUPP;
+}
+/*
+ * Do a string -> key for encryption type `enctype' operation on the
+ * string `password' (with salt `salt'), returning the resulting key
+ * in `key'
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_salt (krb5_context context,
+                         krb5_enctype enctype,
+                         const char *password,
+                         krb5_salt salt,
+                         krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = rk_UNCONST(password);
+    pw.length = strlen(password);
+    return krb5_string_to_key_data_salt(context, enctype, pw, salt, key);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_salt_opaque (krb5_context context,
+                                krb5_enctype enctype,
+                                const char *password,
+                                krb5_salt salt,
+                                krb5_data opaque,
+                                krb5_keyblock *key)
+{
+    krb5_data pw;
+    pw.data = rk_UNCONST(password);
+    pw.length = strlen(password);
+    return krb5_string_to_key_data_salt_opaque(context, enctype,
+                                               pw, salt, opaque, key);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_keysize(krb5_context context,
                      krb5_enctype type,
                      size_t *keysize)
+{
     struct encryption_type *et = _find_enctype(type);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
     if(et == NULL) {
         krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_keybits(krb5_context context,
                      krb5_enctype type,
                      size_t *keybits)
+{
     struct encryption_type *et = _find_enctype(type);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
     if(et == NULL) {
         krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_generate_random_keyblock(krb5_context context,
                               krb5_enctype type,
 …
+{
     krb5_error_code ret;
     struct encryption_type *et = _find_enctype(type);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
     if(et == NULL) {
         krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
 …
 static krb5_error_code
 _key_schedule(krb5_context context,
               struct key_data *key)
+              struct _krb5_key_data *key)
+{
     krb5_error_code ret;
     struct encryption_type *et = _find_enctype(key->key->keytype);
     struct key_type *kt;
+    struct _krb5_encryption_type *et = _krb5_find_enctype(key->key->keytype);
+    struct _krb5_key_type *kt;
     if (et == NULL) {
 …
 static krb5_error_code
 NONE_checksum(krb5_context context,
               struct key_data *key,
+SHA1_checksum(krb5_context context,
+              struct _krb5_key_data *key,
               const void *data,
               size_t len,
 …
               Checksum *C)
+{
+    return 0;
+}
+static krb5_error_code
+CRC32_checksum(krb5_context context,
+               struct key_data *key,
+               const void *data,
+               size_t len,
+               unsigned usage,
+               Checksum *C)
+{
+    uint32_t crc;
+    unsigned char *r = C->checksum.data;
+    _krb5_crc_init_table ();
+    crc = _krb5_crc_update (data, len, 0);
+    r[0] = crc & 0xff;
+    r[1] = (crc >> 8)  & 0xff;
+    r[2] = (crc >> 16) & 0xff;
+    r[3] = (crc >> 24) & 0xff;
+    return 0;
+}
+static krb5_error_code
+RSA_MD4_checksum(krb5_context context,
+                 struct key_data *key,
+                 const void *data,
+                 size_t len,
+                 unsigned usage,
+                 Checksum *C)
+{
+    if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md4(), NULL) != 1)
+        krb5_abortx(context, "md4 checksum failed");
+    return 0;
+}
+static krb5_error_code
+des_checksum(krb5_context context,
+             const EVP_MD *evp_md,
+             struct key_data *key,
+             const void *data,
+             size_t len,
+             Checksum *cksum)
+{
+    struct evp_schedule *ctx = key->schedule->data;
+    EVP_MD_CTX *m;
+    DES_cblock ivec;
+    unsigned char *p = cksum->checksum.data;
+    krb5_generate_random_block(p, 8);
+    m = EVP_MD_CTX_create();
+    if (m == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    EVP_DigestInit_ex(m, evp_md, NULL);
+    EVP_DigestUpdate(m, p, 8);
+    EVP_DigestUpdate(m, data, len);
+    EVP_DigestFinal_ex (m, p + 8, NULL);
+    EVP_MD_CTX_destroy(m);
+    memset (&ivec, 0, sizeof(ivec));
+    EVP_CipherInit_ex(&ctx->ectx, NULL, NULL, NULL, (void *)&ivec, -1);
+    EVP_Cipher(&ctx->ectx, p, p, 24);
+    return 0;
+}
+static krb5_error_code
+des_verify(krb5_context context,
+           const EVP_MD *evp_md,
+           struct key_data *key,
+           const void *data,
+           size_t len,
+           Checksum *C)
+{
+    struct evp_schedule *ctx = key->schedule->data;
+    EVP_MD_CTX *m;
+    unsigned char tmp[24];
+    unsigned char res[16];
+    DES_cblock ivec;
+    krb5_error_code ret = 0;
+    m = EVP_MD_CTX_create();
+    if (m == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    memset(&ivec, 0, sizeof(ivec));
+    EVP_CipherInit_ex(&ctx->dctx, NULL, NULL, NULL, (void *)&ivec, -1);
+    EVP_Cipher(&ctx->dctx, tmp, C->checksum.data, 24);
+    EVP_DigestInit_ex(m, evp_md, NULL);
+    EVP_DigestUpdate(m, tmp, 8); /* confounder */
+    EVP_DigestUpdate(m, data, len);
+    EVP_DigestFinal_ex (m, res, NULL);
+    EVP_MD_CTX_destroy(m);
+    if(memcmp(res, tmp + 8, sizeof(res)) != 0) {
+        krb5_clear_error_message (context);
+        ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    }
+    memset(tmp, 0, sizeof(tmp));
+    memset(res, 0, sizeof(res));
+    return ret;
+}
+static krb5_error_code
+RSA_MD4_DES_checksum(krb5_context context,
+                     struct key_data *key,
+                     const void *data,
+                     size_t len,
+                     unsigned usage,
+                     Checksum *cksum)
+{
+    return des_checksum(context, EVP_md4(), key, data, len, cksum);
+}
+static krb5_error_code
+RSA_MD4_DES_verify(krb5_context context,
+                   struct key_data *key,
+                   const void *data,
+                   size_t len,
+                   unsigned usage,
+                   Checksum *C)
+{
+    return des_verify(context, EVP_md5(), key, data, len, C);
+}
+static krb5_error_code
+RSA_MD5_checksum(krb5_context context,
+                 struct key_data *key,
+                 const void *data,
+                 size_t len,
+                 unsigned usage,
+                 Checksum *C)
+{
+    if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_md5(), NULL) != 1)
+        krb5_abortx(context, "md5 checksum failed");
+    return 0;
+}
+static krb5_error_code
+RSA_MD5_DES_checksum(krb5_context context,
+                     struct key_data *key,
+                     const void *data,
+                     size_t len,
+                     unsigned usage,
+                     Checksum *C)
+{
+    return des_checksum(context, EVP_md5(), key, data, len, C);
+}
+static krb5_error_code
+RSA_MD5_DES_verify(krb5_context context,
+                   struct key_data *key,
+                   const void *data,
+                   size_t len,
+                   unsigned usage,
+                   Checksum *C)
+{
+    return des_verify(context, EVP_md5(), key, data, len, C);
+}
+#ifdef DES3_OLD_ENCTYPE
+static krb5_error_code
+RSA_MD5_DES3_checksum(krb5_context context,
+                      struct key_data *key,
+                      const void *data,
+                      size_t len,
+                      unsigned usage,
+                      Checksum *C)
+{
+    return des_checksum(context, EVP_md5(), key, data, len, C);
+}
+static krb5_error_code
+RSA_MD5_DES3_verify(krb5_context context,
+                    struct key_data *key,
+    if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
+        krb5_abortx(context, "sha1 checksum failed");
+    return 0;
+}
+/* HMAC according to RFC2104 */
+krb5_error_code
+_krb5_internal_hmac(krb5_context context,
+                    struct _krb5_checksum_type *cm,
                     const void *data,
                     size_t len,
                     unsigned usage,
+                    Checksum *C)
+{
+    return des_verify(context, EVP_md5(), key, data, len, C);
+}
+#endif
+static krb5_error_code
+SHA1_checksum(krb5_context context,
+              struct key_data *key,
+              const void *data,
+              size_t len,
+              unsigned usage,
+              Checksum *C)
+{
+    if (EVP_Digest(data, len, C->checksum.data, NULL, EVP_sha1(), NULL) != 1)
+        krb5_abortx(context, "sha1 checksum failed");
+    return 0;
+}
+/* HMAC according to RFC2104 */
+static krb5_error_code
+hmac(krb5_context context,
+     struct checksum_type *cm,
+     const void *data,
+     size_t len,
+     unsigned usage,
+     struct key_data *keyblock,
+     Checksum *result)
+                    struct _krb5_key_data *keyblock,
+                    Checksum *result)
+{
     unsigned char *ipad, *opad;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_hmac(krb5_context context,
           krb5_cksumtype cktype,
 …
           Checksum *result)
+{
     struct checksum_type *c = _find_checksum(cktype);
     struct key_data kd;
+    struct _krb5_checksum_type *c = _krb5_find_checksum(cktype);
+    struct _krb5_key_data kd;
     krb5_error_code ret;
 …
     kd.schedule = NULL;
     ret = hmac(context, c, data, len, usage, &kd, result);
+    ret = _krb5_internal_hmac(context, c, data, len, usage, &kd, result);
     if (kd.schedule)
 …
+}
 static krb5_error_code
 SP_HMAC_SHA1_checksum(krb5_context context,
                       struct key_data *key,
                       const void *data,
                       size_t len,
                       unsigned usage,
                       Checksum *result)
+{
     struct checksum_type *c = _find_checksum(CKSUMTYPE_SHA1);
+krb5_error_code
+_krb5_SP_HMAC_SHA1_checksum(krb5_context context,
+                            struct _krb5_key_data *key,
+                            const void *data,
+                            size_t len,
+                            unsigned usage,
+                            Checksum *result)
+{
+    struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
     Checksum res;
     char sha1_data[20];
 …
     res.checksum.length = sizeof(sha1_data);
     ret = hmac(context, c, data, len, usage, key, &res);
+    ret = _krb5_internal_hmac(context, c, data, len, usage, key, &res);
     if (ret)
         krb5_abortx(context, "hmac failed");
 …
+}
+/*
+ * checksum according to section 5. of draft-brezak-win2k-krb-rc4-hmac-03.txt
+ */
+static krb5_error_code
+HMAC_MD5_checksum(krb5_context context,
+                  struct key_data *key,
+                  const void *data,
+                  size_t len,
+                  unsigned usage,
+                  Checksum *result)
+{
+    EVP_MD_CTX *m;
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    const char signature[] = "signaturekey";
+    Checksum ksign_c;
+    struct key_data ksign;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    unsigned char tmp[16];
+    unsigned char ksign_c_data[16];
+    krb5_error_code ret;
+    m = EVP_MD_CTX_create();
+    if (m == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    ksign_c.checksum.length = sizeof(ksign_c_data);
+    ksign_c.checksum.data   = ksign_c_data;
+    ret = hmac(context, c, signature, sizeof(signature), 0, key, &ksign_c);
+    if (ret) {
+        EVP_MD_CTX_destroy(m);
+        return ret;
+    }
+    ksign.key = &kb;
+    kb.keyvalue = ksign_c.checksum;
+    EVP_DigestInit_ex(m, EVP_md5(), NULL);
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+    EVP_DigestUpdate(m, t, 4);
+    EVP_DigestUpdate(m, data, len);
+    EVP_DigestFinal_ex (m, tmp, NULL);
+    EVP_MD_CTX_destroy(m);
+    ret = hmac(context, c, tmp, sizeof(tmp), 0, &ksign, result);
+    if (ret)
+        return ret;
+    return 0;
+}
+static struct checksum_type checksum_none = {
+    CKSUMTYPE_NONE,
+    "none",
+,
+,
+,
+    NONE_checksum,
+    NULL
+};
+static struct checksum_type checksum_crc32 = {
+    CKSUMTYPE_CRC32,
+    "crc32",
+,
+,
+,
+    CRC32_checksum,
+    NULL
+};
+static struct checksum_type checksum_rsa_md4 = {
+    CKSUMTYPE_RSA_MD4,
+    "rsa-md4",
+,
+,
+    F_CPROOF,
+    RSA_MD4_checksum,
+    NULL
+};
+static struct checksum_type checksum_rsa_md4_des = {
+    CKSUMTYPE_RSA_MD4_DES,
+    "rsa-md4-des",
+,
+,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD4_DES_checksum,
+    RSA_MD4_DES_verify
+};
+static struct checksum_type checksum_rsa_md5 = {
+    CKSUMTYPE_RSA_MD5,
+    "rsa-md5",
+,
+,
+    F_CPROOF,
+    RSA_MD5_checksum,
+    NULL
+};
+static struct checksum_type checksum_rsa_md5_des = {
+    CKSUMTYPE_RSA_MD5_DES,
+    "rsa-md5-des",
+,
+,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD5_DES_checksum,
+    RSA_MD5_DES_verify
+};
+#ifdef DES3_OLD_ENCTYPE
+static struct checksum_type checksum_rsa_md5_des3 = {
+    CKSUMTYPE_RSA_MD5_DES3,
+    "rsa-md5-des3",
+,
+,
+    F_KEYED | F_CPROOF | F_VARIANT,
+    RSA_MD5_DES3_checksum,
+    RSA_MD5_DES3_verify
+};
+#endif
+static struct checksum_type checksum_sha1 = {
+struct _krb5_checksum_type _krb5_checksum_sha1 = {
     CKSUMTYPE_SHA1,
     "sha1",
 …
     NULL
 };
+static struct checksum_type checksum_hmac_sha1_des3 = {
+    CKSUMTYPE_HMAC_SHA1_DES3,
+    "hmac-sha1-des3",
+,
+,
+    F_KEYED | F_CPROOF | F_DERIVED,
+    SP_HMAC_SHA1_checksum,
+    NULL
+};
+static struct checksum_type checksum_hmac_sha1_aes128 = {
+    CKSUMTYPE_HMAC_SHA1_96_AES_128,
+    "hmac-sha1-96-aes128",
+,
+,
+    F_KEYED | F_CPROOF | F_DERIVED,
+    SP_HMAC_SHA1_checksum,
+    NULL
+};
+static struct checksum_type checksum_hmac_sha1_aes256 = {
+    CKSUMTYPE_HMAC_SHA1_96_AES_256,
+    "hmac-sha1-96-aes256",
+,
+,
+    F_KEYED | F_CPROOF | F_DERIVED,
+    SP_HMAC_SHA1_checksum,
+    NULL
+};
+static struct checksum_type checksum_hmac_md5 = {
+    CKSUMTYPE_HMAC_MD5,
+    "hmac-md5",
+,
+,
+    F_KEYED | F_CPROOF,
+    HMAC_MD5_checksum,
+    NULL
+};
+static struct checksum_type *checksum_types[] = {
+    &checksum_none,
+    &checksum_crc32,
+    &checksum_rsa_md4,
+    &checksum_rsa_md4_des,
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des,
+#ifdef DES3_OLD_ENCTYPE
+    &checksum_rsa_md5_des3,
+#endif
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3,
+    &checksum_hmac_sha1_aes128,
+    &checksum_hmac_sha1_aes256,
+    &checksum_hmac_md5
+};
+static int num_checksums = sizeof(checksum_types) / sizeof(checksum_types[0]);
+static struct checksum_type *
+_find_checksum(krb5_cksumtype type)
+struct _krb5_checksum_type *
+_krb5_find_checksum(krb5_cksumtype type)
+{
     int i;
     for(i = 0; i < num_checksums; i++)
         if(checksum_types[i]->type == type)
             return checksum_types[i];
+    for(i = 0; i < _krb5_num_checksums; i++)
+        if(_krb5_checksum_types[i]->type == type)
+            return _krb5_checksum_types[i];
     return NULL;
+}
 …
                  krb5_crypto crypto,
                  unsigned usage,  /* not krb5_key_usage */
                  struct checksum_type *ct,
                  struct key_data **key)
+                 struct _krb5_checksum_type *ct,
+                 struct _krb5_key_data **key)
+{
     krb5_error_code ret = 0;
 …
 static krb5_error_code
 create_checksum (krb5_context context,
                  struct checksum_type *ct,
+                 struct _krb5_checksum_type *ct,
                  krb5_crypto crypto,
                  unsigned usage,
 …
+{
     krb5_error_code ret;
     struct key_data *dkey;
+    struct _krb5_key_data *dkey;
     int keyed_checksum;
 …
 static int
 arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto)
+arcfour_checksum_p(struct _krb5_checksum_type *ct, krb5_crypto crypto)
+{
     return (ct->type == CKSUMTYPE_HMAC_MD5) &&
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_create_checksum(krb5_context context,
                      krb5_crypto crypto,
 …
                      Checksum *result)
+{
     struct checksum_type *ct = NULL;
+    struct _krb5_checksum_type *ct = NULL;
     unsigned keyusage;
     /* type 0 -> pick from crypto */
     if (type) {
         ct = _find_checksum(type);
+        ct = _krb5_find_checksum(type);
     } else if (crypto) {
         ct = crypto->et->keyed_checksum;
 …
     if (arcfour_checksum_p(ct, crypto)) {
         keyusage = usage;
         usage2arcfour(context, &keyusage);
+        _krb5_usage2arcfour(context, &keyusage);
     } else
         keyusage = CHECKSUM_USAGE(usage);
 …
+{
     krb5_error_code ret;
     struct key_data *dkey;
+    struct _krb5_key_data *dkey;
     int keyed_checksum;
     Checksum c;
     struct checksum_type *ct;
     ct = _find_checksum(cksum->cksumtype);
+    struct _krb5_checksum_type *ct;
+    ct = _krb5_find_checksum(cksum->cksumtype);
     if (ct == NULL || (ct->flags & F_DISABLED)) {
         krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
 …
     if(ct->checksumsize != cksum->checksum.length) {
         krb5_clear_error_message (context);
+        krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
+                               N_("Decrypt integrity check failed for checksum type %s, "
+                                  "length was %u, expected %u", ""),
+                               ct->name, (unsigned)cksum->checksum.length,
+                               (unsigned)ct->checksumsize);
         return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
+    }
     keyed_checksum = (ct->flags & F_KEYED) != 0;
     if(keyed_checksum) {
         struct checksum_type *kct;
+        struct _krb5_checksum_type *kct;
         if (crypto == NULL) {
             krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
                                     N_("Checksum type %s is keyed but no "
                                        "crypto context (key) was passed in", ""),
                                     ct->name);
+            krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
+                                   N_("Checksum type %s is keyed but no "
+                                      "crypto context (key) was passed in", ""),
+                                   ct->name);
             return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
+        }
         kct = crypto->et->keyed_checksum;
         if (kct != NULL && kct->type != ct->type) {
             krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
                                     N_("Checksum type %s is keyed, but "
                                        "the key type %s passed didnt have that checksum "
                                        "type as the keyed type", ""),
+            krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
+                                   N_("Checksum type %s is keyed, but "
+                                      "the key type %s passed didnt have that checksum "
+                                      "type as the keyed type", ""),
                                     ct->name, crypto->et->name);
             return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
 …
     } else
         dkey = NULL;
+    if(ct->verify)
+        return (*ct->verify)(context, dkey, data, len, usage, cksum);
+    /*
+     * If checksum have a verify function, lets use that instead of
+     * calling ->checksum and then compare result.
+     */
+    if(ct->verify) {
+        ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
+        if (ret)
+            krb5_set_error_message(context, ret,
+                                   N_("Decrypt integrity check failed for checksum "
+                                      "type %s, key type %s", ""),
+                                   ct->name, (crypto != NULL)? crypto->et->name : "(none)");
+        return ret;
+    }
     ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
 …
+    }
+    if(c.checksum.length != cksum->checksum.length ||
+       memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
+        krb5_clear_error_message (context);
+    if(krb5_data_ct_cmp(&c.checksum, &cksum->checksum) != 0) {
         ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+        krb5_set_error_message(context, ret,
+                               N_("Decrypt integrity check failed for checksum "
+                                  "type %s, key type %s", ""),
+                               ct->name, crypto ? crypto->et->name : "(unkeyed)");
     } else {
         ret = 0;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verify_checksum(krb5_context context,
                      krb5_crypto crypto,
 …
                      Checksum *cksum)
+{
     struct checksum_type *ct;
+    struct _krb5_checksum_type *ct;
     unsigned keyusage;
     ct = _find_checksum(cksum->cksumtype);
+    ct = _krb5_find_checksum(cksum->cksumtype);
     if(ct == NULL) {
         krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
 …
     if (arcfour_checksum_p(ct, crypto)) {
         keyusage = usage;
         usage2arcfour(context, &keyusage);
+        _krb5_usage2arcfour(context, &keyusage);
     } else
         keyusage = CHECKSUM_USAGE(usage);
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_get_checksum_type(krb5_context context,
                               krb5_crypto crypto,
                               krb5_cksumtype *type)
+{
     struct checksum_type *ct = NULL;
+    struct _krb5_checksum_type *ct = NULL;
     if (crypto != NULL) {
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_checksumsize(krb5_context context,
                   krb5_cksumtype type,
                   size_t *size)
+{
     struct checksum_type *ct = _find_checksum(type);
+    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
     if(ct == NULL) {
         krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_checksum_is_keyed(krb5_context context,
                        krb5_cksumtype type)
+{
     struct checksum_type *ct = _find_checksum(type);
+    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
     if(ct == NULL) {
         if (context)
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_checksum_is_collision_proof(krb5_context context,
                                  krb5_cksumtype type)
+{
     struct checksum_type *ct = _find_checksum(type);
+    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
     if(ct == NULL) {
         if (context)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_checksum_disable(krb5_context context,
                       krb5_cksumtype type)
+{
     struct checksum_type *ct = _find_checksum(type);
+    struct _krb5_checksum_type *ct = _krb5_find_checksum(type);
     if(ct == NULL) {
         if (context)
 …
  ************************************************************/
+static krb5_error_code
+NULL_encrypt(krb5_context context,
+             struct key_data *key,
+             void *data,
+             size_t len,
+             krb5_boolean encryptp,
+             int usage,
+             void *ivec)
+{
+    return 0;
+}
+static krb5_error_code
+evp_encrypt(krb5_context context,
+            struct key_data *key,
+            void *data,
+            size_t len,
+            krb5_boolean encryptp,
+            int usage,
+            void *ivec)
+{
+    struct evp_schedule *ctx = key->schedule->data;
+    EVP_CIPHER_CTX *c;
+    c = encryptp ? &ctx->ectx : &ctx->dctx;
+    if (ivec == NULL) {
+        /* alloca ? */
+        size_t len = EVP_CIPHER_CTX_iv_length(c);
+        void *loiv = malloc(len);
+        if (loiv == NULL) {
+            krb5_clear_error_message(context);
+            return ENOMEM;
+        }
+        memset(loiv, 0, len);
+        EVP_CipherInit_ex(c, NULL, NULL, NULL, loiv, -1);
+        free(loiv);
+    } else
+        EVP_CipherInit_ex(c, NULL, NULL, NULL, ivec, -1);
+    EVP_Cipher(c, data, data, len);
+    return 0;
+}
+#ifdef WEAK_ENCTYPES
+static krb5_error_code
+evp_des_encrypt_null_ivec(krb5_context context,
+                          struct key_data *key,
+                          void *data,
+                          size_t len,
+                          krb5_boolean encryptp,
+                          int usage,
+                          void *ignore_ivec)
+{
+    struct evp_schedule *ctx = key->schedule->data;
+    EVP_CIPHER_CTX *c;
+    DES_cblock ivec;
+    memset(&ivec, 0, sizeof(ivec));
+    c = encryptp ? &ctx->ectx : &ctx->dctx;
+    EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+    EVP_Cipher(c, data, data, len);
+    return 0;
+}
+static krb5_error_code
+evp_des_encrypt_key_ivec(krb5_context context,
+                         struct key_data *key,
+                         void *data,
+                         size_t len,
+                         krb5_boolean encryptp,
+                         int usage,
+                         void *ignore_ivec)
+{
+    struct evp_schedule *ctx = key->schedule->data;
+    EVP_CIPHER_CTX *c;
+    DES_cblock ivec;
+    memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+    c = encryptp ? &ctx->ectx : &ctx->dctx;
+    EVP_CipherInit_ex(c, NULL, NULL, NULL, (void *)&ivec, -1);
+    EVP_Cipher(c, data, data, len);
+    return 0;
+}
+static krb5_error_code
+DES_CFB64_encrypt_null_ivec(krb5_context context,
+                            struct key_data *key,
+                            void *data,
+                            size_t len,
+                            krb5_boolean encryptp,
+                            int usage,
+                            void *ignore_ivec)
+{
+    DES_cblock ivec;
+    int num = 0;
+    DES_key_schedule *s = key->schedule->data;
+    memset(&ivec, 0, sizeof(ivec));
+    DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encryptp);
+    return 0;
+}
+static krb5_error_code
+DES_PCBC_encrypt_key_ivec(krb5_context context,
+                          struct key_data *key,
+                          void *data,
+                          size_t len,
+                          krb5_boolean encryptp,
+                          int usage,
+                          void *ignore_ivec)
+{
+    DES_cblock ivec;
+    DES_key_schedule *s = key->schedule->data;
+    memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec));
+    DES_pcbc_encrypt(data, data, len, s, &ivec, encryptp);
+    return 0;
+}
+#endif
+/*
+ * section 6 of draft-brezak-win2k-krb-rc4-hmac-03
+ *
+ * warning: not for small children
+ */
+static krb5_error_code
+ARCFOUR_subencrypt(krb5_context context,
+                   struct key_data *key,
+                   void *data,
+                   size_t len,
+                   unsigned usage,
+                   void *ivec)
+{
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    Checksum k1_c, k2_c, k3_c, cksum;
+    struct key_data ke;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    RC4_KEY rc4_key;
+    unsigned char *cdata = data;
+    unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
+    krb5_error_code ret;
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+    k1_c.checksum.length = sizeof(k1_c_data);
+    k1_c.checksum.data   = k1_c_data;
+    ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+    if (ret)
+        krb5_abortx(context, "hmac failed");
+    memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
+    k2_c.checksum.length = sizeof(k2_c_data);
+    k2_c.checksum.data   = k2_c_data;
+    ke.key = &kb;
+    kb.keyvalue = k2_c.checksum;
+    cksum.checksum.length = 16;
+    cksum.checksum.data   = data;
+    ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+    if (ret)
+        krb5_abortx(context, "hmac failed");
+    ke.key = &kb;
+    kb.keyvalue = k1_c.checksum;
+    k3_c.checksum.length = sizeof(k3_c_data);
+    k3_c.checksum.data   = k3_c_data;
+    ret = hmac(NULL, c, data, 16, 0, &ke, &k3_c);
+    if (ret)
+        krb5_abortx(context, "hmac failed");
+    RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
+    RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
+    memset (k1_c_data, 0, sizeof(k1_c_data));
+    memset (k2_c_data, 0, sizeof(k2_c_data));
+    memset (k3_c_data, 0, sizeof(k3_c_data));
+    return 0;
+}
+static krb5_error_code
+ARCFOUR_subdecrypt(krb5_context context,
+                   struct key_data *key,
+                   void *data,
+                   size_t len,
+                   unsigned usage,
+                   void *ivec)
+{
+    struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5);
+    Checksum k1_c, k2_c, k3_c, cksum;
+    struct key_data ke;
+    krb5_keyblock kb;
+    unsigned char t[4];
+    RC4_KEY rc4_key;
+    unsigned char *cdata = data;
+    unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
+    unsigned char cksum_data[16];
+    krb5_error_code ret;
+    t[0] = (usage >>  0) & 0xFF;
+    t[1] = (usage >>  8) & 0xFF;
+    t[2] = (usage >> 16) & 0xFF;
+    t[3] = (usage >> 24) & 0xFF;
+    k1_c.checksum.length = sizeof(k1_c_data);
+    k1_c.checksum.data   = k1_c_data;
+    ret = hmac(NULL, c, t, sizeof(t), 0, key, &k1_c);
+    if (ret)
+        krb5_abortx(context, "hmac failed");
+    memcpy (k2_c_data, k1_c_data, sizeof(k1_c_data));
+    k2_c.checksum.length = sizeof(k2_c_data);
+    k2_c.checksum.data   = k2_c_data;
+    ke.key = &kb;
+    kb.keyvalue = k1_c.checksum;
+    k3_c.checksum.length = sizeof(k3_c_data);
+    k3_c.checksum.data   = k3_c_data;
+    ret = hmac(NULL, c, cdata, 16, 0, &ke, &k3_c);
+    if (ret)
+        krb5_abortx(context, "hmac failed");
+    RC4_set_key (&rc4_key, k3_c.checksum.length, k3_c.checksum.data);
+    RC4 (&rc4_key, len - 16, cdata + 16, cdata + 16);
+    ke.key = &kb;
+    kb.keyvalue = k2_c.checksum;
+    cksum.checksum.length = 16;
+    cksum.checksum.data   = cksum_data;
+    ret = hmac(NULL, c, cdata + 16, len - 16, 0, &ke, &cksum);
+    if (ret)
+        krb5_abortx(context, "hmac failed");
+    memset (k1_c_data, 0, sizeof(k1_c_data));
+    memset (k2_c_data, 0, sizeof(k2_c_data));
+    memset (k3_c_data, 0, sizeof(k3_c_data));
+    if (memcmp (cksum.checksum.data, data, 16) != 0) {
+        krb5_clear_error_message (context);
+        return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+    } else {
+        return 0;
+    }
+}
+/*
+ * convert the usage numbers used in
+ * draft-ietf-cat-kerb-key-derivation-00.txt to the ones in
+ * draft-brezak-win2k-krb-rc4-hmac-04.txt
+ */
+static krb5_error_code
+usage2arcfour (krb5_context context, unsigned *usage)
+{
+    switch (*usage) {
+    case KRB5_KU_AS_REP_ENC_PART : /* 3 */
+    case KRB5_KU_TGS_REP_ENC_PART_SUB_KEY : /* 9 */
+        *usage = 8;
+        return 0;
+    case KRB5_KU_USAGE_SEAL :  /* 22 */
+        *usage = 13;
+        return 0;
+    case KRB5_KU_USAGE_SIGN : /* 23 */
+        *usage = 15;
+        return 0;
+    case KRB5_KU_USAGE_SEQ: /* 24 */
+        *usage = 0;
+        return 0;
+    default :
+        return 0;
+    }
+}
+static krb5_error_code
+ARCFOUR_encrypt(krb5_context context,
+                struct key_data *key,
+                void *data,
+                size_t len,
+                krb5_boolean encryptp,
+                int usage,
+                void *ivec)
+{
+    krb5_error_code ret;
+    unsigned keyusage = usage;
+    if((ret = usage2arcfour (context, &keyusage)) != 0)
+        return ret;
+    if (encryptp)
+        return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec);
+    else
+        return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec);
+}
+/*
+ *
+ */
+static krb5_error_code
+AES_PRF(krb5_context context,
+        krb5_crypto crypto,
+        const krb5_data *in,
+        krb5_data *out)
+{
+    struct checksum_type *ct = crypto->et->checksum;
+    krb5_error_code ret;
+    Checksum result;
+    krb5_keyblock *derived;
+    result.cksumtype = ct->type;
+    ret = krb5_data_alloc(&result.checksum, ct->checksumsize);
+    if (ret) {
+        krb5_set_error_message(context, ret, N_("malloc: out memory", ""));
+        return ret;
+    }
+    ret = (*ct->checksum)(context, NULL, in->data, in->length, 0, &result);
+    if (ret) {
+        krb5_data_free(&result.checksum);
+        return ret;
+    }
+    if (result.checksum.length < crypto->et->blocksize)
+        krb5_abortx(context, "internal prf error");
+    derived = NULL;
+    ret = krb5_derive_key(context, crypto->key.key,
+                          crypto->et->type, "prf", 3, &derived);
+    if (ret)
+        krb5_abortx(context, "krb5_derive_key");
+    ret = krb5_data_alloc(out, crypto->et->blocksize);
+    if (ret)
+        krb5_abortx(context, "malloc failed");
+    {
+        const EVP_CIPHER *c = (*crypto->et->keytype->evp)();
+        EVP_CIPHER_CTX ctx;
+        EVP_CIPHER_CTX_init(&ctx); /* ivec all zero */
+        EVP_CipherInit_ex(&ctx, c, NULL, derived->keyvalue.data, NULL, 1);
+        EVP_Cipher(&ctx, out->data, result.checksum.data,
+                   crypto->et->blocksize);
+        EVP_CIPHER_CTX_cleanup(&ctx);
+    }
+    krb5_data_free(&result.checksum);
+    krb5_free_keyblock(context, derived);
+    return ret;
+}
+/*
+ * these should currently be in reverse preference order.
+ * (only relevant for !F_PSEUDO) */
+static struct encryption_type enctype_null = {
+    ETYPE_NULL,
+    "null",
+,
+,
+,
+    &keytype_null,
+    &checksum_none,
+    NULL,
+    F_DISABLED,
+    NULL_encrypt,
+,
+    NULL
+};
+static struct encryption_type enctype_arcfour_hmac_md5 = {
+    ETYPE_ARCFOUR_HMAC_MD5,
+    "arcfour-hmac-md5",
+,
+,
+,
+    &keytype_arcfour,
+    &checksum_hmac_md5,
+    NULL,
+    F_SPECIAL,
+    ARCFOUR_encrypt,
+,
+    NULL
+};
+#ifdef DES3_OLD_ENCTYPE
+static struct encryption_type enctype_des3_cbc_md5 = {
+    ETYPE_DES3_CBC_MD5,
+    "des3-cbc-md5",
+,
+,
+,
+    &keytype_des3,
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des3,
+,
+    evp_encrypt,
+,
+    NULL
+};
+#endif
+static struct encryption_type enctype_des3_cbc_sha1 = {
+    ETYPE_DES3_CBC_SHA1,
+    "des3-cbc-sha1",
+,
+,
+,
+    &keytype_des3_derived,
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3,
+    F_DERIVED,
+    evp_encrypt,
+,
+    NULL
+};
+#ifdef DES3_OLD_ENCTYPE
+static struct encryption_type enctype_old_des3_cbc_sha1 = {
+    ETYPE_OLD_DES3_CBC_SHA1,
+    "old-des3-cbc-sha1",
+,
+,
+,
+    &keytype_des3,
+    &checksum_sha1,
+    &checksum_hmac_sha1_des3,
+,
+    evp_encrypt,
+,
+    NULL
+};
+#endif
+static struct encryption_type enctype_aes128_cts_hmac_sha1 = {
+    ETYPE_AES128_CTS_HMAC_SHA1_96,
+    "aes128-cts-hmac-sha1-96",
+,
+,
+,
+    &keytype_aes128,
+    &checksum_sha1,
+    &checksum_hmac_sha1_aes128,
+    F_DERIVED,
+    evp_encrypt,
+,
+    AES_PRF
+};
+static struct encryption_type enctype_aes256_cts_hmac_sha1 = {
+    ETYPE_AES256_CTS_HMAC_SHA1_96,
+    "aes256-cts-hmac-sha1-96",
+,
+,
+,
+    &keytype_aes256,
+    &checksum_sha1,
+    &checksum_hmac_sha1_aes256,
+    F_DERIVED,
+    evp_encrypt,
+,
+    AES_PRF
+};
+static struct encryption_type enctype_des3_cbc_none = {
+    ETYPE_DES3_CBC_NONE,
+    "des3-cbc-none",
+,
+,
+,
+    &keytype_des3_derived,
+    &checksum_none,
+    NULL,
+    F_PSEUDO,
+    evp_encrypt,
+,
+    NULL
+};
+#ifdef WEAK_ENCTYPES
+static struct encryption_type enctype_des_cbc_crc = {
+    ETYPE_DES_CBC_CRC,
+    "des-cbc-crc",
+,
+,
+,
+    &keytype_des,
+    &checksum_crc32,
+    NULL,
+    F_DISABLED,
+    evp_des_encrypt_key_ivec,
+,
+    NULL
+};
+static struct encryption_type enctype_des_cbc_md4 = {
+    ETYPE_DES_CBC_MD4,
+    "des-cbc-md4",
+,
+,
+,
+    &keytype_des,
+    &checksum_rsa_md4,
+    &checksum_rsa_md4_des,
+    F_DISABLED,
+    evp_des_encrypt_null_ivec,
+,
+    NULL
+};
+static struct encryption_type enctype_des_cbc_md5 = {
+    ETYPE_DES_CBC_MD5,
+    "des-cbc-md5",
+,
+,
+,
+    &keytype_des,
+    &checksum_rsa_md5,
+    &checksum_rsa_md5_des,
+    F_DISABLED,
+    evp_des_encrypt_null_ivec,
+,
+    NULL
+};
+static struct encryption_type enctype_des_cbc_none = {
+    ETYPE_DES_CBC_NONE,
+    "des-cbc-none",
+,
+,
+,
+    &keytype_des,
+    &checksum_none,
+    NULL,
+    F_PSEUDO|F_DISABLED,
+    evp_des_encrypt_null_ivec,
+,
+    NULL
+};
+static struct encryption_type enctype_des_cfb64_none = {
+    ETYPE_DES_CFB64_NONE,
+    "des-cfb64-none",
+,
+,
+,
+    &keytype_des_old,
+    &checksum_none,
+    NULL,
+    F_PSEUDO|F_DISABLED,
+    DES_CFB64_encrypt_null_ivec,
+,
+    NULL
+};
+static struct encryption_type enctype_des_pcbc_none = {
+    ETYPE_DES_PCBC_NONE,
+    "des-pcbc-none",
+,
+,
+,
+    &keytype_des_old,
+    &checksum_none,
+    NULL,
+    F_PSEUDO|F_DISABLED,
+    DES_PCBC_encrypt_key_ivec,
+,
+    NULL
+};
+#endif /* WEAK_ENCTYPES */
+static struct encryption_type *etypes[] = {
+    &enctype_aes256_cts_hmac_sha1,
+    &enctype_aes128_cts_hmac_sha1,
+    &enctype_des3_cbc_sha1,
+    &enctype_des3_cbc_none, /* used by the gss-api mech */
+    &enctype_arcfour_hmac_md5,
+#ifdef DES3_OLD_ENCTYPE
+    &enctype_des3_cbc_md5,
+    &enctype_old_des3_cbc_sha1,
+#endif
+#ifdef WEAK_ENCTYPES
+    &enctype_des_cbc_crc,
+    &enctype_des_cbc_md4,
+    &enctype_des_cbc_md5,
+    &enctype_des_cbc_none,
+    &enctype_des_cfb64_none,
+    &enctype_des_pcbc_none,
+#endif
+    &enctype_null
+};
+static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]);
+static struct encryption_type *
+_find_enctype(krb5_enctype type)
+struct _krb5_encryption_type *
+_krb5_find_enctype(krb5_enctype type)
+{
     int i;
     for(i = 0; i < num_etypes; i++)
         if(etypes[i]->type == type)
             return etypes[i];
+    for(i = 0; i < _krb5_num_etypes; i++)
+        if(_krb5_etypes[i]->type == type)
+            return _krb5_etypes[i];
     return NULL;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_to_string(krb5_context context,
                        krb5_enctype etype,
                        char **string)
+{
     struct encryption_type *e;
     e = _find_enctype(etype);
+    struct _krb5_encryption_type *e;
+    e = _krb5_find_enctype(etype);
     if(e == NULL) {
         krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_string_to_enctype(krb5_context context,
                        const char *string,
 …
+{
     int i;
     for(i = 0; i < num_etypes; i++)
         if(strcasecmp(etypes[i]->name, string) == 0){
             *etype = etypes[i]->type;
+    for(i = 0; i < _krb5_num_etypes; i++)
+        if(strcasecmp(_krb5_etypes[i]->name, string) == 0){
+            *etype = _krb5_etypes[i]->type;
             return 0;
+        }
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_to_keytype(krb5_context context,
                         krb5_enctype etype,
                         krb5_keytype *keytype)
+{
     struct encryption_type *e = _find_enctype(etype);
+    struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
     if(e == NULL) {
         krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_valid(krb5_context context,
                    krb5_enctype etype)
+{
     struct encryption_type *e = _find_enctype(etype);
+    struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
     if(e == NULL) {
         krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cksumtype_to_enctype(krb5_context context,
                           krb5_cksumtype ctype,
 …
     *etype = ETYPE_NULL;
     for(i = 0; i < num_etypes; i++) {
         if(etypes[i]->keyed_checksum &&
            etypes[i]->keyed_checksum->type == ctype)
+    for(i = 0; i < _krb5_num_etypes; i++) {
+        if(_krb5_etypes[i]->keyed_checksum &&
+           _krb5_etypes[i]->keyed_checksum->type == ctype)
+            {
                 *etype = etypes[i]->type;
+                *etype = _krb5_etypes[i]->type;
                 return 0;
+            }
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cksumtype_valid(krb5_context context,
                      krb5_cksumtype ctype)
+{
     struct checksum_type *c = _find_checksum(ctype);
+    struct _krb5_checksum_type *c = _krb5_find_checksum(ctype);
     if (c == NULL) {
         krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
 …
     unsigned char *p, *q;
     krb5_error_code ret;
     struct key_data *dkey;
     const struct encryption_type *et = crypto->et;
+    struct _krb5_key_data *dkey;
+    const struct _krb5_encryption_type *et = crypto->et;
     checksum_sz = CHECKSUMSIZE(et->keyed_checksum);
 …
     unsigned char *p, *q;
     krb5_error_code ret;
     const struct encryption_type *et = crypto->et;
+    const struct _krb5_encryption_type *et = crypto->et;
     checksum_sz = CHECKSUMSIZE(et->checksum);
 …
                          void *ivec)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     size_t cksum_sz = CHECKSUMSIZE(et->checksum);
     size_t sz = len + cksum_sz + et->confoundersize;
 …
     unsigned char *p;
     krb5_error_code ret;
     struct key_data *dkey;
     struct encryption_type *et = crypto->et;
+    struct _krb5_key_data *dkey;
+    struct _krb5_encryption_type *et = crypto->et;
     unsigned long l;
 …
     Checksum cksum;
     size_t checksum_sz, l;
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     if ((len % et->padsize) != 0) {
 …
         return KRB5_BAD_MSIZE;
+    }
     checksum_sz = CHECKSUMSIZE(et->checksum);
+    if (len < checksum_sz + et->confoundersize) {
+        krb5_set_error_message(context, KRB5_BAD_MSIZE,
+                               N_("Encrypted data shorter then "
+                                  "checksum + confunder", ""));
+        return KRB5_BAD_MSIZE;
+    }
     p = malloc(len);
     if(len != 0 && p == NULL) {
 …
                          void *ivec)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     size_t cksum_sz = CHECKSUMSIZE(et->checksum);
     size_t sz = len - cksum_sz - et->confoundersize;
 …
     if ((len % et->padsize) != 0) {
         krb5_clear_error_message(context);
+        return KRB5_BAD_MSIZE;
+    }
+    if (len < cksum_sz + et->confoundersize) {
+        krb5_set_error_message(context, KRB5_BAD_MSIZE,
+                               N_("Encrypted data shorter then "
+                                  "checksum + confunder", ""));
         return KRB5_BAD_MSIZE;
+    }
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encrypt_iov_ivec(krb5_context context,
                       krb5_crypto crypto,
 …
     unsigned char *p, *q;
     krb5_error_code ret;
     struct key_data *dkey;
     const struct encryption_type *et = crypto->et;
+    struct _krb5_key_data *dkey;
+    const struct _krb5_encryption_type *et = crypto->et;
     krb5_crypto_iov *tiv, *piv, *hiv;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decrypt_iov_ivec(krb5_context context,
                       krb5_crypto crypto,
 …
     unsigned char *p, *q;
     krb5_error_code ret;
     struct key_data *dkey;
     struct encryption_type *et = crypto->et;
+    struct _krb5_key_data *dkey;
+    struct _krb5_encryption_type *et = crypto->et;
     krb5_crypto_iov *tiv, *hiv;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_create_checksum_iov(krb5_context context,
                          krb5_crypto crypto,
 …
  * @param data array of buffers to process
  * @param num_data length of array
+ * @param type return checksum type if not NULL
+ *
  * @return Return an error code or 0.
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verify_checksum_iov(krb5_context context,
                          krb5_crypto crypto,
 …
                          krb5_cksumtype *type)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     Checksum cksum;
     krb5_crypto_iov *civ;
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_length(krb5_context context,
                    krb5_crypto crypto,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_length_iov(krb5_context context,
                        krb5_crypto crypto,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encrypt_ivec(krb5_context context,
                   krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encrypt(krb5_context context,
              krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_encrypt_EncryptedData(krb5_context context,
                            krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decrypt_ivec(krb5_context context,
                   krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decrypt(krb5_context context,
              krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decrypt_EncryptedData(krb5_context context,
                            krb5_crypto crypto,
 …
  ************************************************************/
+#define ENTROPY_NEEDED 128
+static int
+seed_something(void)
+{
+    char buf[1024], seedfile[256];
+    /* If there is a seed file, load it. But such a file cannot be trusted,
+       so use 0 for the entropy estimate */
+    if (RAND_file_name(seedfile, sizeof(seedfile))) {
+        int fd;
+        fd = open(seedfile, O_RDONLY | O_BINARY | O_CLOEXEC);
+        if (fd >= 0) {
+            ssize_t ret;
+            rk_cloexec(fd);
+            ret = read(fd, buf, sizeof(buf));
+            if (ret > 0)
+                RAND_add(buf, ret, 0.0);
+            close(fd);
+        } else
+            seedfile[0] = '\0';
+    } else
+        seedfile[0] = '\0';
+    /* Calling RAND_status() will try to use /dev/urandom if it exists so
+       we do not have to deal with it. */
+    if (RAND_status() != 1) {
+        krb5_context context;
+        const char *p;
+        /* Try using egd */
+        if (!krb5_init_context(&context)) {
+            p = krb5_config_get_string(context, NULL, "libdefaults",
+                                       "egd_socket", NULL);
+            if (p != NULL)
+                RAND_egd_bytes(p, ENTROPY_NEEDED);
+            krb5_free_context(context);
+        }
+    }
+    if (RAND_status() == 1)     {
+        /* Update the seed file */
+        if (seedfile[0])
+            RAND_write_file(seedfile);
+        return 0;
+    } else
+        return -1;
+}
+void KRB5_LIB_FUNCTION
+krb5_generate_random_block(void *buf, size_t len)
+{
+    static int rng_initialized = 0;
+    HEIMDAL_MUTEX_lock(&crypto_mutex);
+    if (!rng_initialized) {
+        if (seed_something())
+            krb5_abortx(NULL, "Fatal: could not seed the "
+                        "random number generator");
+        rng_initialized = 1;
+    }
+    HEIMDAL_MUTEX_unlock(&crypto_mutex);
+    if (RAND_bytes(buf, len) != 1)
+        krb5_abortx(NULL, "Failed to generate random block");
+}
+static krb5_error_code
+derive_key(krb5_context context,
+           struct encryption_type *et,
+           struct key_data *key,
+           const void *constant,
+           size_t len)
+krb5_error_code
+_krb5_derive_key(krb5_context context,
+                 struct _krb5_encryption_type *et,
+                 struct _krb5_key_data *key,
+                 const void *constant,
+                 size_t len)
+{
     unsigned char *k = NULL;
     unsigned int nblocks = 0, i;
     krb5_error_code ret = 0;
     struct key_type *kt = et->keytype;
+    struct _krb5_key_type *kt = et->keytype;
     ret = _key_schedule(context, key);
 …
     switch(kt->type) {
     case KEYTYPE_DES3:
         DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
+        _krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
         break;
     case KEYTYPE_AES128:
 …
+}
 static struct key_data *
+static struct _krb5_key_data *
 _new_derived_key(krb5_crypto crypto, unsigned usage)
+{
     struct key_usage *d = crypto->key_usage;
+    struct _krb5_key_usage *d = crypto->key_usage;
     d = realloc(d, (crypto->num_key_usage + 1) * sizeof(*d));
     if(d == NULL)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_derive_key(krb5_context context,
                 const krb5_keyblock *key,
 …
+{
     krb5_error_code ret;
     struct encryption_type *et;
     struct key_data d;
+    struct _krb5_encryption_type *et;
+    struct _krb5_key_data d;
     *derived_key = NULL;
     et = _find_enctype (etype);
+    et = _krb5_find_enctype (etype);
     if (et == NULL) {
         krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
 …
     d.schedule = NULL;
     ret = derive_key(context, et, &d, constant, constant_len);
+    ret = _krb5_derive_key(context, et, &d, constant, constant_len);
     if (ret == 0)
         ret = krb5_copy_keyblock(context, d.key, derived_key);
     free_key_data(context, &d, et);
+    _krb5_free_key_data(context, &d, et);
     return ret;
+}
 …
                  krb5_crypto crypto,
                  unsigned usage,
                  struct key_data **key)
+                 struct _krb5_key_data **key)
+{
     int i;
     struct key_data *d;
+    struct _krb5_key_data *d;
     unsigned char constant[5];
 …
     krb5_copy_keyblock(context, crypto->key.key, &d->key);
     _krb5_put_int(constant, usage, 5);
     derive_key(context, crypto->et, d, constant, sizeof(constant));
+    _krb5_derive_key(context, crypto->et, d, constant, sizeof(constant));
     *key = d;
     return 0;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Create a crypto context used for all encryption and signature
+ * operation. The encryption type to use is taken from the key, but
+ * can be overridden with the enctype parameter.  This can be useful
+ * for encryptions types which is compatiable (DES for example).
+ *
+ * To free the crypto context, use krb5_crypto_destroy().
+ *
+ * @param context Kerberos context
+ * @param key the key block information with all key data
+ * @param etype the encryption type
+ * @param crypto the resulting crypto context
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_init(krb5_context context,
                  const krb5_keyblock *key,
 …
     if(etype == ETYPE_NULL)
         etype = key->keytype;
     (*crypto)->et = _find_enctype(etype);
+    (*crypto)->et = _krb5_find_enctype(etype);
     if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) {
         free(*crypto);
 …
 static void
 free_key_schedule(krb5_context context,
                   struct key_data *key,
                   struct encryption_type *et)
+                  struct _krb5_key_data *key,
+                  struct _krb5_encryption_type *et)
+{
     if (et->keytype->cleanup)
 …
+}
 static void
 free_key_data(krb5_context context, struct key_data *key,
               struct encryption_type *et)
+void
+_krb5_free_key_data(krb5_context context, struct _krb5_key_data *key,
+              struct _krb5_encryption_type *et)
+{
     krb5_free_keyblock(context, key->key);
 …
 static void
+free_key_usage(krb5_context context, struct key_usage *ku,
+               struct encryption_type *et)
+{
+    free_key_data(context, &ku->key, et);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+free_key_usage(krb5_context context, struct _krb5_key_usage *ku,
+               struct _krb5_encryption_type *et)
+{
+    _krb5_free_key_data(context, &ku->key, et);
+}
+/**
+ * Free a crypto context created by krb5_crypto_init().
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to free
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_destroy(krb5_context context,
                     krb5_crypto crypto)
 …
         free_key_usage(context, &crypto->key_usage[i], crypto->et);
     free(crypto->key_usage);
     free_key_data(context, &crypto->key, crypto->et);
+    _krb5_free_key_data(context, &crypto->key, crypto->et);
     free (crypto);
     return 0;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the blocksize used algorithm referenced by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param blocksize the resulting blocksize
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_getblocksize(krb5_context context,
                          krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the encryption type used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param enctype the resulting encryption type
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_getenctype(krb5_context context,
                        krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the padding size used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param padsize the return padding size
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_getpadsize(krb5_context context,
                        krb5_crypto crypto,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return the confounder size used by the crypto context
+ *
+ * @param context Kerberos context
+ * @param crypto crypto context to query
+ * @param confoundersize the returned confounder size
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_getconfoundersize(krb5_context context,
                               krb5_crypto crypto,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_disable(krb5_context context,
                      krb5_enctype enctype)
+{
     struct encryption_type *et = _find_enctype(enctype);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
     if(et == NULL) {
         if (context)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_enable(krb5_context context,
                     krb5_enctype enctype)
+{
     struct encryption_type *et = _find_enctype(enctype);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(enctype);
     if(et == NULL) {
         if (context)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_string_to_key_derived(krb5_context context,
+                           const void *str,
+                           size_t len,
+                           krb5_enctype etype,
+                           krb5_keyblock *key)
+{
+    struct encryption_type *et = _find_enctype(etype);
+    krb5_error_code ret;
+    struct key_data kd;
+    size_t keylen;
+    u_char *tmp;
+    if(et == NULL) {
+        krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+                                N_("encryption type %d not supported", ""),
+                                etype);
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    keylen = et->keytype->bits / 8;
+    ALLOC(kd.key, 1);
+    if(kd.key == NULL) {
+        krb5_set_error_message (context, ENOMEM,
+                                N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size);
+    if(ret) {
+        free(kd.key);
+        return ret;
+    }
+    kd.key->keytype = etype;
+    tmp = malloc (keylen);
+    if(tmp == NULL) {
+        krb5_free_keyblock(context, kd.key);
+        krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    ret = _krb5_n_fold(str, len, tmp, keylen);
+    if (ret) {
+        free(tmp);
+        krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
+        return ret;
+    }
+    kd.schedule = NULL;
+    DES3_random_to_key(context, kd.key, tmp, keylen);
+    memset(tmp, 0, keylen);
+    free(tmp);
+    ret = derive_key(context,
+                     et,
+                     &kd,
+                     "kerberos", /* XXX well known constant */
+                     strlen("kerberos"));
+    if (ret) {
+        free_key_data(context, &kd, et);
+        return ret;
+    }
+    ret = krb5_copy_keyblock_contents(context, kd.key, key);
+    free_key_data(context, &kd, et);
+    return ret;
+/**
+ * Enable or disable all weak encryption types
+ *
+ * @param context Kerberos 5 context
+ * @param enable true to enable, false to disable
+ *
+ * @return Return an error code or 0.
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_allow_weak_crypto(krb5_context context,
+                       krb5_boolean enable)
+{
+    int i;
+    for(i = 0; i < _krb5_num_etypes; i++)
+        if(_krb5_etypes[i]->flags & F_WEAK) {
+            if(enable)
+                _krb5_etypes[i]->flags &= ~F_DISABLED;
+            else
+                _krb5_etypes[i]->flags |= F_DISABLED;
+        }
+    return 0;
+}
 …
                 size_t       data_len)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     size_t padsize = et->padsize;
     size_t checksumsize = CHECKSUMSIZE(et->checksum);
 …
                         size_t       data_len)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     size_t padsize = et->padsize;
     size_t res;
 …
  */
+size_t
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
 krb5_get_wrapped_length (krb5_context context,
                          krb5_crypto  crypto,
 …
                  krb5_crypto  crypto)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     size_t res;
 …
                          krb5_crypto  crypto)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     size_t res;
 …
+}
+size_t
+KRB5_LIB_FUNCTION size_t KRB5_LIB_CALL
 krb5_crypto_overhead (krb5_context context, krb5_crypto crypto)
+{
 …
  * @param type the enctype resulting key will be of
  * @param data input random data to convert to a key
  * @param data size of input random data, at least krb5_enctype_keysize() long
  * @param data key, output key, free with krb5_free_keyblock_contents()
+ * @param size size of input random data, at least krb5_enctype_keysize() long
+ * @param key key, output key, free with krb5_free_keyblock_contents()
+ *
  * @return Return an error code or 0.
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_random_to_key(krb5_context context,
                    krb5_enctype type,
 …
+{
     krb5_error_code ret;
     struct encryption_type *et = _find_enctype(type);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
     if(et == NULL) {
         krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
 …
+}
+krb5_error_code
+_krb5_pk_octetstring2key(krb5_context context,
+                         krb5_enctype type,
+                         const void *dhdata,
+                         size_t dhsize,
+                         const heim_octet_string *c_n,
+                         const heim_octet_string *k_n,
+                         krb5_keyblock *key)
+{
+    struct encryption_type *et = _find_enctype(type);
+    krb5_error_code ret;
+    size_t keylen, offset;
+    void *keydata;
+    unsigned char counter;
+    unsigned char shaoutput[SHA_DIGEST_LENGTH];
+    if(et == NULL) {
+        krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                               N_("encryption type %d not supported", ""),
+                               type);
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    keylen = (et->keytype->bits + 7) / 8;
+    keydata = malloc(keylen);
+    if (keydata == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    counter = 0;
+    offset = 0;
+    do {
+        SHA_CTX m;
+        SHA1_Init(&m);
+        SHA1_Update(&m, &counter, 1);
+        SHA1_Update(&m, dhdata, dhsize);
+        if (c_n)
+            SHA1_Update(&m, c_n->data, c_n->length);
+        if (k_n)
+            SHA1_Update(&m, k_n->data, k_n->length);
+        SHA1_Final(shaoutput, &m);
+        memcpy((unsigned char *)keydata + offset,
+               shaoutput,
+               min(keylen - offset, sizeof(shaoutput)));
+        offset += sizeof(shaoutput);
+        counter++;
+    } while(offset < keylen);
+    memset(shaoutput, 0, sizeof(shaoutput));
+    ret = krb5_random_to_key(context, type, keydata, keylen, key);
+    memset(keydata, 0, sizeof(keylen));
+    free(keydata);
+    return ret;
+}
+static krb5_error_code
+encode_uvinfo(krb5_context context, krb5_const_principal p, krb5_data *data)
+{
+    KRB5PrincipalName pn;
+    krb5_error_code ret;
+    size_t size;
+    pn.principalName = p->name;
+    pn.realm = p->realm;
+    ASN1_MALLOC_ENCODE(KRB5PrincipalName, data->data, data->length,
+                       &pn, &size, ret);
+    if (ret) {
+        krb5_data_zero(data);
+        krb5_set_error_message(context, ret,
+                               N_("Failed to encode KRB5PrincipalName", ""));
+        return ret;
+    }
+    if (data->length != size)
+        krb5_abortx(context, "asn1 compiler internal error");
+    return 0;
+}
+static krb5_error_code
+encode_otherinfo(krb5_context context,
+                 const AlgorithmIdentifier *ai,
+                 krb5_const_principal client,
+                 krb5_const_principal server,
+                 krb5_enctype enctype,
+                 const krb5_data *as_req,
+                 const krb5_data *pk_as_rep,
+                 const Ticket *ticket,
+                 krb5_data *other)
+{
+    PkinitSP80056AOtherInfo otherinfo;
+    PkinitSuppPubInfo pubinfo;
+    krb5_error_code ret;
+    krb5_data pub;
+    size_t size;
+    krb5_data_zero(other);
+    memset(&otherinfo, 0, sizeof(otherinfo));
+    memset(&pubinfo, 0, sizeof(pubinfo));
+    pubinfo.enctype = enctype;
+    pubinfo.as_REQ = *as_req;
+    pubinfo.pk_as_rep = *pk_as_rep;
+    pubinfo.ticket = *ticket;
+    ASN1_MALLOC_ENCODE(PkinitSuppPubInfo, pub.data, pub.length,
+                       &pubinfo, &size, ret);
+    if (ret) {
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        return ret;
+    }
+    if (pub.length != size)
+        krb5_abortx(context, "asn1 compiler internal error");
+    ret = encode_uvinfo(context, client, &otherinfo.partyUInfo);
+    if (ret) {
+        free(pub.data);
+        return ret;
+    }
+    ret = encode_uvinfo(context, server, &otherinfo.partyVInfo);
+    if (ret) {
+        free(otherinfo.partyUInfo.data);
+        free(pub.data);
+        return ret;
+    }
+    otherinfo.algorithmID = *ai;
+    otherinfo.suppPubInfo = &pub;
+    ASN1_MALLOC_ENCODE(PkinitSP80056AOtherInfo, other->data, other->length,
+                       &otherinfo, &size, ret);
+    free(otherinfo.partyUInfo.data);
+    free(otherinfo.partyVInfo.data);
+    free(pub.data);
+    if (ret) {
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        return ret;
+    }
+    if (other->length != size)
+        krb5_abortx(context, "asn1 compiler internal error");
+    return 0;
+}
+krb5_error_code
+_krb5_pk_kdf(krb5_context context,
+             const struct AlgorithmIdentifier *ai,
+             const void *dhdata,
+             size_t dhsize,
+             krb5_const_principal client,
+             krb5_const_principal server,
+             krb5_enctype enctype,
+             const krb5_data *as_req,
+             const krb5_data *pk_as_rep,
+             const Ticket *ticket,
+             krb5_keyblock *key)
+{
+    struct encryption_type *et;
+    krb5_error_code ret;
+    krb5_data other;
+    size_t keylen, offset;
+    uint32_t counter;
+    unsigned char *keydata;
+    unsigned char shaoutput[SHA_DIGEST_LENGTH];
+    if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) {
+        krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                               N_("KDF not supported", ""));
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    if (ai->parameters != NULL &&
+        (ai->parameters->length != 2 ||
+         memcmp(ai->parameters->data, "\x05\x00", 2) != 0))
+        {
+            krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                                   N_("kdf params not NULL or the NULL-type",
+                                      ""));
+            return KRB5_PROG_ETYPE_NOSUPP;
+        }
+    et = _find_enctype(enctype);
+    if(et == NULL) {
+        krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
+                               N_("encryption type %d not supported", ""),
+                               enctype);
+        return KRB5_PROG_ETYPE_NOSUPP;
+    }
+    keylen = (et->keytype->bits + 7) / 8;
+    keydata = malloc(keylen);
+    if (keydata == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    ret = encode_otherinfo(context, ai, client, server,
+                           enctype, as_req, pk_as_rep, ticket, &other);
+    if (ret) {
+        free(keydata);
+        return ret;
+    }
+    offset = 0;
+    counter = 1;
+    do {
+        unsigned char cdata[4];
+        SHA_CTX m;
+        SHA1_Init(&m);
+        _krb5_put_int(cdata, counter, 4);
+        SHA1_Update(&m, cdata, 4);
+        SHA1_Update(&m, dhdata, dhsize);
+        SHA1_Update(&m, other.data, other.length);
+        SHA1_Final(shaoutput, &m);
+        memcpy((unsigned char *)keydata + offset,
+               shaoutput,
+               min(keylen - offset, sizeof(shaoutput)));
+        offset += sizeof(shaoutput);
+        counter++;
+    } while(offset < keylen);
+    memset(shaoutput, 0, sizeof(shaoutput));
+    free(other.data);
+    ret = krb5_random_to_key(context, enctype, keydata, keylen, key);
+    memset(keydata, 0, sizeof(keylen));
+    free(keydata);
+    return ret;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_prf_length(krb5_context context,
                        krb5_enctype type,
                        size_t *length)
+{
     struct encryption_type *et = _find_enctype(type);
+    struct _krb5_encryption_type *et = _krb5_find_enctype(type);
     if(et == NULL || et->prf_length == 0) {
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_prf(krb5_context context,
                 const krb5_crypto crypto,
 …
                 krb5_data *output)
+{
     struct encryption_type *et = crypto->et;
+    struct _krb5_encryption_type *et = crypto->et;
     krb5_data_zero(output);
 …
  * @param crypto2 second key to combine
  * @param pepper1 factor to combine with first key to garante uniqueness
  * @param pepper1 factor to combine with second key to garante uniqueness
+ * @param pepper2 factor to combine with second key to garante uniqueness
  * @param enctype the encryption type of the resulting key
  * @param res allocated key, free with krb5_free_keyblock_contents()
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_crypto_fx_cf2(krb5_context context,
                    const krb5_crypto crypto1,
 …
 #ifndef HEIMDAL_SMALLER
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_keytype_to_enctypes (krb5_context context,
                           krb5_keytype keytype,
                           unsigned *len,
                           krb5_enctype **val)
-    KRB5_DEPRECATED
+{
     int i;
 …
     krb5_enctype *ret;
     for (i = num_etypes - 1; i >= 0; --i) {
         if (etypes[i]->keytype->type == keytype
             && !(etypes[i]->flags & F_PSEUDO)
             && krb5_enctype_valid(context, etypes[i]->type) == 0)
+    for (i = _krb5_num_etypes - 1; i >= 0; --i) {
+        if (_krb5_etypes[i]->keytype->type == keytype
+            && !(_krb5_etypes[i]->flags & F_PSEUDO)
+            && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
             ++n;
+    }
 …
+    }
     n = 0;
     for (i = num_etypes - 1; i >= 0; --i) {
         if (etypes[i]->keytype->type == keytype
             && !(etypes[i]->flags & F_PSEUDO)
             && krb5_enctype_valid(context, etypes[i]->type) == 0)
             ret[n++] = etypes[i]->type;
+    for (i = _krb5_num_etypes - 1; i >= 0; --i) {
+        if (_krb5_etypes[i]->keytype->type == keytype
+            && !(_krb5_etypes[i]->flags & F_PSEUDO)
+            && krb5_enctype_valid(context, _krb5_etypes[i]->type) == 0)
+            ret[n++] = _krb5_etypes[i]->type;
+    }
     *len = n;
 …
+}
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
 /* if two enctypes have compatible keys */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_enctypes_compatible_keys(krb5_context context,
                               krb5_enctype etype1,
                               krb5_enctype etype2)
+    KRB5_DEPRECATED
+{
+    struct encryption_type *e1 = _find_enctype(etype1);
+    struct encryption_type *e2 = _find_enctype(etype2);
+{
+    struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
+    struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
     return e1 != NULL && e2 != NULL && e1->keytype == e2->keytype;
+}

trunk/server/source4/heimdal/lib/krb5/data.c

-              r414
+              r745
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_data_zero(krb5_data *p)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_data_free(krb5_data *p)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_data(krb5_context context,
                krb5_data *p)
 …
  * Allocate data of and krb5_data.
+ *
  * @param p krb5_data to free.
+ * @param p krb5_data to allocate.
  * @param len size to allocate.
+ *
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_data_alloc(krb5_data *p, int len)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_data_realloc(krb5_data *p, int len)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_data_copy(krb5_data *p, const void *data, size_t len)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_data(krb5_context context,
                const krb5_data *indata,
 …
  */
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_data_cmp(const krb5_data *data1, const krb5_data *data2)
+{
 …
     return memcmp(data1->data, data2->data, data1->length);
+}
+/**
+ * Compare to data not exposing timing information from the checksum data
+ *
+ * @param data1 krb5_data to compare
+ * @param data2 krb5_data to compare
+ *
+ * @return returns zero for same data, otherwise non zero.
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+krb5_data_ct_cmp(const krb5_data *data1, const krb5_data *data2)
+{
+    if (data1->length != data2->length)
+        return data1->length - data2->length;
+    return ct_memcmp(data1->data, data2->data, data1->length);
+}

trunk/server/source4/heimdal/lib/krb5/eai_to_heim_errno.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 /**
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_eai_to_heim_errno(int eai_errno, int system_error)
+{
 …
     case EAI_SOCKTYPE:
         return HEIM_EAI_SOCKTYPE;
+#ifdef EAI_SYSTEM
     case EAI_SYSTEM:
         return system_error;
+#endif
     default:
         return HEIM_EAI_UNKNOWN; /* XXX */
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_h_errno_to_heim_errno(int eai_errno)
+{

trunk/server/source4/heimdal/lib/krb5/error_string.c

-              r414
+              r745
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_clear_error_message(krb5_context context)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_set_error_message(krb5_context context, krb5_error_code ret,
                        const char *fmt, ...)
 …
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_vset_error_message (krb5_context context, krb5_error_code ret,
                          const char *fmt, va_list args)
     __attribute__ ((format (printf, 3, 0)))
+{
+    krb5_clear_error_message(context);
+    HEIMDAL_MUTEX_lock(context->mutex);
+    int r;
+    HEIMDAL_MUTEX_lock(context->mutex);
+    if (context->error_string) {
+        free(context->error_string);
+        context->error_string = NULL;
+    }
     context->error_code = ret;
+    vasprintf(&context->error_string, fmt, args);
+    r = vasprintf(&context->error_string, fmt, args);
+    if (r < 0)
+        context->error_string = NULL;
+    HEIMDAL_MUTEX_unlock(context->mutex);
+}
+/**
+ * Prepend the context full error string for a specific error code.
+ * The error that is stored should be internationalized.
+ *
+ * @param context Kerberos 5 context
+ * @param ret The error code
+ * @param fmt Error string for the error code
+ * @param ... printf(3) style parameters.
+ *
+ * @ingroup krb5_error
+ */
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_prepend_error_message(krb5_context context, krb5_error_code ret,
+                           const char *fmt, ...)
+    __attribute__ ((format (printf, 3, 4)))
+{
+    va_list ap;
+    va_start(ap, fmt);
+    krb5_vprepend_error_message(context, ret, fmt, ap);
+    va_end(ap);
+}
+/**
+ * Prepend the contexts's full error string for a specific error code.
+ *
+ * @param context Kerberos 5 context
+ * @param ret The error code
+ * @param fmt Error string for the error code
+ * @param args printf(3) style parameters.
+ *
+ * @ingroup krb5_error
+ */
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
+                            const char *fmt, va_list args)
+    __attribute__ ((format (printf, 3, 0)))
+{
+    char *str = NULL, *str2 = NULL;
+    HEIMDAL_MUTEX_lock(context->mutex);
+    if (context->error_code != ret) {
+        HEIMDAL_MUTEX_unlock(context->mutex);
+        return;
+    }
+    if (vasprintf(&str, fmt, args) < 0 || str == NULL) {
+        HEIMDAL_MUTEX_unlock(context->mutex);
+        return;
+    }
+    if (context->error_string) {
+        int e;
+        e = asprintf(&str2, "%s: %s", str, context->error_string);
+        free(context->error_string);
+        if (e < 0 || str2 == NULL)
+            context->error_string = NULL;
+        else
+            context->error_string = str2;
+        free(str);
+    } else
+        context->error_string = str;
     HEIMDAL_MUTEX_unlock(context->mutex);
+}
 …
  */
+char * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION char * KRB5_LIB_CALL
 krb5_get_error_string(krb5_context context)
+{
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_have_error_string(krb5_context context)
+{
 …
  */
+const char * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
 krb5_get_error_message(krb5_context context, krb5_error_code code)
+{
-    const char *cstr;
     char *str;
 …
     if (code == 0)
         return strdup("Success");
+    cstr = krb5_get_err_text(context, code);
+    if (cstr)
+        return strdup(cstr);
+    if (asprintf(&str, "<unknown error: %d>", (int)code) == -1)
+    {
+        const char *msg;
+        char buf[128];
+        msg = com_right_r(context->et_list, code, buf, sizeof(buf));
+        if (msg)
+            return strdup(msg);
+    }
+    if (asprintf(&str, "<unknown error: %d>", (int)code) == -1 || str == NULL)
         return NULL;
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_error_message(krb5_context context, const char *msg)
+{
     free(rk_UNCONST(msg));
+}
+/**
+ * Return the error string for the error code. The caller must not
+ * free the string.
+ *
+ * This function is deprecated since its not threadsafe.
+ *
+ * @param context Kerberos 5 context.
+ * @param code Kerberos error code.
+ *
+ * @return the error message matching code
+ *
+ * @ingroup krb5
+ */
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
+krb5_get_err_text(krb5_context context, krb5_error_code code)
+{
+    const char *p = NULL;
+    if(context != NULL)
+        p = com_right(context->et_list, code);
+    if(p == NULL)
+        p = strerror(code);
+    if (p == NULL)
+        p = "Unknown error";
+    return p;
+}

trunk/server/source4/heimdal/lib/krb5/expand_hostname.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_expand_hostname (krb5_context context,
                       const char *orig_hostname,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_expand_hostname_realms (krb5_context context,
                              const char *orig_hostname,

trunk/server/source4/heimdal/lib/krb5/fcache.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #define FCC_CURSOR(C) ((struct fcc_cursor*)(C))
 static const char*
+static const char* KRB5_CALLCONV
 fcc_get_name(krb5_context context,
              krb5_ccache id)
 …
                                filename);
         break;
+    default:
+    default: {
+        char buf[128];
+        rk_strerror_r(ret, buf, sizeof(buf));
         krb5_set_error_message(context, ret,
                                N_("error locking cache file %s: %s",
                                   "file, error"),
                                filename, strerror(ret));
+        break;
+                                  "file, error"), filename, buf);
+        break;
+    }
+    }
     return ret;
 …
         ret = 0;
         break;
+    default:
+    default: {
+        char buf[128];
+        rk_strerror_r(ret, buf, sizeof(buf));
         krb5_set_error_message(context, ret,
                                N_("Failed to unlock file: %s", ""),
                                strerror(ret));
+        break;
+                               N_("Failed to unlock file: %s", ""), buf);
+        break;
+    }
+    }
     return ret;
 …
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_lock(krb5_context context, krb5_ccache id,
          int fd, krb5_boolean exclusive)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_unlock(krb5_context context, int fd)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
 …
         pos -= tmp;
+    }
+#ifdef _MSC_VER
+    _commit (fd);
+#else
     fsync (fd);
+#endif
     return 0;
+}
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_gen_new(krb5_context context, krb5_ccache *id)
+{
+    char *file = NULL, *exp_file = NULL;
+    krb5_error_code ret;
     krb5_fcache *f;
     int fd;
-    char *file;
     f = malloc(sizeof(*f));
 …
         return KRB5_CC_NOMEM;
+    }
     asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
     if(file == NULL) {
+    ret = asprintf (&file, "%sXXXXXX", KRB5_DEFAULT_CCFILE_ROOT);
+    if(ret < 0 || file == NULL) {
         free(f);
         krb5_set_error_message(context, KRB5_CC_NOMEM,
 …
         return KRB5_CC_NOMEM;
+    }
+    fd = mkstemp(file);
+    ret = _krb5_expand_path_tokens(context, file, &exp_file);
+    free(file);
+    if (ret)
+        return ret;
+    file = exp_file;
+    fd = mkstemp(exp_file);
     if(fd < 0) {
         int ret = errno;
         krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), file);
+        krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file);
         free(f);
         free(file);
+        free(exp_file);
         return ret;
+    }
     close(fd);
     f->filename = file;
+    f->filename = exp_file;
     f->version = 0;
     (*id)->data.data = f;
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_open(krb5_context context,
          krb5_ccache id,
 …
     fd = open(filename, flags, mode);
     if(fd < 0) {
+        char buf[128];
         ret = errno;
+        rk_strerror_r(ret, buf, sizeof(buf));
         krb5_set_error_message(context, ret, N_("open(%s): %s", "file, error"),
                                filename, strerror(ret));
+                               filename, buf);
         return ret;
+    }
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_initialize(krb5_context context,
                krb5_ccache id,
 …
     if (close(fd) < 0)
         if (ret == 0) {
+            char buf[128];
             ret = errno;
+            rk_strerror_r(ret, buf, sizeof(buf));
             krb5_set_error_message (context, ret, N_("close %s: %s", ""),
                                     FILENAME(id), strerror(ret));
+                                    FILENAME(id), buf);
+        }
     return ret;
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_close(krb5_context context,
           krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_destroy(krb5_context context,
             krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_store_cred(krb5_context context,
                krb5_ccache id,
 …
     if (close(fd) < 0) {
         if (ret == 0) {
+            char buf[128];
+            rk_strerror_r(ret, buf, sizeof(buf));
             ret = errno;
             krb5_set_error_message (context, ret, N_("close %s: %s", ""),
                                     FILENAME(id), strerror(ret));
+                                    FILENAME(id), buf);
+        }
+    }
 …
           krb5_ccache id,
           krb5_storage **ret_sp,
+          int *ret_fd)
+          int *ret_fd,
+          krb5_deltat *kdc_offset)
+{
     int fd;
 …
     krb5_storage *sp;
     krb5_error_code ret;
+    if (kdc_offset)
+        *kdc_offset = 0;
     ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY | O_CLOEXEC, 0);
 …
+            }
             switch (dtag) {
+            case FCC_TAG_DELTATIME :
+                ret = krb5_ret_int32 (sp, &context->kdc_sec_offset);
+            case FCC_TAG_DELTATIME : {
+                int32_t offset;
+                ret = krb5_ret_int32 (sp, &offset);
+                ret |= krb5_ret_int32 (sp, &context->kdc_usec_offset);
                 if(ret) {
                     ret = KRB5_CC_FORMAT;
 …
                     goto out;
+                }
+                ret = krb5_ret_int32 (sp, &context->kdc_usec_offset);
+                if(ret) {
+                    ret = KRB5_CC_FORMAT;
+                    krb5_set_error_message(context, ret,
+                                           N_("Error reading kdc_usec in "
+                                              "cache file: %s", ""),
+                                           FILENAME(id));
+                    goto out;
+                }
+                context->kdc_sec_offset = offset;
+                if (kdc_offset)
+                    *kdc_offset = offset;
                 break;
+            }
             default :
                 for (i = 0; i < data_len; ++i) {
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_get_principal(krb5_context context,
                   krb5_ccache id,
 …
     krb5_storage *sp;
     ret = init_fcc (context, id, &sp, &fd);
+    ret = init_fcc (context, id, &sp, &fd, NULL);
     if (ret)
         return ret;
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_end_get (krb5_context context,
              krb5_ccache id,
              krb5_cc_cursor *cursor);
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_get_first (krb5_context context,
                krb5_ccache id,
 …
     ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp,
                     &FCC_CURSOR(*cursor)->fd);
+                    &FCC_CURSOR(*cursor)->fd, NULL);
     if (ret) {
         free(*cursor);
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_get_next (krb5_context context,
               krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_end_get (krb5_context context,
              krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_remove_cred(krb5_context context,
                  krb5_ccache id,
 …
     krb5_error_code ret;
     krb5_ccache copy, newfile;
     char *newname;
+    char *newname = NULL;
     int fd;
 …
+    }
     asprintf(&newname, "FILE:%s.XXXXXX", FILENAME(id));
     if (newname == NULL) {
+    ret = asprintf(&newname, "FILE:%s.XXXXXX", FILENAME(id));
+    if (ret < 0 || newname == NULL) {
         krb5_cc_destroy(context, copy);
         return ret;
+        return ENOMEM;
+    }
 …
+    }
     ret = rename(&newname[5], FILENAME(id));
+    ret = rk_rename(&newname[5], FILENAME(id));
     if (ret)
         ret = errno;
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_set_flags(krb5_context context,
               krb5_ccache id,
 …
+}
 static int
+static int KRB5_CALLCONV
 fcc_get_version(krb5_context context,
                 krb5_ccache id)
 …
 };
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
 …
         fn = expandedfn;
+    }
+    /* check if file exists, don't return a non existant "next" */
+    if (strncasecmp(fn, "FILE:", 5) == 0) {
+        struct stat sb;
+        ret = stat(fn + 5, &sb);
+        if (ret) {
+            ret = KRB5_CC_END;
+            goto out;
+        }
+    }
     ret = krb5_cc_resolve(context, fn, id);
+ out:
     if (expandedfn)
         free(expandedfn);
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
     krb5_error_code ret = 0;
+    ret = rename(FILENAME(from), FILENAME(to));
+    ret = rk_rename(FILENAME(from), FILENAME(to));
     if (ret && errno != EXDEV) {
+        char buf[128];
         ret = errno;
+        rk_strerror_r(ret, buf, sizeof(buf));
         krb5_set_error_message(context, ret,
                                N_("Rename of file from %s "
                                   "to %s failed: %s", ""),
+                               FILENAME(from), FILENAME(to),
+                               strerror(ret));
+                               FILENAME(from), FILENAME(to), buf);
         return ret;
     } else if (ret && errno == EXDEV) {
 …
         krb5_storage *sp;
         int fd;
+        ret = init_fcc (context, to, &sp, &fd);
+        if (sp)
+            krb5_storage_free(sp);
+        fcc_unlock(context, fd);
+        close(fd);
+    }
+    fcc_destroy(context, from);
+    return ret;
+}
+static krb5_error_code
+        if ((ret = init_fcc (context, to, &sp, &fd, NULL)) == 0) {
+            if (sp)
+                krb5_storage_free(sp);
+            fcc_unlock(context, fd);
+            close(fd);
+        }
+    }
+    fcc_close(context, from);
+    return ret;
+}
+static krb5_error_code KRB5_CALLCONV
 fcc_get_default_name(krb5_context context, char **str)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 fcc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
 …
     return 0;
+}
+static krb5_error_code KRB5_CALLCONV
+fcc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
+{
+    return 0;
+}
+static krb5_error_code KRB5_CALLCONV
+fcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset)
+{
+    krb5_error_code ret;
+    krb5_storage *sp = NULL;
+    int fd;
+    ret = init_fcc(context, id, &sp, &fd, kdc_offset);
+    if (sp)
+        krb5_storage_free(sp);
+    fcc_unlock(context, fd);
+    close(fd);
+    return ret;
+}
 /**
 …
     fcc_get_default_name,
     NULL,
+    fcc_lastchange
+    fcc_lastchange,
+    fcc_set_kdc_offset,
+    fcc_get_kdc_offset
 };

trunk/server/source4/heimdal/lib/krb5/free.c

r414	r745
34	34	#include "krb5_locl.h"
35	35
36		krb5_error_code KRB5_LIB_FUNCTION
	36	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
37	37	krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *rep)
38	38	{
…	…
44	44	}
45	45
46		krb5_error_code KRB5_LIB_FUNCTION
	46	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
47	47	krb5_xfree (void *ptr)
48	48	{

trunk/server/source4/heimdal/lib/krb5/free_host_realm.c

r414	r745
45	45	*/
46	46
47		krb5_error_code KRB5_LIB_FUNCTION
	47	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
48	48	krb5_free_host_realm(krb5_context context,
49	49	krb5_realm *realmlist)

trunk/server/source4/heimdal/lib/krb5/generate_seq_number.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_generate_seq_number(krb5_context context,
                          const krb5_keyblock *key,
                          uint32_t *seqno)
+{
+    krb5_error_code ret;
+    krb5_keyblock *subkey;
+    uint32_t q;
+    u_char *p;
+    int i;
+    ret = krb5_generate_subkey (context, key, &subkey);
+    if (ret)
+        return ret;
+    q = 0;
+    for (p = (u_char *)subkey->keyvalue.data, i = 0;
+         i < subkey->keyvalue.length;
+         ++i, ++p)
+        q = (q << 8) | *p;
+    q &= 0xffffffff;
+    *seqno = q;
+    krb5_free_keyblock (context, subkey);
+    if (RAND_bytes((void *)seqno, sizeof(*seqno)) <= 0)
+        krb5_abortx(context, "Failed to generate random block");
+    /* MIT used signed numbers, lets not stomp into that space directly */
+    *seqno &= 0x3fffffff;
+    if (*seqno == 0)
+        *seqno = 1;
     return 0;
+}

trunk/server/source4/heimdal/lib/krb5/generate_subkey.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_generate_subkey(krb5_context context,
+                     const krb5_keyblock *key,
+                     krb5_keyblock **subkey)
+{
+    return krb5_generate_subkey_extended(context, key, key->keytype, subkey);
+}
+/**
+ * Generate subkey, from keyblock
+ *
+ * @param context kerberos context
+ * @param key session key
+ * @param etype encryption type of subkey, if ETYPE_NULL, use key's enctype
+ * @param subkey returned new, free with krb5_free_keyblock().
+ *
+ * @return 0 on success or a Kerberos 5 error code
+ *
+* @ingroup krb5_crypto
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_generate_subkey_extended(krb5_context context,
                               const krb5_keyblock *key,

trunk/server/source4/heimdal/lib/krb5/get_addrs.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_all_client_addrs (krb5_context context, krb5_addresses *res)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_all_server_addrs (krb5_context context, krb5_addresses *res)
+{

trunk/server/source4/heimdal/lib/krb5/get_cred.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
  */
+#include <krb5_locl.h>
+#include "krb5_locl.h"
+#include <assert.h>
+static krb5_error_code
+get_cred_kdc_capath(krb5_context, krb5_kdc_flags,
+                    krb5_ccache, krb5_creds *, krb5_principal,
+                    Ticket *, krb5_creds **, krb5_creds ***);
 /*
 …
                KDC_REQ_BODY *req_body,
                krb5_authdata *authdata,
                krb5_keyblock *key)
+               krb5_keyblock *subkey)
+{
     if(authdata->len) {
 …
             return ENOMEM;
+        }
         ret = krb5_crypto_init(context, key, 0, &crypto);
+        ret = krb5_crypto_init(context, subkey, 0, &crypto);
         if (ret) {
             free (buf);
 …
                                    crypto,
                                    KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY,
-                                   /* KRB5_KU_TGS_REQ_AUTH_DAT_SESSION? */
                                    buf,
                                    len,
 …
               TGS_REQ *t)
+{
+    krb5_auth_context ac = NULL;
     krb5_error_code ret = 0;
 …
+    }
+    {
+        krb5_auth_context ac;
+        krb5_keyblock *key = NULL;
+        ret = krb5_auth_con_init(context, &ac);
+        if(ret)
+            goto fail;
+        if (krb5_config_get_bool_default(context, NULL, FALSE,
+                                         "realms",
+                                         krbtgt->server->realm,
+                                         "tgs_require_subkey",
+                                         NULL))
+        {
+            ret = krb5_generate_subkey (context, &krbtgt->session, &key);
+            if (ret) {
+                krb5_auth_con_free (context, ac);
+                goto fail;
+            }
+            ret = krb5_auth_con_setlocalsubkey(context, ac, key);
+            if (ret) {
+                if (key)
+                    krb5_free_keyblock (context, key);
+                krb5_auth_con_free (context, ac);
+                goto fail;
+            }
+        }
+        ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
+                             key ? key : &krbtgt->session);
+        if (ret) {
+            if (key)
+                krb5_free_keyblock (context, key);
+            krb5_auth_con_free (context, ac);
+            goto fail;
+        }
+        ret = make_pa_tgs_req(context,
+                              ac,
+                              &t->req_body,
+                              &t->padata->val[0],
+                              krbtgt);
+        if(ret) {
+            if (key)
+                krb5_free_keyblock (context, key);
+            krb5_auth_con_free(context, ac);
+            goto fail;
+        }
+        *subkey = key;
+    ret = krb5_auth_con_init(context, &ac);
+    if(ret)
+        goto fail;
+    ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
+    if (ret)
+        goto fail;
+    ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
+                         ac->local_subkey);
+    if (ret)
+        goto fail;
+    ret = make_pa_tgs_req(context,
+                          ac,
+                          &t->req_body,
+                          &t->padata->val[0],
+                          krbtgt);
+    if(ret)
+        goto fail;
+    ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
+    if (ret)
+        goto fail;
+fail:
+    if (ac)
         krb5_auth_con_free(context, ac);
+    }
-fail:
     if (ret) {
         t->req_body.addresses = NULL;
 …
 /* DCE compatible decrypt proc */
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 decrypt_tkt_with_subkey (krb5_context context,
                          krb5_keyblock *key,
                          krb5_key_usage usage,
                          krb5_const_pointer subkey,
+                         krb5_const_pointer skey,
                          krb5_kdc_rep *dec_rep)
+{
+    krb5_error_code ret;
+    const krb5_keyblock *subkey = skey;
+    krb5_error_code ret = 0;
     krb5_data data;
     size_t size;
     krb5_crypto crypto;
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+        return ret;
+    ret = krb5_decrypt_EncryptedData (context,
+                                      crypto,
+                                      usage,
+                                      &dec_rep->kdc_rep.enc_part,
+                                      &data);
+    krb5_crypto_destroy(context, crypto);
+    if(ret && subkey){
+        /* DCE compat -- try to decrypt with subkey */
+    assert(usage == 0);
+    /*
+     * start out with trying with subkey if we have one
+     */
+    if (subkey) {
         ret = krb5_crypto_init(context, subkey, 0, &crypto);
         if (ret)
 …
                                           crypto,
                                           KRB5_KU_TGS_REP_ENC_PART_SUB_KEY,
+                                          &dec_rep->kdc_rep.enc_part,
+                                          &data);
+        /*
+         * If the is Windows 2000 DC, we need to retry with key usage
+         * 8 when doing ARCFOUR.
+         */
+        if (ret && subkey->keytype == ETYPE_ARCFOUR_HMAC_MD5) {
+            ret = krb5_decrypt_EncryptedData(context,
+                                             crypto,
+,
+                                             &dec_rep->kdc_rep.enc_part,
+                                             &data);
+        }
+        krb5_crypto_destroy(context, crypto);
+    }
+    if (subkey == NULL || ret) {
+        ret = krb5_crypto_init(context, key, 0, &crypto);
+        if (ret)
+            return ret;
+        ret = krb5_decrypt_EncryptedData (context,
+                                          crypto,
+                                          KRB5_KU_TGS_REP_ENC_PART_SESSION,
                                           &dec_rep->kdc_rep.enc_part,
                                           &data);
 …
                                    &krbtgt->session,
                                    NULL,
                                    KRB5_KU_TGS_REP_ENC_PART_SESSION,
+,
                                    &krbtgt->addresses,
                                    nonce,
 …
     krb5_data_free(&resp);
     krb5_data_free(&enc);
+    if(subkey){
+        krb5_free_keyblock_contents(context, subkey);
+        free(subkey);
+    }
+    if(subkey)
+        krb5_free_keyblock(context, subkey);
     return ret;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_kdc_cred(krb5_context context,
                   krb5_ccache id,
 …
+}
-/*
-get_cred(server)
-        creds = cc_get_cred(server)
-        if(creds) return creds
-        tgt = cc_get_cred(krbtgt/server_realm@any_realm)
-        if(tgt)
-                return get_cred_tgt(server, tgt)
-        if(client_realm == server_realm)
-                return NULL
-        tgt = get_cred(krbtgt/server_realm@client_realm)
-        while(tgt_inst != server_realm)
-                tgt = get_cred(krbtgt/server_realm@tgt_inst)
-        return get_cred_tgt(server, tgt)
-        */
 static krb5_error_code
+get_cred_kdc_capath(krb5_context context,
+                    krb5_kdc_flags flags,
+                    krb5_ccache ccache,
+                    krb5_creds *in_creds,
+                    krb5_principal impersonate_principal,
+                    Ticket *second_ticket,
+                    krb5_creds **out_creds,
+                    krb5_creds ***ret_tgts)
+get_cred_kdc_capath_worker(krb5_context context,
+                           krb5_kdc_flags flags,
+                           krb5_ccache ccache,
+                           krb5_creds *in_creds,
+                           krb5_const_realm try_realm,
+                           krb5_principal impersonate_principal,
+                           Ticket *second_ticket,
+                           krb5_creds **out_creds,
+                           krb5_creds ***ret_tgts)
+{
     krb5_error_code ret;
     krb5_creds *tgt, tmp_creds;
     krb5_const_realm client_realm, server_realm, try_realm;
+    krb5_const_realm client_realm, server_realm;
     int ok_as_delegate = 1;
 …
     if(ret)
         return ret;
-    try_realm = krb5_config_get_string(context, NULL, "capaths",
-                                       client_realm, server_realm, NULL);
-    if (try_realm == NULL)
-        try_realm = client_realm;
     ret = krb5_make_principal(context,
 …
                         *ret_tgts, &tgts);
         if(ret == 0){
+            if (try_realm != client_realm)
+            /* only allow implicit ok_as_delegate if the realm is the clients realm */
+            if (strcmp(try_realm, client_realm) != 0 || strcmp(try_realm, server_realm) != 0)
                 ok_as_delegate = tgts.flags.b.ok_as_delegate;
 …
     krb5_free_creds(context, tgt);
     return ret;
+}
+/*
+get_cred(server)
+        creds = cc_get_cred(server)
+        if(creds) return creds
+        tgt = cc_get_cred(krbtgt/server_realm@any_realm)
+        if(tgt)
+                return get_cred_tgt(server, tgt)
+        if(client_realm == server_realm)
+                return NULL
+        tgt = get_cred(krbtgt/server_realm@client_realm)
+        while(tgt_inst != server_realm)
+                tgt = get_cred(krbtgt/server_realm@tgt_inst)
+        return get_cred_tgt(server, tgt)
+        */
+static krb5_error_code
+get_cred_kdc_capath(krb5_context context,
+                    krb5_kdc_flags flags,
+                    krb5_ccache ccache,
+                    krb5_creds *in_creds,
+                    krb5_principal impersonate_principal,
+                    Ticket *second_ticket,
+                    krb5_creds **out_creds,
+                    krb5_creds ***ret_tgts)
+{
+    krb5_error_code ret;
+    krb5_const_realm client_realm, server_realm, try_realm;
+    client_realm = krb5_principal_get_realm(context, in_creds->client);
+    server_realm = krb5_principal_get_realm(context, in_creds->server);
+    try_realm = client_realm;
+    ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds, try_realm,
+                                     impersonate_principal, second_ticket, out_creds,
+                                     ret_tgts);
+    if (ret == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
+        try_realm = krb5_config_get_string(context, NULL, "capaths",
+                                           client_realm, server_realm, NULL);
+        if (try_realm != NULL && strcmp(try_realm, client_realm)) {
+            ret = get_cred_kdc_capath_worker(context, flags, ccache, in_creds,
+                                             try_realm, impersonate_principal,
+                                             second_ticket, out_creds, ret_tgts);
+        }
+    }
+    return ret;
+}
 …
     int loop = 0;
     int ok_as_delegate = 1;
+    if (in_creds->server->name.name_string.len < 2 && !flags.b.canonicalize) {
+        krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
+                               N_("Name too short to do referals, skipping", ""));
+        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
+    }
     memset(&tgt, 0, sizeof(tgt));
 …
         if (ret) {
             ret = get_cred_kdc_address (context, ccache, flags, NULL,
                                         &referral, &tgt, impersonate_principal,
                                         second_ticket, &ticket);
+            ret = get_cred_kdc_address(context, ccache, flags, NULL,
+                                       &referral, &tgt, impersonate_principal,
+                                       second_ticket, &ticket);
             if (ret)
                 goto out;
 …
             break;
+        if (ticket.server->name.name_string.len != 2 &&
+            strcmp(ticket.server->name.name_string.val[0], KRB5_TGS_NAME) != 0)
+        {
+        if (!krb5_principal_is_krbtgt(context, ticket.server)) {
             krb5_set_error_message(context, KRB5KRB_AP_ERR_NOT_US,
                                    N_("Got back an non krbtgt "
                                       "ticket referrals", ""));
             krb5_free_cred_contents(context, &ticket);
             return KRB5KRB_AP_ERR_NOT_US;
+            ret = KRB5KRB_AP_ERR_NOT_US;
+            goto out;
+        }
 …
                                        tgt.server->realm,
                                        referral_realm);
                 krb5_free_cred_contents(context, &ticket);
                 return KRB5_GET_IN_TKT_LOOP;
+                ret = KRB5_GET_IN_TKT_LOOP;
+                goto out;
+            }
             tickets++;
 …
         ret = add_cred(context, &ticket, ret_tgts);
+        if (ret) {
+            krb5_free_cred_contents(context, &ticket);
+        if (ret)
             goto out;
+        }
         /* try realm in the referral */
 …
     krb5_free_principal(context, referral.server);
     krb5_free_cred_contents(context, &tgt);
+    krb5_free_cred_contents(context, &ticket);
     return ret;
+}
 …
+{
     krb5_error_code ret;
+    krb5_deltat offset;
+    ret = krb5_cc_get_kdc_offset(context, ccache, &offset);
+    if (ret) {
+        context->kdc_sec_offset = offset;
+        context->kdc_usec_offset = 0;
+    }
     ret = get_cred_kdc_referral(context,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_credentials_with_flags(krb5_context context,
                                 krb5_flags options,
 …
     krb5_creds *res_creds;
     int i;
+    if (in_creds->session.keytype) {
+        ret = krb5_enctype_valid(context, in_creds->session.keytype);
+        if (ret)
+            return ret;
+    }
     *out_creds = NULL;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_credentials(krb5_context context,
                      krb5_flags options,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_creds_opt_alloc(krb5_context context, krb5_get_creds_opt *opt)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_creds_opt_free(krb5_context context, krb5_get_creds_opt opt)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_creds_opt_set_options(krb5_context context,
                                krb5_get_creds_opt opt,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_creds_opt_add_options(krb5_context context,
                                krb5_get_creds_opt opt,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_creds_opt_set_enctype(krb5_context context,
                                krb5_get_creds_opt opt,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_creds_opt_set_impersonate(krb5_context context,
                                    krb5_get_creds_opt opt,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_creds_opt_set_ticket(krb5_context context,
                               krb5_get_creds_opt opt,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_creds(krb5_context context,
                krb5_get_creds_opt opt,
 …
     int i;
+    if (opt && opt->enctype) {
+        ret = krb5_enctype_valid(context, opt->enctype);
+        if (ret)
+            return ret;
+    }
     memset(&in_creds, 0, sizeof(in_creds));
     in_creds.server = rk_UNCONST(inprinc);
 …
         return ret;
+    options = opt->options;
+    if (opt)
+        options = opt->options;
+    else
+        options = 0;
     flags.i = 0;
 …
+    }
     if (opt->enctype) {
+    if (opt && opt->enctype) {
         in_creds.session.keytype = opt->enctype;
         options |= KRB5_TC_MATCH_KEYTYPE;
 …
     ret = krb5_cc_retrieve_cred(context,
                                 ccache,
                                 opt->enctype ? KRB5_TC_MATCH_KEYTYPE : 0,
+                                options & KRB5_TC_MATCH_KEYTYPE,
                                 &in_creds, res_creds);
     /*
 …
             *out_creds = res_creds;
             krb5_free_principal(context, in_creds.client);
             return 0;
+            goto out;
+        }
 …
             *out_creds = res_creds;
             krb5_free_principal(context, in_creds.client);
             return 0;
+            goto out;
+        }
         if(options & KRB5_GC_CACHED)
 …
         free(res_creds);
         krb5_free_principal(context, in_creds.client);
         return ret;
+        goto out;
+    }
     free(res_creds);
     if(options & KRB5_GC_CACHED) {
         krb5_free_principal(context, in_creds.client);
+        return not_found(context, in_creds.server, KRB5_CC_NOTFOUND);
+        ret = not_found(context, in_creds.server, KRB5_CC_NOTFOUND);
+        goto out;
+    }
     if(options & KRB5_GC_USER_USER) {
 …
     if(ret == 0 && (options & KRB5_GC_NO_STORE) == 0)
         krb5_cc_store_cred(context, ccache, *out_creds);
+ out:
+    _krb5_debug(context, 5, "krb5_get_creds: ret = %d", ret);
     return ret;
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_renewed_creds(krb5_context context,
                        krb5_creds *creds,

trunk/server/source4/heimdal/lib/krb5/get_default_principal.c

-              r414
+              r745
+}
+#ifndef _WIN32
 /*
  * Will only use operating-system dependant operation to get the
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+#else  /* _WIN32 */
+#define SECURITY_WIN32
+#include <security.h>
+krb5_error_code
+_krb5_get_default_principal_local(krb5_context context,
+                                  krb5_principal *princ)
+{
+    /* See if we can get the principal first.  We only expect this to
+       work if logged into a domain. */
+    {
+        char username[1024];
+        ULONG sz = sizeof(username);
+        if (GetUserNameEx(NameUserPrincipal, username, &sz)) {
+            return krb5_parse_name_flags(context, username,
+                                         KRB5_PRINCIPAL_PARSE_ENTERPRISE,
+                                         princ);
+        }
+    }
+    /* Just get the Windows username.  This should pretty much always
+       work. */
+    {
+        char username[1024];
+        DWORD dsz = sizeof(username);
+        if (GetUserName(username, &dsz)) {
+            return krb5_make_principal(context, princ, NULL, username, NULL);
+        }
+    }
+    /* Failing that, we look at the environment */
+    {
+        const char * username = get_env_user();
+        if (username == NULL) {
+            krb5_set_error_string(context,
+                                  "unable to figure out current principal");
+            return ENOTTY;      /* Really? */
+        }
+        return krb5_make_principal(context, princ, NULL, username, NULL);
+    }
+}
+#endif
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_default_principal (krb5_context context,
                             krb5_principal *princ)

trunk/server/source4/heimdal/lib/krb5/get_default_realm.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_default_realms (krb5_context context,
                          krb5_realm **realms)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_default_realm(krb5_context context,
                        krb5_realm *realm)

trunk/server/source4/heimdal/lib/krb5/get_for_creds.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 static krb5_error_code
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_fwd_tgt_creds (krb5_context        context,
                     krb5_auth_context   auth_context,
 …
     creds.client = client;
+    ret = krb5_build_principal(context,
+                               &creds.server,
+                               strlen(client_realm),
+                               client_realm,
+                               KRB5_TGS_NAME,
+                               client_realm,
+                               NULL);
+    ret = krb5_make_principal(context,
+                              &creds.server,
+                              client_realm,
+                              KRB5_TGS_NAME,
+                              client_realm,
+                              NULL);
     if (ret)
         return ret;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_forwarded_creds (krb5_context      context,
                           krb5_auth_context auth_context,

trunk/server/source4/heimdal/lib/krb5/get_host_realm.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_get_host_realm_int (krb5_context context,
                           const char *host,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_host_realm(krb5_context context,
                     const char *targethost,

trunk/server/source4/heimdal/lib/krb5/get_in_tkt.c

-              r414
+              r745
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_in_cred(krb5_context context,
                  krb5_flags options,
 …
                  krb5_creds *creds,
                  krb5_kdc_rep *ret_as_reply)
-    KRB5_DEPRECATED
+{
     krb5_error_code ret;
 …
+    {
         unsigned flags = 0;
+        unsigned flags = EXTRACT_TICKET_TIMESYNC;
         if (opts.request_anonymous)
             flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_in_tkt(krb5_context context,
                 krb5_flags options,
 …
                 krb5_ccache ccache,
                 krb5_kdc_rep *ret_as_reply)
-    KRB5_DEPRECATED
+{
     krb5_error_code ret;

trunk/server/source4/heimdal/lib/krb5/get_port.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_getportbyname (krb5_context context,
                     const char *service,

trunk/server/source4/heimdal/lib/krb5/init_creds.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_alloc(krb5_context context,
                               krb5_get_init_creds_opt **opt)
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_free(krb5_context context,
                              krb5_get_init_creds_opt *opt)
 …
 static krb5_boolean
 get_config_bool (krb5_context context,
+                 krb5_boolean def_value,
                  const char *realm,
                  const char *name)
+{
     return krb5_config_get_bool (context,
+                                 NULL,
                                  "realms",
                                  realm,
+                                 name,
                                  NULL)
         || krb5_config_get_bool (context,
                                  NULL,
+                                 "libdefaults",
                                  name,
                                  NULL);
+    krb5_boolean b;
+    b = krb5_config_get_bool_default(context, NULL, def_value,
+                                     "realms", realm, name, NULL);
+    if (b != def_value)
+        return b;
+    b = krb5_config_get_bool_default (context, NULL, def_value,
+                                      "libdefaults", name, NULL);
+    if (b != def_value)
+        return b;
+    return def_value;
+}
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_default_flags(krb5_context context,
                                           const char *appname,
 …
     time_t t;
+    b = get_config_bool (context, realm, "forwardable");
+    b = get_config_bool (context, KRB5_FORWARDABLE_DEFAULT,
+                         realm, "forwardable");
     krb5_appdefault_boolean(context, appname, realm, "forwardable", b, &b);
     krb5_get_init_creds_opt_set_forwardable(opt, b);
     b = get_config_bool (context, realm, "proxiable");
+    b = get_config_bool (context, FALSE, realm, "proxiable");
     krb5_appdefault_boolean(context, appname, realm, "proxiable", b, &b);
     krb5_get_init_creds_opt_set_proxiable (opt, b);
 …
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
                                      krb5_deltat tkt_life)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
                                        krb5_deltat renew_life)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
                                         int forwardable)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
                                       int proxiable)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
                                        krb5_enctype *etype_list,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
                                          krb5_addresses *addresses)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
                                          krb5_preauthtype *preauth_list,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
                                  krb5_data *salt)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
                                       int anonymous)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_pa_password(krb5_context context,
                                         krb5_get_init_creds_opt *opt,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_pac_request(krb5_context context,
                                         krb5_get_init_creds_opt *opt,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_addressless(krb5_context context,
                                         krb5_get_init_creds_opt *opt,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
                                          krb5_get_init_creds_opt *opt,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_win2k(krb5_context context,
                                   krb5_get_init_creds_opt *opt,
 …
     if (ret)
         return ret;
     if (req)
+    if (req) {
         opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+    else
+        opt->opt_private->flags |= KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
+    } else {
         opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_CANON_CHECK;
+    return 0;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+        opt->opt_private->flags &= ~KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
+    }
+    return 0;
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_process_last_req(krb5_context context,
                                              krb5_get_init_creds_opt *opt,
 …
 #ifndef HEIMDAL_SMALLER
+void KRB5_LIB_FUNCTION
+/**
+ * Deprecated: use krb5_get_init_creds_opt_alloc().
+ *
+ * The reason krb5_get_init_creds_opt_init() is deprecated is that
+ * krb5_get_init_creds_opt is a static structure and for ABI reason it
+ * can't grow, ie can't add new functionality.
+ *
+ * @ingroup krb5_deprecated
+ */
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
-    KRB5_DEPRECATED
+{
     memset (opt, 0, sizeof(*opt));
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_get_error(krb5_context context,
                                   krb5_get_init_creds_opt *opt,
                                   KRB_ERROR **error)
-    KRB5_DEPRECATED
+{
     *error = calloc(1, sizeof(**error));

trunk/server/source4/heimdal/lib/krb5/init_creds_pw.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
     int ic_flags;
+    int used_pa_types;
+#define  USED_PKINIT    1
+#define  USED_PKINIT_W2K        2
+#define  USED_ENC_TS_GUESS      4
+#define  USED_ENC_TS_INFO       8
     METHOD_DATA md;
     KRB_ERROR error;
 …
     void *prompter_data;
+    struct pa_info_data *ppaid;
 } krb5_get_init_creds_ctx;
+static krb5_error_code
+struct pa_info_data {
+    krb5_enctype etype;
+    krb5_salt salt;
+    krb5_data *s2kparams;
+};
+static void
+free_paid(krb5_context context, struct pa_info_data *ppaid)
+{
+    krb5_free_salt(context, ppaid->salt);
+    if (ppaid->s2kparams)
+        krb5_free_data(context, ppaid->s2kparams);
+}
+static krb5_error_code KRB5_CALLCONV
 default_s2k_func(krb5_context context, krb5_enctype type,
                  krb5_const_pointer keyseed,
 …
     krb5_data password;
     krb5_data opaque;
+    _krb5_debug(context, 5, "krb5_get_init_creds: using default_s2k_func");
     password.data = rk_UNCONST(keyseed);
 …
     if (ctx->keytab_data)
         free(ctx->keytab_data);
+    if (ctx->password) {
+        memset(ctx->password, 0, strlen(ctx->password));
+        free(ctx->password);
+    }
     krb5_data_free(&ctx->req_buffer);
     krb5_free_cred_contents(context, &ctx->cred);
 …
     free_KRB_ERROR(&ctx->error);
     free_AS_REQ(&ctx->as_req);
+    if (ctx->ppaid) {
+        free_paid(context, ctx->ppaid);
+        free(ctx->ppaid);
+    }
     memset(ctx, 0, sizeof(*ctx));
+}
 …
                    time_t now)
+{
+    char *p;
+    asprintf (&p, "%s%s", str, ctime(&now));
+    (*prompter) (context, data, NULL, p, 0, NULL);
+    free (p);
+    char *p = NULL;
+    if (asprintf(&p, "%s%s", str, ctime(&now)) < 0 || p == NULL)
+        return;
+    (*prompter)(context, data, NULL, p, 0, NULL);
+    free(p);
+}
 …
+    }
     if (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST) {
+        if (ctx->etypes)
+            free(ctx->etypes);
         etypes = malloc((options->etype_list_length + 1)
                         * sizeof(krb5_enctype));
 …
     if (ret)
         goto out;
+    asprintf (&p, "%s: %.*s\n",
+              result_code ? "Error" : "Success",
+              (int)result_string.length,
+              result_string.length > 0 ? (char*)result_string.data : "");
+    if (asprintf(&p, "%s: %.*s\n",
+                 result_code ? "Error" : "Success",
+                 (int)result_string.length,
+                 result_string.length > 0 ? (char*)result_string.data : "") < 0)
+    {
+        ret = ENOMEM;
+        goto out;
+    }
     /* return the result */
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_keyblock_key_proc (krb5_context context,
                         krb5_keytype type,
 …
     memset(a, 0, sizeof(*a));
     return ret;
+}
-struct pa_info_data {
-    krb5_enctype etype;
-    krb5_salt salt;
-    krb5_data *s2kparams;
-};
-static void
-free_paid(krb5_context context, struct pa_info_data *ppaid)
+{
-    krb5_free_salt(context, ppaid->salt);
-    if (ppaid->s2kparams)
-        krb5_free_data(context, ppaid->s2kparams);
+}
 …
         krb5_keyblock *key;
+        _krb5_debug(context, 5, "krb5_get_init_creds: using ENC-TS with enctype %d", enctypes[i]);
         ret = (*keyproc)(context, enctypes[i], keyseed,
                          *salt, s2kparams, &key);
 …
         krb5_salt salt;
+        _krb5_debug(context, 5, "krb5_get_init_creds: pa-info not found, guessing salt");
         /* make a v5 salted pa-data */
         add_enc_ts_padata(context, md, client,
 …
                      const AS_REQ *a,
                      const krb5_principal client,
+                     int win2k,
                      krb5_get_init_creds_ctx *ctx,
                      METHOD_DATA *md)
 …
 #ifdef PKINIT
     return _krb5_pk_mk_padata(context,
+                             ctx->pk_init_ctx,
+                             &a->req_body,
+                             ctx->pk_nonce,
+                             md);
+                              ctx->pk_init_ctx,
+                              ctx->ic_flags,
+                              win2k,
+                              &a->req_body,
+                              ctx->pk_nonce,
+                              md);
 #else
     krb5_set_error_message(context, EINVAL,
 …
     (*out_md)->val = NULL;
+    if (_krb5_have_debug(context, 5)) {
+        unsigned i;
+        _krb5_debug(context, 5, "KDC send %d patypes", in_md->len);
+        for (i = 0; i < in_md->len; i++)
+            _krb5_debug(context, 5, "KDC send PA-DATA type: %d", in_md->val[i].padata_type);
+    }
     /*
      * Make sure we don't sent both ENC-TS and PK-INIT pa data, no
 …
     if (ctx->pk_init_ctx) {
+        ret = pa_data_to_md_pkinit(context, a, creds->client, ctx, *out_md);
+        _krb5_debug(context, 5, "krb5_get_init_creds: "
+                    "prepareing PKINIT padata (%s)",
+                    (ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf");
+        if (ctx->used_pa_types & USED_PKINIT_W2K) {
+            krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+                                   "Already tried pkinit, looping");
+            return KRB5_GET_IN_TKT_LOOP;
+        }
+        ret = pa_data_to_md_pkinit(context, a, creds->client,
+                                   (ctx->used_pa_types & USED_PKINIT),
+                                   ctx, *out_md);
         if (ret)
             return ret;
+        if (ctx->used_pa_types & USED_PKINIT)
+            ctx->used_pa_types |= USED_PKINIT_W2K;
+        else
+            ctx->used_pa_types |= USED_PKINIT;
     } else if (in_md->len != 0) {
+        struct pa_info_data paid, *ppaid;
+        memset(&paid, 0, sizeof(paid));
+        paid.etype = ENCTYPE_NULL;
+        ppaid = process_pa_info(context, creds->client, a, &paid, in_md);
+        struct pa_info_data *paid, *ppaid;
+        unsigned flag;
+        paid = calloc(1, sizeof(*paid));
+        paid->etype = ENCTYPE_NULL;
+        ppaid = process_pa_info(context, creds->client, a, paid, in_md);
+        if (ppaid)
+            flag = USED_ENC_TS_INFO;
+        else
+            flag = USED_ENC_TS_GUESS;
+        if (ctx->used_pa_types & flag) {
+            if (ppaid)
+                free_paid(context, ppaid);
+            krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
+                                   "Already tried ENC-TS-%s, looping",
+                                   flag == USED_ENC_TS_INFO ? "info" : "guess");
+            return KRB5_GET_IN_TKT_LOOP;
+        }
         pa_data_to_md_ts_enc(context, a, creds->client, ctx, ppaid, *out_md);
+        if (ppaid)
+            free_paid(context, ppaid);
+        ctx->used_pa_types |= flag;
+        if (ppaid) {
+            if (ctx->ppaid) {
+                free_paid(context, ctx->ppaid);
+                free(ctx->ppaid);
+            }
+            ctx->ppaid = ppaid;
+        } else
+            free(paid);
+    }
 …
                                 rep->padata);
+    }
+    if (ppaid == NULL)
+        ppaid = ctx->ppaid;
     if (ppaid == NULL) {
         ret = krb5_get_pw_salt (context, creds->client, &paid.salt);
 …
         paid.etype = etype;
         paid.s2kparams = NULL;
+        ppaid = &paid;
+    }
 …
     if (pa && ctx->pk_init_ctx) {
 #ifdef PKINIT
+        _krb5_debug(context, 5, "krb5_get_init_creds: using PKINIT");
         ret = _krb5_pk_rd_pa_reply(context,
                                    a->req_body.realm,
 …
         krb5_set_error_message(context, ret, N_("no support for PKINIT compiled in", ""));
 #endif
+    } else if (ctx->keyseed)
+    } else if (ctx->keyseed) {
+        _krb5_debug(context, 5, "krb5_get_init_creds: using keyproc");
         ret = pa_data_to_key_plain(context, creds->client, ctx,
                                    paid.salt, paid.s2kparams, etype, key);
     else {
+                                   ppaid->salt, ppaid->s2kparams, etype, key);
+    } else {
         ret = EINVAL;
         krb5_set_error_message(context, ret, N_("No usable pa data type", ""));
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_init(krb5_context context,
                      krb5_principal client,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_set_service(krb5_context context,
                             krb5_init_creds_context ctx,
 …
             return ret;
+    }
+    /*
+     * This is for Windows RODC that are picky about what name type
+     * the server principal have, and the really strange part is that
+     * they are picky about the AS-REQ name type and not the TGS-REQ
+     * later. Oh well.
+     */
+    if (krb5_principal_is_krbtgt(context, principal))
+        krb5_principal_set_type(context, principal, KRB5_NT_SRV_INST);
     krb5_free_principal(context, ctx->cred.server);
     ctx->cred.server = principal;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_set_password(krb5_context context,
                              krb5_init_creds_context ctx,
                              const char *password)
+{
     if (ctx->password)
+    if (ctx->password) {
         memset(ctx->password, 0, strlen(ctx->password));
+        free(ctx->password);
+    }
     if (password) {
         ctx->password = strdup(password);
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 keytab_key_proc(krb5_context context, krb5_enctype enctype,
                 krb5_const_pointer keyseed,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_set_keytab(krb5_context context,
                            krb5_init_creds_context ctx,
 …
+{
     krb5_keytab_key_proc_args *a;
+    krb5_keytab_entry entry;
+    krb5_kt_cursor cursor;
+    krb5_enctype *etypes = NULL;
+    krb5_error_code ret;
+    size_t netypes = 0;
+    int kvno = 0;
     a = malloc(sizeof(*a));
     if (a == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        krb5_set_error_message(context, ENOMEM,
+                               N_("malloc: out of memory", ""));
         return ENOMEM;
+    }
 …
     ctx->keyproc = keytab_key_proc;
+    /*
+     * We need to the KDC what enctypes we support for this keytab,
+     * esp if the keytab is really a password based entry, then the
+     * KDC might have more enctypes in the database then what we have
+     * in the keytab.
+     */
+    ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+    if(ret)
+        goto out;
+    while(krb5_kt_next_entry(context, keytab, &entry, &cursor) == 0){
+        void *ptr;
+        if (!krb5_principal_compare(context, entry.principal, ctx->cred.client))
+            goto next;
+        /* check if we ahve this kvno already */
+        if (entry.vno > kvno) {
+            /* remove old list of etype */
+            if (etypes)
+                free(etypes);
+            etypes = NULL;
+            netypes = 0;
+            kvno = entry.vno;
+        } else if (entry.vno != kvno)
+            goto next;
+        /* check if enctype is supported */
+        if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
+            goto next;
+        /* add enctype to supported list */
+        ptr = realloc(etypes, sizeof(etypes[0]) * (netypes + 2));
+        if (ptr == NULL)
+            goto next;
+        etypes = ptr;
+        etypes[netypes] = entry.keyblock.keytype;
+        etypes[netypes + 1] = ETYPE_NULL;
+        netypes++;
+    next:
+        krb5_kt_free_entry(context, &entry);
+    }
+    krb5_kt_end_seq_get(context, keytab, &cursor);
+    if (etypes) {
+        if (ctx->etypes)
+            free(ctx->etypes);
+        ctx->etypes = etypes;
+    }
+ out:
     return 0;
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 keyblock_key_proc(krb5_context context, krb5_enctype enctype,
                   krb5_const_pointer keyseed,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_set_keyblock(krb5_context context,
                              krb5_init_creds_context ctx,
 …
  * @param out reply to KDC.
  * @param hostinfo KDC address info, first round it can be NULL.
+ * @param flags status of the round, if 1 is set, continue one more round.
+ * @param flags status of the round, if
+ *        KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
+ *
  * @return 0 for success, or an Kerberos 5 error code, see
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_step(krb5_context context,
                      krb5_init_creds_context ctx,
 …
     ctx->pa_counter++;
+    _krb5_debug(context, 5, "krb5_get_init_creds: loop %d", ctx->pa_counter);
     /* Lets process the input packet */
     if (in && in->length) {
 …
         memset(&rep, 0, sizeof(rep));
+        _krb5_debug(context, 5, "krb5_get_init_creds: processing input");
         ret = decode_AS_REP(in->data, in->length, &rep.kdc_rep, &size);
         if (ret == 0) {
             krb5_keyblock *key = NULL;
             unsigned eflags = EXTRACT_TICKET_AS_REQ;
+            unsigned eflags = EXTRACT_TICKET_AS_REQ | EXTRACT_TICKET_TIMESYNC;
             if (ctx->flags.canonicalize) {
 …
                 goto out;
+            }
+            _krb5_debug(context, 5, "krb5_get_init_creds: extracting ticket");
             ret = _krb5_extract_ticket(context,
 …
             /* let's try to parse it as a KRB-ERROR */
+            _krb5_debug(context, 5, "krb5_get_init_creds: got an error");
             free_KRB_ERROR(&ctx->error);
 …
             if(ret && in->length && ((char*)in->data)[0] == 4)
                 ret = KRB5KRB_AP_ERR_V4_REPLY;
+            if (ret)
+            if (ret) {
+                _krb5_debug(context, 5, "krb5_get_init_creds: failed to read error");
                 goto out;
+            }
             ret = krb5_error_from_rd_error(context, &ctx->error, &ctx->cred);
+            _krb5_debug(context, 5, "krb5_get_init_creds: KRB-ERROR %d", ret);
             /*
 …
                 if (context->kdc_sec_offset)
                     ret = 0;
+                _krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d",
+                            context->kdc_sec_offset);
+                ctx->used_pa_types = 0;
             } else if (ret == KRB5_KDC_ERR_WRONG_REALM && ctx->flags.canonicalize) {
                 /* client referal to a new realm */
                 if (ctx->error.crealm == NULL) {
                     krb5_set_error_message(context, ret,
 …
                     goto out;
+                }
+                _krb5_debug(context, 5,
+                            "krb5_get_init_creds: got referal to realm %s",
+                            *ctx->error.crealm);
                 ret = krb5_principal_set_realm(context,
                                                ctx->cred.client,
                                                *ctx->error.crealm);
+                ctx->used_pa_types = 0;
+            }
             if (ret)
 …
     out->length = ctx->req_buffer.length;
     *flags = 1;
+    *flags = KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
     return 0;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_get_creds(krb5_context context,
                           krb5_init_creds_context ctx,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_get_error(krb5_context context,
                           krb5_init_creds_context ctx,
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_init_creds_free(krb5_context context,
                      krb5_init_creds_context ctx)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
+{
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_password(krb5_context context,
                              krb5_creds *creds,
 …
     if (ret == KRB5KDC_ERR_KEY_EXPIRED && chpw == 0) {
         char buf[1024];
+        char buf2[1024];
         /* try to avoid recursion */
 …
                                client,
                                ctx->password,
                                buf,
+                               buf2,
                                sizeof(buf),
                                prompter,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_keyblock(krb5_context context,
                              krb5_creds *creds,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_keytab(krb5_context context,
                            krb5_creds *creds,

trunk/server/source4/heimdal/lib/krb5/kcm.c

-              r414
+              r745
  * Copyright (c) 2005, PADL Software Pty Ltd.
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
  */
-#ifdef HAVE_SYS_UN_H
-#include <sys/un.h>
-#endif
 #include "kcm.h"
+#include <heim-ipc.h>
+static krb5_error_code
+kcm_set_kdc_offset(krb5_context, krb5_ccache, krb5_deltat);
+static const char *kcm_ipc_name = "ANY:org.h5l.kcm";
 typedef struct krb5_kcmcache {
     char *name;
-    struct sockaddr_un path;
-    char *door_path;
 } krb5_kcmcache;
 …
 #define KCMCURSOR(C)    ((krb5_kcm_cursor)(C))
+#ifdef HAVE_DOOR_CREATE
+static krb5_error_code
+try_door(krb5_context context,
+         krb5_kcmcache *k,
+         krb5_data *request_data,
+         krb5_data *response_data)
+{
+    door_arg_t arg;
+    int fd;
+    int ret;
+    memset(&arg, 0, sizeof(arg));
+    fd = open(k->door_path, O_RDWR);
+    if (fd < 0)
+        return KRB5_CC_IO;
+    rk_cloexec(fd);
+    arg.data_ptr = request_data->data;
+    arg.data_size = request_data->length;
+    arg.desc_ptr = NULL;
+    arg.desc_num = 0;
+    arg.rbuf = NULL;
+    arg.rsize = 0;
+    ret = door_call(fd, &arg);
+    close(fd);
+    if (ret != 0)
+        return KRB5_CC_IO;
+    ret = krb5_data_copy(response_data, arg.rbuf, arg.rsize);
+    munmap(arg.rbuf, arg.rsize);
+    if (ret)
+        return ret;
+    return 0;
+}
+#endif /* HAVE_DOOR_CREATE */
+static krb5_error_code
+try_unix_socket(krb5_context context,
+                krb5_kcmcache *k,
+                krb5_data *request_data,
+                krb5_data *response_data)
+{
+    krb5_error_code ret;
+    int fd;
+    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
+    if (fd < 0)
+        return KRB5_CC_IO;
+    rk_cloexec(fd);
+    if (connect(fd, rk_UNCONST(&k->path), sizeof(k->path)) != 0) {
+        close(fd);
+        return KRB5_CC_IO;
+    }
+    ret = _krb5_send_and_recv_tcp(fd, context->kdc_timeout,
+                                  request_data, response_data);
+    close(fd);
+    return ret;
+}
+static HEIMDAL_MUTEX kcm_mutex = HEIMDAL_MUTEX_INITIALIZER;
+static heim_ipc kcm_ipc = NULL;
 static krb5_error_code
 kcm_send_request(krb5_context context,
-                 krb5_kcmcache *k,
                  krb5_storage *request,
                  krb5_data *response_data)
+{
     krb5_error_code ret;
+    krb5_error_code ret = 0;
     krb5_data request_data;
+    int i;
+    response_data->data = NULL;
+    response_data->length = 0;
+    HEIMDAL_MUTEX_lock(&kcm_mutex);
+    if (kcm_ipc == NULL)
+        ret = heim_ipc_init_context(kcm_ipc_name, &kcm_ipc);
+    HEIMDAL_MUTEX_unlock(&kcm_mutex);
+    if (ret)
+        return KRB5_CC_NOSUPP;
     ret = krb5_storage_to_data(request, &request_data);
 …
+    }
+    ret = KRB5_CC_NOSUPP;
+    for (i = 0; i < context->max_retries; i++) {
+#ifdef HAVE_DOOR_CREATE
+        ret = try_door(context, k, &request_data, response_data);
+        if (ret == 0 && response_data->length != 0)
+            break;
+#endif
+        ret = try_unix_socket(context, k, &request_data, response_data);
+        if (ret == 0 && response_data->length != 0)
+            break;
+    }
+    ret = heim_ipc_call(kcm_ipc, &request_data, response_data, NULL);
     krb5_data_free(&request_data);
 …
+}
+static krb5_error_code
 kcm_storage_request(krb5_context context,
                     kcm_operation opcode,
                     krb5_storage **storage_p)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kcm_storage_request(krb5_context context,
+                         uint16_t opcode,
+                         krb5_storage **storage_p)
+{
     krb5_storage *sp;
 …
+{
     krb5_kcmcache *k;
-    const char *path;
     k = malloc(sizeof(*k));
 …
     } else
         k->name = NULL;
+    path = krb5_config_get_string_default(context, NULL,
+                                          _PATH_KCM_SOCKET,
+                                          "libdefaults",
+                                          "kcm_socket",
+                                          NULL);
+    k->path.sun_family = AF_UNIX;
+    strlcpy(k->path.sun_path, path, sizeof(k->path.sun_path));
+    path = krb5_config_get_string_default(context, NULL,
+                                          _PATH_KCM_DOOR,
+                                          "libdefaults",
+                                          "kcm_door",
+                                          NULL);
+    k->door_path = strdup(path);
     (*id)->data.data = k;
     (*id)->data.length = sizeof(*k);
 …
+}
+static krb5_error_code
+kcm_call(krb5_context context,
+         krb5_kcmcache *k,
+         krb5_storage *request,
+         krb5_storage **response_p,
+         krb5_data *response_data_p)
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_kcm_call(krb5_context context,
+              krb5_storage *request,
+              krb5_storage **response_p,
+              krb5_data *response_data_p)
+{
     krb5_data response_data;
 …
         *response_p = NULL;
+    ret = kcm_send_request(context, k, request, &response_data);
+    if (ret) {
+        return ret;
+    }
+    krb5_data_zero(&response_data);
+    ret = kcm_send_request(context, request, &response_data);
+    if (ret)
+        return ret;
     response = krb5_storage_from_data(&response_data);
 …
         if (k->name != NULL)
             free(k->name);
-        if (k->door_path)
-            free(k->door_path);
         memset(k, 0, sizeof(*k));
         krb5_data_free(&(*id)->data);
 …
     k = KCMCACHE(*id);
     ret = kcm_storage_request(context, KCM_OP_GEN_NEW, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_GEN_NEW, &request);
     if (ret) {
         kcm_free(context, id);
 …
+    }
     ret = kcm_call(context, k, request, &response, &response_data);
+    ret = krb5_kcm_call(context, request, &response, &response_data);
     if (ret) {
         krb5_storage_free(request);
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_INITIALIZE, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_INITIALIZE, &request);
     if (ret)
         return ret;
 …
+    }
+    ret = kcm_call(context, k, request, NULL, NULL);
+    krb5_storage_free(request);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
+    krb5_storage_free(request);
+    if (context->kdc_sec_offset)
+        kcm_set_kdc_offset(context, id, context->kdc_sec_offset);
     return ret;
+}
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_DESTROY, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_DESTROY, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, NULL, NULL);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
     krb5_storage_free(request);
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_STORE, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_STORE, &request);
     if (ret)
         return ret;
 …
+    }
+    ret = kcm_call(context, k, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+    ret = krb5_kcm_call(context, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+#if 0
 /*
  * Request:
 …
     krb5_data response_data;
     ret = kcm_storage_request(context, KCM_OP_RETRIEVE, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_RETRIEVE, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, &response, &response_data);
+    ret = krb5_kcm_call(context, request, &response, &response_data);
     if (ret) {
         krb5_storage_free(request);
 …
     return ret;
+}
+#endif
 /*
 …
     krb5_data response_data;
     ret = kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_PRINCIPAL, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, &response, &response_data);
+    ret = krb5_kcm_call(context, request, &response, &response_data);
     if (ret) {
         krb5_storage_free(request);
 …
     krb5_data response_data;
     ret = kcm_storage_request(context, KCM_OP_GET_FIRST, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_CRED_UUID_LIST, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, &response, &response_data);
+    ret = krb5_kcm_call(context, request, &response, &response_data);
     krb5_storage_free(request);
     if (ret)
 …
         return KRB5_CC_END;
     ret = kcm_storage_request(context, KCM_OP_GET_NEXT, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_CRED_BY_UUID, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, &response, &response_data);
+    ret = krb5_kcm_call(context, request, &response, &response_data);
     krb5_storage_free(request);
     if (ret == KRB5_CC_END) {
 …
              krb5_cc_cursor *cursor)
+{
-    krb5_error_code ret;
-    krb5_kcmcache *k = KCMCACHE(id);
     krb5_kcm_cursor c = KCMCURSOR(*cursor);
-    krb5_storage *request;
-    ret = kcm_storage_request(context, KCM_OP_END_GET, &request);
-    if (ret)
-        return ret;
-    ret = krb5_store_stringz(request, k->name);
-    if (ret) {
-        krb5_storage_free(request);
-        return ret;
+    }
-    ret = kcm_call(context, k, request, NULL, NULL);
-    krb5_storage_free(request);
-    if (ret)
-        return ret;
     free(c->uuids);
 …
     *cursor = NULL;
     return ret;
+    return 0;
+}
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_REMOVE_CRED, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_REMOVE_CRED, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, NULL, NULL);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
     krb5_storage_free(request);
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_SET_FLAGS, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_SET_FLAGS, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, NULL, NULL);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
     krb5_storage_free(request);
 …
+}
+/*
+ * Send nothing
+ * get back list of uuids
+ */
+static krb5_error_code
+kcm_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
+    krb5_error_code ret;
+    krb5_kcm_cursor c;
+    krb5_storage *request, *response;
+    krb5_data response_data;
+    *cursor = NULL;
+    c = calloc(1, sizeof(*c));
+    if (c == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret,
+                               N_("malloc: out of memory", ""));
+        goto out;
+    }
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_CACHE_UUID_LIST, &request);
+    if (ret)
+        goto out;
+    ret = krb5_kcm_call(context, request, &response, &response_data);
+    krb5_storage_free(request);
+    if (ret)
+        goto out;
+    while (1) {
+        ssize_t sret;
+        kcmuuid_t uuid;
+        void *ptr;
+        sret = krb5_storage_read(response, &uuid, sizeof(uuid));
+        if (sret == 0) {
+            ret = 0;
+            break;
+        } else if (sret != sizeof(uuid)) {
+            ret = EINVAL;
+            goto out;
+        }
+        ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1));
+        if (ptr == NULL) {
+            ret = ENOMEM;
+            krb5_set_error_message(context, ret,
+                                   N_("malloc: out of memory", ""));
+            goto out;
+        }
+        c->uuids = ptr;
+        memcpy(&c->uuids[c->length], &uuid, sizeof(uuid));
+        c->length += 1;
+    }
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+ out:
+    if (ret && c) {
+        free(c->uuids);
+        free(c);
+    } else
+        *cursor = c;
+    return ret;
+}
+/*
+ * Send uuid
+ * Recv cache name
+ */
+static krb5_error_code
+kcm_get_cache_next(krb5_context context, krb5_cc_cursor cursor, const krb5_cc_ops *ops, krb5_ccache *id)
+{
+    krb5_error_code ret;
+    krb5_kcm_cursor c = KCMCURSOR(cursor);
+    krb5_storage *request, *response;
+    krb5_data response_data;
+    ssize_t sret;
+    char *name;
+    *id = NULL;
+ again:
+    if (c->offset >= c->length)
+        return KRB5_CC_END;
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_CACHE_BY_UUID, &request);
+    if (ret)
+        return ret;
+    sret = krb5_storage_write(request,
+                              &c->uuids[c->offset],
+                              sizeof(c->uuids[c->offset]));
+    c->offset++;
+    if (sret != sizeof(c->uuids[c->offset])) {
+        krb5_storage_free(request);
+        krb5_clear_error_message(context);
+        return ENOMEM;
+    }
+    ret = krb5_kcm_call(context, request, &response, &response_data);
+    krb5_storage_free(request);
+    if (ret == KRB5_CC_END)
+        goto again;
+    ret = krb5_ret_stringz(response, &name);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+    if (ret == 0) {
+        ret = _krb5_cc_allocate(context, ops, id);
+        if (ret == 0)
+            ret = kcm_alloc(context, name, id);
+        krb5_xfree(name);
+    }
+    return ret;
+}
+static krb5_error_code
+kcm_get_cache_next_kcm(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+#ifndef KCM_IS_API_CACHE
+    return kcm_get_cache_next(context, cursor, &krb5_kcm_ops, id);
+#else
+    return KRB5_CC_END;
+#endif
+}
+static krb5_error_code
+kcm_get_cache_next_api(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
+    return kcm_get_cache_next(context, cursor, &krb5_akcm_ops, id);
+}
+static krb5_error_code
+kcm_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
+    krb5_kcm_cursor c = KCMCURSOR(cursor);
+    free(c->uuids);
+    free(c);
+    return 0;
+}
 static krb5_error_code
 kcm_move(krb5_context context, krb5_ccache from, krb5_ccache to)
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_MOVE_CACHE, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_MOVE_CACHE, &request);
     if (ret)
         return ret;
 …
         return ret;
+    }
+    ret = kcm_call(context, oldk, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+static krb5_error_code
+kcm_default_name(krb5_context context, char **str)
+{
+    return _krb5_expand_default_cc_name(context,
+                                        KRB5_DEFAULT_CCNAME_KCM,
+                                        str);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+static krb5_error_code
+kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
+                     const char *defstr, char **str)
+{
+    krb5_error_code ret;
+    krb5_storage *request, *response;
+    krb5_data response_data;
+    char *name;
+    *str = NULL;
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_DEFAULT_CACHE, &request);
+    if (ret)
+        return ret;
+    ret = krb5_kcm_call(context, request, &response, &response_data);
+    krb5_storage_free(request);
+    if (ret)
+        return _krb5_expand_default_cc_name(context, defstr, str);
+    ret = krb5_ret_stringz(response, &name);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+    if (ret)
+        return ret;
+    asprintf(str, "%s:%s", ops->prefix, name);
+    free(name);
+    if (str == NULL)
+        return ENOMEM;
+    return 0;
+}
+static krb5_error_code
+kcm_get_default_name_api(krb5_context context, char **str)
+{
+    return kcm_get_default_name(context, &krb5_akcm_ops,
+                                KRB5_DEFAULT_CCNAME_KCM_API, str);
+}
+static krb5_error_code
+kcm_get_default_name_kcm(krb5_context context, char **str)
+{
+    return kcm_get_default_name(context, &krb5_kcm_ops,
+                                KRB5_DEFAULT_CCNAME_KCM_KCM, str);
+}
+static krb5_error_code
+kcm_set_default(krb5_context context, krb5_ccache id)
+{
+    krb5_error_code ret;
+    krb5_storage *request;
+    krb5_kcmcache *k = KCMCACHE(id);
+    ret = krb5_kcm_storage_request(context, KCM_OP_SET_DEFAULT_CACHE, &request);
+    if (ret)
+        return ret;
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_kcm_call(context, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
 …
+{
     *mtime = time(NULL);
+    return 0;
+}
+static krb5_error_code
+kcm_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
+{
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_error_code ret;
+    krb5_storage *request;
+    ret = krb5_kcm_storage_request(context, KCM_OP_SET_KDC_OFFSET, &request);
+    if (ret)
+        return ret;
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_store_int32(request, kdc_offset);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_kcm_call(context, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+static krb5_error_code
+kcm_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset)
+{
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_error_code ret;
+    krb5_storage *request, *response;
+    krb5_data response_data;
+    int32_t offset;
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_KDC_OFFSET, &request);
+    if (ret)
+        return ret;
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_kcm_call(context, request, &response, &response_data);
+    krb5_storage_free(request);
+    if (ret)
+        return ret;
+    ret = krb5_ret_int32(response, &offset);
+    krb5_storage_free(response);
+    krb5_data_free(&response_data);
+    if (ret)
+        return ret;
+    *kdc_offset = offset;
     return 0;
+}
 …
     kcm_close,
     kcm_store_cred,
     kcm_retrieve,
+    NULL /* kcm_retrieve */,
     kcm_get_principal,
     kcm_get_first,
 …
     kcm_set_flags,
     kcm_get_version,
     NULL,
     NULL,
     NULL,
+    kcm_get_cache_first,
+    kcm_get_cache_next_kcm,
+    kcm_end_cache_get,
     kcm_move,
+    kcm_default_name,
+    NULL,
+    kcm_get_default_name_kcm,
+    kcm_set_default,
+    kcm_lastchange,
+    kcm_set_kdc_offset,
+    kcm_get_kdc_offset
+};
+KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = {
+    KRB5_CC_OPS_VERSION,
+    "API",
+    kcm_get_name,
+    kcm_resolve,
+    kcm_gen_new,
+    kcm_initialize,
+    kcm_destroy,
+    kcm_close,
+    kcm_store_cred,
+    NULL /* kcm_retrieve */,
+    kcm_get_principal,
+    kcm_get_first,
+    kcm_get_next,
+    kcm_end_get,
+    kcm_remove_cred,
+    kcm_set_flags,
+    kcm_get_version,
+    kcm_get_cache_first,
+    kcm_get_cache_next_api,
+    kcm_end_cache_get,
+    kcm_move,
+    kcm_get_default_name_api,
+    kcm_set_default,
     kcm_lastchange
 };
 krb5_boolean
 …
+{
     krb5_error_code ret;
-    krb5_kcmcache *k = KCMCACHE(id);
     krb5_storage *request;
+    ret = kcm_storage_request(context, KCM_OP_NOOP, &request);
+    if (ret)
+        return ret;
+    ret = kcm_call(context, k, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+/*
+ * Request:
+ *      NameZ
+ *      Mode
+ *
+ * Response:
+ *
+ */
+krb5_error_code
+_krb5_kcm_chmod(krb5_context context,
+                krb5_ccache id,
+                uint16_t mode)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+    ret = kcm_storage_request(context, KCM_OP_CHMOD, &request);
+    if (ret)
+        return ret;
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_store_int16(request, mode);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = kcm_call(context, k, request, NULL, NULL);
+    krb5_storage_free(request);
+    return ret;
+}
+/*
+ * Request:
+ *      NameZ
+ *      UID
+ *      GID
+ *
+ * Response:
+ *
+ */
+krb5_error_code
+_krb5_kcm_chown(krb5_context context,
+                krb5_ccache id,
+                uint32_t uid,
+                uint32_t gid)
+{
+    krb5_error_code ret;
+    krb5_kcmcache *k = KCMCACHE(id);
+    krb5_storage *request;
+    ret = kcm_storage_request(context, KCM_OP_CHOWN, &request);
+    if (ret)
+        return ret;
+    ret = krb5_store_stringz(request, k->name);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_store_int32(request, uid);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = krb5_store_int32(request, gid);
+    if (ret) {
+        krb5_storage_free(request);
+        return ret;
+    }
+    ret = kcm_call(context, k, request, NULL, NULL);
+    ret = krb5_kcm_storage_request(context, KCM_OP_NOOP, &request);
+    if (ret)
+        return ret;
+    ret = krb5_kcm_call(context, request, NULL, NULL);
     krb5_storage_free(request);
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_GET_INITIAL_TICKET, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_INITIAL_TICKET, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, NULL, NULL);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
     krb5_storage_free(request);
 …
     krb5_storage *request;
     ret = kcm_storage_request(context, KCM_OP_GET_TICKET, &request);
+    ret = krb5_kcm_storage_request(context, KCM_OP_GET_TICKET, &request);
     if (ret)
         return ret;
 …
+    }
     ret = kcm_call(context, k, request, NULL, NULL);
+    ret = krb5_kcm_call(context, request, NULL, NULL);
     krb5_storage_free(request);

trunk/server/source4/heimdal/lib/krb5/keyblock.c

-              r414
+              r745
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_keyblock_zero(krb5_keyblock *keyblock)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_keyblock_contents(krb5_context context,
                             krb5_keyblock *keyblock)
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_keyblock(krb5_context context,
                    krb5_keyblock *keyblock)
 …
  * @param to the output key.
+ *
  * @param 0 on success or a Kerberos 5 error code
+ *
  * @ingroup krb5_crypto
  */
+krb5_error_code KRB5_LIB_FUNCTION
+ * @return 0 on success or a Kerberos 5 error code
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_keyblock_contents (krb5_context context,
                              const krb5_keyblock *inblock,
 …
  * @param to the output key.
+ *
  * @param 0 on success or a Kerberos 5 error code
+ *
  * @ingroup krb5_crypto
  */
+krb5_error_code KRB5_LIB_FUNCTION
+ * @return 0 on success or a Kerberos 5 error code
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_keyblock (krb5_context context,
                     const krb5_keyblock *inblock,
 …
  */
+krb5_enctype
+KRB5_LIB_FUNCTION krb5_enctype KRB5_LIB_CALL
 krb5_keyblock_get_enctype(const krb5_keyblock *block)
+{
 …
  * `size'. Key should be freed using krb5_free_keyblock_contents().
+ *
+ * @ingroup krb5_crypto
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+ * @return 0 on success or a Kerberos 5 error code
+ *
+ * @ingroup krb5_crypto
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_keyblock_init(krb5_context context,
                    krb5_enctype type,

trunk/server/source4/heimdal/lib/krb5/keytab.c

-              r414
+              r745
  *   the type's name is AFSKEYFILE. The residual part is a filename.
+ *
- * - krb4
- *   the keytab is a Kerberos 4 srvtab that is on-the-fly converted to
- *   a keytab. The type's name is krb4 The residual part is a
- *   filename.
+ *
  * - memory
  *   The keytab is stored in a memory segment. This allows sensitive
 …
  *   is MEMORY. Each MEMORY keytab is referenced counted by and
  *   opened by the residual name, so two handles can point to the
+ *   same memory area.  When the last user closes the entry, it
+ *   disappears.
+ *   same memory area.  When the last user closes using krb5_kt_close()
+ *   the keytab, the keys in they keytab is memset() to zero and freed
+ *   and can no longer be looked up by name.
+ *
+ *
 …
         krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
         krb5_unparse_name_short(context, entry.principal, &principal);
+        krb5_unparse_name(context, entry.principal, &principal);
         printf("principal: %s\n", principal);
         free(principal);
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_register(krb5_context context,
                  const krb5_kt_ops *ops)
 …
+}
+static const char *
+keytab_name(const char * name, const char ** ptype, size_t * ptype_len)
+{
+    const char * residual;
+    residual = strchr(name, ':');
+    if (residual == NULL
+#ifdef _WIN32
+        /* Avoid treating <drive>:<path> as a keytab type
+         * specification */
+        || name + 1 == residual
+#endif
+        ) {
+        *ptype = "FILE";
+        *ptype_len = strlen(*ptype);
+        residual = name;
+    } else {
+        *ptype = name;
+        *ptype_len = residual - name;
+        residual++;
+    }
+    return residual;
+}
 /**
  * Resolve the keytab name (of the form `type:residual') in `name'
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_resolve(krb5_context context,
                 const char *name,
 …
     krb5_error_code ret;
+    residual = strchr(name, ':');
+    if(residual == NULL) {
+        type = "FILE";
+        type_len = strlen(type);
+        residual = name;
+    } else {
+        type = name;
+        type_len = residual - name;
+        residual++;
+    }
+    residual = keytab_name(name, &type, &type_len);
     for(i = 0; i < context->num_kt_types; i++) {
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_default_name(krb5_context context, char *name, size_t namesize)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_default_modify_name(krb5_context context, char *name, size_t namesize)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_default(krb5_context context, krb5_keytab *id)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_read_service_key(krb5_context context,
                          krb5_pointer keyprocarg,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_get_type(krb5_context context,
                  krb5_keytab keytab,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_get_name(krb5_context context,
                  krb5_keytab keytab,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_get_full_name(krb5_context context,
                       krb5_keytab keytab,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_close(krb5_context context,
               krb5_keytab id)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_destroy(krb5_context context,
                 krb5_keytab id)
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_kt_compare(krb5_context context,
                 krb5_keytab_entry *entry,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_get_entry(krb5_context context,
                   krb5_keytab id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_copy_entry_contents(krb5_context context,
                             const krb5_keytab_entry *in,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_free_entry(krb5_context context,
                    krb5_keytab_entry *entry)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_start_seq_get(krb5_context context,
                       krb5_keytab id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_next_entry(krb5_context context,
                    krb5_keytab id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_end_seq_get(krb5_context context,
                     krb5_keytab id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_add_entry(krb5_context context,
                   krb5_keytab id,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_kt_remove_entry(krb5_context context,
                      krb5_keytab id,

trunk/server/source4/heimdal/lib/krb5/keytab_any.c

-              r414
+              r745
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
 …
     while (strsep_copy(&name, ",", buf, sizeof(buf)) != -1) {
         a = malloc(sizeof(*a));
+        a = calloc(1, sizeof(*a));
         if (a == NULL) {
             ret = ENOMEM;
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_get_name (krb5_context context,
               krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_close (krb5_context context,
            krb5_keytab id)
 …
 };
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_start_seq_get(krb5_context context,
                   krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_next_entry (krb5_context context,
                 krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_end_seq_get(krb5_context context,
                 krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_add_entry(krb5_context context,
               krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 any_remove_entry(krb5_context context,
                  krb5_keytab id,

trunk/server/source4/heimdal/lib/krb5/keytab_file.c

r414	r745
287	287	}
288	288
289		static krb5_error_code
	289	static krb5_error_code KRB5_CALLCONV
290	290	fkt_resolve(krb5_context context, const char *name, krb5_keytab id)
291	291	{
…	…
308	308	}
309	309
310		static krb5_error_code
	310	static krb5_error_code KRB5_CALLCONV
311	311	fkt_resolve_java14(krb5_context context, const char *name, krb5_keytab id)
312	312	{
…	…
321	321	}
322	322
323		static krb5_error_code
	323	static krb5_error_code KRB5_CALLCONV
324	324	fkt_close(krb5_context context, krb5_keytab id)
325	325	{
…	…
330	330	}
331	331
332		static krb5_error_code
	332	static krb5_error_code KRB5_CALLCONV
333	333	fkt_destroy(krb5_context context, krb5_keytab id)
334	334	{
…	…
338	338	}
339	339
340		static krb5_error_code
	340	static krb5_error_code KRB5_CALLCONV
341	341	fkt_get_name(krb5_context context,
342	342	krb5_keytab id,
…	…
431	431	}
432	432
433		static krb5_error_code
	433	static krb5_error_code KRB5_CALLCONV
434	434	fkt_start_seq_get(krb5_context context,
435	435	krb5_keytab id,
…	…
504	504	}
505	505
506		static krb5_error_code
	506	static krb5_error_code KRB5_CALLCONV
507	507	fkt_next_entry(krb5_context context,
508	508	krb5_keytab id,
…	…
513	513	}
514	514
515		static krb5_error_code
	515	static krb5_error_code KRB5_CALLCONV
516	516	fkt_end_seq_get(krb5_context context,
517	517	krb5_keytab id,
…	…
524	524	}
525	525
526		static krb5_error_code
	526	static krb5_error_code KRB5_CALLCONV
527	527	fkt_setup_keytab(krb5_context context,
528	528	krb5_keytab id,
…	…
538	538	}
539	539
540		static krb5_error_code
	540	static krb5_error_code KRB5_CALLCONV
541	541	fkt_add_entry(krb5_context context,
542	542	krb5_keytab id,
…	…
724	724	}
725	725
726		static krb5_error_code
	726	static krb5_error_code KRB5_CALLCONV
727	727	fkt_remove_entry(krb5_context context,
728	728	krb5_keytab id,

trunk/server/source4/heimdal/lib/krb5/keytab_keyfile.c

-              r414
+              r745
  */
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
 …
  */
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_close(krb5_context context, krb5_keytab id)
+{
 …
  */
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_get_name(krb5_context context,
              krb5_keytab id,
 …
  */
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_start_seq_get(krb5_context context,
                   krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_next_entry(krb5_context context,
                krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_end_seq_get(krb5_context context,
                 krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 akf_add_entry(krb5_context context,
               krb5_keytab id,

trunk/server/source4/heimdal/lib/krb5/keytab_memory.c

-              r414
+              r745
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_resolve(krb5_context context, const char *name, krb5_keytab id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_close(krb5_context context, krb5_keytab id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_get_name(krb5_context context,
              krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_start_seq_get(krb5_context context,
                   krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_next_entry(krb5_context context,
                krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_end_seq_get(krb5_context context,
                 krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_add_entry(krb5_context context,
               krb5_keytab id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mkt_remove_entry(krb5_context context,
                  krb5_keytab id,

trunk/server/source4/heimdal/lib/krb5/krb5-v4compat.h

-              r414
+              r745
 #ifndef TKT_ROOT
+#ifdef KRB5_USE_PATH_TOKENS
+#define TKT_ROOT "%{TEMP}/tkt"
+#else
 #define TKT_ROOT "/tmp/tkt"
+#endif
 #endif
 …
 };
+time_t          _krb5_krb_life_to_time (int, int);
+int             _krb5_krb_time_to_life (time_t, time_t);
+krb5_error_code _krb5_krb_tf_setup (krb5_context, struct credentials *,
+                                    const char *, int);
+krb5_error_code _krb5_krb_dest_tkt(krb5_context, const char *);
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
+_krb5_krb_life_to_time (int, int);
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
+_krb5_krb_time_to_life (time_t, time_t);
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_krb_tf_setup (krb5_context, struct credentials *,
+                    const char *, int);
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_krb_dest_tkt(krb5_context, const char *);
 #define krb_time_to_life        _krb5_krb_time_to_life

trunk/server/source4/heimdal/lib/krb5/krb5.h

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #endif
+#ifdef _WIN32
+#define KRB5_CALLCONV __stdcall
+#else
+#define KRB5_CALLCONV
+#endif
 /* simple constants */
 …
 typedef int32_t krb5_error_code;
 typedef int krb5_kvno;
+typedef int32_t krb5_kvno;
 typedef uint32_t krb5_flags;
 …
     KRB5_KU_PA_PKINIT_KX = 44,
     /* Encryption type of the kdc session contribution in pk-init */
+    KRB5_KU_AS_REQ = 56,
+    /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */
     KRB5_KU_DIGEST_ENCRYPT = -18,
     /* Encryption key usage used in the digest encryption field */
 …
 struct krb5_cc_ops;
+#ifdef _WIN32
+#define KRB5_USE_PATH_TOKENS 1
+#endif
+#ifdef KRB5_USE_PATH_TOKENS
+#define KRB5_DEFAULT_CCFILE_ROOT "%{TEMP}/krb5cc_"
+#else
 #define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
+#endif
 #define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
 …
 typedef void *krb5_cc_cursor;
 typedef struct krb5_cccol_cursor *krb5_cccol_cursor;
+typedef struct krb5_cccol_cursor_data *krb5_cccol_cursor;
 typedef struct krb5_ccache_data {
 …
 #define KRB5_TC_MATCH_IS_SKEY           (1 << 22)
+/* constants for get_flags and set_flags */
+#define KRB5_TC_OPENCLOSE 0x00000001
+#define KRB5_TC_NOTICKET  0x00000002
 typedef AuthorizationData krb5_authdata;
 …
 typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
 #define KRB5_CC_OPS_VERSION 2
+#define KRB5_CC_OPS_VERSION 3
 typedef struct krb5_cc_ops {
     int version;
     const char *prefix;
+    const char* (*get_name)(krb5_context, krb5_ccache);
+    krb5_error_code (*resolve)(krb5_context, krb5_ccache *, const char *);
+    krb5_error_code (*gen_new)(krb5_context, krb5_ccache *);
+    krb5_error_code (*init)(krb5_context, krb5_ccache, krb5_principal);
+    krb5_error_code (*destroy)(krb5_context, krb5_ccache);
+    krb5_error_code (*close)(krb5_context, krb5_ccache);
+    krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*);
+    krb5_error_code (*retrieve)(krb5_context, krb5_ccache,
+                                krb5_flags, const krb5_creds*, krb5_creds *);
+    krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*);
+    krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
+    krb5_error_code (*get_next)(krb5_context, krb5_ccache,
+                                krb5_cc_cursor*, krb5_creds*);
+    krb5_error_code (*end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
+    krb5_error_code (*remove_cred)(krb5_context, krb5_ccache,
+                                   krb5_flags, krb5_creds*);
+    krb5_error_code (*set_flags)(krb5_context, krb5_ccache, krb5_flags);
+    int (*get_version)(krb5_context, krb5_ccache);
+    krb5_error_code (*get_cache_first)(krb5_context, krb5_cc_cursor *);
+    krb5_error_code (*get_cache_next)(krb5_context, krb5_cc_cursor, krb5_ccache *);
+    krb5_error_code (*end_cache_get)(krb5_context, krb5_cc_cursor);
+    krb5_error_code (*move)(krb5_context, krb5_ccache, krb5_ccache);
+    krb5_error_code (*get_default_name)(krb5_context, char **);
+    krb5_error_code (*set_default)(krb5_context, krb5_ccache);
+    krb5_error_code (*lastchange)(krb5_context, krb5_ccache, krb5_timestamp *);
+    const char* (KRB5_CALLCONV * get_name)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV * resolve)(krb5_context, krb5_ccache *, const char *);
+    krb5_error_code (KRB5_CALLCONV * gen_new)(krb5_context, krb5_ccache *);
+    krb5_error_code (KRB5_CALLCONV * init)(krb5_context, krb5_ccache, krb5_principal);
+    krb5_error_code (KRB5_CALLCONV * destroy)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV * close)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV * store)(krb5_context, krb5_ccache, krb5_creds*);
+    krb5_error_code (KRB5_CALLCONV * retrieve)(krb5_context, krb5_ccache,
+                                               krb5_flags, const krb5_creds*, krb5_creds *);
+    krb5_error_code (KRB5_CALLCONV * get_princ)(krb5_context, krb5_ccache, krb5_principal*);
+    krb5_error_code (KRB5_CALLCONV * get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *);
+    krb5_error_code (KRB5_CALLCONV * get_next)(krb5_context, krb5_ccache,
+                                               krb5_cc_cursor*, krb5_creds*);
+    krb5_error_code (KRB5_CALLCONV * end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*);
+    krb5_error_code (KRB5_CALLCONV * remove_cred)(krb5_context, krb5_ccache,
+                                                  krb5_flags, krb5_creds*);
+    krb5_error_code (KRB5_CALLCONV * set_flags)(krb5_context, krb5_ccache, krb5_flags);
+    int (KRB5_CALLCONV * get_version)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV * get_cache_first)(krb5_context, krb5_cc_cursor *);
+    krb5_error_code (KRB5_CALLCONV * get_cache_next)(krb5_context, krb5_cc_cursor,
+                                                     krb5_ccache *);
+    krb5_error_code (KRB5_CALLCONV * end_cache_get)(krb5_context, krb5_cc_cursor);
+    krb5_error_code (KRB5_CALLCONV * move)(krb5_context, krb5_ccache, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV * get_default_name)(krb5_context, char **);
+    krb5_error_code (KRB5_CALLCONV * set_default)(krb5_context, krb5_ccache);
+    krb5_error_code (KRB5_CALLCONV * lastchange)(krb5_context, krb5_ccache, krb5_timestamp *);
+    krb5_error_code (KRB5_CALLCONV * set_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat);
+    krb5_error_code (KRB5_CALLCONV * get_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat *);
 } krb5_cc_ops;
 …
 struct krb5_keytab_data {
     const char *prefix;
     krb5_error_code (*resolve)(krb5_context, const char*, krb5_keytab);
     krb5_error_code (*get_name)(krb5_context, krb5_keytab, char*, size_t);
     krb5_error_code (*close)(krb5_context, krb5_keytab);
     krb5_error_code (*destroy)(krb5_context, krb5_keytab);
     krb5_error_code (*get)(krb5_context, krb5_keytab, krb5_const_principal,
                            krb5_kvno, krb5_enctype, krb5_keytab_entry*);
     krb5_error_code (*start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
     krb5_error_code (*next_entry)(krb5_context, krb5_keytab,
                                   krb5_keytab_entry*, krb5_kt_cursor*);
     krb5_error_code (*end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
     krb5_error_code (*add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
     krb5_error_code (*remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+    krb5_error_code (KRB5_CALLCONV * resolve)(krb5_context, const char*, krb5_keytab);
+    krb5_error_code (KRB5_CALLCONV * get_name)(krb5_context, krb5_keytab, char*, size_t);
+    krb5_error_code (KRB5_CALLCONV * close)(krb5_context, krb5_keytab);
+    krb5_error_code (KRB5_CALLCONV * destroy)(krb5_context, krb5_keytab);
+    krb5_error_code (KRB5_CALLCONV * get)(krb5_context, krb5_keytab, krb5_const_principal,
+                                          krb5_kvno, krb5_enctype, krb5_keytab_entry*);
+    krb5_error_code (KRB5_CALLCONV * start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+    krb5_error_code (KRB5_CALLCONV * next_entry)(krb5_context, krb5_keytab,
+                                                 krb5_keytab_entry*, krb5_kt_cursor*);
+    krb5_error_code (KRB5_CALLCONV * end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*);
+    krb5_error_code (KRB5_CALLCONV * add)(krb5_context, krb5_keytab, krb5_keytab_entry*);
+    krb5_error_code (KRB5_CALLCONV * remove)(krb5_context, krb5_keytab, krb5_keytab_entry*);
     void *data;
     int32_t version;
 …
 extern const char *heimdal_version, *heimdal_long_version;
 typedef void (*krb5_log_log_func_t)(const char*, const char*, void*);
 typedef void (*krb5_log_close_func_t)(void*);
+typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (KRB5_CALLCONV * krb5_log_close_func_t)(void*);
 typedef struct krb5_log_facility {
 …
 } krb5_prompt;
 typedef int (*krb5_prompter_fct)(krb5_context /*context*/,
                                  void * /*data*/,
                                  const char * /*name*/,
                                  const char * /*banner*/,
                                  int /*num_prompts*/,
                                  krb5_prompt /*prompts*/[]);
 typedef krb5_error_code (*krb5_key_proc)(krb5_context /*context*/,
                                          krb5_enctype /*type*/,
                                          krb5_salt /*salt*/,
                                          krb5_const_pointer /*keyseed*/,
                                          krb5_keyblock ** /*key*/);
 typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context /*context*/,
                                              krb5_keyblock * /*key*/,
                                              krb5_key_usage /*usage*/,
                                              krb5_const_pointer /*decrypt_arg*/,
                                              krb5_kdc_rep * /*dec_rep*/);
 typedef krb5_error_code (*krb5_s2k_proc)(krb5_context /*context*/,
                                          krb5_enctype /*type*/,
                                          krb5_const_pointer /*keyseed*/,
                                          krb5_salt /*salt*/,
                                          krb5_data * /*s2kparms*/,
                                          krb5_keyblock ** /*key*/);
+typedef int (KRB5_CALLCONV * krb5_prompter_fct)(krb5_context /*context*/,
+                                                void * /*data*/,
+                                                const char * /*name*/,
+                                                const char * /*banner*/,
+                                                int /*num_prompts*/,
+                                                krb5_prompt /*prompts*/[]);
+typedef krb5_error_code (KRB5_CALLCONV * krb5_key_proc)(krb5_context /*context*/,
+                                                        krb5_enctype /*type*/,
+                                                        krb5_salt /*salt*/,
+                                                        krb5_const_pointer /*keyseed*/,
+                                                        krb5_keyblock ** /*key*/);
+typedef krb5_error_code (KRB5_CALLCONV * krb5_decrypt_proc)(krb5_context /*context*/,
+                                                            krb5_keyblock * /*key*/,
+                                                            krb5_key_usage /*usage*/,
+                                                            krb5_const_pointer /*decrypt_arg*/,
+                                                            krb5_kdc_rep * /*dec_rep*/);
+typedef krb5_error_code (KRB5_CALLCONV * krb5_s2k_proc)(krb5_context /*context*/,
+                                                        krb5_enctype /*type*/,
+                                                        krb5_const_pointer /*keyseed*/,
+                                                        krb5_salt /*salt*/,
+                                                        krb5_data * /*s2kparms*/,
+                                                        krb5_keyblock ** /*key*/);
 struct _krb5_get_init_creds_opt_private;
 …
 #define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200
+/* krb5_init_creds_step flags argument */
+#define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE      0x0001
 typedef struct _krb5_verify_init_creds_opt {
     krb5_flags flags;
 …
 };
+typedef krb5_error_code (*krb5_send_to_kdc_func)(krb5_context,
+                                                 void *,
+                                                 krb5_krbhst_info *,
+                                                 time_t,
+                                                 const krb5_data *,
+                                                 krb5_data *);
+typedef krb5_error_code
+(KRB5_CALLCONV * krb5_send_to_kdc_func)(krb5_context, void *, krb5_krbhst_info *, time_t,
+                                        const krb5_data *, krb5_data *);
 /** flags for krb5_parse_name_flags */
 …
 #define KRB5_SENDTO_CONTINUE    2
+typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
+typedef krb5_error_code
+(KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *,
+                                       const krb5_data *, int *);
 struct krb5_plugin;
 …
 typedef krb5_error_code
 (*krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *);
+(KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *);
 /*
+ *
  */
+struct hx509_certs_data;
 #include <krb5-protos.h>
 …
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
 …
 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops;
 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops;
-extern KRB5_LIB_VARIABLE const krb5_kt_ops krb4_fkt_ops;
-extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_srvtab_fkt_ops;
 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops;

trunk/server/source4/heimdal/lib/krb5/krb5_locl.h

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #include <limits.h>
+#include <krb5-types.h>
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 …
 #include <sys/file.h>
 #endif
+#include <com_err.h>
+#include <heimbase.h>
 #define HEIMDAL_TEXTDOMAIN "heimdal_krb5"
 …
 /* XXX glue for pkinit */
+struct hx509_certs_data;
 struct krb5_pk_identity;
 struct krb5_pk_cert;
 …
 #include <hx509.h>
 #endif
+#include "crypto.h"
 #include <krb5-private.h>
 …
 #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
 #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+#ifndef PATH_SEP
+#define PATH_SEP ":"
+#endif
 /* should this be public? */
 …
 #define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
 #define MODULI_FILE SYSCONFDIR "/krb5.moduli"
 …
 #define KRB5_BUFSIZ 1024
+#define KRB5_BUFSIZ 2048
 typedef enum {
 …
 #define KRB5_INIT_CREDS_CANONICALIZE            1
 #define KRB5_INIT_CREDS_NO_C_CANON_CHECK        2
+#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK       4
     struct {
         krb5_gic_process_last_req func;
 …
     struct et_list *et_list;
     struct krb5_log_facility *warn_dest;
+    krb5_cc_ops *cc_ops;
+    struct krb5_log_facility *debug_dest;
+    const krb5_cc_ops **cc_ops;
     int num_cc_ops;
     const char *http_proxy;
 …
 #define KRB5_CTX_F_CHECK_PAC                    2
 #define KRB5_CTX_F_HOMEDIR_ACCESS               4
+#define KRB5_CTX_F_SOCKETS_INITIALIZED          8
+#define KRB5_CTX_F_RD_REQ_IGNORE                16
     struct send_to_kdc *send_to_kdc;
+#ifdef PKINIT
+    hx509_context hx509ctx;
+#endif
 } krb5_context_data;
+#ifndef KRB5_USE_PATH_TOKENS
 #define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
+#else
+#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
+#endif
 #define KRB5_DEFAULT_CCNAME_API "API:"
+#define KRB5_DEFAULT_CCNAME_KCM "KCM:%{uid}"
+#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
+#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"
 #define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH             1
 …
 #define EXTRACT_TICKET_MATCH_REALM                      4
 #define EXTRACT_TICKET_AS_REQ                           8
+#define EXTRACT_TICKET_TIMESYNC                         16
 /*
 …
 #endif
+#ifndef KRB5_FORWARDABLE_DEFAULT
+#define KRB5_FORWARDABLE_DEFAULT TRUE
+#endif
 #ifdef PKINIT
 struct krb5_pk_identity {
-    hx509_context hx509ctx;
     hx509_verify_ctx verify_ctx;
     hx509_certs certs;
 …
     hx509_certs certpool;
     hx509_revoke_ctx revokectx;
+    int flags;
+#define PKINIT_BTMM 1
 };

trunk/server/source4/heimdal/lib/krb5/krbhst.c

-              r414
+              r745
     r = rk_dns_lookup(domain, dns_type);
+    if(r == NULL)
+    if(r == NULL) {
+        _krb5_debug(context, 0,
+                    "DNS lookup failed domain: %s", domain);
         return KRB5_KDC_UNREACH;
+    }
     for(num_srv = 0, rr = r->head; rr; rr = rr->next)
 …
+}
+/*
+ *
+ */
+const char *
+_krb5_krbhst_get_realm(krb5_krbhst_handle handle)
+{
+    return handle->realm;
+}
 /*
 …
                const char *spec, int def_port, int port)
+{
     const char *p = spec;
+    const char *p = spec, *q;
     struct krb5_krbhst_info *hi;
 …
+    }
+    if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) {
+    if (p[0] == '[' && (q = strchr(p, ']')) != NULL) {
+        /* if address looks like [foo:bar] or [foo:bar]: its a ipv6
+           adress, strip of [] */
+        memcpy(hi->hostname, &p[1], q - p - 1);
+        hi->hostname[q - p - 1] = '\0';
+        p = q + 1;
+        /* get trailing : */
+        if (p[0] == ':')
+            p++;
+    } else if(strsep_copy(&p, ":", hi->hostname, strlen(spec) + 1) < 0) {
+        /* copy everything before : */
         free(hi);
         return NULL;
 …
     hi->port = hi->def_port = def_port;
     if(p != NULL) {
+    if(p != NULL && p[0]) {
         char *end;
         hi->port = strtol(p, &end, 0);
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host,
                           char *hostname, size_t hostlen)
 …
+}
+/*
+ * return an `struct addrinfo *' in `ai' corresponding to the information
+ * in `host'.  free:ing is handled by krb5_krbhst_free.
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return an `struct addrinfo *' for a KDC host.
+ *
+ * Returns an the struct addrinfo in in that corresponds to the
+ * information in `host'.  free:ing is handled by krb5_krbhst_free, so
+ * the returned ai must not be released.
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
                          struct addrinfo **ai)
+{
+    struct addrinfo hints;
+    char portstr[NI_MAXSERV];
+    int ret;
+    int ret = 0;
     if (host->ai == NULL) {
+        struct addrinfo hints;
+        char portstr[NI_MAXSERV];
+        char *hostname = host->hostname;
+        snprintf (portstr, sizeof(portstr), "%d", host->port);
         make_hints(&hints, host->proto);
+        snprintf (portstr, sizeof(portstr), "%d", host->port);
+        /**
+         * First try this as an IP address, this allows us to add a
+         * dot at the end to stop using the search domains.
+         */
+        hints.ai_flags |= AI_NUMERICHOST | AI_NUMERICSERV;
         ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
+        if (ret)
+            return krb5_eai_to_heim_errno(ret, errno);
+    }
+        if (ret == 0)
+            goto out;
+        /**
+         * If the hostname contains a dot, assumes it's a FQDN and
+         * don't use search domains since that might be painfully slow
+         * when machine is disconnected from that network.
+         */
+        hints.ai_flags &= ~(AI_NUMERICHOST);
+        if (strchr(hostname, '.') && hostname[strlen(hostname) - 1] != '.') {
+            ret = asprintf(&hostname, "%s.", host->hostname);
+            if (ret < 0 || hostname == NULL)
+                return ENOMEM;
+        }
+        ret = getaddrinfo(hostname, portstr, &hints, &host->ai);
+        if (hostname != host->hostname)
+            free(hostname);
+        if (ret) {
+            ret = krb5_eai_to_heim_errno(ret, errno);
+            goto out;
+        }
+    }
+ out:
     *ai = host->ai;
     return 0;
+    return ret;
+}
 …
               const char *proto, const char *service)
+{
+    krb5_error_code ret;
     krb5_krbhst_info **res;
     int count, i;
+    if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
+                       kd->port))
+    ret = srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
+                         kd->port);
+    _krb5_debug(context, 2, "searching DNS for realm %s %s.%s -> %d",
+                kd->realm, proto, service, ret);
+    if (ret)
         return;
     for(i = 0; i < count; i++)
 …
+{
     int i;
     char **hostlist;
     hostlist = krb5_config_get_strings(context, NULL,
                                        "realms", kd->realm, conf_string, NULL);
+    _krb5_debug(context, 2, "configuration file for realm %s%s found",
+                kd->realm, hostlist ? "" : " not");
     if(hostlist == NULL)
 …
                    const char *serv_string, int port, int proto)
+{
     char *host;
+    char *host = NULL;
     int ret;
     struct addrinfo *ai;
     struct addrinfo hints;
     char portstr[NI_MAXSERV];
+    _krb5_debug(context, 2, "fallback lookup %d for realm %s (service %s)",
+                kd->fallback_count, kd->realm, serv_string);
     /*
 …
     if(kd->fallback_count == 0)
         asprintf(&host, "%s.%s.", serv_string, kd->realm);
+        ret = asprintf(&host, "%s.%s.", serv_string, kd->realm);
     else
         asprintf(&host, "%s-%d.%s.",
                  serv_string, kd->fallback_count, kd->realm);
     if (host == NULL)
+        ret = asprintf(&host, "%s-%d.%s.",
+                       serv_string, kd->fallback_count, kd->realm);
+    if (ret < 0 || host == NULL)
         return ENOMEM;
 …
                                    kd->realm, ret);
             break;
+        } else if (ret == 0)
+        } else if (ret == 0) {
+            _krb5_debug(context, 2, "plugin found result for realm %s", kd->realm);
             kd->flags |= KD_CONFIG_EXISTS;
+        }
+    }
 …
+    }
+    if (kd->flags & KD_CONFIG_EXISTS)
+        return KRB5_KDC_UNREACH; /* XXX */
+    if (kd->flags & KD_CONFIG_EXISTS) {
+        _krb5_debug(context, 1,
+                    "Configuration exists for realm %s, wont go to DNS",
+                    kd->realm);
+        return KRB5_KDC_UNREACH;
+    }
     if(context->srv_lookup) {
 …
+    }
+    _krb5_debug(context, 0, "No KDC entries found for %s", kd->realm);
     return KRB5_KDC_UNREACH; /* XXX */
+}
 …
+    }
+    if (kd->flags & KD_CONFIG_EXISTS)
+        return KRB5_KDC_UNREACH; /* XXX */
+    if (kd->flags & KD_CONFIG_EXISTS) {
+        _krb5_debug(context, 1,
+                    "Configuration exists for realm %s, wont go to DNS",
+                    kd->realm);
+        return KRB5_KDC_UNREACH;
+    }
     if(context->srv_lookup) {
 …
+    }
+    _krb5_debug(context, 0, "No admin entries found for realm %s", kd->realm);
     return KRB5_KDC_UNREACH;    /* XXX */
+}
 …
+    }
+    if (kd->flags & KD_CONFIG_EXISTS)
+        return KRB5_KDC_UNREACH; /* XXX */
+    if (kd->flags & KD_CONFIG_EXISTS) {
+        _krb5_debug(context, 1,
+                    "Configuration exists for realm %s, wont go to DNS",
+                    kd->realm);
+        return KRB5_KDC_UNREACH;
+    }
     if(context->srv_lookup) {
 …
+    }
+    return KRB5_KDC_UNREACH; /* XXX */
+    _krb5_debug(context, 0, "No kpasswd entries found for realm %s", kd->realm);
+    return KRB5_KDC_UNREACH;
+}
 …
+    }
+    if (kd->flags & KD_CONFIG_EXISTS)
+        return KRB5_KDC_UNREACH; /* XXX */
+    if (kd->flags & KD_CONFIG_EXISTS) {
+        _krb5_debug(context, 1,
+                    "Configuration exists for realm %s, wont go to DNS",
+                    kd->realm);
+        return KRB5_KDC_UNREACH;
+    }
     if(context->srv_lookup) {
 …
+    }
+    return KRB5_KDC_UNREACH; /* XXX */
+    _krb5_debug(context, 0, "No kpasswd entries found for realm %s", kd->realm);
+    return KRB5_KDC_UNREACH;
+}
 static struct krb5_krbhst_data*
 common_init(krb5_context context,
+            const char *service,
             const char *realm,
             int flags)
 …
         return NULL;
+    }
+    _krb5_debug(context, 2, "Trying to find service %s for realm %s flags %x",
+                service, realm, flags);
     /* For 'realms' without a . do not even think of going to DNS */
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_krbhst_init(krb5_context context,
                  const char *realm,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_krbhst_init_flags(krb5_context context,
                        const char *realm,
 …
                             krb5_krbhst_info **);
     int def_port;
+    const char *service;
     switch(type) {
 …
         next = kdc_get_next;
         def_port = ntohs(krb5_getportbyname (context, "kerberos", "udp", 88));
+        service = "kdc";
         break;
     case KRB5_KRBHST_ADMIN:
 …
         def_port = ntohs(krb5_getportbyname (context, "kerberos-adm",
                                              "tcp", 749));
+        service = "admin";
         break;
     case KRB5_KRBHST_CHANGEPW:
 …
         def_port = ntohs(krb5_getportbyname (context, "kpasswd", "udp",
                                              KPASSWD_PORT));
+        service = "change_password";
         break;
     case KRB5_KRBHST_KRB524:
         next = krb524_get_next;
         def_port = ntohs(krb5_getportbyname (context, "krb524", "udp", 4444));
+        service = "524";
         break;
     default:
 …
         return ENOTTY;
+    }
     if((kd = common_init(context, realm, flags)) == NULL)
+    if((kd = common_init(context, service, realm, flags)) == NULL)
         return ENOMEM;
     kd->get_next = next;
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_krbhst_next(krb5_context context,
                  krb5_krbhst_handle handle,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_krbhst_next_as_string(krb5_context context,
                            krb5_krbhst_handle handle,
 …
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_krb_admin_hst (krb5_context context,
                         const krb5_realm *realm,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_krb_changepw_hst (krb5_context context,
                            const krb5_realm *realm,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_krb524hst (krb5_context context,
                     const krb5_realm *realm,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_krbhst (krb5_context context,
                  const krb5_realm *realm,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_krbhst (krb5_context context,
                   char **hostlist)

trunk/server/source4/heimdal/lib/krb5/log.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_initlog(krb5_context context,
              const char *program,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_addlog_func(krb5_context context,
                  krb5_log_facility *fac,
 …
 };
 static void
+static void KRB5_CALLCONV
 log_syslog(const char *timestr,
            const char *msg,
 …
+}
 static void
+static void KRB5_CALLCONV
 close_syslog(void *data)
+{
 …
 };
 static void
+static void KRB5_CALLCONV
 log_file(const char *timestr,
          const char *msg,
 …
+}
 static void
+static void KRB5_CALLCONV
 close_file(void *data)
+{
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
+{
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_openlog(krb5_context context,
              const char *program,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_closelog(krb5_context context,
               krb5_log_facility *fac)
 …
 #define __attribute__(X)
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_vlog_msg(krb5_context context,
               krb5_log_facility *fac,
 …
+            }
             if(actual == NULL) {
                 vasprintf(&msg, fmt, ap);
                 if(msg == NULL)
+                int ret = vasprintf(&msg, fmt, ap);
+                if(ret < 0 || msg == NULL)
                     actual = fmt;
                 else
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_vlog(krb5_context context,
           krb5_log_facility *fac,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_log_msg(krb5_context context,
              krb5_log_facility *fac,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_log(krb5_context context,
          krb5_log_facility *fac,
 …
+}
+void KRB5_LIB_FUNCTION
+_krb5_debug(krb5_context context,
+            int level,
+            const char *fmt,
+            ...)
+    __attribute__((format (printf, 3, 4)))
+{
+    va_list ap;
+    if (context == NULL || context->debug_dest == NULL)
+        return;
+    va_start(ap, fmt);
+    krb5_vlog(context, context->debug_dest, level, fmt, ap);
+    va_end(ap);
+}
+krb5_boolean KRB5_LIB_FUNCTION
+_krb5_have_debug(krb5_context context, int level)
+{
+    if (context == NULL || context->debug_dest == NULL)
+        return 0 ;
+    return 1;
+}

trunk/server/source4/heimdal/lib/krb5/mcache.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
     struct krb5_mcache *next;
     time_t mtime;
+    krb5_deltat kdc_offset;
 } krb5_mcache;
 …
 #define MISDEAD(X)      ((X)->dead)
 static const char*
+static const char* KRB5_CALLCONV
 mcc_get_name(krb5_context context,
              krb5_ccache id)
 …
+}
 static krb5_mcache *
+static krb5_mcache * KRB5_CALLCONV
 mcc_alloc(const char *name)
+{
     krb5_mcache *m, *m_c;
+    int ret = 0;
     ALLOC(m, 1);
 …
         return NULL;
     if(name == NULL)
         asprintf(&m->name, "%p", m);
+        ret = asprintf(&m->name, "%p", m);
     else
         m->name = strdup(name);
     if(m->name == NULL) {
+    if(ret < 0 || m->name == NULL) {
         free(m);
         return NULL;
 …
     m->creds = NULL;
     m->mtime = time(NULL);
+    m->kdc_offset = 0;
     m->next = mcc_head;
     mcc_head = m;
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_resolve(krb5_context context, krb5_ccache *id, const char *res)
+{
 …
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_gen_new(krb5_context context, krb5_ccache *id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_initialize(krb5_context context,
                krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_close(krb5_context context,
           krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_destroy(krb5_context context,
             krb5_ccache id)
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_store_cred(krb5_context context,
                krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_get_principal(krb5_context context,
                   krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_get_first (krb5_context context,
                krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_get_next (krb5_context context,
               krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_end_get (krb5_context context,
              krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_remove_cred(krb5_context context,
                  krb5_ccache id,
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_set_flags(krb5_context context,
               krb5_ccache id,
 …
 };
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_get_cache_first(krb5_context context, krb5_cc_cursor *cursor)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_get_cache_next(krb5_context context, krb5_cc_cursor cursor, krb5_ccache *id)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_move(krb5_context context, krb5_ccache from, krb5_ccache to)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_default_name(krb5_context context, char **str)
+{
 …
+}
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 mcc_lastchange(krb5_context context, krb5_ccache id, krb5_timestamp *mtime)
+{
     *mtime = MCACHE(id)->mtime;
+    return 0;
+}
+static krb5_error_code KRB5_CALLCONV
+mcc_set_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat kdc_offset)
+{
+    krb5_mcache *m = MCACHE(id);
+    m->kdc_offset = kdc_offset;
+    return 0;
+}
+static krb5_error_code KRB5_CALLCONV
+mcc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *kdc_offset)
+{
+    krb5_mcache *m = MCACHE(id);
+    *kdc_offset = m->kdc_offset;
     return 0;
+}
 …
     mcc_default_name,
     NULL,
+    mcc_lastchange
+    mcc_lastchange,
+    mcc_set_kdc_offset,
+    mcc_get_kdc_offset
 };

trunk/server/source4/heimdal/lib/krb5/misc.c

-              r414
+              r745
 #include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_s4u2self_to_checksumdata(krb5_context context,
                                const PA_S4U2Self *self,
 …
     return ret;
+}
+krb5_error_code
+krb5_enomem(krb5_context context)
+{
+    krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+    return ENOMEM;
+}

trunk/server/source4/heimdal/lib/krb5/mit_glue.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_make_checksum(krb5_context context,
                      krb5_cksumtype cksumtype,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
                        krb5_keyusage usage, const krb5_data *data,
 …
     if (data_cksum.cksumtype == cksum->cksumtype
+        && data_cksum.checksum.length == cksum->checksum.length
+        && memcmp(data_cksum.checksum.data, cksum->checksum.data, cksum->checksum.length) == 0)
+        && krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
         *valid = 1;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_get_checksum(krb5_context context, const krb5_checksum *cksum,
                     krb5_cksumtype *type, krb5_data **data)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_set_checksum(krb5_context context, krb5_checksum *cksum,
                     krb5_cksumtype type, const krb5_data *data)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_checksum (krb5_context context, krb5_checksum *cksum)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_checksum_contents(krb5_context context, krb5_checksum *cksum)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_checksum_free(krb5_context context, krb5_checksum *cksum)
+{
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_c_valid_enctype (krb5_enctype etype)
+{
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_c_valid_cksumtype(krb5_cksumtype ctype)
+{
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)
+{
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_c_is_keyed_cksum(krb5_cksumtype ctype)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_checksum (krb5_context context,
                     const krb5_checksum *old,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_checksum_length (krb5_context context, krb5_cksumtype cksumtype,
                         size_t *length)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_block_size(krb5_context context,
                   krb5_enctype enctype,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_decrypt(krb5_context context,
                const krb5_keyblock key,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_encrypt(krb5_context context,
                const krb5_keyblock *key,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_encrypt_length(krb5_context context,
                       krb5_enctype enctype,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Deprecated: keytypes doesn't exists, they are really enctypes.
+ *
+ * @ingroup krb5_deprecated
+ */
+KRB5_DEPRECATED
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_enctype_compare(krb5_context context,
                        krb5_enctype e1,
                        krb5_enctype e2,
                        krb5_boolean *similar)
-    KRB5_DEPRECATED
+{
     *similar = (e1 == e2);
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_make_random_key(krb5_context context,
                        krb5_enctype enctype,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_keylengths(krb5_context context,
                   krb5_enctype enctype,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_prf_length(krb5_context context,
                   krb5_enctype type,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_c_prf(krb5_context context,
            const krb5_keyblock *key,
 …
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_c_random_make_octets(krb5_context context, krb5_data * data)
+{
+    return krb5_generate_random_keyblock(context, data->length, data->data);
+}
 /**
  * MIT compat glue
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_cc_copy_creds(krb5_context context,
                    const krb5_ccache from,
 …
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getsendsubkey(krb5_context context, krb5_auth_context auth_context,
+                            krb5_keyblock **keyblock)
+{
+    return krb5_auth_con_getlocalsubkey(context, auth_context, keyblock);
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_getrecvsubkey(krb5_context context, krb5_auth_context auth_context,
+                            krb5_keyblock **keyblock)
+{
+    return krb5_auth_con_getremotesubkey(context, auth_context, keyblock);
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_setsendsubkey(krb5_context context, krb5_auth_context auth_context,
+                            krb5_keyblock *keyblock)
+{
+    return krb5_auth_con_setlocalsubkey(context, auth_context, keyblock);
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_auth_con_setrecvsubkey(krb5_context context, krb5_auth_context auth_context,
+                            krb5_keyblock *keyblock)
+{
+    return krb5_auth_con_setremotesubkey(context, auth_context, keyblock);
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_free_default_realm(krb5_context context, krb5_realm realm)
+{
+    return krb5_xfree(realm);
+}
 #endif /* HEIMDAL_SMALLER */

trunk/server/source4/heimdal/lib/krb5/mk_error.c

-              r414
+              r745
 #include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_mk_error(krb5_context context,
               krb5_error_code error_code,
 …
               krb5_data *reply)
+{
+    const char *e_text2 = NULL;
     KRB_ERROR msg;
     krb5_timestamp sec;
 …
     if(error_code < KRB5KDC_ERR_NONE || error_code >= KRB5_ERR_RCSID) {
         if(e_text == NULL)
             e_text = krb5_get_err_text(context, error_code);
+            e_text = e_text2 = krb5_get_error_message(context, error_code);
         error_code = KRB5KRB_ERR_GENERIC;
+    }
 …
     ASN1_MALLOC_ENCODE(KRB_ERROR, reply->data, reply->length, &msg, &len, ret);
+    if (e_text2)
+        krb5_free_error_message(context, e_text2);
     if (ret)
         return ret;

trunk/server/source4/heimdal/lib/krb5/mk_priv.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_mk_priv(krb5_context context,
              krb5_auth_context auth_context,

trunk/server/source4/heimdal/lib/krb5/mk_rep.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_mk_rep(krb5_context context,
             krb5_auth_context auth_context,

trunk/server/source4/heimdal/lib/krb5/mk_req.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_mk_req_exact(krb5_context context,
                   krb5_auth_context *auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_mk_req(krb5_context context,
             krb5_auth_context *auth_context,

trunk/server/source4/heimdal/lib/krb5/mk_req_ext.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 krb5_error_code
 …
         goto out;
     ret = krb5_build_authenticator (context,
+    ret = _krb5_build_authenticator(context,
                                     ac,
                                     ac->keyblock->keytype,
                                     in_creds,
                                     c_opt,
-                                    NULL,
                                     &authenticator,
                                     encrypt_usage);
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_mk_req_extended(krb5_context context,
                      krb5_auth_context *auth_context,

trunk/server/source4/heimdal/lib/krb5/n-fold.c

r414	r745
97	97	}
98	98
99		krb5_error_code KRB5_LIB_FUNCTION
	99	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
100	100	_krb5_n_fold(const void str, size_t len, void key, size_t size)
101	101	{

trunk/server/source4/heimdal/lib/krb5/pac.c

-              r414
+              r745
 /*
+ *
+ * HMAC-MD5 checksum over any key (needed for the PAC routines)
  */
+krb5_error_code
+static krb5_error_code
+HMAC_MD5_any_checksum(krb5_context context,
+                      const krb5_keyblock *key,
+                      const void *data,
+                      size_t len,
+                      unsigned usage,
+                      Checksum *result)
+{
+    struct _krb5_key_data local_key;
+    krb5_error_code ret;
+    memset(&local_key, 0, sizeof(local_key));
+    ret = krb5_copy_keyblock(context, key, &local_key.key);
+    if (ret)
+        return ret;
+    ret = krb5_data_alloc (&result->checksum, 16);
+    if (ret) {
+        krb5_free_keyblock(context, local_key.key);
+        return ret;
+    }
+    result->cksumtype = CKSUMTYPE_HMAC_MD5;
+    ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
+    if (ret)
+        krb5_data_free(&result->checksum);
+    krb5_free_keyblock(context, local_key.key);
+    return ret;
+}
+/*
+ *
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
                krb5_pac *pac)
 …
     p = calloc(1, sizeof(*p));
     if (p == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        ret = krb5_enomem(context);
         goto out;
+    }
 …
     sp = krb5_storage_from_readonly_mem(ptr, len);
     if (sp == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        ret = krb5_enomem(context);
         goto out;
+    }
 …
                     sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1)));
     if (p->pac == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        ret = krb5_enomem(context);
         goto out;
+    }
 …
+}
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_pac_init(krb5_context context, krb5_pac *pac)
+{
 …
     p = calloc(1, sizeof(*p));
     if (p == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+        return krb5_enomem(context);
+    }
 …
     if (p->pac == NULL) {
         free(p);
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+        return krb5_enomem(context);
+    }
 …
         free (p->pac);
         free(p);
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        return ret;
+    }
+        return krb5_enomem(context);
+    }
     *pac = p;
 …
+}
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_pac_add_buffer(krb5_context context, krb5_pac p,
                     uint32_t type, const krb5_data *data)
 …
     ptr = realloc(p->pac,
                   sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * len));
+    if (ptr == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    if (ptr == NULL)
+        return krb5_enomem(context);
     p->pac = ptr;
 …
  */
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_pac_get_buffer(krb5_context context, krb5_pac p,
                     uint32_t type, krb5_data *data)
 …
  */
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_pac_get_types(krb5_context context,
                    krb5_pac p,
 …
     if (*types == NULL) {
         *len = 0;
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+        return krb5_enomem(context);
+    }
     for (i = 0; i < p->pac->numbuffers; i++)
 …
  */
+void
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_pac_free(krb5_context context, krb5_pac pac)
+{
 …
                 const krb5_keyblock *key)
+{
-    krb5_crypto crypto = NULL;
     krb5_storage *sp = NULL;
     uint32_t type;
 …
     sp = krb5_storage_from_mem((char *)data->data + sig->offset_lo,
                                sig->buffersize);
+    if (sp == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    if (sp == NULL)
+        return krb5_enomem(context);
     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
 …
     cksum.checksum.data = malloc(cksum.checksum.length);
     if (cksum.checksum.data == NULL) {
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        ret = krb5_enomem(context);
         goto out;
+    }
 …
+    }
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+        goto out;
+    ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
+                               ptr, len, &cksum);
+    /* If the checksum is HMAC-MD5, the checksum type is not tied to
+     * the key type, instead the HMAC-MD5 checksum is applied blindly
+     * on whatever key is used for this connection, avoiding issues
+     * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
+     * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
+     * for the same issue in MIT, and
+     * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
+     * for Microsoft's explaination */
+    if (cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
+        Checksum local_checksum;
+        memset(&local_checksum, 0, sizeof(local_checksum));
+        ret = HMAC_MD5_any_checksum(context, key, ptr, len,
+                                    KRB5_KU_OTHER_CKSUM, &local_checksum);
+        if (ret != 0 || krb5_data_ct_cmp(&local_checksum.checksum, &cksum.checksum) != 0) {
+            ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+            krb5_set_error_message(context, ret,
+                                   N_("PAC integrity check failed for "
+                                      "hmac-md5 checksum", ""));
+        }
+        krb5_data_free(&local_checksum.checksum);
+   } else {
+        krb5_crypto crypto = NULL;
+        ret = krb5_crypto_init(context, key, 0, &crypto);
+        if (ret)
+                goto out;
+        ret = krb5_verify_checksum(context, crypto, KRB5_KU_OTHER_CKSUM,
+                                   ptr, len, &cksum);
+        krb5_crypto_destroy(context, crypto);
+    }
     free(cksum.checksum.data);
-    krb5_crypto_destroy(context, crypto);
     krb5_storage_free(sp);
 …
     if (sp)
         krb5_storage_free(sp);
-    if (crypto)
-        krb5_crypto_destroy(context, crypto);
     return ret;
+}
 …
 create_checksum(krb5_context context,
                 const krb5_keyblock *key,
+                uint32_t cksumtype,
                 void *data, size_t datalen,
                 void *sig, size_t siglen)
 …
     Checksum cksum;
+    ret = krb5_crypto_init(context, key, 0, &crypto);
+    if (ret)
+        return ret;
+    ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
+                               data, datalen, &cksum);
+    krb5_crypto_destroy(context, crypto);
+    if (ret)
+        return ret;
+    /* If the checksum is HMAC-MD5, the checksum type is not tied to
+     * the key type, instead the HMAC-MD5 checksum is applied blindly
+     * on whatever key is used for this connection, avoiding issues
+     * with unkeyed checksums on des-cbc-md5 and des-cbc-crc.  See
+     * http://comments.gmane.org/gmane.comp.encryption.kerberos.devel/8743
+     * for the same issue in MIT, and
+     * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
+     * for Microsoft's explaination */
+    if (cksumtype == CKSUMTYPE_HMAC_MD5) {
+        ret = HMAC_MD5_any_checksum(context, key, data, datalen,
+                                    KRB5_KU_OTHER_CKSUM, &cksum);
+    } else {
+        ret = krb5_crypto_init(context, key, 0, &crypto);
+        if (ret)
+            return ret;
+        ret = krb5_create_checksum(context, crypto, KRB5_KU_OTHER_CKSUM, 0,
+                                   data, datalen, &cksum);
+        krb5_crypto_destroy(context, crypto);
+        if (ret)
+            return ret;
+    }
     if (cksum.checksum.length != siglen) {
         krb5_set_error_message(context, EINVAL, "pac checksum wrong length");
 …
     sp = krb5_storage_from_readonly_mem((const char *)data->data + logon_name->offset_lo,
                                         logon_name->buffersize);
+    if (sp == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    if (sp == NULL)
+        return krb5_enomem(context);
     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
 …
     if (s == NULL) {
         krb5_storage_free(sp);
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+        return krb5_enomem(context);
+    }
     ret = krb5_storage_read(sp, s, len);
 …
         ucs2 = malloc(sizeof(ucs2[0]) * ucs2len);
+        if (ucs2 == NULL) {
+            krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        if (ucs2 == NULL)
+            return krb5_enomem(context);
         ret = wind_ucs2read(s, len, &flags, ucs2, &ucs2len);
         free(s);
 …
         if (s == NULL) {
             free(ucs2);
+            krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+            return ENOMEM;
+            return krb5_enomem(context);
+        }
         ret = wind_ucs2utf8(ucs2, ucs2len, s, &u8len);
 …
     sp = krb5_storage_emem();
+    if (sp == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    if (sp == NULL)
+        return krb5_enomem(context);
     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
 …
     s2 = malloc(len * 2);
     if (s2 == NULL) {
         ret = ENOMEM;
+        ret = krb5_enomem(context);
         free(s);
         goto out;
 …
     free(s2);
     if (ret != len * 2) {
         ret = ENOMEM;
+        ret = krb5_enomem(context);
         goto out;
+    }
 …
  */
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_pac_verify(krb5_context context,
                 const krb5_pac pac,
 …
             l = sizeof(zeros);
         sret = krb5_storage_write(sp, zeros, l);
+        if (sret <= 0) {
+            krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        if (sret <= 0)
+            return krb5_enomem(context);
         len -= sret;
+    }
 …
     if (krb5_checksum_is_keyed(context, cktype) == FALSE) {
         krb5_set_error_message(context, EINVAL, "PAC checksum type is not keyed");
         return EINVAL;
+        *cksumtype = CKSUMTYPE_HMAC_MD5;
+        *cksumsize = 16;
+    }
 …
         ptr = realloc(p->pac, sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (p->pac->numbuffers + num - 1)));
+        if (ptr == NULL) {
+            krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+            return ENOMEM;
+        }
+        if (ptr == NULL)
+            return krb5_enomem(context);
         p->pac = ptr;
 …
     /* Encode PAC */
     sp = krb5_storage_emem();
+    if (sp == NULL) {
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+    }
+    if (sp == NULL)
+        return krb5_enomem(context);
     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
 …
     if (spdata == NULL) {
         krb5_storage_free(sp);
+        krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
+        return ENOMEM;
+        return krb5_enomem(context);
+    }
     krb5_storage_set_flags(spdata, KRB5_STORAGE_BYTEORDER_LE);
 …
             sret = krb5_storage_write(spdata, ptr, len);
             if (sret != len) {
+                ret = ENOMEM;
+                krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+                ret = krb5_enomem(context);
                 goto out;
+            }
 …
     if (ret != d.length) {
         krb5_data_free(&d);
+        ret = ENOMEM;
+        krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        ret = krb5_enomem(context);
         goto out;
+    }
 …
     ret = krb5_storage_to_data(sp, &d);
     if (ret) {
         krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
+        ret = krb5_enomem(context);
         goto out;
+    }
     /* sign */
+    ret = create_checksum(context, server_key,
+    ret = create_checksum(context, server_key, server_cksumtype,
                           d.data, d.length,
                           (char *)d.data + server_offset, server_size);
 …
         goto out;
+    }
+    ret = create_checksum(context, priv_key,
+    ret = create_checksum(context, priv_key, priv_cksumtype,
                           (char *)d.data + server_offset, server_size,
                           (char *)d.data + priv_offset, priv_size);

trunk/server/source4/heimdal/lib/krb5/padata.c

-              r414
+              r745
 #include "krb5_locl.h"
+PA_DATA *
+KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
 krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
+{
 …
+}
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_padata_add(krb5_context context, METHOD_DATA *md,
                 int type, void *buf, size_t len)

trunk/server/source4/heimdal/lib/krb5/pkinit.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
     unsigned int require_hostname_match:1;
     unsigned int trustedCertifiers:1;
+    unsigned int anonymous:1;
 };
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 _krb5_pk_cert_free(struct krb5_pk_cert *cert)
+{
 …
           hx509_query *q, hx509_cert *cert)
+{
+    struct certfind cf[3] = {
+    struct certfind cf[4] = {
+        { "MobileMe EKU" },
         { "PKINIT EKU" },
         { "MS EKU" },
         { "any (or no)" }
     };
+    int i, ret;
+    cf[0].oid = &asn1_oid_id_pkekuoid;
+    cf[1].oid = &asn1_oid_id_pkinit_ms_eku;
+    cf[2].oid = NULL;
+    for (i = 0; i < sizeof(cf)/sizeof(cf[0]); i++) {
+    int i, ret, start = 1;
+    unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
+    const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
+    if (id->flags & PKINIT_BTMM)
+        start = 0;
+    cf[0].oid = &mobileMe;
+    cf[1].oid = &asn1_oid_id_pkekuoid;
+    cf[2].oid = &asn1_oid_id_pkinit_ms_eku;
+    cf[3].oid = NULL;
+    for (i = start; i < sizeof(cf)/sizeof(cf[0]); i++) {
         ret = hx509_query_match_eku(q, cf[i].oid);
         if (ret) {
             pk_copy_error(context, id->hx509ctx, ret,
+            pk_copy_error(context, context->hx509ctx, ret,
                           "Failed setting %s OID", cf[i].type);
             return ret;
+        }
         ret = hx509_certs_find(id->hx509ctx, id->certs, q, cert);
+        ret = hx509_certs_find(context->hx509ctx, id->certs, q, cert);
         if (ret == 0)
             break;
         pk_copy_error(context, id->hx509ctx, ret,
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed finding certificate with %s OID", cf[i].type);
+    }
 …
         flags |= HX509_CMS_SIGNATURE_NO_SIGNER;
     ret = hx509_cms_create_signed_1(id->hx509ctx,
+    ret = hx509_cms_create_signed_1(context->hx509ctx,
                                     flags,
                                     eContentType,
 …
                                     sd_data);
     if (ret) {
         pk_copy_error(context, id->hx509ctx, ret,
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Create CMS signedData");
         return ret;
 …
           ExternalPrincipalIdentifiers *ids)
+{
     return hx509_certs_iter(hx509ctx, certs, cert2epi, ids);
+    return hx509_certs_iter_f(hx509ctx, certs, cert2epi, ids);
+}
 …
             return ENOMEM;
         ret = hx509_crypto_available(ctx->id->hx509ctx, HX509_SELECT_ALL, NULL,
+        ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL,
                                      &a->supportedCMSTypes->val,
                                      &a->supportedCMSTypes->len);
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_pk_mk_ContentInfo(krb5_context context,
                         const krb5_data *buf,
 …
                 goto out;
+            }
             ret = build_edi(context, ctx->id->hx509ctx,
+            ret = build_edi(context, context->hx509ctx,
                             ctx->id->anchors, req.trustedCertifiers);
             if (ret) {
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_pk_mk_padata(krb5_context context,
                    void *c,
+                   int ic_flags,
+                   int win2k,
                    const KDC_REQ_BODY *req_body,
                    unsigned nonce,
 …
     int win2k_compat;
+    if (ctx->id->certs == NULL && ctx->anonymous == 0) {
+        krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
+                               N_("PKINIT: No user certificate given", ""));
+        return HEIM_PKINIT_NO_PRIVATE_KEY;
+    }
     win2k_compat = krb5_config_get_bool_default(context, NULL,
                                                 FALSE,
+                                                win2k,
                                                 "realms",
                                                 req_body->realm,
 …
         ctx->require_binding =
             krb5_config_get_bool_default(context, NULL,
                                          FALSE,
+                                         TRUE,
                                          "realms",
                                          req_body->realm,
 …
                                      "pkinit_require_eku",
                                      NULL);
+    if (ic_flags & KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK)
+        ctx->require_eku = 0;
+    if (ctx->id->flags & PKINIT_BTMM)
+        ctx->require_eku = 0;
     ctx->require_krbtgt_otherName =
         krb5_config_get_bool_default(context, NULL,
 …
+{
     hx509_certs signer_certs;
+    int ret;
+    int ret, flags = 0;
+    /* BTMM is broken in Leo and SnowLeo */
+    if (id->flags & PKINIT_BTMM) {
+        flags |= HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH;
+        flags |= HX509_CMS_VS_NO_KU_CHECK;
+        flags |= HX509_CMS_VS_NO_VALIDATE;
+    }
     *signer = NULL;
     ret = hx509_cms_verify_signed(id->hx509ctx,
+    ret = hx509_cms_verify_signed(context->hx509ctx,
                                   id->verify_ctx,
                                   HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH|HX509_CMS_VS_NO_KU_CHECK,
+                                  flags,
                                   data,
                                   length,
 …
                                   &signer_certs);
     if (ret) {
         pk_copy_error(context, id->hx509ctx, ret,
+        pk_copy_error(context, context->hx509ctx, ret,
                       "CMS verify signed failed");
         return ret;
 …
+    }
     ret = hx509_get_one_cert(id->hx509ctx, signer_certs, &(*signer)->cert);
     if (ret) {
         pk_copy_error(context, id->hx509ctx, ret,
+    ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed to get on of the signer certs");
         goto out;
 …
     if (ctx->require_eku) {
         ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
+        ret = hx509_cert_check_eku(context->hx509ctx, host->cert,
                                    &asn1_oid_id_pkkdcekuoid, 0);
         if (ret) {
 …
         int i;
         ret = hx509_cert_find_subjectAltName_otherName(ctx->id->hx509ctx,
+        ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
                                                        host->cert,
                                                        &asn1_oid_id_pkinit_san,
 …
     if (hi) {
         ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
+        ret = hx509_verify_hostname(context->hx509ctx, host->cert,
                                     ctx->require_hostname_match,
                                     HX509_HN_HOSTNAME,
 …
         flags |= HX509_CMS_UE_ALLOW_WEAK;
     ret = hx509_cms_unenvelope(ctx->id->hx509ctx,
+    ret = hx509_cms_unenvelope(context->hx509ctx,
                                ctx->id->certs,
                                flags,
 …
                                &content);
     if (ret) {
         pk_copy_error(context, ctx->id->hx509ctx, ret,
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed to unenvelope CMS data in PK-INIT reply");
         return ret;
 …
     der_free_oid(&contentType);
-#if 0 /* windows LH with interesting CMS packets, leaks memory */
+    {
-        size_t ph = 1 + der_length_len (length);
-        unsigned char *ptr = malloc(length + ph);
-        size_t l;
-        memcpy(ptr + ph, p, length);
-        ret = der_put_length_and_tag (ptr + ph - 1, ph, length,
-                                      ASN1_C_UNIV, CONS, UT_Sequence, &l);
-        if (ret)
-            return ret;
-        ptr += ph - l;
-        length += l;
-        p = ptr;
+    }
-#endif
     /* win2k uses ContentInfo */
     if (type == PKINIT_WIN2K) {
         heim_oid type;
+        heim_oid type2;
         heim_octet_string out;
+        ret = hx509_cms_unwrap_ContentInfo(&content, &type, &out, NULL);
+        if (ret)
+            goto out;
+        if (der_heim_oid_cmp(&type, &asn1_oid_id_pkcs7_signedData)) {
+        ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+        if (ret) {
+            /* windows LH with interesting CMS packets */
+            size_t ph = 1 + der_length_len(content.length);
+            unsigned char *ptr = malloc(content.length + ph);
+            size_t l;
+            memcpy(ptr + ph, content.data, content.length);
+            ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length,
+                                          ASN1_C_UNIV, CONS, UT_Sequence, &l);
+            if (ret)
+                return ret;
+            free(content.data);
+            content.data = ptr;
+            content.length += ph;
+            ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+            if (ret)
+                goto out;
+        }
+        if (der_heim_oid_cmp(&type2, &asn1_oid_id_pkcs7_signedData)) {
             ret = EINVAL; /* XXX */
             krb5_set_error_message(context, ret,
                                    N_("PKINIT: Invalid content type", ""));
             der_free_oid(&type);
+            der_free_oid(&type2);
             der_free_octet_string(&out);
             goto out;
+        }
         der_free_oid(&type);
+        der_free_oid(&type2);
         krb5_data_free(&content);
         ret = krb5_data_copy(&content, out.data, out.length);
 …
+        dh_gen_keylen = DH_size(ctx->u.dh);
+        size = BN_num_bytes(ctx->u.dh->p);
+        if (size < dh_gen_keylen)
+            size = dh_gen_keylen;
+        size = DH_size(ctx->u.dh);
         dh_gen_key = malloc(size);
 …
             goto out;
+        }
-        memset(dh_gen_key, 0, size - dh_gen_keylen);
+        dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
+                                       kdc_dh_pubkey, ctx->u.dh);
+        dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh);
         if (dh_gen_keylen == -1) {
             ret = KRB5KRB_ERR_GENERIC;
 …
             goto out;
+        }
+        if (dh_gen_keylen < size) {
+            size -= dh_gen_keylen;
+            memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
+            memset(dh_gen_key, 0, size);
+        }
     } else {
 #ifdef HAVE_OPENSSL
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_pk_rd_pa_reply(krb5_context context,
                      const char *realm,
 …
         switch (rep.element) {
         case choice_PA_PK_AS_REP_dhInfo:
+            _krb5_debug(context, 5, "krb5_get_init_creds: using pkinit dh");
             os = rep.u.dhInfo.dhSignedData;
             break;
         case choice_PA_PK_AS_REP_encKeyPack:
+            _krb5_debug(context, 5, "krb5_get_init_creds: using kinit enc reply key");
             os = rep.u.encKeyPack;
             break;
 …
             memset(&rep, 0, sizeof(rep));
+            _krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key");
             ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
                                            pa->padata_value.length,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+static krb5_error_code
+_krb5_pk_set_user_id(krb5_context context,
+                     krb5_principal principal,
+                     krb5_pk_init_ctx ctx,
+                     struct hx509_certs_data *certs)
+{
+    hx509_certs c = hx509_certs_ref(certs);
+    hx509_query *q = NULL;
+    int ret;
+    if (ctx->id->certs)
+        hx509_certs_free(&ctx->id->certs);
+    if (ctx->id->cert) {
+        hx509_cert_free(ctx->id->cert);
+        ctx->id->cert = NULL;
+    }
+    ctx->id->certs = c;
+    ctx->anonymous = 0;
+    ret = hx509_query_alloc(context->hx509ctx, &q);
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
+                      "Allocate query to find signing certificate");
+        return ret;
+    }
+    hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+    hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+    if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) {
+        ctx->id->flags |= PKINIT_BTMM;
+    }
+    ret = find_cert(context, ctx->id, q, &ctx->id->cert);
+    hx509_query_free(context->hx509ctx, q);
+    if (ret == 0 && _krb5_have_debug(context, 2)) {
+        hx509_name name;
+        char *str, *sn;
+        heim_integer i;
+        ret = hx509_cert_get_subject(ctx->id->cert, &name);
+        if (ret)
+            goto out;
+        ret = hx509_name_to_string(name, &str);
+        hx509_name_free(&name);
+        if (ret)
+            goto out;
+        ret = hx509_cert_get_serialnumber(ctx->id->cert, &i);
+        if (ret) {
+            free(str);
+            goto out;
+        }
+        ret = der_print_hex_heim_integer(&i, &sn);
+        der_free_heim_integer(&i);
+        if (ret) {
+            free(name);
+            goto out;
+        }
+        _krb5_debug(context, 2, "using cert: subject: %s sn: %s", str, sn);
+        free(str);
+        free(sn);
+    }
+ out:
+    return ret;
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_pk_load_id(krb5_context context,
                  struct krb5_pk_identity **ret_id,
-                 int flags,
                  const char *user_id,
                  const char *anchor_id,
 …
+{
     struct krb5_pk_identity *id = NULL;
-    hx509_lock lock = NULL;
     struct prompter p;
     int ret;
 …
                                N_("PKINIT: No anchor given", ""));
         return HEIM_PKINIT_NO_VALID_CA;
+    }
-    if (user_id == NULL && (flags & 4) == 0) {
-        krb5_set_error_message(context, HEIM_PKINIT_NO_PRIVATE_KEY,
-                               N_("PKINIT: No user certificate given", ""));
-        return HEIM_PKINIT_NO_PRIVATE_KEY;
+    }
 …
+    }
-    ret = hx509_context_init(&id->hx509ctx);
-    if (ret)
-        goto out;
-    ret = hx509_lock_init(id->hx509ctx, &lock);
-    if (ret) {
-        pk_copy_error(context, id->hx509ctx, ret, "Failed init lock");
-        goto out;
+    }
-    if (password && password[0])
-        hx509_lock_add_password(lock, password);
-    if (prompter) {
-        p.context = context;
-        p.prompter = prompter;
-        p.prompter_data = prompter_data;
-        ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
-        if (ret)
-            goto out;
+    }
     if (user_id) {
+        ret = hx509_certs_init(id->hx509ctx, user_id, 0, lock, &id->certs);
+        if (ret) {
+            pk_copy_error(context, id->hx509ctx, ret,
+        hx509_lock lock;
+        ret = hx509_lock_init(context->hx509ctx, &lock);
+        if (ret) {
+            pk_copy_error(context, context->hx509ctx, ret, "Failed init lock");
+            goto out;
+        }
+        if (password && password[0])
+            hx509_lock_add_password(lock, password);
+        if (prompter) {
+            p.context = context;
+            p.prompter = prompter;
+            p.prompter_data = prompter_data;
+            ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
+            if (ret) {
+                hx509_lock_free(lock);
+                goto out;
+            }
+        }
+        ret = hx509_certs_init(context->hx509ctx, user_id, 0, lock, &id->certs);
+        hx509_lock_free(lock);
+        if (ret) {
+            pk_copy_error(context, context->hx509ctx, ret,
                           "Failed to init cert certs");
             goto out;
 …
+    }
     ret = hx509_certs_init(id->hx509ctx, anchor_id, 0, NULL, &id->anchors);
     if (ret) {
         pk_copy_error(context, id->hx509ctx, ret,
+    ret = hx509_certs_init(context->hx509ctx, anchor_id, 0, NULL, &id->anchors);
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed to init anchors");
         goto out;
+    }
     ret = hx509_certs_init(id->hx509ctx, "MEMORY:pkinit-cert-chain",
+    ret = hx509_certs_init(context->hx509ctx, "MEMORY:pkinit-cert-chain",
 , NULL, &id->certpool);
     if (ret) {
         pk_copy_error(context, id->hx509ctx, ret,
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed to init chain");
         goto out;
 …
     while (chain_list && *chain_list) {
         ret = hx509_certs_append(id->hx509ctx, id->certpool,
+        ret = hx509_certs_append(context->hx509ctx, id->certpool,
                                  NULL, *chain_list);
         if (ret) {
             pk_copy_error(context, id->hx509ctx, ret,
+            pk_copy_error(context, context->hx509ctx, ret,
                           "Failed to laod chain %s",
                           *chain_list);
 …
     if (revoke_list) {
         ret = hx509_revoke_init(id->hx509ctx, &id->revokectx);
         if (ret) {
             pk_copy_error(context, id->hx509ctx, ret,
+        ret = hx509_revoke_init(context->hx509ctx, &id->revokectx);
+        if (ret) {
+            pk_copy_error(context, context->hx509ctx, ret,
                           "Failed init revoke list");
             goto out;
 …
         while (*revoke_list) {
             ret = hx509_revoke_add_crl(id->hx509ctx,
+            ret = hx509_revoke_add_crl(context->hx509ctx,
                                        id->revokectx,
                                        *revoke_list);
             if (ret) {
                 pk_copy_error(context, id->hx509ctx, ret,
+                pk_copy_error(context, context->hx509ctx, ret,
                               "Failed load revoke list");
                 goto out;
 …
+        }
     } else
         hx509_context_set_missing_revoke(id->hx509ctx, 1);
     ret = hx509_verify_init_ctx(id->hx509ctx, &id->verify_ctx);
     if (ret) {
         pk_copy_error(context, id->hx509ctx, ret,
+        hx509_context_set_missing_revoke(context->hx509ctx, 1);
+    ret = hx509_verify_init_ctx(context->hx509ctx, &id->verify_ctx);
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed init verify context");
         goto out;
 …
         hx509_certs_free(&id->certpool);
         hx509_revoke_free(&id->revokectx);
-        hx509_context_free(&id->hx509ctx);
         free(id);
     } else
         *ret_id = id;
-    if (lock)
-        hx509_lock_free(lock);
     return ret;
 …
     va_list va;
     char *s, *f;
+    int ret;
     va_start(va, fmt);
     vasprintf(&f, fmt, va);
+    ret = vasprintf(&f, fmt, va);
     va_end(va);
     if (f == NULL) {
+    if (ret == -1 || f == NULL) {
         krb5_clear_error_message(context);
         return;
 …
         file = MODULI_FILE;
+#ifdef KRB5_USE_PATH_TOKENS
+    {
+        char * exp_file;
+        if (_krb5_expand_path_tokens(context, file, &exp_file) == 0) {
+            f = fopen(exp_file, "r");
+            krb5_xfree(exp_file);
+        } else {
+            f = NULL;
+        }
+    }
+#else
     f = fopen(file, "r");
+#endif
     if (f == NULL) {
         *moduli = m;
 …
 #endif /* PKINIT */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 _krb5_get_init_creds_opt_free_pkinit(krb5_get_init_creds_opt *opt)
+{
 …
     switch (ctx->keyex) {
     case USE_DH:
+        DH_free(ctx->u.dh);
+        if (ctx->u.dh)
+            DH_free(ctx->u.dh);
         break;
     case USE_RSA:
 …
     case USE_ECDH:
 #ifdef HAVE_OPENSSL
+        EC_KEY_free(ctx->u.eckey);
+        if (ctx->u.eckey)
+            EC_KEY_free(ctx->u.eckey);
 #endif
         break;
 …
         hx509_certs_free(&ctx->id->anchors);
         hx509_certs_free(&ctx->id->certpool);
-        hx509_context_free(&ctx->id->hx509ctx);
         if (ctx->clientDHNonce) {
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_init_creds_opt_set_pkinit(krb5_context context,
                                    krb5_get_init_creds_opt *opt,
 …
+    }
+    if (flags & 4)
+        opt->opt_private->pk_init_ctx->anonymous = 1;
     ret = _krb5_pk_load_id(context,
                            &opt->opt_private->pk_init_ctx->id,
-                           flags,
                            user_id,
                            x509_anchors,
 …
     if (opt->opt_private->pk_init_ctx->id->certs) {
+        hx509_query *q = NULL;
+        hx509_cert cert = NULL;
+        hx509_context hx509ctx = opt->opt_private->pk_init_ctx->id->hx509ctx;
+        ret = hx509_query_alloc(hx509ctx, &q);
+        if (ret) {
+            pk_copy_error(context, hx509ctx, ret,
+                          "Allocate query to find signing certificate");
+            return ret;
+        }
+        hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
+        hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
+        ret = find_cert(context, opt->opt_private->pk_init_ctx->id, q, &cert);
+        hx509_query_free(hx509ctx, q);
+        if (ret)
+            return ret;
+        opt->opt_private->pk_init_ctx->id->cert = cert;
+        _krb5_pk_set_user_id(context,
+                             principal,
+                             opt->opt_private->pk_init_ctx,
+                             opt->opt_private->pk_init_ctx->id->certs);
     } else
         opt->opt_private->pk_init_ctx->id->cert = NULL;
     if ((flags & 2) == 0) {
         hx509_context hx509ctx = opt->opt_private->pk_init_ctx->id->hx509ctx;
+        hx509_context hx509ctx = context->hx509ctx;
         hx509_cert cert = opt->opt_private->pk_init_ctx->id->cert;
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pkinit_user_certs(krb5_context context,
+                                              krb5_get_init_creds_opt *opt,
+                                              struct hx509_certs_data *certs)
+{
+#ifdef PKINIT
+    if (opt->opt_private == NULL) {
+        krb5_set_error_message(context, EINVAL,
+                               N_("PKINIT: on non extendable opt", ""));
+        return EINVAL;
+    }
+    if (opt->opt_private->pk_init_ctx == NULL) {
+        krb5_set_error_message(context, EINVAL,
+                               N_("PKINIT: on pkinit context", ""));
+        return EINVAL;
+    }
+    _krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
+    return 0;
+#else
+    krb5_set_error_message(context, EINVAL,
+                           N_("no support for PKINIT compiled in", ""));
+    return EINVAL;
+#endif
+}
 #ifdef PKINIT
 …
  */
+krb5_error_code  KRB5_LIB_FUNCTION
+_krb5_pk_enterprise_cert(krb5_context context,
+                         const char *user_id,
+                         krb5_const_realm realm,
+                         krb5_principal *principal)
+KRB5_LIB_FUNCTION krb5_error_code  KRB5_LIB_CALL
+krb5_pk_enterprise_cert(krb5_context context,
+                        const char *user_id,
+                        krb5_const_realm realm,
+                        krb5_principal *principal,
+                        struct hx509_certs_data **res)
+{
 #ifdef PKINIT
     krb5_error_code ret;
-    hx509_context hx509ctx;
     hx509_certs certs, result;
     hx509_cert cert;
 …
     *principal = NULL;
+    if (res)
+        *res = NULL;
+    if (user_id == NULL)
+    if (user_id == NULL) {
+        krb5_set_error_message(context, ENOENT, "no user id");
         return ENOENT;
+    ret = hx509_context_init(&hx509ctx);
+    if (ret)
+        return ret;
+    ret = hx509_certs_init(hx509ctx, user_id, 0, NULL, &certs);
+    if (ret) {
+        pk_copy_error(context, hx509ctx, ret,
+    }
+    ret = hx509_certs_init(context->hx509ctx, user_id, 0, NULL, &certs);
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
                       "Failed to init cert certs");
+        return ret;
+    }
+    ret = hx509_query_alloc(hx509ctx, &q);
+    if (ret) {
+        goto out;
+    }
+    ret = hx509_query_alloc(context->hx509ctx, &q);
+    if (ret) {
+        krb5_set_error_message(context, ret, "out of memory");
         hx509_certs_free(&certs);
         return ret;
+        goto out;
+    }
 …
     hx509_query_match_cmp_func(q, find_ms_san, NULL);
     ret = hx509_certs_filter(hx509ctx, certs, q, &result);
     hx509_query_free(hx509ctx, q);
+    ret = hx509_certs_filter(context->hx509ctx, certs, q, &result);
+    hx509_query_free(context->hx509ctx, q);
     hx509_certs_free(&certs);
+    if (ret)
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
+                      "Failed to find PKINIT certificate");
         return ret;
+    }
     ret = hx509_get_one_cert(hx509ctx, result, &cert);
+    ret = hx509_get_one_cert(context->hx509ctx, result, &cert);
     hx509_certs_free(&result);
+    if (ret)
+        return ret;
+    ret = get_ms_san(hx509ctx, cert, &name);
+    if (ret)
+        return ret;
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
+                      "Failed to get one cert");
+        goto out;
+    }
+    ret = get_ms_san(context->hx509ctx, cert, &name);
+    if (ret) {
+        pk_copy_error(context, context->hx509ctx, ret,
+                      "Failed to get MS SAN");
+        goto out;
+    }
     ret = krb5_make_principal(context, principal, realm, name, NULL);
     free(name);
-    hx509_context_free(&hx509ctx);
     if (ret)
         return ret;
+        goto out;
     krb5_principal_set_type(context, *principal, KRB5_NT_ENTERPRISE_PRINCIPAL);
+    if (res) {
+        ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res);
+        if (ret) {
+            hx509_cert_free(cert);
+            goto out;
+        }
+        ret = hx509_certs_add(context->hx509ctx, *res, cert);
+        if (ret) {
+            hx509_certs_free(res);
+            goto out;
+        }
+    }
+ out:
+    hx509_cert_free(cert);
     return ret;
 #else

trunk/server/source4/heimdal/lib/krb5/plugin.c

-              r414
+              r745
  */
+krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_plugin_register(krb5_context context,
                      enum krb5_plugin_type type,
 …
+}
+static int
+is_valid_plugin_filename(const char * n)
+{
+    if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
+        return 0;
+#ifdef _WIN32
+    /* On Windows, we only attempt to load .dll files as plug-ins. */
+    {
+        const char * ext;
+        ext = strrchr(n, '.');
+        if (ext == NULL)
+            return 0;
+        return !stricmp(ext, ".dll");
+    }
+#endif
+    return 1;
+}
+static void
+trim_trailing_slash(char * path)
+{
+    size_t l;
+    l = strlen(path);
+    while (l > 0 && (path[l - 1] == '/'
+#ifdef BACKSLASH_PATH_DELIM
+                     || path[l - 1] == '\\'
+#endif
+               )) {
+        path[--l] = '\0';
+    }
+}
 static krb5_error_code
 load_plugins(krb5_context context)
 …
     for (di = dirs; *di != NULL; di++) {
+        d = opendir(*di);
+        char * dir = *di;
+#ifdef KRB5_USE_PATH_TOKENS
+        if (_krb5_expand_path_tokens(context, *di, &dir))
+            goto next_dir;
+#endif
+        trim_trailing_slash(dir);
+        d = opendir(dir);
         if (d == NULL)
+            continue;
+        rk_cloexec(dirfd(d));
+            goto next_dir;
+        rk_cloexec_dir(d);
         while ((entry = readdir(d)) != NULL) {
 …
             /* skip . and .. */
             if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
+            if (!is_valid_plugin_filename(n))
                 continue;
             path = NULL;
+            ret = 0;
 #ifdef __APPLE__
             { /* support loading bundles on MacOS */
                 size_t len = strlen(n);
                 if (len > 7 && strcmp(&n[len - 7],  ".bundle") == 0)
                     asprintf(&path, "%s/%s/Contents/MacOS/%.*s", *di, n, (int)(len - 7), n);
+                    ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", dir, n, (int)(len - 7), n);
+            }
 #endif
             if (path == NULL)
                 asprintf(&path, "%s/%s", *di, n);
             if (path == NULL) {
+            if (ret < 0 || path == NULL)
+                ret = asprintf(&path, "%s/%s", dir, n);
+            if (ret < 0 || path == NULL) {
                 ret = ENOMEM;
                 krb5_set_error_message(context, ret, "malloc: out of memory");
 …
+        }
         closedir(d);
+    next_dir:
+        if (dir != *di)
+            free(dir);
+    }
     if (dirs != rk_UNCONST(sysplugin_dirs))
 …
+    }
+}
+/*
+ * module - dict of {
+ *      ModuleName = [
+ *          plugin = object{
+ *              array = { ptr, ctx }
+ *          }
+ *      ]
+ * }
+ */
+static heim_dict_t modules;
+struct plugin2 {
+    heim_string_t path;
+    void *dsohandle;
+    heim_dict_t names;
+};
+static void
+plug_dealloc(void *ptr)
+{
+    struct plugin2 *p = ptr;
+    heim_release(p->path);
+    heim_release(p->names);
+    if (p->dsohandle)
+        dlclose(p->dsohandle);
+}
+void
+_krb5_load_plugins(krb5_context context, const char *name, const char **paths)
+{
+#ifdef HAVE_DLOPEN
+    heim_string_t s = heim_string_create(name);
+    heim_dict_t module;
+    struct dirent *entry;
+    krb5_error_code ret;
+    const char **di;
+    DIR *d;
+    HEIMDAL_MUTEX_lock(&plugin_mutex);
+    if (modules == NULL) {
+        modules = heim_dict_create(11);
+        if (modules == NULL) {
+            HEIMDAL_MUTEX_unlock(&plugin_mutex);
+            return;
+        }
+    }
+    module = heim_dict_copy_value(modules, s);
+    if (module == NULL) {
+        module = heim_dict_create(11);
+        if (module == NULL) {
+            HEIMDAL_MUTEX_unlock(&plugin_mutex);
+            heim_release(s);
+            return;
+        }
+        heim_dict_add_value(modules, s, module);
+    }
+    heim_release(s);
+    for (di = paths; *di != NULL; di++) {
+        d = opendir(*di);
+        if (d == NULL)
+            continue;
+        rk_cloexec_dir(d);
+        while ((entry = readdir(d)) != NULL) {
+            char *n = entry->d_name;
+            char *path = NULL;
+            heim_string_t spath;
+            struct plugin2 *p;
+            /* skip . and .. */
+            if (n[0] == '.' && (n[1] == '\0' || (n[1] == '.' && n[2] == '\0')))
+                continue;
+            ret = 0;
+#ifdef __APPLE__
+            { /* support loading bundles on MacOS */
+                size_t len = strlen(n);
+                if (len > 7 && strcmp(&n[len - 7],  ".bundle") == 0)
+                    ret = asprintf(&path, "%s/%s/Contents/MacOS/%.*s", *di, n, (int)(len - 7), n);
+            }
+#endif
+            if (ret < 0 || path == NULL)
+                ret = asprintf(&path, "%s/%s", *di, n);
+            if (ret < 0 || path == NULL)
+                continue;
+            spath = heim_string_create(n);
+            if (spath == NULL) {
+                free(path);
+                continue;
+            }
+            /* check if already cached */
+            p = heim_dict_copy_value(module, spath);
+            if (p == NULL) {
+                p = heim_alloc(sizeof(*p), "krb5-plugin", plug_dealloc);
+                if (p)
+                    p->dsohandle = dlopen(path, RTLD_LOCAL|RTLD_LAZY);
+                if (p->dsohandle) {
+                    p->path = heim_retain(spath);
+                    p->names = heim_dict_create(11);
+                    heim_dict_add_value(module, spath, p);
+                }
+            }
+            heim_release(spath);
+            heim_release(p);
+            free(path);
+        }
+        closedir(d);
+    }
+    heim_release(module);
+    HEIMDAL_MUTEX_unlock(&plugin_mutex);
+#endif /* HAVE_DLOPEN */
+}
+void
+_krb5_unload_plugins(krb5_context context, const char *name)
+{
+    HEIMDAL_MUTEX_lock(&plugin_mutex);
+    heim_release(modules);
+    modules = NULL;
+    HEIMDAL_MUTEX_unlock(&plugin_mutex);
+}
+/*
+ *
+ */
+struct common_plugin_method {
+    int                 version;
+    krb5_error_code     (*init)(krb5_context, void **);
+    void                (*fini)(void *);
+};
+struct plug {
+    void *dataptr;
+    void *ctx;
+};
+static void
+plug_free(void *ptr)
+{
+    struct plug *pl = ptr;
+    if (pl->dataptr) {
+        struct common_plugin_method *cpm = pl->dataptr;
+        cpm->fini(pl->ctx);
+    }
+}
+struct iter_ctx {
+    krb5_context context;
+    heim_string_t n;
+    const char *name;
+    int min_version;
+    heim_array_t result;
+    krb5_error_code (*func)(krb5_context, const void *, void *, void *);
+    void *userctx;
+    krb5_error_code ret;
+};
+static void
+search_modules(void *ctx, heim_object_t key, heim_object_t value)
+{
+    struct iter_ctx *s = ctx;
+    struct plugin2 *p = value;
+    struct plug *pl = heim_dict_copy_value(p->names, s->n);
+    struct common_plugin_method *cpm;
+    if (pl == NULL) {
+        if (p->dsohandle == NULL)
+            return;
+        pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
+        cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
+        if (cpm) {
+            int ret;
+            ret = cpm->init(s->context, &pl->ctx);
+            if (ret)
+                cpm = pl->dataptr = NULL;
+        }
+        heim_dict_add_value(p->names, s->n, pl);
+    } else {
+        cpm = pl->dataptr;
+    }
+    if (cpm && cpm->version >= s->min_version)
+        heim_array_append_value(s->result, pl);
+    heim_release(pl);
+}
+static void
+eval_results(heim_object_t value, void *ctx)
+{
+    struct plug *pl = value;
+    struct iter_ctx *s = ctx;
+    if (s->ret != KRB5_PLUGIN_NO_HANDLE)
+        return;
+    s->ret = s->func(s->context, pl->dataptr, pl->ctx, s->userctx);
+}
+krb5_error_code
+_krb5_plugin_run_f(krb5_context context,
+                   const char *module,
+                   const char *name,
+                   int min_version,
+                   int flags,
+                   void *userctx,
+                   krb5_error_code (*func)(krb5_context, const void *, void *, void *))
+{
+    heim_string_t m = heim_string_create(module);
+    heim_dict_t dict;
+    struct iter_ctx s;
+    HEIMDAL_MUTEX_lock(&plugin_mutex);
+    dict = heim_dict_copy_value(modules, m);
+    heim_release(m);
+    if (dict == NULL) {
+        HEIMDAL_MUTEX_unlock(&plugin_mutex);
+        return KRB5_PLUGIN_NO_HANDLE;
+    }
+    s.context = context;
+    s.name = name;
+    s.n = heim_string_create(name);
+    s.min_version = min_version;
+    s.result = heim_array_create();
+    s.func = func;
+    s.userctx = userctx;
+    heim_dict_iterate_f(dict, search_modules, &s);
+    heim_release(dict);
+    HEIMDAL_MUTEX_unlock(&plugin_mutex);
+    s.ret = KRB5_PLUGIN_NO_HANDLE;
+    heim_array_iterate_f(s.result, eval_results, &s);
+    heim_release(s.result);
+    heim_release(s.n);
+    return s.ret;
+}

trunk/server/source4/heimdal/lib/krb5/principal.c

-              r414
+              r745
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_principal(krb5_context context,
                     krb5_principal p)
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_principal_set_type(krb5_context context,
                         krb5_principal principal,
 …
+}
+int KRB5_LIB_FUNCTION
+/**
+ * Get the type of the principal
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to get the type for
+ *
+ * @return the type of principal
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_principal_get_type(krb5_context context,
                         krb5_const_principal principal)
 …
+}
+const char* KRB5_LIB_FUNCTION
+/**
+ * Get the realm of the principal
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to get the realm for
+ *
+ * @return realm of the principal, don't free or use after krb5_principal is freed
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_principal_get_realm(krb5_context context,
                          krb5_const_principal principal)
 …
+}
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_principal_get_comp_string(krb5_context context,
                                krb5_const_principal principal,
 …
  */
+unsigned int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION unsigned int KRB5_LIB_CALL
 krb5_principal_get_num_comp(krb5_context context,
                             krb5_const_principal principal)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a name into a krb5_principal structure, flags controls the behavior.
+ *
+ * @param context Kerberos 5 context
+ * @param name name to parse into a Kerberos principal
+ * @param flags flags to control the behavior
+ * @param principal returned principal, free with krb5_free_principal().
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_parse_name_flags(krb5_context context,
                       const char *name,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a name into a krb5_principal structure
+ *
+ * @param context Kerberos 5 context
+ * @param name name to parse into a Kerberos principal
+ * @param principal returned principal, free with krb5_free_principal().
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_parse_name(krb5_context context,
                 const char *name,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name to a fixed buffer
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_unparse_name_fixed(krb5_context context,
                         krb5_const_principal principal,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name to a fixed buffer. The realm is skipped
+ * if its a default realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_unparse_name_fixed_short(krb5_context context,
                               krb5_const_principal principal,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name with unparse flags to a fixed buffer.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param flags unparse flags
+ * @param name buffer to write name to
+ * @param len length of buffer
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_unparse_name_fixed_flags(krb5_context context,
                               krb5_const_principal principal,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_unparse_name(krb5_context context,
                   krb5_const_principal principal,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_unparse_name_flags(krb5_context context,
                         krb5_const_principal principal,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Unparse the principal name to a allocated buffer. The realm is
+ * skipped if its a default realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal to unparse
+ * @param name returned buffer, free with krb5_xfree()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_unparse_name_short(krb5_context context,
                         krb5_const_principal principal,
 …
+}
+#if 0 /* not implemented */
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_unparse_name_ext(krb5_context context,
+                      krb5_const_principal principal,
+                      char **name,
+                      size_t *size)
+{
     krb5_abortx(context, "unimplemented krb5_unparse_name_ext called");
+}
+#endif
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Set a new realm for a principal, and as a side-effect free the
+ * previous realm.
+ *
+ * @param context A Kerberos context.
+ * @param principal principal set the realm for
+ * @param realm the new realm to set
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_principal_set_realm(krb5_context context,
                          krb5_principal principal,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+#ifndef HEIMDAL_SMALLER
+/**
+ * Build a principal using vararg style building
+ *
+ * @param context A Kerberos context.
+ * @param principal returned principal
+ * @param rlen length of realm
+ * @param realm realm name
+ * @param ... a list of components ended with NULL.
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_build_principal(krb5_context context,
                      krb5_principal *principal,
 …
     ret = krb5_build_principal_va(context, principal, rlen, realm, ap);
     va_end(ap);
+    return ret;
+}
+#endif
+/**
+ * Build a principal using vararg style building
+ *
+ * @param context A Kerberos context.
+ * @param principal returned principal
+ * @param realm realm name
+ * @param ... a list of components ended with NULL.
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+krb5_make_principal(krb5_context context,
+                    krb5_principal *principal,
+                    krb5_const_realm realm,
+                    ...)
+{
+    krb5_error_code ret;
+    krb5_realm r = NULL;
+    va_list ap;
+    if(realm == NULL) {
+        ret = krb5_get_default_realm(context, &r);
+        if(ret)
+            return ret;
+        realm = r;
+    }
+    va_start(ap, realm);
+    ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+    va_end(ap);
+    if(r)
+        free(r);
     return ret;
+}
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_make_principal(krb5_context context,
+                    krb5_principal *principal,
+                    krb5_const_realm realm,
+                    ...)
+{
+    krb5_error_code ret;
+    krb5_realm r = NULL;
+    va_list ap;
+    if(realm == NULL) {
+        ret = krb5_get_default_realm(context, &r);
+        if(ret)
+            return ret;
+        realm = r;
+    }
+    va_start(ap, realm);
+    ret = krb5_build_principal_va(context, principal, strlen(realm), realm, ap);
+    va_end(ap);
+    if(r)
+        free(r);
+    return ret;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_build_principal_va(krb5_context context,
                         krb5_principal *principal,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_build_principal_va_ext(krb5_context context,
                             krb5_principal *principal,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_build_principal_ext(krb5_context context,
                          krb5_principal *principal,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Copy a principal
+ *
+ * @param context A Kerberos context.
+ * @param inprinc principal to copy
+ * @param outprinc copied principal, free with krb5_free_principal()
+ *
+ * @return An krb5 error code, see krb5_get_error_message().
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_principal(krb5_context context,
                     krb5_const_principal inprinc,
 …
+ *
  * @ingroup krb5_principal
+ */
+krb5_boolean KRB5_LIB_FUNCTION
+ * @see krb5_principal_compare()
+ * @see krb5_realm_compare()
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_principal_compare_any_realm(krb5_context context,
                                  krb5_const_principal princ1,
 …
+}
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 _krb5_principal_compare_PrincipalName(krb5_context context,
                                       krb5_const_principal princ1,
 …
+/**
+ * Compares the two principals, including realm of the principals and returns
+ * TRUE if they are the same and FALSE if not.
+ *
+ * @param context Kerberos 5 context
+ * @param princ1 first principal to compare
+ * @param princ2 second principal to compare
+ *
+ * @ingroup krb5_principal
+ * @see krb5_principal_compare_any_realm()
+ * @see krb5_realm_compare()
+ */
 /*
  * return TRUE iff princ1 == princ2
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_principal_compare(krb5_context context,
                        krb5_const_principal princ1,
 …
+}
 /*
+/**
  * return TRUE iff realm(princ1) == realm(princ2)
+ */
+krb5_boolean KRB5_LIB_FUNCTION
+ *
+ * @param context Kerberos 5 context
+ * @param princ1 first principal to compare
+ * @param princ2 second principal to compare
+ *
+ * @ingroup krb5_principal
+ * @see krb5_principal_compare_any_realm()
+ * @see krb5_principal_compare()
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_realm_compare(krb5_context context,
                    krb5_const_principal princ1,
 …
+}
 /*
+/**
  * return TRUE iff princ matches pattern
+ */
+krb5_boolean KRB5_LIB_FUNCTION
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_principal_match(krb5_context context,
                      krb5_const_principal princ,
 …
+}
-#if defined(KRB4) || !defined(HEIMDAL_SMALLER)
-static struct v4_name_convert {
-    const char *from;
-    const char *to;
-} default_v4_name_convert[] = {
-    { "ftp",    "ftp" },
-    { "hprop",  "hprop" },
-    { "pop",    "pop" },
-    { "imap",   "imap" },
-    { "rcmd",   "host" },
-    { "smtp",   "smtp" },
-    { NULL, NULL }
-};
-#endif
-#ifdef KRB4
-/*
- * return the converted instance name of `name' in `realm'.
- * look in the configuration file and then in the default set above.
- * return NULL if no conversion is appropriate.
- */
-static const char*
-get_name_conversion(krb5_context context, const char *realm, const char *name)
+{
-    struct v4_name_convert *q;
-    const char *p;
-    p = krb5_config_get_string(context, NULL, "realms", realm,
-                               "v4_name_convert", "host", name, NULL);
-    if(p == NULL)
-        p = krb5_config_get_string(context, NULL, "libdefaults",
-                                   "v4_name_convert", "host", name, NULL);
-    if(p)
-        return p;
-    /* XXX should be possible to override default list */
-    p = krb5_config_get_string(context, NULL,
-                               "realms",
-                               realm,
-                               "v4_name_convert",
-                               "plain",
-                               name,
-                               NULL);
-    if(p)
-        return NULL;
-    p = krb5_config_get_string(context, NULL,
-                               "libdefaults",
-                               "v4_name_convert",
-                               "plain",
-                               name,
-                               NULL);
-    if(p)
-        return NULL;
-    for(q = default_v4_name_convert; q->from; q++)
-        if(strcmp(q->from, name) == 0)
-            return q->to;
-    return NULL;
+}
-/*
- * convert the v4 principal `name.instance@realm' to a v5 principal in `princ'.
- * if `resolve', use DNS.
- * if `func', use that function for validating the conversion
- */
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_425_conv_principal_ext2(krb5_context context,
-                             const char *name,
-                             const char *instance,
-                             const char *realm,
-                             krb5_boolean (*func)(krb5_context,
-                                                  void *, krb5_principal),
-                             void *funcctx,
-                             krb5_boolean resolve,
-                             krb5_principal *princ)
+{
-    const char *p;
-    krb5_error_code ret;
-    krb5_principal pr;
-    char host[MAXHOSTNAMELEN];
-    char local_hostname[MAXHOSTNAMELEN];
-    /* do the following: if the name is found in the
-       `v4_name_convert:host' part, is assumed to be a `host' type
-       principal, and the instance is looked up in the
-       `v4_instance_convert' part. if not found there the name is
-       (optionally) looked up as a hostname, and if that doesn't yield
-       anything, the `default_domain' is appended to the instance
-       */
-    if(instance == NULL)
-        goto no_host;
-    if(instance[0] == 0){
-        instance = NULL;
-        goto no_host;
+    }
-    p = get_name_conversion(context, realm, name);
-    if(p == NULL)
-        goto no_host;
-    name = p;
-    p = krb5_config_get_string(context, NULL, "realms", realm,
-                               "v4_instance_convert", instance, NULL);
-    if(p){
-        instance = p;
-        ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
-        if (ret)
-            return ret;
-        if(func == NULL || (*func)(context, funcctx, pr)){
-            *princ = pr;
-            return 0;
+        }
-        krb5_free_principal(context, pr);
-        *princ = NULL;
-        krb5_clear_error_message (context);
-        return HEIM_ERR_V4_PRINC_NO_CONV;
+    }
-    if(resolve){
-        krb5_boolean passed = FALSE;
-        char *inst = NULL;
-#ifdef USE_RESOLVER
-        struct rk_dns_reply *r;
-        r = rk_dns_lookup(instance, "aaaa");
-        if (r) {
-            if (r->head && r->head->type == rk_ns_t_aaaa) {
-                inst = strdup(r->head->domain);
-                passed = TRUE;
+            }
-            rk_dns_free_data(r);
-        } else {
-            r = rk_dns_lookup(instance, "a");
-            if (r) {
-                if(r->head && r->head->type == rk_ns_t_a) {
-                    inst = strdup(r->head->domain);
-                    passed = TRUE;
+                }
-                rk_dns_free_data(r);
+            }
+        }
-#else
-        struct addrinfo hints, *ai;
-        memset (&hints, 0, sizeof(hints));
-        hints.ai_flags = AI_CANONNAME;
-        ret = getaddrinfo(instance, NULL, &hints, &ai);
-        if (ret == 0) {
-            const struct addrinfo *a;
-            for (a = ai; a != NULL; a = a->ai_next) {
-                if (a->ai_canonname != NULL) {
-                    inst = strdup (a->ai_canonname);
-                    passed = TRUE;
-                    break;
+                }
+            }
-            freeaddrinfo (ai);
+        }
-#endif
-        if (passed) {
-            if (inst == NULL) {
-                krb5_set_error_message(context, ENOMEM,
-                                       N_("malloc: out of memory", ""));
-                return ENOMEM;
+            }
-            strlwr(inst);
-            ret = krb5_make_principal(context, &pr, realm, name, inst,
-                                      NULL);
-            free (inst);
-            if(ret == 0) {
-                if(func == NULL || (*func)(context, funcctx, pr)){
-                    *princ = pr;
-                    return 0;
+                }
-                krb5_free_principal(context, pr);
+            }
+        }
+    }
-    if(func != NULL) {
-        snprintf(host, sizeof(host), "%s.%s", instance, realm);
-        strlwr(host);
-        ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
-        if (ret)
-            return ret;
-        if((*func)(context, funcctx, pr)){
-            *princ = pr;
-            return 0;
+        }
-        krb5_free_principal(context, pr);
+    }
-    /*
-     * if the instance is the first component of the local hostname,
-     * the converted host should be the long hostname.
-     */
-    if (func == NULL &&
-        gethostname (local_hostname, sizeof(local_hostname)) == 0 &&
-        strncmp(instance, local_hostname, strlen(instance)) == 0 &&
-        local_hostname[strlen(instance)] == '.') {
-        strlcpy(host, local_hostname, sizeof(host));
-        goto local_host;
+    }
+    {
-        char **domains, **d;
-        domains = krb5_config_get_strings(context, NULL, "realms", realm,
-                                          "v4_domains", NULL);
-        for(d = domains; d && *d; d++){
-            snprintf(host, sizeof(host), "%s.%s", instance, *d);
-            ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
-            if (ret) {
-                krb5_config_free_strings(domains);
-                return ret;
+            }
-            if(func == NULL || (*func)(context, funcctx, pr)){
-                *princ = pr;
-                krb5_config_free_strings(domains);
-                return 0;
+            }
-            krb5_free_principal(context, pr);
+        }
-        krb5_config_free_strings(domains);
+    }
-    p = krb5_config_get_string(context, NULL, "realms", realm,
-                               "default_domain", NULL);
-    if(p == NULL){
-        /* this should be an error, just faking a name is not good */
-        krb5_clear_error_message (context);
-        return HEIM_ERR_V4_PRINC_NO_CONV;
+    }
-    if (*p == '.')
-        ++p;
-    snprintf(host, sizeof(host), "%s.%s", instance, p);
-local_host:
-    ret = krb5_make_principal(context, &pr, realm, name, host, NULL);
-    if (ret)
-        return ret;
-    if(func == NULL || (*func)(context, funcctx, pr)){
-        *princ = pr;
-        return 0;
+    }
-    krb5_free_principal(context, pr);
-    krb5_clear_error_message (context);
-    return HEIM_ERR_V4_PRINC_NO_CONV;
-no_host:
-    p = krb5_config_get_string(context, NULL,
-                               "realms",
-                               realm,
-                               "v4_name_convert",
-                               "plain",
-                               name,
-                               NULL);
-    if(p == NULL)
-        p = krb5_config_get_string(context, NULL,
-                                   "libdefaults",
-                                   "v4_name_convert",
-                                   "plain",
-                                   name,
-                                   NULL);
-    if(p)
-        name = p;
-    ret = krb5_make_principal(context, &pr, realm, name, instance, NULL);
-    if (ret)
-        return ret;
-    if(func == NULL || (*func)(context, funcctx, pr)){
-        *princ = pr;
-        return 0;
+    }
-    krb5_free_principal(context, pr);
-    krb5_clear_error_message (context);
-    return HEIM_ERR_V4_PRINC_NO_CONV;
+}
-#endif /* KRB4 */
-#ifndef HEIMDAL_SMALLER
-static int
-check_list(const krb5_config_binding *l, const char *name, const char **out)
+{
-    while(l){
-        if (l->type != krb5_config_string)
-            continue;
-        if(strcmp(name, l->u.string) == 0) {
-            *out = l->name;
-            return 1;
+        }
-        l = l->next;
+    }
-    return 0;
+}
-static int
-name_convert(krb5_context context, const char *name, const char *realm,
-             const char **out)
+{
-    const krb5_config_binding *l;
-    l = krb5_config_get_list (context,
-                              NULL,
-                              "realms",
-                              realm,
-                              "v4_name_convert",
-                              "host",
-                              NULL);
-    if(l && check_list(l, name, out))
-        return KRB5_NT_SRV_HST;
-    l = krb5_config_get_list (context,
-                              NULL,
-                              "libdefaults",
-                              "v4_name_convert",
-                              "host",
-                              NULL);
-    if(l && check_list(l, name, out))
-        return KRB5_NT_SRV_HST;
-    l = krb5_config_get_list (context,
-                              NULL,
-                              "realms",
-                              realm,
-                              "v4_name_convert",
-                              "plain",
-                              NULL);
-    if(l && check_list(l, name, out))
-        return KRB5_NT_UNKNOWN;
-    l = krb5_config_get_list (context,
-                              NULL,
-                              "libdefaults",
-                              "v4_name_convert",
-                              "host",
-                              NULL);
-    if(l && check_list(l, name, out))
-        return KRB5_NT_UNKNOWN;
-    /* didn't find it in config file, try built-in list */
-#ifdef KRB4
+    {
-        struct v4_name_convert *q;
-        for(q = default_v4_name_convert; q->from; q++) {
-            if(strcmp(name, q->to) == 0) {
-                *out = q->from;
-                return KRB5_NT_SRV_HST;
+            }
+        }
+    }
-#endif
-    return -1;
+}
-/*
- * convert the v5 principal in `principal' into a v4 corresponding one
- * in `name, instance, realm'
- * this is limited interface since there's no length given for these
- * three parameters.  They have to be 40 bytes each (ANAME_SZ).
- */
-krb5_error_code KRB5_LIB_FUNCTION
-krb5_524_conv_principal(krb5_context context,
-                        const krb5_principal principal,
-                        char *name,
-                        char *instance,
-                        char *realm)
+{
-    const char *n, *i, *r;
-    char tmpinst[40];
-    int type = princ_type(principal);
-    const int aname_sz = 40;
-    r = principal->realm;
-    switch(principal->name.name_string.len){
-    case 1:
-        n = principal->name.name_string.val[0];
-        i = "";
-        break;
-    case 2:
-        n = principal->name.name_string.val[0];
-        i = principal->name.name_string.val[1];
-        break;
-    default:
-        krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
-                               N_("cannot convert a %d "
-                                  "component principal", ""),
-                               principal->name.name_string.len);
-        return KRB5_PARSE_MALFORMED;
+    }
+    {
-        const char *tmp;
-        int t = name_convert(context, n, r, &tmp);
-        if(t >= 0) {
-            type = t;
-            n = tmp;
+        }
+    }
-    if(type == KRB5_NT_SRV_HST){
-        char *p;
-        strlcpy (tmpinst, i, sizeof(tmpinst));
-        p = strchr(tmpinst, '.');
-        if(p)
-            *p = 0;
-        i = tmpinst;
+    }
-    if (strlcpy (name, n, aname_sz) >= aname_sz) {
-        krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
-                               N_("too long name component to convert", ""));
-        return KRB5_PARSE_MALFORMED;
+    }
-    if (strlcpy (instance, i, aname_sz) >= aname_sz) {
-        krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
-                               N_("too long instance component to convert", ""));
-        return KRB5_PARSE_MALFORMED;
+    }
-    if (strlcpy (realm, r, aname_sz) >= aname_sz) {
-        krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
-                               N_("too long realm component to convert", ""));
-        return KRB5_PARSE_MALFORMED;
+    }
-    return 0;
+}
-#endif /* !HEIMDAL_SMALLER */
 /**
  * Create a principal for the service running on hostname. If
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sname_to_principal (krb5_context context,
                          const char *hostname,
 …
 };
+krb5_error_code
+/**
+ * Parse nametype string and return a nametype integer
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_parse_nametype(krb5_context context, const char *str, int32_t *nametype)
+{
 …
     return KRB5_PARSE_MALFORMED;
+}
+/**
+ * Check if the cname part of the principal is a krbtgt principal
+ *
+ * @ingroup krb5_principal
+ */
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principal_is_krbtgt(krb5_context context, krb5_const_principal p)
+{
+    return p->name.name_string.len == 2 &&
+        strcmp(p->name.name_string.val[0], KRB5_TGS_NAME) == 0;
+}

trunk/server/source4/heimdal/lib/krb5/prog_setup.c

-              r414
+              r745
 #include <err.h>
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_std_usage(int code, struct getargs *args, int num_args)
+{
 …
+}
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_program_setup(krb5_context *context, int argc, char **argv,
                    struct getargs *args, int num_args,
                    void (*usage)(int, struct getargs*, int))
+                   void (KRB5_LIB_CALL *usage)(int, struct getargs*, int))
+{
     krb5_error_code ret;

trunk/server/source4/heimdal/lib/krb5/prompter_posix.c

r414	r745
34	34	#include "krb5_locl.h"
35	35
36		int KRB5_LIB_FUNCTION
	36	KRB5_LIB_FUNCTION int KRB5_CALLCONV
37	37	krb5_prompter_posix (krb5_context context,
38	38	void *data,

trunk/server/source4/heimdal/lib/krb5/rd_cred.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 static krb5_error_code
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_cred(krb5_context context,
              krb5_auth_context auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_cred2 (krb5_context      context,
                krb5_auth_context auth_context,

trunk/server/source4/heimdal/lib/krb5/rd_error.c

-              r414
+              r745
 #include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_error(krb5_context context,
               const krb5_data *msg,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_error_contents (krb5_context context,
                           krb5_error *error)
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_error (krb5_context context,
                  krb5_error *error)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_error_from_rd_error(krb5_context context,
                          const krb5_error *error,

trunk/server/source4/heimdal/lib/krb5/rd_priv.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_priv(krb5_context context,
              krb5_auth_context auth_context,

trunk/server/source4/heimdal/lib/krb5/rd_rep.c

-              r414
+              r745
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_rep(krb5_context context,
             krb5_auth_context auth_context,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_free_ap_rep_enc_part (krb5_context context,
                            krb5_ap_rep_enc_part *val)

trunk/server/source4/heimdal/lib/krb5/rd_req.c

-              r414
+              r745
 /*
  * Copyright (c) 1997 - 2007 Kungliga Tekniska HÃ¶gskolan
 …
  */
 #include <krb5_locl.h>
+#include "krb5_locl.h"
 static krb5_error_code
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decode_ap_req(krb5_context context,
                    const krb5_data *inbuf,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_decrypt_ticket(krb5_context context,
                     Ticket *ticket,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verify_authenticator_checksum(krb5_context context,
                                    krb5_auth_context ac,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verify_ap_req(krb5_context context,
                    krb5_auth_context *auth_context,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verify_ap_req2(krb5_context context,
                     krb5_auth_context *auth_context,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_in_ctx_alloc(krb5_context context, krb5_rd_req_in_ctx *ctx)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_in_set_keytab(krb5_context context,
                           krb5_rd_req_in_ctx in,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_in_set_pac_check(krb5_context context,
                              krb5_rd_req_in_ctx in,
 …
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_in_set_keyblock(krb5_context context,
                             krb5_rd_req_in_ctx in,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_out_get_ap_req_options(krb5_context context,
                                    krb5_rd_req_out_ctx out,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_out_get_ticket(krb5_context context,
                             krb5_rd_req_out_ctx out,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_out_get_keyblock(krb5_context context,
                             krb5_rd_req_out_ctx out,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_out_get_server(krb5_context context,
                             krb5_rd_req_out_ctx out,
 …
+}
+void  KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_rd_req_in_ctx_free(krb5_context context, krb5_rd_req_in_ctx ctx)
+{
 …
  */
+void  KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_rd_req_out_ctx_free(krb5_context context, krb5_rd_req_out_ctx ctx)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req(krb5_context context,
             krb5_auth_context *auth_context,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_with_keyblock(krb5_context context,
                           krb5_auth_context *auth_context,
 …
+ *
  * @param server the server with authenticate as, if NULL the function
  *        will try to find any avaiable credentintial in the keytab
+ *        will try to find any available credential in the keytab
  *        that will verify the reply. The function will prefer the
  *        server the server client specified in the AP-REQ, but if
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rd_req_ctx(krb5_context context,
                 krb5_auth_context *auth_context,
 …
         if (ret) {
             /* If caller specified a server, fail. */
             if (service == NULL)
+            if (service == NULL && (context->flags & KRB5_CTX_F_RD_REQ_IGNORE) == 0)
                 goto out;
             /* Otherwise, fall back to iterating over the keytab. This

trunk/server/source4/heimdal/lib/krb5/replay.c

-              r414
+              r745
 };
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_resolve(krb5_context context,
                 krb5_rcache id,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_resolve_type(krb5_context context,
                      krb5_rcache *id,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_resolve_full(krb5_context context,
                      krb5_rcache *id,
 …
+}
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_rc_default_name(krb5_context context)
+{
 …
+}
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_rc_default_type(krb5_context context)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_default(krb5_context context,
                 krb5_rcache *id)
 …
 };
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_initialize(krb5_context context,
                    krb5_rcache id,
 …
     if(f == NULL) {
+        char buf[128];
         ret = errno;
         krb5_set_error_message(context, ret, "open(%s): %s", id->name,
                                strerror(ret));
+        rk_strerror_r(ret, buf, sizeof(buf));
+        krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
         return ret;
+    }
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_recover(krb5_context context,
                 krb5_rcache id)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_destroy(krb5_context context,
                 krb5_rcache id)
 …
     if(remove(id->name) < 0) {
+        char buf[128];
         ret = errno;
         krb5_set_error_message(context, ret, "remove(%s): %s", id->name,
                                strerror(ret));
+        rk_strerror_r(ret, buf, sizeof(buf));
+        krb5_set_error_message(context, ret, "remove(%s): %s", id->name, buf);
         return ret;
+    }
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_close(krb5_context context,
               krb5_rcache id)
 …
 checksum_authenticator(Authenticator *auth, void *data)
+{
+    MD5_CTX md5;
+    int i;
+    MD5_Init (&md5);
+    MD5_Update (&md5, auth->crealm, strlen(auth->crealm));
+    EVP_MD_CTX *m = EVP_MD_CTX_create();
+    unsigned i;
+    EVP_DigestInit_ex(m, EVP_md5(), NULL);
+    EVP_DigestUpdate(m, auth->crealm, strlen(auth->crealm));
     for(i = 0; i < auth->cname.name_string.len; i++)
         MD5_Update(&md5, auth->cname.name_string.val[i],
+        EVP_DigestUpdate(m, auth->cname.name_string.val[i],
                    strlen(auth->cname.name_string.val[i]));
+    MD5_Update (&md5, &auth->ctime, sizeof(auth->ctime));
+    MD5_Update (&md5, &auth->cusec, sizeof(auth->cusec));
+    MD5_Final (data, &md5);
+}
+krb5_error_code KRB5_LIB_FUNCTION
+    EVP_DigestUpdate(m, &auth->ctime, sizeof(auth->ctime));
+    EVP_DigestUpdate(m, &auth->cusec, sizeof(auth->cusec));
+    EVP_DigestFinal_ex(m, data, NULL);
+    EVP_MD_CTX_destroy(m);
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_store(krb5_context context,
               krb5_rcache id,
 …
     f = fopen(id->name, "r");
     if(f == NULL) {
+        char buf[128];
         ret = errno;
         krb5_set_error_message(context, ret, "open(%s): %s", id->name,
                                strerror(ret));
+        rk_strerror_r(ret, buf, sizeof(buf));
+        krb5_set_error_message(context, ret, "open(%s): %s", id->name, buf);
         return ret;
+    }
 …
+    }
     if(ferror(f)){
+        char buf[128];
         ret = errno;
         fclose(f);
+        rk_strerror_r(ret, buf, sizeof(buf));
         krb5_set_error_message(context, ret, "%s: %s",
                                id->name, strerror(ret));
+                               id->name, buf);
         return ret;
+    }
 …
     f = fopen(id->name, "a");
     if(f == NULL) {
+        char buf[128];
+        rk_strerror_r(errno, buf, sizeof(buf));
         krb5_set_error_message(context, KRB5_RC_IO_UNKNOWN,
+                               "open(%s): %s", id->name,
+                               strerror(errno));
+                               "open(%s): %s", id->name, buf);
         return KRB5_RC_IO_UNKNOWN;
+    }
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_expunge(krb5_context context,
                 krb5_rcache id)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_rc_get_lifespan(krb5_context context,
                      krb5_rcache id,
 …
+}
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_rc_get_name(krb5_context context,
                  krb5_rcache id)
 …
+}
+const char* KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
 krb5_rc_get_type(krb5_context context,
                  krb5_rcache id)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_get_server_rcache(krb5_context context,
                        const krb5_data *piece,
 …
     strvisx(tmp, piece->data, piece->length, VIS_WHITE | VIS_OCTAL);
 #ifdef HAVE_GETEUID
     asprintf(&name, "FILE:rc_%s_%u", tmp, (unsigned)geteuid());
+    ret = asprintf(&name, "FILE:rc_%s_%u", tmp, (unsigned)geteuid());
 #else
     asprintf(&name, "FILE:rc_%s", tmp);
+    ret = asprintf(&name, "FILE:rc_%s", tmp);
 #endif
     free(tmp);
     if(name == NULL) {
+    if(ret < 0 || name == NULL) {
         krb5_set_error_message(context, ENOMEM,
                                N_("malloc: out of memory", ""));

trunk/server/source4/heimdal/lib/krb5/send_to_kdc.c

-              r414
+              r745
 static int
 recv_loop (int fd,
+recv_loop (krb5_socket_t fd,
            time_t tmout,
            int udp,
 …
      int nbytes;
+#ifndef NO_LIMIT_FD_SETSIZE
      if (fd >= FD_SETSIZE) {
          return -1;
+     }
+#endif
      krb5_data_zero(rep);
 …
              void *tmp;
              if (ioctl (fd, FIONREAD, &nbytes) < 0) {
+             if (rk_SOCK_IOCTL (fd, FIONREAD, &nbytes) < 0) {
                  krb5_data_free (rep);
                  return -1;
 …
 static int
 send_and_recv_udp(int fd,
+send_and_recv_udp(krb5_socket_t fd,
                   time_t tmout,
                   const krb5_data *req,
 …
 static int
 send_and_recv_tcp(int fd,
+send_and_recv_tcp(krb5_socket_t fd,
                   time_t tmout,
                   const krb5_data *req,
 …
     _krb5_put_int(len, req->length, 4);
     if(net_write(fd, len, sizeof(len)) < 0)
         return -1;
     if(net_write(fd, req->data, req->length) < 0)
+    if(net_write (fd, len, sizeof(len)) < 0)
+        return -1;
+    if(net_write (fd, req->data, req->length) < 0)
         return -1;
     if (recv_loop (fd, tmout, 0, 4, &len_data) < 0)
 …
 int
 _krb5_send_and_recv_tcp(int fd,
+_krb5_send_and_recv_tcp(krb5_socket_t fd,
                         time_t tmout,
                         const krb5_data *req,
 …
 static int
 send_and_recv_http(int fd,
+send_and_recv_http(krb5_socket_t fd,
                    time_t tmout,
                    const char *prefix,
 …
                    krb5_data *rep)
+{
     char *request;
+    char *request = NULL;
     char *str;
     int ret;
 …
     if(len < 0)
         return -1;
     asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str);
+    ret = asprintf(&request, "GET %s%s HTTP/1.0\r\n\r\n", prefix, str);
     free(str);
     if (request == NULL)
+    if (ret < 0 || request == NULL)
         return -1;
     ret = net_write (fd, request, strlen(request));
 …
     char *proxy2 = strdup(context->http_proxy);
     char *proxy  = proxy2;
     char *prefix;
+    char *prefix = NULL;
     char *colon;
     struct addrinfo hints;
     struct addrinfo *ai, *a;
     int ret;
     int s = -1;
+    krb5_socket_t s = rk_INVALID_SOCKET;
     char portstr[NI_MAXSERV];
 …
     for (a = ai; a != NULL; a = a->ai_next) {
         s = socket (a->ai_family, a->ai_socktype, a->ai_protocol | SOCK_CLOEXEC);
+        s = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
         if (s < 0)
             continue;
         rk_cloexec(s);
         if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
             close (s);
+            rk_closesocket (s);
             continue;
+        }
 …
     freeaddrinfo (ai);
     asprintf(&prefix, "http://%s/", hi->hostname);
     if(prefix == NULL) {
+    ret = asprintf(&prefix, "http://%s/", hi->hostname);
+    if(ret < 0 || prefix == NULL) {
         close(s);
         return 1;
 …
     ret = send_and_recv_http(s, context->kdc_timeout,
                              prefix, send_data, receive);
     close (s);
+    rk_closesocket (s);
     free(prefix);
     if(ret == 0 && receive->length != 0)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sendto (krb5_context context,
              const krb5_data *send_data,
 …
+{
      krb5_error_code ret;
      int fd;
+     krb5_socket_t fd;
      int i;
 …
          while (krb5_krbhst_next(context, handle, &hi) == 0) {
              struct addrinfo *ai, *a;
+             _krb5_debug(context, 2,
+                         "trying to communicate with host %s in realm %s",
+                         hi->hostname, _krb5_krbhst_get_realm(handle));
              if (context->send_to_kdc) {
 …
              for (a = ai; a != NULL; a = a->ai_next) {
                  fd = socket (a->ai_family, a->ai_socktype | SOCK_CLOEXEC, a->ai_protocol);
                  if (fd < 0)
+                 if (rk_IS_BAD_SOCKET(fd))
                      continue;
                  rk_cloexec(fd);
                  if (connect (fd, a->ai_addr, a->ai_addrlen) < 0) {
                      close (fd);
+                     rk_closesocket (fd);
                      continue;
+                 }
 …
                      break;
+                 }
                  close (fd);
+                 rk_closesocket (fd);
                  if(ret == 0 && receive->length != 0)
                      goto out;
 …
      ret = KRB5_KDC_UNREACH;
 out:
+     _krb5_debug(context, 2,
+                 "result of trying to talk to realm %s = %d",
+                 _krb5_krbhst_get_realm(handle), ret);
      return ret;
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sendto_kdc(krb5_context context,
                 const krb5_data *send_data,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sendto_kdc_flags(krb5_context context,
                       const krb5_data *send_data,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_send_to_kdc_func(krb5_context context,
                           krb5_send_to_kdc_func func,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 _krb5_copy_send_to_kdc_func(krb5_context context, krb5_context to)
+{
 …
 };
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sendto_ctx_alloc(krb5_context context, krb5_sendto_ctx *ctx)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_sendto_ctx_add_flags(krb5_sendto_ctx ctx, int flags)
+{
 …
+}
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_sendto_ctx_get_flags(krb5_sendto_ctx ctx)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_sendto_ctx_set_type(krb5_sendto_ctx ctx, int type)
+{
 …
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_sendto_ctx_set_func(krb5_sendto_ctx ctx,
                          krb5_sendto_ctx_func func,
 …
+}
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_sendto_ctx_free(krb5_context context, krb5_sendto_ctx ctx)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_sendto_context(krb5_context context,
                     krb5_sendto_ctx ctx,
 …
+}
 krb5_error_code
+krb5_error_code KRB5_CALLCONV
 _krb5_kdc_retry(krb5_context context, krb5_sendto_ctx ctx, void *data,
                 const krb5_data *reply, int *action)

trunk/server/source4/heimdal/lib/krb5/set_default_realm.c

r414	r745
66	66	*/
67	67
68		krb5_error_code KRB5_LIB_FUNCTION
	68	KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
69	69	krb5_set_default_realm(krb5_context context,
70	70	const char *realm)

trunk/server/source4/heimdal/lib/krb5/store.c

-              r414
+              r745
                                krb5_storage_is_flags((SP), KRB5_STORAGE_HOST_BYTEORDER))
+void KRB5_LIB_FUNCTION
+/**
+ * Add the flags on a storage buffer by or-ing in the flags to the buffer.
+ *
+ * @param sp the storage buffer to set the flags on
+ * @param flags the flags to set
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_storage_set_flags(krb5_storage *sp, krb5_flags flags)
+{
 …
+}
+void KRB5_LIB_FUNCTION
+/**
+ * Clear the flags on a storage buffer
+ *
+ * @param sp the storage buffer to clear the flags on
+ * @param flags the flags to clear
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_storage_clear_flags(krb5_storage *sp, krb5_flags flags)
+{
 …
  */
+krb5_boolean KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_storage_is_flags(krb5_storage *sp, krb5_flags flags)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_storage_set_byteorder(krb5_storage *sp, krb5_flags byteorder)
+{
 …
  */
+krb5_flags KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_flags KRB5_LIB_CALL
 krb5_storage_get_byteorder(krb5_storage *sp)
+{
 …
  */
+off_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION off_t KRB5_LIB_CALL
 krb5_storage_seek(krb5_storage *sp, off_t offset, int whence)
+{
 …
  */
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_storage_truncate(krb5_storage *sp, off_t offset)
+{
 …
  */
+krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
 krb5_storage_read(krb5_storage *sp, void *buf, size_t len)
+{
 …
  */
+krb5_ssize_t KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
 krb5_storage_write(krb5_storage *sp, const void *buf, size_t len)
+{
 …
  */
+void KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
 krb5_storage_set_eof_code(krb5_storage *sp, int code)
+{
 …
  */
+int KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION int KRB5_LIB_CALL
 krb5_storage_get_eof_code(krb5_storage *sp)
+{
 …
+}
-krb5_ssize_t KRB5_LIB_FUNCTION
-_krb5_put_int(void *buffer, unsigned long value, size_t size)
+{
-    unsigned char *p = buffer;
-    int i;
-    for (i = size - 1; i >= 0; i--) {
-        p[i] = value & 0xff;
-        value >>= 8;
+    }
-    return size;
+}
-krb5_ssize_t KRB5_LIB_FUNCTION
-_krb5_get_int(void *buffer, unsigned long *value, size_t size)
+{
-    unsigned char *p = buffer;
-    unsigned long v = 0;
-    int i;
-    for (i = 0; i < size; i++)
-        v = (v << 8) + p[i];
-    *value = v;
-    return size;
+}
 /**
  * Free a krb5 storage.
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_storage_free(krb5_storage *sp)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_int32(krb5_storage *sp,
                  int32_t value)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_uint32(krb5_storage *sp,
                   uint32_t value)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int32 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_int32(krb5_storage *sp,
                int32_t *value)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a uint32 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_uint32(krb5_storage *sp,
                 uint32_t *value)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_int16(krb5_storage *sp,
                  int16_t value)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_uint16(krb5_storage *sp,
                   uint16_t value)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int16 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_int16(krb5_storage *sp,
                int16_t *value)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int16 from storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_uint16(krb5_storage *sp,
                 uint16_t *value)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_int8(krb5_storage *sp,
                 int8_t value)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_uint8(krb5_storage *sp,
                  uint8_t value)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a int8 from storage
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_int8(krb5_storage *sp,
               int8_t *value)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a uint8 from storage
+ *
+ * @param sp the storage to write too
+ * @param value the value read from the buffer
+ *
+ * @return 0 for success, or a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_uint8(krb5_storage *sp,
                uint8_t *value)
 …
 /**
+ * Store a data to the storage.
+ * Store a data to the storage. The data is stored with an int32 as
+ * lenght plus the data (not padded).
+ *
  * @param sp the storage buffer to write to
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_data(krb5_storage *sp,
                 krb5_data data)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_data(krb5_storage *sp,
               krb5_data *data)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a string to the buffer. The data is formated as an len:uint32
+ * plus the string itself (not padded).
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_string(krb5_storage *sp, const char *s)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse a string from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param string the parsed string
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_string(krb5_storage *sp,
                 char **string)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Store a zero terminated string to the buffer. The data is stored
+ * one character at a time until a NUL is stored.
+ *
+ * @param sp the storage buffer to write to
+ * @param s the string to store.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_stringz(krb5_storage *sp, const char *s)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse zero terminated string from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param string the parsed string
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_stringz(krb5_storage *sp,
                 char **string)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_stringnl(krb5_storage *sp, const char *s)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_stringnl(krb5_storage *sp,
                   char **string)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a principal block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the principal block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_principal(krb5_storage *sp,
                      krb5_const_principal p)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Parse principal from the storage.
+ *
+ * @param sp the storage buffer to read from
+ * @param princ the parsed principal
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_principal(krb5_storage *sp,
                    krb5_principal *princ)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_keyblock(krb5_storage *sp, krb5_keyblock p)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_keyblock(krb5_storage *sp, krb5_keyblock *p)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_times(krb5_storage *sp, krb5_times times)
+{
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_times(krb5_storage *sp, krb5_times *times)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a address block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the address block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_address(krb5_storage *sp, krb5_address p)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a address block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param adr the address block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_address(krb5_storage *sp, krb5_address *adr)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a addresses block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param p the addresses block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a addresses block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param adr the addresses block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a auth data block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param auth the auth data block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a auth data from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param auth the auth data block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth)
+{
 …
+}
+/*
+ *
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a credentials block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the creds block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_creds(krb5_storage *sp, krb5_creds *creds)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a credentials block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the credentials block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_creds(krb5_storage *sp, krb5_creds *creds)
+{
 …
 #define SC_ADDRESSES                0x0040
+/*
+ *
+ */
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Write a tagged credentials block to storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the creds block to write.
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_store_creds_tag(krb5_storage *sp, krb5_creds *creds)
+{
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Read a tagged credentials block from the storage.
+ *
+ * @param sp the storage buffer to write to
+ * @param creds the credentials block read from storage
+ *
+ * @return 0 on success, a Kerberos 5 error code on failure.
+ *
+ * @ingroup krb5_storage
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ret_creds_tag(krb5_storage *sp,
                    krb5_creds *creds)

trunk/server/source4/heimdal/lib/krb5/store_emem.c

r414	r745
159	159	*/
160	160
161		krb5_storage * KRB5_LIB_FUNCTION
	161	KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
162	162	krb5_storage_emem(void)
163	163	{

trunk/server/source4/heimdal/lib/krb5/store_fd.c

-              r414
+              r745
  */
+krb5_storage * KRB5_LIB_FUNCTION
 krb5_storage_from_fd(int fd)
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
+krb5_storage_from_fd(krb5_socket_t fd_in)
+{
     krb5_storage *sp;
+    int fd;
+    fd = dup(fd);
+#ifdef SOCKET_IS_NOT_AN_FD
+#ifdef _MSC_VER
+    if (_get_osfhandle(fd_in) != -1) {
+        fd = dup(fd_in);
+    } else {
+        fd = _open_osfhandle(fd_in, 0);
+    }
+#else
+#error Dont know how to deal with fd that may or may not be a socket.
+#endif
+#else  /* SOCKET_IS_NOT_AN_FD */
+    fd = dup(fd_in);
+#endif
     if (fd < 0)
         return NULL;

trunk/server/source4/heimdal/lib/krb5/store_mem.c

-              r414
+              r745
 /**
+ *
+ * Create a fixed size memory storage block
+ *
  * @return A krb5_storage on success, or NULL on out of memory error.
 …
  */
+krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
 krb5_storage_from_mem(void *buf, size_t len)
+{
 …
 /**
+ *
+ * Create a fixed size memory storage block
+ *
  * @return A krb5_storage on success, or NULL on out of memory error.
 …
  */
+krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
 krb5_storage_from_data(krb5_data *data)
+{
 …
 /**
+ *
+ * Create a fixed size memory storage block that is read only
+ *
  * @return A krb5_storage on success, or NULL on out of memory error.
 …
  */
+krb5_storage * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_storage * KRB5_LIB_CALL
 krb5_storage_from_readonly_mem(const void *buf, size_t len)
+{

trunk/server/source4/heimdal/lib/krb5/ticket.c

-              r414
+              r745
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
+ *
+ * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
 …
 #include "krb5_locl.h"
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Free ticket and content
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to free
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_free_ticket(krb5_context context,
                  krb5_ticket *ticket)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Copy ticket and content
+ *
+ * @param context a Kerberos 5 context
+ * @param from ticket to copy
+ * @param to new copy of ticket, free with krb5_free_ticket()
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_copy_ticket(krb5_context context,
                  const krb5_ticket *from,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return client principal in ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param client client principal, free with krb5_free_principal()
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ticket_get_client(krb5_context context,
                        const krb5_ticket *ticket,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+/**
+ * Return server principal in ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ * @param server server principal, free with krb5_free_principal()
+ *
+ * @return Returns 0 to indicate success.  Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ticket_get_server(krb5_context context,
                        const krb5_ticket *ticket,
 …
+}
+time_t KRB5_LIB_FUNCTION
+/**
+ * Return end time of ticket
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket ticket to copy
+ *
+ * @return end time of ticket
+ *
+ * @ingroup krb5
+ */
+KRB5_LIB_FUNCTION time_t KRB5_LIB_CALL
 krb5_ticket_get_endtime(krb5_context context,
                         const krb5_ticket *ticket)
 …
  * @ingroup krb5_ticket
  */
+unsigned long
+KRB5_LIB_FUNCTION unsigned long KRB5_LIB_CALL
 krb5_ticket_get_flags(krb5_context context,
                       const krb5_ticket *ticket)
 …
+}
+/*
+ * Extract the authorization data type of `type' from the
+ * 'ticket'. Store the field in `data'. This function is to use for
+ * kerberos applications.
+/**
+ * Extract the authorization data type of type from the ticket. Store
+ * the field in data. This function is to use for kerberos
+ * applications.
+ *
+ * @param context a Kerberos 5 context
+ * @param ticket Kerberos ticket
+ * @param type type to fetch
+ * @param data returned data, free with krb5_data_free()
+ *
+ * @ingroup krb5
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_ticket_get_authorization_data_type(krb5_context context,
                                         krb5_ticket *ticket,
 …
+    }
+    if (returned->name.name_string.len == 2 &&
+        strcmp(returned->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+    {
+    if (krb5_principal_is_krbtgt(context, returned)) {
         const char *realm = returned->name.name_string.val[1];
 …
     return ret;
 noreferral:
+    if (krb5_principal_compare(context, requested, returned) == FALSE) {
+    /*
+     * Expect excact match or that we got a krbtgt
+     */
+    if (krb5_principal_compare(context, requested, returned) != TRUE &&
+        (krb5_realm_compare(context, requested, returned) != TRUE &&
+         krb5_principal_is_krbtgt(context, returned) != TRUE))
+    {
         krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
                                N_("Not same server principal returned "
 …
 static krb5_error_code
+static krb5_error_code KRB5_CALLCONV
 decrypt_tkt (krb5_context context,
              krb5_keyblock *key,
 …
     krb5_timeofday (context, &sec_now);
     if (rep->enc_part.flags.initial
+        && (flags & EXTRACT_TICKET_TIMESYNC)
         && context->kdc_sec_offset == 0
         && krb5_config_get_bool (context, NULL,

trunk/server/source4/heimdal/lib/krb5/time.c

-              r414
+              r745
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_real_time (krb5_context context,
                     krb5_timestamp sec,
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_timeofday (krb5_context context,
                 krb5_timestamp *timeret)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_us_timeofday (krb5_context context,
                    krb5_timestamp *sec,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_format_time(krb5_context context, time_t t,
                  char *s, size_t len, krb5_boolean include_time)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_string_to_deltat(const char *string, krb5_deltat *deltat)
+{

trunk/server/source4/heimdal/lib/krb5/transited.c

-              r414
+              r745
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_domain_x500_decode(krb5_context context,
                         krb5_data tr, char ***realms, unsigned int *num_realms,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_domain_x500_encode(char **realms, unsigned int num_realms,
                         krb5_data *encoding)
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_check_transited(krb5_context context,
                      krb5_const_realm client_realm,
 …
+}
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_check_transited_realms(krb5_context context,
                             const char *const *realms,

trunk/server/source4/heimdal/lib/krb5/version.c

r414	r745
36	36	/* this is just to get a version stamp in the library file */
37	37
38		~~#define heimdal_version __heimdal_version~~
39		~~#define heimdal_long_version __heimdal_long_version~~
40	38	#include "version.h"
41	39

trunk/server/source4/heimdal/lib/krb5/warn.c

-              r414
+              r745
     char *msg = NULL;
     const char *err_str = NULL;
+    krb5_error_code ret;
     args[0] = args[1] = NULL;
 …
         if(do_errtext)
             strlcat(xfmt, ": ", sizeof(xfmt));
         vasprintf(&msg, fmt, ap);
         if(msg == NULL)
+        ret = vasprintf(&msg, fmt, ap);
+        if(ret < 0 || msg == NULL)
             return ENOMEM;
         *arg++ = msg;
+    }
     if(context && do_errtext){
-        const char *err_msg;
         strlcat(xfmt, "%s", sizeof(xfmt));
 …
             *arg = err_str;
         } else {
+            err_msg = krb5_get_err_text(context, code);
+            if (err_msg)
+                *arg = err_msg;
+            else
+                *arg= "<unknown error>";
+            *arg= "<unknown error>";
+        }
+    }
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_vwarn(krb5_context context, krb5_error_code code,
            const char *fmt, va_list ap)
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...)
      __attribute__ ((format (printf, 3, 4)))
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_vwarnx(krb5_context context, const char *fmt, va_list ap)
      __attribute__ ((format (printf, 2, 0)))
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_warnx(krb5_context context, const char *fmt, ...)
      __attribute__ ((format (printf, 2, 3)))
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verr(krb5_context context, int eval, krb5_error_code code,
           const char *fmt, va_list ap)
 …
     _warnerr(context, 1, code, 0, fmt, ap);
     exit(eval);
+    UNREACHABLE(return 0);
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_err(krb5_context context, int eval, krb5_error_code code,
          const char *fmt, ...)
 …
     FUNC(1, code, 0);
     exit(eval);
+    UNREACHABLE(return 0);
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 3, 0)))
 …
     _warnerr(context, 0, 0, 0, fmt, ap);
     exit(eval);
+    UNREACHABLE(return 0);
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_errx(krb5_context context, int eval, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 3, 4)))
 …
     FUNC(0, 0, 0);
     exit(eval);
+    UNREACHABLE(return 0);
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_vabort(krb5_context context, krb5_error_code code,
             const char *fmt, va_list ap)
 …
     _warnerr(context, 1, code, 0, fmt, ap);
     abort();
+}
+/**
+ * Log a warning to the log, default stderr, include bthe error from
+    UNREACHABLE(return 0);
+}
+/**
+ * Log a warning to the log, default stderr, include the error from
  * the last failure and then abort.
+ *
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 3, 4)))
 …
     FUNC(1, code, 0);
     abort();
+}
+krb5_error_code KRB5_LIB_FUNCTION
+    UNREACHABLE(return 0);
+}
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_vabortx(krb5_context context, const char *fmt, va_list ap)
      __attribute__ ((noreturn, format (printf, 2, 0)))
 …
     _warnerr(context, 0, 0, 0, fmt, ap);
     abort();
+    UNREACHABLE(return 0);
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_abortx(krb5_context context, const char *fmt, ...)
      __attribute__ ((noreturn, format (printf, 2, 3)))
 …
     FUNC(0, 0, 0);
     abort();
+    UNREACHABLE(return 0);
+}
 …
  */
+krb5_error_code KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac)
+{
 …
  */
+krb5_log_facility * KRB5_LIB_FUNCTION
+KRB5_LIB_FUNCTION krb5_log_facility * KRB5_LIB_CALL
 krb5_get_warn_dest(krb5_context context)
+{

Context Navigation

Legend:

Download in other formats: