author | Stanislav Sedov <stas@FreeBSD.org> | 2011-10-08 04:08:44 +0000 |
---|---|---|
committer | Stanislav Sedov <stas@FreeBSD.org> | 2011-10-08 04:08:44 +0000 |
commit | 813b7899c1cf9c5cd1b72c0fb7c6c740aab26929 (patch) | |
tree | 353454e541452788c2b3c59d1fb19ada4daf5646 /lib/krb5 | |
parent | 7c450da7b446c557e05f34a100b597800967d987 (diff) | |
- Update vendor tree of heimdal to 1.5.1.vendor/heimdal/1.5.1
Notes
Notes:
svn path=/vendor-crypto/heimdal/dist/; revision=226128
svn path=/vendor-crypto/heimdal/1.5.1/; revision=226129; tag=vendor/heimdal/1.5.1
Diffstat (limited to 'lib/krb5')
-rw-r--r-- | lib/krb5/cache.c | 44 | ||||
-rw-r--r-- | lib/krb5/crypto.c | 71 | ||||
-rw-r--r-- | lib/krb5/error_string.c | 60 | ||||
-rw-r--r-- | lib/krb5/keytab_keyfile.c | 22 | ||||
-rw-r--r-- | lib/krb5/krb5-private.h | 7 |
5 files changed, 143 insertions, 61 deletions
diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c index 616044e67baa..88040cbc6f35 100644 --- a/lib/krb5/cache.c +++ b/lib/krb5/cache.c @@ -464,6 +464,9 @@ environment_changed(krb5_context context) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_cc_switch(krb5_context context, krb5_ccache id) { +#ifdef _WIN32 + _krb5_set_default_cc_name_to_registry(context, id); +#endif if (id->ops->set_default == NULL) return 0; @@ -515,7 +518,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name) #ifdef _WIN32 if (e == NULL) { - e = p = _krb5_get_default_cc_name_from_registry(); + e = p = _krb5_get_default_cc_name_from_registry(context); } #endif if (e == NULL) { @@ -1702,21 +1705,22 @@ krb5_cc_get_kdc_offset(krb5_context context, krb5_ccache id, krb5_deltat *offset #ifdef _WIN32 +#define REGPATH_MIT_KRB5 "SOFTWARE\\MIT\\Kerberos5" char * -_krb5_get_default_cc_name_from_registry() +_krb5_get_default_cc_name_from_registry(krb5_context context) { HKEY hk_k5 = 0; LONG code; char * ccname = NULL; code = RegOpenKeyEx(HKEY_CURRENT_USER, - "Software\\MIT\\Kerberos5", + REGPATH_MIT_KRB5, 0, KEY_READ, &hk_k5); if (code != ERROR_SUCCESS) return NULL; - ccname = _krb5_parse_reg_value_as_string(NULL, hk_k5, "ccname", + ccname = _krb5_parse_reg_value_as_string(context, hk_k5, "ccname", REG_NONE, 0); RegCloseKey(hk_k5); 
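Review bot: In krb5_cc_switch the new `_krb5_set_default_cc_name_to_registry(context, id);` call sits ahead of the `id->ops->set_default == NULL` check and its int result is discarded. The per-user registry value is therefore rewritten even when the function then returns without switching anything. The rest of the function is outside the hunk, so whether a later `set_default` failure leaves the registry and the real default out of step is inferred, not shown. If the write is meant to be best-effort, say so in a comment such as `/* best effort: a failed registry update does not fail the switch */`; otherwise move it after a successful `set_default` and check the result.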
@@ -1724,4 +1728,36 @@ _krb5_get_default_cc_name_from_registry() return ccname; } +int +_krb5_set_default_cc_name_to_registry(krb5_context context, krb5_ccache id) +{ + HKEY hk_k5 = 0; + LONG code; + int ret = -1; + char * ccname = NULL; + + code = RegOpenKeyEx(HKEY_CURRENT_USER, + REGPATH_MIT_KRB5, + 0, KEY_READ|KEY_WRITE, &hk_k5); + + if (code != ERROR_SUCCESS) + return -1; + + ret = asprintf(&ccname, "%s:%s", krb5_cc_get_type(context, id), krb5_cc_get_name(context, id)); + if (ret < 0) + goto cleanup; + + ret = _krb5_store_string_to_reg_value(context, hk_k5, "ccname", + REG_SZ, ccname, -1, 0); + + cleanup: + + if (ccname) + free(ccname); + + RegCloseKey(hk_k5); + + return ret; +} + #endif diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 37eb2c5460f5..4b66035155dd 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c @@ -51,9 +51,33 @@ static void free_key_schedule(krb5_context, struct _krb5_key_data *, struct _krb5_encryption_type *); -/************************************************************ - * * - ************************************************************/ +/* + * Converts etype to a user readable string and sets as a side effect + * the krb5_error_message containing this string. Returns + * KRB5_PROG_ETYPE_NOSUPP in not the conversion of the etype failed in + * which case the error code of the etype convesion is returned. + */ + +static krb5_error_code +unsupported_enctype(krb5_context context, krb5_enctype etype) +{ + krb5_error_code ret; + char *name; + + ret = krb5_enctype_to_string(context, etype, &name); + if (ret) + return ret; + + krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, + N_("Encryption type %s not supported", ""), + name); + free(name); + return KRB5_PROG_ETYPE_NOSUPP; +} + +/* + * + */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_enctype_keysize(krb5_context context, 
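Review bot: In `_krb5_set_default_cc_name_to_registry` the `asprintf` failure path jumps to `cleanup`, which tests and frees `ccname`. On implementations that leave the output pointer unspecified when asprintf fails, that frees an indeterminate pointer. Resetting it first, `if (ret < 0) { ccname = NULL; goto cleanup; }`, removes that dependency, and the `if (ccname)` guard before `free` is redundant either way. Separately, `RegOpenKeyEx` only opens an existing key, so a user without a `REGPATH_MIT_KRB5` key gets -1 and nothing is stored; if the value should be created on first use, `RegCreateKeyEx` is the call for that. The function also mixes a bare -1 with whatever `_krb5_store_string_to_reg_value` returns, so a one-line comment on the return contract would help callers.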
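Review bot: `unsupported_enctype` returns the error from `krb5_enctype_to_string` when the name lookup fails, so the callers switched to it in this commit no longer return KRB5_PROG_ETYPE_NOSUPP in every case. That covers krb5_enctype_keysize, krb5_enctype_keybits, krb5_generate_random_keyblock, _key_schedule, krb5_enctype_to_keytype, krb5_enctype_valid, krb5_derive_key and krb5_crypto_init, any of which could now return, for example, an allocation error. `krb5_enctype_to_string` is not shown; if it consults the same table as `_krb5_find_enctype`, it will presumably fail for the very etypes that bring most callers here, and the new message is then never set. Keeping the code stable with a numeric fallback would avoid both problems: `if (ret) { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, N_("Encryption type %d not supported", ""), (int)etype); return KRB5_PROG_ETYPE_NOSUPP; }`. The header comment above the helper also has typos ("in not", "convesion") that make the contract hard to read.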
@@ -62,10 +86,7 @@ krb5_enctype_keysize(krb5_context context, { struct _krb5_encryption_type *et = _krb5_find_enctype(type); if(et == NULL) { - krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - type); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, type); } *keysize = et->keytype->size; return 0; @@ -78,10 +99,7 @@ krb5_enctype_keybits(krb5_context context, { struct _krb5_encryption_type *et = _krb5_find_enctype(type); if(et == NULL) { - krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, - "encryption type %d not supported", - type); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, type); } *keybits = et->keytype->bits; return 0; @@ -95,10 +113,7 @@ krb5_generate_random_keyblock(krb5_context context, krb5_error_code ret; struct _krb5_encryption_type *et = _krb5_find_enctype(type); if(et == NULL) { - krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - type); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, type); } ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); if(ret) @@ -121,10 +136,8 @@ _key_schedule(krb5_context context, struct _krb5_key_type *kt; if (et == NULL) { - krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - key->key->keytype); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, + key->key->keytype); } kt = et->keytype; @@ -684,10 +697,7 @@ krb5_enctype_to_keytype(krb5_context context, { struct _krb5_encryption_type *e = _krb5_find_enctype(etype); if(e == NULL) { - krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - etype); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, etype); } *keytype = e->keytype->type; /* XXX */ return 0; 
@@ -713,10 +723,7 @@ krb5_enctype_valid(krb5_context context, if (context == NULL) return KRB5_PROG_ETYPE_NOSUPP; if(e == NULL) { - krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - etype); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, etype); } /* Must be (e->flags & F_DISABLED) */ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, @@ -1954,10 +1961,7 @@ krb5_derive_key(krb5_context context, et = _krb5_find_enctype (etype); if (et == NULL) { - krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - etype); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype (context, etype); } ret = krb5_copy_keyblock(context, key, &d.key); @@ -2035,10 +2039,7 @@ krb5_crypto_init(krb5_context context, if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) { free(*crypto); *crypto = NULL; - krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP, - N_("encryption type %d not supported", ""), - etype); - return KRB5_PROG_ETYPE_NOSUPP; + return unsupported_enctype(context, etype); } if((*crypto)->et->keytype->size != key->keyvalue.length) { free(*crypto); diff --git a/lib/krb5/error_string.c b/lib/krb5/error_string.c index bebd4c490ee1..1bfbad0bfb05 100644 --- a/lib/krb5/error_string.c +++ b/lib/krb5/error_string.c 
@@ -241,29 +241,53 @@ krb5_have_error_string(krb5_context context) KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL krb5_get_error_message(krb5_context context, krb5_error_code code) { - char *str; - - HEIMDAL_MUTEX_lock(context->mutex); - if (context->error_string && - (code == context->error_code || context->error_code == 0)) - { - str = strdup(context->error_string); - if (str) { - HEIMDAL_MUTEX_unlock(context->mutex); - return str; - } - } - HEIMDAL_MUTEX_unlock(context->mutex); + char *str = NULL; + const char *cstr = NULL; + char buf[128]; + int free_context = 0; if (code == 0) return strdup("Success"); + + /* + * The MIT version of this function ignores the krb5_context + * and several widely deployed applications call krb5_get_error_message() + * with a NULL context in order to translate an error code as a + * replacement for error_message(). Another reason a NULL context + * might be provided is if the krb5_init_context() call itself + * failed. + */ + if (context) { - const char *msg; - char buf[128]; - msg = com_right_r(context->et_list, code, buf, sizeof(buf)); - if (msg) - return strdup(msg); + HEIMDAL_MUTEX_lock(context->mutex); + if (context->error_string && + (code == context->error_code || context->error_code == 0)) + { + str = strdup(context->error_string); + } + HEIMDAL_MUTEX_unlock(context->mutex); + + if (str) + return str; } + else + { + if (krb5_init_context(&context) == 0) + free_context = 1; + } + + if (context) + cstr = com_right_r(context->et_list, code, buf, sizeof(buf)); + + if (free_context) + krb5_free_context(context); + + if (cstr) + return strdup(cstr); + + cstr = error_message(code); + if (cstr) + return strdup(cstr); if (asprintf(&str, "<unknown error: %d>", (int)code) == -1 || str == NULL) return NULL; diff --git a/lib/krb5/keytab_keyfile.c b/lib/krb5/keytab_keyfile.c index ea74c32780f8..120083215542 100644 --- a/lib/krb5/keytab_keyfile.c +++ b/lib/krb5/keytab_keyfile.c 
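Review bot: In the NULL-context path of krb5_get_error_message, `krb5_free_context(context)` runs before `strdup(cstr)`. The copy is therefore safe only if `com_right_r` always returns a pointer into `buf` or static storage, never into memory owned by the temporary context. `com_right_r` is not visible in this hunk, so copying first would make the code independent of its implementation: `if (cstr) str = strdup(cstr);`, then `if (free_context) krb5_free_context(context);`, then `if (str) return str;`. Every call with a NULL context also builds and tears down a full krb5 context just to translate one code, which deserves a comment on the expected cost. Depending on the com_err implementation, the new `error_message(code)` fallback may return shared static storage, which matters for multi-threaded callers.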
@@ -212,9 +212,17 @@ akf_start_seq_get(krb5_context context, return ret; } + c->data = NULL; c->sp = krb5_storage_from_fd(c->fd); + if (c->sp == NULL) { + close(c->fd); + krb5_clear_error_message (context); + return KRB5_KT_NOTFOUND; + } + krb5_storage_set_eof_code(c->sp, KRB5_KT_END); + ret = krb5_ret_uint32(c->sp, &d->num_entries); - if(ret) { + if(ret || d->num_entries > INT_MAX / 8) { krb5_storage_free(c->sp); close(c->fd); krb5_clear_error_message (context); @@ -255,7 +263,10 @@ akf_next_entry(krb5_context context, entry->vno = kvno; - entry->keyblock.keytype = ETYPE_DES_CBC_MD5; + if (cursor->data) + entry->keyblock.keytype = ETYPE_DES_CBC_MD5; + else + entry->keyblock.keytype = ETYPE_DES_CBC_CRC; entry->keyblock.keyvalue.length = 8; entry->keyblock.keyvalue.data = malloc (8); if (entry->keyblock.keyvalue.data == NULL) { @@ -277,7 +288,11 @@ akf_next_entry(krb5_context context, entry->aliases = NULL; out: - krb5_storage_seek(cursor->sp, pos + 4 + 8, SEEK_SET); + if (cursor->data) { + krb5_storage_seek(cursor->sp, pos + 4 + 8, SEEK_SET); + cursor->data = NULL; + } else + cursor->data = cursor; return ret; } @@ -288,6 +303,7 @@ akf_end_seq_get(krb5_context context, { krb5_storage_free(cursor->sp); close(cursor->fd); + cursor->data = NULL; return 0; } diff --git a/lib/krb5/krb5-private.h b/lib/krb5/krb5-private.h index a6500f38e3b5..956e00e4aaf0 100644 --- a/lib/krb5/krb5-private.h +++ b/lib/krb5/krb5-private.h @@ -265,7 +265,7 @@ _krb5_get_cred_kdc_any ( krb5_creds ***/*ret_tgts*/); char * -_krb5_get_default_cc_name_from_registry (void); +_krb5_get_default_cc_name_from_registry (krb5_context /*context*/); char * _krb5_get_default_config_config_files_from_registry (void); @@ -555,6 +555,11 @@ _krb5_send_and_recv_tcp ( const krb5_data */*req*/, krb5_data */*rep*/); +int +_krb5_set_default_cc_name_to_registry ( + krb5_context /*context*/, + krb5_ccache /*id*/); + void _krb5_unload_plugins ( krb5_context /*context*/, |
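Review bot: In akf_start_seq_get the widened condition `if(ret || d->num_entries > INT_MAX / 8)` enters the error branch with `ret == 0` when only the entry count read from the file is out of range, and that branch frees `c->sp` and closes `c->fd`. The branch's return statement is outside the hunk. If it still ends in `return ret;`, an oversized count is reported as success while the cursor holds freed storage and a closed descriptor for the next akf_next_entry call to use. Forcing an error at the top of the branch, `if (ret == 0) ret = KRB5_KT_NOTFOUND;`, closes that gap whatever the tail of the branch looks like. The new `c->sp == NULL` branch also returns KRB5_KT_NOTFOUND for what is most likely an allocation failure, which hides the real cause from callers.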
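Review bot: `cursor->data` is used in akf_next_entry as an undocumented two-state toggle (NULL, or the cursor's own address), and it selects ETYPE_DES_CBC_CRC on one call and ETYPE_DES_CBC_MD5 on the next. This covers both the keytype hunk and the `out:` hunk. A comment at `out:` would make the intent readable, for example `/* each KeyFile entry is reported once per DES enctype; cursor->data marks the second pass */`. On the first pass the `else` branch does not seek, so the stream stays wherever the reads (outside these hunks) left it. If those reads advance past the entry, the second pass returns the following entry, not the same key, and an explicit `krb5_storage_seek(cursor->sp, pos, SEEK_SET);` in the `else` branch would be needed; please confirm against the full function. The `else` arm is also unbraced while the `if` arm is braced.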