From: Andrew Bartlett Date: Thu, 12 Oct 2023 22:14:55 +0000 (+1300) Subject: third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627... X-Git-Tag: tevent-0.16.0~89 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=204b1f0c12172eac0d39c7cfebd4f6d87a615ea3;p=thirdparty%2Fsamba.git third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton
---
diff --git a/third_party/heimdal/kdc/kdc-plugin.c b/third_party/heimdal/kdc/kdc-plugin.c
index f1d9a1f7579..50015b407dc 100644
--- a/third_party/heimdal/kdc/kdc-plugin.c
+++ b/third_party/heimdal/kdc/kdc-plugin.c
@@ -147,7 +147,6 @@ struct verify_uc { hdb_entry *krbtgt; EncTicketPart *ticket; krb5_pac pac; - krb5_boolean *is_trusted; }; static krb5_error_code KRB5_LIB_CALL
@@ -165,8 +164,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) uc->client_principal, uc->delegated_proxy, uc->client, uc->server, uc->krbtgt, - uc->ticket, uc->pac, - uc->is_trusted); + uc->ticket, uc->pac); return ret; }
@@ -178,8 +176,7 @@ _kdc_pac_verify(astgs_request_t r, hdb_entry *server, hdb_entry *krbtgt, EncTicketPart *ticket, - krb5_pac pac, - krb5_boolean *is_trusted) + krb5_pac pac) { struct verify_uc uc;
@@ -194,7 +191,6 @@ _kdc_pac_verify(astgs_request_t r, uc.krbtgt = krbtgt; uc.ticket = ticket, uc.pac = pac; - uc.is_trusted = is_trusted; return _krb5_plugin_run_f(r->context, &kdc_plugin_data, 0, &uc, verify);
diff --git a/third_party/heimdal/kdc/kdc-plugin.h b/third_party/heimdal/kdc/kdc-plugin.h
index 7d44f0a5243..53613498050 100644
--- a/third_party/heimdal/kdc/kdc-plugin.h
+++ b/third_party/heimdal/kdc/kdc-plugin.h
@@ -57,9 +57,7 @@ typedef krb5_error_code /* * Verify the PAC KDC signatures by fetching the appropriate TGS key - * and calling krb5_pac_verify() with that key. The possibly-NULL - * is_trusted may be set by the plugin to indicate that the PAC was - * issued by a trusted server, and not, for example, by an RODC. + * and calling krb5_pac_verify() with that key. */ typedef krb5_error_code
@@ -71,8 +69,7 @@ typedef krb5_error_code hdb_entry *,/* server */ hdb_entry *,/* krbtgt */ EncTicketPart *, /* ticket */ - krb5_pac, /* pac */ - krb5_boolean *); /* is_trusted */ + krb5_pac); /* pac */ /* * Update the KDC PAC buffers. This function may be used after verifying the PAC
diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
index 79dbe6622f4..981327a1c47 100644
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -96,7 +96,6 @@ _kdc_check_pac(astgs_request_t r, krb5_pac pac = NULL; krb5_error_code ret; krb5_boolean signedticket; - krb5_boolean is_trusted = FALSE; *kdc_issued = FALSE; *ppac = NULL;
@@ -126,12 +125,8 @@ _kdc_check_pac(astgs_request_t r, /* Verify the KDC signatures. */ ret = _kdc_pac_verify(r, client_principal, delegated_proxy, - client, server, krbtgt, tkt, pac, &is_trusted); + client, server, krbtgt, tkt, pac); if (ret == 0) { - if (is_trusted) { - krb5_pac_set_trusted(pac, TRUE); - } - if (pac_canon_name) { ret = _krb5_pac_get_canon_principal(context, pac, pac_canon_name); if (ret && ret != ENOENT) {
diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c
index cd5aa9a1df7..471e193f544 100644
--- a/third_party/heimdal/kdc/mssfu.c
+++ b/third_party/heimdal/kdc/mssfu.c
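Review bot: With `krb5_pac_set_trusted(pac, TRUE)` gone from the `if (ret == 0)` branch, `_kdc_check_pac` no longer records whether the verify plugin judged the PAC to come from a trusted issuer, which the comment removed from kdc-plugin.h in the same patch described as the distinction between a full DC and, for example, an RODC. If the intent is that the plugin now sets the trusted state on the PAC itself, a one-line comment on `if (ret == 0) {`, `/* the PAC's trusted state (RODC vs. full DC) is now recorded by the verify plugin, not here */`, would keep the next reader from assuming every signature-verified PAC is trusted at this point. If nothing sets it, any later consumer of the PAC's trusted flag will treat all PACs as untrusted, which is the safe direction but a behaviour change worth stating in the commit message. `_kdc_check_pac` continues past the end of the hunk.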
@@ -106,8 +106,12 @@ check_rbcd(krb5_context context, krb5_kdc_configuration *config, HDB *clientdb, krb5_const_principal s4u_principal, - krb5_const_principal client_principal, + const hdb_entry *client_krbtgt, + const hdb_entry *client, + const hdb_entry *device_krbtgt, + const hdb_entry *device, krb5_const_pac client_pac, + krb5_const_pac device_pac, const hdb_entry *target) { krb5_error_code ret = KRB5KDC_ERR_BADOPTION;
@@ -115,9 +119,13 @@ check_rbcd(krb5_context context, if (clientdb->hdb_check_rbcd) { ret = clientdb->hdb_check_rbcd(context, clientdb, + client_krbtgt, + client, + device_krbtgt, + device, s4u_principal, - client_principal, client_pac, + device_pac, target); if (ret == 0) return 0;
@@ -520,7 +528,11 @@ _kdc_validate_constrained_delegation(astgs_request_t r) if (rbcd_support) { ret = check_rbcd(r->context, r->config, r->clientdb, - s4u_client_name, r->client_princ, r->pac, r->server); + s4u_client_name, + r->krbtgt, r->client, + r->armor_server, r->armor_client, + r->pac, r->armor_pac, + r->server); } else { ret = KRB5KDC_ERR_BADOPTION; }
diff --git a/third_party/heimdal/lib/asn1/gen.c b/third_party/heimdal/lib/asn1/gen.c
index a660aaed846..55ec5f647d7 100644
--- a/third_party/heimdal/lib/asn1/gen.c
+++ b/third_party/heimdal/lib/asn1/gen.c
@@ -937,7 +937,13 @@ getnewbasename(char **newbasename, int typedefp, const char *basename, const cha err(1, "malloc"); } -static void define_type(int, const char *, const char *, Type *, Type *, int, int); +typedef enum define_type_options { + DEF_TYPE_NONE = 0, + DEF_TYPE_PRESERVE = 1, + DEF_TYPE_TYPEDEFP = 2, + DEF_TYPE_EMIT_NAME = 4 +} define_type_options; +static void define_type(int, const char *, const char *, Type *, Type *, define_type_options); /* * Get the SET/SEQUENCE member pair and CLASS field pair defining an open type.
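Review bot: The call in `_kdc_validate_constrained_delegation` feeds `r->armor_server`, `r->armor_client` and `r->armor_pac` into the new `device_krbtgt`, `device` and `device_pac` parameters of `check_rbcd`, and I would expect those to be NULL whenever the TGS request carried no FAST armor; neither `check_rbcd` nor the widened `hdb_check_rbcd` prototype in the hdb.h hunk says that a backend must accept NULL there. Since `hdb_check_rbcd` is implemented out of tree, the contract should be explicit in the hdb.h doc comment, e.g. ` * The device (armor) krbtgt, device entry and device PAC may be NULL when the request was not FAST-armored; backends must not dereference them unconditionally.` Whether the armor fields really are NULL in that case is inferred from their names and cannot be confirmed from these hunks. `check_rbcd`'s body and `_kdc_validate_constrained_delegation` both extend outside the hunks shown.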
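Review bot: `define_type_options` is used as a bit set (callers OR its members together, e.g. `DEF_TYPE_PRESERVE | DEF_TYPE_TYPEDEFP`), but none of the four enumerators says what it controls, and `DEF_TYPE_EMIT_NAME` in particular changes the generated header text (whether the closing brace is followed by the declarator name), which a reader of the prototype cannot guess. A short comment per enumerator would fix that: `DEF_TYPE_PRESERVE = 1,  /* add a heim_octet_string _save member to SEQUENCE/CHOICE */`, `DEF_TYPE_TYPEDEFP = 2,  /* top-level typedef: name the enum tag and the struct basename */`, `DEF_TYPE_EMIT_NAME = 4  /* print the declarator name after the closing brace */`. The enum could also note that `DEF_TYPE_NONE` exists only so that a call with no flags reads as something other than a bare `0`.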
@@ -1158,7 +1164,7 @@ define_open_type(int level, const char *newbasename, const char *name, const cha if (asprintf(&n, "*%s", objects[i]->symbol->gen_name) < 0 || n == NULL) err(1, "malloc"); - define_type(level + 2, n, newbasename, NULL, of->type, FALSE, FALSE); + define_type(level + 2, n, newbasename, NULL, of->type, DEF_TYPE_NONE); fprintf(jsonfile, "%s", (i + 1) < nobjs ? "," : ""); free(n); }
@@ -1178,7 +1184,8 @@ static const char * const tagclassnames[] = { }; static void -define_type(int level, const char *name, const char *basename, Type *pt, Type *t, int typedefp, int preservep) +define_type(int level, const char *name, const char *basename, + Type *pt, Type *t, define_type_options opts) { const char *label_prefix = NULL; const char *label_prefix_sep = NULL;
@@ -1188,7 +1195,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t "\"is_type\":true,\"exported\":%s,\"typedef\":%s,", basename, name, t->symbol && is_export(t->symbol->name) ? "true" : "false", - typedefp ? "true" : "false"); + (opts & DEF_TYPE_TYPEDEFP) ? "true" : "false"); switch (t->type) { case TType:
@@ -1214,7 +1221,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t label_prefix = prefix_enum ? name : (enum_prefix ? enum_prefix : ""); label_prefix_sep = prefix_enum ? "_" : ""; - fprintf (headerfile, "enum %s {\n", typedefp ? name : ""); + fprintf (headerfile, "enum %s {\n", (opts & DEF_TYPE_TYPEDEFP) ? name : ""); fprintf(jsonfile, "\"ttype\":\"INTEGER\",\"ctype\":\"enum\"," "\"members\":[\n"); HEIM_TAILQ_FOREACH(m, t->members, members) {
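Review bot: `define_type(level + 2, n, newbasename, NULL, of->type, DEF_TYPE_NONE)` is the one member-level call in this patch that does not carry `DEF_TYPE_EMIT_NAME`; the old `FALSE, FALSE` arguments always produced `} name;` at the struct/enum/choice closers, whereas with `DEF_TYPE_NONE` those closers now print `};` and the `*symbol` declarator built into `n` is lost. If an open-type object field can only ever be a reference to a named type, so that no closer is reached for `of->type`, this is harmless, but that invariant is not visible here; the `"len"` call in the SET OF/SEQUENCE OF hunk raises the same question, though there `i.type = TInteger` presumably never reaches a closer. Either pass `DEF_TYPE_EMIT_NAME` here to keep the previous output, or add `/* of->type is always a reference to a named type, so no closer is emitted */` if that is the guarantee. `define_open_type` starts before the hunk.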
@@ -1298,7 +1305,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t fprintf(jsonfile, "\"ctype\":\"heim_bit_string\""); } else { int64_t pos = 0; - getnewbasename(&newbasename, typedefp || level == 0, basename, name); + getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name); fprintf (headerfile, "struct %s {\n", newbasename); fprintf(jsonfile, "\"ctype\":\"struct %s\",\"members\":[\n", newbasename);
@@ -1313,7 +1320,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t if (asprintf (&n, "_unused%lld:1", (long long)pos) < 0 || n == NULL) err(1, "malloc"); - define_type(level + 1, n, newbasename, NULL, &i, FALSE, FALSE); + define_type(level + 1, n, newbasename, NULL, &i, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, ","); free(n); pos++;
@@ -1322,7 +1329,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t n = NULL; if (asprintf (&n, "%s:1", m->gen_name) < 0 || n == NULL) errx(1, "malloc"); - define_type(level + 1, n, newbasename, NULL, &i, FALSE, FALSE); + define_type(level + 1, n, newbasename, NULL, &i, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, "%s", last_member_p(m)); free (n); n = NULL;
@@ -1341,14 +1348,16 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t if (asprintf (&n, "_unused%lld:1", (long long)pos) < 0 || n == NULL) errx(1, "malloc"); - define_type(level + 1, n, newbasename, NULL, &i, FALSE, FALSE); + define_type(level + 1, n, newbasename, NULL, &i, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, "%s", (pos + 1) < bitset_size ? "," : ""); free(n); pos++; } space(level); - fprintf (headerfile, "} %s;\n\n", name); + fprintf(headerfile, "}%s%s;\n\n", + (opts & DEF_TYPE_EMIT_NAME) ? " " : "", + (opts & DEF_TYPE_EMIT_NAME) ? name : ""); fprintf(jsonfile, "]"); } break;
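Review bot: The closer `fprintf(headerfile, "}%s%s;\n\n", (opts & DEF_TYPE_EMIT_NAME) ? " " : "", (opts & DEF_TYPE_EMIT_NAME) ? name : "")` introduced at the end of the TBitString case is repeated verbatim, each time after `space(level)`, in the TEnumerated, TSet/TSequence, TSetOf/TSequenceOf and TChoice closers later in this patch; the only variation is whether one or two newlines follow the semicolon. Keeping the EMIT_NAME decision in one static helper means the five sites cannot drift apart and gives the behaviour a place to be documented. `define_type` runs well beyond this hunk, so the helper would go next to it at file scope.
```c
/* Close a generated struct/enum body. The declarator name is printed
 * only when the caller asked for it via DEF_TYPE_EMIT_NAME. */
static void
emit_type_closer(int level, const char *name, define_type_options opts,
                 const char *tail)
{
    space(level);
    fprintf(headerfile, "}%s%s;\n%s",
            (opts & DEF_TYPE_EMIT_NAME) ? " " : "",
            (opts & DEF_TYPE_EMIT_NAME) ? name : "",
            tail);
}

/* … unchanged: TBitString member loop … */
            emit_type_closer(level, name, opts, "\n");
            fprintf(jsonfile, "]");
```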
@@ -1362,9 +1371,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t label_prefix = prefix_enum ? name : (enum_prefix ? enum_prefix : ""); label_prefix_sep = prefix_enum ? "_" : ""; space(level); - fprintf (headerfile, "enum %s {\n", typedefp ? name : ""); + fprintf (headerfile, "enum %s {\n", (opts & DEF_TYPE_TYPEDEFP) ? name : ""); fprintf(jsonfile, "\"ctype\":\"enum %s\",\"extensible\":%s,\"members\":[\n", - typedefp ? name : "", have_ellipsis(t) ? "true" : "false"); + (opts & DEF_TYPE_TYPEDEFP) ? name : "", have_ellipsis(t) ? "true" : "false"); HEIM_TAILQ_FOREACH(m, t->members, members) { space(level + 1); if (m->ellipsis) {
@@ -1379,7 +1388,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t } } space(level); - fprintf (headerfile, "} %s;\n\n", name); + fprintf(headerfile, "}%s%s;\n\n", + (opts & DEF_TYPE_EMIT_NAME) ? " " : "", + (opts & DEF_TYPE_EMIT_NAME) ? name : ""); fprintf(jsonfile, "]"); break; }
@@ -1390,7 +1401,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t ssize_t more_deco = -1; int decorated = 0; - getnewbasename(&newbasename, typedefp || level == 0, basename, name); + getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name); space(level);
@@ -1399,7 +1410,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t "\"ctype\":\"struct %s\"", t->type == TSet ? "SET" : "SEQUENCE", have_ellipsis(t) ? "true" : "false", newbasename); - if (t->type == TSequence && preservep) { + if (t->type == TSequence && (opts & DEF_TYPE_PRESERVE)) { space(level + 1); fprintf(headerfile, "heim_octet_string _save;\n"); fprintf(jsonfile, ",\"preserve\":true");
@@ -1443,14 +1454,14 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t fprintf(jsonfile, "{\"name\":\"%s\",\"gen_name\":\"%s\"," "\"optional\":%s,\"defval\":%s,\"type\":", m->name, m->gen_name, m->optional ? "true" : "false", defvalp); - define_type(level + 1, namep, newbasename, t, m->type, FALSE, FALSE); + define_type(level + 1, namep, newbasename, t, m->type, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, "}%s", last_member_p(m)); free (n); free (defval); } else { fprintf(jsonfile, "{\"name\":\"%s\",\"gen_name\":\"%s\"," "\"optional\":false,\"type\":", m->name, m->gen_name); - define_type(level + 1, m->gen_name, newbasename, t, m->type, FALSE, FALSE); + define_type(level + 1, m->gen_name, newbasename, t, m->type, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, "}%s", last_member_p(m)); } }
@@ -1488,7 +1499,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t if (decorated) fprintf(jsonfile, "]"); space(level); - fprintf (headerfile, "} %s;\n", name); + fprintf(headerfile, "}%s%s;\n", + (opts & DEF_TYPE_EMIT_NAME) ? " " : "", + (opts & DEF_TYPE_EMIT_NAME) ? name : ""); free(deco.field_type); break; }
@@ -1497,7 +1510,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t Type i; struct range range = { 0, UINT_MAX }; - getnewbasename(&newbasename, typedefp || level == 0, basename, name); + getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name); memset(&i, 0, sizeof(i)); i.type = TInteger;
@@ -1507,11 +1520,13 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t fprintf (headerfile, "struct %s {\n", newbasename); fprintf(jsonfile, "\"ttype\":\"%s\",\"ctype\":\"struct %s\",\"members\":[", t->type == TSetOf ? "SET OF" : "SEQUENCE OF", newbasename); - define_type(level + 1, "len", newbasename, t, &i, FALSE, FALSE); + define_type(level + 1, "len", newbasename, t, &i, DEF_TYPE_NONE); fprintf(jsonfile, ","); - define_type(level + 1, "*val", newbasename, t, t->subtype, FALSE, FALSE); + define_type(level + 1, "*val", newbasename, t, t->subtype, DEF_TYPE_NONE | DEF_TYPE_EMIT_NAME); space(level); - fprintf (headerfile, "} %s;\n", name); + fprintf(headerfile, "}%s%s;\n", + (opts & DEF_TYPE_EMIT_NAME) ? " " : "", + (opts & DEF_TYPE_EMIT_NAME) ? name : ""); fprintf(jsonfile, "]"); break; }
@@ -1538,7 +1553,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t tagclassnames[t->tag.tagclass], t->tag.tagvalue, t->tag.tagenv == TE_EXPLICIT ? "EXPLICIT" : "IMPLICIT"); fprintf(jsonfile, "\"ttype\":\n"); - define_type(level, name, basename, t, t->subtype, typedefp, preservep); + define_type(level, name, basename, t, t->subtype, opts); break; case TChoice: { struct decoration deco;
@@ -1547,13 +1562,13 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t int first = 1; Member *m; - getnewbasename(&newbasename, typedefp || level == 0, basename, name); + getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name); space(level); fprintf (headerfile, "struct %s {\n", newbasename); fprintf(jsonfile, "\"ttype\":\"CHOICE\",\"ctype\":\"struct %s\"", newbasename); - if (preservep) { + if ((opts & DEF_TYPE_PRESERVE)) { space(level + 1); fprintf(headerfile, "heim_octet_string _save;\n"); fprintf(jsonfile, ",\"preserve\":true");
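Review bot: `DEF_TYPE_NONE | DEF_TYPE_EMIT_NAME` on the `"*val"` call is just `DEF_TYPE_EMIT_NAME`; OR-ing in the zero enumerator reads as if NONE carried a meaning of its own and invites a reader to look for one. The adjacent `"len"` call passes plain `DEF_TYPE_NONE`, so the two lines should agree: `define_type(level + 1, "*val", newbasename, t, t->subtype, DEF_TYPE_EMIT_NAME);`. In the same spirit, `if ((opts & DEF_TYPE_PRESERVE)) {` in the TChoice hunk has a redundant pair of parentheses; `if (opts & DEF_TYPE_PRESERVE) {` matches the `t->type == TSequence && (opts & DEF_TYPE_PRESERVE)` test earlier in the function.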
@@ -1592,11 +1607,11 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t if (asprintf (&n, "*%s", m->gen_name) < 0 || n == NULL) errx(1, "malloc"); fprintf(jsonfile, "{\"optional\":"); - define_type(level + 2, n, newbasename, t, m->type, FALSE, FALSE); + define_type(level + 2, n, newbasename, t, m->type, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, "}%s", last_member_p(m)); free (n); } else { - define_type(level + 2, m->gen_name, newbasename, t, m->type, FALSE, FALSE); + define_type(level + 2, m->gen_name, newbasename, t, m->type, DEF_TYPE_EMIT_NAME); fprintf(jsonfile, "%s", last_member_p(m)); } }
@@ -1634,7 +1649,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t fprintf(jsonfile, "]"); space(level); - fprintf (headerfile, "} %s;\n", name); + fprintf(headerfile, "}%s%s;\n", + (opts & DEF_TYPE_EMIT_NAME) ? " " : "", + (opts & DEF_TYPE_EMIT_NAME) ? name : ""); break; } case TUTCTime:
@@ -1699,8 +1716,10 @@ declare_type(const Symbol *s, Type *t, int typedefp) switch (t->type) { case TType: - define_type(0, s->gen_name, s->gen_name, NULL, s->type, TRUE, TRUE); - if (template_flag) + define_type(0, s->gen_name, s->gen_name, NULL, s->type, + DEF_TYPE_PRESERVE | DEF_TYPE_TYPEDEFP | + (s->emitted_declaration ? 0 : DEF_TYPE_EMIT_NAME)); + if (template_flag && !s->emitted_declaration) generate_template_type_forward(s->gen_name); emitted_declaration(s); return;
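Review bot: `(s->emitted_declaration ? 0 : DEF_TYPE_EMIT_NAME)` in the `case TType:` branch of `declare_type`, and again in the `case TNull:` branch of the next hunk, suppresses the declarator name on a second pass without saying why; presumably the forward declaration already introduced `s->gen_name` and repeating it would redefine the typedef, but that has to be reconstructed from the `!s->emitted_declaration` guard on `generate_template_type_forward`. A comment on the first occurrence, `/* already forward-declared: emit the body only, the typedef name must not be repeated */`, would make the flag's purpose clear at both sites. `declare_type` starts and ends outside this hunk.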
@@ -1721,14 +1740,17 @@ declare_type(const Symbol *s, Type *t, int typedefp) case TVisibleString: case TOID : case TNull: - define_type(0, s->gen_name, s->gen_name, NULL, s->type, TRUE, TRUE); - if (template_flag) + define_type(0, s->gen_name, s->gen_name, NULL, s->type, + DEF_TYPE_PRESERVE | DEF_TYPE_TYPEDEFP | + (s->emitted_declaration ? 0 : DEF_TYPE_EMIT_NAME)); + if (template_flag && !s->emitted_declaration) generate_template_type_forward(s->gen_name); emitted_declaration(s); emitted_definition(s); return; case TTag: - declare_type(s, t->subtype, FALSE); + if (!s->emitted_declaration) + declare_type(s, t->subtype, FALSE); emitted_declaration(s); return; default:
@@ -1903,10 +1925,13 @@ generate_type_header (const Symbol *s) * member fields are not OPTIONAL/DEFAULTed. */ generate_subtypes_header(s); - fprintf(headerfile, "/*\n"); - fprintf(headerfile, "%s ::= ", s->name); - define_asn1 (0, s->type); - fprintf(headerfile, "\n*/\n\n"); + if (!s->emitted_asn1) { + fprintf(headerfile, "/*\n"); + fprintf(headerfile, "%s ::= ", s->name); + define_asn1 (0, s->type); + fprintf(headerfile, "\n*/\n\n"); + emitted_asn1(s); + } /* * Emit enums for the outermost tag of this type. These are needed for
@@ -1963,9 +1988,22 @@ generate_type_header (const Symbol *s) fprintf(symsfile, "ASN1_SYM_TYPE(\"%s\", \"%s\", %s)\n", s->name, s->gen_name, s->gen_name); - fprintf(headerfile, "typedef "); - define_type(0, s->gen_name, s->gen_name, NULL, s->type, TRUE, - preserve_type(s->name) ? TRUE : FALSE); + if (!s->emitted_declaration) { + fprintf(headerfile, "typedef "); + define_type(0, s->gen_name, s->gen_name, NULL, s->type, + DEF_TYPE_TYPEDEFP | DEF_TYPE_EMIT_NAME | + (preserve_type(s->name) ? DEF_TYPE_PRESERVE : 0)); + } else if (s->type->type == TType) { + /* This is a type alias and we've already declared it */ + } else if (s->type->type == TTag && + s->type->subtype != NULL && + s->type->subtype->symbol != NULL) { + /* This is a type alias and we've already declared it */ + } else { + define_type(0, s->gen_name, s->gen_name, NULL, s->type, + DEF_TYPE_TYPEDEFP | + (preserve_type(s->name) ? DEF_TYPE_PRESERVE : 0)); + } fprintf(headerfile, "\n"); emitted_definition(s);
diff --git a/third_party/heimdal/lib/asn1/symbol.c b/third_party/heimdal/lib/asn1/symbol.c
index 920ed16f7a8..b472ebd281e 100644
--- a/third_party/heimdal/lib/asn1/symbol.c
+++ b/third_party/heimdal/lib/asn1/symbol.c
@@ -171,3 +171,9 @@ emitted_tag_enums(const Symbol *s) { ((Symbol *)(uintptr_t)s)->emitted_tag_enums = 1; } + +void +emitted_asn1(const Symbol *s) +{ + ((Symbol *)(uintptr_t)s)->emitted_asn1 = 1; +}
diff --git a/third_party/heimdal/lib/asn1/symbol.h b/third_party/heimdal/lib/asn1/symbol.h
index bce2e1fe421..108749b9287 100644
--- a/third_party/heimdal/lib/asn1/symbol.h
+++ b/third_party/heimdal/lib/asn1/symbol.h
@@ -238,6 +238,7 @@ struct symbol { IOSObject *object; IOSObjectSet *objectset; HEIM_TAILQ_ENTRY(symbol) symlist; + unsigned int emitted_asn1:1; unsigned int emitted_declaration:1; unsigned int emitted_definition:1; unsigned int emitted_tag_enums:1;
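Review bot: The two `else if` branches in `generate_type_header` whose only body is the comment `/* This is a type alias and we've already declared it */` make a reader evaluate three conditions to learn that `define_type` is skipped for aliases of named types, and the duplicated comment says what was done earlier rather than why nothing is needed now. Folding the TType test and the TTag-with-named-subtype test into one small predicate turns the chain into two branches with real bodies and gives the alias rule a name; the predicate's comment below states the reason as I read it from this hunk and should be adjusted if the TType/TTag handling outside it says otherwise. `generate_type_header` starts before the hunk.
```c
/* True when s is a bare alias of another named type. Such an alias
 * was already declared, and its body lives with the named type, so
 * generate_type_header() must not emit a second definition for it. */
static int
is_named_type_alias(const Symbol *s)
{
    return s->type->type == TType ||
        (s->type->type == TTag &&
         s->type->subtype != NULL &&
         s->type->subtype->symbol != NULL);
}

/* … in generate_type_header(): … */
    if (!s->emitted_declaration) {
        /* … unchanged: "typedef " + define_type with DEF_TYPE_EMIT_NAME … */
    } else if (!is_named_type_alias(s)) {
        /* … unchanged: define_type without DEF_TYPE_EMIT_NAME … */
    }
```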
@@ -260,6 +261,7 @@ Symbol *getsym(char *name); void output_name (char *); int checkundefined(void); void generate_types(void); +void emitted_asn1(const Symbol *); void emitted_declaration(const Symbol *); void emitted_definition(const Symbol *); void emitted_tag_enums(const Symbol *);
diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h
index 6534766a18c..15208ac48e8 100644
--- a/third_party/heimdal/lib/hdb/hdb.h
+++ b/third_party/heimdal/lib/hdb/hdb.h
@@ -289,7 +289,7 @@ typedef struct HDB { /** * Check if resource-based constrained delegation (RBCD) is allowed. */ - krb5_error_code (*hdb_check_rbcd)(krb5_context, struct HDB *, krb5_const_principal, krb5_const_principal, krb5_const_pac, const hdb_entry *); + krb5_error_code (*hdb_check_rbcd)(krb5_context, struct HDB *, const hdb_entry *, const hdb_entry *, const hdb_entry *, const hdb_entry *, krb5_const_principal, krb5_const_pac, krb5_const_pac, const hdb_entry *); /** * Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c
index 2f342d9f3c0..dd774950eed 100644
--- a/third_party/heimdal/lib/krb5/pac.c
+++ b/third_party/heimdal/lib/krb5/pac.c
@@ -1249,7 +1249,7 @@ krb5_pac_verify(krb5_context context, /* * If we are in the KDC, we expect back a full signature in the PAC * - * This is set up as a seperate variable to make it easier if a + * This is set up as a separate variable to make it easier if a * subsequent patch is added to make this configurable in the * krb5.conf (or forced into the krb5_context via Samba) */
@@ -1257,8 +1257,8 @@ krb5_pac_verify(krb5_context context, /* * If we are on the KDC, then we trust we are not in a realm with - * buggy Windows 2008 or similar era DCs that give our HMAC-MD5 - * sigatures over AES keys. DES is also already gone. + * buggy Windows 2008 or similar era DCs that give out HMAC-MD5 + * signatures over AES keys. DES is also already gone. */ krb5_boolean strict_cksumtype_match = expect_full_sig;