heimdal make kvno unisgned internally

The folks at heimdal didn't like the patch in
commit 6379737b7d and insisted
that kvno should remain unsigned internally, even though it is
encoded as signed in packets. This patch reverts some of the
unsigned->signed changes in that commit, and resolves conversion
issues - in order to be aligned with upstream Heimdal.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144

source4/heimdal/kdc/krb5tgs.c

@@ -1174,6 +1174,8 @@ tgs_parse_request(krb5_context context,
     Key *tkey;
     krb5_keyblock *subkey = NULL;
     unsigned usage;
+    krb5uint32 kvno = 0;
+    krb5uint32 *kvno_ptr = NULL;
 
     *auth_data = NULL;
     *csec  = NULL;
@@ -1201,7 +1203,12 @@ tgs_parse_request(krb5_context context,
 				       ap_req.ticket.sname,
 				       ap_req.ticket.realm);
 
-    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
+    if (ap_req.ticket.enc_part.kvno) {
+	    kvno = *ap_req.ticket.enc_part.kvno;
+	    kvno_ptr = &kvno;
+    }
+    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, kvno_ptr,
+			NULL, krbtgt);
 
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	char *p;
@@ -1541,6 +1548,8 @@ tgs_build_reply(krb5_context context,
 	hdb_entry_ex *uu;
 	krb5_principal p;
 	Key *uukey;
+	krb5uint32 second_kvno = 0;
+	krb5uint32 *kvno_ptr = NULL;
 
 	if(b->additional_tickets == NULL ||
 	   b->additional_tickets->len == 0){
@@ -1557,8 +1566,12 @@ tgs_build_reply(krb5_context context,
 	    goto out;
 	}
 	_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
+	if(t->enc_part.kvno){
+	    second_kvno = *t->enc_part.kvno;
+	    kvno_ptr = &second_kvno;
+	}
 	ret = _kdc_db_fetch(context, config, p,
-			    HDB_F_GET_KRBTGT, t->enc_part.kvno,
+			    HDB_F_GET_KRBTGT, kvno_ptr,
 			    NULL, &uu);
 	krb5_free_principal(context, p);
 	if(ret){

source4/heimdal/kdc/misc.c

@@ -40,7 +40,7 @@ _kdc_db_fetch(krb5_context context,
 	      krb5_kdc_configuration *config,
 	      krb5_const_principal principal,
 	      unsigned flags,
-	      krb5int32 *kvno_ptr,
+	      krb5uint32 *kvno_ptr,
 	      HDB **db,
 	      hdb_entry_ex **h)
 {

source4/torture/rpc/lsa.c

@@ -3183,7 +3183,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
 	const char *old_password = cli_credentials_get_old_password(credentials);
 	int kvno = cli_credentials_get_kvno(credentials);
 	int expected_kvno = 0;
-	krb5int32 t_kvno = 0;
+	krb5uint32 t_kvno = 0;
 	const char *host = torture_setting_string(tctx, "host", NULL);
 	krb5_error_code k5ret;
 	krb5_boolean k5ok;