author | Stanislav Sedov <stas@FreeBSD.org> | 2012-04-08 04:47:53 +0000 |
---|---|---|
committer | Stanislav Sedov <stas@FreeBSD.org> | 2012-04-08 04:47:53 +0000 |
commit | feec3621854ef6b1ccd3598df2202c0622929444 (patch) | |
tree | ba2f151899a171234df9949cf23e5f8a9bd43bb7 /lib/krb5 | |
parent | 813b7899c1cf9c5cd1b72c0fb7c6c740aab26929 (diff) | |
- Update vendor tree of heimdal to 1.5.2.vendor/heimdal/1.5.2
Notes
Notes:
svn path=/vendor-crypto/heimdal/dist/; revision=234016
svn path=/vendor-crypto/heimdal/1.5.2/; revision=234017; tag=vendor/heimdal/1.5.2
Diffstat (limited to 'lib/krb5')
-rw-r--r-- | lib/krb5/crypto-arcfour.c | 2 | ||||
-rw-r--r-- | lib/krb5/crypto.c | 2 | ||||
-rw-r--r-- | lib/krb5/eai_to_heim_errno.c | 4 | ||||
-rw-r--r-- | lib/krb5/krb5.conf.5 | 25 | ||||
-rw-r--r-- | lib/krb5/krb5.conf.cat5 | 28 | ||||
-rw-r--r-- | lib/krb5/pac.c | 67 | ||||
-rw-r--r-- | lib/krb5/verify_krb5_conf.c | 2 |
7 files changed, 85 insertions, 45 deletions
diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c
index 1b369d2fda14..7f7e21d0d22c 100644
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -317,7 +317,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
 8,
 &keytype_arcfour,
 &_krb5_checksum_hmac_md5,
- NULL,
+ &_krb5_checksum_hmac_md5,
 F_SPECIAL,
 ARCFOUR_encrypt,
 0,
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 4b66035155dd..67ecef62e875 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -467,7 +467,7 @@ verify_checksum(krb5_context context,
 return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
 }
 kct = crypto->et->keyed_checksum;
- if (kct != NULL && kct->type != ct->type) {
+ if (kct == NULL || kct->type != ct->type) {
 krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
 N_("Checksum type %s is keyed, but "
 "the key type %s passed didnt have that checksum "
diff --git a/lib/krb5/eai_to_heim_errno.c b/lib/krb5/eai_to_heim_errno.c
index ef11e370f443..a6e14aba31dd 100644
--- a/lib/krb5/eai_to_heim_errno.c
+++ b/lib/krb5/eai_to_heim_errno.c
@@ -68,6 +68,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
 case EAI_NODATA:
 return HEIM_EAI_NODATA;
 #endif
+#ifdef WSANO_DATA
+ case WSANO_DATA:
+ return HEIM_EAI_NODATA;
+#endif
 case EAI_NONAME:
 return HEIM_EAI_NONAME;
 case EAI_SERVICE:
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 9e1edc7b6ca1..77d7f808ae47 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
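Review bot: With the test inverted to `kct == NULL || kct->type != ct->type`, an enctype whose keyed_checksum is NULL now rejects every keyed checksum type with KRB5_PROG_SUMTYPE_NOSUPP, where the old code skipped the type comparison entirely for such enctypes; that is the safer failure mode, but it makes populating keyed_checksum mandatory for any enctype that has to verify keyed checksums, which is exactly what the crypto-arcfour.c hunk in this commit does for arcfour-hmac-md5. A comment above the condition would stop the next maintainer from "fixing" it back, e.g. `/* A keyed checksum can only be verified with the enctype's own keyed checksum; with none declared we must refuse rather than skip the check. */`. The error text that follows ("didnt have that checksum") is cut off by the hunk, and verify_checksum continues outside it.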
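Review bot: The new `case WSANO_DATA:` is guarded only by `#ifdef WSANO_DATA` and follows the `#ifdef EAI_NODATA` block directly, so on a platform where EAI_NODATA is itself defined as WSANO_DATA (some Winsock SDK versions have done this) both labels expand to the same value and the switch fails to compile with a duplicate case. Assuming both are plain integer macros, `#if defined(WSANO_DATA) && (!defined(EAI_NODATA) || EAI_NODATA != WSANO_DATA)` avoids the collision; otherwise a comment recording why the two cases cannot coincide is the minimum. krb5_eai_to_heim_errno continues outside the hunk.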
@@ -412,19 +412,22 @@ Default is the same as Should the kdc answer kdc-requests over http. .It Li enable-kaserver = Va BOOL If this kdc should emulate the AFS kaserver. -.It Li as-use-strongest-session-key = Va BOOL +.It Li tgt-use-strongest-session-key = Va BOOL If this is TRUE then the KDC will prefer the strongest key from the -client's AS-REQ enctype list, that is also supported by the KDC and the -target principal, for the ticket session key. Else it will prefer the -first key from the client's AS-REQ enctype list that is also supported -by the KDC and the target principal. Defaults to TRUE. +client's AS-REQ or TGS-REQ enctype list for the ticket session key that +is supported by the KDC and the target principal when the target +principal is a krbtgt principal. Else it will prefer the first key from +the client's AS-REQ enctype list that is also supported by the KDC and +the target principal. Defaults to TRUE. +.It Li svc-use-strongest-session-key = Va BOOL +Like tgt-use-strongest-session-key, but applies to the session key +enctype of tickets for services other than krbtgt principals. Defaults +to TRUE. .It Li preauth-use-strongest-session-key = Va BOOL -Like as-use-strongest-session-key, but applies to the session key -enctype selection for PA-ETYPE-INFO2 (i.e., for password-based -pre-authentication). Defaults to TRUE. -.It Li tgs-use-strongest-session-key = Va BOOL -Like as-use-strongest-session-key, but applies to the session key -enctype of tickets issued by the TGS. Defaults to TRUE. +If TRUE then select the strongest possible enctype from the client's +AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication). +Else pick the first supported enctype from the client's AS-REQ. Defaults +to TRUE. .It Li use-strongest-server-key = Va BOOL If TRUE then the KDC picks, for the ticket encrypted part's key, the first supported enctype from the target service principal's hdb entry's 
diff --git a/lib/krb5/krb5.conf.cat5 b/lib/krb5/krb5.conf.cat5
index 7d10cae2c3e8..aa5ab91bc5e4 100644
--- a/lib/krb5/krb5.conf.cat5
+++ b/lib/krb5/krb5.conf.cat5
@@ -419,25 +419,27 @@ DDEESSCCRRIIPPTTIIOONN enable-kaserver = _B_O_O_L If this kdc should emulate the AFS kaserver. - as-use-strongest-session-key = _B_O_O_L + tgt-use-strongest-session-key = _B_O_O_L If this is TRUE then the KDC will prefer the - strongest key from the client's AS-REQ enctype - list, that is also supported by the KDC and the - target principal, for the ticket session key. Else + strongest key from the client's AS-REQ or TGS-REQ + enctype list for the ticket session key that is + supported by the KDC and the target principal when + the target principal is a krbtgt principal. Else it will prefer the first key from the client's AS- REQ enctype list that is also supported by the KDC and the target principal. Defaults to TRUE. + svc-use-strongest-session-key = _B_O_O_L + Like tgt-use-strongest-session-key, but applies to + the session key enctype of tickets for services + other than krbtgt principals. Defaults to TRUE. + preauth-use-strongest-session-key = _B_O_O_L - Like as-use-strongest-session-key, but applies to - the session key enctype selection for PA-ETYPE- - INFO2 (i.e., for password-based pre-authentica- - tion). Defaults to TRUE. - - tgs-use-strongest-session-key = _B_O_O_L - Like as-use-strongest-session-key, but applies to - the session key enctype of tickets issued by the - TGS. Defaults to TRUE. + If TRUE then select the strongest possible enctype + from the client's AS-REQ for PA-ETYPE-INFO2 (i.e., + for password-based pre-authentication). Else pick + the first supported enctype from the client's AS- + REQ. Defaults to TRUE. use-strongest-server-key = _B_O_O_L If TRUE then the KDC picks, for the ticket
diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index f4caaddc264b..91f68d5e00e7 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -706,7 +706,7 @@ build_logon_name(krb5_context context,
 krb5_storage *sp;
 uint64_t t;
 char *s, *s2;
- size_t i, len;
+ size_t s2_len;
 t = unix2nttime(authtime);
@@ -726,29 +726,60 @@ build_logon_name(krb5_context context, if (ret) goto out; - len = strlen(s); + { + size_t ucs2_len; + uint16_t *ucs2; + unsigned int flags; - CHECK(ret, krb5_store_uint16(sp, len * 2), out); + ret = wind_utf8ucs2_length(s, &ucs2_len); + if (ret) { + free(s); + krb5_set_error_message(context, ret, "Failed to count length of UTF-8 string"); + return ret; + } -#if 1 /* cheat for now */ - s2 = malloc(len * 2); - if (s2 == NULL) { - ret = krb5_enomem(context); + ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len); + if (ucs2 == NULL) { + free(s); + return krb5_enomem(context); + } + + ret = wind_utf8ucs2(s, ucs2, &ucs2_len); free(s); - goto out; - } - for (i = 0; i < len; i++) { - s2[i * 2] = s[i]; - s2[i * 2 + 1] = 0; + if (ret) { + free(ucs2); + krb5_set_error_message(context, ret, "Failed to convert string to UCS-2"); + return ret; + } + + s2_len = (ucs2_len + 1) * 2; + s2 = malloc(s2_len); + if (ucs2 == NULL) { + free(ucs2); + return krb5_enomem(context); + } + + flags = WIND_RW_LE; + ret = wind_ucs2write(ucs2, ucs2_len, + &flags, s2, &s2_len); + free(ucs2); + if (ret) { + free(s2); + krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer"); + return ret; + } + + /* + * we do not want zero termination + */ + s2_len = ucs2_len * 2; } - free(s); -#else - /* write libwind code here */ -#endif - ret = krb5_storage_write(sp, s2, len * 2); + CHECK(ret, krb5_store_uint16(sp, s2_len), out); + + ret = krb5_storage_write(sp, s2, s2_len); free(s2); - if (ret != (int)(len * 2)) { + if (ret != (int)s2_len) { ret = krb5_enomem(context); goto out; }
diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c
index d554423a16d1..647a311a2ca6 100644
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
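Review bot: The allocation check after `s2 = malloc(s2_len);` tests the wrong pointer: `if (ucs2 == NULL)` cannot be true there because ucs2 was already checked a few lines up, so a failed s2 allocation goes unnoticed and wind_ucs2write writes through a NULL pointer; it should read `if (s2 == NULL) {`. The four new early `return` statements inside the block also bypass the `out:` label that the surrounding code reaches via `goto out`, so whatever `out:` releases (presumably the krb5_storage `sp` declared in the first hunk; its creation is not visible here) would leak on those error paths — freeing the local buffer and then `goto out` keeps the cleanup uniform. Separately, `krb5_store_uint16(sp, s2_len)` silently truncates a size_t while `krb5_storage_write` then emits the full s2_len bytes, so a `if (s2_len > UINT16_MAX)` guard before the store would keep the length prefix consistent with the payload. build_logon_name starts and ends outside the hunk.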
@@ -508,7 +508,7 @@ struct entry kdc_entries[] = {
 { "allow-null-ticket-addresses", krb5_config_string, check_boolean },
 { "allow-anonymous", krb5_config_string, check_boolean },
 { "v4_realm", krb5_config_string, NULL },
- { "enable-kaserver", krb5_config_string, check_boolean },
+ { "enable-kaserver", krb5_config_string, check_boolean, 1 },
 { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
 { "kdc_warn_pwexpire", krb5_config_string, check_time },
 { "use_2b", krb5_config_list, NULL }, |
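Review bot: The added fourth initializer `1` in the enable-kaserver row is a bare magic value whose meaning cannot be read from the hunk, since the definition of `struct entry` is outside it and every neighbouring row leaves that field at its implicit zero. A designated initializer naming the field (`{ "enable-kaserver", krb5_config_string, check_boolean, .<field> = 1 }`, with the struct's actual member name) or a trailing comment stating what the flag triggers would make this the self-explanatory odd one out rather than a puzzle.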