authorStanislav Sedov <stas@FreeBSD.org>2012-04-08 04:47:53 +0000
committerStanislav Sedov <stas@FreeBSD.org>2012-04-08 04:47:53 +0000
commitfeec3621854ef6b1ccd3598df2202c0622929444 (patch)
treeba2f151899a171234df9949cf23e5f8a9bd43bb7 /lib/krb5
parent813b7899c1cf9c5cd1b72c0fb7c6c740aab26929 (diff)
- Update vendor tree of heimdal to 1.5.2.vendor/heimdal/1.5.2
Notes
Notes: svn path=/vendor-crypto/heimdal/dist/; revision=234016 svn path=/vendor-crypto/heimdal/1.5.2/; revision=234017; tag=vendor/heimdal/1.5.2
Diffstat (limited to 'lib/krb5')
-rw-r--r--lib/krb5/crypto-arcfour.c2
-rw-r--r--lib/krb5/crypto.c2
-rw-r--r--lib/krb5/eai_to_heim_errno.c4
-rw-r--r--lib/krb5/krb5.conf.525
-rw-r--r--lib/krb5/krb5.conf.cat528
-rw-r--r--lib/krb5/pac.c67
-rw-r--r--lib/krb5/verify_krb5_conf.c2
7 files changed, 85 insertions, 45 deletions
diff --git a/lib/krb5/crypto-arcfour.c b/lib/krb5/crypto-arcfour.c
index 1b369d2fda14..7f7e21d0d22c 100644
--- a/lib/krb5/crypto-arcfour.c
+++ b/lib/krb5/crypto-arcfour.c
@@ -317,7 +317,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
8,
&keytype_arcfour,
&_krb5_checksum_hmac_md5,
- NULL,
+ &_krb5_checksum_hmac_md5,
F_SPECIAL,
ARCFOUR_encrypt,
0,
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 4b66035155dd..67ecef62e875 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -467,7 +467,7 @@ verify_checksum(krb5_context context,
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
kct = crypto->et->keyed_checksum;
- if (kct != NULL && kct->type != ct->type) {
+ if (kct == NULL || kct->type != ct->type) {
krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
N_("Checksum type %s is keyed, but "
"the key type %s passed didnt have that checksum "
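Review bot: The rewritten condition `if (kct == NULL || kct->type != ct->type)` turns a NULL `keyed_checksum` from "verify anyway" into a refusal, which is the safe direction, but nothing in the hunk records that this is deliberate; a comment above the test would stop a later reader from reverting it to the old `kct != NULL &&` form: `/* A keyed checksum type may only be verified through the enctype's registered keyed checksum; an enctype that registers none cannot verify it, so refuse rather than fall through. */`. As a consequence every enctype table that still leaves `keyed_checksum` NULL now returns KRB5_PROG_SUMTYPE_NOSUPP for keyed checksum types — the crypto-arcfour.c hunk in this commit updates the arcfour-hmac-md5 entry for exactly that reason, and any enctype tables outside this diff deserve the same check. verify_checksum starts before this hunk and continues after it.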
diff --git a/lib/krb5/eai_to_heim_errno.c b/lib/krb5/eai_to_heim_errno.c
index ef11e370f443..a6e14aba31dd 100644
--- a/lib/krb5/eai_to_heim_errno.c
+++ b/lib/krb5/eai_to_heim_errno.c
@@ -68,6 +68,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
case EAI_NODATA:
return HEIM_EAI_NODATA;
#endif
+#ifdef WSANO_DATA
+ case WSANO_DATA:
+ return HEIM_EAI_NODATA;
+#endif
case EAI_NONAME:
return HEIM_EAI_NONAME;
case EAI_SERVICE:
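Review bot: The added `case WSANO_DATA:` can collide with the `case EAI_NODATA:` directly above it on Winsock headers where `EAI_NODATA` is defined as `WSANO_DATA`, giving two case labels with the same value and a compile error; the guard around the EAI_NODATA case opens outside this hunk and may already exclude that situation, but the new `#ifdef` does not say so. Making the relationship explicit, `#if defined(WSANO_DATA) && (!defined(EAI_NODATA) || EAI_NODATA != WSANO_DATA)`, keeps the switch compiling whichever way a given SDK defines the two. krb5_eai_to_heim_errno starts before and ends after this hunk.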
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 9e1edc7b6ca1..77d7f808ae47 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -412,19 +412,22 @@ Default is the same as
Should the kdc answer kdc-requests over http.
.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
-.It Li as-use-strongest-session-key = Va BOOL
+.It Li tgt-use-strongest-session-key = Va BOOL
If this is TRUE then the KDC will prefer the strongest key from the
-client's AS-REQ enctype list, that is also supported by the KDC and the
-target principal, for the ticket session key. Else it will prefer the
-first key from the client's AS-REQ enctype list that is also supported
-by the KDC and the target principal. Defaults to TRUE.
+client's AS-REQ or TGS-REQ enctype list for the ticket session key that
+is supported by the KDC and the target principal when the target
+principal is a krbtgt principal. Else it will prefer the first key from
+the client's AS-REQ enctype list that is also supported by the KDC and
+the target principal. Defaults to TRUE.
+.It Li svc-use-strongest-session-key = Va BOOL
+Like tgt-use-strongest-session-key, but applies to the session key
+enctype of tickets for services other than krbtgt principals. Defaults
+to TRUE.
.It Li preauth-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
-pre-authentication). Defaults to TRUE.
-.It Li tgs-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype of tickets issued by the TGS. Defaults to TRUE.
+If TRUE then select the strongest possible enctype from the client's
+AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
+Else pick the first supported enctype from the client's AS-REQ. Defaults
+to TRUE.
.It Li use-strongest-server-key = Va BOOL
If TRUE then the KDC picks, for the ticket encrypted part's key, the
first supported enctype from the target service principal's hdb entry's
diff --git a/lib/krb5/krb5.conf.cat5 b/lib/krb5/krb5.conf.cat5
index 7d10cae2c3e8..aa5ab91bc5e4 100644
--- a/lib/krb5/krb5.conf.cat5
+++ b/lib/krb5/krb5.conf.cat5
@@ -419,25 +419,27 @@ DDEESSCCRRIIPPTTIIOONN
enable-kaserver = _B_O_O_L
If this kdc should emulate the AFS kaserver.
- as-use-strongest-session-key = _B_O_O_L
+ tgt-use-strongest-session-key = _B_O_O_L
If this is TRUE then the KDC will prefer the
- strongest key from the client's AS-REQ enctype
- list, that is also supported by the KDC and the
- target principal, for the ticket session key. Else
+ strongest key from the client's AS-REQ or TGS-REQ
+ enctype list for the ticket session key that is
+ supported by the KDC and the target principal when
+ the target principal is a krbtgt principal. Else
it will prefer the first key from the client's AS-
REQ enctype list that is also supported by the KDC
and the target principal. Defaults to TRUE.
+ svc-use-strongest-session-key = _B_O_O_L
+ Like tgt-use-strongest-session-key, but applies to
+ the session key enctype of tickets for services
+ other than krbtgt principals. Defaults to TRUE.
+
preauth-use-strongest-session-key = _B_O_O_L
- Like as-use-strongest-session-key, but applies to
- the session key enctype selection for PA-ETYPE-
- INFO2 (i.e., for password-based pre-authentica-
- tion). Defaults to TRUE.
-
- tgs-use-strongest-session-key = _B_O_O_L
- Like as-use-strongest-session-key, but applies to
- the session key enctype of tickets issued by the
- TGS. Defaults to TRUE.
+ If TRUE then select the strongest possible enctype
+ from the client's AS-REQ for PA-ETYPE-INFO2 (i.e.,
+ for password-based pre-authentication). Else pick
+ the first supported enctype from the client's AS-
+ REQ. Defaults to TRUE.
use-strongest-server-key = _B_O_O_L
If TRUE then the KDC picks, for the ticket
diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index f4caaddc264b..91f68d5e00e7 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -706,7 +706,7 @@ build_logon_name(krb5_context context,
krb5_storage *sp;
uint64_t t;
char *s, *s2;
- size_t i, len;
+ size_t s2_len;
t = unix2nttime(authtime);
@@ -726,29 +726,60 @@ build_logon_name(krb5_context context,
if (ret)
goto out;
- len = strlen(s);
+ {
+ size_t ucs2_len;
+ uint16_t *ucs2;
+ unsigned int flags;
- CHECK(ret, krb5_store_uint16(sp, len * 2), out);
+ ret = wind_utf8ucs2_length(s, &ucs2_len);
+ if (ret) {
+ free(s);
+ krb5_set_error_message(context, ret, "Failed to count length of UTF-8 string");
+ return ret;
+ }
-#if 1 /* cheat for now */
- s2 = malloc(len * 2);
- if (s2 == NULL) {
- ret = krb5_enomem(context);
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
+ if (ucs2 == NULL) {
+ free(s);
+ return krb5_enomem(context);
+ }
+
+ ret = wind_utf8ucs2(s, ucs2, &ucs2_len);
free(s);
- goto out;
- }
- for (i = 0; i < len; i++) {
- s2[i * 2] = s[i];
- s2[i * 2 + 1] = 0;
+ if (ret) {
+ free(ucs2);
+ krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
+ return ret;
+ }
+
+ s2_len = (ucs2_len + 1) * 2;
+ s2 = malloc(s2_len);
+ if (ucs2 == NULL) {
+ free(ucs2);
+ return krb5_enomem(context);
+ }
+
+ flags = WIND_RW_LE;
+ ret = wind_ucs2write(ucs2, ucs2_len,
+ &flags, s2, &s2_len);
+ free(ucs2);
+ if (ret) {
+ free(s2);
+ krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer");
+ return ret;
+ }
+
+ /*
+ * we do not want zero termination
+ */
+ s2_len = ucs2_len * 2;
}
- free(s);
-#else
- /* write libwind code here */
-#endif
- ret = krb5_storage_write(sp, s2, len * 2);
+ CHECK(ret, krb5_store_uint16(sp, s2_len), out);
+
+ ret = krb5_storage_write(sp, s2, s2_len);
free(s2);
- if (ret != (int)(len * 2)) {
+ if (ret != (int)s2_len) {
ret = krb5_enomem(context);
goto out;
}
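Review bot: The NULL check after `s2 = malloc(s2_len);` tests the wrong pointer — `if (ucs2 == NULL)` can never be true there because `ucs2` was already checked a few lines earlier — so an allocation failure of `s2` goes unnoticed and `wind_ucs2write` is handed a NULL output buffer; the line should read `if (s2 == NULL) {`. The five new early `return ret;` / `return krb5_enomem(context);` exits inside the block bypass the function's `out:` label; if `out:` is where `sp` (the storage declared in the previous hunk) is released, as the surrounding `goto out` paths suggest, each of those returns leaks it, and setting `ret` then jumping to `out` after the local `free()` would keep the single exit the rest of the function uses. `krb5_store_uint16(sp, s2_len)` silently narrows a `size_t` to 16 bits, so a guard such as `if (s2_len > UINT16_MAX) { ret = ERANGE; goto out; }` before it would make the wire limit explicit rather than implicit. build_logon_name starts before this hunk and ends after it.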
diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c
index d554423a16d1..647a311a2ca6 100644
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -508,7 +508,7 @@ struct entry kdc_entries[] = {
{ "allow-null-ticket-addresses", krb5_config_string, check_boolean },
{ "allow-anonymous", krb5_config_string, check_boolean },
{ "v4_realm", krb5_config_string, NULL },
- { "enable-kaserver", krb5_config_string, check_boolean },
+ { "enable-kaserver", krb5_config_string, check_boolean, 1 },
{ "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
{ "kdc_warn_pwexpire", krb5_config_string, check_time },
{ "use_2b", krb5_config_list, NULL },
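Review bot: The new fourth initializer `1` on the enable-kaserver row is positional and the member it sets is not visible in this hunk (`struct entry` is defined elsewhere), so a reader of the table cannot tell what changed for that option while every neighbouring row leaves the field at its implicit 0. A designated initializer naming the member (`.<member> = 1`, with the real field name from `struct entry`), or a short comment on the line stating what the flag means for enable-kaserver, would make the row self-explanatory. kdc_entries[] starts before and ends after this hunk.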