author | stas <stas@FreeBSD.org> | 2012-04-08 08:19:17 +0000 |
---|---|---|
committer | stas <stas@FreeBSD.org> | 2012-04-08 08:19:17 +0000 |
commit | e98d05b4f007c4c6849229bc6c5f1586d0207896 (patch) | |
tree | b776209adefb14f82be8f607e6cc465dfddd90c3 /crypto/heimdal/kdc | |
parent | 614fd4fe5e7e76da2328df84ca390b36dad17e79 (diff) | |
- Update FreeBSD's Heimdal distribution to 1.5.2. This is a bugfix
release, which fixes a DoS issue in libkrb5.
Diffstat (limited to 'crypto/heimdal/kdc')
-rw-r--r-- | crypto/heimdal/kdc/default_config.c | 16 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kdc.8 | 3 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kdc.h | 4 | ||||
-rw-r--r-- | crypto/heimdal/kdc/kerberos5.c | 5 | ||||
-rw-r--r-- | crypto/heimdal/kdc/krb5tgs.c | 4 |
5 files changed, 17 insertions, 15 deletions
diff --git a/crypto/heimdal/kdc/default_config.c b/crypto/heimdal/kdc/default_config.c
index 6fbf5fd..9a33a7f 100644
--- a/crypto/heimdal/kdc/default_config.c
+++ b/crypto/heimdal/kdc/default_config.c
@@ -51,9 +51,9 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->require_preauth = TRUE;
 c->kdc_warn_pwexpire = 0;
 c->encode_as_rep_as_tgs_rep = FALSE;
- c->as_use_strongest_session_key = FALSE;
+ c->tgt_use_strongest_session_key = FALSE;
 c->preauth_use_strongest_session_key = FALSE;
- c->tgs_use_strongest_session_key = FALSE;
+ c->svc_use_strongest_session_key = FALSE;
 c->use_strongest_server_key = TRUE;
 c->check_ticket_addresses = TRUE;
 c->allow_null_ticket_addresses = TRUE;
@@ -120,21 +120,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 }
 #endif
- c->as_use_strongest_session_key =
+ c->tgt_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
- c->as_use_strongest_session_key,
+ c->tgt_use_strongest_session_key,
 "kdc",
- "as-use-strongest-session-key", NULL);
+ "tgt-use-strongest-session-key", NULL);
 c->preauth_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
 c->preauth_use_strongest_session_key,
 "kdc",
 "preauth-use-strongest-session-key", NULL);
- c->tgs_use_strongest_session_key =
+ c->svc_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
- c->tgs_use_strongest_session_key,
+ c->svc_use_strongest_session_key,
 "kdc",
- "tgs-use-strongest-session-key", NULL);
+ "svc-use-strongest-session-key", NULL);
 c->use_strongest_server_key =
 krb5_config_get_bool_default(context, NULL,
 c->use_strongest_server_key,
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
index 4a69bda..171c426 100644
--- a/crypto/heimdal/kdc/kdc.8
+++ b/crypto/heimdal/kdc/kdc.8
@@ -54,7 +54,6 @@
 .Fl Fl v4-realm= Ns Ar string
 .Xc
 .Oc
-.Op Fl K | Fl Fl kaserver
 .Oo Fl P Ar portspec \*(Ba Xo
 .Fl Fl ports= Ns Ar portspec
 .Xc
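Review bot: In the second hunk of default_config.c (krb5_kdc_get_config) the lookup keys become `tgt-use-strongest-session-key` and `svc-use-strongest-session-key`, and nothing visible here still reads `as-use-strongest-session-key` or `tgs-use-strongest-session-key`. As far as these hunks show, a kdc.conf that still carries the old keys would fall back to the FALSE defaults assigned in the first hunk without any message, so the session-key enctype policy could change silently across the upgrade. Because the new options select by target principal rather than by request type, the old keys do not map one-to-one; I would at least warn when one is present, for example by testing `krb5_config_get_string(context, NULL, "kdc", "as-use-strongest-session-key", NULL)` (and the `tgs-` key) for non-NULL and calling `krb5_warnx(context, "as-use-strongest-session-key is no longer read; use tgt-/svc-use-strongest-session-key");`. The function body starts and ends outside both hunks.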
@@ -112,8 +111,6 @@ The default is whatever is returned by
 .Fn krb_get_lrealm .
 This option is only available if the KDC has been compiled with version 4 support.
-.It Fl K , Fl Fl kaserver
-Enable kaserver emulation (in case it's compiled in).
 .It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec
 Specifies the set of ports the KDC should listen on. It is given as a
diff --git a/crypto/heimdal/kdc/kdc.h b/crypto/heimdal/kdc/kdc.h
index 9d52fd4..ab643ec 100644
--- a/crypto/heimdal/kdc/kdc.h
+++ b/crypto/heimdal/kdc/kdc.h
@@ -59,9 +59,9 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
- krb5_boolean as_use_strongest_session_key;
+ krb5_boolean tgt_use_strongest_session_key;
 krb5_boolean preauth_use_strongest_session_key;
- krb5_boolean tgs_use_strongest_session_key;
+ krb5_boolean svc_use_strongest_session_key;
 krb5_boolean use_strongest_server_key;
 krb5_boolean check_ticket_addresses;
diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c
index c13abb7..ee6baf0 100644
--- a/crypto/heimdal/kdc/kerberos5.c
+++ b/crypto/heimdal/kdc/kerberos5.c
@@ -1094,7 +1094,10 @@ _kdc_as_rep(krb5_context context,
 * enctype that an older version of a KDC in the same realm can't
 * decrypt.
 */
- ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
+ ret = _kdc_find_etype(context,
+ krb5_principal_is_krbtgt(context, server_princ) ?
+ config->tgt_use_strongest_session_key :
+ config->svc_use_strongest_session_key, FALSE,
 client, b->etype.val, b->etype.len, &sessionetype, NULL);
 if (ret) {
diff --git a/crypto/heimdal/kdc/krb5tgs.c b/crypto/heimdal/kdc/krb5tgs.c
index 5bf68cd..87e3393 100644
--- a/crypto/heimdal/kdc/krb5tgs.c
+++ b/crypto/heimdal/kdc/krb5tgs.c
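Review bot: In the kerberos5.c hunk (_kdc_as_rep) the first argument to `_kdc_find_etype` is now a ternary whose else-branch shares a line with the next argument (`config->svc_use_strongest_session_key, FALSE,`), so FALSE is easy to misread as part of the conditional; the krb5tgs.c hunk repeats the same expression with `sp`. Since this argument decides which session-key enctype policy applies, I would hoist it into a named local, e.g. `krb5_boolean use_strongest = krb5_principal_is_krbtgt(context, server_princ) ? config->tgt_use_strongest_session_key : config->svc_use_strongest_session_key;`, with a comment such as `/* tickets for krbtgt and for ordinary services have separate session-key policies */`. A small shared helper taking the config and the server principal would keep the two call sites from drifting apart. Both enclosing functions start and end outside their hunks.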
@@ -1699,7 +1699,9 @@ server_lookup:
 Key *skey;
 ret = _kdc_find_etype(context,
- config->tgs_use_strongest_session_key, FALSE,
+ krb5_principal_is_krbtgt(context, sp) ?
+ config->tgt_use_strongest_session_key :
+ config->svc_use_strongest_session_key, FALSE,
 server, b->etype.val, b->etype.len, NULL, &skey);
 if(ret) { |