authorstas <stas@FreeBSD.org>2012-04-08 08:19:17 +0000
committerstas <stas@FreeBSD.org>2012-04-08 08:19:17 +0000
commite98d05b4f007c4c6849229bc6c5f1586d0207896 (patch)
treeb776209adefb14f82be8f607e6cc465dfddd90c3 /crypto/heimdal/lib
parent614fd4fe5e7e76da2328df84ca390b36dad17e79 (diff)
- Update FreeBSD's Heimdal distribution to 1.5.2. This is a bugfix
release, which fixes a DoS issue in libkrb5.
Diffstat (limited to 'crypto/heimdal/lib')
-rw-r--r--crypto/heimdal/lib/gssapi/krb5/verify_mic.c8
-rw-r--r--crypto/heimdal/lib/hx509/sel-lex.l1
-rw-r--r--crypto/heimdal/lib/kadm5/password_quality.c5
-rw-r--r--crypto/heimdal/lib/krb5/crypto-arcfour.c2
-rw-r--r--crypto/heimdal/lib/krb5/crypto.c2
-rw-r--r--crypto/heimdal/lib/krb5/eai_to_heim_errno.c4
-rw-r--r--crypto/heimdal/lib/krb5/krb5.conf.525
-rw-r--r--crypto/heimdal/lib/krb5/pac.c67
-rw-r--r--crypto/heimdal/lib/krb5/verify_krb5_conf.c2
-rw-r--r--crypto/heimdal/lib/wind/bidi_table.c2
-rw-r--r--crypto/heimdal/lib/wind/bidi_table.h2
-rw-r--r--crypto/heimdal/lib/wind/combining_table.c2
-rw-r--r--crypto/heimdal/lib/wind/combining_table.h2
-rw-r--r--crypto/heimdal/lib/wind/errorlist_table.c2
-rw-r--r--crypto/heimdal/lib/wind/errorlist_table.h2
-rw-r--r--crypto/heimdal/lib/wind/map_table.c2
-rw-r--r--crypto/heimdal/lib/wind/map_table.h2
-rw-r--r--crypto/heimdal/lib/wind/normalize_table.c2
-rw-r--r--crypto/heimdal/lib/wind/normalize_table.h2
-rw-r--r--crypto/heimdal/lib/wind/punycode_examples.c2
-rw-r--r--crypto/heimdal/lib/wind/punycode_examples.h2
-rw-r--r--crypto/heimdal/lib/wind/utf8.c18
-rw-r--r--crypto/heimdal/lib/wind/version-script.map1
23 files changed, 103 insertions, 56 deletions
diff --git a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
index 3123787..3814ef7 100644
--- a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
+++ b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c
@@ -251,6 +251,14 @@ retry:
csum.checksum.length = 20;
csum.checksum.data = p + 8;
+ krb5_crypto_destroy (context, crypto);
+ ret = krb5_crypto_init(context, key,
+ ETYPE_DES3_CBC_SHA1, &crypto);
+ if (ret){
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
ret = krb5_verify_checksum (context, crypto,
KRB5_KU_USAGE_SIGN,
tmp, message_buffer->length + 8,
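Review bot: The early `return GSS_S_FAILURE;` after a failed `krb5_crypto_init` leaves `crypto` pointing at a handle that `krb5_crypto_destroy` has already released, and it skips whatever cleanup the rest of the enclosing function performs; if a later exit path destroys `crypto` again that would be a double free, so either `crypto = NULL;` before the return or routing the error through the function's normal exit would be safer — the function body lies outside this hunk, so confirm which applies. The re-initialisation also deserves a why-comment, because it is not obvious from the code alone why a fresh DES3 context is built at the `retry:` label; something like `/* retry path: rebuild the crypto context for DES3 before verifying again */` above the `krb5_crypto_destroy` call would do.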
diff --git a/crypto/heimdal/lib/hx509/sel-lex.l b/crypto/heimdal/lib/hx509/sel-lex.l
index 4c93967..bb7e837 100644
--- a/crypto/heimdal/lib/hx509/sel-lex.l
+++ b/crypto/heimdal/lib/hx509/sel-lex.l
@@ -50,6 +50,7 @@ unsigned lineno = 1;
static char * handle_string(void);
static int lex_input(char *, int);
+static int lex_classic_input(void);
struct hx_expr_input _hx509_expr_input;
diff --git a/crypto/heimdal/lib/kadm5/password_quality.c b/crypto/heimdal/lib/kadm5/password_quality.c
index a6f0b3e..eb72ba6 100644
--- a/crypto/heimdal/lib/kadm5/password_quality.c
+++ b/crypto/heimdal/lib/kadm5/password_quality.c
@@ -34,8 +34,6 @@
#include "kadm5_locl.h"
#include "kadm5-pwcheck.h"
-RCSID("$Id$");
-
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
@@ -473,7 +471,8 @@ kadm5_check_password_quality (krb5_context context,
NULL);
if (v == NULL) {
msg = (*passwd_quality_check) (context, principal, pwd_data);
- krb5_set_error_message(context, 0, "password policy failed: %s", msg);
+ if (msg)
+ krb5_set_error_message(context, 0, "password policy failed: %s", msg);
return msg;
}
diff --git a/crypto/heimdal/lib/krb5/crypto-arcfour.c b/crypto/heimdal/lib/krb5/crypto-arcfour.c
index 1b369d2..7f7e21d 100644
--- a/crypto/heimdal/lib/krb5/crypto-arcfour.c
+++ b/crypto/heimdal/lib/krb5/crypto-arcfour.c
@@ -317,7 +317,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
8,
&keytype_arcfour,
&_krb5_checksum_hmac_md5,
- NULL,
+ &_krb5_checksum_hmac_md5,
F_SPECIAL,
ARCFOUR_encrypt,
0,
diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c
index 4b66035..67ecef6 100644
--- a/crypto/heimdal/lib/krb5/crypto.c
+++ b/crypto/heimdal/lib/krb5/crypto.c
@@ -467,7 +467,7 @@ verify_checksum(krb5_context context,
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
kct = crypto->et->keyed_checksum;
- if (kct != NULL && kct->type != ct->type) {
+ if (kct == NULL || kct->type != ct->type) {
krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
N_("Checksum type %s is keyed, but "
"the key type %s passed didnt have that checksum "
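Review bot: The inverted condition now rejects any keyed-checksum verification where the crypto context's enctype has no keyed checksum at all (`kct == NULL`), not only a mismatched keyed type; that is the hardening the commit message alludes to, but nothing in the hunk says so, and the error text that follows describes only the mismatch case. A short comment above the test would keep the next maintainer from "fixing" it back: `/* A keyed checksum is acceptable only when it is exactly the keyed checksum of the key's enctype; an enctype with no keyed checksum cannot verify one. */`. The companion change in crypto-arcfour.c fills what is presumably the arcfour enctype's keyed_checksum slot with hmac-md5 so that enctype still passes this test; any other enctype table entry that leaves that slot NULL will now fail keyed verification, which is worth stating in the commit or the comment. verify_checksum continues outside the hunk.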
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
index ef11e37..a6e14ab 100644
--- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -68,6 +68,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
case EAI_NODATA:
return HEIM_EAI_NODATA;
#endif
+#ifdef WSANO_DATA
+ case WSANO_DATA:
+ return HEIM_EAI_NODATA;
+#endif
case EAI_NONAME:
return HEIM_EAI_NONAME;
case EAI_SERVICE:
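Review bot: The new `case WSANO_DATA:` sits directly after the `#ifdef EAI_NODATA` case; on a platform where a header defines EAI_NODATA to the same value as WSANO_DATA the switch would carry two case labels with equal values and fail to compile. Guarding the new case with `#if defined(WSANO_DATA) && (!defined(EAI_NODATA) || EAI_NODATA != WSANO_DATA)` instead of a plain `#ifdef` avoids that. I cannot see the relevant SDK headers from here, so treat this as a point to confirm rather than a known break; the switch continues outside the hunk.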
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index 9e1edc7..77d7f80 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -412,19 +412,22 @@ Default is the same as
Should the kdc answer kdc-requests over http.
.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
-.It Li as-use-strongest-session-key = Va BOOL
+.It Li tgt-use-strongest-session-key = Va BOOL
If this is TRUE then the KDC will prefer the strongest key from the
-client's AS-REQ enctype list, that is also supported by the KDC and the
-target principal, for the ticket session key. Else it will prefer the
-first key from the client's AS-REQ enctype list that is also supported
-by the KDC and the target principal. Defaults to TRUE.
+client's AS-REQ or TGS-REQ enctype list for the ticket session key that
+is supported by the KDC and the target principal when the target
+principal is a krbtgt principal. Else it will prefer the first key from
+the client's AS-REQ enctype list that is also supported by the KDC and
+the target principal. Defaults to TRUE.
+.It Li svc-use-strongest-session-key = Va BOOL
+Like tgt-use-strongest-session-key, but applies to the session key
+enctype of tickets for services other than krbtgt principals. Defaults
+to TRUE.
.It Li preauth-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
-pre-authentication). Defaults to TRUE.
-.It Li tgs-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype of tickets issued by the TGS. Defaults to TRUE.
+If TRUE then select the strongest possible enctype from the client's
+AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
+Else pick the first supported enctype from the client's AS-REQ. Defaults
+to TRUE.
.It Li use-strongest-server-key = Va BOOL
If TRUE then the KDC picks, for the ticket encrypted part's key, the
first supported enctype from the target service principal's hdb entry's
diff --git a/crypto/heimdal/lib/krb5/pac.c b/crypto/heimdal/lib/krb5/pac.c
index f4caadd..91f68d5 100644
--- a/crypto/heimdal/lib/krb5/pac.c
+++ b/crypto/heimdal/lib/krb5/pac.c
@@ -706,7 +706,7 @@ build_logon_name(krb5_context context,
krb5_storage *sp;
uint64_t t;
char *s, *s2;
- size_t i, len;
+ size_t s2_len;
t = unix2nttime(authtime);
@@ -726,29 +726,60 @@ build_logon_name(krb5_context context,
if (ret)
goto out;
- len = strlen(s);
+ {
+ size_t ucs2_len;
+ uint16_t *ucs2;
+ unsigned int flags;
- CHECK(ret, krb5_store_uint16(sp, len * 2), out);
+ ret = wind_utf8ucs2_length(s, &ucs2_len);
+ if (ret) {
+ free(s);
+ krb5_set_error_message(context, ret, "Failed to count length of UTF-8 string");
+ return ret;
+ }
-#if 1 /* cheat for now */
- s2 = malloc(len * 2);
- if (s2 == NULL) {
- ret = krb5_enomem(context);
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
+ if (ucs2 == NULL) {
+ free(s);
+ return krb5_enomem(context);
+ }
+
+ ret = wind_utf8ucs2(s, ucs2, &ucs2_len);
free(s);
- goto out;
- }
- for (i = 0; i < len; i++) {
- s2[i * 2] = s[i];
- s2[i * 2 + 1] = 0;
+ if (ret) {
+ free(ucs2);
+ krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
+ return ret;
+ }
+
+ s2_len = (ucs2_len + 1) * 2;
+ s2 = malloc(s2_len);
+ if (ucs2 == NULL) {
+ free(ucs2);
+ return krb5_enomem(context);
+ }
+
+ flags = WIND_RW_LE;
+ ret = wind_ucs2write(ucs2, ucs2_len,
+ &flags, s2, &s2_len);
+ free(ucs2);
+ if (ret) {
+ free(s2);
+ krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer");
+ return ret;
+ }
+
+ /*
+ * we do not want zero termination
+ */
+ s2_len = ucs2_len * 2;
}
- free(s);
-#else
- /* write libwind code here */
-#endif
- ret = krb5_storage_write(sp, s2, len * 2);
+ CHECK(ret, krb5_store_uint16(sp, s2_len), out);
+
+ ret = krb5_storage_write(sp, s2, s2_len);
free(s2);
- if (ret != (int)(len * 2)) {
+ if (ret != (int)s2_len) {
ret = krb5_enomem(context);
goto out;
}
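Review bot: The NULL check after `s2 = malloc(s2_len);` tests the wrong pointer: `if (ucs2 == NULL)` can never be true there, because ucs2 was already checked a few lines up, so an allocation failure leaves `s2 == NULL` and `wind_ucs2write` then writes through it. The line should read `if (s2 == NULL) {`. Separately, the four new error exits inside the braced block `return` directly instead of taking the `goto out` used just above, so whatever `out:` releases (presumably the `krb5_storage *sp` declared earlier) is leaked on those paths; freeing the local buffers and then doing `ret = ...; goto out;` would keep the error handling uniform with the rest of the function. build_logon_name continues beyond both ends of this hunk.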
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
index d554423..647a311 100644
--- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
@@ -508,7 +508,7 @@ struct entry kdc_entries[] = {
{ "allow-null-ticket-addresses", krb5_config_string, check_boolean },
{ "allow-anonymous", krb5_config_string, check_boolean },
{ "v4_realm", krb5_config_string, NULL },
- { "enable-kaserver", krb5_config_string, check_boolean },
+ { "enable-kaserver", krb5_config_string, check_boolean, 1 },
{ "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
{ "kdc_warn_pwexpire", krb5_config_string, check_time },
{ "use_2b", krb5_config_list, NULL },
diff --git a/crypto/heimdal/lib/wind/bidi_table.c b/crypto/heimdal/lib/wind/bidi_table.c
index 7d703f6..31de1ee 100644
--- a/crypto/heimdal/lib/wind/bidi_table.c
+++ b/crypto/heimdal/lib/wind/bidi_table.c
@@ -1,5 +1,5 @@
/* ./bidi_table.c */
-/* Automatically generated at 2011-09-30T15:24:58.936201 */
+/* Automatically generated at 2012-01-11T14:07:00.535499 */
#include <stdlib.h>
diff --git a/crypto/heimdal/lib/wind/bidi_table.h b/crypto/heimdal/lib/wind/bidi_table.h
index 45556a3..c317b4d 100644
--- a/crypto/heimdal/lib/wind/bidi_table.h
+++ b/crypto/heimdal/lib/wind/bidi_table.h
@@ -1,5 +1,5 @@
/* ./bidi_table.h */
-/* Automatically generated at 2011-09-30T15:24:58.927315 */
+/* Automatically generated at 2012-01-11T14:07:00.534628 */
#ifndef BIDI_TABLE_H
#define BIDI_TABLE_H 1
diff --git a/crypto/heimdal/lib/wind/combining_table.c b/crypto/heimdal/lib/wind/combining_table.c
index 814e39e..4a16772 100644
--- a/crypto/heimdal/lib/wind/combining_table.c
+++ b/crypto/heimdal/lib/wind/combining_table.c
@@ -1,5 +1,5 @@
/* ./combining_table.c */
-/* Automatically generated at 2011-09-30T15:24:59.280091 */
+/* Automatically generated at 2012-01-11T14:07:00.838826 */
#include <stdlib.h>
diff --git a/crypto/heimdal/lib/wind/combining_table.h b/crypto/heimdal/lib/wind/combining_table.h
index 05a790b..47599cc 100644
--- a/crypto/heimdal/lib/wind/combining_table.h
+++ b/crypto/heimdal/lib/wind/combining_table.h
@@ -1,5 +1,5 @@
/* ./combining_table.h */
-/* Automatically generated at 2011-09-30T15:24:59.272235 */
+/* Automatically generated at 2012-01-11T14:07:00.836450 */
#ifndef COMBINING_TABLE_H
#define COMBINING_TABLE_H 1
diff --git a/crypto/heimdal/lib/wind/errorlist_table.c b/crypto/heimdal/lib/wind/errorlist_table.c
index 7456cb4..d2d5718 100644
--- a/crypto/heimdal/lib/wind/errorlist_table.c
+++ b/crypto/heimdal/lib/wind/errorlist_table.c
@@ -1,5 +1,5 @@
/* ./errorlist_table.c */
-/* Automatically generated at 2011-09-30T15:24:59.470044 */
+/* Automatically generated at 2012-01-11T14:07:01.014764 */
#include <stdlib.h>
diff --git a/crypto/heimdal/lib/wind/errorlist_table.h b/crypto/heimdal/lib/wind/errorlist_table.h
index fc1739e..b822454 100644
--- a/crypto/heimdal/lib/wind/errorlist_table.h
+++ b/crypto/heimdal/lib/wind/errorlist_table.h
@@ -1,5 +1,5 @@
/* ./errorlist_table.h */
-/* Automatically generated at 2011-09-30T15:24:59.457950 */
+/* Automatically generated at 2012-01-11T14:07:01.014378 */
#ifndef ERRORLIST_TABLE_H
#define ERRORLIST_TABLE_H 1
diff --git a/crypto/heimdal/lib/wind/map_table.c b/crypto/heimdal/lib/wind/map_table.c
index 5491b7d..7363e54 100644
--- a/crypto/heimdal/lib/wind/map_table.c
+++ b/crypto/heimdal/lib/wind/map_table.c
@@ -1,5 +1,5 @@
/* ./map_table.c */
-/* Automatically generated at 2011-09-30T15:24:59.641639 */
+/* Automatically generated at 2012-01-11T14:07:01.097758 */
#include "map_table.h"
diff --git a/crypto/heimdal/lib/wind/map_table.h b/crypto/heimdal/lib/wind/map_table.h
index ac3d564..ebfa725 100644
--- a/crypto/heimdal/lib/wind/map_table.h
+++ b/crypto/heimdal/lib/wind/map_table.h
@@ -1,5 +1,5 @@
/* ./map_table.h */
-/* Automatically generated at 2011-09-30T15:24:59.631690 */
+/* Automatically generated at 2012-01-11T14:07:01.097337 */
#ifndef MAP_TABLE_H
#define MAP_TABLE_H 1
diff --git a/crypto/heimdal/lib/wind/normalize_table.c b/crypto/heimdal/lib/wind/normalize_table.c
index 7e0ec2e..a37e180 100644
--- a/crypto/heimdal/lib/wind/normalize_table.c
+++ b/crypto/heimdal/lib/wind/normalize_table.c
@@ -1,5 +1,5 @@
/* ./normalize_table.c */
-/* Automatically generated at 2011-09-30T15:25:00.420261 */
+/* Automatically generated at 2012-01-11T14:07:01.714581 */
#include <stdlib.h>
diff --git a/crypto/heimdal/lib/wind/normalize_table.h b/crypto/heimdal/lib/wind/normalize_table.h
index 8881630..b0d0d11 100644
--- a/crypto/heimdal/lib/wind/normalize_table.h
+++ b/crypto/heimdal/lib/wind/normalize_table.h
@@ -1,5 +1,5 @@
/* ./normalize_table.h */
-/* Automatically generated at 2011-09-30T15:25:00.412374 */
+/* Automatically generated at 2012-01-11T14:07:01.713967 */
#ifndef NORMALIZE_TABLE_H
#define NORMALIZE_TABLE_H 1
diff --git a/crypto/heimdal/lib/wind/punycode_examples.c b/crypto/heimdal/lib/wind/punycode_examples.c
index 50ccc48..d123680 100644
--- a/crypto/heimdal/lib/wind/punycode_examples.c
+++ b/crypto/heimdal/lib/wind/punycode_examples.c
@@ -1,5 +1,5 @@
/* ./punycode_examples.c */
-/* Automatically generated at 2011-09-30T15:25:05.829535 */
+/* Automatically generated at 2012-01-11T14:07:08.539522 */
#ifndef PUNYCODE_EXAMPLES_C
#define PUNYCODE_EXAMPLES_C 1
diff --git a/crypto/heimdal/lib/wind/punycode_examples.h b/crypto/heimdal/lib/wind/punycode_examples.h
index 832234d..3e90edc 100644
--- a/crypto/heimdal/lib/wind/punycode_examples.h
+++ b/crypto/heimdal/lib/wind/punycode_examples.h
@@ -1,5 +1,5 @@
/* ./punycode_examples.h */
-/* Automatically generated at 2011-09-30T15:25:05.815268 */
+/* Automatically generated at 2012-01-11T14:07:08.539140 */
#ifndef PUNYCODE_EXAMPLES_H
#define PUNYCODE_EXAMPLES_H 1
diff --git a/crypto/heimdal/lib/wind/utf8.c b/crypto/heimdal/lib/wind/utf8.c
index 6907b3c..e1a1eb7 100644
--- a/crypto/heimdal/lib/wind/utf8.c
+++ b/crypto/heimdal/lib/wind/utf8.c
@@ -204,13 +204,13 @@ wind_ucs4utf8(const uint32_t *in, size_t in_len, char *out, size_t *out_len)
switch(len) {
case 4:
out[3] = (ch | 0x80) & 0xbf;
- ch = ch << 6;
+ ch = ch >> 6;
case 3:
out[2] = (ch | 0x80) & 0xbf;
- ch = ch << 6;
+ ch = ch >> 6;
case 2:
out[1] = (ch | 0x80) & 0xbf;
- ch = ch << 6;
+ ch = ch >> 6;
case 1:
out[0] = ch | first_char[len - 1];
}
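Review bot: The switch relies on intentional fall-through from `case 4:` down to `case 1:`, and the change from `<<` to `>>` is what makes that chain correct (each step now consumes six bits of the code point before the next continuation byte is written), but none of the fall-through edges is marked; a `/* FALLTHROUGH */` comment after each `ch = ch >> 6;` line documents the intent and satisfies -Wimplicit-fallthrough. The same pattern appears in the wind_ucs2utf8 hunk at the end of this file and would take the same comment. Because the old left shift silently produced wrong continuation bytes, a regression test that encodes a multi-byte code point and checks the exact output would pin the repaired behaviour. wind_ucs4utf8 continues outside the hunk.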
@@ -346,8 +346,8 @@ wind_ucs2write(const uint16_t *in, size_t in_len, unsigned int *flags,
return WIND_ERR_OVERRUN;
if ((*flags) & WIND_RW_LE) {
- p[0] = (bom >> 8) & 0xff;
- p[1] = (bom ) & 0xff;
+ p[0] = (bom ) & 0xff;
+ p[1] = (bom >> 8) & 0xff;
} else {
p[1] = (bom ) & 0xff;
p[0] = (bom >> 8) & 0xff;
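Review bot: The swap makes the WIND_RW_LE branch actually emit the low byte first; before this change both flag settings produced big-endian output, so any data written under WIND_RW_LE by the old code is byte-swapped relative to the new output. This commit also adds wind_ucs2write to version-script.map, which suggests the symbol was not exported before and the compatibility impact is limited to in-tree callers such as the new pac.c code — worth confirming. A one-line comment above the branch, `/* WIND_RW_LE: least significant byte first */`, would make the intended byte order explicit; the per-character write in the following hunk receives the same fix and would take the same comment.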
@@ -360,8 +360,8 @@ wind_ucs2write(const uint16_t *in, size_t in_len, unsigned int *flags,
if (len < 2)
return WIND_ERR_OVERRUN;
if ((*flags) & WIND_RW_LE) {
- p[0] = (in[0] >> 8) & 0xff;
- p[1] = (in[0] ) & 0xff;
+ p[0] = (in[0] ) & 0xff;
+ p[1] = (in[0] >> 8) & 0xff;
} else {
p[1] = (in[0] ) & 0xff;
p[0] = (in[0] >> 8) & 0xff;
@@ -479,10 +479,10 @@ wind_ucs2utf8(const uint16_t *in, size_t in_len, char *out, size_t *out_len)
switch(len) {
case 3:
out[2] = (ch | 0x80) & 0xbf;
- ch = ch << 6;
+ ch = ch >> 6;
case 2:
out[1] = (ch | 0x80) & 0xbf;
- ch = ch << 6;
+ ch = ch >> 6;
case 1:
out[0] = ch | first_char[len - 1];
}
diff --git a/crypto/heimdal/lib/wind/version-script.map b/crypto/heimdal/lib/wind/version-script.map
index a6ca3ae..6b5abb5 100644
--- a/crypto/heimdal/lib/wind/version-script.map
+++ b/crypto/heimdal/lib/wind/version-script.map
@@ -14,6 +14,7 @@ HEIMDAL_WIND_1.0 {
wind_utf8ucs2_length;
wind_ucs2utf8_length;
wind_ucs2read;
+ wind_ucs2write;
# testing
_wind_combining_class;
_wind_stringprep_testbidi;