Diffstat (limited to 'crypto/heimdal/lib/krb5')
-rw-r--r--crypto/heimdal/lib/krb5/crypto-arcfour.c2
-rw-r--r--crypto/heimdal/lib/krb5/crypto.c2
-rw-r--r--crypto/heimdal/lib/krb5/eai_to_heim_errno.c4
-rw-r--r--crypto/heimdal/lib/krb5/krb5.conf.525
-rw-r--r--crypto/heimdal/lib/krb5/pac.c67
-rw-r--r--crypto/heimdal/lib/krb5/verify_krb5_conf.c2
6 files changed, 70 insertions, 32 deletions
diff --git a/crypto/heimdal/lib/krb5/crypto-arcfour.c b/crypto/heimdal/lib/krb5/crypto-arcfour.c
index 1b369d2..7f7e21d 100644
--- a/crypto/heimdal/lib/krb5/crypto-arcfour.c
+++ b/crypto/heimdal/lib/krb5/crypto-arcfour.c
@@ -317,7 +317,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = {
8,
&keytype_arcfour,
&_krb5_checksum_hmac_md5,
- NULL,
+ &_krb5_checksum_hmac_md5,
F_SPECIAL,
ARCFOUR_encrypt,
0,
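Review bot: The slot being changed from `NULL` to `&_krb5_checksum_hmac_md5` is a positional initializer whose field name is not visible in the hunk; from the `kct = crypto->et->keyed_checksum` line in this commit's crypto.c hunk it is presumably the `keyed_checksum` member, but a reader of this file cannot tell. A designated initializer, `.keyed_checksum = &_krb5_checksum_hmac_md5,`, or at least a trailing comment naming the field, would make the intent explicit. The same readability point applies to the trailing `1` added in the verify_krb5_conf.c hunk below. The enclosing `_krb5_enctype_arcfour_hmac_md5` initializer starts and ends outside the hunk.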
diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c
index 4b66035..67ecef6 100644
--- a/crypto/heimdal/lib/krb5/crypto.c
+++ b/crypto/heimdal/lib/krb5/crypto.c
@@ -467,7 +467,7 @@ verify_checksum(krb5_context context,
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
kct = crypto->et->keyed_checksum;
- if (kct != NULL && kct->type != ct->type) {
+ if (kct == NULL || kct->type != ct->type) {
krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
N_("Checksum type %s is keyed, but "
"the key type %s passed didnt have that checksum "
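Review bot: The new condition `kct == NULL || kct->type != ct->type` turns a formerly silent pass-through (no keyed checksum on the enctype, so no type comparison) into a rejection, and nothing in the hunk records why; a one-line comment above it such as `/* An enctype without a keyed checksum cannot verify a keyed checksum type; reject instead of skipping the check. */` would keep the next maintainer from "relaxing" it back. This tightening also means any enctype that legitimately verifies keyed checksums must now populate `keyed_checksum` — the crypto-arcfour.c hunk in this commit does that for arcfour-hmac-md5, and any other enctype still carrying `NULL` there will now fail with KRB5_PROG_SUMTYPE_NOSUPP. The `F_KEYED` test that presumably precedes this branch, and the rest of verify_checksum, are outside the hunk.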
diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
index ef11e37..a6e14ab 100644
--- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
+++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c
@@ -68,6 +68,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error)
case EAI_NODATA:
return HEIM_EAI_NODATA;
#endif
+#ifdef WSANO_DATA
+ case WSANO_DATA:
+ return HEIM_EAI_NODATA;
+#endif
case EAI_NONAME:
return HEIM_EAI_NONAME;
case EAI_SERVICE:
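Review bot: The new `#ifdef WSANO_DATA` case sits directly under a `case EAI_NODATA:` that is itself conditionally compiled; on a platform where both macros are defined and expand to the same value (some Winsock headers define `EAI_NODATA` in terms of `WSANO_DATA`, to be confirmed), the switch gets a duplicate case label and fails to compile. Guarding the new case with `#if defined(WSANO_DATA) && (!defined(EAI_NODATA) || WSANO_DATA != EAI_NODATA)` avoids that, provided both expand to integer constants. The opening `#ifdef` for the `EAI_NODATA` case and the rest of `krb5_eai_to_heim_errno` are outside the hunk.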
diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5
index 9e1edc7..77d7f80 100644
--- a/crypto/heimdal/lib/krb5/krb5.conf.5
+++ b/crypto/heimdal/lib/krb5/krb5.conf.5
@@ -412,19 +412,22 @@ Default is the same as
Should the kdc answer kdc-requests over http.
.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
-.It Li as-use-strongest-session-key = Va BOOL
+.It Li tgt-use-strongest-session-key = Va BOOL
If this is TRUE then the KDC will prefer the strongest key from the
-client's AS-REQ enctype list, that is also supported by the KDC and the
-target principal, for the ticket session key. Else it will prefer the
-first key from the client's AS-REQ enctype list that is also supported
-by the KDC and the target principal. Defaults to TRUE.
+client's AS-REQ or TGS-REQ enctype list for the ticket session key that
+is supported by the KDC and the target principal when the target
+principal is a krbtgt principal. Else it will prefer the first key from
+the client's AS-REQ enctype list that is also supported by the KDC and
+the target principal. Defaults to TRUE.
+.It Li svc-use-strongest-session-key = Va BOOL
+Like tgt-use-strongest-session-key, but applies to the session key
+enctype of tickets for services other than krbtgt principals. Defaults
+to TRUE.
.It Li preauth-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
-pre-authentication). Defaults to TRUE.
-.It Li tgs-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
-enctype of tickets issued by the TGS. Defaults to TRUE.
+If TRUE then select the strongest possible enctype from the client's
+AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
+Else pick the first supported enctype from the client's AS-REQ. Defaults
+to TRUE.
.It Li use-strongest-server-key = Va BOOL
If TRUE then the KDC picks, for the ticket encrypted part's key, the
first supported enctype from the target service principal's hdb entry's
diff --git a/crypto/heimdal/lib/krb5/pac.c b/crypto/heimdal/lib/krb5/pac.c
index f4caadd..91f68d5 100644
--- a/crypto/heimdal/lib/krb5/pac.c
+++ b/crypto/heimdal/lib/krb5/pac.c
@@ -706,7 +706,7 @@ build_logon_name(krb5_context context,
krb5_storage *sp;
uint64_t t;
char *s, *s2;
- size_t i, len;
+ size_t s2_len;
t = unix2nttime(authtime);
@@ -726,29 +726,60 @@ build_logon_name(krb5_context context,
if (ret)
goto out;
- len = strlen(s);
+ {
+ size_t ucs2_len;
+ uint16_t *ucs2;
+ unsigned int flags;
- CHECK(ret, krb5_store_uint16(sp, len * 2), out);
+ ret = wind_utf8ucs2_length(s, &ucs2_len);
+ if (ret) {
+ free(s);
+ krb5_set_error_message(context, ret, "Failed to count length of UTF-8 string");
+ return ret;
+ }
-#if 1 /* cheat for now */
- s2 = malloc(len * 2);
- if (s2 == NULL) {
- ret = krb5_enomem(context);
+ ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len);
+ if (ucs2 == NULL) {
+ free(s);
+ return krb5_enomem(context);
+ }
+
+ ret = wind_utf8ucs2(s, ucs2, &ucs2_len);
free(s);
- goto out;
- }
- for (i = 0; i < len; i++) {
- s2[i * 2] = s[i];
- s2[i * 2 + 1] = 0;
+ if (ret) {
+ free(ucs2);
+ krb5_set_error_message(context, ret, "Failed to convert string to UCS-2");
+ return ret;
+ }
+
+ s2_len = (ucs2_len + 1) * 2;
+ s2 = malloc(s2_len);
+ if (ucs2 == NULL) {
+ free(ucs2);
+ return krb5_enomem(context);
+ }
+
+ flags = WIND_RW_LE;
+ ret = wind_ucs2write(ucs2, ucs2_len,
+ &flags, s2, &s2_len);
+ free(ucs2);
+ if (ret) {
+ free(s2);
+ krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer");
+ return ret;
+ }
+
+ /*
+ * we do not want zero termination
+ */
+ s2_len = ucs2_len * 2;
}
- free(s);
-#else
- /* write libwind code here */
-#endif
- ret = krb5_storage_write(sp, s2, len * 2);
+ CHECK(ret, krb5_store_uint16(sp, s2_len), out);
+
+ ret = krb5_storage_write(sp, s2, s2_len);
free(s2);
- if (ret != (int)(len * 2)) {
+ if (ret != (int)s2_len) {
ret = krb5_enomem(context);
goto out;
}
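Review bot: The NULL check after `s2 = malloc(s2_len);` tests the wrong pointer — `if (ucs2 == NULL)` is dead because `ucs2` was already verified non-NULL a few lines earlier, so a failed allocation of `s2` falls through and hands a NULL buffer to `wind_ucs2write`; it should read `if (s2 == NULL) {`. Separately, the new error paths (after `wind_utf8ucs2_length`, both `malloc`s, `wind_utf8ucs2` and `wind_ucs2write`) `return` directly, whereas the rest of build_logon_name uses `goto out` (the `if (ret) goto out;` at the top of the hunk and the `CHECK(..., out)` below); if the `out:` label releases `sp`, these direct returns leak the storage handle, so routing them through `out` after freeing the local buffers would be consistent. The `out:` label and the end of build_logon_name lie outside the hunk, so this is inferred from the visible control flow.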
diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
index d554423..647a311 100644
--- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c
+++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c
@@ -508,7 +508,7 @@ struct entry kdc_entries[] = {
{ "allow-null-ticket-addresses", krb5_config_string, check_boolean },
{ "allow-anonymous", krb5_config_string, check_boolean },
{ "v4_realm", krb5_config_string, NULL },
- { "enable-kaserver", krb5_config_string, check_boolean },
+ { "enable-kaserver", krb5_config_string, check_boolean, 1 },
{ "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
{ "kdc_warn_pwexpire", krb5_config_string, check_time },
{ "use_2b", krb5_config_list, NULL },