author | Stefan Metzmacher <metze@samba.org> | 2008-08-26 19:35:52 +0200 |
committer | Stefan Metzmacher <metze@samba.org> | 2008-08-26 19:46:38 +0200 |
commit | 243321b4bbe273cf3a9105ca132caa2b53e2f263 (patch) | |
tree | c8588a032720412a9a510d4045d6ca6e5c961ee7 /source4/heimdal/kdc | |
parent | 455f5c043d1416136a16a0bb6e463d855a913409 (diff) | |
heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.
metze
(This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
Diffstat (limited to 'source4/heimdal/kdc')
-rw-r--r-- | source4/heimdal/kdc/524.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/default_config.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/digest.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/headers.h | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/kaserver.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/kdc.h | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/kdc_locl.h | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/kerberos4.c | 23 | ||||
-rw-r--r-- | source4/heimdal/kdc/kerberos5.c | 23 | ||||
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 26 | ||||
-rw-r--r-- | source4/heimdal/kdc/kx509.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/log.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/misc.c | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | source4/heimdal/kdc/pkinit.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/process.c | 8 | ||||
-rw-r--r-- | source4/heimdal/kdc/rx.h | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc.c | 2 | ||||
-rw-r--r-- | source4/heimdal/kdc/windc_plugin.h | 2 |
18 files changed, 66 insertions, 42 deletions
diff --git a/source4/heimdal/kdc/524.c b/source4/heimdal/kdc/524.c index 3e4ad29253..a46c9175b0 100644 --- a/source4/heimdal/kdc/524.c +++ b/source4/heimdal/kdc/524.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $"); +RCSID("$Id$"); #include <krb5-v4compat.h> diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c index 33a2c297fa..87952ca6eb 100644 --- a/source4/heimdal/kdc/default_config.c +++ b/source4/heimdal/kdc/default_config.c @@ -36,7 +36,7 @@ #include <getarg.h> #include <parse_bytes.h> -RCSID("$Id: default_config.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); krb5_error_code krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) diff --git a/source4/heimdal/kdc/digest.c b/source4/heimdal/kdc/digest.c index bf1e45b328..401ca1db11 100644 --- a/source4/heimdal/kdc/digest.c +++ b/source4/heimdal/kdc/digest.c @@ -34,7 +34,7 @@ #include "kdc_locl.h" #include <hex.h> -RCSID("$Id: digest.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); #define MS_CHAP_V2 0x20 #define CHAP_MD5 0x10 diff --git a/source4/heimdal/kdc/headers.h b/source4/heimdal/kdc/headers.h index 64f6b6e438..c2bd4c5b4f 100644 --- a/source4/heimdal/kdc/headers.h +++ b/source4/heimdal/kdc/headers.h @@ -32,7 +32,7 @@ */ /* - * $Id: headers.h 19658 2007-01-04 00:15:34Z lha $ + * $Id$ */ #ifndef __HEADERS_H__ diff --git a/source4/heimdal/kdc/kaserver.c b/source4/heimdal/kdc/kaserver.c index 4f257d717e..8f3c3e02ea 100644 --- a/source4/heimdal/kdc/kaserver.c +++ b/source4/heimdal/kdc/kaserver.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kaserver.c 23110 2008-04-27 18:51:17Z lha $"); +RCSID("$Id$"); #include <krb5-v4compat.h> #include <rx.h> diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h index 6c129f38f5..f0edae721f 100644 --- a/source4/heimdal/kdc/kdc.h +++ b/source4/heimdal/kdc/kdc.h 
@@ -35,7 +35,7 @@ */ /* - * $Id: kdc.h 21287 2007-06-25 14:09:03Z lha $ + * $Id$ */ #ifndef __KDC_H__ diff --git a/source4/heimdal/kdc/kdc_locl.h b/source4/heimdal/kdc/kdc_locl.h index fe0523665a..6ce4a9f40f 100644 --- a/source4/heimdal/kdc/kdc_locl.h +++ b/source4/heimdal/kdc/kdc_locl.h @@ -32,7 +32,7 @@ */ /* - * $Id: kdc_locl.h 22247 2007-12-08 23:49:41Z lha $ + * $Id$ */ #ifndef __KDC_LOCL_H__ diff --git a/source4/heimdal/kdc/kerberos4.c b/source4/heimdal/kdc/kerberos4.c index cbba64945b..3e9a70057e 100644 --- a/source4/heimdal/kdc/kerberos4.c +++ b/source4/heimdal/kdc/kerberos4.c @@ -35,7 +35,7 @@ #include <krb5-v4compat.h> -RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $"); +RCSID("$Id$"); #ifndef swap32 static uint32_t @@ -134,7 +134,7 @@ _kdc_do_version4(krb5_context context, struct sockaddr_in *addr) { krb5_storage *sp; - krb5_error_code ret; + krb5_error_code ret = EINVAL; hdb_entry_ex *client = NULL, *server = NULL; Key *ckey, *skey; int8_t pvno; @@ -162,6 +162,7 @@ _kdc_do_version4(krb5_context context, kdc_log(context, config, 0, "Protocol version mismatch (krb4) (%d)", pvno); make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch"); + ret = KRB4ET_KDC_PKT_VER; goto out; } RCHECK(krb5_ret_int8(sp, &msg_type), out); @@ -258,20 +259,6 @@ _kdc_do_version4(krb5_context context, goto out1; } -#if 0 - /* this is not necessary with the new code in libkrb */ - /* find a properly salted key */ - while(ckey->salt == NULL || ckey->salt->salt.length != 0) - ret = hdb_next_keytype2key(context, &client->entry, KEYTYPE_DES, &ckey); - if(ret){ - kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s", - name, inst, realm); - make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY, - "No version-4 salted key in database"); - goto out1; - } -#endif - ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey); if(ret){ kdc_log(context, config, 0, "no suitable DES key for server"); 
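Review bot: In the kerberos4.c @@ -162 hunk the version-mismatch path now sets `ret = KRB4ET_KDC_PKT_VER;` and jumps to `out`, where the @@ -647 hunk on the next line returns `ret` instead of 0, so `_kdc_do_version4` reports failure even though `make_err_reply` has just placed an error packet in `reply`; the same pattern is added for AUTH_MSG_ERR_REPLY and the unknown-message default in @@ -624, and process.c @@ -100 now propagates that value out of `krb5_kdc_process_request`. Whether the caller of `krb5_kdc_process_request` still transmits `reply` on a non-zero return is not visible here; if it only sends on 0, these krb4 error replies become silent drops and the peer waits for a timeout instead of receiving the error it was just given. Either state the contract next to the return, e.g. `/* non-zero: request rejected; *reply may still hold an error packet for the peer */`, or keep `ret = 0` on the paths where an error reply was already built and reserve non-zero for cases with no reply. `_kdc_do_version4` begins and ends outside these hunks.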
@@ -624,12 +611,14 @@ _kdc_do_version4(krb5_context context, break; } case AUTH_MSG_ERR_REPLY: + ret = EINVAL; break; default: kdc_log(context, config, 0, "Unknown message type (krb4): %d from %s", msg_type, from); make_err_reply(context, reply, KFAILURE, "Unknown message type"); + ret = EINVAL; } out: if(name) @@ -647,7 +636,7 @@ _kdc_do_version4(krb5_context context, if(server) _kdc_free_ent(context, server); krb5_storage_free(sp); - return 0; + return ret; } krb5_error_code diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 2a2c48c233..7930ef42e4 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: kerberos5.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); #define MAX_TIME ((time_t)((1U << 31) - 1)) @@ -85,6 +85,24 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type) } /* + * This is a hack to allow predefined weak services, like afs to + * still use weak types + */ + +krb5_boolean +_kdc_is_weak_expection(krb5_principal principal, krb5_enctype etype) +{ + if (principal->name.name_string.len > 0 && + strcmp(principal->name.name_string.val[0], "afs") == 0 && + (etype == ETYPE_DES_CBC_CRC + || etype == ETYPE_DES_CBC_MD4 + || etype == ETYPE_DES_CBC_MD5)) + return TRUE; + return FALSE; +} + + +/* * Detect if `key' is the using the the precomputed `default_salt'. */ @@ -120,7 +138,8 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, for(i = 0; ret != 0 && i < len ; i++) { Key *key = NULL; - if (krb5_enctype_valid(context, etypes[i]) != 0) + if (krb5_enctype_valid(context, etypes[i]) != 0 && + !_kdc_is_weak_expection(princ->entry.principal, etypes[i])) continue; while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) { diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 071a30d5a7..19dff5e01d 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c 
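Review bot: `_kdc_is_weak_expection` in the kerberos5.c @@ -85 hunk is misspelled; since the symbol is new in this commit and already referenced from krb5tgs.c, renaming it to `_kdc_is_weak_exception` now avoids carrying the typo into the generated prototype and every caller. The block comment above it should also say what the exemption does: it matches any principal whose first name component is `afs`, regardless of instance or realm, and accepts `ETYPE_DES_CBC_CRC`/`MD4`/`MD5` for it even when `krb5_enctype_valid` reports the type as disabled — e.g. `/* Hard-coded exemption: afs/... service principals may still get single-DES session keys even when DES is disabled for the context. */`. In the @@ -120 hunk `_kdc_find_etype` now keeps such an etype instead of skipping it, so whatever encodes the AS reply with the selected key presumably needs the same temporary `krb5_enctype_enable` that tgs_make_reply does; that path is not in this diff, so it is worth confirming.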
@@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: krb5tgs.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); /* * return the realm of a krbtgt-ticket or NULL @@ -662,6 +662,7 @@ tgs_make_reply(krb5_context context, krb5_kvno kvno, AuthorizationData *auth_data, hdb_entry_ex *server, + krb5_principal server_principal, const char *server_name, hdb_entry_ex *client, krb5_principal client_principal, @@ -678,6 +679,7 @@ tgs_make_reply(krb5_context context, EncTicketPart et; KDCOptions f = b->kdc_options; krb5_error_code ret; + int is_weak = 0; memset(&rep, 0, sizeof(rep)); memset(&et, 0, sizeof(et)); @@ -729,9 +731,9 @@ tgs_make_reply(krb5_context context, if(ret) goto out; - copy_Realm(krb5_princ_realm(context, server->entry.principal), + copy_Realm(krb5_princ_realm(context, server_principal), &rep.ticket.realm); - _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal); + _krb5_principal2principalname(&rep.ticket.sname, server_principal); copy_Realm(&tgt_name->realm, &rep.crealm); /* if (f.request_anonymous) @@ -885,6 +887,14 @@ tgs_make_reply(krb5_context context, goto out; } + if (krb5_enctype_valid(context, et.key.keytype) != 0 + && _kdc_is_weak_expection(server->entry.principal, et.key.keytype)) + { + krb5_enctype_enable(context, et.key.keytype); + is_weak = 1; + } + + /* It is somewhat unclear where the etype in the following encryption should come from. What we have is a session key in the passed tgt, and a list of preferred etypes @@ -899,6 +909,9 @@ tgs_make_reply(krb5_context context, &rep, &et, &ek, et.key.keytype, kvno, serverkey, 0, &tgt->key, e_text, reply); + if (is_weak) + krb5_enctype_disable(context, et.key.keytype); + out: free_TGS_REP(&rep); free_TransitedEncoding(&et.transited); 
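Review bot: In the krb5tgs.c @@ -885 and @@ -899 hunks `krb5_enctype_enable` mutates the shared `krb5_context`, but the matching `krb5_enctype_disable` is placed before the `out:` label, so it only runs on the path that falls through after the encode call whose argument list opens @@ -899. The lines between the enable and that call are not in the hunk; if any of them can `goto out` on error, the weak enctype stays enabled in the context for every later request handled by this process, silently widening the DES exemption beyond the afs case it was meant for. Since `is_weak` is initialised to 0 in @@ -678, moving the two lines `if (is_weak)` / `krb5_enctype_disable(context, et.key.keytype);` to directly after `out:` makes the re-disable unconditional on every exit. tgs_make_reply continues beyond the hunk.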
@@ -1462,7 +1475,8 @@ tgs_build_reply(krb5_context context, */ server_lookup: - ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server); + ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON, + NULL, &server); if(ret){ const char *new_rlm; @@ -1521,7 +1535,8 @@ server_lookup: goto out; } - ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client); + ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON, + NULL, &client); if(ret) { const char *krbtgt_realm; @@ -1927,6 +1942,7 @@ server_lookup: kvno, *auth_data, server, + sp, spn, client, cp, diff --git a/source4/heimdal/kdc/kx509.c b/source4/heimdal/kdc/kx509.c index 8f117cebc0..33991d1907 100644 --- a/source4/heimdal/kdc/kx509.c +++ b/source4/heimdal/kdc/kx509.c @@ -36,7 +36,7 @@ #include <rfc2459_asn1.h> #include <hx509.h> -RCSID("$Id: kx509.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); /* * diff --git a/source4/heimdal/kdc/log.c b/source4/heimdal/kdc/log.c index 8cf967fbfb..98b25b92db 100644 --- a/source4/heimdal/kdc/log.c +++ b/source4/heimdal/kdc/log.c @@ -32,7 +32,7 @@ */ #include "kdc_locl.h" -RCSID("$Id: log.c 22254 2007-12-09 06:01:05Z lha $"); +RCSID("$Id$"); void kdc_openlog(krb5_context context, diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 528b9e6a3b..0c64dd568e 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: misc.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); struct timeval _kdc_now; diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index 9f6d57f588..57767c4f48 100755..100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: pkinit.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); #ifdef PKINIT diff --git a/source4/heimdal/kdc/process.c b/source4/heimdal/kdc/process.c index 550bfb04b2..1a0c7c72ce 100644 
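Review bot: The @@ -1927 hunk passes `sp` — the server name as parsed from the request — as the new `server_principal` argument, and tgs_make_reply (@@ -729 on the previous line) now copies that, not `server->entry.principal`, into the ticket's realm and sname, while key selection and the weak-enctype exemption still use the fetched entry. With `HDB_F_CANON` added to both `_kdc_db_fetch` calls the entry and `sp` presumably can differ (a requested alias resolving to its canonical entry); that seems to be the point of the change, but nothing in the code says so. A one-line comment at the call site, e.g. `/* sp: name as requested (may differ from the canonical server->entry.principal under HDB_F_CANON); it becomes the ticket's realm/sname */`, and the same on the new parameter, would keep the next reader from "fixing" it back to the entry's principal. tgs_build_reply begins and ends outside these hunks.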
--- a/source4/heimdal/kdc/process.c +++ b/source4/heimdal/kdc/process.c @@ -34,7 +34,7 @@ #include "kdc_locl.h" -RCSID("$Id: process.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); /* * @@ -100,9 +100,9 @@ krb5_kdc_process_request(krb5_context context, return ret; } else if(_kdc_maybe_version4(buf, len)){ *prependlength = FALSE; /* elbitapmoc sdrawkcab XXX */ - _kdc_do_version4(context, config, buf, len, reply, from, - (struct sockaddr_in*)addr); - return 0; + ret = _kdc_do_version4(context, config, buf, len, reply, from, + (struct sockaddr_in*)addr); + return ret; } else if (config->enable_kaserver) { ret = _kdc_do_kaserver(context, config, buf, len, reply, from, (struct sockaddr_in*)addr); diff --git a/source4/heimdal/kdc/rx.h b/source4/heimdal/kdc/rx.h index 18806d79da..a84e5ec5f5 100644 --- a/source4/heimdal/kdc/rx.h +++ b/source4/heimdal/kdc/rx.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: rx.h 17447 2006-05-05 10:52:01Z lha $ */ +/* $Id$ */ #ifndef __RX_H__ #define __RX_H__ diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c index 621757f6dc..e057a3e6fb 100644 --- a/source4/heimdal/kdc/windc.c +++ b/source4/heimdal/kdc/windc.c @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$Id: windc.c 23316 2008-06-23 04:32:32Z lha $"); +RCSID("$Id$"); static krb5plugin_windc_ftable *windcft; static void *windcctx; diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h index 44aab9e22b..3780258ad0 100644 --- a/source4/heimdal/kdc/windc_plugin.h +++ b/source4/heimdal/kdc/windc_plugin.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: windc_plugin.h 22693 2008-03-19 08:57:49Z lha $ */ +/* $Id$ */ #ifndef HEIMDAL_KRB5_PAC_PLUGIN_H #define HEIMDAL_KRB5_PAC_PLUGIN_H 1 |