authorAndrew Bartlett <abartlet@samba.org>2010-10-02 16:32:56 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-10-03 01:15:04 +0000
commit21460dfc14acdeef69b6cd910da80f261316be63 (patch)
treefcc7b9c9b03331ae6a1117a9688fc957868e942b /source4/heimdal/lib/krb5
parenta2c4f54dfb47fa73c12ba305d52574aeb6baedd9 (diff)
s4:heimdal: import lorikeet-heimdal-201010022046 (commit 1bea031b9404b14114b0272ecbe56e60c567af5c)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/context.c24
-rw-r--r--source4/heimdal/lib/krb5/crypto.c48
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c11
-rw-r--r--source4/heimdal/lib/krb5/krbhst.c83
4 files changed, 96 insertions, 70 deletions
diff --git a/source4/heimdal/lib/krb5/context.c b/source4/heimdal/lib/krb5/context.c
index 0897c5e7a0..f68ab46cec 100644
--- a/source4/heimdal/lib/krb5/context.c
+++ b/source4/heimdal/lib/krb5/context.c
@@ -104,6 +104,18 @@ init_context_from_config_file(krb5_context context)
INIT_FIELD(context, string, http_proxy, NULL, "http_proxy");
+ ret = krb5_config_get_bool_default(context, NULL, FALSE,
+ "libdefaults",
+ "allow_weak_crypto", NULL);
+ if (ret) {
+ krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
+ krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
+ krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
+ krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
+ }
+
ret = set_etypes (context, "default_etypes", &tmptypes);
if(ret)
return ret;
@@ -194,18 +206,6 @@ init_context_from_config_file(krb5_context context)
context->default_cc_name = NULL;
context->default_cc_name_set = 0;
- ret = krb5_config_get_bool_default(context, NULL, FALSE,
- "libdefaults",
- "allow_weak_crypto", NULL);
- if (ret) {
- krb5_enctype_enable(context, ETYPE_DES_CBC_CRC);
- krb5_enctype_enable(context, ETYPE_DES_CBC_MD4);
- krb5_enctype_enable(context, ETYPE_DES_CBC_MD5);
- krb5_enctype_enable(context, ETYPE_DES_CBC_NONE);
- krb5_enctype_enable(context, ETYPE_DES_CFB64_NONE);
- krb5_enctype_enable(context, ETYPE_DES_PCBC_NONE);
- }
-
s = krb5_config_get_strings(context, NULL, "logging", "krb5", NULL);
if(s) {
char **p;
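Review bot: The relocated `allow_weak_crypto` block in the first hunk carries no comment saying why it must now run ahead of `set_etypes(context, "default_etypes", ...)`, and the ordering is the whole point of the move; presumably it is so that DES enctypes listed in `default_etypes` are already enabled when that list is parsed, but a reader cannot tell that from the code. A one-line comment above the `krb5_config_get_bool_default` call would fix this, e.g. `/* Enable the weak DES enctypes before set_etypes() so an explicit default_etypes list may use them (only when allow_weak_crypto is set) */`. Two smaller points of style: `ret` is a `krb5_error_code` but here receives a `krb5_boolean` from `krb5_config_get_bool_default`, and the six `krb5_enctype_enable` return values are discarded; a dedicated `krb5_boolean weak = ...` local would make the reuse less surprising. The enclosing `init_context_from_config_file` starts and ends outside both hunks.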
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 47f910260e..2502cc672f 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -1847,9 +1847,11 @@ verify_checksum(krb5_context context,
}
if(ct->checksumsize != cksum->checksum.length) {
krb5_clear_error_message (context);
- krb5_set_error_message (context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
- N_("Decrypt integrity check failed for checksum type %s, length was %u, expected %u", ""),
- ct->name, (unsigned)cksum->checksum.length, (unsigned)ct->checksumsize);
+ krb5_set_error_message(context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
+ N_("Decrypt integrity check failed for checksum type %s, "
+ "length was %u, expected %u", ""),
+ ct->name, (unsigned)cksum->checksum.length,
+ (unsigned)ct->checksumsize);
return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
}
@@ -1857,18 +1859,18 @@ verify_checksum(krb5_context context,
if(keyed_checksum) {
struct checksum_type *kct;
if (crypto == NULL) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
+ krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
kct = crypto->et->keyed_checksum;
if (kct != NULL && kct->type != ct->type) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed, but "
- "the key type %s passed didnt have that checksum "
- "type as the keyed type", ""),
+ krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
ct->name, crypto->et->name);
return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
}
@@ -1878,13 +1880,20 @@ verify_checksum(krb5_context context,
return ret;
} else
dkey = NULL;
+
+ /*
+ * If checksum have a verify function, lets use that instead of
+ * calling ->checksum and then compare result.
+ */
+
if(ct->verify) {
ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
- if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
- krb5_set_error_message (context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
- N_("Decrypt integrity check failed for checksum type %s, key type %s", ""),
- ct->name, crypto->et->name);
- }
+ if (ret)
+ krb5_set_error_message(context, ret,
+ N_("Decrypt integrity check failed for checksum "
+ "type %s, key type %s", ""),
+ ct->name, crypto->et->name);
+ return ret;
}
ret = krb5_data_alloc (&c.checksum, ct->checksumsize);
@@ -1900,10 +1909,11 @@ verify_checksum(krb5_context context,
if(c.checksum.length != cksum->checksum.length ||
ct_memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length)) {
krb5_clear_error_message (context);
- krb5_set_error_message (context, KRB5KRB_AP_ERR_BAD_INTEGRITY,
- N_("Decrypt integrity check failed for checksum type %s, key type %s", ""),
- ct->name, crypto->et->name);
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ krb5_set_error_message(context, ret,
+ N_("Decrypt integrity check failed for checksum "
+ "type %s, key type %s", ""),
+ ct->name, crypto->et->name);
} else {
ret = 0;
}
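Review bot: In the third hunk the `if(ct->verify)` branch now attaches the message "Decrypt integrity check failed for checksum type %s, key type %s" to every non-zero `ret` from the verify callback, so an allocation or other internal failure is reported to the caller as an integrity failure, whereas the removed code only did this for `KRB5KRB_AP_ERR_BAD_INTEGRITY`. That same message dereferences `crypto->et->name`, and the second hunk shows `crypto == NULL` is rejected only for keyed checksum types, so if an unkeyed type supplies a `verify` function this path dereferences NULL; the old code had the same dereference but reached it less often. Keeping the condition as `if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)` before setting the message, and guarding the dereference when `crypto` may be NULL, would address both without changing the new early `return ret;`. The same `crypto->et->name` dereference recurs in the fourth hunk. `verify_checksum` begins before the first hunk and continues after the last.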
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index 869687aa63..29b882d053 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -1418,6 +1418,17 @@ krb5_init_creds_set_service(krb5_context context,
if (ret)
return ret;
}
+
+ /*
+ * This is for Windows RODC that are picky about what name type
+ * the server principal have, and the really strange part is that
+ * they are picky about the AS-REQ name type and not the TGS-REQ
+ * later. Oh well.
+ */
+
+ if (krb5_principal_is_krbtgt(context, principal))
+ krb5_principal_set_type(context, principal, KRB5_NT_SRV_INST);
+
krb5_free_principal(context, ctx->cred.server);
ctx->cred.server = principal;
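Review bot: The new `krb5_principal_set_type(context, principal, KRB5_NT_SRV_INST)` silently overrides whatever name type the caller supplied for a krbtgt service principal, and nothing in the function's public documentation (outside this hunk) records that; a caller that deliberately set another type will not learn why it was changed. The in-code comment explains the RODC motivation well, but the contract belongs on the API too, e.g. a sentence in the function's doc comment such as `When the service is a krbtgt principal its name type is forced to KRB5_NT_SRV_INST, which some Windows RODCs require in the AS-REQ.` The return value of `krb5_principal_set_type` is not checked here; if it can fail in this tree that should be propagated like the `ret` checks above it. `krb5_init_creds_set_service` starts before the hunk.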
diff --git a/source4/heimdal/lib/krb5/krbhst.c b/source4/heimdal/lib/krb5/krbhst.c
index d8646f0537..7d11157848 100644
--- a/source4/heimdal/lib/krb5/krbhst.c
+++ b/source4/heimdal/lib/krb5/krbhst.c
@@ -356,61 +356,66 @@ make_hints(struct addrinfo *hints, int proto)
}
}
-/*
- * return an `struct addrinfo *' in `ai' corresponding to the information
- * in `host'. free:ing is handled by krb5_krbhst_free.
+/**
+ * Return an `struct addrinfo *' for a KDC host.
+ *
+ * Returns an the struct addrinfo in in that corresponds to the
+ * information in `host'. free:ing is handled by krb5_krbhst_free, so
+ * the returned ai must not be released.
+ *
+ * @ingroup krb5
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
struct addrinfo **ai)
{
- struct addrinfo hints;
- char portstr[NI_MAXSERV];
- int ret;
+ int ret = 0;
if (host->ai == NULL) {
- make_hints(&hints, host->proto);
- hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
+ struct addrinfo hints;
+ char portstr[NI_MAXSERV];
+ char *hostname = host->hostname;
+
snprintf (portstr, sizeof(portstr), "%d", host->port);
+ make_hints(&hints, host->proto);
+
+ /**
+ * First try this as an IP address, this allows us to add a
+ * dot at the end to stop using the search domains.
+ */
+
+ hints.ai_flags |= AI_NUMERICHOST | AI_NUMERICSERV;
- /* First try this as an IP address - the flags we have set
- * will prevent it from looking up a name */
ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
- if (ret == 0) {
- *ai = host->ai;
- return 0;
+ if (ret == 0)
+ goto out;
+
+ /**
+ * If the hostname contains a dot, assumes it's a FQDN and
+ * don't use search domains since that might be painfully slow
+ * when machine is disconnected from that network.
+ */
+
+ hints.ai_flags &= ~(AI_NUMERICHOST);
+
+ if (strchr(hostname, '.') && hostname[strlen(hostname) - 1] != '.') {
+ ret = asprintf(&hostname, "%s.", host->hostname);
+ if (ret < 0 || hostname == NULL)
+ return ENOMEM;
}
- hints.ai_flags &= ~AI_NUMERICHOST;
-
- /* Now that we know it's not an IP, we can manipulate
- it as a dotted-name, to add a final . if we think
- it's a fully qualified DNS name */
- if (strchr(host->hostname, '.') &&
- host->hostname[strlen(host->hostname)-1] != '.') {
- char *hostname_dot = NULL;
-
- /* avoid expansion of search domains from resolv.conf
- - these can be very slow if the DNS server is not up
- for the searched domain */
- hostname_dot = malloc(strlen(host->hostname)+2);
- if (hostname_dot) {
- strcpy(hostname_dot, host->hostname);
- hostname_dot[strlen(host->hostname)] = '.';
- hostname_dot[strlen(host->hostname)+1] = 0;
- }
- ret = getaddrinfo(hostname_dot?hostname_dot:host->hostname, portstr, &hints, &host->ai);
- if (hostname_dot)
- free(hostname_dot);
- } else {
- ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
+ ret = getaddrinfo(hostname, portstr, &hints, &host->ai);
+ if (hostname != host->hostname)
+ free(hostname);
+ if (ret) {
+ ret = krb5_eai_to_heim_errno(ret, errno);
+ goto out;
}
- if (ret)
- return krb5_eai_to_heim_errno(ret, errno);
}
+ out:
*ai = host->ai;
- return 0;
+ return ret;
}
static krb5_boolean
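Review bot: The `out:` label now writes `*ai = host->ai` unconditionally, so when the second `getaddrinfo` fails the caller's `*ai` is overwritten with whatever `host->ai` holds after the failed call (unchanged NULL on most implementations, but not guaranteed by POSIX), whereas the removed code returned the mapped error without touching `*ai`; callers that only check `*ai` would then see a changed value alongside an error. Guarding the store keeps the old contract: `out:` / `if (ret == 0)` / `*ai = host->ai;`. The `asprintf` failure path also returns `ENOMEM` directly rather than via `out:`, and on that path the old code still fell back to resolving the undotted name instead of failing the lookup. Separately, the new doxygen text "Returns an the struct addrinfo in in that corresponds" reads as a typo and should be "Returns the struct addrinfo in `ai` that corresponds".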