authorStefan Metzmacher <metze@samba.org>2011-07-25 18:51:53 +0200
committerStefan Metzmacher <metze@samba.org>2011-07-26 02:16:08 +0200
commit5a8635bca1b6d60a5b81c602eb4f0b7fd8902d7b (patch)
treea9a73cdf05ce487a174c9ef7ab334007348e7248 /source4/heimdal/lib/krb5
parentf1a59f9d6f45987acd0304ee58e4488333faad18 (diff)
s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)
Diffstat (limited to 'source4/heimdal/lib/krb5')
-rw-r--r--source4/heimdal/lib/krb5/auth_context.c2
-rw-r--r--source4/heimdal/lib/krb5/crypto-aes.c4
-rw-r--r--source4/heimdal/lib/krb5/crypto-arcfour.c2
-rw-r--r--source4/heimdal/lib/krb5/crypto-des.c4
-rw-r--r--source4/heimdal/lib/krb5/crypto-des3.c4
-rw-r--r--source4/heimdal/lib/krb5/crypto-null.c2
-rw-r--r--source4/heimdal/lib/krb5/crypto.c32
-rw-r--r--source4/heimdal/lib/krb5/crypto.h2
-rw-r--r--source4/heimdal/lib/krb5/error_string.c15
-rw-r--r--source4/heimdal/lib/krb5/get_cred.c5
-rw-r--r--source4/heimdal/lib/krb5/get_for_creds.c2
-rw-r--r--source4/heimdal/lib/krb5/get_in_tkt.c2
-rw-r--r--source4/heimdal/lib/krb5/init_creds_pw.c6
-rw-r--r--source4/heimdal/lib/krb5/keyblock.c2
-rw-r--r--source4/heimdal/lib/krb5/krb5.h11
-rw-r--r--source4/heimdal/lib/krb5/mit_glue.c2
-rw-r--r--source4/heimdal/lib/krb5/version-script.map1
17 files changed, 69 insertions, 29 deletions
diff --git a/source4/heimdal/lib/krb5/auth_context.c b/source4/heimdal/lib/krb5/auth_context.c
index 518e19359c..33f4ed283d 100644
--- a/source4/heimdal/lib/krb5/auth_context.c
+++ b/source4/heimdal/lib/krb5/auth_context.c
@@ -58,7 +58,7 @@ krb5_auth_con_init(krb5_context context,
p->remote_address = NULL;
p->local_port = 0;
p->remote_port = 0;
- p->keytype = KEYTYPE_NULL;
+ p->keytype = KRB5_ENCTYPE_NULL;
p->cksumtype = CKSUMTYPE_NONE;
*auth_context = p;
return 0;
diff --git a/source4/heimdal/lib/krb5/crypto-aes.c b/source4/heimdal/lib/krb5/crypto-aes.c
index e8facd85dd..783372b399 100644
--- a/source4/heimdal/lib/krb5/crypto-aes.c
+++ b/source4/heimdal/lib/krb5/crypto-aes.c
@@ -38,7 +38,7 @@
*/
static struct _krb5_key_type keytype_aes128 = {
- KEYTYPE_AES128,
+ KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
"aes-128",
128,
16,
@@ -52,7 +52,7 @@ static struct _krb5_key_type keytype_aes128 = {
};
static struct _krb5_key_type keytype_aes256 = {
- KEYTYPE_AES256,
+ KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
"aes-256",
256,
32,
diff --git a/source4/heimdal/lib/krb5/crypto-arcfour.c b/source4/heimdal/lib/krb5/crypto-arcfour.c
index 82769aea62..1d4f94672a 100644
--- a/source4/heimdal/lib/krb5/crypto-arcfour.c
+++ b/source4/heimdal/lib/krb5/crypto-arcfour.c
@@ -38,7 +38,7 @@
#include "krb5_locl.h"
static struct _krb5_key_type keytype_arcfour = {
- KEYTYPE_ARCFOUR,
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
"arcfour",
128,
16,
diff --git a/source4/heimdal/lib/krb5/crypto-des.c b/source4/heimdal/lib/krb5/crypto-des.c
index 63ce901d92..f6f1c6881c 100644
--- a/source4/heimdal/lib/krb5/crypto-des.c
+++ b/source4/heimdal/lib/krb5/crypto-des.c
@@ -69,7 +69,7 @@ krb5_DES_random_to_key(krb5_context context,
}
static struct _krb5_key_type keytype_des_old = {
- KEYTYPE_DES,
+ ETYPE_DES_CBC_CRC,
"des-old",
56,
8,
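Review bot: The DES key-type table now carries `ETYPE_DES_CBC_CRC` while the AES, arcfour and null tables in this same commit use the `KRB5_ENCTYPE_*` spelling, and the split recurs in both crypto-des3.c hunks (`ETYPE_OLD_DES3_CBC_SHA1`) against `KRB5_ENCTYPE_OLD_DES3_CBC_SHA1` in the _krb5_derive_key switch in crypto.c. Presumably the two spellings denote the same numeric value, so this is a style point rather than a defect, but the `type` member is matched by value in that switch, so one naming scheme across all key-type tables makes that relationship easy to audit. Suggested, here and in the second crypto-des.c hunk: `KRB5_ENCTYPE_DES_CBC_CRC,`, assuming that alias is defined alongside the ones already used by this commit.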
@@ -83,7 +83,7 @@ static struct _krb5_key_type keytype_des_old = {
};
static struct _krb5_key_type keytype_des = {
- KEYTYPE_DES,
+ ETYPE_DES_CBC_CRC,
"des",
56,
8,
diff --git a/source4/heimdal/lib/krb5/crypto-des3.c b/source4/heimdal/lib/krb5/crypto-des3.c
index d50c5cebe2..43806038b7 100644
--- a/source4/heimdal/lib/krb5/crypto-des3.c
+++ b/source4/heimdal/lib/krb5/crypto-des3.c
@@ -55,7 +55,7 @@ DES3_random_key(krb5_context context,
#ifdef DES3_OLD_ENCTYPE
static struct _krb5_key_type keytype_des3 = {
- KEYTYPE_DES3,
+ ETYPE_OLD_DES3_CBC_SHA1,
"des3",
168,
24,
@@ -70,7 +70,7 @@ static struct _krb5_key_type keytype_des3 = {
#endif
static struct _krb5_key_type keytype_des3_derived = {
- KEYTYPE_DES3,
+ ETYPE_OLD_DES3_CBC_SHA1,
"des3",
168,
24,
diff --git a/source4/heimdal/lib/krb5/crypto-null.c b/source4/heimdal/lib/krb5/crypto-null.c
index 69d0e7c34e..b647a6d109 100644
--- a/source4/heimdal/lib/krb5/crypto-null.c
+++ b/source4/heimdal/lib/krb5/crypto-null.c
@@ -38,7 +38,7 @@
#endif
static struct _krb5_key_type keytype_null = {
- KEYTYPE_NULL,
+ KRB5_ENCTYPE_NULL,
"null",
0,
0,
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 63aedc4568..732311bec9 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -693,24 +693,36 @@ krb5_enctype_to_keytype(krb5_context context,
return 0;
}
+/**
+ * Check if a enctype is valid, return 0 if it is.
+ *
+ * @param context Kerberos context
+ * @param etype enctype to check if its valid or not
+ *
+ * @return Return an error code for an failure or 0 on success (enctype valid).
+ * @ingroup krb5_crypto
+ */
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_enctype_valid(krb5_context context,
krb5_enctype etype)
{
struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
+ if(e && (e->flags & F_DISABLED) == 0)
+ return 0;
+ if (context == NULL)
+ return KRB5_PROG_ETYPE_NOSUPP;
if(e == NULL) {
krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
N_("encryption type %d not supported", ""),
etype);
return KRB5_PROG_ETYPE_NOSUPP;
}
- if (e->flags & F_DISABLED) {
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %s is disabled", ""),
- e->name);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- return 0;
+ /* Must be (e->flags & F_DISABLED) */
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %s is disabled", ""),
+ e->name);
+ return KRB5_PROG_ETYPE_NOSUPP;
}
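Review bot: The new doc comment on krb5_enctype_valid has grammar slips that will surface in the generated API docs: `Check if a enctype is valid`, `check if its valid or not` and `for an failure`. Suggested wording: `Check if an enctype is valid, return 0 if it is.`, `@param etype enctype to check` and `@return An error code on failure or 0 on success (enctype valid).`; the blank line between the closing `*/` and `KRB5_LIB_FUNCTION` could also be dropped so the block sits directly on the declaration. The early `if (context == NULL) return KRB5_PROG_ETYPE_NOSUPP;` is now redundant with the NULL check this commit adds inside krb5_vset_error_message, which is fine as defence in depth, but a one-line comment such as `/* context may be NULL (krb5_c_valid_enctype); skip the error message */` would record why it stays.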
/**
@@ -1886,11 +1898,11 @@ _krb5_derive_key(krb5_context context,
/* XXX keytype dependent post-processing */
switch(kt->type) {
- case KEYTYPE_DES3:
+ case KRB5_ENCTYPE_OLD_DES3_CBC_SHA1:
_krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
break;
- case KEYTYPE_AES128:
- case KEYTYPE_AES256:
+ case KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ case KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);
break;
default:
diff --git a/source4/heimdal/lib/krb5/crypto.h b/source4/heimdal/lib/krb5/crypto.h
index bf945875b9..9b95b8f0cb 100644
--- a/source4/heimdal/lib/krb5/crypto.h
+++ b/source4/heimdal/lib/krb5/crypto.h
@@ -69,7 +69,7 @@ struct salt_type {
};
struct _krb5_key_type {
- krb5_keytype type; /* XXX */
+ krb5_enctype type;
const char *name;
size_t bits;
size_t size;
diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c
index 7a7b989b69..bebd4c490e 100644
--- a/source4/heimdal/lib/krb5/error_string.c
+++ b/source4/heimdal/lib/krb5/error_string.c
@@ -59,6 +59,8 @@ krb5_clear_error_message(krb5_context context)
* Set the context full error string for a specific error code.
* The error that is stored should be internationalized.
*
+ * The if context is NULL, no error string is stored.
+ *
* @param context Kerberos 5 context
* @param ret The error code
* @param fmt Error string for the error code
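Review bot: The added sentence `The if context is NULL, no error string is stored.` is ungrammatical, and the same text is repeated verbatim in the three following error_string.c doc hunks (krb5_vset_error_message, krb5_prepend_error_message and krb5_vprepend_error_message). Suggested wording at each site: `If context is NULL, no error string is stored.`. The NULL check itself is only added to the two v-variants in this commit, so the sentence on the non-v wrappers presumably holds because they forward to those variants; worth keeping in mind if the wrappers are ever changed to touch context directly.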
@@ -82,6 +84,8 @@ krb5_set_error_message(krb5_context context, krb5_error_code ret,
/**
* Set the context full error string for a specific error code.
*
+ * The if context is NULL, no error string is stored.
+ *
* @param context Kerberos 5 context
* @param ret The error code
* @param fmt Error string for the error code
@@ -98,6 +102,9 @@ krb5_vset_error_message (krb5_context context, krb5_error_code ret,
{
int r;
+ if (context == NULL)
+ return;
+
HEIMDAL_MUTEX_lock(context->mutex);
if (context->error_string) {
free(context->error_string);
@@ -114,6 +121,8 @@ krb5_vset_error_message (krb5_context context, krb5_error_code ret,
* Prepend the context full error string for a specific error code.
* The error that is stored should be internationalized.
*
+ * The if context is NULL, no error string is stored.
+ *
* @param context Kerberos 5 context
* @param ret The error code
* @param fmt Error string for the error code
@@ -137,6 +146,8 @@ krb5_prepend_error_message(krb5_context context, krb5_error_code ret,
/**
* Prepend the contexts's full error string for a specific error code.
*
+ * The if context is NULL, no error string is stored.
+ *
* @param context Kerberos 5 context
* @param ret The error code
* @param fmt Error string for the error code
@@ -151,6 +162,10 @@ krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
__attribute__ ((format (printf, 3, 0)))
{
char *str = NULL, *str2 = NULL;
+
+ if (context == NULL)
+ return;
+
HEIMDAL_MUTEX_lock(context->mutex);
if (context->error_code != ret) {
HEIMDAL_MUTEX_unlock(context->mutex);
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index e3bb23a2e9..51550daa4c 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -543,6 +543,11 @@ get_cred_kdc(krb5_context context,
/* this should go someplace else */
out_creds->times.endtime = in_creds->times.endtime;
+ /*
+ * Windows KDCs always canonicalize the server name
+ */
+ eflags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+
/* XXX should do better testing */
if (flags.b.constrained_delegation || impersonate_principal)
eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
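Review bot: `eflags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;` is applied unconditionally, so the relaxation covers every KDC although the comment justifies it only by Windows behaviour. As far as this hunk shows, the effect is that a reply whose server name differs from the one requested is no longer rejected here, so callers of get_cred_kdc must take the service identity from the returned credential rather than from the name they asked for. That consequence belongs in the comment, e.g. `/* Windows KDCs always canonicalize the server name, so accept a server mismatch; callers must use out_creds->server, not the requested name. */`, and if a request-canonicalization option is available at this point, gating the flag on it would keep the stricter check for KDCs that do not canonicalize. get_cred_kdc continues outside the hunk.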
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index 979fc9b0ae..2ec1c5e41b 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -407,7 +407,7 @@ krb5_get_forwarded_creds (krb5_context context,
*/
if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
- cred.enc_part.etype = ENCTYPE_NULL;
+ cred.enc_part.etype = KRB5_ENCTYPE_NULL;
cred.enc_part.kvno = NULL;
cred.enc_part.cipher.data = buf;
cred.enc_part.cipher.length = buf_size;
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index 27f4964e61..41618b9616 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c
@@ -480,7 +480,7 @@ krb5_get_in_cred(krb5_context context,
}
}
if(pa) {
- salt.salttype = pa->padata_type;
+ salt.salttype = (krb5_salttype)pa->padata_type;
salt.saltvalue = pa->padata_value;
ret = (*key_proc)(context, etype, salt, keyseed, &key);
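Review bot: `(krb5_salttype)pa->padata_type` silences the type mismatch but leaves the reason unrecorded: a PA-DATA type value is being used as a salt type, which is only correct if the salt-type enumerators numerically coincide with the pa-data types they are taken from — presumably by design, but not visible here. The same cast appears in the init_creds_pw.c hunk at `paid->salt.salttype = (krb5_salttype)pa_prefs[i].type;`. A short comment at both sites, e.g. `/* salt types share the PA-DATA type numbering */`, would make the cast auditable rather than read as a warning suppression. krb5_get_in_cred continues outside the hunk.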
diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c
index f2185628e5..6c874126ab 100644
--- a/source4/heimdal/lib/krb5/init_creds_pw.c
+++ b/source4/heimdal/lib/krb5/init_creds_pw.c
@@ -859,7 +859,7 @@ pa_pw_or_afs3_salt(krb5_context context,
heim_octet_string *data)
{
krb5_error_code ret;
- if (paid->etype == ENCTYPE_NULL)
+ if (paid->etype == KRB5_ENCTYPE_NULL)
return NULL;
ret = set_paid(paid, context,
paid->etype,
@@ -915,7 +915,7 @@ process_pa_info(krb5_context context,
PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
if (pa == NULL)
continue;
- paid->salt.salttype = pa_prefs[i].type;
+ paid->salt.salttype = (krb5_salttype)pa_prefs[i].type;
p = (*pa_prefs[i].salt_info)(context, client, asreq,
paid, &pa->padata_value);
}
@@ -1204,7 +1204,7 @@ process_pa_data_to_md(krb5_context context,
paid = calloc(1, sizeof(*paid));
- paid->etype = ENCTYPE_NULL;
+ paid->etype = KRB5_ENCTYPE_NULL;
ppaid = process_pa_info(context, creds->client, a, paid, in_md);
if (ppaid)
diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c
index 9ba9c4b290..6e781aca78 100644
--- a/source4/heimdal/lib/krb5/keyblock.c
+++ b/source4/heimdal/lib/krb5/keyblock.c
@@ -65,7 +65,7 @@ krb5_free_keyblock_contents(krb5_context context,
if (keyblock->keyvalue.data != NULL)
memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length);
krb5_data_free (&keyblock->keyvalue);
- keyblock->keytype = ENCTYPE_NULL;
+ keyblock->keytype = KRB5_ENCTYPE_NULL;
}
}
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 2224b92e95..9c0f566946 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -326,7 +326,9 @@ typedef HostAddress krb5_address;
typedef HostAddresses krb5_addresses;
-typedef enum krb5_keytype {
+typedef krb5_enctype krb5_keytype;
+
+enum krb5_keytype_old {
KEYTYPE_NULL = ETYPE_NULL,
KEYTYPE_DES = ETYPE_DES_CBC_CRC,
KEYTYPE_DES3 = ETYPE_OLD_DES3_CBC_SHA1,
@@ -334,7 +336,7 @@ typedef enum krb5_keytype {
KEYTYPE_AES256 = ETYPE_AES256_CTS_HMAC_SHA1_96,
KEYTYPE_ARCFOUR = ETYPE_ARCFOUR_HMAC_MD5,
KEYTYPE_ARCFOUR_56 = ETYPE_ARCFOUR_HMAC_MD5_56
-} krb5_keytype;
+};
typedef EncryptionKey krb5_keyblock;
@@ -876,6 +878,11 @@ typedef struct {
typedef krb5_error_code
(KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *);
+typedef struct {
+ krb5_enctype ks_enctype;
+ krb5int32 ks_salttype;
+}krb5_key_salt_tuple;
+
/*
*
*/
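Review bot: The new public `krb5_key_salt_tuple` is added to krb5.h without a doc comment, and `}krb5_key_salt_tuple;` lacks the space after the brace that the neighbouring typedefs use. Its `ks_salttype` member is `krb5int32` while the rest of this commit types salt values as `krb5_salttype` (see the casts in get_in_tkt.c and init_creds_pw.c); if the layout deliberately mirrors another implementation's struct for compatibility, a comment should say so, otherwise `krb5_salttype` would keep the header self-consistent. Suggested: `/** Pair of encryption type and salt type. */` above the typedef and `} krb5_key_salt_tuple;` to close it.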
diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c
index 803a5bf289..16c230a11f 100644
--- a/source4/heimdal/lib/krb5/mit_glue.c
+++ b/source4/heimdal/lib/krb5/mit_glue.c
@@ -139,7 +139,7 @@ krb5_checksum_free(krb5_context context, krb5_checksum *cksum)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_c_valid_enctype (krb5_enctype etype)
{
- return krb5_enctype_valid(NULL, etype);
+ return !krb5_enctype_valid(NULL, etype);
}
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
diff --git a/source4/heimdal/lib/krb5/version-script.map b/source4/heimdal/lib/krb5/version-script.map
index fad84ebb5b..818e6e071c 100644
--- a/source4/heimdal/lib/krb5/version-script.map
+++ b/source4/heimdal/lib/krb5/version-script.map
@@ -285,6 +285,7 @@ HEIMDAL_KRB5_2.0 {
krb5_free_creds_contents;
krb5_free_data;
krb5_free_data_contents;
+ krb5_free_default_realm;
krb5_free_error;
krb5_free_error_contents;
krb5_free_error_string;