From 243321b4bbe273cf3a9105ca132caa2b53e2f263 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Aug 2008 19:35:52 +0200
Subject: heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal
 patches

This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.

metze
(This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
---
 source4/heimdal/kdc/krb5tgs.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

(limited to 'source4/heimdal/kdc/krb5tgs.c')

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 071a30d5a7..19dff5e01d 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -33,7 +33,7 @@
 
 #include "kdc_locl.h"
 
-RCSID("$Id: krb5tgs.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 
 /*
  * return the realm of a krbtgt-ticket or NULL
@@ -662,6 +662,7 @@ tgs_make_reply(krb5_context context,
 	       krb5_kvno kvno,
 	       AuthorizationData *auth_data,
 	       hdb_entry_ex *server,
+	       krb5_principal server_principal,
 	       const char *server_name,
 	       hdb_entry_ex *client,
 	       krb5_principal client_principal,
@@ -678,6 +679,7 @@ tgs_make_reply(krb5_context context,
     EncTicketPart et;
     KDCOptions f = b->kdc_options;
     krb5_error_code ret;
+    int is_weak = 0;
 
     memset(&rep, 0, sizeof(rep));
     memset(&et, 0, sizeof(et));
@@ -729,9 +731,9 @@ tgs_make_reply(krb5_context context,
     if(ret)
 	goto out;
 
-    copy_Realm(krb5_princ_realm(context, server->entry.principal),
+    copy_Realm(krb5_princ_realm(context, server_principal),
 	       &rep.ticket.realm);
-    _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
+    _krb5_principal2principalname(&rep.ticket.sname, server_principal);
     copy_Realm(&tgt_name->realm, &rep.crealm);
 /*
     if (f.request_anonymous)
@@ -885,6 +887,14 @@ tgs_make_reply(krb5_context context,
 	    goto out;
     }
 
+    if (krb5_enctype_valid(context, et.key.keytype) != 0
+	&& _kdc_is_weak_expection(server->entry.principal, et.key.keytype)) 
+    {
+	krb5_enctype_enable(context, et.key.keytype);
+	is_weak = 1;
+    }
+
+
     /* It is somewhat unclear where the etype in the following
        encryption should come from. What we have is a session
        key in the passed tgt, and a list of preferred etypes
@@ -899,6 +909,9 @@ tgs_make_reply(krb5_context context,
 			    &rep, &et, &ek, et.key.keytype,
 			    kvno,
 			    serverkey, 0, &tgt->key, e_text, reply);
+    if (is_weak)
+	krb5_enctype_disable(context, et.key.keytype);
+
 out:
     free_TGS_REP(&rep);
     free_TransitedEncoding(&et.transited);
@@ -1462,7 +1475,8 @@ tgs_build_reply(krb5_context context,
      */
 
 server_lookup:
-    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server);
+    ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
+			NULL, &server);
 
     if(ret){
 	const char *new_rlm;
@@ -1521,7 +1535,8 @@ server_lookup:
 	goto out;
     }
 
-    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
+    ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+			NULL, &client);
     if(ret) {
 	const char *krbtgt_realm;
 
@@ -1927,6 +1942,7 @@ server_lookup:
 			 kvno,
 			 *auth_data,
 			 server,
+			 sp,
 			 spn,
 			 client,
 			 cp,
-- 
cgit