From 5a8635bca1b6d60a5b81c602eb4f0b7fd8902d7b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 25 Jul 2011 18:51:53 +0200
Subject: s4:heimdal: import lorikeet-heimdal-201107241840 (commit 0fdf11fa3cdb47df9f5393ebf36d9f5742243036)

---
source4/heimdal/lib/krb5/auth_context.c | 2 +-
source4/heimdal/lib/krb5/crypto-aes.c | 4 ++--
source4/heimdal/lib/krb5/crypto-arcfour.c | 2 +-
source4/heimdal/lib/krb5/crypto-des.c | 4 ++--
source4/heimdal/lib/krb5/crypto-des3.c | 4 ++--
source4/heimdal/lib/krb5/crypto-null.c | 2 +-
source4/heimdal/lib/krb5/crypto.c | 32 ++++++++++++++++++++---------
source4/heimdal/lib/krb5/crypto.h | 2 +-
source4/heimdal/lib/krb5/error_string.c | 15 ++++++++++++++
source4/heimdal/lib/krb5/get_cred.c | 5 +++++
source4/heimdal/lib/krb5/get_for_creds.c | 2 +-
source4/heimdal/lib/krb5/get_in_tkt.c | 2 +-
source4/heimdal/lib/krb5/init_creds_pw.c | 6 +++---
source4/heimdal/lib/krb5/keyblock.c | 2 +-
source4/heimdal/lib/krb5/krb5.h | 11 ++++++++--
source4/heimdal/lib/krb5/mit_glue.c | 2 +-
source4/heimdal/lib/krb5/version-script.map | 1 +
17 files changed, 69 insertions(+), 29 deletions(-)
(limited to 'source4/heimdal/lib/krb5')

diff --git a/source4/heimdal/lib/krb5/auth_context.c b/source4/heimdal/lib/krb5/auth_context.c
index 518e19359c..33f4ed283d 100644
--- a/source4/heimdal/lib/krb5/auth_context.c
+++ b/source4/heimdal/lib/krb5/auth_context.c
@@ -58,7 +58,7 @@ krb5_auth_con_init(krb5_context context,
 p->remote_address = NULL;
 p->local_port = 0;
 p->remote_port = 0;
- p->keytype = KEYTYPE_NULL;
+ p->keytype = KRB5_ENCTYPE_NULL;
 p->cksumtype = CKSUMTYPE_NONE;
 *auth_context = p;
 return 0;
diff --git a/source4/heimdal/lib/krb5/crypto-aes.c b/source4/heimdal/lib/krb5/crypto-aes.c
index e8facd85dd..783372b399 100644
--- a/source4/heimdal/lib/krb5/crypto-aes.c
+++ b/source4/heimdal/lib/krb5/crypto-aes.c
@@ -38,7 +38,7 @@
 */
 
 static struct _krb5_key_type keytype_aes128 = {
- KEYTYPE_AES128,
+ KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
 "aes-128",
 128,
 16,
@@ -52,7 +52,7 @@ static struct _krb5_key_type keytype_aes128 = {
 };
 
 static struct _krb5_key_type keytype_aes256 = {
- KEYTYPE_AES256,
+ KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 "aes-256",
 256,
 32,
diff --git a/source4/heimdal/lib/krb5/crypto-arcfour.c b/source4/heimdal/lib/krb5/crypto-arcfour.c
index 82769aea62..1d4f94672a 100644
--- a/source4/heimdal/lib/krb5/crypto-arcfour.c
+++ b/source4/heimdal/lib/krb5/crypto-arcfour.c
@@ -38,7 +38,7 @@
 #include "krb5_locl.h"
 
 static struct _krb5_key_type keytype_arcfour = {
- KEYTYPE_ARCFOUR,
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
 "arcfour",
 128,
 16,
diff --git a/source4/heimdal/lib/krb5/crypto-des.c b/source4/heimdal/lib/krb5/crypto-des.c
index 63ce901d92..f6f1c6881c 100644
--- a/source4/heimdal/lib/krb5/crypto-des.c
+++ b/source4/heimdal/lib/krb5/crypto-des.c
@@ -69,7 +69,7 @@ krb5_DES_random_to_key(krb5_context context,
 }
 
 static struct _krb5_key_type keytype_des_old = {
- KEYTYPE_DES,
+ ETYPE_DES_CBC_CRC,
 "des-old",
 56,
 8,
@@ -83,7 +83,7 @@ static struct _krb5_key_type keytype_des_old = {
 };
 
 static struct _krb5_key_type keytype_des = {
- KEYTYPE_DES,
+ ETYPE_DES_CBC_CRC,
 "des",
 56,
 8,
diff --git a/source4/heimdal/lib/krb5/crypto-des3.c b/source4/heimdal/lib/krb5/crypto-des3.c
index d50c5cebe2..43806038b7 100644
--- a/source4/heimdal/lib/krb5/crypto-des3.c
+++ b/source4/heimdal/lib/krb5/crypto-des3.c
@@ -55,7 +55,7 @@ DES3_random_key(krb5_context context,
 #ifdef DES3_OLD_ENCTYPE
 
 static struct _krb5_key_type keytype_des3 = {
- KEYTYPE_DES3,
+ ETYPE_OLD_DES3_CBC_SHA1,
 "des3",
 168,
 24,
@@ -70,7 +70,7 @@ static struct _krb5_key_type keytype_des3 = {
 #endif
 
 static struct _krb5_key_type keytype_des3_derived = {
- KEYTYPE_DES3,
+ ETYPE_OLD_DES3_CBC_SHA1,
 "des3",
 168,
 24,
diff --git a/source4/heimdal/lib/krb5/crypto-null.c b/source4/heimdal/lib/krb5/crypto-null.c
index 69d0e7c34e..b647a6d109 100644
--- a/source4/heimdal/lib/krb5/crypto-null.c
+++ b/source4/heimdal/lib/krb5/crypto-null.c
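Review bot: The key-type tables in crypto-des.c and crypto-des3.c are initialised with the ASN.1 names `ETYPE_DES_CBC_CRC` and `ETYPE_OLD_DES3_CBC_SHA1`, while the aes, arcfour and null tables in this same commit use `KRB5_ENCTYPE_*` names and the `switch(kt->type)` in `_krb5_derive_key` matches on `KRB5_ENCTYPE_OLD_DES3_CBC_SHA1`. Now that the `type` field is declared `krb5_enctype`, one family should be used throughout so a reader can see by eye that a table entry and its switch case are the same value; `KRB5_ENCTYPE_DES_CBC_CRC` and `KRB5_ENCTYPE_OLD_DES3_CBC_SHA1` would match the rest of the change. The struct initialisers continue outside the hunks.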
@@ -38,7 +38,7 @@
 #endif
 
 static struct _krb5_key_type keytype_null = {
- KEYTYPE_NULL,
+ KRB5_ENCTYPE_NULL,
 "null",
 0,
 0,
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 63aedc4568..732311bec9 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -693,24 +693,36 @@ krb5_enctype_to_keytype(krb5_context context,
 return 0;
 }
 
+/**
+ * Check if a enctype is valid, return 0 if it is.
+ *
+ * @param context Kerberos context
+ * @param etype enctype to check if its valid or not
+ *
+ * @return Return an error code for an failure or 0 on success (enctype valid).
+ * @ingroup krb5_crypto
+ */
+
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
 krb5_enctype_valid(krb5_context context,
 krb5_enctype etype)
 {
 struct _krb5_encryption_type *e = _krb5_find_enctype(etype);
+ if(e && (e->flags & F_DISABLED) == 0)
+ return 0;
+ if (context == NULL)
+ return KRB5_PROG_ETYPE_NOSUPP;
 if(e == NULL) {
 krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
 N_("encryption type %d not supported", ""),
 etype);
 return KRB5_PROG_ETYPE_NOSUPP;
 }
- if (e->flags & F_DISABLED) {
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("encryption type %s is disabled", ""),
- e->name);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
- return 0;
+ /* Must be (e->flags & F_DISABLED) */
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("encryption type %s is disabled", ""),
+ e->name);
+ return KRB5_PROG_ETYPE_NOSUPP;
 }
 
 /**
@@ -1886,11 +1898,11 @@ _krb5_derive_key(krb5_context context,
 /* XXX keytype dependent post-processing */
 
 switch(kt->type) {
- case KEYTYPE_DES3:
+ case KRB5_ENCTYPE_OLD_DES3_CBC_SHA1:
 _krb5_DES3_random_to_key(context, key->key, k, nblocks * et->blocksize);
 break;
- case KEYTYPE_AES128:
- case KEYTYPE_AES256:
+ case KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+ case KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
 memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length);
 break;
 default:
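Review bot: The new doxygen block on krb5_enctype_valid does not say that `context` may be NULL, which is exactly the behaviour the body adds with `if (context == NULL) return KRB5_PROG_ETYPE_NOSUPP;` and which krb5_c_valid_enctype in mit_glue.c relies on; suggest `@param context Kerberos context, may be NULL in which case no error message is stored`. The same block has two wording slips that should read `Check if an enctype is valid, return 0 if it is.` and `@return Return an error code for a failure or 0 on success (enctype valid).`, and the @return text should mention that an unknown and a disabled enctype both yield KRB5_PROG_ETYPE_NOSUPP, so callers cannot tell them apart by return code. The explicit NULL check duplicates the guard this commit adds to krb5_vset_error_message, assuming krb5_set_error_message forwards to it; it is harmless, but a comment such as `/* skip message formatting entirely when there is no context */` would stop a later reader from dropping one of the two as redundant.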
diff --git a/source4/heimdal/lib/krb5/crypto.h b/source4/heimdal/lib/krb5/crypto.h
index bf945875b9..9b95b8f0cb 100644
--- a/source4/heimdal/lib/krb5/crypto.h
+++ b/source4/heimdal/lib/krb5/crypto.h
@@ -69,7 +69,7 @@ struct salt_type {
 };
 
 struct _krb5_key_type {
- krb5_keytype type; /* XXX */
+ krb5_enctype type;
 const char *name;
 size_t bits;
 size_t size;
diff --git a/source4/heimdal/lib/krb5/error_string.c b/source4/heimdal/lib/krb5/error_string.c
index 7a7b989b69..bebd4c490e 100644
--- a/source4/heimdal/lib/krb5/error_string.c
+++ b/source4/heimdal/lib/krb5/error_string.c
@@ -59,6 +59,8 @@ krb5_clear_error_message(krb5_context context)
 * Set the context full error string for a specific error code.
 * The error that is stored should be internationalized.
 *
+ * The if context is NULL, no error string is stored.
+ *
 * @param context Kerberos 5 context
 * @param ret The error code
 * @param fmt Error string for the error code
@@ -82,6 +84,8 @@ krb5_set_error_message(krb5_context context, krb5_error_code ret,
 /**
 * Set the context full error string for a specific error code.
 *
+ * The if context is NULL, no error string is stored.
+ *
 * @param context Kerberos 5 context
 * @param ret The error code
 * @param fmt Error string for the error code
@@ -98,6 +102,9 @@ krb5_vset_error_message (krb5_context context, krb5_error_code ret,
 {
 int r;
 
+ if (context == NULL)
+ return;
+
 HEIMDAL_MUTEX_lock(context->mutex);
 if (context->error_string) {
 free(context->error_string);
@@ -114,6 +121,8 @@ krb5_vset_error_message (krb5_context context, krb5_error_code ret,
 * Prepend the context full error string for a specific error code.
 * The error that is stored should be internationalized.
 *
+ * The if context is NULL, no error string is stored.
+ *
 * @param context Kerberos 5 context
 * @param ret The error code
 * @param fmt Error string for the error code
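Review bot: The sentence added to the doxygen blocks in error_string.c reads `The if context is NULL, no error string is stored.`; it should be `If the context is NULL, no error string is stored.` in all four places (the hunks at 59, 84 and 114 here and the one at 146 on the following line). The guards `if (context == NULL) return;` in krb5_vset_error_message and krb5_vprepend_error_message are correctly placed before `HEIMDAL_MUTEX_lock(context->mutex)`, so no mutex is touched through a NULL context. The non-v variants krb5_set_error_message and krb5_prepend_error_message are not visible in these hunks, so that they reach the new guards is inferred from the shared doc comment rather than shown.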
@@ -137,6 +146,8 @@ krb5_prepend_error_message(krb5_context context, krb5_error_code ret,
 /**
 * Prepend the contexts's full error string for a specific error code.
 *
+ * The if context is NULL, no error string is stored.
+ *
 * @param context Kerberos 5 context
 * @param ret The error code
 * @param fmt Error string for the error code
@@ -151,6 +162,10 @@ krb5_vprepend_error_message(krb5_context context, krb5_error_code ret,
 __attribute__ ((format (printf, 3, 0)))
 {
 char *str = NULL, *str2 = NULL;
+
+ if (context == NULL)
+ return;
+
 HEIMDAL_MUTEX_lock(context->mutex);
 if (context->error_code != ret) {
 HEIMDAL_MUTEX_unlock(context->mutex);
diff --git a/source4/heimdal/lib/krb5/get_cred.c b/source4/heimdal/lib/krb5/get_cred.c
index e3bb23a2e9..51550daa4c 100644
--- a/source4/heimdal/lib/krb5/get_cred.c
+++ b/source4/heimdal/lib/krb5/get_cred.c
@@ -543,6 +543,11 @@ get_cred_kdc(krb5_context context,
 /* this should go someplace else */
 out_creds->times.endtime = in_creds->times.endtime;
 
+ /*
+ * Windows KDCs always canonicalize the server name
+ */
+ eflags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
+
 /* XXX should do better testing */
 if (flags.b.constrained_delegation || impersonate_principal)
 eflags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
diff --git a/source4/heimdal/lib/krb5/get_for_creds.c b/source4/heimdal/lib/krb5/get_for_creds.c
index 979fc9b0ae..2ec1c5e41b 100644
--- a/source4/heimdal/lib/krb5/get_for_creds.c
+++ b/source4/heimdal/lib/krb5/get_for_creds.c
@@ -407,7 +407,7 @@ krb5_get_forwarded_creds (krb5_context context,
 */
 
 if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) {
- cred.enc_part.etype = ENCTYPE_NULL;
+ cred.enc_part.etype = KRB5_ENCTYPE_NULL;
 cred.enc_part.kvno = NULL;
 cred.enc_part.cipher.data = buf;
 cred.enc_part.cipher.length = buf_size;
diff --git a/source4/heimdal/lib/krb5/get_in_tkt.c b/source4/heimdal/lib/krb5/get_in_tkt.c
index 27f4964e61..41618b9616 100644
--- a/source4/heimdal/lib/krb5/get_in_tkt.c
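Review bot: `eflags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;` in get_cred_kdc is applied unconditionally, so the relaxed check on the server name in the TGS reply now applies to every KDC, not only the Windows KDCs the comment names, and it is not tied to whether canonicalisation was requested. The comment should record the consequence for callers rather than only the motivation, e.g. `Windows KDCs always canonicalize the server name, so accept a ticket whose sname differs from the one requested; callers must treat out_creds->server, not in_creds->server, as the service the ticket was issued for.` Whether the KDC options passed in carry a canonicalize bit that this flag could be gated on cannot be judged from the hunk. get_cred_kdc continues outside the hunk in both directions.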
+++ b/source4/heimdal/lib/krb5/get_in_tkt.c @@ -480,7 +480,7 @@ krb5_get_in_cred(krb5_context context, } } if(pa) { - salt.salttype = pa->padata_type; + salt.salttype = (krb5_salttype)pa->padata_type; salt.saltvalue = pa->padata_value; ret = (*key_proc)(context, etype, salt, keyseed, &key); diff --git a/source4/heimdal/lib/krb5/init_creds_pw.c b/source4/heimdal/lib/krb5/init_creds_pw.c index f2185628e5..6c874126ab 100644 --- a/source4/heimdal/lib/krb5/init_creds_pw.c +++ b/source4/heimdal/lib/krb5/init_creds_pw.c @@ -859,7 +859,7 @@ pa_pw_or_afs3_salt(krb5_context context, heim_octet_string *data) { krb5_error_code ret; - if (paid->etype == ENCTYPE_NULL) + if (paid->etype == KRB5_ENCTYPE_NULL) return NULL; ret = set_paid(paid, context, paid->etype, @@ -915,7 +915,7 @@ process_pa_info(krb5_context context, PA_DATA *pa = find_pa_data(md, pa_prefs[i].type); if (pa == NULL) continue; - paid->salt.salttype = pa_prefs[i].type; + paid->salt.salttype = (krb5_salttype)pa_prefs[i].type; p = (*pa_prefs[i].salt_info)(context, client, asreq, paid, &pa->padata_value); } @@ -1204,7 +1204,7 @@ process_pa_data_to_md(krb5_context context, paid = calloc(1, sizeof(*paid)); - paid->etype = ENCTYPE_NULL; + paid->etype = KRB5_ENCTYPE_NULL; ppaid = process_pa_info(context, creds->client, a, paid, in_md); if (ppaid) diff --git a/source4/heimdal/lib/krb5/keyblock.c b/source4/heimdal/lib/krb5/keyblock.c index 9ba9c4b290..6e781aca78 100644 --- a/source4/heimdal/lib/krb5/keyblock.c +++ b/source4/heimdal/lib/krb5/keyblock.c @@ -65,7 +65,7 @@ krb5_free_keyblock_contents(krb5_context context, if (keyblock->keyvalue.data != NULL) memset(keyblock->keyvalue.data, 0, keyblock->keyvalue.length); krb5_data_free (&keyblock->keyvalue); - keyblock->keytype = ENCTYPE_NULL; + keyblock->keytype = KRB5_ENCTYPE_NULL; } } diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h index 2224b92e95..9c0f566946 100644 --- a/source4/heimdal/lib/krb5/krb5.h +++ b/source4/heimdal/lib/krb5/krb5.h 
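Review bot: In the init_creds_pw.c hunk at line 1204 the new line `paid->etype = KRB5_ENCTYPE_NULL;` dereferences `paid` directly after `paid = calloc(1, sizeof(*paid));` with no NULL check, so an allocation failure becomes a NULL dereference instead of an error return; add `if (paid == NULL) return ENOMEM;` between the two lines, in whatever error form the rest of process_pa_data_to_md uses (its return type is outside the hunk). The casts `(krb5_salttype)pa->padata_type` in get_in_tkt.c and `(krb5_salttype)pa_prefs[i].type` in init_creds_pw.c silence a conversion warning but also encode the assumption that the PA-DATA type numbers used here coincide with the salt-type numbers; a one-line comment at each site, such as `/* the PW/AFS3 salt padata types share their numbers with the salttype values */`, would record why the cast is valid.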
@@ -326,7 +326,9 @@ typedef HostAddress krb5_address;
 
 typedef HostAddresses krb5_addresses;
 
-typedef enum krb5_keytype {
+typedef krb5_enctype krb5_keytype;
+
+enum krb5_keytype_old {
 KEYTYPE_NULL = ETYPE_NULL,
 KEYTYPE_DES = ETYPE_DES_CBC_CRC,
 KEYTYPE_DES3 = ETYPE_OLD_DES3_CBC_SHA1,
@@ -334,7 +336,7 @@ typedef enum krb5_keytype {
 KEYTYPE_AES256 = ETYPE_AES256_CTS_HMAC_SHA1_96,
 KEYTYPE_ARCFOUR = ETYPE_ARCFOUR_HMAC_MD5,
 KEYTYPE_ARCFOUR_56 = ETYPE_ARCFOUR_HMAC_MD5_56
-} krb5_keytype;
+};
 
 typedef EncryptionKey krb5_keyblock;
 
@@ -876,6 +878,11 @@ typedef struct {
 typedef krb5_error_code
 (KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *);
 
+typedef struct {
+ krb5_enctype ks_enctype;
+ krb5int32 ks_salttype;
+}krb5_key_salt_tuple;
+
 /*
 *
 */
diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c
index 803a5bf289..16c230a11f 100644
--- a/source4/heimdal/lib/krb5/mit_glue.c
+++ b/source4/heimdal/lib/krb5/mit_glue.c
@@ -139,7 +139,7 @@ krb5_checksum_free(krb5_context context, krb5_checksum *cksum)
 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_c_valid_enctype (krb5_enctype etype)
 {
- return krb5_enctype_valid(NULL, etype);
+ return !krb5_enctype_valid(NULL, etype);
 }
 
 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
diff --git a/source4/heimdal/lib/krb5/version-script.map b/source4/heimdal/lib/krb5/version-script.map
index fad84ebb5b..818e6e071c 100644
--- a/source4/heimdal/lib/krb5/version-script.map
+++ b/source4/heimdal/lib/krb5/version-script.map
@@ -285,6 +285,7 @@ HEIMDAL_KRB5_2.0 {
 krb5_free_creds_contents;
 krb5_free_data;
 krb5_free_data_contents;
+ krb5_free_default_realm;
 krb5_free_error;
 krb5_free_error_contents;
 krb5_free_error_string;
--
cgit
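Review bot: `}krb5_key_salt_tuple;` in krb5.h lacks the space before the typedef name used by the other typedefs in the header, and the new struct carries no comment saying what it is for; since it types `ks_salttype` as `krb5int32` while the rest of this commit moves salt types to `krb5_salttype`, a comment such as `/* MIT krb5 API compatibility: layout follows MIT's krb5_key_salt_tuple */` would explain the field type, if that is indeed the reason. `enum krb5_keytype_old` keeps the `KEYTYPE_*` names compiling but nothing marks them as legacy; `/* legacy names kept for source compatibility, new code uses KRB5_ENCTYPE_* */` on the enum would steer callers. Turning krb5_keytype from its own enum into a typedef of krb5_enctype only changes the ABI if the two enums differ in underlying size, which cannot be judged from this hunk.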