diff options
author | Stanislav Sedov <stas@FreeBSD.org> | 2012-04-08 08:19:17 +0000 |
---|---|---|
committer | Stanislav Sedov <stas@FreeBSD.org> | 2012-04-08 08:19:17 +0000 |
commit | cf771f223b1a69e11fd1b70b0a274a73fe844335 (patch) | |
tree | b776209adefb14f82be8f607e6cc465dfddd90c3 /crypto/heimdal/lib | |
parent | 85121b0979d1b34404bda3d96036de84025ae5bf (diff) | |
parent | feec3621854ef6b1ccd3598df2202c0622929444 (diff) | |
download | src-cf771f223b1a69e11fd1b70b0a274a73fe844335.tar.gz src-cf771f223b1a69e11fd1b70b0a274a73fe844335.zip |
- Update FreeBSD's Heimdal distribution to 1.5.2. This is a bugfix
release, which fixes a DoS issue in libkrb5.
Notes
Notes:
svn path=/head/; revision=234027
Diffstat (limited to 'crypto/heimdal/lib')
23 files changed, 103 insertions, 56 deletions
diff --git a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c index 3123787ff474..3814ef7062c1 100644 --- a/crypto/heimdal/lib/gssapi/krb5/verify_mic.c +++ b/crypto/heimdal/lib/gssapi/krb5/verify_mic.c @@ -251,6 +251,14 @@ retry: csum.checksum.length = 20; csum.checksum.data = p + 8; + krb5_crypto_destroy (context, crypto); + ret = krb5_crypto_init(context, key, + ETYPE_DES3_CBC_SHA1, &crypto); + if (ret){ + *minor_status = ret; + return GSS_S_FAILURE; + } + ret = krb5_verify_checksum (context, crypto, KRB5_KU_USAGE_SIGN, tmp, message_buffer->length + 8, diff --git a/crypto/heimdal/lib/hx509/sel-lex.l b/crypto/heimdal/lib/hx509/sel-lex.l index 4c9396750a34..bb7e8374c7d1 100644 --- a/crypto/heimdal/lib/hx509/sel-lex.l +++ b/crypto/heimdal/lib/hx509/sel-lex.l @@ -50,6 +50,7 @@ unsigned lineno = 1; static char * handle_string(void); static int lex_input(char *, int); +static int lex_classic_input(void); struct hx_expr_input _hx509_expr_input; diff --git a/crypto/heimdal/lib/kadm5/password_quality.c b/crypto/heimdal/lib/kadm5/password_quality.c index a6f0b3ef67ee..eb72ba6182ee 100644 --- a/crypto/heimdal/lib/kadm5/password_quality.c +++ b/crypto/heimdal/lib/kadm5/password_quality.c @@ -34,8 +34,6 @@ #include "kadm5_locl.h" #include "kadm5-pwcheck.h" -RCSID("$Id$"); - #ifdef HAVE_SYS_WAIT_H #include <sys/wait.h> #endif @@ -473,7 +471,8 @@ kadm5_check_password_quality (krb5_context context, NULL); if (v == NULL) { msg = (*passwd_quality_check) (context, principal, pwd_data); - krb5_set_error_message(context, 0, "password policy failed: %s", msg); + if (msg) + krb5_set_error_message(context, 0, "password policy failed: %s", msg); return msg; } diff --git a/crypto/heimdal/lib/krb5/crypto-arcfour.c b/crypto/heimdal/lib/krb5/crypto-arcfour.c index 1b369d2fda14..7f7e21d0d22c 100644 --- a/crypto/heimdal/lib/krb5/crypto-arcfour.c +++ b/crypto/heimdal/lib/krb5/crypto-arcfour.c @@ -317,7 +317,7 @@ struct _krb5_encryption_type _krb5_enctype_arcfour_hmac_md5 = { 8, &keytype_arcfour, &_krb5_checksum_hmac_md5, - NULL, + &_krb5_checksum_hmac_md5, F_SPECIAL, ARCFOUR_encrypt, 0, diff --git a/crypto/heimdal/lib/krb5/crypto.c b/crypto/heimdal/lib/krb5/crypto.c index 4b66035155dd..67ecef62e875 100644 --- a/crypto/heimdal/lib/krb5/crypto.c +++ b/crypto/heimdal/lib/krb5/crypto.c @@ -467,7 +467,7 @@ verify_checksum(krb5_context context, return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */ } kct = crypto->et->keyed_checksum; - if (kct != NULL && kct->type != ct->type) { + if (kct == NULL || kct->type != ct->type) { krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP, N_("Checksum type %s is keyed, but " "the key type %s passed didnt have that checksum " diff --git a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c index ef11e370f443..a6e14aba31dd 100644 --- a/crypto/heimdal/lib/krb5/eai_to_heim_errno.c +++ b/crypto/heimdal/lib/krb5/eai_to_heim_errno.c @@ -68,6 +68,10 @@ krb5_eai_to_heim_errno(int eai_errno, int system_error) case EAI_NODATA: return HEIM_EAI_NODATA; #endif +#ifdef WSANO_DATA + case WSANO_DATA: + return HEIM_EAI_NODATA; +#endif case EAI_NONAME: return HEIM_EAI_NONAME; case EAI_SERVICE: diff --git a/crypto/heimdal/lib/krb5/krb5.conf.5 b/crypto/heimdal/lib/krb5/krb5.conf.5 index 9e1edc7b6ca1..77d7f808ae47 100644 --- a/crypto/heimdal/lib/krb5/krb5.conf.5 +++ b/crypto/heimdal/lib/krb5/krb5.conf.5 @@ -412,19 +412,22 @@ Default is the same as Should the kdc answer kdc-requests over http. .It Li enable-kaserver = Va BOOL If this kdc should emulate the AFS kaserver. -.It Li as-use-strongest-session-key = Va BOOL +.It Li tgt-use-strongest-session-key = Va BOOL If this is TRUE then the KDC will prefer the strongest key from the -client's AS-REQ enctype list, that is also supported by the KDC and the -target principal, for the ticket session key. Else it will prefer the -first key from the client's AS-REQ enctype list that is also supported -by the KDC and the target principal. Defaults to TRUE. +client's AS-REQ or TGS-REQ enctype list for the ticket session key that +is supported by the KDC and the target principal when the target +principal is a krbtgt principal. Else it will prefer the first key from +the client's AS-REQ enctype list that is also supported by the KDC and +the target principal. Defaults to TRUE. +.It Li svc-use-strongest-session-key = Va BOOL +Like tgt-use-strongest-session-key, but applies to the session key +enctype of tickets for services other than krbtgt principals. Defaults +to TRUE. .It Li preauth-use-strongest-session-key = Va BOOL -Like as-use-strongest-session-key, but applies to the session key -enctype selection for PA-ETYPE-INFO2 (i.e., for password-based -pre-authentication). Defaults to TRUE. -.It Li tgs-use-strongest-session-key = Va BOOL -Like as-use-strongest-session-key, but applies to the session key -enctype of tickets issued by the TGS. Defaults to TRUE. +If TRUE then select the strongest possible enctype from the client's +AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication). +Else pick the first supported enctype from the client's AS-REQ. Defaults +to TRUE. .It Li use-strongest-server-key = Va BOOL If TRUE then the KDC picks, for the ticket encrypted part's key, the first supported enctype from the target service principal's hdb entry's diff --git a/crypto/heimdal/lib/krb5/pac.c b/crypto/heimdal/lib/krb5/pac.c index f4caaddc264b..91f68d5e00e7 100644 --- a/crypto/heimdal/lib/krb5/pac.c +++ b/crypto/heimdal/lib/krb5/pac.c @@ -706,7 +706,7 @@ build_logon_name(krb5_context context, krb5_storage *sp; uint64_t t; char *s, *s2; - size_t i, len; + size_t s2_len; t = unix2nttime(authtime); @@ -726,29 +726,60 @@ build_logon_name(krb5_context context, if (ret) goto out; - len = strlen(s); + { + size_t ucs2_len; + uint16_t *ucs2; + unsigned int flags; - CHECK(ret, krb5_store_uint16(sp, len * 2), out); + ret = wind_utf8ucs2_length(s, &ucs2_len); + if (ret) { + free(s); + krb5_set_error_message(context, ret, "Failed to count length of UTF-8 string"); + return ret; + } -#if 1 /* cheat for now */ - s2 = malloc(len * 2); - if (s2 == NULL) { - ret = krb5_enomem(context); + ucs2 = malloc(sizeof(ucs2[0]) * ucs2_len); + if (ucs2 == NULL) { + free(s); + return krb5_enomem(context); + } + + ret = wind_utf8ucs2(s, ucs2, &ucs2_len); free(s); - goto out; - } - for (i = 0; i < len; i++) { - s2[i * 2] = s[i]; - s2[i * 2 + 1] = 0; + if (ret) { + free(ucs2); + krb5_set_error_message(context, ret, "Failed to convert string to UCS-2"); + return ret; + } + + s2_len = (ucs2_len + 1) * 2; + s2 = malloc(s2_len); + if (ucs2 == NULL) { + free(ucs2); + return krb5_enomem(context); + } + + flags = WIND_RW_LE; + ret = wind_ucs2write(ucs2, ucs2_len, + &flags, s2, &s2_len); + free(ucs2); + if (ret) { + free(s2); + krb5_set_error_message(context, ret, "Failed to write to UCS-2 buffer"); + return ret; + } + + /* + * we do not want zero termination + */ + s2_len = ucs2_len * 2; } - free(s); -#else - /* write libwind code here */ -#endif - ret = krb5_storage_write(sp, s2, len * 2); + CHECK(ret, krb5_store_uint16(sp, s2_len), out); + + ret = krb5_storage_write(sp, s2, s2_len); free(s2); - if (ret != (int)(len * 2)) { + if (ret != (int)s2_len) { ret = krb5_enomem(context); goto out; } diff --git a/crypto/heimdal/lib/krb5/verify_krb5_conf.c b/crypto/heimdal/lib/krb5/verify_krb5_conf.c index d554423a16d1..647a311a2ca6 100644 --- a/crypto/heimdal/lib/krb5/verify_krb5_conf.c +++ b/crypto/heimdal/lib/krb5/verify_krb5_conf.c @@ -508,7 +508,7 @@ struct entry kdc_entries[] = { { "allow-null-ticket-addresses", krb5_config_string, check_boolean }, { "allow-anonymous", krb5_config_string, check_boolean }, { "v4_realm", krb5_config_string, NULL }, - { "enable-kaserver", krb5_config_string, check_boolean }, + { "enable-kaserver", krb5_config_string, check_boolean, 1 }, { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean }, { "kdc_warn_pwexpire", krb5_config_string, check_time }, { "use_2b", krb5_config_list, NULL }, diff --git a/crypto/heimdal/lib/wind/bidi_table.c b/crypto/heimdal/lib/wind/bidi_table.c index 7d703f64dca1..31de1ee6372b 100644 --- a/crypto/heimdal/lib/wind/bidi_table.c +++ b/crypto/heimdal/lib/wind/bidi_table.c @@ -1,5 +1,5 @@ /* ./bidi_table.c */ -/* Automatically generated at 2011-09-30T15:24:58.936201 */ +/* Automatically generated at 2012-01-11T14:07:00.535499 */ #include <stdlib.h> diff --git a/crypto/heimdal/lib/wind/bidi_table.h b/crypto/heimdal/lib/wind/bidi_table.h index 45556a3ff398..c317b4dc4d42 100644 --- a/crypto/heimdal/lib/wind/bidi_table.h +++ b/crypto/heimdal/lib/wind/bidi_table.h @@ -1,5 +1,5 @@ /* ./bidi_table.h */ -/* Automatically generated at 2011-09-30T15:24:58.927315 */ +/* Automatically generated at 2012-01-11T14:07:00.534628 */ #ifndef BIDI_TABLE_H #define BIDI_TABLE_H 1 diff --git a/crypto/heimdal/lib/wind/combining_table.c b/crypto/heimdal/lib/wind/combining_table.c index 814e39eb1904..4a1677230adc 100644 --- a/crypto/heimdal/lib/wind/combining_table.c +++ b/crypto/heimdal/lib/wind/combining_table.c @@ -1,5 +1,5 @@ /* ./combining_table.c */ -/* Automatically generated at 2011-09-30T15:24:59.280091 */ +/* Automatically generated at 2012-01-11T14:07:00.838826 */ #include <stdlib.h> diff --git a/crypto/heimdal/lib/wind/combining_table.h b/crypto/heimdal/lib/wind/combining_table.h index 05a790b37db6..47599ccaff65 100644 --- a/crypto/heimdal/lib/wind/combining_table.h +++ b/crypto/heimdal/lib/wind/combining_table.h @@ -1,5 +1,5 @@ /* ./combining_table.h */ -/* Automatically generated at 2011-09-30T15:24:59.272235 */ +/* Automatically generated at 2012-01-11T14:07:00.836450 */ #ifndef COMBINING_TABLE_H #define COMBINING_TABLE_H 1 diff --git a/crypto/heimdal/lib/wind/errorlist_table.c b/crypto/heimdal/lib/wind/errorlist_table.c index 7456cb478d6a..d2d57182d483 100644 --- a/crypto/heimdal/lib/wind/errorlist_table.c +++ b/crypto/heimdal/lib/wind/errorlist_table.c @@ -1,5 +1,5 @@ /* ./errorlist_table.c */ -/* Automatically generated at 2011-09-30T15:24:59.470044 */ +/* Automatically generated at 2012-01-11T14:07:01.014764 */ #include <stdlib.h> diff --git a/crypto/heimdal/lib/wind/errorlist_table.h b/crypto/heimdal/lib/wind/errorlist_table.h index fc1739efc8d8..b822454c03be 100644 --- a/crypto/heimdal/lib/wind/errorlist_table.h +++ b/crypto/heimdal/lib/wind/errorlist_table.h @@ -1,5 +1,5 @@ /* ./errorlist_table.h */ -/* Automatically generated at 2011-09-30T15:24:59.457950 */ +/* Automatically generated at 2012-01-11T14:07:01.014378 */ #ifndef ERRORLIST_TABLE_H #define ERRORLIST_TABLE_H 1 diff --git a/crypto/heimdal/lib/wind/map_table.c b/crypto/heimdal/lib/wind/map_table.c index 5491b7d1b5ec..7363e54616eb 100644 --- a/crypto/heimdal/lib/wind/map_table.c +++ b/crypto/heimdal/lib/wind/map_table.c @@ -1,5 +1,5 @@ /* ./map_table.c */ -/* Automatically generated at 2011-09-30T15:24:59.641639 */ +/* Automatically generated at 2012-01-11T14:07:01.097758 */ #include "map_table.h" diff --git a/crypto/heimdal/lib/wind/map_table.h b/crypto/heimdal/lib/wind/map_table.h index ac3d564b36a6..ebfa7256d726 100644 --- a/crypto/heimdal/lib/wind/map_table.h +++ b/crypto/heimdal/lib/wind/map_table.h @@ -1,5 +1,5 @@ /* ./map_table.h */ -/* Automatically generated at 2011-09-30T15:24:59.631690 */ +/* Automatically generated at 2012-01-11T14:07:01.097337 */ #ifndef MAP_TABLE_H #define MAP_TABLE_H 1 diff --git a/crypto/heimdal/lib/wind/normalize_table.c b/crypto/heimdal/lib/wind/normalize_table.c index 7e0ec2eefa8a..a37e180a4acd 100644 --- a/crypto/heimdal/lib/wind/normalize_table.c +++ b/crypto/heimdal/lib/wind/normalize_table.c @@ -1,5 +1,5 @@ /* ./normalize_table.c */ -/* Automatically generated at 2011-09-30T15:25:00.420261 */ +/* Automatically generated at 2012-01-11T14:07:01.714581 */ #include <stdlib.h> diff --git a/crypto/heimdal/lib/wind/normalize_table.h b/crypto/heimdal/lib/wind/normalize_table.h index 88816309c40b..b0d0d11850e6 100644 --- a/crypto/heimdal/lib/wind/normalize_table.h +++ b/crypto/heimdal/lib/wind/normalize_table.h @@ -1,5 +1,5 @@ /* ./normalize_table.h */ -/* Automatically generated at 2011-09-30T15:25:00.412374 */ +/* Automatically generated at 2012-01-11T14:07:01.713967 */ #ifndef NORMALIZE_TABLE_H #define NORMALIZE_TABLE_H 1 diff --git a/crypto/heimdal/lib/wind/punycode_examples.c b/crypto/heimdal/lib/wind/punycode_examples.c index 50ccc4847c7c..d12368040a17 100644 --- a/crypto/heimdal/lib/wind/punycode_examples.c +++ b/crypto/heimdal/lib/wind/punycode_examples.c @@ -1,5 +1,5 @@ /* ./punycode_examples.c */ -/* Automatically generated at 2011-09-30T15:25:05.829535 */ +/* Automatically generated at 2012-01-11T14:07:08.539522 */ #ifndef PUNYCODE_EXAMPLES_C #define PUNYCODE_EXAMPLES_C 1 diff --git a/crypto/heimdal/lib/wind/punycode_examples.h b/crypto/heimdal/lib/wind/punycode_examples.h index 832234da3560..3e90edc763af 100644 --- a/crypto/heimdal/lib/wind/punycode_examples.h +++ b/crypto/heimdal/lib/wind/punycode_examples.h @@ -1,5 +1,5 @@ /* ./punycode_examples.h */ -/* Automatically generated at 2011-09-30T15:25:05.815268 */ +/* Automatically generated at 2012-01-11T14:07:08.539140 */ #ifndef PUNYCODE_EXAMPLES_H #define PUNYCODE_EXAMPLES_H 1 diff --git a/crypto/heimdal/lib/wind/utf8.c b/crypto/heimdal/lib/wind/utf8.c index 6907b3c9d3ab..e1a1eb7b2b45 100644 --- a/crypto/heimdal/lib/wind/utf8.c +++ b/crypto/heimdal/lib/wind/utf8.c @@ -204,13 +204,13 @@ wind_ucs4utf8(const uint32_t *in, size_t in_len, char *out, size_t *out_len) switch(len) { case 4: out[3] = (ch | 0x80) & 0xbf; - ch = ch << 6; + ch = ch >> 6; case 3: out[2] = (ch | 0x80) & 0xbf; - ch = ch << 6; + ch = ch >> 6; case 2: out[1] = (ch | 0x80) & 0xbf; - ch = ch << 6; + ch = ch >> 6; case 1: out[0] = ch | first_char[len - 1]; } @@ -346,8 +346,8 @@ wind_ucs2write(const uint16_t *in, size_t in_len, unsigned int *flags, return WIND_ERR_OVERRUN; if ((*flags) & WIND_RW_LE) { - p[0] = (bom >> 8) & 0xff; - p[1] = (bom ) & 0xff; + p[0] = (bom ) & 0xff; + p[1] = (bom >> 8) & 0xff; } else { p[1] = (bom ) & 0xff; p[0] = (bom >> 8) & 0xff; @@ -360,8 +360,8 @@ wind_ucs2write(const uint16_t *in, size_t in_len, unsigned int *flags, if (len < 2) return WIND_ERR_OVERRUN; if ((*flags) & WIND_RW_LE) { - p[0] = (in[0] >> 8) & 0xff; - p[1] = (in[0] ) & 0xff; + p[0] = (in[0] ) & 0xff; + p[1] = (in[0] >> 8) & 0xff; } else { p[1] = (in[0] ) & 0xff; p[0] = (in[0] >> 8) & 0xff; @@ -479,10 +479,10 @@ wind_ucs2utf8(const uint16_t *in, size_t in_len, char *out, size_t *out_len) switch(len) { case 3: out[2] = (ch | 0x80) & 0xbf; - ch = ch << 6; + ch = ch >> 6; case 2: out[1] = (ch | 0x80) & 0xbf; - ch = ch << 6; + ch = ch >> 6; case 1: out[0] = ch | first_char[len - 1]; } diff --git a/crypto/heimdal/lib/wind/version-script.map b/crypto/heimdal/lib/wind/version-script.map index a6ca3ae54943..6b5abb5ee2a5 100644 --- a/crypto/heimdal/lib/wind/version-script.map +++ b/crypto/heimdal/lib/wind/version-script.map @@ -14,6 +14,7 @@ HEIMDAL_WIND_1.0 { wind_utf8ucs2_length; wind_ucs2utf8_length; wind_ucs2read; + wind_ucs2write; # testing _wind_combining_class; _wind_stringprep_testbidi; |