author | Stefan Metzmacher <metze@samba.org> | 2008-08-26 19:35:52 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2008-08-26 19:46:38 +0200 |
commit | 243321b4bbe273cf3a9105ca132caa2b53e2f263 (patch) | |
tree | c8588a032720412a9a510d4045d6ca6e5c961ee7 /source4/heimdal/kdc/krb5tgs.c | |
parent | 455f5c043d1416136a16a0bb6e463d855a913409 (diff) | |
heimdal: import heimdal's trunk svn rev 23697 + lorikeet-heimdal patches
This is based on f56a3b1846c7d462542f2e9527f4d0ed8a34748d in my heimdal-wip repo.
metze
(This used to be commit 467a1f2163a63cdf1a4c83a69473db50e8794f53)
Diffstat (limited to 'source4/heimdal/kdc/krb5tgs.c')
-rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 071a30d5a78..19dff5e01df 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -33,7 +33,7 @@
 #include "kdc_locl.h"
-RCSID("$Id: krb5tgs.c 23316 2008-06-23 04:32:32Z lha $");
+RCSID("$Id$");
 /*
 * return the realm of a krbtgt-ticket or NULL
@@ -662,6 +662,7 @@ tgs_make_reply(krb5_context context,
 krb5_kvno kvno,
 AuthorizationData *auth_data,
 hdb_entry_ex *server,
+ krb5_principal server_principal,
 const char *server_name,
 hdb_entry_ex *client,
 krb5_principal client_principal,
@@ -678,6 +679,7 @@ tgs_make_reply(krb5_context context,
 EncTicketPart et;
 KDCOptions f = b->kdc_options;
 krb5_error_code ret;
+ int is_weak = 0;
 memset(&rep, 0, sizeof(rep));
 memset(&et, 0, sizeof(et));
@@ -729,9 +731,9 @@ tgs_make_reply(krb5_context context,
 if(ret)
 goto out;
- copy_Realm(krb5_princ_realm(context, server->entry.principal),
+ copy_Realm(krb5_princ_realm(context, server_principal),
 &rep.ticket.realm);
- _krb5_principal2principalname(&rep.ticket.sname, server->entry.principal);
+ _krb5_principal2principalname(&rep.ticket.sname, server_principal);
 copy_Realm(&tgt_name->realm, &rep.crealm);
 /*
 if (f.request_anonymous)
@@ -885,6 +887,14 @@ tgs_make_reply(krb5_context context,
 goto out;
 }
+ if (krb5_enctype_valid(context, et.key.keytype) != 0
+ && _kdc_is_weak_expection(server->entry.principal, et.key.keytype))
+ {
+ krb5_enctype_enable(context, et.key.keytype);
+ is_weak = 1;
+ }
+
+
 /* It is somewhat unclear where the etype in the following encryption should come from. What we have is a session key in the passed tgt, and a list of preferred etypes
@@ -899,6 +909,9 @@ tgs_make_reply(krb5_context context,
 &rep, &et, &ek, et.key.keytype, kvno, serverkey, 0, &tgt->key, e_text, reply);
+ if (is_weak)
+ krb5_enctype_disable(context, et.key.keytype);
+
 out:
 free_TGS_REP(&rep);
 free_TransitedEncoding(&et.transited);
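Review bot: The weak-enctype exception in the hunk at line 887 flips state with `krb5_enctype_enable()` that is shared beyond this one reply (at least the whole krb5_context), and it is only re-disabled after `_kdc_encode_reply()` returns in the hunk at line 909, so for the duration of that call anything else consulting the enctype tables presumably sees the weak type as enabled. The pair is balanced on both the success and failure return of `_kdc_encode_reply()` as the hunks stand, but nothing says the enable is request-scoped; a comment at the enable site, `/* Temporarily enable the weak enctype for this reply only; it is disabled again right after _kdc_encode_reply(), so no goto out may be added in between */`, would protect that invariant. The exception is also keyed on `server->entry.principal` while the ticket's realm and sname in the hunk at line 731 now come from `server_principal`; if the two can differ once `HDB_F_CANON` is in use, a one-line comment stating which name the policy applies to would avoid a later mismatch. As a point of style, `_kdc_is_weak_expection` reads as a misspelling of "exception" and is defined elsewhere. tgs_make_reply starts and ends outside these hunks.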
@@ -1462,7 +1475,8 @@ tgs_build_reply(krb5_context context,
 */
 server_lookup:
- ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER, NULL, &server);
+ ret = _kdc_db_fetch(context, config, sp, HDB_F_GET_SERVER | HDB_F_CANON,
+ NULL, &server);
 if(ret){
 const char *new_rlm;
@@ -1521,7 +1535,8 @@ server_lookup:
 goto out;
 }
- ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT, NULL, &client);
+ ret = _kdc_db_fetch(context, config, cp, HDB_F_GET_CLIENT | HDB_F_CANON,
+ NULL, &client);
 if(ret) {
 const char *krbtgt_realm;
@@ -1927,6 +1942,7 @@ server_lookup:
 kvno,
 *auth_data,
 server,
+ sp,
 spn,
 client,
 cp,
|
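Review bot: Passing `sp` as the new `server_principal` argument in the hunk at line 1942 names the issued ticket after the principal the client requested, while the key used for it comes from the `server` entry fetched with `HDB_F_GET_SERVER | HDB_F_CANON` in the hunk at line 1475, and nothing in the hunks documents that the two may be different spellings of the same entry. A comment beside the argument, `/* sp: name as requested; server->entry.principal may be the canonical name once HDB_F_CANON is honoured */`, would record that relationship for the reader of tgs_make_reply. The client lookup in the hunk at line 1535 gets the same `HDB_F_CANON` flag, yet `cp` is passed on unchanged below it, so it is worth stating whether canonicalisation is meant to affect the client name at all. tgs_build_reply starts outside these hunks and the call at line 1942 continues past the last line shown.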