[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Feb 28 04:46:02 UTC 2024


The branch, master has been updated
       via  2b515b7dcc6 s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
       via  009a4706d23 python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
       via  724f403d886 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
       via  ea41dccb99b third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
      from  f1a83798f01 third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2b515b7dcc655f6be4365cc8adffee999b4354bf
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 27 11:23:03 2024 +1300

    s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224

commit 009a4706d238b7d6107c6adc684a37cd7a3bed0c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 27 11:55:33 2024 +1300

    python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit 724f403d8863bf3f29bff35bff0f274183621bb3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 27 11:09:38 2024 +1300

    libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
    
    This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
    that PKINIT freshness was used during the AS-REQ.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

commit ea41dccb99b6448c93c43b8de8d2bcca698f1a7c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 27 14:55:27 2024 +1300

    third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/dom_sid.h                                  |  1 +
 libcli/security/util_sid.c                                 |  4 ++++
 librpc/idl/security.idl                                    |  8 ++++++++
 python/samba/tests/krb5/pkinit_tests.py                    | 14 +++++++++++++-
 source4/kdc/pac-glue.c                                     | 10 ++++++++++
 source4/kdc/pac-glue.h                                     |  1 +
 source4/kdc/wdc-samba4.c                                   | 10 ++++++++++
 third_party/heimdal/kdc/kdc-accessors.h                    |  7 +++++++
 third_party/heimdal/kdc/kdc_locl.h                         |  1 +
 third_party/heimdal/kdc/libkdc-exports.def                 |  1 +
 third_party/heimdal/kdc/pkinit.c                           |  2 ++
 third_party/heimdal/kdc/version-script.map                 |  1 +
 third_party/heimdal/lib/asn1/asn1_err.et                   |  2 +-
 third_party/heimdal/lib/asn1/asn1_print.c                  |  2 +-
 third_party/heimdal/lib/base/heimbase.c                    |  2 +-
 third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c |  2 +-
 third_party/heimdal/lib/hx509/cert.c                       |  2 +-
 third_party/heimdal/lib/hx509/hx509_err.et                 |  4 ++--
 third_party/heimdal/lib/krb5/crypto.c                      |  8 ++++----
 third_party/heimdal/lib/sqlite/sqlite3.c                   |  2 +-
 third_party/heimdal/po/heim_com_err569856/de.po            |  2 +-
 .../heimdal/po/heim_com_err569856/heim_com_err569856.pot   |  2 +-
 third_party/heimdal/po/heimdal_krb5/de.po                  |  3 +--
 third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot       |  2 +-
 third_party/heimdal/po/heimdal_krb5/sv_SE.po               |  2 +-
 25 files changed, 76 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 343001e87ee..5e1c5d90958 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -43,6 +43,7 @@ extern const struct dom_sid global_sid_Network;
 extern const struct dom_sid global_sid_Asserted_Identity;
 extern const struct dom_sid global_sid_Asserted_Identity_Service;
 extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority;
+extern const struct dom_sid global_sid_Fresh_Public_Key_Identity;
 extern const struct dom_sid global_sid_Creator_Owner;
 extern const struct dom_sid global_sid_Creator_Group;
 extern const struct dom_sid global_sid_Owner_Rights;
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 54a2fc35fda..0942b2fe259 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -83,6 +83,10 @@ const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority =	/*
 const struct dom_sid global_sid_Asserted_Identity_Service =	/* Asserted Identity Service */
 { 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 
+/* S-1-18-3 */
+const struct dom_sid global_sid_Fresh_Public_Key_Identity =	/* Fresh Public Key Identity */
+{ 1, 1, {0,0,0,0,0,18}, {3,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 /* S-1-5-2 */
 const struct dom_sid global_sid_Network =			/* Network rids */
 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 8783b678157..d5e65032652 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -324,6 +324,14 @@ interface security
 	 */
 	const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
 
+	/*
+	 * This is added during the AS-REQ/AS-REP exchange after the
+	 * PKINIT Freshness extension is used (shows current
+	 * possession, rather than just a saved signature, of the
+	 * client pulic key).
+	 */
+	const string SID_FRESH_PUBLIC_KEY_IDENTITY = "S-1-18-3";
+
 	const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
 	const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
 
diff --git a/python/samba/tests/krb5/pkinit_tests.py b/python/samba/tests/krb5/pkinit_tests.py
index 3d47c799f86..effc691beba 100755
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
@@ -35,9 +35,10 @@ from cryptography.hazmat.primitives.asymmetric import dh, padding
 from cryptography.x509.oid import NameOID
 
 import samba.tests
+from samba.dcerpc import security
 from samba.tests.krb5 import kcrypto
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
-from samba.tests.krb5.raw_testcase import PkInit
+from samba.tests.krb5.raw_testcase import PkInit, RawKerberosTest
 from samba.tests.krb5.rfc4120_constants import (
     DES_EDE3_CBC,
     KDC_ERR_CLIENT_NOT_TRUSTED,
@@ -55,6 +56,8 @@ from samba.tests.krb5.rfc4120_constants import (
 )
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 
+SidType = RawKerberosTest.SidType
+
 global_asn1_print = False
 global_hexdump = False
 
@@ -1159,6 +1162,13 @@ class PkInitTests(KDCBaseTest):
         ticket_decryption_key = self.TicketDecryptionKey_from_creds(
             target_creds)
 
+        if freshness_token is None:
+            expected_groups = None
+            unexpected_groups = {(security.SID_FRESH_PUBLIC_KEY_IDENTITY, SidType.EXTRA_SID, security.SE_GROUP_DEFAULT_FLAGS)}
+        else:
+            expected_groups = {(security.SID_FRESH_PUBLIC_KEY_IDENTITY, SidType.EXTRA_SID, security.SE_GROUP_DEFAULT_FLAGS), ...}
+            unexpected_groups = None
+
         kdc_exchange_dict = self.as_exchange_dict(
             creds=creds,
             client_cert=certificate,
@@ -1167,6 +1177,8 @@ class PkInitTests(KDCBaseTest):
             expected_srealm=target_realm,
             expected_sname=expected_sname,
             expected_supported_etypes=target_creds.tgs_supported_enctypes,
+            expected_groups=expected_groups,
+            unexpected_groups=unexpected_groups,
             ticket_decryption_key=ticket_decryption_key,
             generate_padata_fn=generate_pk_padata,
             check_error_fn=check_error_fn,
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 12465b7644d..58f089f4562 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -824,6 +824,16 @@ NTSTATUS samba_kdc_add_claims_valid(struct auth_user_info_dc *user_info_dc)
 		&user_info_dc->num_sids);
 }
 
+NTSTATUS samba_kdc_add_fresh_public_key_identity(struct auth_user_info_dc *user_info_dc)
+{
+	return add_sid_to_array_attrs_unique(
+		user_info_dc,
+		&global_sid_Fresh_Public_Key_Identity,
+		SE_GROUP_DEFAULT_FLAGS,
+		&user_info_dc->sids,
+		&user_info_dc->num_sids);
+}
+
 static NTSTATUS samba_kdc_add_compounded_auth(struct auth_user_info_dc *user_info_dc)
 {
 	return add_sid_to_array_attrs_unique(
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 1b4444a0aeb..aa022f7b001 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -200,3 +200,4 @@ NTSTATUS samba_kdc_add_asserted_identity(enum samba_asserted_identity ai,
 					 struct auth_user_info_dc *user_info_dc);
 
 NTSTATUS samba_kdc_add_claims_valid(struct auth_user_info_dc *user_info_dc);
+NTSTATUS samba_kdc_add_fresh_public_key_identity(struct auth_user_info_dc *user_info_dc);
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index dc2fffad2e4..d1653a36404 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -165,6 +165,16 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
 		return map_errno_from_nt_status(nt_status);
 	}
 
+	if (kdc_request_get_pkinit_freshness_used(r)) {
+		nt_status = samba_kdc_add_fresh_public_key_identity(user_info_dc_shallow_copy);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			DBG_ERR("Failed to add Fresh Public Key Identity: %s\n",
+				nt_errstr(nt_status));
+			talloc_free(mem_ctx);
+			return map_errno_from_nt_status(nt_status);
+		}
+	}
+
 	ret = samba_kdc_get_claims_data_from_db(server_entry->kdc_db_ctx->samdb,
 						skdc_entry,
 						&auth_claims.user_claims);
diff --git a/third_party/heimdal/kdc/kdc-accessors.h b/third_party/heimdal/kdc/kdc-accessors.h
index c00fd49d60b..8d1305a139e 100644
--- a/third_party/heimdal/kdc/kdc-accessors.h
+++ b/third_party/heimdal/kdc/kdc-accessors.h
@@ -339,6 +339,13 @@ ASTGS_REQUEST_SET_ACCESSOR_PTR(struct krb5_pac_data *, pac, pac)
 
 ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes)
 
+/*
+ * unsigned int
+ * kdc_request_get_pkinit_freshness_used(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR(unsigned int, pkinit_freshness_used)
+
 /*
  * void
  * kdc_request_set_pac_attributes(astgs_request_t, uint64_t);
diff --git a/third_party/heimdal/kdc/kdc_locl.h b/third_party/heimdal/kdc/kdc_locl.h
index f2160b72419..d56d6b557b9 100644
--- a/third_party/heimdal/kdc/kdc_locl.h
+++ b/third_party/heimdal/kdc/kdc_locl.h
@@ -155,6 +155,7 @@ struct astgs_request_desc {
 
     /* Only AS */
     const struct kdc_patypes *pa_used;
+    unsigned int pkinit_freshness_used : 1;
 
     /* PA methods can affect both the reply key and the session key (pkinit) */
     krb5_enctype sessionetype;
diff --git a/third_party/heimdal/kdc/libkdc-exports.def b/third_party/heimdal/kdc/libkdc-exports.def
index 1d42b8c570c..1c6997a23c2 100644
--- a/third_party/heimdal/kdc/libkdc-exports.def
+++ b/third_party/heimdal/kdc/libkdc-exports.def
@@ -49,6 +49,7 @@ EXPORTS
 	kdc_request_get_krbtgt_princ
 	kdc_request_get_pac
 	kdc_request_get_pac_attributes
+	kdc_request_get_pkinit_freshness_used
 	kdc_request_get_rep
 	kdc_request_get_reply_key
 	kdc_request_get_req
diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index c853359bbc2..9f1f4b106f0 100644
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -1996,6 +1996,8 @@ _kdc_pk_validate_freshness_token(astgs_request_t r,
 	return KRB5_KDC_ERR_PREAUTH_EXPIRED;
     }
 
+    r->pkinit_freshness_used = TRUE;
+
     free_PA_ENC_TS_ENC(&ts_enc);
     return 0;
 }
diff --git a/third_party/heimdal/kdc/version-script.map b/third_party/heimdal/kdc/version-script.map
index c644b30c8e4..508357d0a7d 100644
--- a/third_party/heimdal/kdc/version-script.map
+++ b/third_party/heimdal/kdc/version-script.map
@@ -52,6 +52,7 @@ HEIMDAL_KDC_1.0 {
 		kdc_request_get_krbtgt_princ;
 		kdc_request_get_pac;
 		kdc_request_get_pac_attributes;
+		kdc_request_get_pkinit_freshness_used;
 		kdc_request_get_rep;
 		kdc_request_get_reply_key;
 		kdc_request_get_req;
diff --git a/third_party/heimdal/lib/asn1/asn1_err.et b/third_party/heimdal/lib/asn1/asn1_err.et
index ac7a9ebaa52..dc08a86cf30 100644
--- a/third_party/heimdal/lib/asn1/asn1_err.et
+++ b/third_party/heimdal/lib/asn1/asn1_err.et
@@ -23,7 +23,7 @@ error_code MIN_CONSTRAINT,	"ASN.1 too few elements"
 error_code MAX_CONSTRAINT,	"ASN.1 too many elements"
 error_code EXACT_CONSTRAINT,	"ASN.1 wrong number of elements"
 error_code INDEF_OVERRUN,   	"ASN.1 BER indefinte encoding overrun"
-error_code INDEF_UNDERRUN,   	"ASN.1 BER indefinte encoding underun"
+error_code INDEF_UNDERRUN,   	"ASN.1 BER indefinte encoding underrun"
 error_code GOT_BER,		"ASN.1 got BER encoded when expected DER"
 error_code INDEF_EXTRA_DATA,	"ASN.1 EoC tag contained data"
 end
diff --git a/third_party/heimdal/lib/asn1/asn1_print.c b/third_party/heimdal/lib/asn1/asn1_print.c
index 9ef6ffd23a2..9b598b78cdf 100644
--- a/third_party/heimdal/lib/asn1/asn1_print.c
+++ b/third_party/heimdal/lib/asn1/asn1_print.c
@@ -566,7 +566,7 @@ dotype(unsigned char *buf, size_t len, char **argv, size_t *size)
                  "BER indefinte encoding overun", typename);
         case ASN1_INDEF_UNDERRUN:
             errx(1, "Could not decode and print data as type %s: "
-                 "BER indefinte encoding underun", typename);
+                 "BER indefinte encoding underrun", typename);
         case ASN1_GOT_BER:
             errx(1, "Could not decode and print data as type %s: "
                  "BER encoding when DER expected", typename);
diff --git a/third_party/heimdal/lib/base/heimbase.c b/third_party/heimdal/lib/base/heimbase.c
index 4e9ea1b4b5f..05add641e01 100644
--- a/third_party/heimdal/lib/base/heimbase.c
+++ b/third_party/heimdal/lib/base/heimbase.c
@@ -701,7 +701,7 @@ heim_auto_release(heim_object_t ptr)
     }
 
     if (tls == NULL || (ar = tls->current) == NULL)
-	heim_abort("no auto relase pool in place, would leak");
+	heim_abort("no auto release pool in place, would leak");
 
     HEIMDAL_MUTEX_lock(&ar->pool_mutex);
     HEIM_TAILQ_INSERT_HEAD(&ar->pool, p, autorel);
diff --git a/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c b/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
index c4ac7455cf6..7a211900fd3 100644
--- a/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -747,7 +747,7 @@ acceptor_start
 	HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
 	return gss_mg_set_error_string(GSS_C_NO_OID, GSS_S_NO_CONTEXT,
 				       *minor_status,
-				       "SPNEGO acceptor didn't find a prefered mechanism");
+				       "SPNEGO acceptor didn't find a preferred mechanism");
     }
 
     /*
diff --git a/third_party/heimdal/lib/hx509/cert.c b/third_party/heimdal/lib/hx509/cert.c
index 4fcb4ba8da9..9c7997dc46e 100644
--- a/third_party/heimdal/lib/hx509/cert.c
+++ b/third_party/heimdal/lib/hx509/cert.c
@@ -1506,7 +1506,7 @@ _hx509_calculate_path(hx509_context context,
 	if (path->len > max_depth) {
 	    hx509_cert_free(current);
 	    hx509_set_error_string(context, 0, HX509_PATH_TOO_LONG,
-				   "Path too long while bulding "
+				   "Path too long while building "
 				   "certificate chain");
 	    return HX509_PATH_TOO_LONG;
 	}
diff --git a/third_party/heimdal/lib/hx509/hx509_err.et b/third_party/heimdal/lib/hx509/hx509_err.et
index 9b816754022..70c747a9cfe 100644
--- a/third_party/heimdal/lib/hx509/hx509_err.et
+++ b/third_party/heimdal/lib/hx509/hx509_err.et
@@ -62,8 +62,8 @@ error_code SIG_INVALID_FORMAT, "Invalid format on signature"
 error_code OID_MISMATCH, "Mismatch between oids"
 error_code NO_PROMPTER, "No prompter function defined"
 error_code SIGNATURE_WITHOUT_SIGNER, "Signature requires signer, but none available"
-error_code RSA_PUBLIC_ENCRYPT, "RSA public encyption failed"
-error_code RSA_PRIVATE_ENCRYPT, "RSA private encyption failed"
+error_code RSA_PUBLIC_ENCRYPT, "RSA public encryption failed"
+error_code RSA_PRIVATE_ENCRYPT, "RSA private encryption failed"
 error_code RSA_PUBLIC_DECRYPT, "RSA public decryption failed"
 error_code RSA_PRIVATE_DECRYPT, "RSA private decryption failed"
 error_code ALGORITHM_BEST_BEFORE, "Algorithm has passed its best before date"
diff --git a/third_party/heimdal/lib/krb5/crypto.c b/third_party/heimdal/lib/krb5/crypto.c
index b52f084669a..af86f7c4575 100644
--- a/third_party/heimdal/lib/krb5/crypto.c
+++ b/third_party/heimdal/lib/krb5/crypto.c
@@ -1226,7 +1226,7 @@ decrypt_internal_derived(krb5_context context,
     if (len < checksum_sz + et->confoundersize) {
 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
 			       N_("Encrypted data shorter then "
-				  "checksum + confunder", ""));
+				  "checksum + confounder", ""));
 	return KRB5_BAD_MSIZE;
     }
 
@@ -1301,7 +1301,7 @@ decrypt_internal_enc_then_cksum(krb5_context context,
     if (len < checksum_sz + et->confoundersize) {
 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
 			       N_("Encrypted data shorter then "
-				  "checksum + confunder", ""));
+				  "checksum + confounder", ""));
 	return KRB5_BAD_MSIZE;
     }
 
@@ -1383,7 +1383,7 @@ decrypt_internal(krb5_context context,
     if (len < checksum_sz + et->confoundersize) {
 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
 			       N_("Encrypted data shorter then "
-				  "checksum + confunder", ""));
+				  "checksum + confounder", ""));
 	return KRB5_BAD_MSIZE;
     }
 
@@ -1445,7 +1445,7 @@ decrypt_internal_special(krb5_context context,
     if (len < cksum_sz + et->confoundersize) {
 	krb5_set_error_message(context, KRB5_BAD_MSIZE,
 			       N_("Encrypted data shorter then "
-				  "checksum + confunder", ""));
+				  "checksum + confounder", ""));
 	return KRB5_BAD_MSIZE;
     }
 
diff --git a/third_party/heimdal/lib/sqlite/sqlite3.c b/third_party/heimdal/lib/sqlite/sqlite3.c
index de55858cb0f..7aaed45e977 100644
--- a/third_party/heimdal/lib/sqlite/sqlite3.c
+++ b/third_party/heimdal/lib/sqlite/sqlite3.c
@@ -95906,7 +95906,7 @@ static int vdbeSorterFlushPMA(VdbeSorter *pSorter){
   ** the background thread from a sub-tasks previous turn is still running,
   ** skip it. If the first (pSorter->nTask-1) sub-tasks are all still busy,
   ** fall back to using the final sub-task. The first (pSorter->nTask-1)
-  ** sub-tasks are prefered as they use background threads - the final
+  ** sub-tasks are preferred as they use background threads - the final
   ** sub-task uses the main thread. */
   for(i=0; i<nWorker; i++){
     int iTest = (pSorter->iPrev + i + 1) % nWorker;
diff --git a/third_party/heimdal/po/heim_com_err569856/de.po b/third_party/heimdal/po/heim_com_err569856/de.po
index 5e6ace5d766..ba2dbf6e93d 100644
--- a/third_party/heimdal/po/heim_com_err569856/de.po
+++ b/third_party/heimdal/po/heim_com_err569856/de.po
@@ -273,7 +273,7 @@ msgstr "Signatur erfordert Unterzeichner, aber keiner verfügbar"
 #. 073
 #. 074
 #: ../lib/hx509/hx509_err.c:84 ../lib/hx509/hx509_err.c:85
-msgid "RSA public encyption failed"
+msgid "RSA public encryption failed"
 msgstr "RSA-Verschlüsselung mit öffentlichem Schlüssel fehlgeschlagen"
 
 #. 075
diff --git a/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot b/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
index 2913f6bcb9c..2305f21a962 100644
--- a/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
+++ b/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
@@ -267,7 +267,7 @@ msgstr ""
 #. 073
 #. 074
 #: ../lib/hx509/hx509_err.c:84 ../lib/hx509/hx509_err.c:85
-msgid "RSA public encyption failed"
+msgid "RSA public encryption failed"
 msgstr ""
 
 #. 075
diff --git a/third_party/heimdal/po/heimdal_krb5/de.po b/third_party/heimdal/po/heimdal_krb5/de.po
index 037cc46c1e5..26efb2934fd 100644
--- a/third_party/heimdal/po/heimdal_krb5/de.po
+++ b/third_party/heimdal/po/heimdal_krb5/de.po
@@ -325,9 +325,8 @@ msgstr "Verschlüsselungstyp %s ist deaktiviert."
 msgid "checksum type %s is disabled"
 msgstr "Prüfsummentyp %s ist deaktiviert."
 
-# FIXME: s/confunder/confounder/
 #: lib/krb5/crypto.c:2958
-msgid "Encrypted data shorter then checksum + confunder"
+msgid "Encrypted data shorter then checksum + confounder"
 msgstr "verschlüsselte Daten kürzer als Prüfsumme + Störfaktor"
 
 #: lib/krb5/crypto.c:3585
diff --git a/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot b/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
index 9dbaaaf7282..ac3effae614 100644
--- a/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
+++ b/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
@@ -549,7 +549,7 @@ msgid "checksum type %s is disabled"
 msgstr ""
 
 #: lib/krb5/crypto.c:2958
-msgid "Encrypted data shorter then checksum + confunder"
+msgid "Encrypted data shorter then checksum + confounder"
 msgstr ""
 
 #: lib/krb5/crypto.c:3585
diff --git a/third_party/heimdal/po/heimdal_krb5/sv_SE.po b/third_party/heimdal/po/heimdal_krb5/sv_SE.po
index ffd1ca7c8d6..8d5caa1a634 100644
--- a/third_party/heimdal/po/heimdal_krb5/sv_SE.po
+++ b/third_party/heimdal/po/heimdal_krb5/sv_SE.po
@@ -540,7 +540,7 @@ msgid "checksum type %s is disabled"
 msgstr ""
 
 #: lib/krb5/crypto.c:2979
-msgid "Encrypted data shorter then checksum + confunder"
+msgid "Encrypted data shorter then checksum + confounder"
 msgstr ""
 
 #: lib/krb5/crypto.c:3589


-- 
Samba Shared Repository



More information about the samba-cvs mailing list