The branch, master has been updated
via 2b515b7dcc6 s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT
freshness used
via 009a4706d23 python/samba/tests/krb5: Expect
SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
via 724f403d886 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
via ea41dccb99b third_party/heimdal: import
lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
from f1a83798f01 third_party/heimdal: Import
lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2b515b7dcc655f6be4365cc8adffee999b4354bf
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 27 11:23:03 2024 +1300
s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224
commit 009a4706d238b7d6107c6adc684a37cd7a3bed0c
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 27 11:55:33 2024 +1300
python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when
PKINIT freshness used
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>
commit 724f403d8863bf3f29bff35bff0f274183621bb3
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 27 11:09:38 2024 +1300
libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
This allows an ACL level check (rather than only an all-or-nothing KDC
configuration)
that PKINIT freshness was used during the AS-REQ.
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>
commit ea41dccb99b6448c93c43b8de8d2bcca698f1a7c
Author: Andrew Bartlett <abart...@samba.org>
Date: Tue Feb 27 14:55:27 2024 +1300
third_party/heimdal: import lorikeet-heimdal-202402270140 (commit
e78a9d974c680d775650fb51f617ca7bf9d6727d)
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/dom_sid.h | 1 +
libcli/security/util_sid.c | 4 ++++
librpc/idl/security.idl | 8 ++++++++
python/samba/tests/krb5/pkinit_tests.py | 14 +++++++++++++-
source4/kdc/pac-glue.c | 10 ++++++++++
source4/kdc/pac-glue.h | 1 +
source4/kdc/wdc-samba4.c | 10 ++++++++++
third_party/heimdal/kdc/kdc-accessors.h | 7 +++++++
third_party/heimdal/kdc/kdc_locl.h | 1 +
third_party/heimdal/kdc/libkdc-exports.def | 1 +
third_party/heimdal/kdc/pkinit.c | 2 ++
third_party/heimdal/kdc/version-script.map | 1 +
third_party/heimdal/lib/asn1/asn1_err.et | 2 +-
third_party/heimdal/lib/asn1/asn1_print.c | 2 +-
third_party/heimdal/lib/base/heimbase.c | 2 +-
third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c | 2 +-
third_party/heimdal/lib/hx509/cert.c | 2 +-
third_party/heimdal/lib/hx509/hx509_err.et | 4 ++--
third_party/heimdal/lib/krb5/crypto.c | 8 ++++----
third_party/heimdal/lib/sqlite/sqlite3.c | 2 +-
third_party/heimdal/po/heim_com_err569856/de.po | 2 +-
.../heimdal/po/heim_com_err569856/heim_com_err569856.pot | 2 +-
third_party/heimdal/po/heimdal_krb5/de.po | 3 +--
third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot | 2 +-
third_party/heimdal/po/heimdal_krb5/sv_SE.po | 2 +-
25 files changed, 76 insertions(+), 19 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 343001e87ee..5e1c5d90958 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -43,6 +43,7 @@ extern const struct dom_sid global_sid_Network;
extern const struct dom_sid global_sid_Asserted_Identity;
extern const struct dom_sid global_sid_Asserted_Identity_Service;
extern const struct dom_sid
global_sid_Asserted_Identity_Authentication_Authority;
+extern const struct dom_sid global_sid_Fresh_Public_Key_Identity;
extern const struct dom_sid global_sid_Creator_Owner;
extern const struct dom_sid global_sid_Creator_Group;
extern const struct dom_sid global_sid_Owner_Rights;
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 54a2fc35fda..0942b2fe259 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -83,6 +83,10 @@ const struct dom_sid
global_sid_Asserted_Identity_Authentication_Authority = /*
const struct dom_sid global_sid_Asserted_Identity_Service = /* Asserted
Identity Service */
{ 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+/* S-1-18-3 */
+const struct dom_sid global_sid_Fresh_Public_Key_Identity = /* Fresh Public
Key Identity */
+{ 1, 1, {0,0,0,0,0,18}, {3,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
/* S-1-5-2 */
const struct dom_sid global_sid_Network = /* Network rids
*/
{ 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 8783b678157..d5e65032652 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -324,6 +324,14 @@ interface security
*/
const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+ /*
+ * This is added during the AS-REQ/AS-REP exchange after the
+ * PKINIT Freshness extension is used (shows current
+ * possession, rather than just a saved signature, of the
+ * client pulic key).
+ */
+ const string SID_FRESH_PUBLIC_KEY_IDENTITY = "S-1-18-3";
+
const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
diff --git a/python/samba/tests/krb5/pkinit_tests.py
b/python/samba/tests/krb5/pkinit_tests.py
index 3d47c799f86..effc691beba 100755
--- a/python/samba/tests/krb5/pkinit_tests.py
+++ b/python/samba/tests/krb5/pkinit_tests.py
@@ -35,9 +35,10 @@ from cryptography.hazmat.primitives.asymmetric import dh,
padding
from cryptography.x509.oid import NameOID
import samba.tests
+from samba.dcerpc import security
from samba.tests.krb5 import kcrypto
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-from samba.tests.krb5.raw_testcase import PkInit
+from samba.tests.krb5.raw_testcase import PkInit, RawKerberosTest
from samba.tests.krb5.rfc4120_constants import (
DES_EDE3_CBC,
KDC_ERR_CLIENT_NOT_TRUSTED,
@@ -55,6 +56,8 @@ from samba.tests.krb5.rfc4120_constants import (
)
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+SidType = RawKerberosTest.SidType
+
global_asn1_print = False
global_hexdump = False
@@ -1159,6 +1162,13 @@ class PkInitTests(KDCBaseTest):
ticket_decryption_key = self.TicketDecryptionKey_from_creds(
target_creds)
+ if freshness_token is None:
+ expected_groups = None
+ unexpected_groups = {(security.SID_FRESH_PUBLIC_KEY_IDENTITY,
SidType.EXTRA_SID, security.SE_GROUP_DEFAULT_FLAGS)}
+ else:
+ expected_groups = {(security.SID_FRESH_PUBLIC_KEY_IDENTITY,
SidType.EXTRA_SID, security.SE_GROUP_DEFAULT_FLAGS), ...}
+ unexpected_groups = None
+
kdc_exchange_dict = self.as_exchange_dict(
creds=creds,
client_cert=certificate,
@@ -1167,6 +1177,8 @@ class PkInitTests(KDCBaseTest):
expected_srealm=target_realm,
expected_sname=expected_sname,
expected_supported_etypes=target_creds.tgs_supported_enctypes,
+ expected_groups=expected_groups,
+ unexpected_groups=unexpected_groups,
ticket_decryption_key=ticket_decryption_key,
generate_padata_fn=generate_pk_padata,
check_error_fn=check_error_fn,
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 12465b7644d..58f089f4562 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -824,6 +824,16 @@ NTSTATUS samba_kdc_add_claims_valid(struct
auth_user_info_dc *user_info_dc)
&user_info_dc->num_sids);
}
+NTSTATUS samba_kdc_add_fresh_public_key_identity(struct auth_user_info_dc
*user_info_dc)
+{
+ return add_sid_to_array_attrs_unique(
+ user_info_dc,
+ &global_sid_Fresh_Public_Key_Identity,
+ SE_GROUP_DEFAULT_FLAGS,
+ &user_info_dc->sids,
+ &user_info_dc->num_sids);
+}
+
static NTSTATUS samba_kdc_add_compounded_auth(struct auth_user_info_dc
*user_info_dc)
{
return add_sid_to_array_attrs_unique(
diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h
index 1b4444a0aeb..aa022f7b001 100644
--- a/source4/kdc/pac-glue.h
+++ b/source4/kdc/pac-glue.h
@@ -200,3 +200,4 @@ NTSTATUS samba_kdc_add_asserted_identity(enum
samba_asserted_identity ai,
struct auth_user_info_dc
*user_info_dc);
NTSTATUS samba_kdc_add_claims_valid(struct auth_user_info_dc *user_info_dc);
+NTSTATUS samba_kdc_add_fresh_public_key_identity(struct auth_user_info_dc
*user_info_dc);
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index dc2fffad2e4..d1653a36404 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -165,6 +165,16 @@ static krb5_error_code samba_wdc_get_pac(void *priv,
return map_errno_from_nt_status(nt_status);
}
+ if (kdc_request_get_pkinit_freshness_used(r)) {
+ nt_status =
samba_kdc_add_fresh_public_key_identity(user_info_dc_shallow_copy);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_ERR("Failed to add Fresh Public Key Identity: %s\n",
+ nt_errstr(nt_status));
+ talloc_free(mem_ctx);
+ return map_errno_from_nt_status(nt_status);
+ }
+ }
+
ret = samba_kdc_get_claims_data_from_db(server_entry->kdc_db_ctx->samdb,
skdc_entry,
&auth_claims.user_claims);
diff --git a/third_party/heimdal/kdc/kdc-accessors.h
b/third_party/heimdal/kdc/kdc-accessors.h
index c00fd49d60b..8d1305a139e 100644
--- a/third_party/heimdal/kdc/kdc-accessors.h
+++ b/third_party/heimdal/kdc/kdc-accessors.h
@@ -339,6 +339,13 @@ ASTGS_REQUEST_SET_ACCESSOR_PTR(struct krb5_pac_data *,
pac, pac)
ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes)
+/*
+ * unsigned int
+ * kdc_request_get_pkinit_freshness_used(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR(unsigned int, pkinit_freshness_used)
+
/*
* void
* kdc_request_set_pac_attributes(astgs_request_t, uint64_t);
diff --git a/third_party/heimdal/kdc/kdc_locl.h
b/third_party/heimdal/kdc/kdc_locl.h
index f2160b72419..d56d6b557b9 100644
--- a/third_party/heimdal/kdc/kdc_locl.h
+++ b/third_party/heimdal/kdc/kdc_locl.h
@@ -155,6 +155,7 @@ struct astgs_request_desc {
/* Only AS */
const struct kdc_patypes *pa_used;
+ unsigned int pkinit_freshness_used : 1;
/* PA methods can affect both the reply key and the session key (pkinit) */
krb5_enctype sessionetype;
diff --git a/third_party/heimdal/kdc/libkdc-exports.def
b/third_party/heimdal/kdc/libkdc-exports.def
index 1d42b8c570c..1c6997a23c2 100644
--- a/third_party/heimdal/kdc/libkdc-exports.def
+++ b/third_party/heimdal/kdc/libkdc-exports.def
@@ -49,6 +49,7 @@ EXPORTS
kdc_request_get_krbtgt_princ
kdc_request_get_pac
kdc_request_get_pac_attributes
+ kdc_request_get_pkinit_freshness_used
kdc_request_get_rep
kdc_request_get_reply_key
kdc_request_get_req
diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c
index c853359bbc2..9f1f4b106f0 100644
--- a/third_party/heimdal/kdc/pkinit.c
+++ b/third_party/heimdal/kdc/pkinit.c
@@ -1996,6 +1996,8 @@ _kdc_pk_validate_freshness_token(astgs_request_t r,
return KRB5_KDC_ERR_PREAUTH_EXPIRED;
}
+ r->pkinit_freshness_used = TRUE;
+
free_PA_ENC_TS_ENC(&ts_enc);
return 0;
}
diff --git a/third_party/heimdal/kdc/version-script.map
b/third_party/heimdal/kdc/version-script.map
index c644b30c8e4..508357d0a7d 100644
--- a/third_party/heimdal/kdc/version-script.map
+++ b/third_party/heimdal/kdc/version-script.map
@@ -52,6 +52,7 @@ HEIMDAL_KDC_1.0 {
kdc_request_get_krbtgt_princ;
kdc_request_get_pac;
kdc_request_get_pac_attributes;
+ kdc_request_get_pkinit_freshness_used;
kdc_request_get_rep;
kdc_request_get_reply_key;
kdc_request_get_req;
diff --git a/third_party/heimdal/lib/asn1/asn1_err.et
b/third_party/heimdal/lib/asn1/asn1_err.et
index ac7a9ebaa52..dc08a86cf30 100644
--- a/third_party/heimdal/lib/asn1/asn1_err.et
+++ b/third_party/heimdal/lib/asn1/asn1_err.et
@@ -23,7 +23,7 @@ error_code MIN_CONSTRAINT, "ASN.1 too few elements"
error_code MAX_CONSTRAINT, "ASN.1 too many elements"
error_code EXACT_CONSTRAINT, "ASN.1 wrong number of elements"
error_code INDEF_OVERRUN, "ASN.1 BER indefinte encoding overrun"
-error_code INDEF_UNDERRUN, "ASN.1 BER indefinte encoding underun"
+error_code INDEF_UNDERRUN, "ASN.1 BER indefinte encoding underrun"
error_code GOT_BER, "ASN.1 got BER encoded when expected DER"
error_code INDEF_EXTRA_DATA, "ASN.1 EoC tag contained data"
end
diff --git a/third_party/heimdal/lib/asn1/asn1_print.c
b/third_party/heimdal/lib/asn1/asn1_print.c
index 9ef6ffd23a2..9b598b78cdf 100644
--- a/third_party/heimdal/lib/asn1/asn1_print.c
+++ b/third_party/heimdal/lib/asn1/asn1_print.c
@@ -566,7 +566,7 @@ dotype(unsigned char *buf, size_t len, char **argv, size_t
*size)
"BER indefinte encoding overun", typename);
case ASN1_INDEF_UNDERRUN:
errx(1, "Could not decode and print data as type %s: "
- "BER indefinte encoding underun", typename);
+ "BER indefinte encoding underrun", typename);
case ASN1_GOT_BER:
errx(1, "Could not decode and print data as type %s: "
"BER encoding when DER expected", typename);
diff --git a/third_party/heimdal/lib/base/heimbase.c
b/third_party/heimdal/lib/base/heimbase.c
index 4e9ea1b4b5f..05add641e01 100644
--- a/third_party/heimdal/lib/base/heimbase.c
+++ b/third_party/heimdal/lib/base/heimbase.c
@@ -701,7 +701,7 @@ heim_auto_release(heim_object_t ptr)
}
if (tls == NULL || (ar = tls->current) == NULL)
- heim_abort("no auto relase pool in place, would leak");
+ heim_abort("no auto release pool in place, would leak");
HEIMDAL_MUTEX_lock(&ar->pool_mutex);
HEIM_TAILQ_INSERT_HEAD(&ar->pool, p, autorel);
diff --git a/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
b/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
index c4ac7455cf6..7a211900fd3 100644
--- a/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -747,7 +747,7 @@ acceptor_start
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return gss_mg_set_error_string(GSS_C_NO_OID, GSS_S_NO_CONTEXT,
*minor_status,
- "SPNEGO acceptor didn't find a prefered
mechanism");
+ "SPNEGO acceptor didn't find a preferred
mechanism");
}
/*
diff --git a/third_party/heimdal/lib/hx509/cert.c
b/third_party/heimdal/lib/hx509/cert.c
index 4fcb4ba8da9..9c7997dc46e 100644
--- a/third_party/heimdal/lib/hx509/cert.c
+++ b/third_party/heimdal/lib/hx509/cert.c
@@ -1506,7 +1506,7 @@ _hx509_calculate_path(hx509_context context,
if (path->len > max_depth) {
hx509_cert_free(current);
hx509_set_error_string(context, 0, HX509_PATH_TOO_LONG,
- "Path too long while bulding "
+ "Path too long while building "
"certificate chain");
return HX509_PATH_TOO_LONG;
}
diff --git a/third_party/heimdal/lib/hx509/hx509_err.et
b/third_party/heimdal/lib/hx509/hx509_err.et
index 9b816754022..70c747a9cfe 100644
--- a/third_party/heimdal/lib/hx509/hx509_err.et
+++ b/third_party/heimdal/lib/hx509/hx509_err.et
@@ -62,8 +62,8 @@ error_code SIG_INVALID_FORMAT, "Invalid format on signature"
error_code OID_MISMATCH, "Mismatch between oids"
error_code NO_PROMPTER, "No prompter function defined"
error_code SIGNATURE_WITHOUT_SIGNER, "Signature requires signer, but none
available"
-error_code RSA_PUBLIC_ENCRYPT, "RSA public encyption failed"
-error_code RSA_PRIVATE_ENCRYPT, "RSA private encyption failed"
+error_code RSA_PUBLIC_ENCRYPT, "RSA public encryption failed"
+error_code RSA_PRIVATE_ENCRYPT, "RSA private encryption failed"
error_code RSA_PUBLIC_DECRYPT, "RSA public decryption failed"
error_code RSA_PRIVATE_DECRYPT, "RSA private decryption failed"
error_code ALGORITHM_BEST_BEFORE, "Algorithm has passed its best before date"
diff --git a/third_party/heimdal/lib/krb5/crypto.c
b/third_party/heimdal/lib/krb5/crypto.c
index b52f084669a..af86f7c4575 100644
--- a/third_party/heimdal/lib/krb5/crypto.c
+++ b/third_party/heimdal/lib/krb5/crypto.c
@@ -1226,7 +1226,7 @@ decrypt_internal_derived(krb5_context context,
if (len < checksum_sz + et->confoundersize) {
krb5_set_error_message(context, KRB5_BAD_MSIZE,
N_("Encrypted data shorter then "
- "checksum + confunder", ""));
+ "checksum + confounder", ""));
return KRB5_BAD_MSIZE;
}
@@ -1301,7 +1301,7 @@ decrypt_internal_enc_then_cksum(krb5_context context,
if (len < checksum_sz + et->confoundersize) {
krb5_set_error_message(context, KRB5_BAD_MSIZE,
N_("Encrypted data shorter then "
- "checksum + confunder", ""));
+ "checksum + confounder", ""));
return KRB5_BAD_MSIZE;
}
@@ -1383,7 +1383,7 @@ decrypt_internal(krb5_context context,
if (len < checksum_sz + et->confoundersize) {
krb5_set_error_message(context, KRB5_BAD_MSIZE,
N_("Encrypted data shorter then "
- "checksum + confunder", ""));
+ "checksum + confounder", ""));
return KRB5_BAD_MSIZE;
}
@@ -1445,7 +1445,7 @@ decrypt_internal_special(krb5_context context,
if (len < cksum_sz + et->confoundersize) {
krb5_set_error_message(context, KRB5_BAD_MSIZE,
N_("Encrypted data shorter then "
- "checksum + confunder", ""));
+ "checksum + confounder", ""));
return KRB5_BAD_MSIZE;
}
diff --git a/third_party/heimdal/lib/sqlite/sqlite3.c
b/third_party/heimdal/lib/sqlite/sqlite3.c
index de55858cb0f..7aaed45e977 100644
--- a/third_party/heimdal/lib/sqlite/sqlite3.c
+++ b/third_party/heimdal/lib/sqlite/sqlite3.c
@@ -95906,7 +95906,7 @@ static int vdbeSorterFlushPMA(VdbeSorter *pSorter){
** the background thread from a sub-tasks previous turn is still running,
** skip it. If the first (pSorter->nTask-1) sub-tasks are all still busy,
** fall back to using the final sub-task. The first (pSorter->nTask-1)
- ** sub-tasks are prefered as they use background threads - the final
+ ** sub-tasks are preferred as they use background threads - the final
** sub-task uses the main thread. */
for(i=0; i<nWorker; i++){
int iTest = (pSorter->iPrev + i + 1) % nWorker;
diff --git a/third_party/heimdal/po/heim_com_err569856/de.po
b/third_party/heimdal/po/heim_com_err569856/de.po
index 5e6ace5d766..ba2dbf6e93d 100644
--- a/third_party/heimdal/po/heim_com_err569856/de.po
+++ b/third_party/heimdal/po/heim_com_err569856/de.po
@@ -273,7 +273,7 @@ msgstr "Signatur erfordert Unterzeichner, aber keiner
verfügbar"
#. 073
#. 074
#: ../lib/hx509/hx509_err.c:84 ../lib/hx509/hx509_err.c:85
-msgid "RSA public encyption failed"
+msgid "RSA public encryption failed"
msgstr "RSA-Verschlüsselung mit öffentlichem Schlüssel fehlgeschlagen"
#. 075
diff --git a/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
b/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
index 2913f6bcb9c..2305f21a962 100644
--- a/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
+++ b/third_party/heimdal/po/heim_com_err569856/heim_com_err569856.pot
@@ -267,7 +267,7 @@ msgstr ""
#. 073
#. 074
#: ../lib/hx509/hx509_err.c:84 ../lib/hx509/hx509_err.c:85
-msgid "RSA public encyption failed"
+msgid "RSA public encryption failed"
msgstr ""
#. 075
diff --git a/third_party/heimdal/po/heimdal_krb5/de.po
b/third_party/heimdal/po/heimdal_krb5/de.po
index 037cc46c1e5..26efb2934fd 100644
--- a/third_party/heimdal/po/heimdal_krb5/de.po
+++ b/third_party/heimdal/po/heimdal_krb5/de.po
@@ -325,9 +325,8 @@ msgstr "Verschlüsselungstyp %s ist deaktiviert."
msgid "checksum type %s is disabled"
msgstr "Prüfsummentyp %s ist deaktiviert."
-# FIXME: s/confunder/confounder/
#: lib/krb5/crypto.c:2958
-msgid "Encrypted data shorter then checksum + confunder"
+msgid "Encrypted data shorter then checksum + confounder"
msgstr "verschlüsselte Daten kürzer als Prüfsumme + Störfaktor"
#: lib/krb5/crypto.c:3585
diff --git a/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
b/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
index 9dbaaaf7282..ac3effae614 100644
--- a/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
+++ b/third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot
@@ -549,7 +549,7 @@ msgid "checksum type %s is disabled"
msgstr ""
#: lib/krb5/crypto.c:2958
-msgid "Encrypted data shorter then checksum + confunder"
+msgid "Encrypted data shorter then checksum + confounder"
msgstr ""
#: lib/krb5/crypto.c:3585
diff --git a/third_party/heimdal/po/heimdal_krb5/sv_SE.po
b/third_party/heimdal/po/heimdal_krb5/sv_SE.po
index ffd1ca7c8d6..8d5caa1a634 100644
--- a/third_party/heimdal/po/heimdal_krb5/sv_SE.po
+++ b/third_party/heimdal/po/heimdal_krb5/sv_SE.po
@@ -540,7 +540,7 @@ msgid "checksum type %s is disabled"
msgstr ""
#: lib/krb5/crypto.c:2979
-msgid "Encrypted data shorter then checksum + confunder"
+msgid "Encrypted data shorter then checksum + confounder"
msgstr ""
#: lib/krb5/crypto.c:3589
--
Samba Shared Repository
