From d4b98847a96cbb9f42c13139f33859b81563cd0d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 10 Mar 2022 16:12:43 +0100 Subject: [PATCH 1/5] third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton (cherry picked from commit 67bdc922f9836779f1b37805575c5c4eea9ba3e6) --- .../heimdal/.github/workflows/coverity.yml | 68 ++++++++ .../heimdal/.github/workflows/linux.yml | 146 ++++++++++++++++++ third_party/heimdal/.github/workflows/osx.yml | 122 +++++++++++++++ .../heimdal/.github/workflows/scanbuild.yml | 67 ++++++++ .../heimdal/.github/workflows/valgrind.yml | 71 +++++++++ .../heimdal/.github/workflows/windows.yml | 92 +++++++++++ third_party/heimdal/kdc/default_config.c | 9 ++ third_party/heimdal/kdc/fast.c | 3 + third_party/heimdal/kdc/kdc.h | 1 + third_party/heimdal/kdc/krb5tgs.c | 3 + third_party/heimdal/lib/krb5/krb5.conf.5 | 2 + third_party/heimdal/lib/krb5/pac.c | 12 +- .../heimdal/tests/gss/check-context.in | 4 - 13 files changed, 590 insertions(+), 10 deletions(-) create mode 100644 third_party/heimdal/.github/workflows/coverity.yml create mode 100644 third_party/heimdal/.github/workflows/linux.yml create mode 100644 third_party/heimdal/.github/workflows/osx.yml create mode 100644 third_party/heimdal/.github/workflows/scanbuild.yml create mode 100644 third_party/heimdal/.github/workflows/valgrind.yml create mode 100644 third_party/heimdal/.github/workflows/windows.yml diff --git a/third_party/heimdal/.github/workflows/coverity.yml b/third_party/heimdal/.github/workflows/coverity.yml new file mode 100644 index 000000000000..5a175f52a8ce --- /dev/null +++ b/third_party/heimdal/.github/workflows/coverity.yml 
@@ -0,0 +1,68 @@ +name: Linux Coverity Build + +on: + push: + # Pushes to this branch get the scan-build treatment + branches: + - 'coverity*' + +jobs: + linux: + if: secrets.COVERITY_SCAN_TOKEN != '' + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Download Coverity Build Tool + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + run: | + wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=ruby" -O cov-analysis-linux64.tar.gz + mkdir cov-analysis-linux64 + tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + ulimit -c unlimited + # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW + (cd lib/libedit && make -j4) + (cd lib/sqlite && make -j4) + export PATH=`pwd`/cov-analysis-linux64/bin:$PATH + cov-build --dir cov-int make -j4 + - 
name: Submit the result to Coverity Scan + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} + PROJECT: ${{ secrets.COVERITY_SCAN_PROJECT }} + run: | + tar czvf heimdal.tgz cov-int + curl \ + --form project=ruby \ + --form token=$TOKEN \ + --form email=$EMAIL \ + --form file=@heimdal.tgz \ + --form version=trunk \ + --form description="`./ruby -v`" "https://scan.coverity.com/builds?project=$PROJECT" diff --git a/third_party/heimdal/.github/workflows/linux.yml b/third_party/heimdal/.github/workflows/linux.yml new file mode 100644 index 000000000000..48e4c80dc3c2 --- /dev/null +++ b/third_party/heimdal/.github/workflows/linux.yml 
@@ -0,0 +1,146 @@ +name: Linux Build + +on: + push: + branches: + - 'master' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/linux.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/linux.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang, linux-gcc] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + cflags: '' + - name: linux-gcc + os: ubuntu-18.04 + compiler: gcc + cflags: '-Wnonnull' + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex doxygen + sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl + sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl + sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python + sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils + sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS 
--prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + make check + - name: Make Install + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build || true + make DESTDIR=/tmp/h5l install + cd /tmp/h5l + tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz . + - name: Core dump stacks + run: | + echo "thread apply all bt" > /tmp/x + find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done + if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi + - name: Test logs + run: | + find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from - + find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Make Dist + run: | + cd build + make dist + make distclean + if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then + echo "Files not removed by make distclean:" + git ls-files -o|grep -v ^build/ + fi + - name: Upload Install Tarball + uses: actions/upload-artifact@v2 + with: + name: Install Tarball + path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz' + - name: Upload Dist Tarball + uses: actions/upload-artifact@v2 + with: + name: Dist Tarball + path: 'build/heimdal-*.tar.gz' + - name: Upload Logs Tarball + uses: actions/upload-artifact@v2 + with: + name: Test Logs + path: '~/logs-linux-${{ matrix.compiler }}.tgz' 
diff --git a/third_party/heimdal/.github/workflows/osx.yml b/third_party/heimdal/.github/workflows/osx.yml new file mode 100644 index 000000000000..342f850f1c70 --- /dev/null +++ b/third_party/heimdal/.github/workflows/osx.yml 
@@ -0,0 +1,122 @@ +name: OS X Build + +on: + push: + branches: + - 'master' + - 'osx-build' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/osx.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/osx.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + osx: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [osx-clang] + include: + - name: osx-clang + os: macos-latest + compiler: clang + steps: + - name: Install packages + run: | + echo "bison, flex, ncurses, texinfo, and unzip are in the base OS." + echo "berkeley-db, perl, python, curl, and jq are installed in the" + echo "base image already." 
+ brew install autoconf automake libtool cpanm + sudo cpanm install JSON + - name: Clone repository + uses: actions/checkout@v1 + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3" + ulimit -c unlimited + make -j4 + #- name: Setup upterm session + # uses: lhotari/action-upterm@v1 + # with: + # limit-access-to-actor: true + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + set -vx + sudo lsof -nP -i:49188 || true + cd build + make check + - name: Install + run: | + cd build || true + make DESTDIR=/tmp/h5l install + cd /tmp/h5l + tar czf $HOME/heimdal-install-osx.tgz . + - name: Test logs + run: | + find build -depth -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/' | cpio -o > $HOME/logs-osx.cpio + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: Upload Install Tarball + uses: actions/upload-artifact@v2 + with: + name: Install Tarball + path: '~/heimdal-install-osx.tgz' + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Upload Test Logs + path: '~/logs-osx.cpio' diff --git a/third_party/heimdal/.github/workflows/scanbuild.yml b/third_party/heimdal/.github/workflows/scanbuild.yml new file mode 100644 index 000000000000..678ccfd80462 --- /dev/null +++ b/third_party/heimdal/.github/workflows/scanbuild.yml 
@@ -0,0 +1,67 @@ +name: Linux Static Analyzer Build + +on: + push: + # Pushes to this branch get the scan-build treatment + branches: + - 'scan-build*' + + pull_request: + # Changing this build gets it to run + paths: + - '.github/workflows/scanbuild.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + ulimit -c unlimited + # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW + (cd lib/libedit && make -j4) + (cd lib/sqlite && make -j4) + scan-build --keep-going make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + scan-build --keep-going make check + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: 
Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Scan-Build Reports + path: '/tmp/scan-build*/' diff --git a/third_party/heimdal/.github/workflows/valgrind.yml b/third_party/heimdal/.github/workflows/valgrind.yml new file mode 100644 index 000000000000..ab5e90916610 --- /dev/null +++ b/third_party/heimdal/.github/workflows/valgrind.yml 
@@ -0,0 +1,71 @@ +name: Linux Valgrind Tests Build + +on: + push: + # Pushes to the valgrind branch get the valgrind treatment + branches: + - 'valgrind*' + + pull_request: + # Changing this build also gets it to run + paths: + - '.github/workflows/valgrind.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev lmdb-utils liblmdb-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + CHECK_TESTER_NO_VALGRIND: 'no-valgrind' + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + make check-valgrind + - name: Valgrind output + run: | + find . 
-name \*.log -print0|xargs -0 grep '^==[0-9]*== ' || true + - name: Test logs + run: | + find build -depth -name \*.log | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-valgrind.tgz --verbatim-files-from --files-from - + find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Test Logs + path: '~/logs-linux-valgrind.tgz' diff --git a/third_party/heimdal/.github/workflows/windows.yml b/third_party/heimdal/.github/workflows/windows.yml new file mode 100644 index 000000000000..f1c187c397a9 --- /dev/null +++ b/third_party/heimdal/.github/workflows/windows.yml 
@@ -0,0 +1,92 @@ +name: Windows Build + +on: + push: + branches: + - 'master' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**.w32' + - '**/NTMakefile*' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/windows.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**.w32' + - '**/NTMakefile' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/windows.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + windows: + runs-on: windows-latest + env: + APPVER: '10.0' + CODESIGN_PKT: 0000000000000000 + INSTALL_DIR: C:\heimdal + WINSDKVER: '10.0.22000.0' + WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5' + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Find MSVC and run vcvarsall.bat + uses: ilammy/msvc-dev-cmd@v1 + with: + arch: amd64 + - name: Build and Test + shell: cmd + run: | + set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin + set CODESIGN_PKT=0000000000000000 + set dbg__type=Debug + mkdir %INSTALL_DIR% + pacman --noconfirm -S zstd + pacman --noconfirm -S autoconf + pacman --noconfirm -S automake + pacman --noconfirm -S flex + pacman --noconfirm -S bison + pacman --noconfirm -S perl + pacman --noconfirm -S perl-JSON + set PATH=%PATH%;%wix%bin + title Heimdal Build %CPU% %dbg__type% + set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop" + set "PATH=%PATH%;C:/msys64/usr/bin" + set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin" + set "PATH=%PATH%;C:\Python310-x64" + echo PATH=%PATH% + nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo 
NO_INSTALLERS=1 + nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Objects + path: 'D:/a/heimdal/heimdal/out/' diff --git a/third_party/heimdal/kdc/default_config.c b/third_party/heimdal/kdc/default_config.c index 01f8f7b54a69..83c73504ce7a 100644 --- a/third_party/heimdal/kdc/default_config.c +++ b/third_party/heimdal/kdc/default_config.c @@ -101,6 +101,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->strict_nametypes = FALSE; c->trpolicy = TRPOLICY_ALWAYS_CHECK; c->require_pac = FALSE; + c->enable_fast = TRUE; c->enable_armored_pa_enc_timestamp = TRUE; c->enable_unarmored_pa_enc_timestamp = TRUE; c->enable_pkinit = FALSE; @@ -262,6 +263,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) "require_pac", NULL); + c->enable_fast = + krb5_config_get_bool_default(context, + NULL, + c->enable_fast, + "kdc", + "enable_fast", + NULL); + c->enable_armored_pa_enc_timestamp = krb5_config_get_bool_default(context, NULL, diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index 043227892b5d..392fc966050e 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -755,6 +755,9 @@ _kdc_fast_unwrap_request(astgs_request_t r, const PA_DATA *pa; int i = 0; + if (!r->config->enable_fast) + return 0; + ret = fast_unwrap_request(r, tgs_ticket, tgs_ac); if (ret) return ret; diff --git a/third_party/heimdal/kdc/kdc.h b/third_party/heimdal/kdc/kdc.h index e3709ada6b0a..31e54325452a 100644 --- a/third_party/heimdal/kdc/kdc.h +++ b/third_party/heimdal/kdc/kdc.h @@ -106,6 +106,7 @@ struct krb5_kdc_service { unsigned int use_strongest_server_key : 1; \ \ unsigned int require_pac : 1; \ + unsigned int enable_fast : 1; \ unsigned int enable_armored_pa_enc_timestamp : 1 #ifndef __KDC_LOCL_H__ 
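Review bot: The new `if (!r->config->enable_fast) return 0;` at the top of _kdc_fast_unwrap_request returns before fast_unwrap_request() runs, so as far as the hunk shows a request that carries PA-FX-FAST is then handled as its outer, unarmored request rather than being rejected. That mirrors a pre-FAST KDC ignoring padata it does not understand, which is presumably the intent of this test-only knob, but nothing at the guard says so; suggest `/* FAST disabled (test-only): leave any PA-FX-FAST padata alone and process the outer request as a pre-FAST KDC would. */`. The same flag-gated early return is added to validate_fast_ad in krb5tgs.c, where it also skips the FX-FAST authdata lookups on the presented TGT. The body of _kdc_fast_unwrap_request continues outside the hunk.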
diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index 06889f47120e..aab6806fbe12 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -902,6 +902,9 @@ validate_fast_ad(astgs_request_t r, krb5_authdata *auth_data) krb5_data_zero(&data); + if (!r->config->enable_fast) + return 0; + ret = _krb5_get_ad(r->context, auth_data, NULL, KRB5_AUTHDATA_FX_FAST_USED, &data); if (ret == 0) { diff --git a/third_party/heimdal/lib/krb5/krb5.conf.5 b/third_party/heimdal/lib/krb5/krb5.conf.5 index 1013a78d8731..8a9623ecadab 100644 --- a/third_party/heimdal/lib/krb5/krb5.conf.5 +++ b/third_party/heimdal/lib/krb5/krb5.conf.5 @@ -816,6 +816,8 @@ addresses in the tickets. .It Li allow-null-ticket-addresses = Va BOOL Allow address-less tickets. .\" XXX +.It Li enable_fast = Va BOOL +Enable RFC 6113 FAST support, this is enabled by default. .It Li enable_armored_pa_enc_timestamp = Va BOOL Enable armored encrypted timestamp pre-authentication with key strengthening. diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c index a12c00d77328..c8f355c81790 100644 --- a/third_party/heimdal/lib/krb5/pac.c +++ b/third_party/heimdal/lib/krb5/pac.c @@ -458,7 +458,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p, */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL -krb5_pac_get_buffer(krb5_context context, krb5_pac p, +krb5_pac_get_buffer(krb5_context context, krb5_const_pac p, uint32_t type, krb5_data *data) { krb5_error_code ret; @@ -508,7 +508,7 @@ static struct { */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL -_krb5_pac_get_buffer_by_name(krb5_context context, krb5_pac p, +_krb5_pac_get_buffer_by_name(krb5_context context, krb5_const_pac p, const krb5_data *name, krb5_data *data) { size_t i; 
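Review bot: Returning 0 from validate_fast_ad before the _krb5_get_ad() lookup means that with enable_fast off the KDC no longer looks at KRB5_AUTHDATA_FX_FAST_USED on the TGT it was presented, nor at whatever the remainder of the function checks outside the hunk. If the rest of validate_fast_ad rejects tickets carrying FAST armor authdata, that rejection is switched off together with FAST itself, which would matter if a ticket issued by a FAST-enabled KDC in the same realm is later presented to one running with the option off; I cannot confirm that from the hunk, so it is worth a look. Either keep the authdata validation unconditional and gate only the FAST-specific bookkeeping, or record the trade-off at the guard: `/* enable_fast is a test-only knob; with it off the FX-FAST authdata checks below are skipped as well. */`. validate_fast_ad continues outside the hunk.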
@@ -531,7 +531,7 @@ _krb5_pac_get_buffer_by_name(krb5_context context, krb5_pac p, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_pac_get_types(krb5_context context, - krb5_pac p, + krb5_const_pac p, size_t *len, uint32_t **types) { @@ -1573,7 +1573,7 @@ out: KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_pac_get_kdc_checksum_info(krb5_context context, - krb5_pac pac, + krb5_const_pac pac, krb5_cksumtype *cstype, uint16_t *rodc_id) { @@ -1628,7 +1628,7 @@ out: KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pac_get_canon_principal(krb5_context context, - krb5_pac pac, + krb5_const_pac pac, krb5_principal *canon_princ) { *canon_princ = NULL; @@ -1644,7 +1644,7 @@ _krb5_pac_get_canon_principal(krb5_context context, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pac_get_attributes_info(krb5_context context, - krb5_pac pac, + krb5_const_pac pac, uint64_t *pac_attributes) { *pac_attributes = 0; diff --git a/third_party/heimdal/tests/gss/check-context.in b/third_party/heimdal/tests/gss/check-context.in index 46c058d068b4..2b866d2f7242 100644 --- a/third_party/heimdal/tests/gss/check-context.in +++ b/third_party/heimdal/tests/gss/check-context.in @@ -159,14 +159,10 @@ mv ${keytabfile} ${keytabfile}.no echo "checking non existant keytabfile (krb5)" ; > messages.log ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \ { eval "$testfailed"; } -grep ${keytabfile} test_context.log > /dev/null || \ - { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; } echo "checking non existant keytabfile (spengo)" ; > messages.log ${context} --mech-type=spnego --mech-types=spnego,krb5 \ host@lucid.test.h5l.se > test_context.log 2>&1 && \ { eval "$testfailed"; } -grep ${keytabfile} test_context.log > /dev/null || \ - { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; } mv ${keytabfile}.no ${keytabfile} -- 2.25.1 From 34577419f9dbf9d588cffd547bc0b07fbd4f48b7 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Wed, 9 Mar 2022 12:39:07 +0100 Subject: [PATCH 2/5] docs-xml: add 'kdc enable fast' option This will be useful to test against a KDC without FAST support and find/prevent regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton (cherry picked from commit 12b623088cf48cf9e4a046441810ef20e1f079b8) --- docs-xml/smbdotconf/security/kdcenablefast.xml | 15 +++++++++++++++ lib/param/loadparm.c | 2 ++ source3/param/loadparm.c | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 docs-xml/smbdotconf/security/kdcenablefast.xml diff --git a/docs-xml/smbdotconf/security/kdcenablefast.xml b/docs-xml/smbdotconf/security/kdcenablefast.xml new file mode 100644 index 000000000000..e47ca3b0bd41 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcenablefast.xml @@ -0,0 +1,15 @@ + + + With the Samba 4.16 the embedded Heimdal KDC brings + support for RFC6113 FAST, which wasn't available in + older Samba versions. + + This option is mostly for testing and currently only applies + if the embedded Heimdal KDC is used. + + +yes + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index cae763b44ea4..d6d845391e6f 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2695,6 +2695,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "krb5 port", "88"); lpcfg_do_global_parameter(lp_ctx, "kpasswd port", "464"); + lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True"); + lpcfg_do_global_parameter(lp_ctx, "nt status support", "True"); lpcfg_do_global_parameter(lp_ctx, "max wins ttl", "518400"); /* 6 days */ diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index a366870d1fe9..21e061939e3e 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -942,6 +942,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.kpasswd_port = 464; + Globals.kdc_enable_fast = true; + Globals.aio_max_threads = 100; lpcfg_string_set(Globals.ctx, -- 2.25.1 From b3b896878cdfccfc8ab66b435b84ff5890a3e5e0 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 9 Mar 2022 12:39:07 +0100 Subject: [PATCH 3/5] s4:kdc: make use of the 'kdc enable fast' option This will useful to test against a KDC without FAST support and find/prevent regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton (cherry picked from commit 2db7589d69abebad16b66d933114367f815d5fc3) --- source4/kdc/db-glue.c | 8 ++++++-- source4/kdc/kdc-heimdal.c | 7 +++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 8d17038cfe66..bdadc1278c30 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -448,11 +448,15 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, *supported_enctypes_out = 0; if (rid == DOMAIN_RID_KRBTGT || is_rodc) { + bool enable_fast; + /* KDCs (and KDCs on RODCs) use AES */ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; - /* KDCs support FAST */ - supported_enctypes |= ENC_FAST_SUPPORTED; + enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); + if (enable_fast) { + supported_enctypes |= ENC_FAST_SUPPORTED; + } } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) { /* DCs and RODCs comptuer accounts use AES */ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c index ddf3b649da2d..0d2a410fc3b4 100644 --- a/source4/kdc/kdc-heimdal.c +++ b/source4/kdc/kdc-heimdal.c 
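Review bot: The comment `/* KDCs support FAST */` is removed with the line it described, so the krbtgt/RODC branch of samba_kdc_message2entry_keys now advertises ENC_FAST_SUPPORTED conditionally without saying why; restore a comment above the lpcfg_kdc_enable_fast() call, e.g. `/* KDCs support FAST unless 'kdc enable fast = no' (test-only) */`. Note also that this value is read from kdc_db_ctx->lp_ctx while kdc-heimdal.c reads kdc_config->enable_fast from task->lp_ctx; presumably both are the same loadparm context, but if they ever diverge the krbtgt entry could advertise FAST that the KDC then refuses to unwrap. The function continues outside the hunk.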
@@ -422,6 +422,13 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd) kdc_config->require_pac = true; + /* + * By default we enable RFC6113/FAST support, + * but we have an option to disable in order to + * test against a KDC with FAST support. + */ + kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx); + /* * Match Windows and RFC6113 and Windows but break older * Heimdal clients. -- 2.25.1 From 528b865272f7e9e12a6c9c410d3fcf91dee545ed Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 9 Mar 2022 12:53:18 +0100 Subject: [PATCH 4/5] selftest: use 'kdc enable fast = no' for fl2000 fl2003 This makes sure we still run tests against KDCs without FAST support and it already found a few regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton (cherry picked from commit f1a71e24864367a55a30813dd642e7ef392b5ac9) --- selftest/knownfail.d/broken.no-fast | 32 +++++++++++++++++++++++++++++ selftest/target/Samba4.pm | 2 ++ source4/selftest/tests.py | 5 ++++- 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 selftest/knownfail.d/broken.no-fast diff --git a/selftest/knownfail.d/broken.no-fast b/selftest/knownfail.d/broken.no-fast new file mode 100644 index 000000000000..a337cacee8b8 --- /dev/null +++ b/selftest/knownfail.d/broken.no-fast 
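Review bot: The new comment says the option exists "to test against a KDC with FAST support", but the option disables FAST, and the commit message says "without"; the missing word inverts the meaning of a security-relevant knob for the next reader. Change the line to `* test against a KDC without FAST support.`. kdc_post_fork continues outside the hunk.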
@@ -0,0 +1,32 @@ +^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2000dc +^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2000dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2000dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2000dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc +^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2003dc +^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2003dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2003dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2003dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc +^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2003dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc +^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2000dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2000dc +^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2000dc +^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2003dc +^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2000dc 
+^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.ad_member_oneway +^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.ad_member_oneway +^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2000dc +^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2000dc +^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2003dc +^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2003dc diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index da6b2de488b7..4c263f55de4d 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1655,6 +1655,7 @@ sub provision_fl2000dc($$) print "PROVISIONING DC WITH FOREST LEVEL 2000...\n"; my $extra_conf_options = " + kdc enable fast = no spnego:simulate_w2k=yes ntlmssp_server:force_old_spnego=yes "; @@ -1698,6 +1699,7 @@ sub provision_fl2003dc($$$) print "PROVISIONING DC WITH FOREST LEVEL 2003...\n"; my $extra_conf_options = "allow dns updates = nonsecure and secure + kdc enable fast = no dcesrv:header signing = no dcesrv:max auth states = 0 dns forwarder = $ip_addr1 [$ip_addr2]:54"; diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 829eda82979e..a7572b53cadf 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
@@ -1666,12 +1666,15 @@ plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes",
 '--option=torture:krb5-service=http'], "samba4.krb5.kdc with account having identical UPN and SPN")
 for env in ["fl2008r2dc", "fl2003dc"]:
+ fast_support = have_fast_support
+ if env in ["fl2003dc"]:
+ fast_support = 0
 planoldpythontestsuite(env, "samba.tests.krb5.as_req_tests",
 environ={
 'ADMIN_USERNAME': '$USERNAME',
 'ADMIN_PASSWORD': '$PASSWORD',
 'STRICT_CHECKING': '0',
- 'FAST_SUPPORT': have_fast_support,
+ 'FAST_SUPPORT': fast_support,
 'TKT_SIG_SUPPORT': tkt_sig_support,
 'EXPECT_PAC': expect_pac,
 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers,
-- 
2.25.1
From 85758b4fed7418124208c75356cd6e12fd1b7bc1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 10 Mar 2022 17:49:52 +0100
Subject: [PATCH 5/5] third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)
This fixes the regressions against KDCs without FAST support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher
Reviewed-by: Joseph Sutton
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184
(cherry picked from commit 9b48e7f7eda5e368c1192d562c268885c1f68d8b)
---
 selftest/knownfail.d/broken.no-fast | 32 -------
 third_party/heimdal/lib/krb5/fast.c | 98 +++++++++++++++++---
 third_party/heimdal/lib/krb5/get_cred.c | 76 +++++++++------
 third_party/heimdal/lib/krb5/init_creds_pw.c | 1 -
 4 files changed, 134 insertions(+), 73 deletions(-)
 delete mode 100644 selftest/knownfail.d/broken.no-fast
diff --git a/selftest/knownfail.d/broken.no-fast b/selftest/knownfail.d/broken.no-fast
deleted file mode 100644
index a337cacee8b8..000000000000
--- a/selftest/knownfail.d/broken.no-fast
+++ /dev/null
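Review bot: `if env in ["fl2003dc"]:` is a membership test against a one-element list; unless more environments are expected to lose FAST support, `if env == "fl2003dc":` states the intent more directly. A one-line comment on why that environment gets `fast_support = 0` would also help, e.g. `# fl2003dc is provisioned with "kdc enable fast = no"`, since the reason lives in the Samba4.pm hunk of this patch rather than here. The `for env` loop continues past the end of the hunk.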
@@ -1,32 +0,0 @@
-^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2000dc
-^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2003dc
-^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2000dc
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.ad_member_oneway
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.ad_member_oneway
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2000dc
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2000dc
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2003dc
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2003dc
diff --git a/third_party/heimdal/lib/krb5/fast.c b/third_party/heimdal/lib/krb5/fast.c
index 617446c36342..83893542d690 100644
--- a/third_party/heimdal/lib/krb5/fast.c
+++ b/third_party/heimdal/lib/krb5/fast.c
@@ -413,8 +413,14 @@ _krb5_fast_create_armor(krb5_context context,
 }
 if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
- if (state->armor_crypto)
+ if (state->armor_crypto) {
 krb5_crypto_destroy(context, state->armor_crypto);
+ state->armor_crypto = NULL;
+ }
+ if (state->strengthen_key) {
+ krb5_free_keyblock(context, state->strengthen_key);
+ state->strengthen_key = NULL;
+ }
 krb5_free_keyblock_contents(context, &state->armor_key);
 /*
@@ -455,14 +461,15 @@ _krb5_fast_create_armor(krb5_context context,
 krb5_error_code
 _krb5_fast_wrap_req(krb5_context context,
 struct krb5_fast_state *state,
- krb5_data *checksum_data,
 KDC_REQ *req)
 {
 PA_FX_FAST_REQUEST fxreq;
 krb5_error_code ret;
 KrbFastReq fastreq;
- krb5_data data, aschecksum_data;
+ krb5_data data, aschecksum_data, tgschecksum_data;
+ const krb5_data *checksum_data = NULL;
 size_t size = 0;
+ krb5_boolean readd_padata_to_outer = FALSE;
 if (state->flags & KRB5_FAST_DISABLED) {
 _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
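Review bot: The new teardown of `state->armor_crypto` and `state->strengthen_key` in _krb5_fast_create_armor carries no comment saying why an already-armored state is reset at this point, and the NULL-after-free pattern is easy to miss the next time a field is added to krb5_fast_state. A short comment above the block, e.g. `/* Re-arming: drop crypto, strengthen key and armor key left from an earlier attempt so they cannot be reused. */`, would record the intent; that this is about an earlier attempt is inferred from the shape of the code, so please confirm. Whether the context-line krb5_free_keyblock_contents call scrubs the armor key bytes before freeing cannot be seen from this hunk and is worth checking, since that is the only place the old armor key material is released. The function starts and ends outside the hunk.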
@@ -473,6 +480,7 @@ _krb5_fast_wrap_req(krb5_context context,
 memset(&fastreq, 0, sizeof(fastreq));
 krb5_data_zero(&data);
 krb5_data_zero(&aschecksum_data);
+ krb5_data_zero(&tgschecksum_data);
 if (state->armor_crypto == NULL)
 return check_fast(context, state);
@@ -511,8 +519,6 @@ _krb5_fast_wrap_req(krb5_context context,
 ALLOC(req->req_body.till, 1);
 *req->req_body.till = 0;
- heim_assert(checksum_data == NULL, "checksum data not NULL");
-
 ASN1_MALLOC_ENCODE(KDC_REQ_BODY,
 aschecksum_data.data,
 aschecksum_data.length,
@@ -523,14 +529,63 @@ _krb5_fast_wrap_req(krb5_context context,
 heim_assert(aschecksum_data.length == size, "ASN.1 internal error");
 checksum_data = &aschecksum_data;
- }
-
- if (req->padata) {
- ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
- free_METHOD_DATA(req->padata);
- if (ret)
- goto out;
+ if (req->padata) {
+ ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
+ free_METHOD_DATA(req->padata);
+ if (ret)
+ goto out;
+ }
 } else {
+ const PA_DATA *tgs_req_ptr = NULL;
+ int tgs_req_idx = 0;
+ size_t i;
+
+ heim_assert(req->padata != NULL, "req->padata is NULL");
+
+ tgs_req_ptr = krb5_find_padata(req->padata->val,
+ req->padata->len,
+ KRB5_PADATA_TGS_REQ,
+ &tgs_req_idx);
+ heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found");
+ heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first");
+
+ tgschecksum_data.data = tgs_req_ptr->padata_value.data;
+ tgschecksum_data.length = tgs_req_ptr->padata_value.length;
+ checksum_data = &tgschecksum_data;
+
+ /*
+ * Now copy all remaining once to
+ * the fastreq.padata and clear
+ * them in the outer req first,
+ * and remember to readd them later.
+ */
+ readd_padata_to_outer = TRUE;
+
+ for (i = 1; i < req->padata->len; i++) {
+ PA_DATA *val = &req->padata->val[i];
+
+ ret = krb5_padata_add(context,
+ &fastreq.padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+
+ /*
+ * Only TGS-REQ remaining
+ */
+ req->padata->len = 1;
+ }
+
+ if (req->padata == NULL) {
 ALLOC(req->padata, 1);
 if (req->padata == NULL) {
 ret = krb5_enomem(context);
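Review bot: `tgschecksum_data` is a borrowed view of `req->padata->val[0].padata_value`, not an owned buffer, and nothing in the code records that, unlike `aschecksum_data`, it must never be freed and is only valid while val[0] is left alone; the function continues past the hunk where the checksum is presumably taken and `aschecksum_data` released. A comment on the assignment, e.g. `/* Borrowed: points into req->padata->val[0]; never free it. */`, would make that explicit. The three heim_assert calls also establish a new caller contract — `req->padata` present and KRB5_PADATA_TGS_REQ at index 0 — which should be stated in the function's header comment (outside this hunk), because a violated assertion aborts the process instead of returning an error. The move loop that clears `val->padata_value` after krb5_padata_add relies on krb5_padata_add taking ownership of the buffer rather than copying it; a one-liner such as `/* ownership moved into fastreq.padata */` would save the next reader a trip to its implementation.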
@@ -586,6 +641,27 @@ _krb5_fast_wrap_req(krb5_context context,
 goto out;
 krb5_data_zero(&data);
+ if (readd_padata_to_outer) {
+ size_t i;
+
+ for (i = 0; i < fastreq.padata.len; i++) {
+ PA_DATA *val = &fastreq.padata.val[i];
+
+ ret = krb5_padata_add(context,
+ req->padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+ }
+
 out:
 free_KrbFastReq(&fastreq);
 free_PA_FX_FAST_REQUEST(&fxreq);
diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c
index ec757797866d..6e48846bcb3a 100644
--- a/third_party/heimdal/lib/krb5/get_cred.c
+++ b/third_party/heimdal/lib/krb5/get_cred.c
@@ -239,20 +239,6 @@ init_tgs_req (krb5_context context,
 if (ret)
 goto fail;
 }
-
- if (padata) {
- if (t->padata == NULL) {
- ALLOC(t->padata, 1);
- if (t->padata == NULL) {
- ret = krb5_enomem(context);
- goto fail;
- }
- }
-
- ret = copy_METHOD_DATA(padata, t->padata);
- if (ret)
- goto fail;
- }
 ret = krb5_auth_con_init(context, &ac);
 if(ret)
@@ -278,6 +264,20 @@ init_tgs_req (krb5_context context,
 if (ret)
 goto fail;
+ ret = make_pa_tgs_req(context,
+ &ac,
+ &t->req_body,
+ ccache,
+ krbtgt,
+ &tgs_req);
+ if(ret)
+ goto fail;
+
+ /*
+ * Add KRB5_PADATA_TGS_REQ first
+ * followed by all others.
+ */
+
 if (t->padata == NULL) {
 ALLOC(t->padata, 1);
 if (t->padata == NULL) {
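Review bot: The readd loop copies every padata element that was just moved into the FAST-armored `fastreq` back into the outer, unprotected `req->padata`, so those elements now travel both inside the armor and in the clear, and the hunk gives no rationale. The commit message points at KDCs without FAST support, so presumably the outer copy is what such a KDC consumes, but that belongs next to `if (readd_padata_to_outer)` together with its consequence, e.g. `/* Also carry the padata in the outer request for KDCs that ignore PA-FX-FAST; nothing placed here may rely on FAST for confidentiality. */`. Clearing `val->padata_value` after each successful add is what keeps free_KrbFastReq at `out:` from releasing buffers now owned by `req->padata`; a one-line note there would make the ownership hand-back obvious. The function body continues above the hunk.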
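Review bot: The new comment `Add KRB5_PADATA_TGS_REQ first followed by all others.` says what is done but not why it matters; the ordering is a hard requirement, because the fast.c hunk in this same patch asserts `KRB5_PADATA_TGS_REQ not first` and aborts the process otherwise. Extending the comment to `* _krb5_fast_wrap_req() asserts that PA-TGS-REQ sits at index 0 and uses it as the FAST checksum input, so it must be added before anything else.` ties the two sides together for the next maintainer. init_tgs_req starts outside the hunk and the new code continues into the next one.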
@@ -286,15 +286,40 @@ init_tgs_req (krb5_context context,
 }
 }
- ret = make_pa_tgs_req(context,
- &ac,
- &t->req_body,
- ccache,
- krbtgt,
- &tgs_req);
- if(ret)
+ ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ,
+ tgs_req.data, tgs_req.length);
+ if (ret)
 goto fail;
+ krb5_data_zero(&tgs_req);
+
+ {
+ size_t i;
+ for (i = 0; i < padata->len; i++) {
+ const PA_DATA *val1 = &padata->val[i];
+ PA_DATA val2;
+
+ ret = copy_PA_DATA(val1, &val2);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto fail;
+ }
+
+ ret = krb5_padata_add(context, t->padata,
+ val2.padata_type,
+ val2.padata_value.data,
+ val2.padata_value.length);
+ if (ret) {
+ free_PA_DATA(&val2);
+
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto fail;
+ }
+ }
+ }
+
 if (state) {
 state->armor_ac = ac;
 ret = _krb5_fast_create_armor(context, state, NULL);
@@ -302,7 +327,7 @@ init_tgs_req (krb5_context context,
 if (ret)
 goto fail;
- ret = _krb5_fast_wrap_req(context, state, &tgs_req, t);
+ ret = _krb5_fast_wrap_req(context, state, t);
 if (ret)
 goto fail;
@@ -310,13 +335,6 @@ init_tgs_req (krb5_context context,
 state->flags &= ~KRB5_FAST_EXPECTED;
 }
- ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ,
- tgs_req.data, tgs_req.length);
- if (ret)
- goto fail;
-
- krb5_data_zero(&tgs_req);
-
 ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
 if (ret)
 goto fail;
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c
index e42fcf10bc17..4173837779b0 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
@@ -3394,7 +3394,6 @@ init_creds_step(krb5_context context,
 ret = _krb5_fast_wrap_req(context,
 &ctx->fast_state,
- NULL,
 &req2);
 krb5_data_free(&checksum_data);
-- 
2.25.1
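Review bot: The new copy loop dereferences `padata->len` unconditionally, while the code removed in the @@ -239 hunk was guarded by `if (padata)`; if any caller of init_tgs_req still passes a NULL padata, this is now a NULL dereference on every TGS request. If NULL is no longer a legal argument, say so in a comment at the loop; otherwise wrap the block in the old guard, `if (padata) {` … `}`. The per-element `N_("malloc: out of memory", "")` message is also attached to whatever copy_PA_DATA or krb5_padata_add returned, which may not always be ENOMEM, so the reported error can misdescribe the failure; keeping the callee's own error message, or setting this one only when ret is ENOMEM, would keep it truthful. init_tgs_req starts and ends outside the hunk.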