author | Stefan Metzmacher <metze@samba.org> | 2022-03-10 17:49:52 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-03-14 14:27:13 +0000 |
commit | 9d819c9359f35758219ee78ef0ade3828a9d8135 (patch) | |
tree | bba8c5a6511a94ec8b6622b29e7cf0c607ba8988 | |
parent | e6196c456c1d9635376fcc5565b9f67e2e7cf65a (diff) | |
download | samba-9d819c9359f35758219ee78ef0ade3828a9d8135.tar.gz |
third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)
This fixes the regressions against KDCs without FAST support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184
(cherry picked from commit 9b48e7f7eda5e368c1192d562c268885c1f68d8b)
-rw-r--r-- | selftest/knownfail.d/broken.no-fast | 32 | ||||
-rw-r--r-- | third_party/heimdal/lib/krb5/fast.c | 98 | ||||
-rw-r--r-- | third_party/heimdal/lib/krb5/get_cred.c | 76 | ||||
-rw-r--r-- | third_party/heimdal/lib/krb5/init_creds_pw.c | 1 |
4 files changed, 134 insertions, 73 deletions
diff --git a/selftest/knownfail.d/broken.no-fast b/selftest/knownfail.d/broken.no-fast
deleted file mode 100644
index a337cacee8b..00000000000
--- a/selftest/knownfail.d/broken.no-fast
+++ /dev/null
@@ -1,32 +0,0 @@
-^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
-^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc
-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2003dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2000dc
-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2000dc
-^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2003dc
-^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2000dc
-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.ad_member_oneway -^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.ad_member_oneway -^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2000dc -^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2000dc -^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2003dc -^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2003dc diff --git a/third_party/heimdal/lib/krb5/fast.c b/third_party/heimdal/lib/krb5/fast.c index 617446c3634..83893542d69 100644 --- a/third_party/heimdal/lib/krb5/fast.c +++ b/third_party/heimdal/lib/krb5/fast.c @@ -413,8 +413,14 @@ _krb5_fast_create_armor(krb5_context context, } if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) { - if (state->armor_crypto) + if (state->armor_crypto) { krb5_crypto_destroy(context, state->armor_crypto); + state->armor_crypto = NULL; + } + if (state->strengthen_key) { + krb5_free_keyblock(context, state->strengthen_key); + state->strengthen_key = NULL; + } krb5_free_keyblock_contents(context, &state->armor_key); /* @@ -455,14 +461,15 @@ _krb5_fast_create_armor(krb5_context context, krb5_error_code _krb5_fast_wrap_req(krb5_context context, struct krb5_fast_state *state, - krb5_data *checksum_data, KDC_REQ *req) { PA_FX_FAST_REQUEST fxreq; krb5_error_code ret; KrbFastReq fastreq; - krb5_data data, aschecksum_data; + krb5_data data, aschecksum_data, tgschecksum_data; + const krb5_data *checksum_data = NULL; size_t size = 0; + krb5_boolean readd_padata_to_outer = FALSE; if (state->flags & KRB5_FAST_DISABLED) { _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping"); 
@@ -473,6 +480,7 @@ _krb5_fast_wrap_req(krb5_context context, memset(&fastreq, 0, sizeof(fastreq)); krb5_data_zero(&data); krb5_data_zero(&aschecksum_data); + krb5_data_zero(&tgschecksum_data); if (state->armor_crypto == NULL) return check_fast(context, state); @@ -511,8 +519,6 @@ _krb5_fast_wrap_req(krb5_context context, ALLOC(req->req_body.till, 1); *req->req_body.till = 0; - heim_assert(checksum_data == NULL, "checksum data not NULL"); - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, aschecksum_data.data, aschecksum_data.length, 
@@ -523,14 +529,63 @@ _krb5_fast_wrap_req(krb5_context context, heim_assert(aschecksum_data.length == size, "ASN.1 internal error"); checksum_data = &aschecksum_data; - } - if (req->padata) { - ret = copy_METHOD_DATA(req->padata, &fastreq.padata); - free_METHOD_DATA(req->padata); - if (ret) - goto out; + if (req->padata) { + ret = copy_METHOD_DATA(req->padata, &fastreq.padata); + free_METHOD_DATA(req->padata); + if (ret) + goto out; + } } else { + const PA_DATA *tgs_req_ptr = NULL; + int tgs_req_idx = 0; + size_t i; + + heim_assert(req->padata != NULL, "req->padata is NULL"); + + tgs_req_ptr = krb5_find_padata(req->padata->val, + req->padata->len, + KRB5_PADATA_TGS_REQ, + &tgs_req_idx); + heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found"); + heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first"); + + tgschecksum_data.data = tgs_req_ptr->padata_value.data; + tgschecksum_data.length = tgs_req_ptr->padata_value.length; + checksum_data = &tgschecksum_data; + + /* + * Now copy all remaining once to + * the fastreq.padata and clear + * them in the outer req first, + * and remember to readd them later. + */ + readd_padata_to_outer = TRUE; + + for (i = 1; i < req->padata->len; i++) { + PA_DATA *val = &req->padata->val[i]; + + ret = krb5_padata_add(context, + &fastreq.padata, + val->padata_type, + val->padata_value.data, + val->padata_value.length); + if (ret) { + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto out; + } + val->padata_value.data = NULL; + val->padata_value.length = 0; + } + + /* + * Only TGS-REQ remaining + */ + req->padata->len = 1; + } + + if (req->padata == NULL) { ALLOC(req->padata, 1); if (req->padata == NULL) { ret = krb5_enomem(context); 
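Review bot: The TGS branch enforces its precondition — req->padata non-NULL, KRB5_PADATA_TGS_REQ present and sitting at index 0 — with heim_assert, which aborts the process instead of returning an error, and nothing near the function's signature tells callers they must build padata in that order (get_cred.c's init_tgs_req is rearranged in this same commit to do so). Record the contract above _krb5_fast_wrap_req, e.g. `/* TGS: req->padata must be non-NULL, its first entry must be KRB5_PADATA_TGS_REQ (its value is the checksum input), and every later entry is moved into the KrbFastReq. */`. A one-line comment at `checksum_data = &tgschecksum_data;` should also say that this aliases val[0]'s value rather than owning it, so that entry must not be freed or truncated before the checksum is computed. The body of _krb5_fast_wrap_req continues past this hunk.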
@@ -586,6 +641,27 @@ _krb5_fast_wrap_req(krb5_context context, goto out; krb5_data_zero(&data); + if (readd_padata_to_outer) { + size_t i; + + for (i = 0; i < fastreq.padata.len; i++) { + PA_DATA *val = &fastreq.padata.val[i]; + + ret = krb5_padata_add(context, + req->padata, + val->padata_type, + val->padata_value.data, + val->padata_value.length); + if (ret) { + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto out; + } + val->padata_value.data = NULL; + val->padata_value.length = 0; + } + } + out: free_KrbFastReq(&fastreq); free_PA_FX_FAST_REQUEST(&fxreq); diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c index ec757797866..6e48846bcb3 100644 --- a/third_party/heimdal/lib/krb5/get_cred.c +++ b/third_party/heimdal/lib/krb5/get_cred.c @@ -239,20 +239,6 @@ init_tgs_req (krb5_context context, if (ret) goto fail; } - - if (padata) { - if (t->padata == NULL) { - ALLOC(t->padata, 1); - if (t->padata == NULL) { - ret = krb5_enomem(context); - goto fail; - } - } - - ret = copy_METHOD_DATA(padata, t->padata); - if (ret) - goto fail; - } ret = krb5_auth_con_init(context, &ac); if(ret) @@ -278,6 +264,20 @@ init_tgs_req (krb5_context context, if (ret) goto fail; + ret = make_pa_tgs_req(context, + &ac, + &t->req_body, + ccache, + krbtgt, + &tgs_req); + if(ret) + goto fail; + + /* + * Add KRB5_PADATA_TGS_REQ first + * followed by all others. + */ + if (t->padata == NULL) { ALLOC(t->padata, 1); if (t->padata == NULL) { 
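Review bot: The readd loop at the end of _krb5_fast_wrap_req repeats the move loop from the TGS branch earlier in the function (same krb5_padata_add, NULL-out and "malloc: out of memory" pattern) and, more importantly, changes what leaves the client: each inner padata is now also carried in the outer request, where it does not get the protection the KrbFastReq envelope gives it. That appears to be the intended fix for KDCs without FAST support, but the reason and the trade-off should be stated at the loop, e.g. `/* Duplicate the inner padata into the outer request so a KDC that ignores PA-FX-FAST still sees them; these copies are outside the FAST-protected envelope. */`. The two loops could share a small static helper that moves one METHOD_DATA's entries into another. The function begins outside this hunk.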
@@ -286,15 +286,40 @@ init_tgs_req (krb5_context context, } } - ret = make_pa_tgs_req(context, - &ac, - &t->req_body, - ccache, - krbtgt, - &tgs_req); - if(ret) + ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ, + tgs_req.data, tgs_req.length); + if (ret) goto fail; + krb5_data_zero(&tgs_req); + + { + size_t i; + for (i = 0; i < padata->len; i++) { + const PA_DATA *val1 = &padata->val[i]; + PA_DATA val2; + + ret = copy_PA_DATA(val1, &val2); + if (ret) { + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto fail; + } + + ret = krb5_padata_add(context, t->padata, + val2.padata_type, + val2.padata_value.data, + val2.padata_value.length); + if (ret) { + free_PA_DATA(&val2); + + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto fail; + } + } + } + if (state) { state->armor_ac = ac; ret = _krb5_fast_create_armor(context, state, NULL); @@ -302,7 +327,7 @@ init_tgs_req (krb5_context context, if (ret) goto fail; - ret = _krb5_fast_wrap_req(context, state, &tgs_req, t); + ret = _krb5_fast_wrap_req(context, state, t); if (ret) goto fail; @@ -310,13 +335,6 @@ init_tgs_req (krb5_context context, state->flags &= ~KRB5_FAST_EXPECTED; } - ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ, - tgs_req.data, tgs_req.length); - if (ret) - goto fail; - - krb5_data_zero(&tgs_req); - ret = krb5_auth_con_getlocalsubkey(context, ac, subkey); if (ret) goto fail; diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c index e42fcf10bc1..4173837779b 100644 --- a/third_party/heimdal/lib/krb5/init_creds_pw.c +++ b/third_party/heimdal/lib/krb5/init_creds_pw.c @@ -3394,7 +3394,6 @@ init_creds_step(krb5_context context, ret = _krb5_fast_wrap_req(context, &ctx->fast_state, - NULL, &req2); krb5_data_free(&checksum_data); |
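Review bot: The new copy loop dereferences `padata->len` unconditionally, whereas the code it replaces (removed in the -239 hunk above) was guarded by `if (padata)`; if any caller of init_tgs_req passes a NULL METHOD_DATA pointer — not visible here — this is now a NULL dereference. Either restore the guard, `if (padata) { size_t i; for (i = 0; i < padata->len; i++) { ... } }`, or document the non-NULL precondition on init_tgs_req's prototype. init_tgs_req begins and ends outside this hunk.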
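Review bot: `checksum_data` is still freed right after the call even though it is no longer passed to _krb5_fast_wrap_req; if init_creds_step computes it only for this call (its body is outside the hunk), both the computation and `krb5_data_free(&checksum_data);` are now dead and could go too. If something else in init_creds_step still consumes it, a short comment at the free naming that consumer would spare the next reader the same question.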