authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-03-01 14:17:54 +1300
committerJoseph Sutton <jsutton@samba.org>2022-03-01 22:34:34 +0000
commit51569b3152a952d07fddaa3a70d60c920618c704 (patch)
tree4e447f5d9eb04c7acadf3cff4547068fc79d2113 /third_party/heimdal/tests/plugin
parentfccf9859786dfb50b317ea2296c2494997f0ae09 (diff)
third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'third_party/heimdal/tests/plugin')
-rw-r--r--third_party/heimdal/tests/plugin/Makefile.am6
-rw-r--r--third_party/heimdal/tests/plugin/check-pac.in6
-rw-r--r--third_party/heimdal/tests/plugin/kdc_test_plugin.c207
-rw-r--r--third_party/heimdal/tests/plugin/krb5.conf.in15
-rw-r--r--third_party/heimdal/tests/plugin/windc.c161
5 files changed, 228 insertions, 167 deletions
diff --git a/third_party/heimdal/tests/plugin/Makefile.am b/third_party/heimdal/tests/plugin/Makefile.am
index 3fb1a2324b9..5dd43ccb04d 100644
--- a/third_party/heimdal/tests/plugin/Makefile.am
+++ b/third_party/heimdal/tests/plugin/Makefile.am
@@ -29,10 +29,10 @@ krb5.conf: krb5.conf.in Makefile
$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
mv krb5.conf.tmp krb5.conf
-lib_LTLIBRARIES = windc.la
+lib_LTLIBRARIES = kdc_test_plugin.la
-windc_la_SOURCES = windc.c
-windc_la_LDFLAGS = -module
+kdc_test_plugin_la_SOURCES = kdc_test_plugin.c
+kdc_test_plugin_la_LDFLAGS = -module
CLEANFILES= \
$(TESTS) \
diff --git a/third_party/heimdal/tests/plugin/check-pac.in b/third_party/heimdal/tests/plugin/check-pac.in
index 60ec21a31f3..85bf8cd9a98 100644
--- a/third_party/heimdal/tests/plugin/check-pac.in
+++ b/third_party/heimdal/tests/plugin/check-pac.in
@@ -108,15 +108,15 @@ echo "Empty log"
> messages.log
echo Starting kdc
-${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
ec=0
-echo "Check that WINDC module was loaded "
-grep "windc init" messages.log >/dev/null || \
+echo "Check that KDC plugin module was loaded "
+grep "kdc plugin init" messages.log >/dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo "Getting client initial tickets"; > messages.log
diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
new file mode 100644
index 00000000000..4fcf311fddf
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
@@ -0,0 +1,207 @@
+#include <string.h>
+#include <krb5_locl.h>
+#include <hdb.h>
+#include <hx509.h>
+#include <kdc.h>
+#include <kdc-plugin.h>
+
+static krb5_error_code KRB5_CALLCONV
+init(krb5_context context, void **ctx)
+{
+ krb5_warnx(context, "kdc plugin init");
+ *ctx = NULL;
+ return 0;
+}
+
+static void KRB5_CALLCONV
+fini(void *ctx)
+{
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_generate(void *ctx,
+ krb5_context context,
+ krb5_kdc_configuration *config,
+ hdb_entry *client,
+ hdb_entry *server,
+ const krb5_keyblock *pk_replykey,
+ uint64_t pac_attributes,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
+ KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
+ *pac = NULL;
+ return 0;
+ }
+
+ krb5_warnx(context, "pac generate");
+
+ data.data = "\x00\x01";
+ data.length = 2;
+
+ ret = krb5_pac_init(context, pac);
+ if (ret)
+ return ret;
+
+ ret = krb5_pac_add_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_verify(void *ctx,
+ krb5_context context,
+ krb5_kdc_configuration *config,
+ const krb5_principal new_ticket_client,
+ const krb5_principal delegation_proxy,
+ hdb_entry * client,
+ hdb_entry * server,
+ hdb_entry * krbtgt,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ krb5_cksumtype cstype;
+ uint16_t rodc_id;
+ krb5_enctype etype;
+ Key *key;
+
+ krb5_warnx(context, "pac_verify");
+
+ ret = krb5_pac_get_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+ krb5_data_free(&data);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
+ if (ret)
+ return ret;
+
+ if (rodc_id == 0 || rodc_id != krbtgt->kvno >> 16) {
+ krb5_warnx(context, "Wrong RODCIdentifier");
+ return EINVAL;
+ }
+
+ ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
+ if (ret)
+ return ret;
+
+ ret = hdb_enctype2key(context, krbtgt, NULL, etype, &key);
+ if (ret)
+ return ret;
+
+ return krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
+}
+
+static void logit(const char *what, astgs_request_t r)
+{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
+ const char *cname = kdc_request_get_cname((kdc_request_t)r);
+ const char *sname = kdc_request_get_sname((kdc_request_t)r);
+
+ krb5_warnx(context, "%s: client %s server %s",
+ what,
+ cname ? cname : "<unknown>",
+ sname ? sname : "<unknown>");
+}
+
+static krb5_error_code KRB5_CALLCONV
+client_access(void *ctx, astgs_request_t r)
+{
+ logit("client_access", r);
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+finalize_reply(void *ctx, astgs_request_t r)
+{
+ heim_number_t n;
+ krb5_error_code ret;
+
+ logit("finalize_reply", r);
+
+ n = heim_number_create(1234);
+ if (n == NULL)
+ return ENOMEM;
+
+ ret = kdc_request_set_attribute((kdc_request_t)r,
+ HSTR("org.h5l.tests.kdc-plugin"), n);
+ heim_release(n);
+
+ return ret;
+}
+
+static krb5_error_code KRB5_CALLCONV
+audit(void *ctx, astgs_request_t r)
+{
+ krb5_error_code ret = kdc_request_get_error_code((kdc_request_t)r);
+ heim_number_t n;
+
+ logit("audit", r);
+
+ if (ret)
+ return 0; /* finalize_reply only called in success */
+
+ n = kdc_request_get_attribute((kdc_request_t)r,
+ HSTR("org.h5l.tests.kdc-plugin"));
+
+ heim_assert(n && heim_number_get_int(n) == 1234,
+ "attribute not passed from finalize_reply");
+
+ if (n == NULL || heim_number_get_int(n) != 1234)
+ return EINVAL; /* return value is ignored, but for completeness */
+
+ return 0;
+}
+
+static krb5plugin_kdc_ftable kdc_plugin = {
+ KRB5_PLUGIN_KDC_VERSION_10,
+ init,
+ fini,
+ pac_generate,
+ pac_verify,
+ client_access,
+ NULL, /* referral_policy */
+ finalize_reply,
+ audit
+};
+
+static const krb5plugin_kdc_ftable *const kdc_plugins[] = {
+ &kdc_plugin
+};
+
+krb5_error_code KRB5_CALLCONV
+kdc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kdc_ftable *const **plugins);
+
+static uintptr_t KRB5_CALLCONV
+kdc_plugin_get_instance(const char *libname)
+{
+ if (strcmp(libname, "hdb") == 0)
+ return hdb_get_instance(libname);
+ else if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+kdc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_kdc_ftable *const **plugins)
+{
+ *get_instance = kdc_plugin_get_instance;
+ *num_plugins = sizeof(kdc_plugins) / sizeof(kdc_plugins[0]);
+ *plugins = kdc_plugins;
+
+ return 0;
+}
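Review bot: In `pac_generate`, a failure from `krb5_pac_add_buffer` returns with `*pac` still pointing at the PAC allocated by `krb5_pac_init`, so the object leaks unless the caller frees the out-parameter on error, which the hunk does not show. Releasing it on that path keeps the out-parameter contract unambiguous: `if (ret) { krb5_pac_free(context, *pac); *pac = NULL; return ret; }`. In `pac_verify`, the final `krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key)` passes no client principal and no server key, so only the krbtgt-key check appears to be exercised; a comment such as `/* test plugin: verifies the KDC checksum only, no client-name binding */` would stop this being read as a reference implementation.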
diff --git a/third_party/heimdal/tests/plugin/krb5.conf.in b/third_party/heimdal/tests/plugin/krb5.conf.in
index 8ab2f17177c..d188c314b36 100644
--- a/third_party/heimdal/tests/plugin/krb5.conf.in
+++ b/third_party/heimdal/tests/plugin/krb5.conf.in
@@ -19,6 +19,21 @@
}
[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
database = {
dbname = @objdir@/current-db
realm = TEST.H5L.SE
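Review bot: The added `[kdc]` settings enable legacy digest types (`chap-md5`, `ntlm-v1`), anonymous and synthetic clients and proxy certificates, while `pkinit_revoke` is left commented out, and nothing in the hunk marks them as test-only. A leading comment such as `# test fixture only: weak digests and anonymous access are enabled deliberately; do not copy into a production krb5.conf` would keep the template from being reused as a reference. Separately, `pkinit_mappings_file = @srcdir@/pki-mapping` points at a file that the diffstat for this directory does not add, so it is worth confirming that it already exists in tests/plugin.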
diff --git a/third_party/heimdal/tests/plugin/windc.c b/third_party/heimdal/tests/plugin/windc.c
deleted file mode 100644
index 357148019ae..00000000000
--- a/third_party/heimdal/tests/plugin/windc.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include <string.h>
-#include <krb5_locl.h>
-#include <hdb.h>
-#include <hx509.h>
-#include <kdc.h>
-#include <windc_plugin.h>
-
-static krb5_error_code KRB5_CALLCONV
-windc_init(krb5_context context, void **ctx)
-{
- krb5_warnx(context, "windc init");
- *ctx = NULL;
- return 0;
-}
-
-static void KRB5_CALLCONV
-windc_fini(void *ctx)
-{
-}
-
-static krb5_error_code KRB5_CALLCONV
-pac_generate(void *ctx, krb5_context context,
- struct hdb_entry_ex *client,
- struct hdb_entry_ex *server,
- const krb5_keyblock *pk_replykey,
- uint64_t pac_attributes,
- krb5_pac *pac)
-{
- krb5_error_code ret;
- krb5_data data;
-
- if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
- KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
- *pac = NULL;
- return 0;
- }
-
- krb5_warnx(context, "pac generate");
-
- data.data = "\x00\x01";
- data.length = 2;
-
- ret = krb5_pac_init(context, pac);
- if (ret)
- return ret;
-
- ret = krb5_pac_add_buffer(context, *pac, 1, &data);
- if (ret)
- return ret;
-
- return 0;
-}
-
-static krb5_error_code KRB5_CALLCONV
-pac_verify(void *ctx, krb5_context context,
- const krb5_principal new_ticket_client,
- const krb5_principal delegation_proxy,
- struct hdb_entry_ex * client,
- struct hdb_entry_ex * server,
- struct hdb_entry_ex * krbtgt,
- krb5_pac *pac)
-{
- krb5_error_code ret;
- krb5_data data;
- krb5_cksumtype cstype;
- uint16_t rodc_id;
- krb5_enctype etype;
- Key *key;
-
- krb5_warnx(context, "pac_verify");
-
- ret = krb5_pac_get_buffer(context, *pac, 1, &data);
- if (ret)
- return ret;
- krb5_data_free(&data);
-
- ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
- if (ret)
- return ret;
-
- if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) {
- krb5_warnx(context, "Wrong RODCIdentifier");
- return EINVAL;
- }
-
- ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
- if (ret)
- return ret;
-
- ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
- if (ret)
- return ret;
-
- return krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
-}
-
-static void logit(const char *what, astgs_request_t r)
-{
- krb5_warnx(r->context, "%s: client %s server %s",
- what,
- r->cname ? r->cname : "<unknown>",
- r->sname ? r->sname : "<unknown>");
-}
-
-static krb5_error_code KRB5_CALLCONV
-client_access(void *ctx, astgs_request_t r)
-{
- logit("client_access", r);
- return 0;
-}
-
-static krb5_error_code KRB5_CALLCONV
-finalize_reply(void *ctx, astgs_request_t r)
-{
- logit("finalize_reply", r);
- return 0;
-}
-
-static krb5plugin_windc_ftable windc = {
- KRB5_WINDC_PLUGING_MINOR,
- windc_init,
- windc_fini,
- pac_generate,
- pac_verify,
- client_access,
- finalize_reply
-};
-
-static const krb5plugin_windc_ftable *const windc_plugins[] = {
- &windc
-};
-
-krb5_error_code KRB5_CALLCONV
-windc_plugin_load(krb5_context context,
- krb5_get_instance_func_t *get_instance,
- size_t *num_plugins,
- const krb5plugin_windc_ftable *const **plugins);
-
-static uintptr_t KRB5_CALLCONV
-windc_get_instance(const char *libname)
-{
- if (strcmp(libname, "hdb") == 0)
- return hdb_get_instance(libname);
- else if (strcmp(libname, "krb5") == 0)
- return krb5_get_instance(libname);
-
- return 0;
-}
-
-krb5_error_code KRB5_CALLCONV
-windc_plugin_load(krb5_context context,
- krb5_get_instance_func_t *get_instance,
- size_t *num_plugins,
- const krb5plugin_windc_ftable *const **plugins)
-{
- *get_instance = windc_get_instance;
- *num_plugins = sizeof(windc_plugins) / sizeof(windc_plugins[0]);
- *plugins = windc_plugins;
-
- return 0;
-}