authorStefan Metzmacher <metze@samba.org>2022-01-19 13:15:45 +0100
committerJoseph Sutton <jsutton@samba.org>2022-01-19 21:41:59 +0000
commit7055827b8ffd3823c1240ba3f0b619dd6068cd51 (patch)
treeabb14aa7455bde7b1b33b706123c57ccfc28fcaa /third_party/heimdal/tests/plugin
parent1954e50f266256c9e153c9613f49f9d9f5dbf67b (diff)
downloadsamba-7055827b8ffd3823c1240ba3f0b619dd6068cd51.tar.gz
HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes via the lorikeet-heimdal repository. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Joseph Sutton <jsutton@samba.org> Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
Diffstat (limited to 'third_party/heimdal/tests/plugin')
-rw-r--r--third_party/heimdal/tests/plugin/Makefile.am48
-rw-r--r--third_party/heimdal/tests/plugin/NTMakefile35
-rw-r--r--third_party/heimdal/tests/plugin/check-pac.in174
-rw-r--r--third_party/heimdal/tests/plugin/krb5.conf.in37
-rw-r--r--third_party/heimdal/tests/plugin/windc.c161
5 files changed, 455 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/plugin/Makefile.am b/third_party/heimdal/tests/plugin/Makefile.am
new file mode 100644
index 00000000000..3fb1a2324b9
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/Makefile.am
@@ -0,0 +1,48 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+# for krb5_locl.h
+AM_CPPFLAGS += -I$(srcdir)/../../lib/krb5
+
+noinst_DATA = krb5.conf
+
+SCRIPT_TESTS = check-pac
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+
+do_subst = sed -e 's,[@]srcdir[@],$(srcdir),g' \
+ -e 's,[@]env_setup[@],$(top_builddir)/tests/bin/setup-env,g' \
+ -e 's,[@]port[@],$(port),g' \
+ -e 's,[@]objdir[@],$(top_builddir)/tests/plugin,g' \
+ -e 's,[@]EGREP[@],$(EGREP),g'
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+
+check-pac: check-pac.in Makefile
+ $(do_subst) < $(srcdir)/check-pac.in > check-pac.tmp
+ chmod +x check-pac.tmp
+ mv check-pac.tmp check-pac
+
+krb5.conf: krb5.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+ mv krb5.conf.tmp krb5.conf
+
+lib_LTLIBRARIES = windc.la
+
+windc_la_SOURCES = windc.c
+windc_la_LDFLAGS = -module
+
+CLEANFILES= \
+ $(TESTS) \
+ server.keytab \
+ current-db* \
+ foopassword \
+ krb5.conf krb5.conf.tmp \
+ messages.log
+
+EXTRA_DIST = \
+ NTMakefile \
+ check-pac.in \
+ krb5.conf.in
diff --git a/third_party/heimdal/tests/plugin/NTMakefile b/third_party/heimdal/tests/plugin/NTMakefile
new file mode 100644
index 00000000000..dc345c980b3
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=tests\plugin
+
+!include ../../windows/NTMakefile.w32
+
diff --git a/third_party/heimdal/tests/plugin/check-pac.in b/third_party/heimdal/tests/plugin/check-pac.in
new file mode 100644
index 00000000000..60ec21a31f3
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/check-pac.in
@@ -0,0 +1,174 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+env_setup="@env_setup@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+. ${env_setup}
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r ${R}"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+rodc_kvno="3058761729"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache ${afs_no_unlog}"
+test_apreq="${TESTS_ENVIRONMENT} ../../lib/krb5/test_ap-req"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1
+${kadmin} add -p bar --use-defaults ${server}@${R} || exit 1
+${kadmin} modify --kvno=$rodc_kvno "krbtgt/${R}@${R}" || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R2} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R2} || exit 1
+${kadmin} add -p bar --use-defaults bar@${R2} || exit 1
+${kadmin} ext -k ${keytab} bar@${R2} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+${kadmin} check ${R2} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo "Empty log"
+> messages.log
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Check that WINDC module was loaded "
+grep "windc init" messages.log >/dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client initial tickets"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server"; > messages.log
+${test_apreq} --verify-pac ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets (pac)"; > messages.log
+${kinit} --request-pac --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server (pac)"; > messages.log
+${test_apreq} --verify-pac ${server}@${R} ${keytab} ${cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets (no pac)"; > messages.log
+${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server (no pac)"; > messages.log
+${test_apreq} --verify-pac ${server}@${R} ${keytab} ${cache} 2> /dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+${test_apreq} ${server}@${R} ${keytab} ${cache} 2> /dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Check the --no-verify-pac option"; > messages.log
+${test_apreq} --no-verify-pac ${server}@${R} ${keytab} ${cache} 2> /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client initial tickets (no pac - realm config)"; > messages.log
+${kinit} --no-request-pac --password-file=${objdir}/foopassword foo@${R2} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "Getting tickets" ; > messages.log
+${kgetcred} bar@${R2} || { ec=1 ; eval "${testfailed}"; }
+echo "Verify PAC on server (no pac - realm config)"; > messages.log
+${test_apreq} --verify-pac bar@${R2} ${keytab} ${cache} 2> /dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+${test_apreq} bar@${R2} ${keytab} ${cache} 2> /dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+trap "" EXIT
+
+exit $ec
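Review bot: `kdcpid=`getpid kdc`` is never checked, so if `getpid` (sourced from setup-env, not visible here) finds nothing the EXIT trap runs a bare `kill` that fails and the detached kdc keeps listening on the test port after the script exits. A guard right after the assignment, `[ -n "$kdcpid" ] || { echo "could not find kdc pid"; exit 1; }`, turns that into a clean failure instead of a leaked process. Note that every negative case (`... 2> /dev/null && { ec=1 ...}`) only proves test_ap-req returned non-zero, not why, so a later regression that fails for an unrelated reason would still pass those checks; worth a one-line comment such as `# negative checks: any non-zero exit counts as "PAC rejected"` so nobody tightens them by accident. As this file now lives under third_party/heimdal, the change belongs in lorikeet-heimdal per the commit message.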
diff --git a/third_party/heimdal/tests/plugin/krb5.conf.in b/third_party/heimdal/tests/plugin/krb5.conf.in
new file mode 100644
index 00000000000..8ab2f17177c
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/krb5.conf.in
@@ -0,0 +1,37 @@
+# $Id$
+
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+
+ plugin_dir = @objdir@ @objdir@/.libs
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ disable_pac = true
+ }
+
+[kdc]
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/log.current-db.log
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+# default_keys = arcfour-hmac-md5:pw-salt
diff --git a/third_party/heimdal/tests/plugin/windc.c b/third_party/heimdal/tests/plugin/windc.c
new file mode 100644
index 00000000000..357148019ae
--- /dev/null
+++ b/third_party/heimdal/tests/plugin/windc.c
@@ -0,0 +1,161 @@
+#include <string.h>
+#include <krb5_locl.h>
+#include <hdb.h>
+#include <hx509.h>
+#include <kdc.h>
+#include <windc_plugin.h>
+
+static krb5_error_code KRB5_CALLCONV
+windc_init(krb5_context context, void **ctx)
+{
+ krb5_warnx(context, "windc init");
+ *ctx = NULL;
+ return 0;
+}
+
+static void KRB5_CALLCONV
+windc_fini(void *ctx)
+{
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_generate(void *ctx, krb5_context context,
+ struct hdb_entry_ex *client,
+ struct hdb_entry_ex *server,
+ const krb5_keyblock *pk_replykey,
+ uint64_t pac_attributes,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+
+ if ((pac_attributes & (KRB5_PAC_WAS_REQUESTED |
+ KRB5_PAC_WAS_GIVEN_IMPLICITLY)) == 0) {
+ *pac = NULL;
+ return 0;
+ }
+
+ krb5_warnx(context, "pac generate");
+
+ data.data = "\x00\x01";
+ data.length = 2;
+
+ ret = krb5_pac_init(context, pac);
+ if (ret)
+ return ret;
+
+ ret = krb5_pac_add_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+pac_verify(void *ctx, krb5_context context,
+ const krb5_principal new_ticket_client,
+ const krb5_principal delegation_proxy,
+ struct hdb_entry_ex * client,
+ struct hdb_entry_ex * server,
+ struct hdb_entry_ex * krbtgt,
+ krb5_pac *pac)
+{
+ krb5_error_code ret;
+ krb5_data data;
+ krb5_cksumtype cstype;
+ uint16_t rodc_id;
+ krb5_enctype etype;
+ Key *key;
+
+ krb5_warnx(context, "pac_verify");
+
+ ret = krb5_pac_get_buffer(context, *pac, 1, &data);
+ if (ret)
+ return ret;
+ krb5_data_free(&data);
+
+ ret = krb5_pac_get_kdc_checksum_info(context, *pac, &cstype, &rodc_id);
+ if (ret)
+ return ret;
+
+ if (rodc_id == 0 || rodc_id != krbtgt->entry.kvno >> 16) {
+ krb5_warnx(context, "Wrong RODCIdentifier");
+ return EINVAL;
+ }
+
+ ret = krb5_cksumtype_to_enctype(context, cstype, &etype);
+ if (ret)
+ return ret;
+
+ ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key);
+ if (ret)
+ return ret;
+
+ return krb5_pac_verify(context, *pac, 0, NULL, NULL, &key->key);
+}
+
+static void logit(const char *what, astgs_request_t r)
+{
+ krb5_warnx(r->context, "%s: client %s server %s",
+ what,
+ r->cname ? r->cname : "<unknown>",
+ r->sname ? r->sname : "<unknown>");
+}
+
+static krb5_error_code KRB5_CALLCONV
+client_access(void *ctx, astgs_request_t r)
+{
+ logit("client_access", r);
+ return 0;
+}
+
+static krb5_error_code KRB5_CALLCONV
+finalize_reply(void *ctx, astgs_request_t r)
+{
+ logit("finalize_reply", r);
+ return 0;
+}
+
+static krb5plugin_windc_ftable windc = {
+ KRB5_WINDC_PLUGING_MINOR,
+ windc_init,
+ windc_fini,
+ pac_generate,
+ pac_verify,
+ client_access,
+ finalize_reply
+};
+
+static const krb5plugin_windc_ftable *const windc_plugins[] = {
+ &windc
+};
+
+krb5_error_code KRB5_CALLCONV
+windc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_windc_ftable *const **plugins);
+
+static uintptr_t KRB5_CALLCONV
+windc_get_instance(const char *libname)
+{
+ if (strcmp(libname, "hdb") == 0)
+ return hdb_get_instance(libname);
+ else if (strcmp(libname, "krb5") == 0)
+ return krb5_get_instance(libname);
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+windc_plugin_load(krb5_context context,
+ krb5_get_instance_func_t *get_instance,
+ size_t *num_plugins,
+ const krb5plugin_windc_ftable *const **plugins)
+{
+ *get_instance = windc_get_instance;
+ *num_plugins = sizeof(windc_plugins) / sizeof(windc_plugins[0]);
+ *plugins = windc_plugins;
+
+ return 0;
+}
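Review bot: `pac_generate` leaks the PAC it just allocated when `krb5_pac_add_buffer` fails: the `if (ret) return ret;` that follows it returns with `*pac` still pointing at the live object from `krb5_pac_init`, and nothing in this file releases it; release it on that path, `if (ret) { krb5_pac_free(context, *pac); *pac = NULL; return ret; }`. In `pac_verify`, the `rodc_id != krbtgt->entry.kvno >> 16` comparison relies on the RODC identifier being carried in the upper 16 bits of the krbtgt kvno, which appears to be what check-pac.in's `modify --kvno=3058761729` sets up; a comment such as `/* RODC id is the upper 16 bits of the krbtgt kvno (see check-pac.in) */` would make that cross-file coupling visible. `pac_verify` also fetches buffer 1 and immediately frees it without looking at the contents, so it only checks that the buffer exists; if that is intended, say so with `/* presence check only; contents are not validated */`. Since this directory is now under third_party/heimdal, these changes should go upstream via lorikeet-heimdal as the commit message states.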