author | Stefan Metzmacher <metze@samba.org> | 2022-03-10 16:12:43 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-03-11 17:10:29 +0000 |
commit | 67bdc922f9836779f1b37805575c5c4eea9ba3e6 (patch) | |
tree | 7e282e54cf272c0969f4a474b60d73a77f74fb7e /third_party | |
parent | b7bc1f6dddc1c5fee8a39422823f167db1f24bb2 (diff) | |
download | samba-67bdc922f9836779f1b37805575c5c4eea9ba3e6.tar.gz |
third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/heimdal/.github/workflows/coverity.yml | 68 | ||||
-rw-r--r-- | third_party/heimdal/.github/workflows/linux.yml | 146 | ||||
-rw-r--r-- | third_party/heimdal/.github/workflows/osx.yml | 122 | ||||
-rw-r--r-- | third_party/heimdal/.github/workflows/scanbuild.yml | 67 | ||||
-rw-r--r-- | third_party/heimdal/.github/workflows/valgrind.yml | 71 | ||||
-rw-r--r-- | third_party/heimdal/.github/workflows/windows.yml | 92 | ||||
-rw-r--r-- | third_party/heimdal/kdc/default_config.c | 9 | ||||
-rw-r--r-- | third_party/heimdal/kdc/fast.c | 3 | ||||
-rw-r--r-- | third_party/heimdal/kdc/kdc.h | 1 | ||||
-rw-r--r-- | third_party/heimdal/kdc/krb5tgs.c | 3 | ||||
-rw-r--r-- | third_party/heimdal/lib/krb5/krb5.conf.5 | 2 | ||||
-rw-r--r-- | third_party/heimdal/lib/krb5/pac.c | 12 | ||||
-rw-r--r-- | third_party/heimdal/tests/gss/check-context.in | 4 |
13 files changed, 590 insertions, 10 deletions
diff --git a/third_party/heimdal/.github/workflows/coverity.yml b/third_party/heimdal/.github/workflows/coverity.yml new file mode 100644 index 00000000000..5a175f52a8c --- /dev/null +++ b/third_party/heimdal/.github/workflows/coverity.yml 
@@ -0,0 +1,68 @@ +name: Linux Coverity Build + +on: + push: + # Pushes to this branch get the scan-build treatment + branches: + - 'coverity*' + +jobs: + linux: + if: secrets.COVERITY_SCAN_TOKEN != '' + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Download Coverity Build Tool + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + run: | + wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=ruby" -O cov-analysis-linux64.tar.gz + mkdir cov-analysis-linux64 + tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + ulimit -c unlimited + # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW + (cd lib/libedit && make -j4) + (cd lib/sqlite && make -j4) + export PATH=`pwd`/cov-analysis-linux64/bin:$PATH + cov-build --dir cov-int make -j4 + - 
name: Submit the result to Coverity Scan + env: + TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} + EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} + PROJECT: ${{ secrets.COVERITY_SCAN_PROJECT }} + run: | + tar czvf heimdal.tgz cov-int + curl \ + --form project=ruby \ + --form token=$TOKEN \ + --form email=$EMAIL \ + --form file=@heimdal.tgz \ + --form version=trunk \ + --form description="`./ruby -v`" "https://scan.coverity.com/builds?project=$PROJECT" diff --git a/third_party/heimdal/.github/workflows/linux.yml b/third_party/heimdal/.github/workflows/linux.yml new file mode 100644 index 00000000000..48e4c80dc3c --- /dev/null +++ b/third_party/heimdal/.github/workflows/linux.yml 
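Review bot: The Coverity download and submit steps still carry another project's values: the download posts `project=ruby`, the upload sends `--form project=ruby`, and the description is taken from running `./ruby -v`, while the submit URL uses `$PROJECT`. Use the secret-backed name consistently, e.g. `--form project="$PROJECT"`, and build the description from something this tree produces. `$TOKEN` and `$EMAIL` are expanded unquoted on the curl command line; `--form token="$TOKEN"` and `--form email="$EMAIL"` avoid word splitting. Because this job reads `secrets.COVERITY_SCAN_TOKEN`, `actions/checkout@v1` would be better pinned to a full commit SHA than to a mutable tag.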
@@ -0,0 +1,146 @@ +name: Linux Build + +on: + push: + branches: + - 'master' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/linux.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/linux.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang, linux-gcc] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + cflags: '' + - name: linux-gcc + os: ubuntu-18.04 + compiler: gcc + cflags: '-Wnonnull' + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex doxygen + sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl + sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl + sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python + sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils + sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS 
--prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + make check + - name: Make Install + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build || true + make DESTDIR=/tmp/h5l install + cd /tmp/h5l + tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz . + - name: Core dump stacks + run: | + echo "thread apply all bt" > /tmp/x + find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done + if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi + - name: Test logs + run: | + find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from - + find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Make Dist + run: | + cd build + make dist + make distclean + if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then + echo "Files not removed by make distclean:" + git ls-files -o|grep -v ^build/ + fi + - name: Upload Install Tarball + uses: actions/upload-artifact@v2 + with: + name: Install Tarball + path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz' + - name: Upload Dist Tarball + uses: actions/upload-artifact@v2 + with: + name: Dist Tarball + path: 'build/heimdal-*.tar.gz' + - name: Upload Logs Tarball + uses: actions/upload-artifact@v2 + with: + name: Test Logs + path: '~/logs-linux-${{ matrix.compiler }}.tgz' 
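Review bot: In the "Core dump stacks" step the gdb command file is written to `/tmp/x` but read back with `-x x`, a path relative to the workspace, so the `thread apply all bt` commands are probably never loaded; use `gdb -batch -x /tmp/x`. The Build step also expands `$CONFIGURE_OPTS`, although its `env:` block sets only `CC` and `MAKEVARS`; the other workflows in this commit map it from `matrix.configureopts`. Either add `CONFIGURE_OPTS: ${{ matrix.configureopts }}` or drop the variable from the configure line.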
diff --git a/third_party/heimdal/.github/workflows/osx.yml b/third_party/heimdal/.github/workflows/osx.yml new file mode 100644 index 00000000000..342f850f1c7 --- /dev/null +++ b/third_party/heimdal/.github/workflows/osx.yml 
@@ -0,0 +1,122 @@ +name: OS X Build + +on: + push: + branches: + - 'master' + - 'osx-build' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/osx.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.am' + - '**.m4' + - '**.ac' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/osx.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + osx: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [osx-clang] + include: + - name: osx-clang + os: macos-latest + compiler: clang + steps: + - name: Install packages + run: | + echo "bison, flex, ncurses, texinfo, and unzip are in the base OS." + echo "berkeley-db, perl, python, curl, and jq are installed in the" + echo "base image already." 
+ brew install autoconf automake libtool cpanm + sudo cpanm install JSON + - name: Clone repository + uses: actions/checkout@v1 + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3" + ulimit -c unlimited + make -j4 + #- name: Setup upterm session + # uses: lhotari/action-upterm@v1 + # with: + # limit-access-to-actor: true + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + set -vx + sudo lsof -nP -i:49188 || true + cd build + make check + - name: Install + run: | + cd build || true + make DESTDIR=/tmp/h5l install + cd /tmp/h5l + tar czf $HOME/heimdal-install-osx.tgz . + - name: Test logs + run: | + find build -depth -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/' | cpio -o > $HOME/logs-osx.cpio + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: Upload Install Tarball + uses: actions/upload-artifact@v2 + with: + name: Install Tarball + path: '~/heimdal-install-osx.tgz' + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Upload Test Logs + path: '~/logs-osx.cpio' diff --git a/third_party/heimdal/.github/workflows/scanbuild.yml b/third_party/heimdal/.github/workflows/scanbuild.yml new file mode 100644 index 00000000000..678ccfd8046 --- /dev/null +++ b/third_party/heimdal/.github/workflows/scanbuild.yml 
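Review bot: The configure line in the Build step passes `CFLAGS=` twice, first with the `-Wno-error=...` list and then with `-O0 -g -ggdb3`. The later assignment presumably replaces the earlier one, which would drop the warning relaxations the other workflows rely on. Merge them into a single assignment that starts `CFLAGS="-O0 -g -ggdb3 -Wno-error=shadow ..."`. In the Install packages step, `sudo cpanm install JSON` most likely treats `install` as a module name as well; `sudo cpanm JSON` is the usual form.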
@@ -0,0 +1,67 @@ +name: Linux Static Analyzer Build + +on: + push: + # Pushes to this branch get the scan-build treatment + branches: + - 'scan-build*' + + pull_request: + # Changing this build gets it to run + paths: + - '.github/workflows/scanbuild.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + ulimit -c unlimited + # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW + (cd lib/libedit && make -j4) + (cd lib/sqlite && make -j4) + scan-build --keep-going make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + scan-build --keep-going make check + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat + - name: 
Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Scan-Build Reports + path: '/tmp/scan-build*/' diff --git a/third_party/heimdal/.github/workflows/valgrind.yml b/third_party/heimdal/.github/workflows/valgrind.yml new file mode 100644 index 00000000000..ab5e9091661 --- /dev/null +++ b/third_party/heimdal/.github/workflows/valgrind.yml 
@@ -0,0 +1,71 @@ +name: Linux Valgrind Tests Build + +on: + push: + # Pushes to the valgrind branch get the valgrind treatment + branches: + - 'valgrind*' + + pull_request: + # Changing this build also gets it to run + paths: + - '.github/workflows/valgrind.yml' + +jobs: + unix: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + name: [linux-clang] + include: + - name: linux-clang + os: ubuntu-18.04 + compiler: clang + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Install packages + if: startsWith(matrix.os, 'ubuntu') + run: | + sudo apt-get update -qq + sudo apt-get install -y bison comerr-dev flex libcap-ng-dev lmdb-utils liblmdb-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev jq valgrind + # Temporary workaround for: + # https://github.com/actions/virtual-environments/issues/3185 + sudo hostname localhost + - name: Build + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + CONFIGURE_OPTS: ${{ matrix.configureopts }} + CHECK_TESTER_NO_VALGRIND: 'no-valgrind' + run: | + /bin/sh ./autogen.sh + mkdir build + cd build + ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" + make -j4 + - name: Test + env: + CC: ${{ matrix.compiler }} + MAKEVARS: ${{ matrix.makevars }} + run: | + cd build + ulimit -c unlimited + make check-valgrind + - name: Valgrind output + run: | + find . 
-name \*.log -print0|xargs -0 grep '^==[0-9]*== ' || true + - name: Test logs + run: | + find build -depth -name \*.log | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-valgrind.tgz --verbatim-files-from --files-from - + find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Failed Test logs + if: ${{ failure() }} + run: | + find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Test Logs + path: '~/logs-linux-valgrind.tgz' diff --git a/third_party/heimdal/.github/workflows/windows.yml b/third_party/heimdal/.github/workflows/windows.yml new file mode 100644 index 00000000000..f1c187c397a --- /dev/null +++ b/third_party/heimdal/.github/workflows/windows.yml 
@@ -0,0 +1,92 @@ +name: Windows Build + +on: + push: + branches: + - 'master' + - 'heimdal-7-1-branch' + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**.w32' + - '**/NTMakefile*' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/windows.yml' + - '!appveyor.yml' + - '!.travis.yml' + + pull_request: + paths: + - '!docs/**' + - '!**.md' + - '!**.[1-9]' + - '**.[chly]' + - '**.hin' + - '**.in' + - '**.pl' + - '**.py' + - '**.asn1' + - '**.opt' + - '**.w32' + - '**/NTMakefile' + - '**/COPYING' + - '**/INSTALL' + - '**/README*' + - '.github/workflows/windows.yml' + - '!appveyor.yml' + - '!.travis.yml' + +jobs: + windows: + runs-on: windows-latest + env: + APPVER: '10.0' + CODESIGN_PKT: 0000000000000000 + INSTALL_DIR: C:\heimdal + WINSDKVER: '10.0.22000.0' + WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5' + steps: + - name: Clone repository + uses: actions/checkout@v1 + - name: Find MSVC and run vcvarsall.bat + uses: ilammy/msvc-dev-cmd@v1 + with: + arch: amd64 + - name: Build and Test + shell: cmd + run: | + set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin + set CODESIGN_PKT=0000000000000000 + set dbg__type=Debug + mkdir %INSTALL_DIR% + pacman --noconfirm -S zstd + pacman --noconfirm -S autoconf + pacman --noconfirm -S automake + pacman --noconfirm -S flex + pacman --noconfirm -S bison + pacman --noconfirm -S perl + pacman --noconfirm -S perl-JSON + set PATH=%PATH%;%wix%bin + title Heimdal Build %CPU% %dbg__type% + set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop" + set "PATH=%PATH%;C:/msys64/usr/bin" + set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin" + set "PATH=%PATH%;C:\Python310-x64" + echo PATH=%PATH% + nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo 
NO_INSTALLERS=1 + nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test + - name: Upload Artifacts + uses: actions/upload-artifact@v2 + with: + name: Objects + path: 'D:/a/heimdal/heimdal/out/' diff --git a/third_party/heimdal/kdc/default_config.c b/third_party/heimdal/kdc/default_config.c index 01f8f7b54a6..83c73504ce7 100644 --- a/third_party/heimdal/kdc/default_config.c +++ b/third_party/heimdal/kdc/default_config.c @@ -101,6 +101,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->strict_nametypes = FALSE; c->trpolicy = TRPOLICY_ALWAYS_CHECK; c->require_pac = FALSE; + c->enable_fast = TRUE; c->enable_armored_pa_enc_timestamp = TRUE; c->enable_unarmored_pa_enc_timestamp = TRUE; c->enable_pkinit = FALSE; @@ -262,6 +263,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) "require_pac", NULL); + c->enable_fast = + krb5_config_get_bool_default(context, + NULL, + c->enable_fast, + "kdc", + "enable_fast", + NULL); + c->enable_armored_pa_enc_timestamp = krb5_config_get_bool_default(context, NULL, diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index 043227892b5..392fc966050 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -755,6 +755,9 @@ _kdc_fast_unwrap_request(astgs_request_t r, const PA_DATA *pa; int i = 0; + if (!r->config->enable_fast) + return 0; + ret = fast_unwrap_request(r, tgs_ticket, tgs_ac); if (ret) return ret; diff --git a/third_party/heimdal/kdc/kdc.h b/third_party/heimdal/kdc/kdc.h index e3709ada6b0..31e54325452 100644 --- a/third_party/heimdal/kdc/kdc.h +++ b/third_party/heimdal/kdc/kdc.h @@ -106,6 +106,7 @@ struct krb5_kdc_service { unsigned int use_strongest_server_key : 1; \ \ unsigned int require_pac : 1; \ + unsigned int enable_fast : 1; \ unsigned int enable_armored_pa_enc_timestamp : 1 #ifndef __KDC_LOCL_H__ 
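Review bot: `ilammy/msvc-dev-cmd@v1` is a third-party action referenced by a mutable tag, and it runs ahead of the build step in the same job. Pin it to a full commit SHA, e.g. `uses: ilammy/msvc-dev-cmd@<full-commit-sha>`, and do the same for `actions/checkout@v1` and `actions/upload-artifact@v2`. The `cmd` step also appends `C:\cygwin\bin`, `C:\msys64\usr\bin` and the HTML Help Workshop directory to `PATH` more than once. Listing each directory once, in the intended resolution order, would make it clear which copy of a tool the build picks up.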
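Review bot: The early `return 0` in `_kdc_fast_unwrap_request` makes a KDC with `enable_fast` off carry on with the request without calling `fast_unwrap_request`, and nothing in the hunk documents or logs that choice. A comment above the check would record the intent, for example `/* FAST disabled by configuration: leave the request unwrapped and ignore any FAST padata */`. A debug-level log line would also let operators see that clients still send armored requests. The commit gates only this function and `validate_fast_ad` in krb5tgs.c; whether the code paths that advertise FAST to clients also honour the flag is not visible in this diff and is worth confirming. The function body continues outside the hunk.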
diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index 06889f47120..aab6806fbe1 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -902,6 +902,9 @@ validate_fast_ad(astgs_request_t r, krb5_authdata *auth_data) krb5_data_zero(&data); + if (!r->config->enable_fast) + return 0; + ret = _krb5_get_ad(r->context, auth_data, NULL, KRB5_AUTHDATA_FX_FAST_USED, &data); if (ret == 0) { diff --git a/third_party/heimdal/lib/krb5/krb5.conf.5 b/third_party/heimdal/lib/krb5/krb5.conf.5 index 1013a78d873..8a9623ecada 100644 --- a/third_party/heimdal/lib/krb5/krb5.conf.5 +++ b/third_party/heimdal/lib/krb5/krb5.conf.5 @@ -816,6 +816,8 @@ addresses in the tickets. .It Li allow-null-ticket-addresses = Va BOOL Allow address-less tickets. .\" XXX +.It Li enable_fast = Va BOOL +Enable RFC 6113 FAST support, this is enabled by default. .It Li enable_armored_pa_enc_timestamp = Va BOOL Enable armored encrypted timestamp pre-authentication with key strengthening. diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c index a12c00d7732..c8f355c8179 100644 --- a/third_party/heimdal/lib/krb5/pac.c +++ b/third_party/heimdal/lib/krb5/pac.c @@ -458,7 +458,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p, */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL -krb5_pac_get_buffer(krb5_context context, krb5_pac p, +krb5_pac_get_buffer(krb5_context context, krb5_const_pac p, uint32_t type, krb5_data *data) { krb5_error_code ret; @@ -508,7 +508,7 @@ static struct { */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL -_krb5_pac_get_buffer_by_name(krb5_context context, krb5_pac p, +_krb5_pac_get_buffer_by_name(krb5_context context, krb5_const_pac p, const krb5_data *name, krb5_data *data) { size_t i; 
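Review bot: With `enable_fast` off, `validate_fast_ad` now returns success before it looks up `KRB5_AUTHDATA_FX_FAST_USED`, so whatever validation is tied to that authorization-data element is skipped entirely. If a ticket carrying the element can still reach this KDC (one issued while FAST was enabled, or by another KDC of the realm), it is now accepted without the check that follows the new lines; what that check enforces lies outside the hunk. Please document the trade-off next to the test, e.g. `/* FAST disabled: FX_FAST_USED authdata is not enforced */`. The `enable_fast` entry in krb5.conf.5 should also say that disabling FAST turns this validation off. The function body continues outside the hunk.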
@@ -531,7 +531,7 @@ _krb5_pac_get_buffer_by_name(krb5_context context, krb5_pac p, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_pac_get_types(krb5_context context, - krb5_pac p, + krb5_const_pac p, size_t *len, uint32_t **types) { @@ -1573,7 +1573,7 @@ out: KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_pac_get_kdc_checksum_info(krb5_context context, - krb5_pac pac, + krb5_const_pac pac, krb5_cksumtype *cstype, uint16_t *rodc_id) { @@ -1628,7 +1628,7 @@ out: KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pac_get_canon_principal(krb5_context context, - krb5_pac pac, + krb5_const_pac pac, krb5_principal *canon_princ) { *canon_princ = NULL; @@ -1644,7 +1644,7 @@ _krb5_pac_get_canon_principal(krb5_context context, KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _krb5_pac_get_attributes_info(krb5_context context, - krb5_pac pac, + krb5_const_pac pac, uint64_t *pac_attributes) { *pac_attributes = 0; diff --git a/third_party/heimdal/tests/gss/check-context.in b/third_party/heimdal/tests/gss/check-context.in index 46c058d068b..2b866d2f724 100644 --- a/third_party/heimdal/tests/gss/check-context.in +++ b/third_party/heimdal/tests/gss/check-context.in @@ -159,14 +159,10 @@ mv ${keytabfile} ${keytabfile}.no echo "checking non existant keytabfile (krb5)" ; > messages.log ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \ { eval "$testfailed"; } -grep ${keytabfile} test_context.log > /dev/null || \ - { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; } echo "checking non existant keytabfile (spengo)" ; > messages.log ${context} --mech-type=spnego --mech-types=spnego,krb5 \ host@lucid.test.h5l.se > test_context.log 2>&1 && \ { eval "$testfailed"; } -grep ${keytabfile} test_context.log > /dev/null || \ - { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; } mv ${keytabfile}.no ${keytabfile} |