authorStefan Metzmacher <metze@samba.org>2022-03-10 17:49:52 +0100
committerStefan Metzmacher <metze@samba.org>2022-03-11 18:06:47 +0000
commit9b48e7f7eda5e368c1192d562c268885c1f68d8b (patch)
treeb2ae24952a7698359464cae33548d0dbf3c0dc1f /third_party
parentf1a71e24864367a55a30813dd642e7ef392b5ac9 (diff)
downloadsamba-9b48e7f7eda5e368c1192d562c268885c1f68d8b.tar.gz
third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)
This fixes the regressions against KDCs without FAST support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184
Diffstat (limited to 'third_party')
-rw-r--r--third_party/heimdal/lib/krb5/fast.c98
-rw-r--r--third_party/heimdal/lib/krb5/get_cred.c76
-rw-r--r--third_party/heimdal/lib/krb5/init_creds_pw.c1
3 files changed, 134 insertions, 41 deletions
diff --git a/third_party/heimdal/lib/krb5/fast.c b/third_party/heimdal/lib/krb5/fast.c
index 617446c3634..83893542d69 100644
--- a/third_party/heimdal/lib/krb5/fast.c
+++ b/third_party/heimdal/lib/krb5/fast.c
@@ -413,8 +413,14 @@ _krb5_fast_create_armor(krb5_context context,
}
if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) {
- if (state->armor_crypto)
+ if (state->armor_crypto) {
krb5_crypto_destroy(context, state->armor_crypto);
+ state->armor_crypto = NULL;
+ }
+ if (state->strengthen_key) {
+ krb5_free_keyblock(context, state->strengthen_key);
+ state->strengthen_key = NULL;
+ }
krb5_free_keyblock_contents(context, &state->armor_key);
/*
@@ -455,14 +461,15 @@ _krb5_fast_create_armor(krb5_context context,
krb5_error_code
_krb5_fast_wrap_req(krb5_context context,
struct krb5_fast_state *state,
- krb5_data *checksum_data,
KDC_REQ *req)
{
PA_FX_FAST_REQUEST fxreq;
krb5_error_code ret;
KrbFastReq fastreq;
- krb5_data data, aschecksum_data;
+ krb5_data data, aschecksum_data, tgschecksum_data;
+ const krb5_data *checksum_data = NULL;
size_t size = 0;
+ krb5_boolean readd_padata_to_outer = FALSE;
if (state->flags & KRB5_FAST_DISABLED) {
_krb5_debug(context, 10, "fast disabled, not doing any fast wrapping");
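Review bot: The new local `const krb5_data *checksum_data = NULL;` ends up pointing at two objects with different ownership, and nothing at the declaration says so: in the AS case it points at `aschecksum_data`, which ASN1_MALLOC_ENCODE allocates, while in the TGS case it points at `tgschecksum_data`, whose `data` is borrowed from `req->padata->val[0]` without a copy (see the hunk at -523). A comment on the declaration would prevent a later maintainer from freeing through it, e.g. `/* Borrowed view: points at aschecksum_data (owned by this function) or tgschecksum_data (aliases req->padata->val[0]); never freed via this pointer. */`. Whether `aschecksum_data` is released at `out:` is not visible in this chunk, so the comment should match what the cleanup actually does. The function body continues beyond this hunk.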
@@ -473,6 +480,7 @@ _krb5_fast_wrap_req(krb5_context context,
memset(&fastreq, 0, sizeof(fastreq));
krb5_data_zero(&data);
krb5_data_zero(&aschecksum_data);
+ krb5_data_zero(&tgschecksum_data);
if (state->armor_crypto == NULL)
return check_fast(context, state);
@@ -511,8 +519,6 @@ _krb5_fast_wrap_req(krb5_context context,
ALLOC(req->req_body.till, 1);
*req->req_body.till = 0;
- heim_assert(checksum_data == NULL, "checksum data not NULL");
-
ASN1_MALLOC_ENCODE(KDC_REQ_BODY,
aschecksum_data.data,
aschecksum_data.length,
@@ -523,14 +529,63 @@ _krb5_fast_wrap_req(krb5_context context,
heim_assert(aschecksum_data.length == size, "ASN.1 internal error");
checksum_data = &aschecksum_data;
- }
- if (req->padata) {
- ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
- free_METHOD_DATA(req->padata);
- if (ret)
- goto out;
+ if (req->padata) {
+ ret = copy_METHOD_DATA(req->padata, &fastreq.padata);
+ free_METHOD_DATA(req->padata);
+ if (ret)
+ goto out;
+ }
} else {
+ const PA_DATA *tgs_req_ptr = NULL;
+ int tgs_req_idx = 0;
+ size_t i;
+
+ heim_assert(req->padata != NULL, "req->padata is NULL");
+
+ tgs_req_ptr = krb5_find_padata(req->padata->val,
+ req->padata->len,
+ KRB5_PADATA_TGS_REQ,
+ &tgs_req_idx);
+ heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found");
+ heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first");
+
+ tgschecksum_data.data = tgs_req_ptr->padata_value.data;
+ tgschecksum_data.length = tgs_req_ptr->padata_value.length;
+ checksum_data = &tgschecksum_data;
+
+ /*
+ * Now copy all remaining once to
+ * the fastreq.padata and clear
+ * them in the outer req first,
+ * and remember to readd them later.
+ */
+ readd_padata_to_outer = TRUE;
+
+ for (i = 1; i < req->padata->len; i++) {
+ PA_DATA *val = &req->padata->val[i];
+
+ ret = krb5_padata_add(context,
+ &fastreq.padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+
+ /*
+ * Only TGS-REQ remaining
+ */
+ req->padata->len = 1;
+ }
+
+ if (req->padata == NULL) {
ALLOC(req->padata, 1);
if (req->padata == NULL) {
ret = krb5_enomem(context);
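Review bot: The two `heim_assert` calls after `krb5_find_padata` turn a cross-file ordering contract into a process abort: this branch now requires that KRB5_PADATA_TGS_REQ is the first element of `req->padata`, which `init_tgs_req` in get_cred.c arranges in this same commit, but fast.c gives no hint of that dependency. Add a comment above the lookup, e.g. `/* init_tgs_req() adds KRB5_PADATA_TGS_REQ first; its value is the FAST checksum input and is the only padata left in the outer request until the armored copy has been built. */`, and consider returning an error rather than asserting if any caller other than `init_tgs_req` can reach `_krb5_fast_wrap_req` with a TGS-REQ. The move loop also relies on `krb5_padata_add` taking ownership of `padata_value.data` on success and leaving it with the caller on failure (the `val->padata_value.data = NULL` lines only run after success), which is worth stating in a one-line comment because the same pattern is repeated in the hunk at -586. The enclosing function starts before this hunk and continues after it.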
@@ -586,6 +641,27 @@ _krb5_fast_wrap_req(krb5_context context,
goto out;
krb5_data_zero(&data);
+ if (readd_padata_to_outer) {
+ size_t i;
+
+ for (i = 0; i < fastreq.padata.len; i++) {
+ PA_DATA *val = &fastreq.padata.val[i];
+
+ ret = krb5_padata_add(context,
+ req->padata,
+ val->padata_type,
+ val->padata_value.data,
+ val->padata_value.length);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto out;
+ }
+ val->padata_value.data = NULL;
+ val->padata_value.length = 0;
+ }
+ }
+
out:
free_KrbFastReq(&fastreq);
free_PA_FX_FAST_REQUEST(&fxreq);
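Review bot: The `readd_padata_to_outer` loop moves the inner padata back into `req->padata` without a comment explaining why the same pre-authentication data is now carried both inside the armored `fastreq` and in the clear outer request. The commit message indicates this is what keeps KDCs without FAST support working, but the trade-off (a FAST-aware KDC sees both copies and the outer copy is not protected by the armor) is not visible in the code; add something like `/* Re-add the TGS padata to the outer request so a KDC without FAST support still sees them; a FAST-aware KDC uses the armored copy in PA-FX-FAST. */`. Whether the PA-FX-FAST element has already been appended to `req->padata` at this point is outside the hunk, so the comment should be checked against the code between the two hunks. The function body starts before this hunk.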
diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c
index ec757797866..6e48846bcb3 100644
--- a/third_party/heimdal/lib/krb5/get_cred.c
+++ b/third_party/heimdal/lib/krb5/get_cred.c
@@ -239,20 +239,6 @@ init_tgs_req (krb5_context context,
if (ret)
goto fail;
}
-
- if (padata) {
- if (t->padata == NULL) {
- ALLOC(t->padata, 1);
- if (t->padata == NULL) {
- ret = krb5_enomem(context);
- goto fail;
- }
- }
-
- ret = copy_METHOD_DATA(padata, t->padata);
- if (ret)
- goto fail;
- }
ret = krb5_auth_con_init(context, &ac);
if(ret)
@@ -278,6 +264,20 @@ init_tgs_req (krb5_context context,
if (ret)
goto fail;
+ ret = make_pa_tgs_req(context,
+ &ac,
+ &t->req_body,
+ ccache,
+ krbtgt,
+ &tgs_req);
+ if(ret)
+ goto fail;
+
+ /*
+ * Add KRB5_PADATA_TGS_REQ first
+ * followed by all others.
+ */
+
if (t->padata == NULL) {
ALLOC(t->padata, 1);
if (t->padata == NULL) {
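Review bot: The comment `Add KRB5_PADATA_TGS_REQ first followed by all others.` states the rule but not the reason, and the reason lives in another file: `_krb5_fast_wrap_req` in fast.c now asserts that KRB5_PADATA_TGS_REQ is at index 0 of `t->padata` and uses its value as the FAST checksum input, so reordering here would abort the process. Extend the comment to say so, e.g. `/* Add KRB5_PADATA_TGS_REQ first, followed by all others: _krb5_fast_wrap_req() asserts it is at index 0 and checksums its value. */`. The moved `if(ret)` after `make_pa_tgs_req` also lacks the space used by the surrounding `if (ret)` checks. The enclosing function starts before this hunk and continues after it.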
@@ -286,15 +286,40 @@ init_tgs_req (krb5_context context,
}
}
- ret = make_pa_tgs_req(context,
- &ac,
- &t->req_body,
- ccache,
- krbtgt,
- &tgs_req);
- if(ret)
+ ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ,
+ tgs_req.data, tgs_req.length);
+ if (ret)
goto fail;
+ krb5_data_zero(&tgs_req);
+
+ {
+ size_t i;
+ for (i = 0; i < padata->len; i++) {
+ const PA_DATA *val1 = &padata->val[i];
+ PA_DATA val2;
+
+ ret = copy_PA_DATA(val1, &val2);
+ if (ret) {
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto fail;
+ }
+
+ ret = krb5_padata_add(context, t->padata,
+ val2.padata_type,
+ val2.padata_value.data,
+ val2.padata_value.length);
+ if (ret) {
+ free_PA_DATA(&val2);
+
+ krb5_set_error_message(context, ret,
+ N_("malloc: out of memory", ""));
+ goto fail;
+ }
+ }
+ }
+
if (state) {
state->armor_ac = ac;
ret = _krb5_fast_create_armor(context, state, NULL);
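Review bot: The new loop `for (i = 0; i < padata->len; i++)` dereferences `padata` unconditionally, whereas the block this commit removes in the hunk at -239 guarded the same copy with `if (padata)`, so a caller that previously could pass a NULL METHOD_DATA now crashes in `init_tgs_req`. Unless every caller in get_cred.c is known to pass a non-NULL `padata`, keep the guard, e.g. `for (i = 0; padata != NULL && i < padata->len; i++) {`. The copy-then-add sequence also relies on `krb5_padata_add` taking ownership of `val2.padata_value.data` on success; the `free_PA_DATA(&val2)` on the failure path makes that assumption explicit, and a short comment above `copy_PA_DATA` would make it readable. The enclosing function continues outside this hunk.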
@@ -302,7 +327,7 @@ init_tgs_req (krb5_context context,
if (ret)
goto fail;
- ret = _krb5_fast_wrap_req(context, state, &tgs_req, t);
+ ret = _krb5_fast_wrap_req(context, state, t);
if (ret)
goto fail;
@@ -310,13 +335,6 @@ init_tgs_req (krb5_context context,
state->flags &= ~KRB5_FAST_EXPECTED;
}
- ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ,
- tgs_req.data, tgs_req.length);
- if (ret)
- goto fail;
-
- krb5_data_zero(&tgs_req);
-
ret = krb5_auth_con_getlocalsubkey(context, ac, subkey);
if (ret)
goto fail;
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c
index e42fcf10bc1..4173837779b 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
@@ -3394,7 +3394,6 @@ init_creds_step(krb5_context context,
ret = _krb5_fast_wrap_req(context,
&ctx->fast_state,
- NULL,
&req2);
krb5_data_free(&checksum_data);