authorStefan Metzmacher <metze@samba.org>2022-03-03 19:17:06 +0100
committerAndrew Bartlett <abartlet@samba.org>2022-03-06 23:05:40 +0000
commitf33f73f82fb2d5d96928ce5910e2d0d939c2ff57 (patch)
tree347cc8296d773ada882400462080a170e3a27fd8 /third_party
parent95b1963339e27667eacbe4b99e2501c1aba54b38 (diff)
third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'third_party')
-rw-r--r--third_party/heimdal/kdc/fast.c20
-rw-r--r--third_party/heimdal/kdc/kdc-accessors.h20
-rw-r--r--third_party/heimdal/kdc/kdc-plugin.c28
-rw-r--r--third_party/heimdal/kdc/kdc-plugin.h6
-rw-r--r--third_party/heimdal/kdc/kdc_locl.h5
-rw-r--r--third_party/heimdal/kdc/kerberos5.c17
-rw-r--r--third_party/heimdal/kdc/krb5tgs.c25
-rw-r--r--third_party/heimdal/kdc/libkdc-exports.def3
-rw-r--r--third_party/heimdal/kdc/mssfu.c5
-rw-r--r--third_party/heimdal/kdc/version-script.map3
-rw-r--r--third_party/heimdal/lib/asn1/krb5.asn154
-rw-r--r--third_party/heimdal/lib/asn1/libasn1-exports.def25
-rw-r--r--third_party/heimdal/lib/krb5/krb5.h4
-rw-r--r--third_party/heimdal/lib/krb5/pac.c2
-rw-r--r--third_party/heimdal/lib/krb5/principal.c9
-rw-r--r--third_party/heimdal/tests/plugin/kdc_test_plugin.c8
16 files changed, 189 insertions, 45 deletions
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c
index 25cab3096b7..043227892b5 100644
--- a/third_party/heimdal/kdc/fast.c
+++ b/third_party/heimdal/kdc/fast.c
@@ -464,7 +464,6 @@ fast_unwrap_request(astgs_request_t r,
krb5_flags ap_req_options;
krb5_keyblock armorkey;
krb5_keyblock explicit_armorkey;
- krb5_boolean explicit_armor;
krb5_error_code ret;
krb5_ap_req ap_req;
KrbFastReq fastreq;
@@ -518,7 +517,7 @@ fast_unwrap_request(astgs_request_t r,
goto out;
}
- explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
+ r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
/*
*
@@ -625,11 +624,11 @@ fast_unwrap_request(astgs_request_t r,
ac->remote_subkey,
&ticket->ticket.key,
&armorkey,
- explicit_armor ? NULL : &r->armor_crypto);
+ r->explicit_armor_present ? NULL : &r->armor_crypto);
if (ret)
goto out;
- if (explicit_armor) {
+ if (r->explicit_armor_present) {
ret = _krb5_fast_explicit_armor_key(r->context,
&armorkey,
tgs_ac->remote_subkey,
@@ -869,7 +868,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
if (ret)
goto out;
- ret = _kdc_check_pac(r->context, r->config, armor_client_principal, NULL,
+ ret = _kdc_check_pac(r, armor_client_principal, NULL,
armor_client, r->armor_server,
r->armor_server, r->armor_server,
&r->armor_key->key, &r->armor_key->key,
@@ -887,6 +886,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
goto out;
}
+ if (r->explicit_armor_present) {
+ r->explicit_armor_clientdb = armor_db;
+ armor_db = NULL;
+
+ r->explicit_armor_client = armor_client;
+ armor_client = NULL;
+
+ r->explicit_armor_pac = mspac;
+ mspac = NULL;
+ }
+
out:
krb5_xfree(armor_client_principal_name);
if (armor_client)
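Review bot: The ownership hand-off in the new `if (r->explicit_armor_present)` block is undocumented: armor_db, armor_client and mspac are detached from the local cleanup and become request-owned, and the only matching release visible in this commit is the one added to _kdc_tgs_rep()'s cleanup in krb5tgs.c. A comment above the block would make that contract explicit, e.g. `/* Hand the armor client entry and its PAC to the request; _kdc_tgs_rep() releases them. */`. Because explicit_armor_present is only set when tgs_ac != NULL (earlier fast_unwrap_request hunk), the AS-REQ path presumably never reaches this block, which is worth confirming since _kdc_as_rep()'s cleanup was not extended here. The out: cleanup continues past the end of the hunk.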
diff --git a/third_party/heimdal/kdc/kdc-accessors.h b/third_party/heimdal/kdc/kdc-accessors.h
index 81c03d2f222..911b83d7576 100644
--- a/third_party/heimdal/kdc/kdc-accessors.h
+++ b/third_party/heimdal/kdc/kdc-accessors.h
@@ -346,4 +346,24 @@ ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes)
ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes)
+/*
+ * const HDB *
+ * kdc_request_get_explicit_armor_clientdb(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(HDB *, explicit_armor_clientdb)
+
+/*
+ * const hdb_entry *
+ * kdc_request_get_explicit_armor_client(astgs_request_t);
+ */
+ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, explicit_armor_client);
+
+/*
+ * krb5_const_pac
+ * kdc_request_get_explicit_armor_pac(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(struct krb5_pac_data *, explicit_armor_pac);
+
#endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */
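Review bot: The three new accessor invocations disagree about the trailing semicolon: the explicit_armor_clientdb line follows the file's existing form (no `;`, as on the pac_attributes lines above), while the explicit_armor_client and explicit_armor_pac lines end with `;`. If ASTGS_REQUEST_GET_ACCESSOR_PTR expands to a function definition, that `;` is a stray empty declaration at file scope that pedantic builds warn about, so drop it on both lines. The prototypes quoted in the comments (`const HDB *`, `const hdb_entry *`, `krb5_const_pac`) also do not literally match the types handed to the macro (`HDB *`, `hdb_entry *`, `struct krb5_pac_data *`); that is fine if the macro adds the qualifier, but one side should be adjusted so the comment is an accurate prototype. Since the returned PAC and entry stay owned by the request (released in _kdc_tgs_rep()), the comments should say that callers must not free them.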
diff --git a/third_party/heimdal/kdc/kdc-plugin.c b/third_party/heimdal/kdc/kdc-plugin.c
index 8759893a956..925c250597a 100644
--- a/third_party/heimdal/kdc/kdc-plugin.c
+++ b/third_party/heimdal/kdc/kdc-plugin.c
@@ -72,7 +72,7 @@ krb5_kdc_plugin_init(krb5_context context)
}
struct generate_uc {
- krb5_kdc_configuration *config;
+ astgs_request_t r;
hdb_entry *client;
hdb_entry *server;
const krb5_keyblock *reply_key;
@@ -90,8 +90,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
return KRB5_PLUGIN_NO_HANDLE;
return ft->pac_generate((void *)plug,
- context,
- uc->config,
+ uc->r,
uc->client,
uc->server,
uc->reply_key,
@@ -101,8 +100,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
krb5_error_code
-_kdc_pac_generate(krb5_context context,
- krb5_kdc_configuration *config,
+_kdc_pac_generate(astgs_request_t r,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *reply_key,
@@ -114,20 +112,20 @@ _kdc_pac_generate(krb5_context context,
*pac = NULL;
- if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
+ if (krb5_config_get_bool_default(r->context, NULL, FALSE, "realms",
client->principal->realm,
"disable_pac", NULL))
return 0;
if (have_plugin) {
- uc.config = config;
+ uc.r = r;
uc.client = client;
uc.server = server;
uc.reply_key = reply_key;
uc.pac = pac;
uc.pac_attributes = pac_attributes;
- ret = _krb5_plugin_run_f(context, &kdc_plugin_data,
+ ret = _krb5_plugin_run_f(r->context, &kdc_plugin_data,
0, &uc, generate);
if (ret != KRB5_PLUGIN_NO_HANDLE)
return ret;
@@ -135,13 +133,13 @@ _kdc_pac_generate(krb5_context context,
}
if (*pac == NULL)
- ret = krb5_pac_init(context, pac);
+ ret = krb5_pac_init(r->context, pac);
return ret;
}
struct verify_uc {
- krb5_kdc_configuration *config;
+ astgs_request_t r;
krb5_principal client_principal;
krb5_principal delegated_proxy_principal;
hdb_entry *client;
@@ -161,8 +159,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
return KRB5_PLUGIN_NO_HANDLE;
ret = ft->pac_verify((void *)plug,
- context,
- uc->config,
+ uc->r,
uc->client_principal,
uc->delegated_proxy_principal,
uc->client, uc->server, uc->krbtgt, uc->pac);
@@ -170,8 +167,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
}
krb5_error_code
-_kdc_pac_verify(krb5_context context,
- krb5_kdc_configuration *config,
+_kdc_pac_verify(astgs_request_t r,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry *client,
@@ -184,7 +180,7 @@ _kdc_pac_verify(krb5_context context,
if (!have_plugin)
return KRB5_PLUGIN_NO_HANDLE;
- uc.config = config;
+ uc.r = r;
uc.client_principal = client_principal;
uc.delegated_proxy_principal = delegated_proxy_principal;
uc.client = client;
@@ -192,7 +188,7 @@ _kdc_pac_verify(krb5_context context,
uc.krbtgt = krbtgt;
uc.pac = pac;
- return _krb5_plugin_run_f(context, &kdc_plugin_data,
+ return _krb5_plugin_run_f(r->context, &kdc_plugin_data,
0, &uc, verify);
}
diff --git a/third_party/heimdal/kdc/kdc-plugin.h b/third_party/heimdal/kdc/kdc-plugin.h
index efe8dd6abe0..9fc5946df17 100644
--- a/third_party/heimdal/kdc/kdc-plugin.h
+++ b/third_party/heimdal/kdc/kdc-plugin.h
@@ -48,8 +48,7 @@
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
- krb5_context, /* context */
- krb5_kdc_configuration *, /* configuration */
+ astgs_request_t,
hdb_entry *, /* client */
hdb_entry *, /* server */
const krb5_keyblock *, /* pk_replykey */
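Review bot: The new `astgs_request_t,` parameter is the only entry in the typedef without the trailing `/* ... */` annotation that every neighbouring parameter carries; `astgs_request_t, /* request */` keeps the list uniform, and the same applies to the krb5plugin_kdc_pac_verify typedef in the next hunk. Both changes alter the calling convention of the plugin entry points, so an out-of-tree plugin built against the previous layout would be invoked with mismatched arguments; nothing in these hunks shows the plugin table's version constant being bumped, which may be handled elsewhere but should be checked before this ABI ships.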
@@ -64,8 +63,7 @@ typedef krb5_error_code
typedef krb5_error_code
(KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
- krb5_context, /* context */
- krb5_kdc_configuration *, /* configuration */
+ astgs_request_t,
const krb5_principal, /* new ticket client */
const krb5_principal, /* delegation proxy */
hdb_entry *,/* client */
diff --git a/third_party/heimdal/kdc/kdc_locl.h b/third_party/heimdal/kdc/kdc_locl.h
index 8418a91a0a4..767d04f5c8c 100644
--- a/third_party/heimdal/kdc/kdc_locl.h
+++ b/third_party/heimdal/kdc/kdc_locl.h
@@ -167,6 +167,7 @@ struct astgs_request_desc {
/* only valid for tgs-req */
unsigned int rk_is_subkey : 1;
unsigned int fast_asserted : 1;
+ unsigned int explicit_armor_present : 1;
krb5_crypto armor_crypto;
hdb_entry *armor_server;
@@ -174,6 +175,10 @@ struct astgs_request_desc {
krb5_ticket *armor_ticket;
Key *armor_key;
+ hdb_entry *explicit_armor_client;
+ HDB *explicit_armor_clientdb;
+ krb5_pac explicit_armor_pac;
+
KDCFastState fast;
};
diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index b30d321f6f1..e95bdad0a64 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -280,6 +280,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
* enctype in its KDC-REQ-BODY's etype list, which is what
* `etypes' is here.
*/
+ enctype = p[i];
ret = 0;
break;
}
@@ -295,6 +296,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
*/
for (m = 0; m < princ->etypes->len; m++) {
if (p[i] == princ->etypes->val[m]) {
+ enctype = p[i];
ret = 0;
break;
}
@@ -1856,8 +1858,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
* Validate a PA mech was actually used before doing this.
*/
- ret = _kdc_pac_generate(r->context,
- r->config,
+ ret = _kdc_pac_generate(r,
r->client,
r->server,
r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
@@ -2744,12 +2745,19 @@ _kdc_as_rep(astgs_request_t r)
out:
r->error_code = ret;
- _kdc_audit_request(r);
+ {
+ krb5_error_code ret2 = _kdc_audit_request(r);
+ if (ret2) {
+ krb5_data_free(r->reply);
+ ret = ret2;
+ }
+ }
/*
* In case of a non proxy error, build an error message.
*/
- if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0)
+ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0) {
+ kdc_log(r->context, config, 5, "as-req: sending error: %d to client", ret);
ret = _kdc_fast_mk_error(r,
r->rep.padata,
r->armor_crypto,
@@ -2759,6 +2767,7 @@ out:
r->server_princ,
NULL, NULL,
r->reply);
+ }
if (r->pa_used && r->pa_used->cleanup)
r->pa_used->cleanup(r);
diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
index 39d42106e01..06889f47120 100644
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -76,8 +76,7 @@ _kdc_synthetic_princ_used_p(krb5_context context, krb5_ticket *ticket)
*/
krb5_error_code
-_kdc_check_pac(krb5_context context,
- krb5_kdc_configuration *config,
+_kdc_check_pac(astgs_request_t r,
const krb5_principal client_principal,
const krb5_principal delegated_proxy_principal,
hdb_entry *client,
@@ -92,6 +91,8 @@ _kdc_check_pac(krb5_context context,
krb5_principal *pac_canon_name,
uint64_t *pac_attributes)
{
+ krb5_context context = r->context;
+ krb5_kdc_configuration *config = r->config;
krb5_pac pac = NULL;
krb5_error_code ret;
krb5_boolean signedticket;
@@ -139,7 +140,7 @@ _kdc_check_pac(krb5_context context,
}
/* Verify the KDC signatures. */
- ret = _kdc_pac_verify(context, config,
+ ret = _kdc_pac_verify(r,
client_principal, delegated_proxy_principal,
client, server, krbtgt, &pac);
if (ret == 0) {
@@ -1770,7 +1771,7 @@ server_lookup:
}
/* Verify the PAC of the TGT. */
- ret = _kdc_check_pac(context, config, user2user_princ, NULL,
+ ret = _kdc_check_pac(priv, user2user_princ, NULL,
user2user_client, user2user_krbtgt, user2user_krbtgt, user2user_krbtgt,
&uukey->key, &priv->ticket_key->key, &adtkt,
&user2user_kdc_issued, &user2user_pac, NULL, NULL);
@@ -1897,7 +1898,7 @@ server_lookup:
flags &= ~HDB_F_SYNTHETIC_OK;
priv->clientdb = clientdb;
- ret = _kdc_check_pac(context, config, priv->client_princ, NULL,
+ ret = _kdc_check_pac(priv, priv->client_princ, NULL,
priv->client, priv->server,
priv->krbtgt, priv->krbtgt,
&priv->ticket_key->key, &priv->ticket_key->key, tgt,
@@ -2156,7 +2157,13 @@ _kdc_tgs_rep(astgs_request_t r)
out:
r->error_code = ret;
- _kdc_audit_request(r);
+ {
+ krb5_error_code ret2 = _kdc_audit_request(r);
+ if (ret2) {
+ krb5_data_free(data);
+ ret = ret2;
+ }
+ }
if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
METHOD_DATA error_method = { 0, NULL };
@@ -2203,6 +2210,12 @@ out:
krb5_free_ticket(r->context, r->armor_ticket);
if (r->armor_server)
_kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
+ if (r->explicit_armor_client)
+ _kdc_free_ent(r->context,
+ r->explicit_armor_clientdb,
+ r->explicit_armor_client);
+ if (r->explicit_armor_pac)
+ krb5_pac_free(r->context, r->explicit_armor_pac);
krb5_free_keyblock_contents(r->context, &r->reply_key);
krb5_free_keyblock_contents(r->context, &r->strengthen_key);
diff --git a/third_party/heimdal/kdc/libkdc-exports.def b/third_party/heimdal/kdc/libkdc-exports.def
index 3cc929e6025..2c4564bcadc 100644
--- a/third_party/heimdal/kdc/libkdc-exports.def
+++ b/third_party/heimdal/kdc/libkdc-exports.def
@@ -33,6 +33,9 @@ EXPORTS
kdc_request_get_config
kdc_request_get_cname
kdc_request_get_error_code
+ kdc_request_get_explicit_armor_pac
+ kdc_request_get_explicit_armor_clientdb
+ kdc_request_get_explicit_armor_client
kdc_request_get_from
kdc_request_get_krbtgt
kdc_request_get_krbtgtdb
diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c
index 9e67aad3319..fda5a37b1c6 100644
--- a/third_party/heimdal/kdc/mssfu.c
+++ b/third_party/heimdal/kdc/mssfu.c
@@ -252,8 +252,7 @@ validate_protocol_transition(astgs_request_t r)
if (ret)
goto out; /* kdc_check_flags() calls kdc_audit_addreason() */
- ret = _kdc_pac_generate(r->context,
- r->config,
+ ret = _kdc_pac_generate(r,
s4u_client,
r->server,
NULL,
@@ -473,7 +472,7 @@ validate_constrained_delegation(astgs_request_t r)
* TODO: pass in t->sname and t->realm and build
* a S4U_DELEGATION_INFO blob to the PAC.
*/
- ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
+ ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name,
s4u_client, r->server, r->krbtgt, r->client,
&clientkey->key, &r->ticket_key->key, &evidence_tkt,
&ad_kdc_issued, &s4u_pac,
diff --git a/third_party/heimdal/kdc/version-script.map b/third_party/heimdal/kdc/version-script.map
index 9067bb6e43f..72a21e62950 100644
--- a/third_party/heimdal/kdc/version-script.map
+++ b/third_party/heimdal/kdc/version-script.map
@@ -36,6 +36,9 @@ HEIMDAL_KDC_1.0 {
kdc_request_get_config;
kdc_request_get_cname;
kdc_request_get_error_code;
+ kdc_request_get_explicit_armor_pac;
+ kdc_request_get_explicit_armor_clientdb;
+ kdc_request_get_explicit_armor_client;
kdc_request_get_from;
kdc_request_get_krbtgt;
kdc_request_get_krbtgtdb;
diff --git a/third_party/heimdal/lib/asn1/krb5.asn1 b/third_party/heimdal/lib/asn1/krb5.asn1
index 639ec5af2d2..d7ce6bd6333 100644
--- a/third_party/heimdal/lib/asn1/krb5.asn1
+++ b/third_party/heimdal/lib/asn1/krb5.asn1
@@ -55,8 +55,12 @@ EXPORTS
PA-ClientCanonicalizedNames,
PA-DATA,
PA-ENC-TS-ENC,
+ PA-KERB-KEY-LIST-REP,
+ PA-KERB-KEY-LIST-REQ,
+ PA-PAC-OPTIONS,
PA-PAC-REQUEST,
PA-S4U2Self,
+ PA-S4U-X509-USER,
PA-SERVER-REFERRAL-DATA,
PA-ServerReferralData,
PA-SvrReferralData,
@@ -80,6 +84,7 @@ EXPORTS
KDCFastState,
KDCFastCookie,
KDC-PROXY-MESSAGE,
+ KERB-AD-RESTRICTION-ENTRY,
KERB-TIMES,
KERB-CRED,
KERB-TGS-REQ-IN,
@@ -190,7 +195,10 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
KRB5-PADATA-REQ-ENC-PA-REP(149), --
+ KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE
+ KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE
KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
+ KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE
KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth
}
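Review bot: The two new PADATA-TYPE names are misspelled relative to the rest of the enumeration and to the types they correspond to: `KER5-PADATA-KERB-KEY-LIST-REQ` should be `KRB5-PADATA-KERB-KEY-LIST-REQ`, and `KER5-PADATA-KERB-PAKEY-LIST-REP` should be `KRB5-PADATA-KERB-KEY-LIST-REP`, matching the `PA-KERB-KEY-LIST-REQ`/`PA-KERB-KEY-LIST-REP` types added later in this file. The ASN.1 compiler turns these names into C constants, so the typo propagates into the generated header and every caller; it is cheapest to fix before anything depends on it.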
@@ -217,7 +225,10 @@ AUTHDATA-TYPE ::= INTEGER {
KRB5-AUTHDATA-SIGNTICKET-OLD(142),
KRB5-AUTHDATA-SIGNTICKET(512),
KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
- KRB5-AUTHDATA-AP-OPTIONS(143),
+ KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE
+ KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE
+ KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE
+ KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE
-- N.B. these assignments have not been confirmed yet.
--
-- DO NOT USE in production yet!
@@ -592,6 +603,33 @@ PA-PAC-REQUEST ::= SEQUENCE {
-- should be included or not
}
+-- MS-KILE/MS-SFU
+PAC-OPTIONS-FLAGS ::= BIT STRING {
+ claims(0),
+ branch-aware(1),
+ forward-to-full-dc(2),
+ resource-based-constrained-delegation(3)
+}
+
+-- MS-KILE
+PA-PAC-OPTIONS ::= SEQUENCE {
+ flags [0] PAC-OPTIONS-FLAGS
+}
+
+-- MS-KILE
+-- captures show that [UNIVERSAL 16] is required to parse it
+KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
+ restriction-type [0] Krb5Int32,
+ restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
+}
+
+-- MS-KILE Section 2.2.11
+PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
+
+-- MS-KILE Section 2.2.12
+
+PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
+
-- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
PROV-SRV-LOCATION ::= GeneralString
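Review bot: `PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,` ends with a dangling comment and comma that look like the remains of an edit, and the definition itself should be checked against MS-KILE section 2.2.12, which as I recall describes the reply as a sequence of EncryptionKey values rather than enctype numbers. If ENCTYPE is intended, drop the stray comment; otherwise the line becomes `PA-KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey`. The blank line between the `-- MS-KILE Section 2.2.12` comment and its definition also separates it from what it documents, unlike the three definitions above it.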
@@ -819,6 +857,20 @@ PA-S4U2Self ::= SEQUENCE {
auth[3] GeneralString
}
+PA-S4U-X509-USER::= SEQUENCE {
+ user-id[0] S4UUserID,
+ checksum[1] Checksum
+}
+
+S4UUserID ::= SEQUENCE {
+ nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
+ cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
+ crealm [2] Realm,
+ subject-certificate [3] OCTET STRING OPTIONAL,
+ options [4] BIT STRING OPTIONAL,
+ ...
+}
+
AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
login-alias [0] PrincipalName,
checksum [1] Checksum
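Review bot: `PA-S4U-X509-USER::= SEQUENCE` lacks the space before `::=` that every other assignment in this file has (`S4UUserID ::= SEQUENCE` a few lines below); write `PA-S4U-X509-USER ::= SEQUENCE {`. A `-- MS-SFU` tag above it, matching the `-- MS-KILE` tags on the other types added in this commit, would also tell readers where the S4UUserID field semantics come from.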
diff --git a/third_party/heimdal/lib/asn1/libasn1-exports.def b/third_party/heimdal/lib/asn1/libasn1-exports.def
index 15d3a37beba..a7cb720bda3 100644
--- a/third_party/heimdal/lib/asn1/libasn1-exports.def
+++ b/third_party/heimdal/lib/asn1/libasn1-exports.def
@@ -445,6 +445,7 @@ EXPORTS
copy_KDC_REQ
copy_KDC_REQ_BODY
copy_KDFAlgorithmId
+ copy_KERB_AD_RESTRICTION_ENTRY
copy_KERB_ARMOR_SERVICE_REPLY
copy_KERB_CRED
copy_KerberosString
@@ -517,12 +518,16 @@ EXPORTS
copy_PA_ENC_TS_ENC
copy_PA_FX_FAST_REPLY
copy_PA_FX_FAST_REQUEST
+ copy_PA_KERB_KEY_LIST_REP
+ copy_PA_KERB_KEY_LIST_REQ
+ copy_PA_PAC_OPTIONS
copy_PA_PAC_REQUEST
copy_PA_PK_AS_REP
copy_PA_PK_AS_REP_BTMM
copy_PA_PK_AS_REP_Win2k
copy_PA_PK_AS_REQ
copy_PA_PK_AS_REQ_Win2k
+ copy_PA_S4U_X509_USER
copy_PA_S4U2Self
copy_PA_SAM_CHALLENGE_2
copy_PA_SAM_CHALLENGE_2_BODY
@@ -805,6 +810,7 @@ EXPORTS
decode_KDC_REQ
decode_KDC_REQ_BODY
decode_KDFAlgorithmId
+ decode_KERB_AD_RESTRICTION_ENTRY
decode_KERB_ARMOR_SERVICE_REPLY
decode_KERB_CRED
decode_KerberosString
@@ -877,12 +883,16 @@ EXPORTS
decode_PA_ENC_TS_ENC
decode_PA_FX_FAST_REPLY
decode_PA_FX_FAST_REQUEST
+ decode_PA_KERB_KEY_LIST_REP
+ decode_PA_KERB_KEY_LIST_REQ
+ decode_PA_PAC_OPTIONS
decode_PA_PAC_REQUEST
decode_PA_PK_AS_REP
decode_PA_PK_AS_REP_BTMM
decode_PA_PK_AS_REP_Win2k
decode_PA_PK_AS_REQ
decode_PA_PK_AS_REQ_Win2k
+ decode_PA_S4U_X509_USER
decode_PA_S4U2Self
decode_PA_SAM_CHALLENGE_2
decode_PA_SAM_CHALLENGE_2_BODY
@@ -1311,6 +1321,7 @@ EXPORTS
encode_KDC_REQ
encode_KDC_REQ_BODY
encode_KDFAlgorithmId
+ encode_KERB_AD_RESTRICTION_ENTRY
encode_KERB_ARMOR_SERVICE_REPLY
encode_KERB_CRED
encode_KerberosString
@@ -1383,12 +1394,16 @@ EXPORTS
encode_PA_ENC_TS_ENC
encode_PA_FX_FAST_REPLY
encode_PA_FX_FAST_REQUEST
+ encode_PA_KERB_KEY_LIST_REP
+ encode_PA_KERB_KEY_LIST_REQ
+ encode_PA_PAC_OPTIONS
encode_PA_PAC_REQUEST
encode_PA_PK_AS_REP
encode_PA_PK_AS_REP_BTMM
encode_PA_PK_AS_REP_Win2k
encode_PA_PK_AS_REQ
encode_PA_PK_AS_REQ_Win2k
+ encode_PA_S4U_X509_USER
encode_PA_S4U2Self
encode_PA_SAM_CHALLENGE_2
encode_PA_SAM_CHALLENGE_2_BODY
@@ -1672,6 +1687,7 @@ EXPORTS
free_KDC_REQ
free_KDC_REQ_BODY
free_KDFAlgorithmId
+ free_KERB_AD_RESTRICTION_ENTRY
free_KERB_ARMOR_SERVICE_REPLY
free_KERB_CRED
free_KerberosString
@@ -1744,12 +1760,16 @@ EXPORTS
free_PA_ENC_TS_ENC
free_PA_FX_FAST_REPLY
free_PA_FX_FAST_REQUEST
+ free_PA_KERB_KEY_LIST_REP
+ free_PA_KERB_KEY_LIST_REQ
+ free_PA_PAC_OPTIONS
free_PA_PAC_REQUEST
free_PA_PK_AS_REP
free_PA_PK_AS_REP_BTMM
free_PA_PK_AS_REP_Win2k
free_PA_PK_AS_REQ
free_PA_PK_AS_REQ_Win2k
+ free_PA_S4U_X509_USER
free_PA_S4U2Self
free_PA_SAM_CHALLENGE_2
free_PA_SAM_CHALLENGE_2_BODY
@@ -2052,6 +2072,7 @@ EXPORTS
length_KDC_REQ
length_KDC_REQ_BODY
length_KDFAlgorithmId
+ length_KERB_AD_RESTRICTION_ENTRY
length_KERB_ARMOR_SERVICE_REPLY
length_KERB_CRED
length_KerberosString
@@ -2124,12 +2145,16 @@ EXPORTS
length_PA_ENC_TS_ENC
length_PA_FX_FAST_REPLY
length_PA_FX_FAST_REQUEST
+ length_PA_KERB_KEY_LIST_REP
+ length_PA_KERB_KEY_LIST_REQ
+ length_PA_PAC_OPTIONS
length_PA_PAC_REQUEST
length_PA_PK_AS_REP
length_PA_PK_AS_REP_BTMM
length_PA_PK_AS_REP_Win2k
length_PA_PK_AS_REQ
length_PA_PK_AS_REQ_Win2k
+ length_PA_S4U_X509_USER
length_PA_S4U2Self
length_PA_SAM_CHALLENGE_2
length_PA_SAM_CHALLENGE_2_BODY
diff --git a/third_party/heimdal/lib/krb5/krb5.h b/third_party/heimdal/lib/krb5/krb5.h
index e78edcac9af..e4a9e7ec882 100644
--- a/third_party/heimdal/lib/krb5/krb5.h
+++ b/third_party/heimdal/lib/krb5/krb5.h
@@ -275,6 +275,10 @@ typedef enum krb5_key_usage {
KRB5_KU_PA_SERVER_REFERRAL = 26,
/* Keyusage for the server referral in a TGS req */
KRB5_KU_SAM_ENC_NONCE_SAD = 27,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REQUEST = 26,
+ /* Defined in [MS-SFU] */
+ KRB5_KU_PA_S4U_X509_USER_REPLY = 27,
/* Encryption of the SAM-NONCE-OR-SAD field */
KRB5_KU_PA_PKINIT_KX = 44,
/* Encryption type of the kdc session contribution in pk-init */
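Review bot: The two new enumerators reuse values 26 and 27, which KRB5_KU_PA_SERVER_REFERRAL and KRB5_KU_SAM_ENC_NONCE_SAD already hold a few lines above; C permits duplicate enumerator values, but since the key usage number is an input to RFC 3961 key derivation, the shared numbers mean the S4U X.509 user exchange derives the same keys as the referral and SAM usages, and an unlabelled duplicate invites someone to "fix" it to a fresh number. A comment stating the collision is deliberate, e.g. `/* Defined in [MS-SFU]; intentionally shares key usage 26 with PA-SERVER-REFERRAL */`, would prevent that. The insertion point also splits the existing `/* Encryption of the SAM-NONCE-OR-SAD field */` comment from KRB5_KU_SAM_ENC_NONCE_SAD, which it follows in this file's comment-after-enumerator layout; placing the new entries after that comment restores the pairing.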
diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c
index 2bdeae8ecd1..a12c00d7732 100644
--- a/third_party/heimdal/lib/krb5/pac.c
+++ b/third_party/heimdal/lib/krb5/pac.c
@@ -383,7 +383,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
size_t len, offset, header_end, old_end;
uint32_t i;
- assert(data->length > 0 && data->data != NULL);
+ assert(data->data != NULL);
len = p->pac->numbuffers;
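Review bot: Relaxing the assert to permit `data->length == 0` changes what krb5_pac_add_buffer() accepts, but nothing records why empty buffers are now valid; a one-line comment such as `/* zero-length buffers are permitted: <reason> */` with the real motivation filled in would stop the next reader from restoring the old check. Whether the remainder of the function and the parser side cope with a zero-size buffer entry is outside this hunk and worth confirming.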
diff --git a/third_party/heimdal/lib/krb5/principal.c b/third_party/heimdal/lib/krb5/principal.c
index 6080e462341..91743488d9f 100644
--- a/third_party/heimdal/lib/krb5/principal.c
+++ b/third_party/heimdal/lib/krb5/principal.c
@@ -789,6 +789,9 @@ krb5_make_principal(krb5_context context,
krb5_error_code ret;
krb5_realm r = NULL;
va_list ap;
+
+ *principal = NULL;
+
if(realm == NULL) {
ret = krb5_get_default_realm(context, &r);
if(ret)
@@ -943,7 +946,11 @@ krb5_copy_principal(krb5_context context,
krb5_const_principal inprinc,
krb5_principal *outprinc)
{
- krb5_principal p = malloc(sizeof(*p));
+ krb5_principal p;
+
+ *outprinc = NULL;
+
+ p = malloc(sizeof(*p));
if (p == NULL)
return krb5_enomem(context);
if(copy_Principal(inprinc, p)) {
diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
index 4fcf311fddf..ff33b5f7262 100644
--- a/third_party/heimdal/tests/plugin/kdc_test_plugin.c
+++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
@@ -20,14 +20,14 @@ fini(void *ctx)
static krb5_error_code KRB5_CALLCONV
pac_generate(void *ctx,
- krb5_context context,
- krb5_kdc_configuration *config,
+ astgs_request_t r,
hdb_entry *client,
hdb_entry *server,
const krb5_keyblock *pk_replykey,
uint64_t pac_attributes,
krb5_pac *pac)
{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
krb5_error_code ret;
krb5_data data;
@@ -55,8 +55,7 @@ pac_generate(void *ctx,
static krb5_error_code KRB5_CALLCONV
pac_verify(void *ctx,
- krb5_context context,
- krb5_kdc_configuration *config,
+ astgs_request_t r,
const krb5_principal new_ticket_client,
const krb5_principal delegation_proxy,
hdb_entry * client,
@@ -64,6 +63,7 @@ pac_verify(void *ctx,
hdb_entry * krbtgt,
krb5_pac *pac)
{
+ krb5_context context = kdc_request_get_context((kdc_request_t)r);
krb5_error_code ret;
krb5_data data;
krb5_cksumtype cstype;