From 9b48e7f7eda5e368c1192d562c268885c1f68d8b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 10 Mar 2022 17:49:52 +0100 Subject: third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d) This fixes the regressions against KDCs without FAST support. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184 --- third_party/heimdal/lib/krb5/fast.c | 98 ++++++++++++++++++++++++---- third_party/heimdal/lib/krb5/get_cred.c | 76 +++++++++++++-------- third_party/heimdal/lib/krb5/init_creds_pw.c | 1 - 3 files changed, 134 insertions(+), 41 deletions(-) (limited to 'third_party/heimdal') diff --git a/third_party/heimdal/lib/krb5/fast.c b/third_party/heimdal/lib/krb5/fast.c index 617446c3634..83893542d69 100644 --- a/third_party/heimdal/lib/krb5/fast.c +++ b/third_party/heimdal/lib/krb5/fast.c @@ -413,8 +413,14 @@ _krb5_fast_create_armor(krb5_context context, } if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) { - if (state->armor_crypto) + if (state->armor_crypto) { krb5_crypto_destroy(context, state->armor_crypto); + state->armor_crypto = NULL; + } + if (state->strengthen_key) { + krb5_free_keyblock(context, state->strengthen_key); + state->strengthen_key = NULL; + } krb5_free_keyblock_contents(context, &state->armor_key); /* @@ -455,14 +461,15 @@ _krb5_fast_create_armor(krb5_context context, krb5_error_code _krb5_fast_wrap_req(krb5_context context, struct krb5_fast_state *state, - krb5_data *checksum_data, KDC_REQ *req) { PA_FX_FAST_REQUEST fxreq; krb5_error_code ret; KrbFastReq fastreq; - krb5_data data, aschecksum_data; + krb5_data data, aschecksum_data, tgschecksum_data; + const krb5_data *checksum_data = NULL; size_t size = 0; + krb5_boolean readd_padata_to_outer = FALSE; if (state->flags & KRB5_FAST_DISABLED) { _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping"); @@ -473,6 +480,7 @@ _krb5_fast_wrap_req(krb5_context context, memset(&fastreq, 0, sizeof(fastreq)); krb5_data_zero(&data); krb5_data_zero(&aschecksum_data); + krb5_data_zero(&tgschecksum_data); if (state->armor_crypto == NULL) return check_fast(context, state); @@ -511,8 +519,6 @@ _krb5_fast_wrap_req(krb5_context context, ALLOC(req->req_body.till, 1); *req->req_body.till = 0; - heim_assert(checksum_data == NULL, "checksum data not NULL"); - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, aschecksum_data.data, aschecksum_data.length, @@ -523,14 +529,63 @@ _krb5_fast_wrap_req(krb5_context context, heim_assert(aschecksum_data.length == size, "ASN.1 internal error"); checksum_data = &aschecksum_data; - } - if (req->padata) { - ret = copy_METHOD_DATA(req->padata, &fastreq.padata); - free_METHOD_DATA(req->padata); - if (ret) - goto out; + if (req->padata) { + ret = copy_METHOD_DATA(req->padata, &fastreq.padata); + free_METHOD_DATA(req->padata); + if (ret) + goto out; + } } else { + const PA_DATA *tgs_req_ptr = NULL; + int tgs_req_idx = 0; + size_t i; + + heim_assert(req->padata != NULL, "req->padata is NULL"); + + tgs_req_ptr = krb5_find_padata(req->padata->val, + req->padata->len, + KRB5_PADATA_TGS_REQ, + &tgs_req_idx); + heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found"); + heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first"); + + tgschecksum_data.data = tgs_req_ptr->padata_value.data; + tgschecksum_data.length = tgs_req_ptr->padata_value.length; + checksum_data = &tgschecksum_data; + + /* + * Now copy all remaining once to + * the fastreq.padata and clear + * them in the outer req first, + * and remember to readd them later. + */ + readd_padata_to_outer = TRUE; + + for (i = 1; i < req->padata->len; i++) { + PA_DATA *val = &req->padata->val[i]; + + ret = krb5_padata_add(context, + &fastreq.padata, + val->padata_type, + val->padata_value.data, + val->padata_value.length); + if (ret) { + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto out; + } + val->padata_value.data = NULL; + val->padata_value.length = 0; + } + + /* + * Only TGS-REQ remaining + */ + req->padata->len = 1; + } + + if (req->padata == NULL) { ALLOC(req->padata, 1); if (req->padata == NULL) { ret = krb5_enomem(context); @@ -586,6 +641,27 @@ _krb5_fast_wrap_req(krb5_context context, goto out; krb5_data_zero(&data); + if (readd_padata_to_outer) { + size_t i; + + for (i = 0; i < fastreq.padata.len; i++) { + PA_DATA *val = &fastreq.padata.val[i]; + + ret = krb5_padata_add(context, + req->padata, + val->padata_type, + val->padata_value.data, + val->padata_value.length); + if (ret) { + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto out; + } + val->padata_value.data = NULL; + val->padata_value.length = 0; + } + } + out: free_KrbFastReq(&fastreq); free_PA_FX_FAST_REQUEST(&fxreq); diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c index ec757797866..6e48846bcb3 100644 --- a/third_party/heimdal/lib/krb5/get_cred.c +++ b/third_party/heimdal/lib/krb5/get_cred.c @@ -239,20 +239,6 @@ init_tgs_req (krb5_context context, if (ret) goto fail; } - - if (padata) { - if (t->padata == NULL) { - ALLOC(t->padata, 1); - if (t->padata == NULL) { - ret = krb5_enomem(context); - goto fail; - } - } - - ret = copy_METHOD_DATA(padata, t->padata); - if (ret) - goto fail; - } ret = krb5_auth_con_init(context, &ac); if(ret) @@ -278,6 +264,20 @@ init_tgs_req (krb5_context context, if (ret) goto fail; + ret = make_pa_tgs_req(context, + &ac, + &t->req_body, + ccache, + krbtgt, + &tgs_req); + if(ret) + goto fail; + + /* + * Add KRB5_PADATA_TGS_REQ first + * followed by all others. + */ + if (t->padata == NULL) { ALLOC(t->padata, 1); if (t->padata == NULL) { @@ -286,15 +286,40 @@ init_tgs_req (krb5_context context, } } - ret = make_pa_tgs_req(context, - &ac, - &t->req_body, - ccache, - krbtgt, - &tgs_req); - if(ret) + ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ, + tgs_req.data, tgs_req.length); + if (ret) goto fail; + krb5_data_zero(&tgs_req); + + { + size_t i; + for (i = 0; i < padata->len; i++) { + const PA_DATA *val1 = &padata->val[i]; + PA_DATA val2; + + ret = copy_PA_DATA(val1, &val2); + if (ret) { + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto fail; + } + + ret = krb5_padata_add(context, t->padata, + val2.padata_type, + val2.padata_value.data, + val2.padata_value.length); + if (ret) { + free_PA_DATA(&val2); + + krb5_set_error_message(context, ret, + N_("malloc: out of memory", "")); + goto fail; + } + } + } + if (state) { state->armor_ac = ac; ret = _krb5_fast_create_armor(context, state, NULL); @@ -302,7 +327,7 @@ init_tgs_req (krb5_context context, if (ret) goto fail; - ret = _krb5_fast_wrap_req(context, state, &tgs_req, t); + ret = _krb5_fast_wrap_req(context, state, t); if (ret) goto fail; @@ -310,13 +335,6 @@ init_tgs_req (krb5_context context, state->flags &= ~KRB5_FAST_EXPECTED; } - ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ, - tgs_req.data, tgs_req.length); - if (ret) - goto fail; - - krb5_data_zero(&tgs_req); - ret = krb5_auth_con_getlocalsubkey(context, ac, subkey); if (ret) goto fail; diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c index e42fcf10bc1..4173837779b 100644 --- a/third_party/heimdal/lib/krb5/init_creds_pw.c +++ b/third_party/heimdal/lib/krb5/init_creds_pw.c @@ -3394,7 +3394,6 @@ init_creds_step(krb5_context context, ret = _krb5_fast_wrap_req(context, &ctx->fast_state, - NULL, &req2); krb5_data_free(&checksum_data); -- cgit v1.2.1