[SCM] Samba Shared Repository - branch v4-6-test updated
Karolin Seeger
kseeger at samba.org
Tue Feb 20 16:04:03 UTC 2018
The branch, v4-6-test has been updated
via 56a40ab samba: Only use async signal-safe functions in signal handler
via 670af37 subnet: Avoid a segfault when renaming subnet objects
via f2e21e6 HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
via ffda28e TODO s4:kdc: indicate support for new encryption types by adding empty keys
via 075f061 TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
via 7d0559e s4:kdc: use the strongest possible tgs session key
via 2a7392d HEIMDAL:hdb: export a hdb_enctype_supported() helper function
via 8ac00b0 HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
via 9f3571a s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
via 312bf1c HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
via 3dd52dd HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
via 9ec1a52 HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
from 2ed8741 VERSION: Bump version up to 4.6.14...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
- Log -----------------------------------------------------------------
commit 56a40ab005671fd6ce3c55cd91eddcbcc925891d
Author: Volker Lendecke <vl at samba.org>
Date: Thu Jan 4 21:06:02 2018 +0100
samba: Only use async signal-safe functions in signal handler
Otherwise shutdown can hang
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13240
Signed-off-by: Björn Baumbach <bb at sernet.de>
(similar to commit 361ea743576cf125d7957a97ed78a0446dab1a19)
Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-6-test): Tue Feb 20 17:03:44 CET 2018 on sn-devel-144
commit 670af37291bc75481ac89efff62760d74377536f
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Sep 20 14:55:11 2017 +1200
subnet: Avoid a segfault when renaming subnet objects
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit f2e21e692640308c003bd851da0c627af73a9451
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 8 13:18:29 2017 +0100
HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit ffda28e9b14a6d0464cc2b931105a4d43712dcba
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 7 12:23:31 2017 +0100
TODO s4:kdc: indicate support for new encryption types by adding empty keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
commit 075f061ca337d516a82b0fb19b001ff8cff61915
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 7 12:23:31 2017 +0100
TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
commit 7d0559e0eb5d533a5f5764a39d04fb05d8d34633
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 7 18:03:45 2017 +0100
s4:kdc: use the strongest possible tgs session key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 2a7392d3b216d4a79d81fd6a31bb2294b70c9a35
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 7 15:47:25 2017 +0100
HEIMDAL:hdb: export a hdb_enctype_supported() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 8ac00b066c893f9da5ac44f9391e41ad018d08bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 8 11:57:08 2017 +0100
HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
Currently the value is the same anyway as the session key is always of the
same type as server key up to now, but that will change shortly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 9f3571aa20a209901c6ab7c776200afeac54eca4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 28 14:51:43 2017 +0200
s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
We need the target service without realm, but the proxy services with realm.
I have a domain with an w2008r2 server and a samba and now both generate
the same S4U_DELEGATION_INFO.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 312bf1c331038059698d14d7026387079a49bb61
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 20 23:05:09 2017 +0200
HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 3dd52dd0df77bac590645cf05b54766101456016
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 20 23:05:09 2017 +0200
HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
We do this after checking for constraint delegation (S4U2Proxy).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 9ec1a523d2acba03a8cd7c21013d896962863759
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 20 23:05:09 2017 +0200
HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/subnets.py | 33 ++++++++
source4/dsdb/samdb/ldb_modules/samldb.c | 8 +-
source4/dsdb/tests/python/sites.py | 45 ++++++++++
source4/heimdal/kdc/kerberos5.c | 20 +++--
source4/heimdal/kdc/krb5tgs.c | 127 +++++++++++++++--------------
source4/heimdal/lib/hdb/hdb.c | 30 ++++++-
source4/heimdal/lib/hdb/version-script.map | 1 +
source4/kdc/db-glue.c | 73 ++++++++++++++++-
source4/kdc/kdc-heimdal.c | 6 +-
source4/kdc/pac-glue.c | 6 +-
source4/smbd/server.c | 4 +-
11 files changed, 266 insertions(+), 87 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/subnets.py b/python/samba/subnets.py
index e859f06..72eeb0f 100644
--- a/python/samba/subnets.py
+++ b/python/samba/subnets.py
@@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):
samdb.delete(dnsubnet)
+def rename_subnet(samdb, configDn, subnet_name, new_name):
+ """Rename a subnet.
+
+ :param samdb: A samdb connection
+ :param configDn: The DN of the configuration partition
+ :param subnet_name: Name of the subnet to rename
+ :param new_name: New name for the subnet
+ :return: None
+ :raise SubnetNotFound: if the subnet to be renamed does not exist.
+ :raise SubnetExists: if the subnet to be created already exists.
+ """
+ dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
+ if dnsubnet.add_base(configDn) == False:
+ raise SubnetException("dnsubnet.add_base() failed")
+ if dnsubnet.add_child("CN=X") == False:
+ raise SubnetException("dnsubnet.add_child() failed")
+ dnsubnet.set_component(0, "CN", subnet_name)
+
+ newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
+ newdnsubnet.set_component(0, "CN", new_name)
+ try:
+ samdb.rename(dnsubnet, newdnsubnet)
+ except LdbError as (enum, estr):
+ if enum == ldb.ERR_NO_SUCH_OBJECT:
+ raise SubnetNotFound('Subnet %s does not exist' % subnet)
+ elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
+ raise SubnetAlreadyExists('A subnet with the CIDR %s already exists'
+ % new_name)
+ elif enum == ldb.ERR_INVALID_DN_SYNTAX:
+ raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
+ estr))
+ else:
+ raise
def set_subnet_site(samdb, configDn, subnet_name, site_name):
"""Assign a subnet to a site.
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 8459210..9f72df2 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -3072,13 +3072,13 @@ static int verify_cidr(const char *cidr)
}
-static int samldb_verify_subnet(struct samldb_ctx *ac)
+static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
{
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
const char *cidr = NULL;
const struct ldb_val *rdn_value = NULL;
- rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
+ rdn_value = ldb_dn_get_rdn_val(dn);
if (rdn_value == NULL) {
ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
"failed");
@@ -3240,7 +3240,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
if (samdb_find_attribute(ldb, ac->msg,
"objectclass", "subnet") != NULL) {
- ret = samldb_verify_subnet(ac);
+ ret = samldb_verify_subnet(ac, ac->msg->dn);
if (ret != LDB_SUCCESS) {
talloc_free(ac);
return ret;
@@ -3633,7 +3633,7 @@ static int check_rename_constraints(struct ldb_message *msg,
/* subnet objects */
if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
- ret = samldb_verify_subnet(ac);
+ ret = samldb_verify_subnet(ac, newdn);
if (ret != LDB_SUCCESS) {
talloc_free(ac);
return ret;
diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
index a894da3..123e1ec 100755
--- a/source4/dsdb/tests/python/sites.py
+++ b/source4/dsdb/tests/python/sites.py
@@ -183,6 +183,51 @@ class SimpleSubnetTests(SitesBaseTests):
self.assertRaises(subnets.SubnetNotFound,
subnets.delete_subnet, self.ldb, basedn, cidr)
+ def test_rename_good_subnet_to_good_subnet(self):
+ """Make sure that we can rename subnets"""
+ basedn = self.ldb.get_config_basedn()
+ cidr = "10.16.0.0/24"
+ new_cidr = "10.16.1.0/24"
+
+ subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+
+ subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % new_cidr)
+
+ self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 0, 'Failed to remove old subnet during rename %s' % cidr)
+
+ subnets.delete_subnet(self.ldb, basedn, new_cidr)
+
+ def test_rename_good_subnet_to_bad_subnet(self):
+ """Make sure that the CIDR checking runs during rename"""
+ basedn = self.ldb.get_config_basedn()
+ cidr = "10.17.0.0/24"
+ bad_cidr = "10.11.12.0/14"
+
+ subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
+
+ self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
+ self.ldb, basedn, cidr, bad_cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % bad_cidr)
+
+ self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
+
+ ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
+ expression='(&(objectclass=subnet)(cn=%s))' % cidr)
+
+ self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)
+
+ subnets.delete_subnet(self.ldb, basedn, cidr)
+
def test_create_bad_ranges(self):
"""These CIDR ranges all have something wrong with them, and they
should all fail."""
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 3282d5e..c6ec65e 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
krb5_error_code ret;
krb5_salt def_salt;
krb5_enctype enctype = ETYPE_NULL;
- Key *key;
+ Key *key = NULL;
int i;
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
@@ -159,29 +159,34 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
- for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
+ for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check that the client supports it too */
- for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
+ for (j = 0; j < len && key == NULL; j++) {
if (p[i] != etypes[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
+ if (enctype == ETYPE_NULL) {
+ ret = hdb_enctype_supported(context, &princ->entry, p[i]);
+ if (ret == 0) {
+ enctype = p[i];
+ }
+ }
/* check target princ support */
ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
if (ret)
continue;
if (is_preauth && !is_default_salt_p(&def_salt, key))
continue;
- enctype = p[i];
}
}
if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
enctype = clientbest;
- else if (enctype == ETYPE_NULL)
+ else if (key == NULL)
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (ret == 0 && ret_enctype != NULL)
*ret_enctype = enctype;
@@ -322,7 +327,6 @@ krb5_error_code
_kdc_encode_reply(krb5_context context,
krb5_kdc_configuration *config,
KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
- krb5_enctype etype,
int skvno, const EncryptionKey *skey,
int ckvno, const EncryptionKey *reply_key,
int rk_is_subkey,
@@ -349,7 +353,7 @@ _kdc_encode_reply(krb5_context context,
return KRB5KRB_ERR_GENERIC;
}
- ret = krb5_crypto_init(context, skey, etype, &crypto);
+ ret = krb5_crypto_init(context, skey, 0, &crypto);
if (ret) {
const char *msg;
free(buf);
@@ -1720,7 +1724,7 @@ _kdc_as_rep(krb5_context context,
log_as_req(context, config, reply_key->keytype, setype, b);
ret = _kdc_encode_reply(context, config,
- &rep, &et, &ek, setype, server->entry.kvno,
+ &rep, &et, &ek, server->entry.kvno,
&skey->key, client->entry.kvno,
reply_key, 0, &e_text, reply);
free_EncTicketPart(&et);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a888788..e11ad52 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
+ const EncTicketPart *adtgt,
const krb5_keyblock *replykey,
int rk_is_subkey,
const EncryptionKey *serverkey,
@@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
rep.pvno = 5;
rep.msg_type = krb_tgs_rep;
- et.authtime = tgt->authtime;
+ et.authtime = adtgt->authtime;
_kdc_fix_time(&b->till);
et.endtime = min(tgt->endtime, *b->till);
ALLOC(et.starttime);
@@ -987,7 +988,7 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = _kdc_encode_reply(context, config,
- &rep, &et, &ek, et.key.keytype,
+ &rep, &et, &ek,
kvno,
serverkey, 0, replykey, rk_is_subkey,
e_text, reply);
@@ -1159,7 +1160,6 @@ tgs_parse_request(krb5_context context,
const struct sockaddr *from_addr,
time_t **csec,
int **cusec,
- AuthorizationData **auth_data,
krb5_keyblock **replykey,
int *rk_is_subkey)
{
@@ -1170,14 +1170,11 @@ tgs_parse_request(krb5_context context,
krb5_auth_context ac = NULL;
krb5_flags ap_req_options;
krb5_flags verify_ap_req_flags;
- krb5_crypto crypto;
Key *tkey;
krb5_keyblock *subkey = NULL;
- unsigned usage;
krb5uint32 kvno = 0;
krb5uint32 *kvno_ptr = NULL;
- *auth_data = NULL;
*csec = NULL;
*cusec = NULL;
*replykey = NULL;
@@ -1328,7 +1325,6 @@ tgs_parse_request(krb5_context context,
goto out;
}
- usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
*rk_is_subkey = 1;
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
@@ -1340,7 +1336,6 @@ tgs_parse_request(krb5_context context,
goto out;
}
if(subkey == NULL){
- usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
*rk_is_subkey = 0;
ret = krb5_auth_con_getkey(context, ac, &subkey);
@@ -1362,47 +1357,6 @@ tgs_parse_request(krb5_context context,
*replykey = subkey;
- if (b->enc_authorization_data) {
- krb5_data ad;
-
- ret = krb5_crypto_init(context, subkey, 0, &crypto);
- if (ret) {
- const char *msg = krb5_get_error_message(context, ret);
- krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
- krb5_free_error_message(context, msg);
- goto out;
- }
- ret = krb5_decrypt_EncryptedData (context,
- crypto,
- usage,
- b->enc_authorization_data,
- &ad);
- krb5_crypto_destroy(context, crypto);
- if(ret){
- krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0,
- "Failed to decrypt enc-authorization-data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- ALLOC(*auth_data);
- if (*auth_data == NULL) {
- krb5_auth_con_free(context, ac);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
- if(ret){
- krb5_auth_con_free(context, ac);
- free(*auth_data);
- *auth_data = NULL;
- kdc_log(context, config, 0, "Failed to decode authorization data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- }
-
krb5_auth_con_free(context, ac);
out:
@@ -1500,7 +1454,6 @@ tgs_build_reply(krb5_context context,
krb5_data *reply,
const char *from,
const char **e_text,
- AuthorizationData **auth_data,
const struct sockaddr *from_addr)
{
krb5_error_code ret;
@@ -1516,6 +1469,9 @@ tgs_build_reply(krb5_context context,
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
+ AuthorizationData *auth_data = NULL;
+ const EncryptionKey *auth_data_key = replykey;
+ unsigned auth_data_usage;
hdb_entry_ex *krbtgt_out = NULL;
@@ -1525,6 +1481,7 @@ tgs_build_reply(krb5_context context,
Realm r;
int nloop = 0;
EncTicketPart adtkt;
+ EncTicketPart *adtgt = tgt;
char opt_str[128];
int signedpath = 0;
@@ -1540,6 +1497,12 @@ tgs_build_reply(krb5_context context,
s = b->sname;
r = b->realm;
+ if (rk_is_subkey != 0) {
+ auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
+ } else {
+ auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
+ }
+
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
@@ -1742,7 +1705,7 @@ server_lookup:
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
- server, b->etype.val, b->etype.len, NULL,
+ server, b->etype.val, b->etype.len, &etype,
&skey);
if(ret) {
kdc_log(context, config, 0,
@@ -1750,7 +1713,6 @@ server_lookup:
goto out;
}
ekey = &skey->key;
- etype = skey->key.keytype;
kvno = server->entry.kvno;
}
@@ -2183,10 +2145,55 @@ server_lookup:
goto out;
}
+ if (rk_is_subkey == 0) {
+ auth_data_key = &adtkt.key;
+ }
+ adtgt = &adtkt;
kdc_log(context, config, 0, "constrained delegation for %s "
"from %s (%s) to %s", tpn, cpn, dpn, spn);
}
+ if (b->enc_authorization_data) {
+ krb5_data ad;
+ krb5_crypto crypto;
+
+ ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
+ if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
+ goto out;
+ }
+
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ auth_data_usage,
+ b->enc_authorization_data,
+ &ad);
+ krb5_crypto_destroy(context, crypto);
+ if(ret){
+ kdc_log(context, config, 0,
+ "Failed to decrypt enc-authorization-data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ ALLOC(auth_data);
+ if (auth_data == NULL) {
+ krb5_data_free(&ad);
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
+ krb5_data_free(&ad);
+ if(ret){
+ free(auth_data);
+ auth_data = NULL;
+ kdc_log(context, config, 0, "Failed to decode authorization data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ }
+
/*
* Check flags
*/
@@ -2257,12 +2264,13 @@ server_lookup:
b,
tp,
tgt,
+ adtgt,
replykey,
rk_is_subkey,
ekey,
&sessionkey,
kvno,
- *auth_data,
+ auth_data,
server,
server->entry.principal,
spn,
@@ -2307,6 +2315,11 @@ out:
free(ref_realm);
free_METHOD_DATA(&enc_pa_data);
+ if (auth_data) {
+ free_AuthorizationData(auth_data);
+ free(auth_data);
+ }
+
free_EncTicketPart(&adtkt);
return ret;
@@ -2325,7 +2338,6 @@ _kdc_tgs_rep(krb5_context context,
struct sockaddr *from_addr,
int datagram_reply)
{
- AuthorizationData *auth_data = NULL;
krb5_error_code ret;
int i = 0;
const PA_DATA *tgs_req;
@@ -2364,7 +2376,6 @@ _kdc_tgs_rep(krb5_context context,
&e_text,
from, from_addr,
&csec, &cusec,
- &auth_data,
&replykey,
&rk_is_subkey);
if (ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -2389,7 +2400,6 @@ _kdc_tgs_rep(krb5_context context,
data,
from,
&e_text,
- &auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 0,
@@ -2426,10 +2436,5 @@ out:
if(krbtgt)
_kdc_free_ent(context, krbtgt);
--
Samba Shared Repository
More information about the samba-cvs
mailing list