[PATCH] heimdal - align kvno internal type with upstream

Uri Simchoni uri at samba.org
Tue May 17 19:48:06 UTC 2016


Hi,
I tried pushing the changes of commit
6379737b7ddc6ccb752238c5820cc62e76a8da17 to upstream heimdal (the kvno
signedness, affecting RODC). It turns out the encoding in upstream
Heimdal has long been changed to signed, but the internal representation
of kvno remains unsigned and they want to keep it that way. The upstream
code included a pointer type mismatch which would make our picky build
modes scream, and I fixed that (with Andrew pushing it).

In the interest of aligning our fork and heimdal (sigh...), this patch
reverts the internal representation change and takes care of
signed->unsigned conversion. The goal is no functional changes to Samba
- it just makes the code more similar to upstream Heimdal (not identical
because there are subtle differences which are out of scope for this
change).

Review appreciated,
Uri.
-------------- next part --------------
From 88862e86cb66f0a1a0b27d2e66eb89306c56094e Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Tue, 17 May 2016 13:45:11 +0300
Subject: [PATCH] heimdal make kvno unsigned internally

The folks at heimdal didn't like the patch in
commit 6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted
that kvno should remain unsigned internally, even though it is
encoded as signed in packets. This patch reverts some of the
unsigned->signed changes in that commit, and resolves conversion
issues - in order to be aligned with upstream Heimdal.

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 source4/heimdal/kdc/krb5tgs.c | 17 +++++++++++++++--
 source4/heimdal/kdc/misc.c    |  2 +-
 source4/torture/rpc/lsa.c     |  2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 1d0d1dd..c221c90 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1174,6 +1174,8 @@ tgs_parse_request(krb5_context context,
     Key *tkey;
     krb5_keyblock *subkey = NULL;
     unsigned usage;
+    krb5uint32 kvno = 0;
+    krb5uint32 *kvno_ptr = NULL;
 
     *auth_data = NULL;
     *csec  = NULL;
@@ -1201,7 +1203,12 @@ tgs_parse_request(krb5_context context,
 				       ap_req.ticket.sname,
 				       ap_req.ticket.realm);
 
-    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt);
+    if (ap_req.ticket.enc_part.kvno) {
+	    kvno = *ap_req.ticket.enc_part.kvno;
+	    kvno_ptr = &kvno;
+    }
+    ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, kvno_ptr,
+			NULL, krbtgt);
 
     if(ret == HDB_ERR_NOT_FOUND_HERE) {
 	char *p;
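Review bot: The assignment `kvno = *ap_req.ticket.enc_part.kvno;` converts the signed wire value to `krb5uint32` implicitly, with no cast and no comment. Since the commit message says kvno is encoded as signed in packets, make the conversion explicit, for example `kvno = (krb5uint32)*ap_req.ticket.enc_part.kvno;`, and add a one-line comment saying that a negative encoded value is deliberately reinterpreted as unsigned, so the intent survives the next merge from upstream. The body of the new `if` is also indented one level deeper than the body of the neighbouring `if(ret == HDB_ERR_NOT_FOUND_HERE)`.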
@@ -1541,6 +1548,8 @@ tgs_build_reply(krb5_context context,
 	hdb_entry_ex *uu;
 	krb5_principal p;
 	Key *uukey;
+	krb5uint32 second_kvno = 0;
+	krb5uint32 *kvno_ptr = NULL;
 
 	if(b->additional_tickets == NULL ||
 	   b->additional_tickets->len == 0){
@@ -1557,8 +1566,12 @@ tgs_build_reply(krb5_context context,
 	    goto out;
 	}
 	_krb5_principalname2krb5_principal(context, &p, t->sname, t->realm);
+	if(t->enc_part.kvno){
+	    second_kvno = *t->enc_part.kvno;
+	    kvno_ptr = &second_kvno;
+	}
 	ret = _kdc_db_fetch(context, config, p,
-			    HDB_F_GET_KRBTGT, t->enc_part.kvno,
+			    HDB_F_GET_KRBTGT, kvno_ptr,
 			    NULL, &uu);
 	krb5_free_principal(context, p);
 	if(ret){
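Review bot: The `if(t->enc_part.kvno){` block in tgs_build_reply repeats the copy-and-take-address pattern already added in tgs_parse_request, again with an implicit signed to unsigned conversion. Consider a small static helper that takes the optional ticket kvno and a `krb5uint32` to fill in and returns either its address or NULL, so the conversion and the NULL case live in one place. If the two copies stay, give this one the same explicit cast and comment, and name the locals consistently across both functions (`kvno` / `kvno_ptr` there, `second_kvno` / `kvno_ptr` here).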
diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c
index 6fd5119..b0bc38a 100644
--- a/source4/heimdal/kdc/misc.c
+++ b/source4/heimdal/kdc/misc.c
@@ -40,7 +40,7 @@ _kdc_db_fetch(krb5_context context,
 	      krb5_kdc_configuration *config,
 	      krb5_const_principal principal,
 	      unsigned flags,
-	      krb5int32 *kvno_ptr,
+	      krb5uint32 *kvno_ptr,
 	      HDB **db,
 	      hdb_entry_ex **h)
 {
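Review bot: Changing `kvno_ptr` to `krb5uint32 *` in the `_kdc_db_fetch` definition touches only misc.c, and the diffstat lists no header and no call sites other than the two in krb5tgs.c. Please confirm that the prototype and every other caller of `_kdc_db_fetch` already pass a `krb5uint32 *`; any that still pass a `krb5int32 *` would be the same kind of pointer type mismatch the cover letter mentions.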
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 4d0084b..fa884fb 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -3183,7 +3183,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
 	const char *old_password = cli_credentials_get_old_password(credentials);
 	int kvno = cli_credentials_get_kvno(credentials);
 	int expected_kvno = 0;
-	krb5int32 t_kvno = 0;
+	krb5uint32 t_kvno = 0;
 	const char *host = torture_setting_string(tctx, "host", NULL);
 	krb5_error_code k5ret;
 	krb5_boolean k5ok;
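Review bot: `t_kvno` becomes `krb5uint32` while `kvno` and `expected_kvno` two lines above it stay `int`, so any later comparison between them in check_pw_with_krb5 mixes signed and unsigned operands. Please check the uses of `t_kvno` further down (not shown in this hunk) and either cast at the comparison or make the expected values unsigned as well.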
-- 
2.5.5


