[Patches] Backport Heimdal fixes for PKINIT (bug #12986)

Stefan Metzmacher metze at samba.org
Mon Aug 28 08:32:58 UTC 2017


Hi,

here're 2 backports from upstream Heimdal which fix parsing of PKINIT
requests for single sign on with Vmware Horizon.
See https://bugzilla.samba.org/show_bug.cgi?id=12986

Pleas review and push:-)

Thanks!
metze
-------------- next part --------------
From 358e3cbbe8788e1d670b33e3c7c65e2315d0c503 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha at h5l.org>
Date: Mon, 29 Apr 2013 11:37:39 -0700
Subject: [PATCH 1/2] HEIMDAL: allow optional q in DH DomainParameters

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95)
---
 source4/heimdal/kdc/pkinit.c          | 2 +-
 source4/heimdal/lib/asn1/rfc2459.asn1 | 2 +-
 source4/heimdal/lib/krb5/pkinit.c     | 7 ++++++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index d85b156..3a9e8f2 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -361,7 +361,7 @@ get_dh_param(krb5_context context,
     }
 
     ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
-			    &dhparam.p, &dhparam.g, &dhparam.q, moduli,
+			    &dhparam.p, &dhparam.g, dhparam.q, moduli,
 			    &client_params->dh_group_name);
     if (ret) {
 	/* XXX send back proposal of better group */
diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1
index bf82f81..7843f65 100644
--- a/source4/heimdal/lib/asn1/rfc2459.asn1
+++ b/source4/heimdal/lib/asn1/rfc2459.asn1
@@ -239,7 +239,7 @@ ValidationParms ::= SEQUENCE {
 DomainParameters ::= SEQUENCE {
 	p		INTEGER, -- odd prime, p=jq +1
 	g		INTEGER, -- generator, g
-	q		INTEGER, -- factor of p-1
+	q		INTEGER OPTIONAL, -- factor of p-1
 	j		INTEGER OPTIONAL, -- subgroup factor
 	validationParms	ValidationParms OPTIONAL -- ValidationParms
 }
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 1103a17..c30a298 100644
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -497,7 +497,12 @@ build_auth_pack(krb5_context context,
 		free_DomainParameters(&dp);
 		return ret;
 	    }
-	    ret = BN_to_integer(context, dh->q, &dp.q);
+	    dp.q = calloc(1, sizeof(*dp.q));
+	    if (dp.q == NULL) {
+		free_DomainParameters(&dp);
+		return ENOMEM;
+	    }
+	    ret = BN_to_integer(context, dh->q, dp.q);
 	    if (ret) {
 		free_DomainParameters(&dp);
 		return ret;
-- 
1.9.1


From a9d6691d4d6608ba9bd00775e58604eddaf57e38 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha at h5l.org>
Date: Mon, 29 Apr 2013 11:42:46 -0700
Subject: [PATCH 2/2] HEIMDAL: don't bother seeing q if not sent

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986

Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b)
---
 source4/heimdal/kdc/pkinit.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 3a9e8f2..c874847 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -381,9 +381,12 @@ get_dh_param(krb5_context context,
     dh->g = integer_to_BN(context, "DH base", &dhparam.g);
     if (dh->g == NULL)
 	goto out;
-    dh->q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
-    if (dh->g == NULL)
-	goto out;
+
+    if (dhparam.q) {
+	dh->q = integer_to_BN(context, "DH p-1 factor", dhparam.q);
+	if (dh->g == NULL)
+	    goto out;
+    }
 
     {
 	heim_integer glue;
-- 
1.9.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170828/a88c4fcb/signature.sig>


More information about the samba-technical mailing list