[Patches] Backport Heimdal fixes for PKINIT (bug #12986)
Stefan Metzmacher
metze at samba.org
Mon Aug 28 08:32:58 UTC 2017
Hi,
here're 2 backports from upstream Heimdal which fix parsing of PKINIT
requests for single sign on with Vmware Horizon.
See https://bugzilla.samba.org/show_bug.cgi?id=12986
Please review and push:-)
Thanks!
metze
From 358e3cbbe8788e1d670b33e3c7c65e2315d0c503 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha at h5l.org>
Date: Mon, 29 Apr 2013 11:37:39 -0700
Subject: [PATCH 1/2] HEIMDAL: allow optional q in DH DomainParameters
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from heimdal commit e8317b955f5a390c4f296871ba6987ad05478c95)
---
source4/heimdal/kdc/pkinit.c | 2 +-
source4/heimdal/lib/asn1/rfc2459.asn1 | 2 +-
source4/heimdal/lib/krb5/pkinit.c | 7 ++++++-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index d85b156..3a9e8f2 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -361,7 +361,7 @@ get_dh_param(krb5_context context,
}
ret = _krb5_dh_group_ok(context, config->pkinit_dh_min_bits,
- &dhparam.p, &dhparam.g, &dhparam.q, moduli,
+ &dhparam.p, &dhparam.g, dhparam.q, moduli,
&client_params->dh_group_name);
if (ret) {
/* XXX send back proposal of better group */
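Review bot: `dhparam.q` is now passed by value, and since the schema change in this series makes `q` OPTIONAL that pointer can be NULL; `_krb5_dh_group_ok` is not shown here, so the reviewer needs to confirm it tolerates a NULL `q` argument (or that the caller checks `dhparam.q` first), otherwise a request without `q` will dereference NULL before the later `if (dhparam.q)` guard in patch 2 is reached.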
diff --git a/source4/heimdal/lib/asn1/rfc2459.asn1 b/source4/heimdal/lib/asn1/rfc2459.asn1
index bf82f81..7843f65 100644
--- a/source4/heimdal/lib/asn1/rfc2459.asn1
+++ b/source4/heimdal/lib/asn1/rfc2459.asn1
@@ -239,7 +239,7 @@ ValidationParms ::= SEQUENCE {
DomainParameters ::= SEQUENCE {
p INTEGER, -- odd prime, p=jq +1
g INTEGER, -- generator, g
- q INTEGER, -- factor of p-1
+ q INTEGER OPTIONAL, -- factor of p-1
j INTEGER OPTIONAL, -- subgroup factor
validationParms ValidationParms OPTIONAL -- ValidationParms
}
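Review bot: this relaxes the RFC 2459 definition, where `q` is mandatory, so the deviation deserves a comment in the ASN.1 file stating why (interoperability with clients that omit `q`); the change also turns the generated `q` member from a value into a pointer, so every user of `DomainParameters.q` in the tree must be updated, which the other hunks in this series do for `get_dh_param` and `build_auth_pack`.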
diff --git a/source4/heimdal/lib/krb5/pkinit.c b/source4/heimdal/lib/krb5/pkinit.c
index 1103a17..c30a298 100644
--- a/source4/heimdal/lib/krb5/pkinit.c
+++ b/source4/heimdal/lib/krb5/pkinit.c
@@ -497,7 +497,12 @@ build_auth_pack(krb5_context context,
free_DomainParameters(&dp);
return ret;
}
- ret = BN_to_integer(context, dh->q, &dp.q);
+ dp.q = calloc(1, sizeof(*dp.q));
+ if (dp.q == NULL) {
+ free_DomainParameters(&dp);
+ return ENOMEM;
+ }
+ ret = BN_to_integer(context, dh->q, dp.q);
if (ret) {
free_DomainParameters(&dp);
return ret;
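Review bot: with `q` now OPTIONAL in the schema, the client side still unconditionally allocates `dp.q` and converts `dh->q`; consider guarding the allocation and the `BN_to_integer` call with `if (dh->q != NULL)` so that a DH group without a known `q` is encoded without the field rather than passed to `BN_to_integer`. The allocation being assigned to `dp.q` before the conversion is correct, as the `free_DomainParameters(&dp)` error path then releases it.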
--
1.9.1
From a9d6691d4d6608ba9bd00775e58604eddaf57e38 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha at h5l.org>
Date: Mon, 29 Apr 2013 11:42:46 -0700
Subject: [PATCH 2/2] HEIMDAL: don't bother seeing q if not sent
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12986
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from heimdal commit 19f9fdbcea11013cf13ac72c416f161ee55dee2b)
---
source4/heimdal/kdc/pkinit.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 3a9e8f2..c874847 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -381,9 +381,12 @@ get_dh_param(krb5_context context,
dh->g = integer_to_BN(context, "DH base", &dhparam.g);
if (dh->g == NULL)
goto out;
- dh->q = integer_to_BN(context, "DH p-1 factor", &dhparam.q);
- if (dh->g == NULL)
- goto out;
+
+ if (dhparam.q) {
+ dh->q = integer_to_BN(context, "DH p-1 factor", dhparam.q);
+ if (dh->g == NULL)
+ goto out;
+ }
{
heim_integer glue;
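Review bot: the NULL check after `dh->q = integer_to_BN(...)` still tests `dh->g` rather than `dh->q`, so a failed conversion of `q` is never caught and `dh->q` is left NULL for the code that follows; the pre-existing copy-paste error is carried over unchanged and should read `if (dh->q == NULL)` while this block is being touched.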
--
1.9.1