Accidental commits? (was: Re: [SCM] Samba Shared Repository - branch v4-6-test updated)

Andrew Bartlett abartlet at samba.org
Tue Feb 20 18:25:47 UTC 2018


Karolin,

This looks like a different kind of commit to what I would normally
expect to see in v4-6-test.  Can you check if you could have
unintentionally pushed a testing branch?

Thanks,

Andrew Bartlett

On Tue, 2018-02-20 at 17:04 +0100, Karolin Seeger wrote:
> The branch, v4-6-test has been updated
>        via  56a40ab samba: Only use async signal-safe functions in signal handler
>        via  670af37 subnet: Avoid a segfault when renaming subnet objects
>        via  f2e21e6 HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
>        via  ffda28e TODO s4:kdc: indicate support for new encryption types by adding empty keys
>        via  075f061 TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
>        via  7d0559e s4:kdc: use the strongest possible tgs session key
>        via  2a7392d HEIMDAL:hdb: export a hdb_enctype_supported() helper function
>        via  8ac00b0 HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
>        via  9f3571a s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
>        via  312bf1c HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
>        via  3dd52dd HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
>        via  9ec1a52 HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
>       from  2ed8741 VERSION: Bump version up to 4.6.14...
> 
> https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
> 
> 
> - Log -----------------------------------------------------------------
> commit 56a40ab005671fd6ce3c55cd91eddcbcc925891d
> Author: Volker Lendecke <vl at samba.org>
> Date:   Thu Jan 4 21:06:02 2018 +0100
> 
>     samba: Only use async signal-safe functions in signal handler
>     
>     Otherwise shutdown can hang
>     
>     Signed-off-by: Volker Lendecke <vl at samba.org>
>     Reviewed-by: Andreas Schneider <asn at samba.org>
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13240
>     
>     Signed-off-by: Björn Baumbach <bb at sernet.de>
>     (similar to commit 361ea743576cf125d7957a97ed78a0446dab1a19)
>     
>     Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
>     Autobuild-Date(v4-6-test): Tue Feb 20 17:03:44 CET 2018 on sn-devel-144
> 
> commit 670af37291bc75481ac89efff62760d74377536f
> Author: Garming Sam <garming at catalyst.net.nz>
> Date:   Wed Sep 20 14:55:11 2017 +1200
> 
>     subnet: Avoid a segfault when renaming subnet objects
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
>     
>     Signed-off-by: Garming Sam <garming at catalyst.net.nz>
>     Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> 
> commit f2e21e692640308c003bd851da0c627af73a9451
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Wed Nov 8 13:18:29 2017 +0100
> 
>     HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit ffda28e9b14a6d0464cc2b931105a4d43712dcba
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Tue Nov 7 12:23:31 2017 +0100
> 
>     TODO s4:kdc: indicate support for new encryption types by adding empty keys
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> 
> commit 075f061ca337d516a82b0fb19b001ff8cff61915
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Tue Nov 7 12:23:31 2017 +0100
> 
>     TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> 
> commit 7d0559e0eb5d533a5f5764a39d04fb05d8d34633
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Tue Nov 7 18:03:45 2017 +0100
> 
>     s4:kdc: use the strongest possible tgs session key
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit 2a7392d3b216d4a79d81fd6a31bb2294b70c9a35
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Tue Nov 7 15:47:25 2017 +0100
> 
>     HEIMDAL:hdb: export a hdb_enctype_supported() helper function
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit 8ac00b066c893f9da5ac44f9391e41ad018d08bc
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Wed Nov 8 11:57:08 2017 +0100
> 
>     HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
>     
>     Currently the value is the same anyway as the session key is always of the
>     same type as server key up to now, but that will change shortly.
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit 9f3571aa20a209901c6ab7c776200afeac54eca4
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Thu Sep 28 14:51:43 2017 +0200
> 
>     s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
>     
>     We need the target service without realm, but the proxy services with realm.
>     
>     I have a domain with an w2008r2 server and a samba and now both generate
>     the same S4U_DELEGATION_INFO.
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit 312bf1c331038059698d14d7026387079a49bb61
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Wed Sep 20 23:05:09 2017 +0200
> 
>     HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit 3dd52dd0df77bac590645cf05b54766101456016
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Wed Sep 20 23:05:09 2017 +0200
> 
>     HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
>     
>     We do this after checking for constraint delegation (S4U2Proxy).
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> commit 9ec1a523d2acba03a8cd7c21013d896962863759
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Wed Sep 20 23:05:09 2017 +0200
> 
>     HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
>     
>     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>     
>     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> 
> -----------------------------------------------------------------------
> 
> Summary of changes:
>  python/samba/subnets.py                    |  33 ++++++++
>  source4/dsdb/samdb/ldb_modules/samldb.c    |   8 +-
>  source4/dsdb/tests/python/sites.py         |  45 ++++++++++
>  source4/heimdal/kdc/kerberos5.c            |  20 +++--
>  source4/heimdal/kdc/krb5tgs.c              | 127 +++++++++++++++--------------
>  source4/heimdal/lib/hdb/hdb.c              |  30 ++++++-
>  source4/heimdal/lib/hdb/version-script.map |   1 +
>  source4/kdc/db-glue.c                      |  73 ++++++++++++++++-
>  source4/kdc/kdc-heimdal.c                  |   6 +-
>  source4/kdc/pac-glue.c                     |   6 +-
>  source4/smbd/server.c                      |   4 +-
>  11 files changed, 266 insertions(+), 87 deletions(-)
> 
> 
> Changeset truncated at 500 lines:
> 
> diff --git a/python/samba/subnets.py b/python/samba/subnets.py
> index e859f06..72eeb0f 100644
> --- a/python/samba/subnets.py
> +++ b/python/samba/subnets.py
> @@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):
>  
>      samdb.delete(dnsubnet)
>  
> +def rename_subnet(samdb, configDn, subnet_name, new_name):
> +    """Rename a subnet.
> +
> +    :param samdb: A samdb connection
> +    :param configDn: The DN of the configuration partition
> +    :param subnet_name: Name of the subnet to rename
> +    :param new_name: New name for the subnet
> +    :return: None
> +    :raise SubnetNotFound: if the subnet to be renamed does not exist.
> +    :raise SubnetExists: if the subnet to be created already exists.
> +    """
> +    dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
> +    if dnsubnet.add_base(configDn) == False:
> +        raise SubnetException("dnsubnet.add_base() failed")
> +    if dnsubnet.add_child("CN=X") == False:
> +        raise SubnetException("dnsubnet.add_child() failed")
> +    dnsubnet.set_component(0, "CN", subnet_name)
> +
> +    newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
> +    newdnsubnet.set_component(0, "CN", new_name)
> +    try:
> +        samdb.rename(dnsubnet, newdnsubnet)
> +    except LdbError as (enum, estr):
> +        if enum == ldb.ERR_NO_SUCH_OBJECT:
> +            raise SubnetNotFound('Subnet %s does not exist' % subnet)
> +        elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
> +            raise SubnetAlreadyExists('A subnet with the CIDR %s already exists'
> +                                      % new_name)
> +        elif enum == ldb.ERR_INVALID_DN_SYNTAX:
> +            raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
> +                                                                  estr))
> +        else:
> +            raise
>  
>  def set_subnet_site(samdb, configDn, subnet_name, site_name):
>      """Assign a subnet to a site.
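
Review bot: In rename_subnet() the ERR_NO_SUCH_OBJECT branch formats its message with `subnet`, which is not defined in this function (the parameter is `subnet_name`), so renaming a missing subnet raises NameError instead of SubnetNotFound; use `% subnet_name`. The docstring also names `SubnetExists` while the code raises `SubnetAlreadyExists`, and it does not mention the `SubnetInvalid` raised for ERR_INVALID_DN_SYNTAX. Neither new test in sites.py covers the not-found or already-exists branches, which is why the undefined name goes unnoticed.
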
> diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
> index 8459210..9f72df2 100644
> --- a/source4/dsdb/samdb/ldb_modules/samldb.c
> +++ b/source4/dsdb/samdb/ldb_modules/samldb.c
> @@ -3072,13 +3072,13 @@ static int verify_cidr(const char *cidr)
>  }
>  
>  
> -static int samldb_verify_subnet(struct samldb_ctx *ac)
> +static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
>  {
>  	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
>  	const char *cidr = NULL;
>  	const struct ldb_val *rdn_value = NULL;
>  
> -	rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
> +	rdn_value = ldb_dn_get_rdn_val(dn);
>  	if (rdn_value == NULL) {
>  		ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
>  				  "failed");
> @@ -3240,7 +3240,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
>  
>  	if (samdb_find_attribute(ldb, ac->msg,
>  				 "objectclass", "subnet") != NULL) {
> -		ret = samldb_verify_subnet(ac);
> +		ret = samldb_verify_subnet(ac, ac->msg->dn);
>  		if (ret != LDB_SUCCESS) {
>  			talloc_free(ac);
>  			return ret;
> @@ -3633,7 +3633,7 @@ static int check_rename_constraints(struct ldb_message *msg,
>  
>  	/* subnet objects */
>  	if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
> -		ret = samldb_verify_subnet(ac);
> +		ret = samldb_verify_subnet(ac, newdn);
>  		if (ret != LDB_SUCCESS) {
>  			talloc_free(ac);
>  			return ret;
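
Review bot: The failure path after `ret = samldb_verify_subnet(ac, newdn);` frees the request context (`talloc_free(ac); return ret;`), the same pattern as in samldb_add(), but this is check_rename_constraints() and the caller is not visible in the hunk. Please confirm that the caller neither frees nor dereferences ac after a non-success return, since the new bad-CIDR rename test now drives exactly this path; if the caller does its own cleanup, drop the talloc_free() here and just return ret.
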
> diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
> index a894da3..123e1ec 100755
> --- a/source4/dsdb/tests/python/sites.py
> +++ b/source4/dsdb/tests/python/sites.py
> @@ -183,6 +183,51 @@ class SimpleSubnetTests(SitesBaseTests):
>          self.assertRaises(subnets.SubnetNotFound,
>                            subnets.delete_subnet, self.ldb, basedn, cidr)
>  
> +    def test_rename_good_subnet_to_good_subnet(self):
> +        """Make sure that we can rename subnets"""
> +        basedn = self.ldb.get_config_basedn()
> +        cidr = "10.16.0.0/24"
> +        new_cidr = "10.16.1.0/24"
> +
> +        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
> +
> +        subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
> +
> +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> +                              expression='(&(objectclass=subnet)(cn=%s))' % new_cidr)
> +
> +        self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
> +
> +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> +                              expression='(&(objectclass=subnet)(cn=%s))' % cidr)
> +
> +        self.assertEqual(len(ret), 0, 'Failed to remove old subnet during rename %s' % cidr)
> +
> +        subnets.delete_subnet(self.ldb, basedn, new_cidr)
> +
> +    def test_rename_good_subnet_to_bad_subnet(self):
> +        """Make sure that the CIDR checking runs during rename"""
> +        basedn = self.ldb.get_config_basedn()
> +        cidr = "10.17.0.0/24"
> +        bad_cidr = "10.11.12.0/14"
> +
> +        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
> +
> +        self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
> +                          self.ldb, basedn, cidr, bad_cidr)
> +
> +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> +                              expression='(&(objectclass=subnet)(cn=%s))' % bad_cidr)
> +
> +        self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
> +
> +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> +                              expression='(&(objectclass=subnet)(cn=%s))' % cidr)
> +
> +        self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)
> +
> +        subnets.delete_subnet(self.ldb, basedn, cidr)
> +
>      def test_create_bad_ranges(self):
>          """These CIDR ranges all have something wrong with them, and they
>          should all fail."""
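
Review bot: In test_rename_good_subnet_to_bad_subnet the two assertion messages are copied from the success test and describe the opposite condition: the `len(ret), 0` check on bad_cidr fails when the invalid rename went through, and the `len(ret), 1` check on cidr fails when the original subnet disappeared, so 'Failed to rename subnet' and 'Failed to remove old subnet during rename' would mislead whoever reads a failure. Both tests also call delete_subnet() only on their last line, so a failed assertion leaves the subnet behind for later tests; assuming SitesBaseTests derives from unittest.TestCase, registering the delete with addCleanup() right after create_subnet() would avoid that.
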
> diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
> index 3282d5e..c6ec65e 100644
> --- a/source4/heimdal/kdc/kerberos5.c
> +++ b/source4/heimdal/kdc/kerberos5.c
> @@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
>      krb5_error_code ret;
>      krb5_salt def_salt;
>      krb5_enctype enctype = ETYPE_NULL;
> -    Key *key;
> +    Key *key = NULL;
>      int i;
>  
>      /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
> @@ -159,29 +159,34 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
>  
>  	/* drive the search with local supported enctypes list */
>  	p = krb5_kerberos_enctypes(context);
> -	for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
> +	for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
>  	    if (krb5_enctype_valid(context, p[i]) != 0)
>  		continue;
>  
>  	    /* check that the client supports it too */
> -	    for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
> +	    for (j = 0; j < len && key == NULL; j++) {
>  		if (p[i] != etypes[j])
>  		    continue;
>  		/* save best of union of { client, crypto system } */
>  		if (clientbest == ETYPE_NULL)
>  		    clientbest = p[i];
> +		if (enctype == ETYPE_NULL) {
> +		    ret = hdb_enctype_supported(context, &princ->entry, p[i]);
> +		    if (ret == 0) {
> +			enctype = p[i];
> +		    }
> +		}
>  		/* check target princ support */
>  		ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
>  		if (ret)
>  		    continue;
>  		if (is_preauth && !is_default_salt_p(&def_salt, key))
>  		    continue;
> -		enctype = p[i];
>  	    }
>  	}
>  	if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
>  	    enctype = clientbest;
> -	else if (enctype == ETYPE_NULL)
> +	else if (key == NULL)
>  	    ret = KRB5KDC_ERR_ETYPE_NOSUPP;
>  	if (ret == 0 && ret_enctype != NULL)
>  	    *ret_enctype = enctype;
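
Review bot: With both loops now terminating on `key == NULL`, the pre-auth salt check no longer rejects anything: hdb_enctype2key() has already stored the key by the time `if (is_preauth && !is_default_salt_p(&def_salt, key)) continue;` runs, so that `continue` exits both loops with the non-default-salt key still in `key`. Before this change the loops only ended once `enctype = p[i]` was reached, which sat after the salt check. Setting `key = NULL` before that `continue` would keep the search going as it did before.
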
> @@ -322,7 +327,6 @@ krb5_error_code
>  _kdc_encode_reply(krb5_context context,
>  		  krb5_kdc_configuration *config,
>  		  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
> -		  krb5_enctype etype,
>  		  int skvno, const EncryptionKey *skey,
>  		  int ckvno, const EncryptionKey *reply_key,
>  		  int rk_is_subkey,
> @@ -349,7 +353,7 @@ _kdc_encode_reply(krb5_context context,
>  	return KRB5KRB_ERR_GENERIC;
>      }
>  
> -    ret = krb5_crypto_init(context, skey, etype, &crypto);
> +    ret = krb5_crypto_init(context, skey, 0, &crypto);
>      if (ret) {
>          const char *msg;
>  	free(buf);
> @@ -1720,7 +1724,7 @@ _kdc_as_rep(krb5_context context,
>      log_as_req(context, config, reply_key->keytype, setype, b);
>  
>      ret = _kdc_encode_reply(context, config,
> -			    &rep, &et, &ek, setype, server->entry.kvno,
> +			    &rep, &et, &ek, server->entry.kvno,
>  			    &skey->key, client->entry.kvno,
>  			    reply_key, 0, &e_text, reply);
>      free_EncTicketPart(&et);
> diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
> index a888788..e11ad52 100644
> --- a/source4/heimdal/kdc/krb5tgs.c
> +++ b/source4/heimdal/kdc/krb5tgs.c
> @@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
>  	       KDC_REQ_BODY *b,
>  	       krb5_const_principal tgt_name,
>  	       const EncTicketPart *tgt,
> +	       const EncTicketPart *adtgt,
>  	       const krb5_keyblock *replykey,
>  	       int rk_is_subkey,
>  	       const EncryptionKey *serverkey,
> @@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
>      rep.pvno = 5;
>      rep.msg_type = krb_tgs_rep;
>  
> -    et.authtime = tgt->authtime;
> +    et.authtime = adtgt->authtime;
>      _kdc_fix_time(&b->till);
>      et.endtime = min(tgt->endtime, *b->till);
>      ALLOC(et.starttime);
> @@ -987,7 +988,7 @@ tgs_make_reply(krb5_context context,
>         etype list, even if we don't want a session key with
>         DES3? */
>      ret = _kdc_encode_reply(context, config,
> -			    &rep, &et, &ek, et.key.keytype,
> +			    &rep, &et, &ek,
>  			    kvno,
>  			    serverkey, 0, replykey, rk_is_subkey,
>  			    e_text, reply);
> @@ -1159,7 +1160,6 @@ tgs_parse_request(krb5_context context,
>  		  const struct sockaddr *from_addr,
>  		  time_t **csec,
>  		  int **cusec,
> -		  AuthorizationData **auth_data,
>  		  krb5_keyblock **replykey,
>  		  int *rk_is_subkey)
>  {
> @@ -1170,14 +1170,11 @@ tgs_parse_request(krb5_context context,
>      krb5_auth_context ac = NULL;
>      krb5_flags ap_req_options;
>      krb5_flags verify_ap_req_flags;
> -    krb5_crypto crypto;
>      Key *tkey;
>      krb5_keyblock *subkey = NULL;
> -    unsigned usage;
>      krb5uint32 kvno = 0;
>      krb5uint32 *kvno_ptr = NULL;
>  
> -    *auth_data = NULL;
>      *csec  = NULL;
>      *cusec = NULL;
>      *replykey = NULL;
> @@ -1328,7 +1325,6 @@ tgs_parse_request(krb5_context context,
>  	goto out;
>      }
>  
> -    usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
>      *rk_is_subkey = 1;
>  
>      ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
> @@ -1340,7 +1336,6 @@ tgs_parse_request(krb5_context context,
>  	goto out;
>      }
>      if(subkey == NULL){
> -	usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
>  	*rk_is_subkey = 0;
>  
>  	ret = krb5_auth_con_getkey(context, ac, &subkey);
> @@ -1362,47 +1357,6 @@ tgs_parse_request(krb5_context context,
>  
>      *replykey = subkey;
>  
> -    if (b->enc_authorization_data) {
> -	krb5_data ad;
> -
> -	ret = krb5_crypto_init(context, subkey, 0, &crypto);
> -	if (ret) {
> -	    const char *msg = krb5_get_error_message(context, ret);
> -	    krb5_auth_con_free(context, ac);
> -	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
> -	    krb5_free_error_message(context, msg);
> -	    goto out;
> -	}
> -	ret = krb5_decrypt_EncryptedData (context,
> -					  crypto,
> -					  usage,
> -					  b->enc_authorization_data,
> -					  &ad);
> -	krb5_crypto_destroy(context, crypto);
> -	if(ret){
> -	    krb5_auth_con_free(context, ac);
> -	    kdc_log(context, config, 0,
> -		    "Failed to decrypt enc-authorization-data");
> -	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> -	    goto out;
> -	}
> -	ALLOC(*auth_data);
> -	if (*auth_data == NULL) {
> -	    krb5_auth_con_free(context, ac);
> -	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> -	    goto out;
> -	}
> -	ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
> -	if(ret){
> -	    krb5_auth_con_free(context, ac);
> -	    free(*auth_data);
> -	    *auth_data = NULL;
> -	    kdc_log(context, config, 0, "Failed to decode authorization data");
> -	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> -	    goto out;
> -	}
> -    }
> -
>      krb5_auth_con_free(context, ac);
>  
>  out:
> @@ -1500,7 +1454,6 @@ tgs_build_reply(krb5_context context,
>  		krb5_data *reply,
>  		const char *from,
>  		const char **e_text,
> -		AuthorizationData **auth_data,
>  		const struct sockaddr *from_addr)
>  {
>      krb5_error_code ret;
> @@ -1516,6 +1469,9 @@ tgs_build_reply(krb5_context context,
>      krb5_keyblock sessionkey;
>      krb5_kvno kvno;
>      krb5_data rspac;
> +    AuthorizationData *auth_data = NULL;
> +    const EncryptionKey *auth_data_key = replykey;
> +    unsigned auth_data_usage;
>  
>      hdb_entry_ex *krbtgt_out = NULL;
>  
> @@ -1525,6 +1481,7 @@ tgs_build_reply(krb5_context context,
>      Realm r;
>      int nloop = 0;
>      EncTicketPart adtkt;
> +    EncTicketPart *adtgt = tgt;
>      char opt_str[128];
>      int signedpath = 0;
>  
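
Review bot: `adtgt` is declared directly under `adtkt` and differs from it by one letter, yet the two play different roles later in the function (`adtgt = &adtkt;`). A more distinct name for the new pointer, for example `authtime_tkt` (a suggestion, not an existing identifier), plus a one-line comment that it defaults to tgt and is switched to the additional ticket for S4U2Proxy, would make mix-ups less likely.
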
> @@ -1540,6 +1497,12 @@ tgs_build_reply(krb5_context context,
>      s = b->sname;
>      r = b->realm;
>  
> +    if (rk_is_subkey != 0) {
> +	auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
> +    } else {
> +	auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
> +    }
> +
>      if (b->kdc_options.canonicalize)
>  	flags |= HDB_F_CANON;
>  
> @@ -1742,7 +1705,7 @@ server_lookup:
>  
>  	    ret = _kdc_find_etype(context,
>  				  config->tgs_use_strongest_session_key, FALSE,
> -				  server, b->etype.val, b->etype.len, NULL,
> +				  server, b->etype.val, b->etype.len, &etype,
>  				  &skey);
>  	    if(ret) {
>  		kdc_log(context, config, 0,
> @@ -1750,7 +1713,6 @@ server_lookup:
>  		goto out;
>  	    }
>  	    ekey = &skey->key;
> -	    etype = skey->key.keytype;
>  	    kvno = server->entry.kvno;
>  	}
>  
> @@ -2183,10 +2145,55 @@ server_lookup:
>  	    goto out;
>  	}
>  
> +	if (rk_is_subkey == 0) {
> +	    auth_data_key = &adtkt.key;
> +	}
> +	adtgt = &adtkt;
>  	kdc_log(context, config, 0, "constrained delegation for %s "
>  		"from %s (%s) to %s", tpn, cpn, dpn, spn);
>      }
>  
> +    if (b->enc_authorization_data) {
> +	krb5_data ad;
> +	krb5_crypto crypto;
> +
> +	ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
> +	if (ret) {
> +	    const char *msg = krb5_get_error_message(context, ret);
> +	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
> +	    krb5_free_error_message(context, msg);
> +	    goto out;
> +	}
> +
> +	ret = krb5_decrypt_EncryptedData (context,
> +					  crypto,
> +					  auth_data_usage,
> +					  b->enc_authorization_data,
> +					  &ad);
> +	krb5_crypto_destroy(context, crypto);
> +	if(ret){
> +	    kdc_log(context, config, 0,
> +		    "Failed to decrypt enc-authorization-data");
> +	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> +	    goto out;
> +	}
> +	ALLOC(auth_data);
> +	if (auth_data == NULL) {
> +	    krb5_data_free(&ad);
> +	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> +	    goto out;
> +	}
> +	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
> +	krb5_data_free(&ad);
> +	if(ret){
> +	    free(auth_data);
> +	    auth_data = NULL;
> +	    kdc_log(context, config, 0, "Failed to decode authorization data");
> +	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> +	    goto out;
> +	}
> +    }
> +
>      /*
>       * Check flags
>       */
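
Review bot: The `ALLOC(auth_data)` failure branch still returns KRB5KRB_AP_ERR_BAD_INTEGRITY with the original `/* ? */` marker; since the block is being moved and reworked anyway, returning ENOMEM there would stop an out-of-memory condition from being reported as an integrity failure. The switch to `auth_data_key = &adtkt.key;` under `if (rk_is_subkey == 0)` also deserves a short comment saying why the additional ticket's key is used for enc-authorization-data in the constrained delegation case, because that reasoning currently exists only in the commit subject.
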
> @@ -2257,12 +2264,13 @@ server_lookup:
>  			 b,
>  			 tp,
>  			 tgt,
> +			 adtgt,
>  			 replykey,
>  			 rk_is_subkey,
>  			 ekey,
>  			 &sessionkey,
>  			 kvno,
> -			 *auth_data,
> +			 auth_data,
>  			 server,
>  			 server->entry.principal,
>  			 spn,
> @@ -2307,6 +2315,11 @@ out:
>  	free(ref_realm);
>      free_METHOD_DATA(&enc_pa_data);
>  
> +    if (auth_data) {
> +       free_AuthorizationData(auth_data);
> +       free(auth_data);
> +    }
> +
>      free_EncTicketPart(&adtkt);
>  
>      return ret;
> @@ -2325,7 +2338,6 @@ _kdc_tgs_rep(krb5_context context,
>  	     struct sockaddr *from_addr,
>  	     int datagram_reply)
>  {
> -    AuthorizationData *auth_data = NULL;
>      krb5_error_code ret;
>      int i = 0;
>      const PA_DATA *tgs_req;
> @@ -2364,7 +2376,6 @@ _kdc_tgs_rep(krb5_context context,
>  			    &e_text,
>  			    from, from_addr,
>  			    &csec, &cusec,
> -			    &auth_data,
>  			    &replykey,
>  			    &rk_is_subkey);
>      if (ret == HDB_ERR_NOT_FOUND_HERE) {
> @@ -2389,7 +2400,6 @@ _kdc_tgs_rep(krb5_context context,
>  			  data,
>  			  from,
>  			  &e_text,
> -			  &auth_data,
>  			  from_addr);
>      if (ret) {
>  	kdc_log(context, config, 0,
> @@ -2426,10 +2436,5 @@ out:
>      if(krbtgt)
>  	_kdc_free_ent(context, krbtgt);
>  
> 
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



