Accidental commits? (was: Re: [SCM] Samba Shared Repository - branch v4-6-test updated)
Andrew Bartlett
abartlet at samba.org
Tue Feb 20 18:25:47 UTC 2018
Karolin,
This looks like a different kind of commit to what I would normally
expect to see in v4-6-test. Can you check if you could have
unintentionally pushed a testing branch?
Thanks,
Andrew Bartlett
On Tue, 2018-02-20 at 17:04 +0100, Karolin Seeger wrote:
> The branch, v4-6-test has been updated
> via 56a40ab samba: Only use async signal-safe functions in signal handler
> via 670af37 subnet: Avoid a segfault when renaming subnet objects
> via f2e21e6 HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
> via ffda28e TODO s4:kdc: indicate support for new encryption types by adding empty keys
> via 075f061 TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
> via 7d0559e s4:kdc: use the strongest possible tgs session key
> via 2a7392d HEIMDAL:hdb: export a hdb_enctype_supported() helper function
> via 8ac00b0 HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
> via 9f3571a s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
> via 312bf1c HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
> via 3dd52dd HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
> via 9ec1a52 HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
> from 2ed8741 VERSION: Bump version up to 4.6.14...
>
> https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
>
>
> - Log -----------------------------------------------------------------
> commit 56a40ab005671fd6ce3c55cd91eddcbcc925891d
> Author: Volker Lendecke <vl at samba.org>
> Date: Thu Jan 4 21:06:02 2018 +0100
>
> samba: Only use async signal-safe functions in signal handler
>
> Otherwise shutdown can hang
>
> Signed-off-by: Volker Lendecke <vl at samba.org>
> Reviewed-by: Andreas Schneider <asn at samba.org>
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13240
>
> Signed-off-by: Björn Baumbach <bb at sernet.de>
> (similar to commit 361ea743576cf125d7957a97ed78a0446dab1a19)
>
> Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
> Autobuild-Date(v4-6-test): Tue Feb 20 17:03:44 CET 2018 on sn-devel-144
>
> commit 670af37291bc75481ac89efff62760d74377536f
> Author: Garming Sam <garming at catalyst.net.nz>
> Date: Wed Sep 20 14:55:11 2017 +1200
>
> subnet: Avoid a segfault when renaming subnet objects
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
>
> Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>
> commit f2e21e692640308c003bd851da0c627af73a9451
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Wed Nov 8 13:18:29 2017 +0100
>
> HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit ffda28e9b14a6d0464cc2b931105a4d43712dcba
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Tue Nov 7 12:23:31 2017 +0100
>
> TODO s4:kdc: indicate support for new encryption types by adding empty keys
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>
> commit 075f061ca337d516a82b0fb19b001ff8cff61915
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Tue Nov 7 12:23:31 2017 +0100
>
> TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>
> commit 7d0559e0eb5d533a5f5764a39d04fb05d8d34633
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Tue Nov 7 18:03:45 2017 +0100
>
> s4:kdc: use the strongest possible tgs session key
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit 2a7392d3b216d4a79d81fd6a31bb2294b70c9a35
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Tue Nov 7 15:47:25 2017 +0100
>
> HEIMDAL:hdb: export a hdb_enctype_supported() helper function
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit 8ac00b066c893f9da5ac44f9391e41ad018d08bc
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Wed Nov 8 11:57:08 2017 +0100
>
> HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
>
> Currently the value is the same anyway as the session key is always of the
> same type as server key up to now, but that will change shortly.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit 9f3571aa20a209901c6ab7c776200afeac54eca4
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Thu Sep 28 14:51:43 2017 +0200
>
> s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
>
> We need the target service without realm, but the proxy services with realm.
>
> I have a domain with an w2008r2 server and a samba and now both generate
> the same S4U_DELEGATION_INFO.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit 312bf1c331038059698d14d7026387079a49bb61
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Wed Sep 20 23:05:09 2017 +0200
>
> HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit 3dd52dd0df77bac590645cf05b54766101456016
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Wed Sep 20 23:05:09 2017 +0200
>
> HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
>
> We do this after checking for constraint delegation (S4U2Proxy).
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> commit 9ec1a523d2acba03a8cd7c21013d896962863759
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Wed Sep 20 23:05:09 2017 +0200
>
> HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>
> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>
> -----------------------------------------------------------------------
>
> Summary of changes:
> python/samba/subnets.py | 33 ++++++++
> source4/dsdb/samdb/ldb_modules/samldb.c | 8 +-
> source4/dsdb/tests/python/sites.py | 45 ++++++++++
> source4/heimdal/kdc/kerberos5.c | 20 +++--
> source4/heimdal/kdc/krb5tgs.c | 127 +++++++++++++++--------------
> source4/heimdal/lib/hdb/hdb.c | 30 ++++++-
> source4/heimdal/lib/hdb/version-script.map | 1 +
> source4/kdc/db-glue.c | 73 ++++++++++++++++-
> source4/kdc/kdc-heimdal.c | 6 +-
> source4/kdc/pac-glue.c | 6 +-
> source4/smbd/server.c | 4 +-
> 11 files changed, 266 insertions(+), 87 deletions(-)
>
>
> Changeset truncated at 500 lines:
>
> diff --git a/python/samba/subnets.py b/python/samba/subnets.py
> index e859f06..72eeb0f 100644
> --- a/python/samba/subnets.py
> +++ b/python/samba/subnets.py
> @@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):
>
> samdb.delete(dnsubnet)
>
> +def rename_subnet(samdb, configDn, subnet_name, new_name):
> + """Rename a subnet.
> +
> + :param samdb: A samdb connection
> + :param configDn: The DN of the configuration partition
> + :param subnet_name: Name of the subnet to rename
> + :param new_name: New name for the subnet
> + :return: None
> + :raise SubnetNotFound: if the subnet to be renamed does not exist.
> + :raise SubnetExists: if the subnet to be created already exists.
> + """
> + dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
> + if dnsubnet.add_base(configDn) == False:
> + raise SubnetException("dnsubnet.add_base() failed")
> + if dnsubnet.add_child("CN=X") == False:
> + raise SubnetException("dnsubnet.add_child() failed")
> + dnsubnet.set_component(0, "CN", subnet_name)
> +
> + newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
> + newdnsubnet.set_component(0, "CN", new_name)
> + try:
> + samdb.rename(dnsubnet, newdnsubnet)
> + except LdbError as (enum, estr):
> + if enum == ldb.ERR_NO_SUCH_OBJECT:
> + raise SubnetNotFound('Subnet %s does not exist' % subnet)
> + elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
> + raise SubnetAlreadyExists('A subnet with the CIDR %s already exists'
> + % new_name)
> + elif enum == ldb.ERR_INVALID_DN_SYNTAX:
> + raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
> + estr))
> + else:
> + raise
>
> def set_subnet_site(samdb, configDn, subnet_name, site_name):
> """Assign a subnet to a site.
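
Review bot: In the ERR_NO_SUCH_OBJECT branch of rename_subnet(), the message is formatted with `subnet`, which is neither a parameter nor a local of this function, so unless a module-level `subnet` exists that path raises NameError instead of SubnetNotFound; it should be `% subnet_name`. The docstring also lists `SubnetExists` while the code raises `SubnetAlreadyExists`, and it omits the `SubnetInvalid` case raised for ERR_INVALID_DN_SYNTAX, so the :raise: entries should be brought in line with the code.
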
> diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
> index 8459210..9f72df2 100644
> --- a/source4/dsdb/samdb/ldb_modules/samldb.c
> +++ b/source4/dsdb/samdb/ldb_modules/samldb.c
> @@ -3072,13 +3072,13 @@ static int verify_cidr(const char *cidr)
> }
>
>
> -static int samldb_verify_subnet(struct samldb_ctx *ac)
> +static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
> {
> struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
> const char *cidr = NULL;
> const struct ldb_val *rdn_value = NULL;
>
> - rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
> + rdn_value = ldb_dn_get_rdn_val(dn);
> if (rdn_value == NULL) {
> ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
> "failed");
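
Review bot: samldb_verify_subnet() now validates the RDN of the new `dn` argument instead of ac->msg->dn, but nothing at the definition says which DN a caller is expected to pass. A short comment above the function stating that the add path passes ac->msg->dn and the rename path passes the new DN would keep a future caller from reintroducing the old dereference.
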
> @@ -3240,7 +3240,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
>
> if (samdb_find_attribute(ldb, ac->msg,
> "objectclass", "subnet") != NULL) {
> - ret = samldb_verify_subnet(ac);
> + ret = samldb_verify_subnet(ac, ac->msg->dn);
> if (ret != LDB_SUCCESS) {
> talloc_free(ac);
> return ret;
> @@ -3633,7 +3633,7 @@ static int check_rename_constraints(struct ldb_message *msg,
>
> /* subnet objects */
> if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
> - ret = samldb_verify_subnet(ac);
> + ret = samldb_verify_subnet(ac, newdn);
> if (ret != LDB_SUCCESS) {
> talloc_free(ac);
> return ret;
> diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
> index a894da3..123e1ec 100755
> --- a/source4/dsdb/tests/python/sites.py
> +++ b/source4/dsdb/tests/python/sites.py
> @@ -183,6 +183,51 @@ class SimpleSubnetTests(SitesBaseTests):
> self.assertRaises(subnets.SubnetNotFound,
> subnets.delete_subnet, self.ldb, basedn, cidr)
>
> + def test_rename_good_subnet_to_good_subnet(self):
> + """Make sure that we can rename subnets"""
> + basedn = self.ldb.get_config_basedn()
> + cidr = "10.16.0.0/24"
> + new_cidr = "10.16.1.0/24"
> +
> + subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
> +
> + subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
> +
> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> + expression='(&(objectclass=subnet)(cn=%s))' % new_cidr)
> +
> + self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
> +
> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> + expression='(&(objectclass=subnet)(cn=%s))' % cidr)
> +
> + self.assertEqual(len(ret), 0, 'Failed to remove old subnet during rename %s' % cidr)
> +
> + subnets.delete_subnet(self.ldb, basedn, new_cidr)
> +
> + def test_rename_good_subnet_to_bad_subnet(self):
> + """Make sure that the CIDR checking runs during rename"""
> + basedn = self.ldb.get_config_basedn()
> + cidr = "10.17.0.0/24"
> + bad_cidr = "10.11.12.0/14"
> +
> + subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
> +
> + self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
> + self.ldb, basedn, cidr, bad_cidr)
> +
> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> + expression='(&(objectclass=subnet)(cn=%s))' % bad_cidr)
> +
> + self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
> +
> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> + expression='(&(objectclass=subnet)(cn=%s))' % cidr)
> +
> + self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)
> +
> + subnets.delete_subnet(self.ldb, basedn, cidr)
> +
> def test_create_bad_ranges(self):
> """These CIDR ranges all have something wrong with them, and they
> should all fail."""
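
Review bot: In test_rename_good_subnet_to_bad_subnet the two assertion messages were copied from the success test and no longer describe what is checked: the first assertEqual verifies that bad_cidr was not created, the second that the original cidr still exists. Messages along the lines of 'Invalid subnet %s was created by rename' and 'Subnet %s disappeared after failed rename' would make a failure readable. Both new tests also call delete_subnet() only on their last line, so a failed assertion leaves the subnet behind for later tests; self.addCleanup or a try/finally would avoid that.
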
> diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
> index 3282d5e..c6ec65e 100644
> --- a/source4/heimdal/kdc/kerberos5.c
> +++ b/source4/heimdal/kdc/kerberos5.c
> @@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
> krb5_error_code ret;
> krb5_salt def_salt;
> krb5_enctype enctype = ETYPE_NULL;
> - Key *key;
> + Key *key = NULL;
> int i;
>
> /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
> @@ -159,29 +159,34 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
>
> /* drive the search with local supported enctypes list */
> p = krb5_kerberos_enctypes(context);
> - for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
> + for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
> if (krb5_enctype_valid(context, p[i]) != 0)
> continue;
>
> /* check that the client supports it too */
> - for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
> + for (j = 0; j < len && key == NULL; j++) {
> if (p[i] != etypes[j])
> continue;
> /* save best of union of { client, crypto system } */
> if (clientbest == ETYPE_NULL)
> clientbest = p[i];
> + if (enctype == ETYPE_NULL) {
> + ret = hdb_enctype_supported(context, &princ->entry, p[i]);
> + if (ret == 0) {
> + enctype = p[i];
> + }
> + }
> /* check target princ support */
> ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
> if (ret)
> continue;
> if (is_preauth && !is_default_salt_p(&def_salt, key))
> continue;
> - enctype = p[i];
> }
> }
> if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
> enctype = clientbest;
> - else if (enctype == ETYPE_NULL)
> + else if (key == NULL)
> ret = KRB5KDC_ERR_ETYPE_NOSUPP;
> if (ret == 0 && ret_enctype != NULL)
> *ret_enctype = enctype;
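
Review bot: Both loops now stop on `key == NULL`, but the `is_preauth && !is_default_salt_p(&def_salt, key)` check still does a bare `continue` after hdb_enctype2key() has filled in `key`. A key rejected by the salt check therefore ends the search with ret == 0, where the old `enctype == ETYPE_NULL` condition kept searching because enctype was only set after that check. Resetting `key = NULL` before that `continue` would restore the previous behaviour. In addition, `ret` from hdb_enctype_supported() is overwritten by hdb_enctype2key() immediately afterwards; a separate variable would make it clearer which result the final `ret == 0` test refers to.
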
> @@ -322,7 +327,6 @@ krb5_error_code
> _kdc_encode_reply(krb5_context context,
> krb5_kdc_configuration *config,
> KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
> - krb5_enctype etype,
> int skvno, const EncryptionKey *skey,
> int ckvno, const EncryptionKey *reply_key,
> int rk_is_subkey,
> @@ -349,7 +353,7 @@ _kdc_encode_reply(krb5_context context,
> return KRB5KRB_ERR_GENERIC;
> }
>
> - ret = krb5_crypto_init(context, skey, etype, &crypto);
> + ret = krb5_crypto_init(context, skey, 0, &crypto);
> if (ret) {
> const char *msg;
> free(buf);
> @@ -1720,7 +1724,7 @@ _kdc_as_rep(krb5_context context,
> log_as_req(context, config, reply_key->keytype, setype, b);
>
> ret = _kdc_encode_reply(context, config,
> - &rep, &et, &ek, setype, server->entry.kvno,
> + &rep, &et, &ek, server->entry.kvno,
> &skey->key, client->entry.kvno,
> reply_key, 0, &e_text, reply);
> free_EncTicketPart(&et);
> diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
> index a888788..e11ad52 100644
> --- a/source4/heimdal/kdc/krb5tgs.c
> +++ b/source4/heimdal/kdc/krb5tgs.c
> @@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
> KDC_REQ_BODY *b,
> krb5_const_principal tgt_name,
> const EncTicketPart *tgt,
> + const EncTicketPart *adtgt,
> const krb5_keyblock *replykey,
> int rk_is_subkey,
> const EncryptionKey *serverkey,
> @@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
> rep.pvno = 5;
> rep.msg_type = krb_tgs_rep;
>
> - et.authtime = tgt->authtime;
> + et.authtime = adtgt->authtime;
> _kdc_fix_time(&b->till);
> et.endtime = min(tgt->endtime, *b->till);
> ALLOC(et.starttime);
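
Review bot: `et.authtime` is now read from `adtgt` while `et.endtime` two lines below is still derived from `tgt`, and `adtgt` is dereferenced without a check. A comment at this assignment saying that adtgt is the additional ticket in the constrained delegation case and points at tgt otherwise, and that endtime intentionally stays bound to tgt, would make the asymmetry reviewable and document that callers must never pass NULL.
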
> @@ -987,7 +988,7 @@ tgs_make_reply(krb5_context context,
> etype list, even if we don't want a session key with
> DES3? */
> ret = _kdc_encode_reply(context, config,
> - &rep, &et, &ek, et.key.keytype,
> + &rep, &et, &ek,
> kvno,
> serverkey, 0, replykey, rk_is_subkey,
> e_text, reply);
> @@ -1159,7 +1160,6 @@ tgs_parse_request(krb5_context context,
> const struct sockaddr *from_addr,
> time_t **csec,
> int **cusec,
> - AuthorizationData **auth_data,
> krb5_keyblock **replykey,
> int *rk_is_subkey)
> {
> @@ -1170,14 +1170,11 @@ tgs_parse_request(krb5_context context,
> krb5_auth_context ac = NULL;
> krb5_flags ap_req_options;
> krb5_flags verify_ap_req_flags;
> - krb5_crypto crypto;
> Key *tkey;
> krb5_keyblock *subkey = NULL;
> - unsigned usage;
> krb5uint32 kvno = 0;
> krb5uint32 *kvno_ptr = NULL;
>
> - *auth_data = NULL;
> *csec = NULL;
> *cusec = NULL;
> *replykey = NULL;
> @@ -1328,7 +1325,6 @@ tgs_parse_request(krb5_context context,
> goto out;
> }
>
> - usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
> *rk_is_subkey = 1;
>
> ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
> @@ -1340,7 +1336,6 @@ tgs_parse_request(krb5_context context,
> goto out;
> }
> if(subkey == NULL){
> - usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
> *rk_is_subkey = 0;
>
> ret = krb5_auth_con_getkey(context, ac, &subkey);
> @@ -1362,47 +1357,6 @@ tgs_parse_request(krb5_context context,
>
> *replykey = subkey;
>
> - if (b->enc_authorization_data) {
> - krb5_data ad;
> -
> - ret = krb5_crypto_init(context, subkey, 0, &crypto);
> - if (ret) {
> - const char *msg = krb5_get_error_message(context, ret);
> - krb5_auth_con_free(context, ac);
> - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
> - krb5_free_error_message(context, msg);
> - goto out;
> - }
> - ret = krb5_decrypt_EncryptedData (context,
> - crypto,
> - usage,
> - b->enc_authorization_data,
> - &ad);
> - krb5_crypto_destroy(context, crypto);
> - if(ret){
> - krb5_auth_con_free(context, ac);
> - kdc_log(context, config, 0,
> - "Failed to decrypt enc-authorization-data");
> - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> - goto out;
> - }
> - ALLOC(*auth_data);
> - if (*auth_data == NULL) {
> - krb5_auth_con_free(context, ac);
> - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> - goto out;
> - }
> - ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
> - if(ret){
> - krb5_auth_con_free(context, ac);
> - free(*auth_data);
> - *auth_data = NULL;
> - kdc_log(context, config, 0, "Failed to decode authorization data");
> - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> - goto out;
> - }
> - }
> -
> krb5_auth_con_free(context, ac);
>
> out:
> @@ -1500,7 +1454,6 @@ tgs_build_reply(krb5_context context,
> krb5_data *reply,
> const char *from,
> const char **e_text,
> - AuthorizationData **auth_data,
> const struct sockaddr *from_addr)
> {
> krb5_error_code ret;
> @@ -1516,6 +1469,9 @@ tgs_build_reply(krb5_context context,
> krb5_keyblock sessionkey;
> krb5_kvno kvno;
> krb5_data rspac;
> + AuthorizationData *auth_data = NULL;
> + const EncryptionKey *auth_data_key = replykey;
> + unsigned auth_data_usage;
>
> hdb_entry_ex *krbtgt_out = NULL;
>
> @@ -1525,6 +1481,7 @@ tgs_build_reply(krb5_context context,
> Realm r;
> int nloop = 0;
> EncTicketPart adtkt;
> + EncTicketPart *adtgt = tgt;
> char opt_str[128];
> int signedpath = 0;
>
> @@ -1540,6 +1497,12 @@ tgs_build_reply(krb5_context context,
> s = b->sname;
> r = b->realm;
>
> + if (rk_is_subkey != 0) {
> + auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
> + } else {
> + auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
> + }
> +
> if (b->kdc_options.canonicalize)
> flags |= HDB_F_CANON;
>
> @@ -1742,7 +1705,7 @@ server_lookup:
>
> ret = _kdc_find_etype(context,
> config->tgs_use_strongest_session_key, FALSE,
> - server, b->etype.val, b->etype.len, NULL,
> + server, b->etype.val, b->etype.len, &etype,
> &skey);
> if(ret) {
> kdc_log(context, config, 0,
> @@ -1750,7 +1713,6 @@ server_lookup:
> goto out;
> }
> ekey = &skey->key;
> - etype = skey->key.keytype;
> kvno = server->entry.kvno;
> }
>
> @@ -2183,10 +2145,55 @@ server_lookup:
> goto out;
> }
>
> + if (rk_is_subkey == 0) {
> + auth_data_key = &adtkt.key;
> + }
> + adtgt = &adtkt;
> kdc_log(context, config, 0, "constrained delegation for %s "
> "from %s (%s) to %s", tpn, cpn, dpn, spn);
> }
>
> + if (b->enc_authorization_data) {
> + krb5_data ad;
> + krb5_crypto crypto;
> +
> + ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
> + if (ret) {
> + const char *msg = krb5_get_error_message(context, ret);
> + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
> + krb5_free_error_message(context, msg);
> + goto out;
> + }
> +
> + ret = krb5_decrypt_EncryptedData (context,
> + crypto,
> + auth_data_usage,
> + b->enc_authorization_data,
> + &ad);
> + krb5_crypto_destroy(context, crypto);
> + if(ret){
> + kdc_log(context, config, 0,
> + "Failed to decrypt enc-authorization-data");
> + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> + goto out;
> + }
> + ALLOC(auth_data);
> + if (auth_data == NULL) {
> + krb5_data_free(&ad);
> + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> + goto out;
> + }
> + ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
> + krb5_data_free(&ad);
> + if(ret){
> + free(auth_data);
> + auth_data = NULL;
> + kdc_log(context, config, 0, "Failed to decode authorization data");
> + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> + goto out;
> + }
> + }
> +
> /*
> * Check flags
> */
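
Review bot: In the relocated enc_authorization_data block, a failed ALLOC(auth_data) is still reported as KRB5KRB_AP_ERR_BAD_INTEGRITY (marked `/* ? */`), which tells the client its data failed an integrity check when the KDC actually ran out of memory; since the code is being moved anyway, an out-of-memory error code would be more accurate on that path. It would also help to add a comment explaining why, for constrained delegation with rk_is_subkey == 0, the key switches to &adtkt.key while auth_data_usage stays KRB5_KU_TGS_REQ_AUTH_DAT_SESSION.
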
> @@ -2257,12 +2264,13 @@ server_lookup:
> b,
> tp,
> tgt,
> + adtgt,
> replykey,
> rk_is_subkey,
> ekey,
> &sessionkey,
> kvno,
> - *auth_data,
> + auth_data,
> server,
> server->entry.principal,
> spn,
> @@ -2307,6 +2315,11 @@ out:
> free(ref_realm);
> free_METHOD_DATA(&enc_pa_data);
>
> + if (auth_data) {
> + free_AuthorizationData(auth_data);
> + free(auth_data);
> + }
> +
> free_EncTicketPart(&adtkt);
>
> return ret;
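
Review bot: The new cleanup at `out:` frees auth_data whenever it is set, and the same pointer is handed to tgs_make_reply() earlier in this function. Please confirm that tgs_make_reply() copies the AuthorizationData rather than keeping or freeing the pointer, otherwise this becomes a double free or use after free; a one-line comment at the call noting that the caller retains ownership would settle it.
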
> @@ -2325,7 +2338,6 @@ _kdc_tgs_rep(krb5_context context,
> struct sockaddr *from_addr,
> int datagram_reply)
> {
> - AuthorizationData *auth_data = NULL;
> krb5_error_code ret;
> int i = 0;
> const PA_DATA *tgs_req;
> @@ -2364,7 +2376,6 @@ _kdc_tgs_rep(krb5_context context,
> &e_text,
> from, from_addr,
> &csec, &cusec,
> - &auth_data,
> &replykey,
> &rk_is_subkey);
> if (ret == HDB_ERR_NOT_FOUND_HERE) {
> @@ -2389,7 +2400,6 @@ _kdc_tgs_rep(krb5_context context,
> data,
> from,
> &e_text,
> - &auth_data,
> from_addr);
> if (ret) {
> kdc_log(context, config, 0,
> @@ -2426,10 +2436,5 @@ out:
> if(krbtgt)
> _kdc_free_ent(context, krbtgt);
>
>
>
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba