Accidental commits?
Stefan Metzmacher
metze at samba.org
Tue Feb 20 19:30:11 UTC 2018
Hi Andrew,
I also noticed that, I guess we'll push reverts shortly.
metze
On 20.02.2018 at 19:25, Andrew Bartlett via samba-technical wrote:
> Karolin,
>
> This looks like a different kind of commit to what I would normally
> expect to see in v4-6-test. Can you check whether you could have
> unintentionally pushed a testing branch?
>
> Thanks,
>
> Andrew Bartlett
>
> On Tue, 2018-02-20 at 17:04 +0100, Karolin Seeger wrote:
>> The branch, v4-6-test has been updated
>> via 56a40ab samba: Only use async signal-safe functions in signal handler
>> via 670af37 subnet: Avoid a segfault when renaming subnet objects
>> via f2e21e6 HEIMDAL:kdc: use the correct authtime from additional ticket for S4U2Proxy tickets
>> via ffda28e TODO s4:kdc: indicate support for new encryption types by adding empty keys
>> via 075f061 TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
>> via 7d0559e s4:kdc: use the strongest possible tgs session key
>> via 2a7392d HEIMDAL:hdb: export a hdb_enctype_supported() helper function
>> via 8ac00b0 HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
>> via 9f3571a s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
>> via 312bf1c HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
>> via 3dd52dd HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
>> via 9ec1a52 HEIMDAL:kdc: fix memory leak when decrypting AuthorizationData
>> from 2ed8741 VERSION: Bump version up to 4.6.14...
>>
>> https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
>>
>>
>> - Log -----------------------------------------------------------------
>> commit 56a40ab005671fd6ce3c55cd91eddcbcc925891d
>> Author: Volker Lendecke <vl at samba.org>
>> Date: Thu Jan 4 21:06:02 2018 +0100
>>
>> samba: Only use async signal-safe functions in signal handler
>>
>> Otherwise shutdown can hang
>>
>> Signed-off-by: Volker Lendecke <vl at samba.org>
>> Reviewed-by: Andreas Schneider <asn at samba.org>
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13240
>>
>> Signed-off-by: Björn Baumbach <bb at sernet.de>
>> (similar to commit 361ea743576cf125d7957a97ed78a0446dab1a19)
>>
>> Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
>> Autobuild-Date(v4-6-test): Tue Feb 20 17:03:44 CET 2018 on sn-devel-144
>>
>> commit 670af37291bc75481ac89efff62760d74377536f
>> Author: Garming Sam <garming at catalyst.net.nz>
>> Date: Wed Sep 20 14:55:11 2017 +1200
>>
>> subnet: Avoid a segfault when renaming subnet objects
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
>>
>> Signed-off-by: Garming Sam <garming at catalyst.net.nz>
>> Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
>>
>> commit f2e21e692640308c003bd851da0c627af73a9451
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Wed Nov 8 13:18:29 2017 +0100
>>
>> HEIMDAL:kdc: use the correct authtime from additional ticket for S4U2Proxy tickets
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit ffda28e9b14a6d0464cc2b931105a4d43712dcba
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Tue Nov 7 12:23:31 2017 +0100
>>
>> TODO s4:kdc: indicate support for new encryption types by adding empty keys
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>>
>> commit 075f061ca337d516a82b0fb19b001ff8cff61915
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Tue Nov 7 12:23:31 2017 +0100
>>
>> TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>>
>> commit 7d0559e0eb5d533a5f5764a39d04fb05d8d34633
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Tue Nov 7 18:03:45 2017 +0100
>>
>> s4:kdc: use the strongest possible tgs session key
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit 2a7392d3b216d4a79d81fd6a31bb2294b70c9a35
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Tue Nov 7 15:47:25 2017 +0100
>>
>> HEIMDAL:hdb: export a hdb_enctype_supported() helper function
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit 8ac00b066c893f9da5ac44f9391e41ad018d08bc
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Wed Nov 8 11:57:08 2017 +0100
>>
>> HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
>>
>> Currently the value is the same anyway as the session key is always of the
>> same type as server key up to now, but that will change shortly.
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit 9f3571aa20a209901c6ab7c776200afeac54eca4
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Thu Sep 28 14:51:43 2017 +0200
>>
>> s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
>>
>> We need the target service without realm, but the proxy services with realm.
>>
>> I have a domain with a w2008r2 server and a Samba server, and now both generate
>> the same S4U_DELEGATION_INFO.
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit 312bf1c331038059698d14d7026387079a49bb61
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Wed Sep 20 23:05:09 2017 +0200
>>
>> HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit 3dd52dd0df77bac590645cf05b54766101456016
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Wed Sep 20 23:05:09 2017 +0200
>>
>> HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
>>
>> We do this after checking for constrained delegation (S4U2Proxy).
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> commit 9ec1a523d2acba03a8cd7c21013d896962863759
>> Author: Stefan Metzmacher <metze at samba.org>
>> Date: Wed Sep 20 23:05:09 2017 +0200
>>
>> HEIMDAL:kdc: fix memory leak when decrypting AuthorizationData
>>
>> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
>>
>> Signed-off-by: Stefan Metzmacher <metze at samba.org>
>>
>> -----------------------------------------------------------------------
>>
>> Summary of changes:
>> python/samba/subnets.py | 33 ++++++++
>> source4/dsdb/samdb/ldb_modules/samldb.c | 8 +-
>> source4/dsdb/tests/python/sites.py | 45 ++++++++++
>> source4/heimdal/kdc/kerberos5.c | 20 +++--
>> source4/heimdal/kdc/krb5tgs.c | 127 +++++++++++++++--------------
>> source4/heimdal/lib/hdb/hdb.c | 30 ++++++-
>> source4/heimdal/lib/hdb/version-script.map | 1 +
>> source4/kdc/db-glue.c | 73 ++++++++++++++++-
>> source4/kdc/kdc-heimdal.c | 6 +-
>> source4/kdc/pac-glue.c | 6 +-
>> source4/smbd/server.c | 4 +-
>> 11 files changed, 266 insertions(+), 87 deletions(-)
>>
>>
>> Changeset truncated at 500 lines:
>>
>> diff --git a/python/samba/subnets.py b/python/samba/subnets.py
>> index e859f06..72eeb0f 100644
>> --- a/python/samba/subnets.py
>> +++ b/python/samba/subnets.py
>> @@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):
>>
>> samdb.delete(dnsubnet)
>>
>> +def rename_subnet(samdb, configDn, subnet_name, new_name):
>> + """Rename a subnet.
>> +
>> + :param samdb: A samdb connection
>> + :param configDn: The DN of the configuration partition
>> + :param subnet_name: Name of the subnet to rename
>> + :param new_name: New name for the subnet
>> + :return: None
>> + :raise SubnetNotFound: if the subnet to be renamed does not exist.
>> + :raise SubnetExists: if the subnet to be created already exists.
>> + """
>> + dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
>> + if dnsubnet.add_base(configDn) == False:
>> + raise SubnetException("dnsubnet.add_base() failed")
>> + if dnsubnet.add_child("CN=X") == False:
>> + raise SubnetException("dnsubnet.add_child() failed")
>> + dnsubnet.set_component(0, "CN", subnet_name)
>> +
>> + newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
>> + newdnsubnet.set_component(0, "CN", new_name)
>> + try:
>> + samdb.rename(dnsubnet, newdnsubnet)
>> + except LdbError as (enum, estr):
>> + if enum == ldb.ERR_NO_SUCH_OBJECT:
>> + raise SubnetNotFound('Subnet %s does not exist' % subnet)
>> + elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
>> + raise SubnetAlreadyExists('A subnet with the CIDR %s already exists'
>> + % new_name)
>> + elif enum == ldb.ERR_INVALID_DN_SYNTAX:
>> + raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
>> + estr))
>> + else:
>> + raise
>>
>> def set_subnet_site(samdb, configDn, subnet_name, site_name):
>> """Assign a subnet to a site.
>> diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
>> index 8459210..9f72df2 100644
>> --- a/source4/dsdb/samdb/ldb_modules/samldb.c
>> +++ b/source4/dsdb/samdb/ldb_modules/samldb.c
>> @@ -3072,13 +3072,13 @@ static int verify_cidr(const char *cidr)
>> }
>>
>>
>> -static int samldb_verify_subnet(struct samldb_ctx *ac)
>> +static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
>> {
>> struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
>> const char *cidr = NULL;
>> const struct ldb_val *rdn_value = NULL;
>>
>> - rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
>> + rdn_value = ldb_dn_get_rdn_val(dn);
>> if (rdn_value == NULL) {
>> ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
>> "failed");
>> @@ -3240,7 +3240,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
>>
>> if (samdb_find_attribute(ldb, ac->msg,
>> "objectclass", "subnet") != NULL) {
>> - ret = samldb_verify_subnet(ac);
>> + ret = samldb_verify_subnet(ac, ac->msg->dn);
>> if (ret != LDB_SUCCESS) {
>> talloc_free(ac);
>> return ret;
>> @@ -3633,7 +3633,7 @@ static int check_rename_constraints(struct ldb_message *msg,
>>
>> /* subnet objects */
>> if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
>> - ret = samldb_verify_subnet(ac);
>> + ret = samldb_verify_subnet(ac, newdn);
>> if (ret != LDB_SUCCESS) {
>> talloc_free(ac);
>> return ret;
>> diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
>> index a894da3..123e1ec 100755
>> --- a/source4/dsdb/tests/python/sites.py
>> +++ b/source4/dsdb/tests/python/sites.py
>> @@ -183,6 +183,51 @@ class SimpleSubnetTests(SitesBaseTests):
>> self.assertRaises(subnets.SubnetNotFound,
>> subnets.delete_subnet, self.ldb, basedn, cidr)
>>
>> + def test_rename_good_subnet_to_good_subnet(self):
>> + """Make sure that we can rename subnets"""
>> + basedn = self.ldb.get_config_basedn()
>> + cidr = "10.16.0.0/24"
>> + new_cidr = "10.16.1.0/24"
>> +
>> + subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
>> +
>> + subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
>> +
>> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>> + expression='(&(objectclass=subnet)(cn=%s))' % new_cidr)
>> +
>> + self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
>> +
>> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>> + expression='(&(objectclass=subnet)(cn=%s))' % cidr)
>> +
>> + self.assertEqual(len(ret), 0, 'Failed to remove old subnet during rename %s' % cidr)
>> +
>> + subnets.delete_subnet(self.ldb, basedn, new_cidr)
>> +
>> + def test_rename_good_subnet_to_bad_subnet(self):
>> + """Make sure that the CIDR checking runs during rename"""
>> + basedn = self.ldb.get_config_basedn()
>> + cidr = "10.17.0.0/24"
>> + bad_cidr = "10.11.12.0/14"
>> +
>> + subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
>> +
>> + self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
>> + self.ldb, basedn, cidr, bad_cidr)
>> +
>> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>> + expression='(&(objectclass=subnet)(cn=%s))' % bad_cidr)
>> +
>> + self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
>> +
>> + ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
>> + expression='(&(objectclass=subnet)(cn=%s))' % cidr)
>> +
>> + self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)
>> +
>> + subnets.delete_subnet(self.ldb, basedn, cidr)
>> +
>> def test_create_bad_ranges(self):
>> """These CIDR ranges all have something wrong with them, and they
>> should all fail."""
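Review bot: in test_rename_good_subnet_to_bad_subnet the assertion messages contradict what is checked: `self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)` verifies that the invalid name was not created, and `self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)` verifies that the original subnet survived the rejected rename. Reword them (e.g. 'Rejected rename created subnet %s' and 'Subnet %s disappeared after a rejected rename') so a failure reads correctly. In both tests the final delete_subnet() cleanup runs only if every assertion passes, so a failing assertion leaves the subnet behind for later tests in the same run; self.addCleanup() or a try/finally would keep the tests independent.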
>> diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
>> index 3282d5e..c6ec65e 100644
>> --- a/source4/heimdal/kdc/kerberos5.c
>> +++ b/source4/heimdal/kdc/kerberos5.c
>> @@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
>> krb5_error_code ret;
>> krb5_salt def_salt;
>> krb5_enctype enctype = ETYPE_NULL;
>> - Key *key;
>> + Key *key = NULL;
>> int i;
>>
>> /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
>> @@ -159,29 +159,34 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
>>
>> /* drive the search with local supported enctypes list */
>> p = krb5_kerberos_enctypes(context);
>> - for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
>> + for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
>> if (krb5_enctype_valid(context, p[i]) != 0)
>> continue;
>>
>> /* check that the client supports it too */
>> - for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
>> + for (j = 0; j < len && key == NULL; j++) {
>> if (p[i] != etypes[j])
>> continue;
>> /* save best of union of { client, crypto system } */
>> if (clientbest == ETYPE_NULL)
>> clientbest = p[i];
>> + if (enctype == ETYPE_NULL) {
>> + ret = hdb_enctype_supported(context, &princ->entry, p[i]);
>> + if (ret == 0) {
>> + enctype = p[i];
>> + }
>> + }
>> /* check target princ support */
>> ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
>> if (ret)
>> continue;
>> if (is_preauth && !is_default_salt_p(&def_salt, key))
>> continue;
>> - enctype = p[i];
>> }
>> }
>> if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
>> enctype = clientbest;
>> - else if (enctype == ETYPE_NULL)
>> + else if (key == NULL)
>> ret = KRB5KDC_ERR_ETYPE_NOSUPP;
>> if (ret == 0 && ret_enctype != NULL)
>> *ret_enctype = enctype;
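Review bot: the pre-auth salt check in _kdc_find_etype() can no longer reject a key. Both loops now run while `key == NULL`, and `key` is set by a successful hdb_enctype2key() before `if (is_preauth && !is_default_salt_p(&def_salt, key)) continue;`, so that `continue` exits both loops with the non-default-salt key selected; before this change `enctype = p[i]` was only reached after the salt check and the search carried on. Reset `key = NULL` before that `continue` so the search continues as it did. Separately, `enctype` can now be set from hdb_enctype_supported() for a type whose key lookup fails or is never attempted, so the returned `*ret_enctype` may differ from the type of the returned key; that is presumably the point of the series, but it changes the function's contract and should be stated in its comment since callers such as tgs_build_reply() now pass `&etype` and rely on it.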
>> @@ -322,7 +327,6 @@ krb5_error_code
>> _kdc_encode_reply(krb5_context context,
>> krb5_kdc_configuration *config,
>> KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
>> - krb5_enctype etype,
>> int skvno, const EncryptionKey *skey,
>> int ckvno, const EncryptionKey *reply_key,
>> int rk_is_subkey,
>> @@ -349,7 +353,7 @@ _kdc_encode_reply(krb5_context context,
>> return KRB5KRB_ERR_GENERIC;
>> }
>>
>> - ret = krb5_crypto_init(context, skey, etype, &crypto);
>> + ret = krb5_crypto_init(context, skey, 0, &crypto);
>> if (ret) {
>> const char *msg;
>> free(buf);
>> @@ -1720,7 +1724,7 @@ _kdc_as_rep(krb5_context context,
>> log_as_req(context, config, reply_key->keytype, setype, b);
>>
>> ret = _kdc_encode_reply(context, config,
>> - &rep, &et, &ek, setype, server->entry.kvno,
>> + &rep, &et, &ek, server->entry.kvno,
>> &skey->key, client->entry.kvno,
>> reply_key, 0, &e_text, reply);
>> free_EncTicketPart(&et);
>> diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
>> index a888788..e11ad52 100644
>> --- a/source4/heimdal/kdc/krb5tgs.c
>> +++ b/source4/heimdal/kdc/krb5tgs.c
>> @@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
>> KDC_REQ_BODY *b,
>> krb5_const_principal tgt_name,
>> const EncTicketPart *tgt,
>> + const EncTicketPart *adtgt,
>> const krb5_keyblock *replykey,
>> int rk_is_subkey,
>> const EncryptionKey *serverkey,
>> @@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
>> rep.pvno = 5;
>> rep.msg_type = krb_tgs_rep;
>>
>> - et.authtime = tgt->authtime;
>> + et.authtime = adtgt->authtime;
>> _kdc_fix_time(&b->till);
>> et.endtime = min(tgt->endtime, *b->till);
>> ALLOC(et.starttime);
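Review bot: only et.authtime is taken from adtgt while et.endtime is still bounded by tgt->endtime. Since adtgt defaults to tgt and is only redirected to the additional ticket in the constrained-delegation path, that is consistent, but a one-line comment at the assignment saying that the authtime must be the delegated user's original authentication time rather than the proxying service's would record why this one field comes from a different ticket; at present the reason lives only in the commit message.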
>> @@ -987,7 +988,7 @@ tgs_make_reply(krb5_context context,
>> etype list, even if we don't want a session key with
>> DES3? */
>> ret = _kdc_encode_reply(context, config,
>> - &rep, &et, &ek, et.key.keytype,
>> + &rep, &et, &ek,
>> kvno,
>> serverkey, 0, replykey, rk_is_subkey,
>> e_text, reply);
>> @@ -1159,7 +1160,6 @@ tgs_parse_request(krb5_context context,
>> const struct sockaddr *from_addr,
>> time_t **csec,
>> int **cusec,
>> - AuthorizationData **auth_data,
>> krb5_keyblock **replykey,
>> int *rk_is_subkey)
>> {
>> @@ -1170,14 +1170,11 @@ tgs_parse_request(krb5_context context,
>> krb5_auth_context ac = NULL;
>> krb5_flags ap_req_options;
>> krb5_flags verify_ap_req_flags;
>> - krb5_crypto crypto;
>> Key *tkey;
>> krb5_keyblock *subkey = NULL;
>> - unsigned usage;
>> krb5uint32 kvno = 0;
>> krb5uint32 *kvno_ptr = NULL;
>>
>> - *auth_data = NULL;
>> *csec = NULL;
>> *cusec = NULL;
>> *replykey = NULL;
>> @@ -1328,7 +1325,6 @@ tgs_parse_request(krb5_context context,
>> goto out;
>> }
>>
>> - usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
>> *rk_is_subkey = 1;
>>
>> ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
>> @@ -1340,7 +1336,6 @@ tgs_parse_request(krb5_context context,
>> goto out;
>> }
>> if(subkey == NULL){
>> - usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
>> *rk_is_subkey = 0;
>>
>> ret = krb5_auth_con_getkey(context, ac, &subkey);
>> @@ -1362,47 +1357,6 @@ tgs_parse_request(krb5_context context,
>>
>> *replykey = subkey;
>>
>> - if (b->enc_authorization_data) {
>> - krb5_data ad;
>> -
>> - ret = krb5_crypto_init(context, subkey, 0, &crypto);
>> - if (ret) {
>> - const char *msg = krb5_get_error_message(context, ret);
>> - krb5_auth_con_free(context, ac);
>> - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
>> - krb5_free_error_message(context, msg);
>> - goto out;
>> - }
>> - ret = krb5_decrypt_EncryptedData (context,
>> - crypto,
>> - usage,
>> - b->enc_authorization_data,
>> - &ad);
>> - krb5_crypto_destroy(context, crypto);
>> - if(ret){
>> - krb5_auth_con_free(context, ac);
>> - kdc_log(context, config, 0,
>> - "Failed to decrypt enc-authorization-data");
>> - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
>> - goto out;
>> - }
>> - ALLOC(*auth_data);
>> - if (*auth_data == NULL) {
>> - krb5_auth_con_free(context, ac);
>> - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
>> - goto out;
>> - }
>> - ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
>> - if(ret){
>> - krb5_auth_con_free(context, ac);
>> - free(*auth_data);
>> - *auth_data = NULL;
>> - kdc_log(context, config, 0, "Failed to decode authorization data");
>> - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
>> - goto out;
>> - }
>> - }
>> -
>> krb5_auth_con_free(context, ac);
>>
>> out:
>> @@ -1500,7 +1454,6 @@ tgs_build_reply(krb5_context context,
>> krb5_data *reply,
>> const char *from,
>> const char **e_text,
>> - AuthorizationData **auth_data,
>> const struct sockaddr *from_addr)
>> {
>> krb5_error_code ret;
>> @@ -1516,6 +1469,9 @@ tgs_build_reply(krb5_context context,
>> krb5_keyblock sessionkey;
>> krb5_kvno kvno;
>> krb5_data rspac;
>> + AuthorizationData *auth_data = NULL;
>> + const EncryptionKey *auth_data_key = replykey;
>> + unsigned auth_data_usage;
>>
>> hdb_entry_ex *krbtgt_out = NULL;
>>
>> @@ -1525,6 +1481,7 @@ tgs_build_reply(krb5_context context,
>> Realm r;
>> int nloop = 0;
>> EncTicketPart adtkt;
>> + EncTicketPart *adtgt = tgt;
>> char opt_str[128];
>> int signedpath = 0;
>>
>> @@ -1540,6 +1497,12 @@ tgs_build_reply(krb5_context context,
>> s = b->sname;
>> r = b->realm;
>>
>> + if (rk_is_subkey != 0) {
>> + auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
>> + } else {
>> + auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
>> + }
>> +
>> if (b->kdc_options.canonicalize)
>> flags |= HDB_F_CANON;
>>
>> @@ -1742,7 +1705,7 @@ server_lookup:
>>
>> ret = _kdc_find_etype(context,
>> config->tgs_use_strongest_session_key, FALSE,
>> - server, b->etype.val, b->etype.len, NULL,
>> + server, b->etype.val, b->etype.len, &etype,
>> &skey);
>> if(ret) {
>> kdc_log(context, config, 0,
>> @@ -1750,7 +1713,6 @@ server_lookup:
>> goto out;
>> }
>> ekey = &skey->key;
>> - etype = skey->key.keytype;
>> kvno = server->entry.kvno;
>> }
>>
>> @@ -2183,10 +2145,55 @@ server_lookup:
>> goto out;
>> }
>>
>> + if (rk_is_subkey == 0) {
>> + auth_data_key = &adtkt.key;
>> + }
>> + adtgt = &adtkt;
>> kdc_log(context, config, 0, "constrained delegation for %s "
>> "from %s (%s) to %s", tpn, cpn, dpn, spn);
>> }
>>
>> + if (b->enc_authorization_data) {
>> + krb5_data ad;
>> + krb5_crypto crypto;
>> +
>> + ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
>> + if (ret) {
>> + const char *msg = krb5_get_error_message(context, ret);
>> + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
>> + krb5_free_error_message(context, msg);
>> + goto out;
>> + }
>> +
>> + ret = krb5_decrypt_EncryptedData (context,
>> + crypto,
>> + auth_data_usage,
>> + b->enc_authorization_data,
>> + &ad);
>> + krb5_crypto_destroy(context, crypto);
>> + if(ret){
>> + kdc_log(context, config, 0,
>> + "Failed to decrypt enc-authorization-data");
>> + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
>> + goto out;
>> + }
>> + ALLOC(auth_data);
>> + if (auth_data == NULL) {
>> + krb5_data_free(&ad);
>> + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
>> + goto out;
>> + }
>> + ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
>> + krb5_data_free(&ad);
>> + if(ret){
>> + free(auth_data);
>> + auth_data = NULL;
>> + kdc_log(context, config, 0, "Failed to decode authorization data");
>> + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
>> + goto out;
>> + }
>> + }
>> +
>> /*
>> * Check flags
>> */
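Review bot: the ALLOC(auth_data) failure path still reports an out-of-memory condition as KRB5KRB_AP_ERR_BAD_INTEGRITY (the carried-over `/* ? */`); since the block is being moved anyway, return ENOMEM there so the client does not receive a spurious integrity error and the log does not read like a tampered request. The two new krb5_data_free(&ad) calls close the leak the earlier version had. A short comment at `auth_data_key = &adtkt.key` explaining that, without an authenticator subkey, the enc-authorization-data of an S4U2Proxy request is protected by the additional ticket's session key would help a future reader; the auth_data_usage selection a few hunks above has the same reasoning only in the commit message.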
>> @@ -2257,12 +2264,13 @@ server_lookup:
>> b,
>> tp,
>> tgt,
>> + adtgt,
>> replykey,
>> rk_is_subkey,
>> ekey,
>> &sessionkey,
>> kvno,
>> - *auth_data,
>> + auth_data,
>> server,
>> server->entry.principal,
>> spn,
>> @@ -2307,6 +2315,11 @@ out:
>> free(ref_realm);
>> free_METHOD_DATA(&enc_pa_data);
>>
>> + if (auth_data) {
>> + free_AuthorizationData(auth_data);
>> + free(auth_data);
>> + }
>> +
>> free_EncTicketPart(&adtkt);
>>
>> return ret;
>> @@ -2325,7 +2338,6 @@ _kdc_tgs_rep(krb5_context context,
>> struct sockaddr *from_addr,
>> int datagram_reply)
>> {
>> - AuthorizationData *auth_data = NULL;
>> krb5_error_code ret;
>> int i = 0;
>> const PA_DATA *tgs_req;
>> @@ -2364,7 +2376,6 @@ _kdc_tgs_rep(krb5_context context,
>> &e_text,
>> from, from_addr,
>> &csec, &cusec,
>> - &auth_data,
>> &replykey,
>> &rk_is_subkey);
>> if (ret == HDB_ERR_NOT_FOUND_HERE) {
>> @@ -2389,7 +2400,6 @@ _kdc_tgs_rep(krb5_context context,
>> data,
>> from,
>> &e_text,
>> - &auth_data,
>> from_addr);
>> if (ret) {
>> kdc_log(context, config, 0,
>> @@ -2426,10 +2436,5 @@ out:
>> if(krbtgt)
>> _kdc_free_ent(context, krbtgt);
>>
>>
>>