Accidental commits?

Andrew Bartlett abartlet at samba.org
Tue Feb 20 19:39:49 UTC 2018


On Tue, 2018-02-20 at 20:30 +0100, Stefan Metzmacher wrote:
> Hi Andrew,
> 
> I also noticed that, I guess we'll push reverts shortly.

Less important but if we choose to instead just reset the branch I'll
note that I didn't yet re-upload the cherry-picked patches for
Douglas's abort() on the subnet rename, so they landed without the
cherry-pick markers. 

Finally, I would just ask that we don't over-react on this.  This is
the only mis-merge I can remember since we adopted this procedure.

In particular: while I'm normally a great fan of automated checks and
protections, this is 'only' a git issue, we can reset or revert without
harm.  

Likewise I want to say a big thank you to Karolin for doing all the
tedious work landing our release-branch patches, and please don't feel
bad about it. 

Thanks,

Andrew Bartlett

> metze
> 
> On 20.02.2018 at 19:25, Andrew Bartlett via samba-technical wrote:
> > Karolin,
> > 
> > This looks like a different kind of commit to what I would normally
> > expect to see in v4-6-test.  Can you check if you could have
> > unintentionally pushed a testing branch?
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> > On Tue, 2018-02-20 at 17:04 +0100, Karolin Seeger wrote:
> > > The branch, v4-6-test has been updated
> > >        via  56a40ab samba: Only use async signal-safe functions in signal handler
> > >        via  670af37 subnet: Avoid a segfault when renaming subnet objects
> > >        via  f2e21e6 HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
> > >        via  ffda28e TODO s4:kdc: indicate support for new encryption types by adding empty keys
> > >        via  075f061 TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
> > >        via  7d0559e s4:kdc: use the strongest possible tgs session key
> > >        via  2a7392d HEIMDAL:hdb: export a hdb_enctype_supported() helper function
> > >        via  8ac00b0 HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
> > >        via  9f3571a s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
> > >        via  312bf1c HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
> > >        via  3dd52dd HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
> > >        via  9ec1a52 HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
> > >       from  2ed8741 VERSION: Bump version up to 4.6.14...
> > > 
> > > https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
> > > 
> > > 
> > > - Log -----------------------------------------------------------------
> > > commit 56a40ab005671fd6ce3c55cd91eddcbcc925891d
> > > Author: Volker Lendecke <vl at samba.org>
> > > Date:   Thu Jan 4 21:06:02 2018 +0100
> > > 
> > >     samba: Only use async signal-safe functions in signal handler
> > >     
> > >     Otherwise shutdown can hang
> > >     
> > >     Signed-off-by: Volker Lendecke <vl at samba.org>
> > >     Reviewed-by: Andreas Schneider <asn at samba.org>
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13240
> > >     
> > >     Signed-off-by: Björn Baumbach <bb at sernet.de>
> > >     (similar to commit 361ea743576cf125d7957a97ed78a0446dab1a19)
> > >     
> > >     Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
> > >     Autobuild-Date(v4-6-test): Tue Feb 20 17:03:44 CET 2018 on sn-devel-144
> > > 
> > > commit 670af37291bc75481ac89efff62760d74377536f
> > > Author: Garming Sam <garming at catalyst.net.nz>
> > > Date:   Wed Sep 20 14:55:11 2017 +1200
> > > 
> > >     subnet: Avoid a segfault when renaming subnet objects
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031
> > >     
> > >     Signed-off-by: Garming Sam <garming at catalyst.net.nz>
> > >     Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> > > 
> > > commit f2e21e692640308c003bd851da0c627af73a9451
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Wed Nov 8 13:18:29 2017 +0100
> > > 
> > >     HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit ffda28e9b14a6d0464cc2b931105a4d43712dcba
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Tue Nov 7 12:23:31 2017 +0100
> > > 
> > >     TODO s4:kdc: indicate support for new encryption types by adding empty keys
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> > > 
> > > commit 075f061ca337d516a82b0fb19b001ff8cff61915
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Tue Nov 7 12:23:31 2017 +0100
> > > 
> > >     TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> > > 
> > > commit 7d0559e0eb5d533a5f5764a39d04fb05d8d34633
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Tue Nov 7 18:03:45 2017 +0100
> > > 
> > >     s4:kdc: use the strongest possible tgs session key
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit 2a7392d3b216d4a79d81fd6a31bb2294b70c9a35
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Tue Nov 7 15:47:25 2017 +0100
> > > 
> > >     HEIMDAL:hdb: export a hdb_enctype_supported() helper function
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit 8ac00b066c893f9da5ac44f9391e41ad018d08bc
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Wed Nov 8 11:57:08 2017 +0100
> > > 
> > >     HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key
> > >     
> > >     Currently the value is the same anyway as the session key is always of the
> > >     same type as server key up to now, but that will change shortly.
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit 9f3571aa20a209901c6ab7c776200afeac54eca4
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Thu Sep 28 14:51:43 2017 +0200
> > > 
> > >     s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob
> > >     
> > >     We need the target service without realm, but the proxy services with realm.
> > >     
> > >     I have a domain with an w2008r2 server and a samba and now both generate
> > >     the same S4U_DELEGATION_INFO.
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit 312bf1c331038059698d14d7026387079a49bb61
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Wed Sep 20 23:05:09 2017 +0200
> > > 
> > >     HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit 3dd52dd0df77bac590645cf05b54766101456016
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Wed Sep 20 23:05:09 2017 +0200
> > > 
> > >     HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
> > >     
> > >     We do this after checking for constraint delegation (S4U2Proxy).
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > commit 9ec1a523d2acba03a8cd7c21013d896962863759
> > > Author: Stefan Metzmacher <metze at samba.org>
> > > Date:   Wed Sep 20 23:05:09 2017 +0200
> > > 
> > >     HEIMDAL:kdc: fix memory leak when decryption AuthorizationData
> > >     
> > >     BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
> > >     
> > >     Signed-off-by: Stefan Metzmacher <metze at samba.org>
> > > 
> > > -----------------------------------------------------------------------
> > > 
> > > Summary of changes:
> > >  python/samba/subnets.py                    |  33 ++++++++
> > >  source4/dsdb/samdb/ldb_modules/samldb.c    |   8 +-
> > >  source4/dsdb/tests/python/sites.py         |  45 ++++++++++
> > >  source4/heimdal/kdc/kerberos5.c            |  20 +++--
> > >  source4/heimdal/kdc/krb5tgs.c              | 127 +++++++++++++++--------------
> > >  source4/heimdal/lib/hdb/hdb.c              |  30 ++++++-
> > >  source4/heimdal/lib/hdb/version-script.map |   1 +
> > >  source4/kdc/db-glue.c                      |  73 ++++++++++++++++-
> > >  source4/kdc/kdc-heimdal.c                  |   6 +-
> > >  source4/kdc/pac-glue.c                     |   6 +-
> > >  source4/smbd/server.c                      |   4 +-
> > >  11 files changed, 266 insertions(+), 87 deletions(-)
> > > 
> > > 
> > > Changeset truncated at 500 lines:
> > > 
> > > diff --git a/python/samba/subnets.py b/python/samba/subnets.py
> > > index e859f06..72eeb0f 100644
> > > --- a/python/samba/subnets.py
> > > +++ b/python/samba/subnets.py
> > > @@ -127,6 +127,39 @@ def delete_subnet(samdb, configDn, subnet_name):
> > >  
> > >      samdb.delete(dnsubnet)
> > >  
> > > +def rename_subnet(samdb, configDn, subnet_name, new_name):
> > > +    """Rename a subnet.
> > > +
> > > +    :param samdb: A samdb connection
> > > +    :param configDn: The DN of the configuration partition
> > > +    :param subnet_name: Name of the subnet to rename
> > > +    :param new_name: New name for the subnet
> > > +    :return: None
> > > +    :raise SubnetNotFound: if the subnet to be renamed does not exist.
> > > +    :raise SubnetExists: if the subnet to be created already exists.
> > > +    """
> > > +    dnsubnet = ldb.Dn(samdb, "CN=Subnets,CN=Sites")
> > > +    if dnsubnet.add_base(configDn) == False:
> > > +        raise SubnetException("dnsubnet.add_base() failed")
> > > +    if dnsubnet.add_child("CN=X") == False:
> > > +        raise SubnetException("dnsubnet.add_child() failed")
> > > +    dnsubnet.set_component(0, "CN", subnet_name)
> > > +
> > > +    newdnsubnet = ldb.Dn(samdb, str(dnsubnet))
> > > +    newdnsubnet.set_component(0, "CN", new_name)
> > > +    try:
> > > +        samdb.rename(dnsubnet, newdnsubnet)
> > > +    except LdbError as (enum, estr):
> > > +        if enum == ldb.ERR_NO_SUCH_OBJECT:
> > > +            raise SubnetNotFound('Subnet %s does not exist' % subnet)
> > > +        elif enum == ldb.ERR_ENTRY_ALREADY_EXISTS:
> > > +            raise SubnetAlreadyExists('A subnet with the CIDR %s already exists'
> > > +                                      % new_name)
> > > +        elif enum == ldb.ERR_INVALID_DN_SYNTAX:
> > > +            raise SubnetInvalid("%s is not a valid subnet: %s" % (new_name,
> > > +                                                                  estr))
> > > +        else:
> > > +            raise
> > >  
> > >  def set_subnet_site(samdb, configDn, subnet_name, site_name):
> > >      """Assign a subnet to a site.
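Review bot: in rename_subnet(), the ERR_NO_SUCH_OBJECT branch builds its message with `% subnet`, but the function's parameters and locals are `subnet_name`, `new_name`, `dnsubnet` and `newdnsubnet`; unless a module-level `subnet` exists, renaming a missing subnet raises NameError instead of SubnetNotFound. Use `subnet_name` there. The docstring also lists `SubnetExists` while the code raises `SubnetAlreadyExists`, and a test that renames a non-existent subnet would have exercised this branch.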
> > > diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
> > > index 8459210..9f72df2 100644
> > > --- a/source4/dsdb/samdb/ldb_modules/samldb.c
> > > +++ b/source4/dsdb/samdb/ldb_modules/samldb.c
> > > @@ -3072,13 +3072,13 @@ static int verify_cidr(const char *cidr)
> > >  }
> > >  
> > >  
> > > -static int samldb_verify_subnet(struct samldb_ctx *ac)
> > > +static int samldb_verify_subnet(struct samldb_ctx *ac, struct ldb_dn *dn)
> > >  {
> > >  	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
> > >  	const char *cidr = NULL;
> > >  	const struct ldb_val *rdn_value = NULL;
> > >  
> > > -	rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
> > > +	rdn_value = ldb_dn_get_rdn_val(dn);
> > >  	if (rdn_value == NULL) {
> > >  		ldb_set_errstring(ldb, "samldb: ldb_dn_get_rdn_val "
> > >  				  "failed");
> > > @@ -3240,7 +3240,7 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
> > >  
> > >  	if (samdb_find_attribute(ldb, ac->msg,
> > >  				 "objectclass", "subnet") != NULL) {
> > > -		ret = samldb_verify_subnet(ac);
> > > +		ret = samldb_verify_subnet(ac, ac->msg->dn);
> > >  		if (ret != LDB_SUCCESS) {
> > >  			talloc_free(ac);
> > >  			return ret;
> > > @@ -3633,7 +3633,7 @@ static int check_rename_constraints(struct ldb_message *msg,
> > >  
> > >  	/* subnet objects */
> > >  	if (samdb_find_attribute(ldb, msg, "objectclass", "subnet") != NULL) {
> > > -		ret = samldb_verify_subnet(ac);
> > > +		ret = samldb_verify_subnet(ac, newdn);
> > >  		if (ret != LDB_SUCCESS) {
> > >  			talloc_free(ac);
> > >  			return ret;
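Review bot: the call in check_rename_constraints now passes `newdn` while samldb_add passes `ac->msg->dn`, but nothing in these hunks or in the commit message records why `ac->msg->dn` was unusable on the rename path. A short comment on samldb_verify_subnet() saying that `dn` is the DN to validate (the target DN for a rename) would stop a later cleanup from folding the parameter back into `ac`. The unchanged error path here also calls talloc_free(ac) from a helper that does not visibly own `ac`; worth confirming the caller does not free it again.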
> > > diff --git a/source4/dsdb/tests/python/sites.py b/source4/dsdb/tests/python/sites.py
> > > index a894da3..123e1ec 100755
> > > --- a/source4/dsdb/tests/python/sites.py
> > > +++ b/source4/dsdb/tests/python/sites.py
> > > @@ -183,6 +183,51 @@ class SimpleSubnetTests(SitesBaseTests):
> > >          self.assertRaises(subnets.SubnetNotFound,
> > >                            subnets.delete_subnet, self.ldb, basedn, cidr)
> > >  
> > > +    def test_rename_good_subnet_to_good_subnet(self):
> > > +        """Make sure that we can rename subnets"""
> > > +        basedn = self.ldb.get_config_basedn()
> > > +        cidr = "10.16.0.0/24"
> > > +        new_cidr = "10.16.1.0/24"
> > > +
> > > +        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
> > > +
> > > +        subnets.rename_subnet(self.ldb, basedn, cidr, new_cidr)
> > > +
> > > +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> > > +                              expression='(&(objectclass=subnet)(cn=%s))' % new_cidr)
> > > +
> > > +        self.assertEqual(len(ret), 1, 'Failed to rename subnet %s' % cidr)
> > > +
> > > +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> > > +                              expression='(&(objectclass=subnet)(cn=%s))' % cidr)
> > > +
> > > +        self.assertEqual(len(ret), 0, 'Failed to remove old subnet during rename %s' % cidr)
> > > +
> > > +        subnets.delete_subnet(self.ldb, basedn, new_cidr)
> > > +
> > > +    def test_rename_good_subnet_to_bad_subnet(self):
> > > +        """Make sure that the CIDR checking runs during rename"""
> > > +        basedn = self.ldb.get_config_basedn()
> > > +        cidr = "10.17.0.0/24"
> > > +        bad_cidr = "10.11.12.0/14"
> > > +
> > > +        subnets.create_subnet(self.ldb, basedn, cidr, self.sitename)
> > > +
> > > +        self.assertRaises(subnets.SubnetInvalid, subnets.rename_subnet,
> > > +                          self.ldb, basedn, cidr, bad_cidr)
> > > +
> > > +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> > > +                              expression='(&(objectclass=subnet)(cn=%s))' % bad_cidr)
> > > +
> > > +        self.assertEqual(len(ret), 0, 'Failed to rename subnet %s' % cidr)
> > > +
> > > +        ret = self.ldb.search(base=basedn, scope=SCOPE_SUBTREE,
> > > +                              expression='(&(objectclass=subnet)(cn=%s))' % cidr)
> > > +
> > > +        self.assertEqual(len(ret), 1, 'Failed to remove old subnet during rename %s' % cidr)
> > > +
> > > +        subnets.delete_subnet(self.ldb, basedn, cidr)
> > > +
> > >      def test_create_bad_ranges(self):
> > >          """These CIDR ranges all have something wrong with them, and they
> > >          should all fail."""
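Review bot: the assertion messages in test_rename_good_subnet_to_bad_subnet are copied from the success test and describe the opposite of what is checked. The `len(ret) == 0` assertion on `bad_cidr` reports 'Failed to rename subnet' when it fires because the invalid rename went through, and the `len(ret) == 1` assertion on `cidr` reports 'Failed to remove old subnet during rename' when it fires because the original subnet has gone missing. Both tests also call delete_subnet only at the very end, so a failing assertion leaves the subnet behind; registering the cleanup right after create_subnet (for example with self.addCleanup) would keep a failure from affecting later tests.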
> > > diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
> > > index 3282d5e..c6ec65e 100644
> > > --- a/source4/heimdal/kdc/kerberos5.c
> > > +++ b/source4/heimdal/kdc/kerberos5.c
> > > @@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
> > >      krb5_error_code ret;
> > >      krb5_salt def_salt;
> > >      krb5_enctype enctype = ETYPE_NULL;
> > > -    Key *key;
> > > +    Key *key = NULL;
> > >      int i;
> > >  
> > >      /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
> > > @@ -159,29 +159,34 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
> > >  
> > >  	/* drive the search with local supported enctypes list */
> > >  	p = krb5_kerberos_enctypes(context);
> > > -	for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
> > > +	for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
> > >  	    if (krb5_enctype_valid(context, p[i]) != 0)
> > >  		continue;
> > >  
> > >  	    /* check that the client supports it too */
> > > -	    for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
> > > +	    for (j = 0; j < len && key == NULL; j++) {
> > >  		if (p[i] != etypes[j])
> > >  		    continue;
> > >  		/* save best of union of { client, crypto system } */
> > >  		if (clientbest == ETYPE_NULL)
> > >  		    clientbest = p[i];
> > > +		if (enctype == ETYPE_NULL) {
> > > +		    ret = hdb_enctype_supported(context, &princ->entry, p[i]);
> > > +		    if (ret == 0) {
> > > +			enctype = p[i];
> > > +		    }
> > > +		}
> > >  		/* check target princ support */
> > >  		ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
> > >  		if (ret)
> > >  		    continue;
> > >  		if (is_preauth && !is_default_salt_p(&def_salt, key))
> > >  		    continue;
> > > -		enctype = p[i];
> > >  	    }
> > >  	}
> > >  	if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
> > >  	    enctype = clientbest;
> > > -	else if (enctype == ETYPE_NULL)
> > > +	else if (key == NULL)
> > >  	    ret = KRB5KDC_ERR_ETYPE_NOSUPP;
> > >  	if (ret == 0 && ret_enctype != NULL)
> > >  	    *ret_enctype = enctype;
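Review bot: with both loop conditions changed to `key == NULL`, a key rejected by the `is_preauth && !is_default_salt_p(&def_salt, key)` check still ends the search, because hdb_enctype2key() has already stored it through `&key` before the `continue`. Before this change `enctype` stayed ETYPE_NULL on that path, so the next enctype was tried; now the function can leave the loop holding the key the salt check just refused. Setting `key = NULL` before that `continue` would restore the old behaviour. It is also worth a comment that `enctype` and `key` may now refer to different enctypes, since that is the point of the change and is not obvious from the loop.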
> > > @@ -322,7 +327,6 @@ krb5_error_code
> > >  _kdc_encode_reply(krb5_context context,
> > >  		  krb5_kdc_configuration *config,
> > >  		  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
> > > -		  krb5_enctype etype,
> > >  		  int skvno, const EncryptionKey *skey,
> > >  		  int ckvno, const EncryptionKey *reply_key,
> > >  		  int rk_is_subkey,
> > > @@ -349,7 +353,7 @@ _kdc_encode_reply(krb5_context context,
> > >  	return KRB5KRB_ERR_GENERIC;
> > >      }
> > >  
> > > -    ret = krb5_crypto_init(context, skey, etype, &crypto);
> > > +    ret = krb5_crypto_init(context, skey, 0, &crypto);
> > >      if (ret) {
> > >          const char *msg;
> > >  	free(buf);
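Review bot: the literal `0` now passed as the enctype in `krb5_crypto_init(context, skey, 0, &crypto)` would read better as ETYPE_NULL, the constant this file already uses for "no enctype", with a one-line comment that the enctype is taken from `skey`. As written, a reader has to know the krb5_crypto_init() convention to see that the removed `etype` argument was not simply dropped.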
> > > @@ -1720,7 +1724,7 @@ _kdc_as_rep(krb5_context context,
> > >      log_as_req(context, config, reply_key->keytype, setype, b);
> > >  
> > >      ret = _kdc_encode_reply(context, config,
> > > -			    &rep, &et, &ek, setype, server->entry.kvno,
> > > +			    &rep, &et, &ek, server->entry.kvno,
> > >  			    &skey->key, client->entry.kvno,
> > >  			    reply_key, 0, &e_text, reply);
> > >      free_EncTicketPart(&et);
> > > diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
> > > index a888788..e11ad52 100644
> > > --- a/source4/heimdal/kdc/krb5tgs.c
> > > +++ b/source4/heimdal/kdc/krb5tgs.c
> > > @@ -725,6 +725,7 @@ tgs_make_reply(krb5_context context,
> > >  	       KDC_REQ_BODY *b,
> > >  	       krb5_const_principal tgt_name,
> > >  	       const EncTicketPart *tgt,
> > > +	       const EncTicketPart *adtgt,
> > >  	       const krb5_keyblock *replykey,
> > >  	       int rk_is_subkey,
> > >  	       const EncryptionKey *serverkey,
> > > @@ -758,7 +759,7 @@ tgs_make_reply(krb5_context context,
> > >      rep.pvno = 5;
> > >      rep.msg_type = krb_tgs_rep;
> > >  
> > > -    et.authtime = tgt->authtime;
> > > +    et.authtime = adtgt->authtime;
> > >      _kdc_fix_time(&b->till);
> > >      et.endtime = min(tgt->endtime, *b->till);
> > >      ALLOC(et.starttime);
> > > @@ -987,7 +988,7 @@ tgs_make_reply(krb5_context context,
> > >         etype list, even if we don't want a session key with
> > >         DES3? */
> > >      ret = _kdc_encode_reply(context, config,
> > > -			    &rep, &et, &ek, et.key.keytype,
> > > +			    &rep, &et, &ek,
> > >  			    kvno,
> > >  			    serverkey, 0, replykey, rk_is_subkey,
> > >  			    e_text, reply);
> > > @@ -1159,7 +1160,6 @@ tgs_parse_request(krb5_context context,
> > >  		  const struct sockaddr *from_addr,
> > >  		  time_t **csec,
> > >  		  int **cusec,
> > > -		  AuthorizationData **auth_data,
> > >  		  krb5_keyblock **replykey,
> > >  		  int *rk_is_subkey)
> > >  {
> > > @@ -1170,14 +1170,11 @@ tgs_parse_request(krb5_context context,
> > >      krb5_auth_context ac = NULL;
> > >      krb5_flags ap_req_options;
> > >      krb5_flags verify_ap_req_flags;
> > > -    krb5_crypto crypto;
> > >      Key *tkey;
> > >      krb5_keyblock *subkey = NULL;
> > > -    unsigned usage;
> > >      krb5uint32 kvno = 0;
> > >      krb5uint32 *kvno_ptr = NULL;
> > >  
> > > -    *auth_data = NULL;
> > >      *csec  = NULL;
> > >      *cusec = NULL;
> > >      *replykey = NULL;
> > > @@ -1328,7 +1325,6 @@ tgs_parse_request(krb5_context context,
> > >  	goto out;
> > >      }
> > >  
> > > -    usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
> > >      *rk_is_subkey = 1;
> > >  
> > >      ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
> > > @@ -1340,7 +1336,6 @@ tgs_parse_request(krb5_context context,
> > >  	goto out;
> > >      }
> > >      if(subkey == NULL){
> > > -	usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
> > >  	*rk_is_subkey = 0;
> > >  
> > >  	ret = krb5_auth_con_getkey(context, ac, &subkey);
> > > @@ -1362,47 +1357,6 @@ tgs_parse_request(krb5_context context,
> > >  
> > >      *replykey = subkey;
> > >  
> > > -    if (b->enc_authorization_data) {
> > > -	krb5_data ad;
> > > -
> > > -	ret = krb5_crypto_init(context, subkey, 0, &crypto);
> > > -	if (ret) {
> > > -	    const char *msg = krb5_get_error_message(context, ret);
> > > -	    krb5_auth_con_free(context, ac);
> > > -	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
> > > -	    krb5_free_error_message(context, msg);
> > > -	    goto out;
> > > -	}
> > > -	ret = krb5_decrypt_EncryptedData (context,
> > > -					  crypto,
> > > -					  usage,
> > > -					  b->enc_authorization_data,
> > > -					  &ad);
> > > -	krb5_crypto_destroy(context, crypto);
> > > -	if(ret){
> > > -	    krb5_auth_con_free(context, ac);
> > > -	    kdc_log(context, config, 0,
> > > -		    "Failed to decrypt enc-authorization-data");
> > > -	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> > > -	    goto out;
> > > -	}
> > > -	ALLOC(*auth_data);
> > > -	if (*auth_data == NULL) {
> > > -	    krb5_auth_con_free(context, ac);
> > > -	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> > > -	    goto out;
> > > -	}
> > > -	ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
> > > -	if(ret){
> > > -	    krb5_auth_con_free(context, ac);
> > > -	    free(*auth_data);
> > > -	    *auth_data = NULL;
> > > -	    kdc_log(context, config, 0, "Failed to decode authorization data");
> > > -	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> > > -	    goto out;
> > > -	}
> > > -    }
> > > -
> > >      krb5_auth_con_free(context, ac);
> > >  
> > >  out:
> > > @@ -1500,7 +1454,6 @@ tgs_build_reply(krb5_context context,
> > >  		krb5_data *reply,
> > >  		const char *from,
> > >  		const char **e_text,
> > > -		AuthorizationData **auth_data,
> > >  		const struct sockaddr *from_addr)
> > >  {
> > >      krb5_error_code ret;
> > > @@ -1516,6 +1469,9 @@ tgs_build_reply(krb5_context context,
> > >      krb5_keyblock sessionkey;
> > >      krb5_kvno kvno;
> > >      krb5_data rspac;
> > > +    AuthorizationData *auth_data = NULL;
> > > +    const EncryptionKey *auth_data_key = replykey;
> > > +    unsigned auth_data_usage;
> > >  
> > >      hdb_entry_ex *krbtgt_out = NULL;
> > >  
> > > @@ -1525,6 +1481,7 @@ tgs_build_reply(krb5_context context,
> > >      Realm r;
> > >      int nloop = 0;
> > >      EncTicketPart adtkt;
> > > +    EncTicketPart *adtgt = tgt;
> > >      char opt_str[128];
> > >      int signedpath = 0;
> > >  
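Review bot: `EncTicketPart *adtgt = tgt;` in tgs_build_reply is declared non-const, while the matching tgs_make_reply parameter added in this patch is `const EncTicketPart *adtgt` and the pointer is only read (`adtgt->authtime`). Declaring the local `const EncTicketPart *adtgt` keeps the two consistent. The name is also one letter away from the existing `adtkt` on the line above, and it ends up pointing at `&adtkt`; a more distinct name or a comment saying it selects the ticket that supplies authtime would make the later `adtgt = &adtkt;` assignment easier to follow.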
> > > @@ -1540,6 +1497,12 @@ tgs_build_reply(krb5_context context,
> > >      s = b->sname;
> > >      r = b->realm;
> > >  
> > > +    if (rk_is_subkey != 0) {
> > > +	auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
> > > +    } else {
> > > +	auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
> > > +    }
> > > +
> > >      if (b->kdc_options.canonicalize)
> > >  	flags |= HDB_F_CANON;
> > >  
> > > @@ -1742,7 +1705,7 @@ server_lookup:
> > >  
> > >  	    ret = _kdc_find_etype(context,
> > >  				  config->tgs_use_strongest_session_key, FALSE,
> > > -				  server, b->etype.val, b->etype.len, NULL,
> > > +				  server, b->etype.val, b->etype.len, &etype,
> > >  				  &skey);
> > >  	    if(ret) {
> > >  		kdc_log(context, config, 0,
> > > @@ -1750,7 +1713,6 @@ server_lookup:
> > >  		goto out;
> > >  	    }
> > >  	    ekey = &skey->key;
> > > -	    etype = skey->key.keytype;
> > >  	    kvno = server->entry.kvno;
> > >  	}
> > >  
> > > @@ -2183,10 +2145,55 @@ server_lookup:
> > >  	    goto out;
> > >  	}
> > >  
> > > +	if (rk_is_subkey == 0) {
> > > +	    auth_data_key = &adtkt.key;
> > > +	}
> > > +	adtgt = &adtkt;
> > >  	kdc_log(context, config, 0, "constrained delegation for %s "
> > >  		"from %s (%s) to %s", tpn, cpn, dpn, spn);
> > >      }
> > >  
> > > +    if (b->enc_authorization_data) {
> > > +	krb5_data ad;
> > > +	krb5_crypto crypto;
> > > +
> > > +	ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
> > > +	if (ret) {
> > > +	    const char *msg = krb5_get_error_message(context, ret);
> > > +	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
> > > +	    krb5_free_error_message(context, msg);
> > > +	    goto out;
> > > +	}
> > > +
> > > +	ret = krb5_decrypt_EncryptedData (context,
> > > +					  crypto,
> > > +					  auth_data_usage,
> > > +					  b->enc_authorization_data,
> > > +					  &ad);
> > > +	krb5_crypto_destroy(context, crypto);
> > > +	if(ret){
> > > +	    kdc_log(context, config, 0,
> > > +		    "Failed to decrypt enc-authorization-data");
> > > +	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> > > +	    goto out;
> > > +	}
> > > +	ALLOC(auth_data);
> > > +	if (auth_data == NULL) {
> > > +	    krb5_data_free(&ad);
> > > +	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> > > +	    goto out;
> > > +	}
> > > +	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
> > > +	krb5_data_free(&ad);
> > > +	if(ret){
> > > +	    free(auth_data);
> > > +	    auth_data = NULL;
> > > +	    kdc_log(context, config, 0, "Failed to decode authorization data");
> > > +	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
> > > +	    goto out;
> > > +	}
> > > +    }
> > > +
> > >      /*
> > >       * Check flags
> > >       */
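Review bot: in the moved enc_authorization_data block, the `ALLOC(auth_data)` failure path returns KRB5KRB_AP_ERR_BAD_INTEGRITY, carried over together with its `/* ? */` marker; an allocation failure is not an integrity error and should return ENOMEM so the log and the client see the real cause. The decrypt and decode failures can keep the integrity error. The new krb5_data_free(&ad) calls on both the allocation-failure and post-decode paths look right and cover the buffer the old code never released.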
> > > @@ -2257,12 +2264,13 @@ server_lookup:
> > >  			 b,
> > >  			 tp,
> > >  			 tgt,
> > > +			 adtgt,
> > >  			 replykey,
> > >  			 rk_is_subkey,
> > >  			 ekey,
> > >  			 &sessionkey,
> > >  			 kvno,
> > > -			 *auth_data,
> > > +			 auth_data,
> > >  			 server,
> > >  			 server->entry.principal,
> > >  			 spn,
> > > @@ -2307,6 +2315,11 @@ out:
> > >  	free(ref_realm);
> > >      free_METHOD_DATA(&enc_pa_data);
> > >  
> > > +    if (auth_data) {
> > > +       free_AuthorizationData(auth_data);
> > > +       free(auth_data);
> > > +    }
> > > +
> > >      free_EncTicketPart(&adtkt);
> > >  
> > >      return ret;
> > > @@ -2325,7 +2338,6 @@ _kdc_tgs_rep(krb5_context context,
> > >  	     struct sockaddr *from_addr,
> > >  	     int datagram_reply)
> > >  {
> > > -    AuthorizationData *auth_data = NULL;
> > >      krb5_error_code ret;
> > >      int i = 0;
> > >      const PA_DATA *tgs_req;
> > > @@ -2364,7 +2376,6 @@ _kdc_tgs_rep(krb5_context context,
> > >  			    &e_text,
> > >  			    from, from_addr,
> > >  			    &csec, &cusec,
> > > -			    &auth_data,
> > >  			    &replykey,
> > >  			    &rk_is_subkey);
> > >      if (ret == HDB_ERR_NOT_FOUND_HERE) {
> > > @@ -2389,7 +2400,6 @@ _kdc_tgs_rep(krb5_context context,
> > >  			  data,
> > >  			  from,
> > >  			  &e_text,
> > > -			  &auth_data,
> > >  			  from_addr);
> > >      if (ret) {
> > >  	kdc_log(context, config, 0,
> > > @@ -2426,10 +2436,5 @@ out:
> > >      if(krbtgt)
> > >  	_kdc_free_ent(context, krbtgt);
> > >  
> > > 
> > > 
> 
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



