From ab6e3fce040f9ad27cbce44e9038a24f15b601c8 Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Sun, 15 Aug 2010 18:31:28 +0400
Subject: s4:heimdal: import lorikeet-heimdal-201009250123 (commit 42cabfb5b683dbcb97d583c397b897507689e382)
I based this on Matthieu's import of lorikeet-heimdal, and then updated it to this commit.
Andrew Bartlett
---
 source4/heimdal/kdc/default_config.c | 6 +++---
 source4/heimdal/kdc/kerberos5.c | 2 +-
 source4/heimdal/kdc/krb5tgs.c | 28 +++++++++++++++++++---------
 source4/heimdal/kdc/pkinit.c | 16 ++++++++--------
 source4/heimdal/kdc/windc.c | 19 ++++++++++++-------
 5 files changed, 43 insertions(+), 28 deletions(-)
(limited to 'source4/heimdal/kdc')
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index f5df4e0298..118bdf97aa 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -264,7 +264,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 if (c->pkinit_kdc_identity == NULL) {
 if (c->pkinit_kdc_friendly_name == NULL)
- c->pkinit_kdc_friendly_name =
+ c->pkinit_kdc_friendly_name =
 strdup("O=System Identity,CN=com.apple.kerberos.kdc");
 c->pkinit_kdc_identity = strdup("KEYCHAIN:");
 }
@@ -276,7 +276,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 if (c->enable_pkinit) {
 if (c->pkinit_kdc_identity == NULL)
 krb5_errx(context, 1, "pkinit enabled but no identity");
-
+
 if (c->pkinit_kdc_anchors == NULL)
 krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
@@ -287,7 +287,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->pkinit_kdc_revoke);
 }
-
+
 *config = c;
 return 0;
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index 05df86e143..9fb0998a2a 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -910,7 +910,7 @@ _kdc_as_rep(krb5_context context,
 const char *e_text = NULL;
 krb5_crypto crypto;
 Key *ckey, *skey;
- EncryptionKey *reply_key, session_key;
+ EncryptionKey *reply_key = NULL, session_key;
 int flags = 0;
 #ifdef PKINIT
 pk_client_params *pkp = NULL;
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 06a535d4d4..23f9674bef 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -314,6 +314,7 @@ check_PAC(krb5_context context,
 for (j = 0; j < child.len; j++) {
 if (child.val[j].ad_type == KRB5_AUTHDATA_WIN2K_PAC) {
+ int signed_pac = 0;
 krb5_pac pac;
 /* Found PAC */
@@ -334,19 +335,26 @@ check_PAC(krb5_context context,
 }
 ret = _kdc_pac_verify(context, client_principal,
- client, server, krbtgt, &pac);
+ client, server, krbtgt, &pac, &signed_pac);
 if (ret) {
 krb5_pac_free(context, pac);
 return ret;
 }
- *signedpath = 1;
-
- ret = _krb5_pac_sign(context, pac, tkt->authtime,
- client_principal,
- server_key, krbtgt_sign_key, rspac);
+ /*
+ * Only re-sign PAC if we could verify it with the PAC
+ * function. The no-verify case happens when we get in
+ * a PAC from cross realm from a Windows domain and
+ * that there is no PAC verification function.
+ */
+ if (signed_pac) {
+ *signedpath = 1;
+ ret = _krb5_pac_sign(context, pac, tkt->authtime,
+ client_principal,
+ server_key, krbtgt_key, rspac);
+ }
 krb5_pac_free(context, pac);
-
+
 return ret;
 }
 }
@@ -449,7 +457,7 @@ check_tgs_flags(krb5_context context,
 }
 if(f.renewable){
- if(!tgt->flags.renewable){
+ if(!tgt->flags.renewable || tgt->renew_till == NULL){
 kdc_log(context, config, 0, "Bad request for renewable ticket");
 return KRB5KDC_ERR_BADOPTION;
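Review bot: In the new `if (signed_pac)` branch the re-sign call passes `krbtgt_key` where the removed lines passed `krbtgt_sign_key`; since no other krb5tgs.c hunk renames a parameter, both names must already be in scope in check_PAC (its header is above the hunk), so the commit silently changes which key signs the outgoing PAC and that deserves a sentence in the commit message or a comment next to the call. When `signed_pac` stays 0 the PAC is neither verified nor re-signed and `*signedpath` stays 0, as the comment explains, but the function then returns success with no record of the pass-through; an `else` branch logging it in the style of the `kdc_log(context, config, 0, ...)` call in check_tgs_flags below would let an operator see cross-realm tickets whose PAC the KDC could not check, assuming `config` is reachable from check_PAC, which the hunk does not show. The `/* Found PAC */` block spans both check_PAC hunks and continues past them.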
@@ -802,7 +810,9 @@ tgs_make_reply(krb5_context context,
 et.endtime = *et.starttime + life;
 }
 if(f.renewable_ok && tgt->flags.renewable &&
- et.renew_till == NULL && et.endtime < *b->till){
+ et.renew_till == NULL && et.endtime < *b->till &&
+ tgt->renew_till != NULL)
+ {
 et.flags.renewable = 1;
 ALLOC(et.renew_till);
 *et.renew_till = *b->till;
diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index 4405bf4f19..9c0be23b14 100644
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -227,10 +227,7 @@ generate_dh_keyblock(krb5_context context,
 goto out;
 }
- dh_gen_keylen = DH_size(client_params->u.dh.key);
- size = BN_num_bytes(client_params->u.dh.key->p);
- if (size < dh_gen_keylen)
- size = dh_gen_keylen;
+ size = DH_size(client_params->u.dh.key);
 dh_gen_key = malloc(size);
 if (dh_gen_key == NULL) {
@@ -238,17 +235,20 @@ generate_dh_keyblock(krb5_context context,
 krb5_set_error_message(context, ret, "malloc: out of memory");
 goto out;
 }
- memset(dh_gen_key, 0, size - dh_gen_keylen);
- dh_gen_keylen = DH_compute_key(dh_gen_key + (size - dh_gen_keylen),
- client_params->u.dh.public_key,
- client_params->u.dh.key);
+ dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
 if (dh_gen_keylen == -1) {
 ret = KRB5KRB_ERR_GENERIC;
 krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key");
 goto out;
 }
+ if (dh_gen_keylen < size) {
+ size -= dh_gen_keylen;
+ memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
+ memset(dh_gen_key, 0, size);
+ }
+
 ret = 0;
 #ifdef HAVE_OPENSSL
 } else if (client_params->keyex == USE_ECDH) {
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index a8f1eb15d1..6efbeee9dd 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
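Review bot: After the new padding block in the second generate_dh_keyblock hunk, `size` holds the number of pad bytes and `dh_gen_keylen` still holds the unpadded length, so neither variable describes the `DH_size()`-wide secret the block just built; whatever the function later passes as the shared-secret length (outside the hunk) needs to be checked against this, because the reply key is supposed to be derived from the full-width octet string and a short or shifted length would break interoperability with peers that pad. Keeping the pad count in its own local and extending `dh_gen_keylen` to the padded width keeps both names meaning what they did at the point where the first hunk assigns `size = DH_size(...)`; the `malloc(size)` in the first hunk is unaffected. The enclosing function starts before the first hunk and continues past the second.
```c
	if (dh_gen_keylen < size) {
	    int pad = size - dh_gen_keylen;   /* leading zero octets DH_compute_key left out; typed like size */
	    memmove(dh_gen_key + pad, dh_gen_key, dh_gen_keylen);
	    memset(dh_gen_key, 0, pad);
	    dh_gen_keylen = size;             /* secret is now DH_size() octets wide */
	}
	/* … unchanged: ret = 0 and the ECDH branch … */
```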
@@ -87,14 +87,19 @@ _kdc_pac_verify(krb5_context context,
 hdb_entry_ex *client,
 hdb_entry_ex *server,
 hdb_entry_ex *krbtgt,
- krb5_pac *pac)
+ krb5_pac *pac,
+ int *verified)
 {
- if (windcft == NULL) {
- krb5_set_error_message(context, EINVAL, "Can't verify PAC, no function");
- return EINVAL;
- }
- return (windcft->pac_verify)(windcctx, context,
- client_principal, client, server, krbtgt, pac);
+ krb5_error_code ret;
+
+ if (windcft == NULL)
+ return 0;
+
+ ret = windcft->pac_verify(windcctx, context,
+ client_principal, client, server, krbtgt, pac);
+ if (ret == 0)
+ *verified = 1;
+ return ret;
 }
 krb5_error_code
-- cgit
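Review bot: `*verified` is only written on the success path of the new _kdc_pac_verify body, so a caller that does not pre-initialize its flag reads an indeterminate value both when `windcft == NULL` and when pac_verify fails; `*verified = 0;` as the first statement makes the out-parameter well-defined regardless of the caller (check_PAC in krb5tgs.c does initialize `signed_pac`, but the next caller may not). The early `return 0` turns what the removed lines reported as EINVAL into silent success, which is the cross-realm behaviour the krb5tgs.c comment describes, but that contract is stated nowhere in windc.c; a header comment such as `/* Verify a PAC via the windc plugin. Returns 0 with *verified left untouched when no plugin is loaded, so callers must treat such a PAC as unverified. */` would document it. The prototype in the private header is not part of this diff (the listing is limited to kdc/), so the declaration change should be confirmed there.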