From b2b951d14fa9464cf2333e611e5b651e1d57cf01 Mon Sep 17 00:00:00 2001 From: Uri Simchoni Date: Tue, 17 May 2016 13:45:11 +0300 Subject: [PATCH] heimdal make kvno unisgned internally The folks at heimdal didn't like the patch in commit 6379737b7ddc6ccb752238c5820cc62e76a8da17 and insisted that kvno should remain unsigned internally, even though it is encoded as signed in packets. This patch reverts some of the unsigned->signed changes in that commit, and resolves conversion issues - in order to be aligned with upstream Heimdal. Signed-off-by: Uri Simchoni Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue May 24 03:00:39 CEST 2016 on sn-devel-144 --- source4/heimdal/kdc/krb5tgs.c | 17 +++++++++++++++-- source4/heimdal/kdc/misc.c | 2 +- source4/torture/rpc/lsa.c | 2 +- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 1d0d1ddc3fa..c221c903461 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -1174,6 +1174,8 @@ tgs_parse_request(krb5_context context, Key *tkey; krb5_keyblock *subkey = NULL; unsigned usage; + krb5uint32 kvno = 0; + krb5uint32 *kvno_ptr = NULL; *auth_data = NULL; *csec = NULL; @@ -1201,7 +1203,12 @@ tgs_parse_request(krb5_context context, ap_req.ticket.sname, ap_req.ticket.realm); - ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, ap_req.ticket.enc_part.kvno, NULL, krbtgt); + if (ap_req.ticket.enc_part.kvno) { + kvno = *ap_req.ticket.enc_part.kvno; + kvno_ptr = &kvno; + } + ret = _kdc_db_fetch(context, config, princ, HDB_F_GET_KRBTGT, kvno_ptr, + NULL, krbtgt); if(ret == HDB_ERR_NOT_FOUND_HERE) { char *p; @@ -1541,6 +1548,8 @@ tgs_build_reply(krb5_context context, hdb_entry_ex *uu; krb5_principal p; Key *uukey; + krb5uint32 second_kvno = 0; + krb5uint32 *kvno_ptr = NULL; if(b->additional_tickets == NULL || b->additional_tickets->len == 0){ @@ -1557,8 +1566,12 @@ tgs_build_reply(krb5_context context, goto out; } _krb5_principalname2krb5_principal(context, &p, t->sname, t->realm); + if(t->enc_part.kvno){ + second_kvno = *t->enc_part.kvno; + kvno_ptr = &second_kvno; + } ret = _kdc_db_fetch(context, config, p, - HDB_F_GET_KRBTGT, t->enc_part.kvno, + HDB_F_GET_KRBTGT, kvno_ptr, NULL, &uu); krb5_free_principal(context, p); if(ret){ diff --git a/source4/heimdal/kdc/misc.c b/source4/heimdal/kdc/misc.c index 6fd5119deca..b0bc38a2b6f 100644 --- a/source4/heimdal/kdc/misc.c +++ b/source4/heimdal/kdc/misc.c @@ -40,7 +40,7 @@ _kdc_db_fetch(krb5_context context, krb5_kdc_configuration *config, krb5_const_principal principal, unsigned flags, - krb5int32 *kvno_ptr, + krb5uint32 *kvno_ptr, HDB **db, hdb_entry_ex **h) { diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 4d0084bd42d..fa884fb17ee 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -3183,7 +3183,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, const char *old_password = cli_credentials_get_old_password(credentials); int kvno = cli_credentials_get_kvno(credentials); int expected_kvno = 0; - krb5int32 t_kvno = 0; + krb5uint32 t_kvno = 0; const char *host = torture_setting_string(tctx, "host", NULL); krb5_error_code k5ret; krb5_boolean k5ok; -- 2.34.1