kdc: add KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY support in pa_enc_chal_validate()
authorStefan Metzmacher <metze@samba.org>
Tue, 15 Feb 2022 17:26:55 +0000 (18:26 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 5 Jan 2024 12:40:13 +0000 (13:40 +0100)
If the pre-authentication fails using the keys belonging to the current
kvno, we'll retry it with 2 passwords from the password history.
If we find such passwords were used for the pre-authentication,
we change KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY into
KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970

Signed-off-by: Stefan Metzmacher <metze@samba.org>
third_party/heimdal/kdc/kerberos5.c

index 4663b236cd334756d4e56f49fc31ffb6e23ab897..1935434f144acff4ee5d79a7089954853b628600 100644 (file)
@@ -888,14 +888,51 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
        return ret;
     }
     if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
+       krb5_error_code hret = ret;
+       int hi;
+
        /*
         * Logging happens inside of
         * via pa_enc_chal_decrypt_kvno()
         */
+
+       /*
+        * Check if old and older keys are
+        * able to decrypt.
+        */
+       for (hi = 1; hi < 3; hi++) {
+           krb5_kvno hkvno;
+
+           if (hi >= kvno) {
+               break;
+           }
+
+           hkvno = kvno - hi;
+           hret = pa_enc_chal_decrypt_kvno(r, aenctype,
+                                           &pepper1client,
+                                           NULL, /* pepper1kdc */
+                                           &pepper2,
+                                           hkvno,
+                                           &enc_data,
+                                           NULL, /* KDCchallengekey */
+                                           NULL); /* used_key */
+           if (hret == 0) {
+               break;
+           }
+           if (hret == KRB5KDC_ERR_ETYPE_NOSUPP) {
+               break;
+           }
+       }
+
        free_EncryptedData(&enc_data);
 
-       kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
-                              KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
+       if (hret == 0)
+           kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
+                                  KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY);
+       else
+           kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
+                                  KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY);
+
        return ret;
     }
     free_EncryptedData(&enc_data);
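Review bot: The historic-key retry only changes the audit event — `ret` is never reassigned inside the loop (the retries write `hret`) and it is what `return ret;` hands back, so a decrypt with an older kvno still leaves the request rejected with KRB5KDC_ERR_PREAUTH_FAILED; that is the right outcome, but nothing in the hunk says so and a reader of `if (hret == 0)` could mistake it for an acceptance path. I would extend the comment above the loop to make it explicit, e.g. `/* Try the previous kvnos only to classify the failure for auditing: ret stays KRB5KDC_ERR_PREAUTH_FAILED and the request is still rejected. */`. The bound in `for (hi = 1; hi < 3; hi++)` is the "2 passwords from the password history" from the description and deserves a named constant or at least a comment tying it to that depth, since the `hi >= kvno` guard is what keeps `kvno - hi` from wrapping the unsigned krb5_kvno. Each retry calls pa_enc_chal_decrypt_kvno() with a NULL used_key and, given the existing note that logging happens inside that function, presumably emits its own failure log per historic kvno — worth confirming that is the intended audit volume. pa_enc_chal_validate() starts before the hunk and continues past it; `kvno`, `aenctype`, the peppers and `enc_data` all come from outside it.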