third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 25 Sep 2023 00:16:43 +0000 (13:16 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 26 Oct 2023 01:24:32 +0000 (01:24 +0000)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
third_party/heimdal/kcm/protocol.c
third_party/heimdal/kdc/krb5tgs.c
third_party/heimdal/lib/hdb/common.c
third_party/heimdal/lib/krb5/libkrb5-exports.def.in
third_party/heimdal/lib/krb5/principal.c
third_party/heimdal/lib/krb5/test_pac.c
third_party/heimdal/lib/krb5/version-script.map

index 31f17623d01d2c1a3d3d689bca3326c46cf7777f..b5442e458913b380b4911a26f8f8dd2e834ac7c2 100644 (file)
@@ -333,9 +333,7 @@ kcm_op_retrieve(krb5_context context,
        return ret;
     }
 
-    if (disallow_getting_krbtgt &&
-       mcreds.server->name.name_string.len == 2 &&
-       strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+    if (disallow_getting_krbtgt && krb5_principal_is_krbtgt(context, mcreds.server))
     {
        free(name);
        krb5_free_cred_contents(context, &mcreds);
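Review bot: The new condition passes `mcreds.server` to `krb5_principal_is_krbtgt()`, which dereferences it unconditionally (`&p->name` in the principal.c hunk), so this deny check relies on the request parser always filling in a server principal. That parsing is outside the hunk; if a client can omit the server from the match credentials, the request should be rejected explicitly ahead of this test (a `mcreds.server == NULL` branch that frees and returns an error), so it neither crashes nor skips the check. The helper also matches one-component as well as two-component `krbtgt` names, so the refusal is slightly broader than the `len == 2` test it replaces; a one-line comment saying so would help. The body of kcm_op_retrieve continues outside the hunk.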
index 6ba3efccc4a51319ffe84e0aed45d31864e16268..af80450c4b0e3deb077371ac79e324043e8c9923 100644 (file)
@@ -962,7 +962,13 @@ tgs_parse_request(astgs_request_t r,
        goto out;
     }
 
-    if(!get_krbtgt_realm(&ap_req.ticket.sname)){
+    if(!krb5_principalname_is_krbtgt(r->context, &ap_req.ticket.sname)){
+       /*
+        * Note: this check is not to be depended upon for security. Nothing
+        * prevents a client modifying the sname, as it is located in the
+        * unencrypted part of the ticket.
+        */
+
        /* XXX check for ticket.sname == req.sname */
        kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket");
        ret = KRB5KDC_ERR_POLICY; /* ? */
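Review bot: `krb5_principalname_is_krbtgt()` accepts a one-component `krbtgt` name, whereas the other checks this commit replaces required `name_string.len == 2`, and `get_krbtgt_realm()` presumably did the same (its body is not shown). Any code after this check in tgs_parse_request that reads `ap_req.ticket.sname.name_string.val[1]` as the realm would then need its own `len == 2` test, since the sname is client-controlled, as the new comment says. The same applies to the `&t->sname` check in the `server_lookup` hunk and to callers of the exported `krb5_principal_is_krbtgt()`, which now inherits the wider match. Both function bodies extend beyond the hunks, so this needs confirming against the full file. The new comment would also read better directly above the `if`, without the blank line that separates it from the code it qualifies.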
@@ -1631,7 +1637,13 @@ server_lookup:
                goto out;
            }
            t = &b->additional_tickets->val[0];
-           if(!get_krbtgt_realm(&t->sname)){
+           if(!krb5_principalname_is_krbtgt(context, &t->sname)){
+               /*
+                * Note: this check is not to be depended upon for
+                * security. Nothing prevents a client modifying the sname, as
+                * it is located in the unencrypted part of the ticket.
+                */
+
                kdc_log(context, config, 4,
                        "Additional ticket is not a ticket-granting ticket");
                kdc_audit_addreason((kdc_request_t)priv,
index 1c947b3cfc5474c6b1531776741b923b2692af16..f86481dd9ead8e6cd1f09196e51c2b5505807742 100644 (file)
@@ -1616,7 +1616,7 @@ fetch_it(krb5_context context,
     if (!db->enable_virtual_hostbased_princs)
         maxdots = mindots = 0;
     if (db->enable_virtual_hostbased_princs && comp1 &&
-        strcmp("krbtgt", comp0) != 0 && strcmp(KRB5_WELLKNOWN_NAME, comp0) != 0) {
+        (comp0 == NULL || (strcmp("krbtgt", comp0) != 0 && strcmp(KRB5_WELLKNOWN_NAME, comp0) != 0))) {
         char *htmp;
 
         if ((host = strdup(comp1)) == NULL)
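Review bot: With the added `comp0 == NULL ||`, the branch is now entered when the first component is missing, instead of passing NULL to `strcmp()`. Whether a principal with `comp1` set but no `comp0` can reach this point, and whether it should take the virtual host-based path or be skipped, is not visible in the hunk; if skipping is intended, the test should start with `comp0 != NULL &&` instead. Either way a short comment such as `/* a missing first component is neither krbtgt nor WELLKNOWN */` would record the decision, and the condition is worth wrapping because it runs well past 80 columns. fetch_it continues outside the hunk.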
index 3845cd73601a425397612d230337fd09849f80fd..4870de90d1f1973440b5fd886ed617fc1b5b64df 100644 (file)
@@ -539,6 +539,7 @@ EXPORTS
        krb5_principal_set_comp_string
        krb5_principal_set_realm
        krb5_principal_set_type
+       krb5_principalname_is_krbtgt
        krb5_print_address
        krb5_program_setup
        krb5_prompter_posix
index 4a8e66deb4162925094b45f4d963e4ee9af98655..33ebd19ffe0ddfabf9168278ed69014295850049 100644 (file)
@@ -1244,6 +1244,20 @@ krb5_principal_is_pku2u(krb5_context context, krb5_const_principal principal)
     return strcmp(principal->realm, KRB5_PKU2U_REALM_NAME) == 0;
 }
 
+/**
+ * Check if the cname part of the principal name is a krbtgt principal
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principalname_is_krbtgt(krb5_context context, const PrincipalName *p)
+{
+    return 1 <= p->name_string.len &&
+       p->name_string.len <= 2 &&
+       strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0;
+}
+
 /**
  * Check if the cname part of the principal is a krbtgt principal
  *
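Review bot: The doc comment for `krb5_principalname_is_krbtgt()` does not say what the function actually tests. It says "cname part" although callers in this commit pass a ticket sname, and it omits that names with one or two components match, that only `val[0]` is compared with `KRB5_TGS_NAME`, and that the realm component is not examined. I would reword the summary to `Check whether the first component of a PrincipalName is "krbtgt" and the name has one or two components`, add `@param`/`@return` lines, and state that `context` is unused and `p` must not be NULL. Since the KDC hunks call this on the unencrypted sname, the comment should also say the result is a syntactic test only, not an authorization decision.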
@@ -1253,8 +1267,7 @@ krb5_principal_is_pku2u(krb5_context context, krb5_const_principal principal)
 KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
 krb5_principal_is_krbtgt(krb5_context context, krb5_const_principal p)
 {
-    return p->name.name_string.len == 2 &&
-       strcmp(p->name.name_string.val[0], KRB5_TGS_NAME) == 0;
+    return krb5_principalname_is_krbtgt(context, &p->name);
 }
 
 /**
index 70da1cb62665feeb43ee360ccf5c440f6e6dceda..89434ccd09fcc7a365f106874895fd2f485df2e9 100644 (file)
@@ -823,13 +823,6 @@ t_err(krb5_context context,
    krb5_err(context, 1, error, "test %s failed in %s", test, func);
 }
 
-static krb5_boolean
-is_krbtgt(const PrincipalName *p)
-{
-    return (p->name_string.len == 2 &&
-           strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0);
-}
-
 static void
 check_ticket_signature(krb5_context context,
                       const struct test_pac_ticket *tkt)
@@ -875,7 +868,9 @@ check_ticket_signature(krb5_context context,
     if (ret)
        t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse", ret);
 
-    heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+    heim_assert(!krb5_principalname_is_krbtgt(context,
+                                             &ticket.sname) == !!signedticket,
+               "ticket-signature");
 
     ret = krb5_pac_verify(context, pac, et.authtime, client,
                          tkt->key, tkt->kdc_key);
@@ -932,7 +927,9 @@ check_ticket_signature(krb5_context context,
     if (ret)
        t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse 2", ret);
 
-    heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
+    heim_assert(!krb5_principalname_is_krbtgt(context,
+                                             &ticket.sname) == !!signedticket,
+               "ticket-signature");
 
     ret = krb5_pac_verify(context, pac, et.authtime, client, tkt->key,
                          tkt->kdc_key);
index a81b08fa14786dc7bfe917006a02d013d9fcd844..f2cfa3cd3f9bb7fb27f2e573d7787fc1953b4889 100644 (file)
@@ -532,6 +532,7 @@ HEIMDAL_KRB5_2.0 {
                krb5_principal_is_federated;
                krb5_principal_is_krbtgt;
                krb5_principal_is_root_krbtgt;
+               krb5_principalname_is_krbtgt;
                krb5_print_address;
                krb5_program_setup;
                krb5_prompter_posix;