kdc: avoid re-encoding KDC-REQ-BODY

Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.

[abartlet@samba.org adapted from Heimdal commit
 ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
 by removing references to FAST and GSS-pre-auth.

 This fixes the Windows 11 22H2 issue with TGS-REQ
 as seen at https://github.com/heimdal/heimdal/issues/1011 and so
 removes the knownfail file for this test]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org private autobuild passed]

diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2
deleted file mode 100644 (file)
index 69980ce..0000000
--- a/selftest/knownfail.d/windows11-22h2
+++ /dev/null
@@ -1,2 +0,0 @@
-# This tests shows the new timestamp from Windows 11 22H2 which fails in this version
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
\ No newline at end of file

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index b8c8c39a3d47991eecd094fab607ced802e1e490..3461cf0ef575e081271c5af8cc32eb4720c517a9 100644 (file)
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
                        krb5_keyblock *key)
 {
     krb5_authenticator auth;
-    size_t len = 0;
-    unsigned char *buf;
-    size_t buf_size;
     krb5_error_code ret;
     krb5_crypto crypto;
 
@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
        goto out;
     }
 
-    /* XXX should not re-encode this */
-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
-    if(ret){
-       const char *msg = krb5_get_error_message(context, ret);
-       kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
-       krb5_free_error_message(context, msg);
-       goto out;
-    }
-    if(buf_size != len) {
-       free(buf);
-       kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
-       *e_text = "KDC internal error";
-       ret = KRB5KRB_ERR_GENERIC;
-       goto out;
-    }
     ret = krb5_crypto_init(context, key, 0, &crypto);
     if (ret) {
        const char *msg = krb5_get_error_message(context, ret);
-       free(buf);
        kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
        krb5_free_error_message(context, msg);
        goto out;
@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
     ret = krb5_verify_checksum(context,
                               crypto,
                               KRB5_KU_TGS_REQ_AUTH_CKSUM,
-                              buf,
-                              len,
+                              b->_save.data,
+                              b->_save.length,
                               auth->cksum);
-    free(buf);
     krb5_crypto_destroy(context, crypto);
     if(ret){
        const char *msg = krb5_get_error_message(context, ret);

diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
index ad7f3efc10a77bfa6ee160e0fe61919291977ff6..64ea4c00e41bddbc673612b70ab04822d894d3fe 100644 (file)
--- a/source4/heimdal/kdc/pkinit.c
+++ b/source4/heimdal/kdc/pkinit.c
@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
                         PKAuthenticator *a,
                         const KDC_REQ *req)
 {
-    u_char *buf = NULL;
-    size_t buf_size;
     krb5_error_code ret;
-    size_t len = 0;
     krb5_timestamp now;
     Checksum checksum;
 
@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
        return KRB5KRB_AP_ERR_SKEW;
     }
 
-    ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
-    if (ret) {
-       krb5_clear_error_message(context);
-       return ret;
-    }
-    if (buf_size != len)
-       krb5_abortx(context, "Internal error in ASN.1 encoder");
-
     ret = krb5_create_checksum(context,
                               NULL,
                               0,
                               CKSUMTYPE_SHA1,
-                              buf,
-                              len,
+                              req->req_body._save.data,
+                              req->req_body._save.length,
                               &checksum);
-    free(buf);
     if (ret) {
        krb5_clear_error_message(context);
        return ret;

diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt
index 1d6d5e8989f133d5978c8ecf16468ab63bdadac1..5acc596d39ce23bbd9e3428b69a1dbc3504bc9d2 100644 (file)
--- a/source4/heimdal/lib/asn1/krb5.opt
+++ b/source4/heimdal/lib/asn1/krb5.opt
@@ -4,3 +4,4 @@
 --sequence=METHOD-DATA
 --sequence=ETYPE-INFO
 --sequence=ETYPE-INFO2
+--preserve-binary=KDC-REQ-BODY