From: Joseph Sutton Date: Mon, 12 Jun 2023 00:12:06 +0000 (+1200) Subject: third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86e... X-Git-Tag: talloc-2.4.1~309 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc4740426d2f43ca7703e3e4e6ef71c902ce5cd3;p=thirdparty%2Fsamba.git third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- diff --git a/third_party/heimdal/kdc/default_config.c b/third_party/heimdal/kdc/default_config.c index 83c73504ce7..ce29dcc4b5a 100644 --- a/third_party/heimdal/kdc/default_config.c +++ b/third_party/heimdal/kdc/default_config.c @@ -102,6 +102,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->trpolicy = TRPOLICY_ALWAYS_CHECK; c->require_pac = FALSE; c->enable_fast = TRUE; + c->enable_fast_cookie = TRUE; c->enable_armored_pa_enc_timestamp = TRUE; c->enable_unarmored_pa_enc_timestamp = TRUE; c->enable_pkinit = FALSE; @@ -271,6 +272,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) "enable_fast", NULL); + c->enable_fast_cookie = + krb5_config_get_bool_default(context, + NULL, + c->enable_fast_cookie, + "kdc", + "enable_fast_cookie", + NULL); + c->enable_armored_pa_enc_timestamp = krb5_config_get_bool_default(context, NULL, diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index 969b5d2f8da..1352a10fe01 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c 
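Review bot: `c->enable_fast_cookie` receives a default in the first hunk, but the companion field `c->dummy_fast_cookie` (added to kdc.h in this commit) receives none, and fast_add_dummy_cookie in fast.c decides whether to emit it by testing `dummy_fast_cookie->data == NULL`; that is only safe if the configuration struct is zero-allocated, which is not visible in this hunk. Suggest adding `krb5_data_zero(&c->dummy_fast_cookie);` beside the new `c->enable_fast_cookie = TRUE;` so the dummy cookie is explicitly empty until the embedding application sets it. Note that this diff reads no krb5.conf key for the dummy cookie, so as far as the change shows it can only be set programmatically. krb5_kdc_get_config begins and ends outside both hunks; the second hunk at @@ -271 just reads `enable_fast_cookie` from the `[kdc]` section and needs no change.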
@@ -266,6 +266,33 @@ fast_add_cookie(astgs_request_t r, return ret; } +static krb5_error_code +fast_add_dummy_cookie(astgs_request_t r, + METHOD_DATA *method_data) +{ + krb5_error_code ret; + krb5_data data; + const krb5_data *dummy_fast_cookie = &r->config->dummy_fast_cookie; + + if (dummy_fast_cookie->data == NULL) + return 0; + + ret = krb5_data_copy(&data, + dummy_fast_cookie->data, + dummy_fast_cookie->length); + if (ret) + return ret; + + ret = krb5_padata_add(r->context, method_data, + KRB5_PADATA_FX_COOKIE, + data.data, data.length); + if (ret) { + krb5_data_free(&data); + } + + return ret; +} + krb5_error_code _kdc_fast_mk_response(krb5_context context, krb5_crypto armor_crypto, @@ -341,13 +368,24 @@ _kdc_fast_mk_e_data(astgs_request_t r, * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS. */ if (armor_crypto || r->fast.fast_state.len) { - kdc_log(r->context, r->config, 5, "Adding FAST cookie for KRB-ERROR"); - ret = fast_add_cookie(r, error_client, error_method); - if (ret) { - kdc_log(r->context, r->config, 1, - "Failed to add FAST cookie: %d", ret); - free_METHOD_DATA(error_method); - return ret; + if (r->config->enable_fast_cookie) { + kdc_log(r->context, r->config, 5, "Adding FAST cookie for KRB-ERROR"); + ret = fast_add_cookie(r, error_client, error_method); + if (ret) { + kdc_log(r->context, r->config, 1, + "Failed to add FAST cookie: %d", ret); + free_METHOD_DATA(error_method); + return ret; + } + } else { + kdc_log(r->context, r->config, 5, "Adding dummy FAST cookie for KRB-ERROR"); + ret = fast_add_dummy_cookie(r, error_method); + if (ret) { + kdc_log(r->context, r->config, 1, + "Failed to add dummy FAST cookie: %d", ret); + free_METHOD_DATA(error_method); + return ret; + } } } 
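Review bot: fast_add_dummy_cookie, which is complete within this hunk, has no header comment, and its buffer ownership is easy to misread: `data` is freed only on the failure branch, which is correct only because krb5_padata_add keeps the buffer on success (a library contract not visible here). Suggest a comment above the function such as `/* Emit the statically configured dummy_fast_cookie as PA-FX-COOKIE when real cookie handling is disabled; the KDC keeps no state in it. Returns 0 without adding anything when no dummy cookie is configured. */` and, on the `krb5_data_free(&data);` branch, `/* krb5_padata_add took ownership on success */`. The trailing context lines are the signature of _kdc_fast_mk_response, whose body continues outside the hunk.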
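Review bot: The level-5 log `Adding dummy FAST cookie for KRB-ERROR` in the new `else` branch is emitted even when `r->config->dummy_fast_cookie.data` is NULL, in which case fast_add_dummy_cookie returns 0 without adding any padata, so the log misstates what the error reply carries. The two branches also duplicate the same failure handling (log, free_METHOD_DATA, return); folding them into one shared error path keeps the log accurate and removes the repetition. _kdc_fast_mk_e_data begins and ends outside this hunk.
```c
        if (r->config->enable_fast_cookie) {
            kdc_log(r->context, r->config, 5, "Adding FAST cookie for KRB-ERROR");
            ret = fast_add_cookie(r, error_client, error_method);
        } else {
            /* fast_add_dummy_cookie is a no-op when no dummy cookie is configured */
            if (r->config->dummy_fast_cookie.data != NULL)
                kdc_log(r->context, r->config, 5, "Adding dummy FAST cookie for KRB-ERROR");
            ret = fast_add_dummy_cookie(r, error_method);
        }
        if (ret) {
            kdc_log(r->context, r->config, 1,
                    "Failed to add %sFAST cookie: %d",
                    r->config->enable_fast_cookie ? "" : "dummy ", ret);
            free_METHOD_DATA(error_method);
            return ret;
        }
```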
@@ -803,17 +841,19 @@ _kdc_fast_unwrap_request(astgs_request_t r, if (ret) return ret; - /* - * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS. - */ - pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_COOKIE); - if (pa) { - krb5_const_principal ticket_client = NULL; + if (r->config->enable_fast_cookie) { + /* + * FX-COOKIE can be used outside of FAST, e.g. SRP or GSS. + */ + pa = _kdc_find_padata(&r->req, &i, KRB5_PADATA_FX_COOKIE); + if (pa) { + krb5_const_principal ticket_client = NULL; - if (tgs_ticket) - ticket_client = tgs_ticket->client; + if (tgs_ticket) + ticket_client = tgs_ticket->client; - ret = fast_parse_cookie(r, ticket_client, pa); + ret = fast_parse_cookie(r, ticket_client, pa); + } } return ret; diff --git a/third_party/heimdal/kdc/kdc.h b/third_party/heimdal/kdc/kdc.h index 31e54325452..057d29a02a1 100644 --- a/third_party/heimdal/kdc/kdc.h +++ b/third_party/heimdal/kdc/kdc.h @@ -92,6 +92,12 @@ struct krb5_kdc_service { size_t num_db; \ const char *app; \ \ + /* + * If non-null, contains static dummy data to include in + * place of the FAST cookie when it is disabled. + */ \ + krb5_data dummy_fast_cookie; \ + \ /* \ * Windows 2019 (and earlier versions) always sends the salt\ * and Samba has testsuites that check this behaviour, so a \ @@ -107,6 +113,7 @@ struct krb5_kdc_service { \ unsigned int require_pac : 1; \ unsigned int enable_fast : 1; \ + unsigned int enable_fast_cookie : 1; \ unsigned int enable_armored_pa_enc_timestamp : 1 #ifndef __KDC_LOCL_H__ diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index 26680e0e736..6d4887a44a6 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c 
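Review bot: The new `if (r->config->enable_fast_cookie)` guard makes the KDC ignore an incoming PA-FX-COOKIE when the option is off, but nothing at the site says why it is ignored rather than rejected as unexpected pre-authentication data. Suggest a comment above the condition, `/* Cookie handling disabled: any PA-FX-COOKIE (presumably the dummy cookie we sent in a KRB-ERROR) is ignored, never parsed. */`, which also records the useful property that untrusted cookie bytes no longer reach fast_parse_cookie in this mode. The moved comment about FX-COOKIE outside FAST is unchanged in wording and fits where it now sits. _kdc_fast_unwrap_request begins outside this hunk.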
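Review bot: In the kdc.h hunk at @@ -92 the new comment lines `/*`, `* If non-null, contains static dummy data to include in` and `* place of the FAST cookie when it is disabled.` carry no trailing backslash, unlike every other line of this macro body (the existing `/* \` and `* Windows 2019 (and earlier versions) always sends the salt\` just below). It compiles because a block comment is consumed as a whole before the directive ends, but the file's convention is to continue each line explicitly, and a later switch to `//` comments there would silently terminate the macro. Suggest ending each of the three lines with `\` to match the `/* \` form, and rewording `If non-null` to `If .data is non-NULL`, since krb5_data is a struct and fast_add_dummy_cookie in fast.c tests the `.data` member. The @@ -107 hunk adding the `enable_fast_cookie : 1` bitfield needs no change.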
@@ -1282,6 +1282,7 @@ struct kdc_patypes { #define PA_SYNTHETIC_OK 4 #define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */ #define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */ +#define PA_USES_FAST_COOKIE 32 /* Multi-step PA mech maintains state in PA-FX-COOKIE */ krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa); krb5_error_code (*finalize_pac)(astgs_request_t r); void (*cleanup)(astgs_request_t r); @@ -1324,7 +1325,7 @@ static const struct kdc_patypes pat[] = { { KRB5_PADATA_FX_COOKIE, "FX-COOKIE", 0, NULL, NULL, NULL }, { KRB5_PADATA_GSS , "GSS", - PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY, + PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY | PA_USES_FAST_COOKIE, pa_gss_validate, pa_gss_finalize_pac, NULL }, }; @@ -2531,6 +2532,8 @@ _kdc_as_rep(astgs_request_t r) continue; if (r->armor_crypto == NULL && (pat[n].flags & PA_REQ_FAST)) continue; + if (!r->config->enable_fast_cookie && (pat[n].flags & PA_USES_FAST_COOKIE)) + continue; kdc_log(r->context, config, 5, "Looking for %s pa-data -- %s", pat[n].name, r->cname); @@ -2614,6 +2617,8 @@ _kdc_as_rep(astgs_request_t r) continue; if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth) continue; + if (!r->config->enable_fast_cookie && (pat[n].flags & PA_USES_FAST_COOKIE)) + continue; ret = krb5_padata_add(r->context, r->rep.padata, pat[n].type, NULL, 0); diff --git a/third_party/heimdal/lib/krb5/krb5.conf.5 b/third_party/heimdal/lib/krb5/krb5.conf.5 index 06d069d251a..3d9fea6626e 100644 --- a/third_party/heimdal/lib/krb5/krb5.conf.5 +++ b/third_party/heimdal/lib/krb5/krb5.conf.5 
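Review bot: The skip `if (!r->config->enable_fast_cookie && (pat[n].flags & PA_USES_FAST_COOKIE)) continue;` in the @@ -2531 hunk is silent and its rationale lives only in the `#define` comment at @@ -1282; the identical predicate is repeated in the announce loop at @@ -2614 with the same gap. Suggest a one-line comment at both sites, `/* Multi-step PA mechs keep their state in PA-FX-COOKIE; without it they presumably cannot complete a round trip, so neither accept nor announce them */`, so a reader of either loop sees why GSS (the only entry flagged PA_USES_FAST_COOKIE at @@ -1324) disappears when the cookie is turned off. _kdc_as_rep begins and ends outside both hunks.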
@@ -830,6 +830,9 @@ Allow address-less tickets. .\" XXX .It Li enable_fast = Va BOOL Enable RFC 6113 FAST support, this is enabled by default. +.It Li enable_fast_cookie = Va BOOL +If FAST is enabled, enable support for the FAST cookie +and mechanisms that require it. .It Li enable_armored_pa_enc_timestamp = Va BOOL Enable armored encrypted timestamp pre-authentication with key strengthening.