From: Joseph Sutton Date: Tue, 31 Oct 2023 00:22:05 +0000 (+1300) Subject: third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3... X-Git-Tag: talloc-2.4.2~916 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57c543a1d91112301b38e3832f706684b4d30877;p=thirdparty%2Fsamba.git third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index b63d0b16a9d..7b96371723e 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -426,12 +426,6 @@ _kdc_fast_mk_e_data(astgs_request_t r, } r->e_text = NULL; - if (r->fast.flags.requested_hidden_names) { - error_client = NULL; - error_server = NULL; - } - csec = 0; - cusec = 0; ret = _kdc_fast_mk_response(r->context, armor_crypto, error_method, NULL, NULL, @@ -488,8 +482,8 @@ _kdc_fast_mk_error(astgs_request_t r, heim_assert(r != NULL, "invalid request in _kdc_fast_mk_error"); - if (r->e_data != NULL) { - e_data = r->e_data; + if (r->e_data.length) { + e_data = &r->e_data; } else { ret = _kdc_fast_mk_e_data(r, error_method, @@ -509,6 +503,15 @@ _kdc_fast_mk_error(astgs_request_t r, e_data = &_e_data; } + if (armor_crypto) { + if (r->fast.flags.requested_hidden_names) { + error_client = NULL; + error_server = NULL; + } + csec = 0; + cusec = 0; + } + ret = krb5_mk_error(r->context, outer_error, r->e_text, diff --git a/third_party/heimdal/kdc/kdc-plugin.c b/third_party/heimdal/kdc/kdc-plugin.c index 50015b407dc..3b065c698d1 100644 --- a/third_party/heimdal/kdc/kdc-plugin.c +++ b/third_party/heimdal/kdc/kdc-plugin.c 
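Review bot: In `_kdc_fast_mk_error` the new test `if (r->e_data.length)` can no longer tell an override that was set to empty from no override at all, which the old pointer check could, so a plugin that sets zero-length e-data now falls through to `_kdc_fast_mk_e_data`. If that is intended, it should be stated where the override is documented. The override branch also passes `&r->e_data` on without going through `_kdc_fast_mk_e_data`, so on an armored request it presumably reaches the outer error unwrapped; a comment such as `/* plugin-supplied e-data is used as-is and is not FAST-wrapped */` would make that visible to plugin authors. The function starts and ends outside the hunk.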
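Review bot: The new `if (armor_crypto)` block in `_kdc_fast_mk_error` has no comment saying why the client time and names are cleared here rather than in `_kdc_fast_mk_e_data`, where this commit removes the same statements. The block sits after the if/else that selects the e-data, so it appears to run for plugin-supplied e-data as well; I would add `/* Under FAST armor the outer KRB-ERROR carries no client time, and no names if the client asked to hide them; this also covers overridden e-data. */` above it. A regression test for an armored request with overridden e-data would pin that behaviour, and none is visible in this diff. The `krb5_mk_error` call continues outside the hunk.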
@@ -530,6 +530,19 @@ kdc_request_add_pac_buffer(astgs_request_t r, return ret; } +/* + * Override the e-data field to be returned in an error reply. The data will be + * owned by the KDC and eventually will be freed with krb5_data_free(). + */ +KDC_LIB_FUNCTION krb5_error_code KDC_LIB_CALL +kdc_request_set_e_data(astgs_request_t r, heim_octet_string e_data) +{ + krb5_data_free(&r->e_data); + r->e_data = e_data; + + return 0; +} + #undef _KDC_REQUEST_GET_ACCESSOR #define _KDC_REQUEST_GET_ACCESSOR(R, T, f) \ KDC_LIB_FUNCTION T KDC_LIB_CALL \ diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index 8a6add4d22c..76cecd3e12f 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c @@ -505,27 +505,6 @@ _kdc_set_e_text(astgs_request_t r, const char *fmt, ...) kdc_log(r->context, r->config, 4, "%s", e_text); } -/* - * Override the e-data field to be returned in an error reply. The data will be - * owned by the KDC and eventually will be freed with krb5_data_free(). - */ -krb5_error_code -kdc_set_e_data(astgs_request_t r, heim_octet_string e_data) -{ - if (r->e_data == NULL) { - ALLOC(r->e_data); - if (r->e_data == NULL) { - return ENOMEM; - } - } else { - krb5_data_free(r->e_data); - } - - *r->e_data = e_data; - - return 0; -} - void _kdc_log_timestamp(astgs_request_t r, const char *type, KerberosTime authtime, KerberosTime *starttime, diff --git a/third_party/heimdal/kdc/libkdc-exports.def b/third_party/heimdal/kdc/libkdc-exports.def index a6aaf94d3fc..1d42b8c570c 100644 --- a/third_party/heimdal/kdc/libkdc-exports.def +++ b/third_party/heimdal/kdc/libkdc-exports.def @@ -63,6 +63,7 @@ EXPORTS kdc_request_set_canon_client_princ kdc_request_set_client_princ kdc_request_set_cname + kdc_request_set_e_data kdc_request_set_error_code kdc_request_set_krbtgt_princ kdc_request_set_pac 
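Review bot: `kdc_request_set_e_data` frees the old buffer before storing the new one, so a caller that passes back the buffer the request already holds (for example a copy of `r->e_data`) leaves `r->e_data.data` pointing at freed memory, which the request cleanup in process.c then frees again. Guarding the free closes that: `if (r->e_data.data != e_data.data) krb5_data_free(&r->e_data);`. Because the octet string is taken by value, the caller keeps its own copy of the pointer, so the comment should add that the caller must not free or reuse `e_data.data` after the call. The function now always returns 0, which deserves a word in the comment as well, since the removed `kdc_set_e_data` could return ENOMEM.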
@@ -71,7 +72,6 @@ EXPORTS kdc_request_set_reply_key kdc_request_set_server_princ kdc_request_set_sname - kdc_set_e_data kdc_audit_addkv kdc_audit_addkv_number kdc_audit_addkv_object diff --git a/third_party/heimdal/kdc/process.c b/third_party/heimdal/kdc/process.c index d07c9c06280..b53d91ffc22 100644 --- a/third_party/heimdal/kdc/process.c +++ b/third_party/heimdal/kdc/process.c @@ -429,8 +429,7 @@ process_request(krb5_context context, free(r->cname); free(r->sname); free(r->e_text_buf); - if (r->e_data) - krb5_free_data(context, r->e_data); + krb5_data_free(&r->e_data); } heim_release(r->reason); diff --git a/third_party/heimdal/kdc/version-script.map b/third_party/heimdal/kdc/version-script.map index 415526c007c..c644b30c8e4 100644 --- a/third_party/heimdal/kdc/version-script.map +++ b/third_party/heimdal/kdc/version-script.map @@ -66,6 +66,7 @@ HEIMDAL_KDC_1.0 { kdc_request_set_canon_client_princ; kdc_request_set_client_princ; kdc_request_set_cname; + kdc_request_set_e_data; kdc_request_set_error_code; kdc_request_set_krbtgt_princ; kdc_request_set_pac; @@ -74,7 +75,6 @@ HEIMDAL_KDC_1.0 { kdc_request_set_reply_key; kdc_request_set_server_princ; kdc_request_set_sname; - kdc_set_e_data; kdc_audit_addkv; kdc_audit_addkv_number; kdc_audit_addkv_object; diff --git a/third_party/heimdal/lib/base/heimbase-svc.h b/third_party/heimdal/lib/base/heimbase-svc.h index 54377632bb1..6c2e02f273c 100644 --- a/third_party/heimdal/lib/base/heimbase-svc.h +++ b/third_party/heimdal/lib/base/heimbase-svc.h @@ -68,7 +68,7 @@ char *cname; \ char *sname; \ const char *e_text; \ - heim_octet_string *e_data; \ + heim_octet_string e_data; \ char *e_text_buf; \ heim_string_t reason; \ /* auditing key/value store */ \ diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c index 6df40a2b722..45855d7c949 100644 --- a/third_party/heimdal/tests/plugin/kdc_test_plugin.c +++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c 
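Review bot: `krb5_data_free(&r->e_data)` in the cleanup of `process_request` now runs unconditionally on an embedded struct, so it relies on `r->e_data` having been zeroed before any path reaches this point; the initialisation of `r` is not visible in the hunk. With the old pointer field a NULL check guarded the free. If the request is not zero-initialised where it is set up, add `krb5_data_zero(&r->e_data);` there. The function starts and ends outside the hunk.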
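Review bot: Changing `e_data` from a pointer to an embedded `heim_octet_string` in this common-elements macro of heimbase-svc.h changes the size and field offsets of every request struct that expands it, so a plugin built against the old header would read `e_text_buf`, `reason` and the fields after them at the wrong offsets. The field also carries no note on ownership; I would add `/* owned by the request; set with kdc_request_set_e_data(), released with krb5_data_free() */ \` on the line above it, in the style of the existing auditing comment. The macro starts and ends outside the hunk.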
@@ -56,13 +56,13 @@ pac_generate(void *ctx, static krb5_error_code KRB5_CALLCONV pac_verify(void *ctx, astgs_request_t r, - const krb5_principal new_ticket_client, - const krb5_principal delegation_proxy, + krb5_const_principal new_ticket_client, + hdb_entry * delegation_proxy, hdb_entry * client, hdb_entry * server, hdb_entry * krbtgt, - krb5_pac pac, - krb5_boolean *is_trusted) + EncTicketPart *ticket, + krb5_pac pac) { krb5_context context = kdc_request_get_context((kdc_request_t)r); krb5_error_code ret;