
third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2023-10-13 11:14:55 +13:00
parent 3280893ae8
commit 204b1f0c12
9 changed files with 110 additions and 64 deletions


@ -147,7 +147,6 @@ struct verify_uc {
hdb_entry *krbtgt;
EncTicketPart *ticket;
krb5_pac pac;
krb5_boolean *is_trusted;
};
static krb5_error_code KRB5_LIB_CALL
@ -165,8 +164,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
uc->client_principal,
uc->delegated_proxy,
uc->client, uc->server, uc->krbtgt,
uc->ticket, uc->pac,
uc->is_trusted);
uc->ticket, uc->pac);
return ret;
}
@ -178,8 +176,7 @@ _kdc_pac_verify(astgs_request_t r,
hdb_entry *server,
hdb_entry *krbtgt,
EncTicketPart *ticket,
krb5_pac pac,
krb5_boolean *is_trusted)
krb5_pac pac)
{
struct verify_uc uc;
@ -194,7 +191,6 @@ _kdc_pac_verify(astgs_request_t r,
uc.krbtgt = krbtgt;
uc.ticket = ticket,
uc.pac = pac;
uc.is_trusted = is_trusted;
return _krb5_plugin_run_f(r->context, &kdc_plugin_data,
0, &uc, verify);


@ -57,9 +57,7 @@ typedef krb5_error_code
/*
* Verify the PAC KDC signatures by fetching the appropriate TGS key
* and calling krb5_pac_verify() with that key. The possibly-NULL
* is_trusted may be set by the plugin to indicate that the PAC was
* issued by a trusted server, and not, for example, by an RODC.
* and calling krb5_pac_verify() with that key.
*/
typedef krb5_error_code
@ -71,8 +69,7 @@ typedef krb5_error_code
hdb_entry *,/* server */
hdb_entry *,/* krbtgt */
EncTicketPart *, /* ticket */
krb5_pac, /* pac */
krb5_boolean *); /* is_trusted */
krb5_pac); /* pac */
/*
* Update the KDC PAC buffers. This function may be used after verifying the PAC


@ -96,7 +96,6 @@ _kdc_check_pac(astgs_request_t r,
krb5_pac pac = NULL;
krb5_error_code ret;
krb5_boolean signedticket;
krb5_boolean is_trusted = FALSE;
*kdc_issued = FALSE;
*ppac = NULL;
@ -126,12 +125,8 @@ _kdc_check_pac(astgs_request_t r,
/* Verify the KDC signatures. */
ret = _kdc_pac_verify(r,
client_principal, delegated_proxy,
client, server, krbtgt, tkt, pac, &is_trusted);
client, server, krbtgt, tkt, pac);
if (ret == 0) {
if (is_trusted) {
krb5_pac_set_trusted(pac, TRUE);
}
if (pac_canon_name) {
ret = _krb5_pac_get_canon_principal(context, pac, pac_canon_name);
if (ret && ret != ENOENT) {
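Review bot: With the `is_trusted` plumbing gone, `_kdc_check_pac` no longer calls krb5_pac_set_trusted() after a successful `_kdc_pac_verify`, so the PAC's trusted state must now be established somewhere else — presumably inside the verify plugin or krb5_pac_verify() itself — but nothing at this call site says so. A one-line comment above the `_kdc_pac_verify` call, such as `/* Marking the PAC trusted is now the verify plugin's job; nothing here calls krb5_pac_set_trusted(). */`, would stop the next reader from re-adding the flag. The commit message says this import does not work on its own, so the counterpart change may land separately; it is worth confirming that the trusted flag is set before the PAC is consulted for the canonical name below. `_kdc_check_pac` starts and ends outside the hunk.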


@ -106,8 +106,12 @@ check_rbcd(krb5_context context,
krb5_kdc_configuration *config,
HDB *clientdb,
krb5_const_principal s4u_principal,
krb5_const_principal client_principal,
const hdb_entry *client_krbtgt,
const hdb_entry *client,
const hdb_entry *device_krbtgt,
const hdb_entry *device,
krb5_const_pac client_pac,
krb5_const_pac device_pac,
const hdb_entry *target)
{
krb5_error_code ret = KRB5KDC_ERR_BADOPTION;
@ -115,9 +119,13 @@ check_rbcd(krb5_context context,
if (clientdb->hdb_check_rbcd) {
ret = clientdb->hdb_check_rbcd(context,
clientdb,
client_krbtgt,
client,
device_krbtgt,
device,
s4u_principal,
client_principal,
client_pac,
device_pac,
target);
if (ret == 0)
return 0;
@ -520,7 +528,11 @@ _kdc_validate_constrained_delegation(astgs_request_t r)
if (rbcd_support) {
ret = check_rbcd(r->context, r->config, r->clientdb,
s4u_client_name, r->client_princ, r->pac, r->server);
s4u_client_name,
r->krbtgt, r->client,
r->armor_server, r->armor_client,
r->pac, r->armor_pac,
r->server);
} else {
ret = KRB5KDC_ERR_BADOPTION;
}
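Review bot: The new call passes `r->armor_server`, `r->armor_client` and `r->armor_pac` straight through to the backend, and these are presumably NULL when the request carried no FAST armor, yet neither `check_rbcd` nor the `hdb_check_rbcd` callback contract says whether a NULL device entry or device PAC is permitted. A short comment above this call, e.g. `/* armor_* are NULL without FAST armor — the backend must tolerate a missing device entry/PAC (confirm) */`, or a parameter note in the hdb.h declaration, would make the contract explicit. `_kdc_validate_constrained_delegation` starts and ends outside the hunk.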


@ -937,7 +937,13 @@ getnewbasename(char **newbasename, int typedefp, const char *basename, const cha
err(1, "malloc");
}
static void define_type(int, const char *, const char *, Type *, Type *, int, int);
typedef enum define_type_options {
DEF_TYPE_NONE = 0,
DEF_TYPE_PRESERVE = 1,
DEF_TYPE_TYPEDEFP = 2,
DEF_TYPE_EMIT_NAME = 4
} define_type_options;
static void define_type(int, const char *, const char *, Type *, Type *, define_type_options);
/*
* Get the SET/SEQUENCE member pair and CLASS field pair defining an open type.
@ -1158,7 +1164,7 @@ define_open_type(int level, const char *newbasename, const char *name, const cha
if (asprintf(&n, "*%s", objects[i]->symbol->gen_name) < 0 || n == NULL)
err(1, "malloc");
define_type(level + 2, n, newbasename, NULL, of->type, FALSE, FALSE);
define_type(level + 2, n, newbasename, NULL, of->type, DEF_TYPE_NONE);
fprintf(jsonfile, "%s", (i + 1) < nobjs ? "," : "");
free(n);
}
@ -1178,7 +1184,8 @@ static const char * const tagclassnames[] = {
};
static void
define_type(int level, const char *name, const char *basename, Type *pt, Type *t, int typedefp, int preservep)
define_type(int level, const char *name, const char *basename,
Type *pt, Type *t, define_type_options opts)
{
const char *label_prefix = NULL;
const char *label_prefix_sep = NULL;
@ -1188,7 +1195,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
"\"is_type\":true,\"exported\":%s,\"typedef\":%s,",
basename, name,
t->symbol && is_export(t->symbol->name) ? "true" : "false",
typedefp ? "true" : "false");
(opts & DEF_TYPE_TYPEDEFP) ? "true" : "false");
switch (t->type) {
case TType:
@ -1214,7 +1221,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
label_prefix = prefix_enum ? name : (enum_prefix ? enum_prefix : "");
label_prefix_sep = prefix_enum ? "_" : "";
fprintf (headerfile, "enum %s {\n", typedefp ? name : "");
fprintf (headerfile, "enum %s {\n", (opts & DEF_TYPE_TYPEDEFP) ? name : "");
fprintf(jsonfile, "\"ttype\":\"INTEGER\",\"ctype\":\"enum\","
"\"members\":[\n");
HEIM_TAILQ_FOREACH(m, t->members, members) {
@ -1298,7 +1305,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
fprintf(jsonfile, "\"ctype\":\"heim_bit_string\"");
} else {
int64_t pos = 0;
getnewbasename(&newbasename, typedefp || level == 0, basename, name);
getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name);
fprintf (headerfile, "struct %s {\n", newbasename);
fprintf(jsonfile, "\"ctype\":\"struct %s\",\"members\":[\n", newbasename);
@ -1313,7 +1320,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
if (asprintf (&n, "_unused%lld:1", (long long)pos) < 0 ||
n == NULL)
err(1, "malloc");
define_type(level + 1, n, newbasename, NULL, &i, FALSE, FALSE);
define_type(level + 1, n, newbasename, NULL, &i, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, ",");
free(n);
pos++;
@ -1322,7 +1329,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
n = NULL;
if (asprintf (&n, "%s:1", m->gen_name) < 0 || n == NULL)
errx(1, "malloc");
define_type(level + 1, n, newbasename, NULL, &i, FALSE, FALSE);
define_type(level + 1, n, newbasename, NULL, &i, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, "%s", last_member_p(m));
free (n);
n = NULL;
@ -1341,14 +1348,16 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
if (asprintf (&n, "_unused%lld:1", (long long)pos) < 0 ||
n == NULL)
errx(1, "malloc");
define_type(level + 1, n, newbasename, NULL, &i, FALSE, FALSE);
define_type(level + 1, n, newbasename, NULL, &i, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, "%s", (pos + 1) < bitset_size ? "," : "");
free(n);
pos++;
}
space(level);
fprintf (headerfile, "} %s;\n\n", name);
fprintf(headerfile, "}%s%s;\n\n",
(opts & DEF_TYPE_EMIT_NAME) ? " " : "",
(opts & DEF_TYPE_EMIT_NAME) ? name : "");
fprintf(jsonfile, "]");
}
break;
@ -1362,9 +1371,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
label_prefix = prefix_enum ? name : (enum_prefix ? enum_prefix : "");
label_prefix_sep = prefix_enum ? "_" : "";
space(level);
fprintf (headerfile, "enum %s {\n", typedefp ? name : "");
fprintf (headerfile, "enum %s {\n", (opts & DEF_TYPE_TYPEDEFP) ? name : "");
fprintf(jsonfile, "\"ctype\":\"enum %s\",\"extensible\":%s,\"members\":[\n",
typedefp ? name : "", have_ellipsis(t) ? "true" : "false");
(opts & DEF_TYPE_TYPEDEFP) ? name : "", have_ellipsis(t) ? "true" : "false");
HEIM_TAILQ_FOREACH(m, t->members, members) {
space(level + 1);
if (m->ellipsis) {
@ -1379,7 +1388,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
}
}
space(level);
fprintf (headerfile, "} %s;\n\n", name);
fprintf(headerfile, "}%s%s;\n\n",
(opts & DEF_TYPE_EMIT_NAME) ? " " : "",
(opts & DEF_TYPE_EMIT_NAME) ? name : "");
fprintf(jsonfile, "]");
break;
}
@ -1390,7 +1401,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
ssize_t more_deco = -1;
int decorated = 0;
getnewbasename(&newbasename, typedefp || level == 0, basename, name);
getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name);
space(level);
@ -1399,7 +1410,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
"\"ctype\":\"struct %s\"",
t->type == TSet ? "SET" : "SEQUENCE",
have_ellipsis(t) ? "true" : "false", newbasename);
if (t->type == TSequence && preservep) {
if (t->type == TSequence && (opts & DEF_TYPE_PRESERVE)) {
space(level + 1);
fprintf(headerfile, "heim_octet_string _save;\n");
fprintf(jsonfile, ",\"preserve\":true");
@ -1443,14 +1454,14 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
fprintf(jsonfile, "{\"name\":\"%s\",\"gen_name\":\"%s\","
"\"optional\":%s,\"defval\":%s,\"type\":",
m->name, m->gen_name, m->optional ? "true" : "false", defvalp);
define_type(level + 1, namep, newbasename, t, m->type, FALSE, FALSE);
define_type(level + 1, namep, newbasename, t, m->type, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, "}%s", last_member_p(m));
free (n);
free (defval);
} else {
fprintf(jsonfile, "{\"name\":\"%s\",\"gen_name\":\"%s\","
"\"optional\":false,\"type\":", m->name, m->gen_name);
define_type(level + 1, m->gen_name, newbasename, t, m->type, FALSE, FALSE);
define_type(level + 1, m->gen_name, newbasename, t, m->type, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, "}%s", last_member_p(m));
}
}
@ -1488,7 +1499,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
if (decorated)
fprintf(jsonfile, "]");
space(level);
fprintf (headerfile, "} %s;\n", name);
fprintf(headerfile, "}%s%s;\n",
(opts & DEF_TYPE_EMIT_NAME) ? " " : "",
(opts & DEF_TYPE_EMIT_NAME) ? name : "");
free(deco.field_type);
break;
}
@ -1497,7 +1510,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
Type i;
struct range range = { 0, UINT_MAX };
getnewbasename(&newbasename, typedefp || level == 0, basename, name);
getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name);
memset(&i, 0, sizeof(i));
i.type = TInteger;
@ -1507,11 +1520,13 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
fprintf (headerfile, "struct %s {\n", newbasename);
fprintf(jsonfile, "\"ttype\":\"%s\",\"ctype\":\"struct %s\",\"members\":[",
t->type == TSetOf ? "SET OF" : "SEQUENCE OF", newbasename);
define_type(level + 1, "len", newbasename, t, &i, FALSE, FALSE);
define_type(level + 1, "len", newbasename, t, &i, DEF_TYPE_NONE);
fprintf(jsonfile, ",");
define_type(level + 1, "*val", newbasename, t, t->subtype, FALSE, FALSE);
define_type(level + 1, "*val", newbasename, t, t->subtype, DEF_TYPE_NONE | DEF_TYPE_EMIT_NAME);
space(level);
fprintf (headerfile, "} %s;\n", name);
fprintf(headerfile, "}%s%s;\n",
(opts & DEF_TYPE_EMIT_NAME) ? " " : "",
(opts & DEF_TYPE_EMIT_NAME) ? name : "");
fprintf(jsonfile, "]");
break;
}
@ -1538,7 +1553,7 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
tagclassnames[t->tag.tagclass], t->tag.tagvalue,
t->tag.tagenv == TE_EXPLICIT ? "EXPLICIT" : "IMPLICIT");
fprintf(jsonfile, "\"ttype\":\n");
define_type(level, name, basename, t, t->subtype, typedefp, preservep);
define_type(level, name, basename, t, t->subtype, opts);
break;
case TChoice: {
struct decoration deco;
@ -1547,13 +1562,13 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
int first = 1;
Member *m;
getnewbasename(&newbasename, typedefp || level == 0, basename, name);
getnewbasename(&newbasename, (opts & DEF_TYPE_TYPEDEFP) || level == 0, basename, name);
space(level);
fprintf (headerfile, "struct %s {\n", newbasename);
fprintf(jsonfile, "\"ttype\":\"CHOICE\",\"ctype\":\"struct %s\"",
newbasename);
if (preservep) {
if ((opts & DEF_TYPE_PRESERVE)) {
space(level + 1);
fprintf(headerfile, "heim_octet_string _save;\n");
fprintf(jsonfile, ",\"preserve\":true");
@ -1592,11 +1607,11 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
if (asprintf (&n, "*%s", m->gen_name) < 0 || n == NULL)
errx(1, "malloc");
fprintf(jsonfile, "{\"optional\":");
define_type(level + 2, n, newbasename, t, m->type, FALSE, FALSE);
define_type(level + 2, n, newbasename, t, m->type, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, "}%s", last_member_p(m));
free (n);
} else {
define_type(level + 2, m->gen_name, newbasename, t, m->type, FALSE, FALSE);
define_type(level + 2, m->gen_name, newbasename, t, m->type, DEF_TYPE_EMIT_NAME);
fprintf(jsonfile, "%s", last_member_p(m));
}
}
@ -1634,7 +1649,9 @@ define_type(int level, const char *name, const char *basename, Type *pt, Type *t
fprintf(jsonfile, "]");
space(level);
fprintf (headerfile, "} %s;\n", name);
fprintf(headerfile, "}%s%s;\n",
(opts & DEF_TYPE_EMIT_NAME) ? " " : "",
(opts & DEF_TYPE_EMIT_NAME) ? name : "");
break;
}
case TUTCTime:
@ -1699,8 +1716,10 @@ declare_type(const Symbol *s, Type *t, int typedefp)
switch (t->type) {
case TType:
define_type(0, s->gen_name, s->gen_name, NULL, s->type, TRUE, TRUE);
if (template_flag)
define_type(0, s->gen_name, s->gen_name, NULL, s->type,
DEF_TYPE_PRESERVE | DEF_TYPE_TYPEDEFP |
(s->emitted_declaration ? 0 : DEF_TYPE_EMIT_NAME));
if (template_flag && !s->emitted_declaration)
generate_template_type_forward(s->gen_name);
emitted_declaration(s);
return;
@ -1721,13 +1740,16 @@ declare_type(const Symbol *s, Type *t, int typedefp)
case TVisibleString:
case TOID :
case TNull:
define_type(0, s->gen_name, s->gen_name, NULL, s->type, TRUE, TRUE);
if (template_flag)
define_type(0, s->gen_name, s->gen_name, NULL, s->type,
DEF_TYPE_PRESERVE | DEF_TYPE_TYPEDEFP |
(s->emitted_declaration ? 0 : DEF_TYPE_EMIT_NAME));
if (template_flag && !s->emitted_declaration)
generate_template_type_forward(s->gen_name);
emitted_declaration(s);
emitted_definition(s);
return;
case TTag:
if (!s->emitted_declaration)
declare_type(s, t->subtype, FALSE);
emitted_declaration(s);
return;
@ -1903,10 +1925,13 @@ generate_type_header (const Symbol *s)
* member fields are not OPTIONAL/DEFAULTed.
*/
generate_subtypes_header(s);
if (!s->emitted_asn1) {
fprintf(headerfile, "/*\n");
fprintf(headerfile, "%s ::= ", s->name);
define_asn1 (0, s->type);
fprintf(headerfile, "\n*/\n\n");
emitted_asn1(s);
}
/*
* Emit enums for the outermost tag of this type. These are needed for
@ -1963,9 +1988,22 @@ generate_type_header (const Symbol *s)
fprintf(symsfile, "ASN1_SYM_TYPE(\"%s\", \"%s\", %s)\n",
s->name, s->gen_name, s->gen_name);
if (!s->emitted_declaration) {
fprintf(headerfile, "typedef ");
define_type(0, s->gen_name, s->gen_name, NULL, s->type, TRUE,
preserve_type(s->name) ? TRUE : FALSE);
define_type(0, s->gen_name, s->gen_name, NULL, s->type,
DEF_TYPE_TYPEDEFP | DEF_TYPE_EMIT_NAME |
(preserve_type(s->name) ? DEF_TYPE_PRESERVE : 0));
} else if (s->type->type == TType) {
/* This is a type alias and we've already declared it */
} else if (s->type->type == TTag &&
s->type->subtype != NULL &&
s->type->subtype->symbol != NULL) {
/* This is a type alias and we've already declared it */
} else {
define_type(0, s->gen_name, s->gen_name, NULL, s->type,
DEF_TYPE_TYPEDEFP |
(preserve_type(s->name) ? DEF_TYPE_PRESERVE : 0));
}
fprintf(headerfile, "\n");
emitted_definition(s);
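Review bot: The closing-brace emission `fprintf(headerfile, "}%s%s;\n", (opts & DEF_TYPE_EMIT_NAME) ? " " : "", (opts & DEF_TYPE_EMIT_NAME) ? name : "")` is now written out five times in `define_type` (TBitString, the enum case, TSet/TSequence, TSetOf/TSequenceOf and TChoice), each evaluating the same flag twice; a small static helper taking the name, the options and the trailing newline(s) would keep the five sites identical. Two smaller style points in the same function: `DEF_TYPE_NONE | DEF_TYPE_EMIT_NAME` in the `*val` call is just `DEF_TYPE_EMIT_NAME` since `DEF_TYPE_NONE` is 0, and `if ((opts & DEF_TYPE_PRESERVE))` in the TChoice case carries a redundant pair of parentheses. The `define_type_options` enum would also benefit from a one-line comment per flag, e.g. `DEF_TYPE_EMIT_NAME = 4 /* write the C name after the closing brace */`. `define_type` begins and ends outside the hunks shown.
```c
/* Close a struct/enum body; the C name follows the brace only when
 * DEF_TYPE_EMIT_NAME is set.  `tail` is the newline(s) ending the line. */
static void
emit_close_brace(const char *name, define_type_options opts, const char *tail)
{
    fprintf(headerfile, "}%s%s;%s",
            (opts & DEF_TYPE_EMIT_NAME) ? " " : "",
            (opts & DEF_TYPE_EMIT_NAME) ? name : "",
            tail);
}

/* … unchanged: define_type up to the TBitString close … */
            space(level);
            emit_close_brace(name, opts, "\n\n");
/* … same replacement at the enum, TSet/TSequence, TSetOf/TSequenceOf and TChoice closes … */
```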


@ -171,3 +171,9 @@ emitted_tag_enums(const Symbol *s)
{
((Symbol *)(uintptr_t)s)->emitted_tag_enums = 1;
}
void
emitted_asn1(const Symbol *s)
{
((Symbol *)(uintptr_t)s)->emitted_asn1 = 1;
}


@ -238,6 +238,7 @@ struct symbol {
IOSObject *object;
IOSObjectSet *objectset;
HEIM_TAILQ_ENTRY(symbol) symlist;
unsigned int emitted_asn1:1;
unsigned int emitted_declaration:1;
unsigned int emitted_definition:1;
unsigned int emitted_tag_enums:1;
@ -260,6 +261,7 @@ Symbol *getsym(char *name);
void output_name (char *);
int checkundefined(void);
void generate_types(void);
void emitted_asn1(const Symbol *);
void emitted_declaration(const Symbol *);
void emitted_definition(const Symbol *);
void emitted_tag_enums(const Symbol *);


@ -289,7 +289,7 @@ typedef struct HDB {
/**
* Check if resource-based constrained delegation (RBCD) is allowed.
*/
krb5_error_code (*hdb_check_rbcd)(krb5_context, struct HDB *, krb5_const_principal, krb5_const_principal, krb5_const_pac, const hdb_entry *);
krb5_error_code (*hdb_check_rbcd)(krb5_context, struct HDB *, const hdb_entry *, const hdb_entry *, const hdb_entry *, const hdb_entry *, krb5_const_principal, krb5_const_pac, krb5_const_pac, const hdb_entry *);
/**
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
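Review bot: The new `hdb_check_rbcd` prototype takes four consecutive `const hdb_entry *` arguments followed by one `krb5_const_principal` and two `krb5_const_pac`, but the doc comment above it still says only "Check if resource-based constrained delegation (RBCD) is allowed", so a backend author cannot tell which entry is which without reading the KDC call site. From the `check_rbcd` call the order appears to be client_krbtgt, client, device_krbtgt, device, s4u_principal, client_pac, device_pac, target; the comment should spell this out and state whether the device entries and device PAC may be NULL. Naming the parameters in the declaration itself, e.g. `const hdb_entry *client_krbtgt, const hdb_entry *client, ...`, would remove the ambiguity at the source. The `struct HDB` definition continues outside the hunk.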


@ -1249,7 +1249,7 @@ krb5_pac_verify(krb5_context context,
/*
* If we are in the KDC, we expect back a full signature in the PAC
*
* This is set up as a seperate variable to make it easier if a
* This is set up as a separate variable to make it easier if a
* subsequent patch is added to make this configurable in the
* krb5.conf (or forced into the krb5_context via Samba)
*/
@ -1257,8 +1257,8 @@ krb5_pac_verify(krb5_context context,
/*
* If we are on the KDC, then we trust we are not in a realm with
* buggy Windows 2008 or similar era DCs that give our HMAC-MD5
* sigatures over AES keys. DES is also already gone.
* buggy Windows 2008 or similar era DCs that give out HMAC-MD5
* signatures over AES keys. DES is also already gone.
*/
krb5_boolean strict_cksumtype_match = expect_full_sig;