
third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0d79afe55517367a5f9670)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-09-25 13:16:43 +13:00 committed by Andrew Bartlett
parent 6d7a05bf78
commit 7b68f751be
7 changed files with 39 additions and 17 deletions


@ -333,9 +333,7 @@ kcm_op_retrieve(krb5_context context,
return ret;
}
if (disallow_getting_krbtgt &&
mcreds.server->name.name_string.len == 2 &&
strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)
if (disallow_getting_krbtgt && krb5_principal_is_krbtgt(context, mcreds.server))
{
free(name);
krb5_free_cred_contents(context, &mcreds);


@ -962,7 +962,13 @@ tgs_parse_request(astgs_request_t r,
goto out;
}
if(!get_krbtgt_realm(&ap_req.ticket.sname)){
if(!krb5_principalname_is_krbtgt(r->context, &ap_req.ticket.sname)){
/*
* Note: this check is not to be depended upon for security. Nothing
* prevents a client modifying the sname, as it is located in the
* unencrypted part of the ticket.
*/
/* XXX check for ticket.sname == req.sname */
kdc_log(r->context, config, 4, "PA-DATA is not a ticket-granting ticket");
ret = KRB5KDC_ERR_POLICY; /* ? */
@ -1631,7 +1637,13 @@ server_lookup:
goto out;
}
t = &b->additional_tickets->val[0];
if(!get_krbtgt_realm(&t->sname)){
if(!krb5_principalname_is_krbtgt(context, &t->sname)){
/*
* Note: this check is not to be depended upon for
* security. Nothing prevents a client modifying the sname, as
* it is located in the unencrypted part of the ticket.
*/
kdc_log(context, config, 4,
"Additional ticket is not a ticket-granting ticket");
kdc_audit_addreason((kdc_request_t)priv,
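Review bot: krb5_principalname_is_krbtgt accepts a single-component `krbtgt` name where get_krbtgt_realm required exactly two, so a ticket whose sname is just `krbtgt` now passes the check in tgs_parse_request and at server_lookup even though it carries no realm component; if code later in either function (outside the hunk) reads name_string.val[1] as the realm, as the old helper's name suggests it did, confirm it tolerates len == 1. The added comment correctly says the check is not security-relevant, but it does not say what the check is for; if the intent is an early, clearer error, a line such as `/* Reject non-krbtgt snames early so the client gets a policy error rather than a failed krbtgt lookup. */` would document it, hedged as my reading. tgs_parse_request starts and ends outside the first hunk, and the server_lookup block continues outside the second.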


@ -1616,7 +1616,7 @@ fetch_it(krb5_context context,
if (!db->enable_virtual_hostbased_princs)
maxdots = mindots = 0;
if (db->enable_virtual_hostbased_princs && comp1 &&
strcmp("krbtgt", comp0) != 0 && strcmp(KRB5_WELLKNOWN_NAME, comp0) != 0) {
(comp0 == NULL || (strcmp("krbtgt", comp0) != 0 && strcmp(KRB5_WELLKNOWN_NAME, comp0) != 0))) {
char *htmp;
if ((host = strdup(comp1)) == NULL)
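Review bot: The added `comp0 == NULL ||` clause looks unreachable if comp0 and comp1 are components 0 and 1 of the same principal, since comp1 being non-NULL would then imply comp0 is non-NULL, and as written it reads as though a principal with no first component is deliberately treated as a virtual host-based candidate. A short comment stating the actual intent would prevent that reading, e.g. `/* comp0 is non-NULL whenever comp1 is; the NULL test only keeps the strcmp() calls provably safe. */`, assuming that is the reason. The new condition line is also far longer than the surrounding lines; moving the `comp0` clause onto its own continuation line would match the file's style. fetch_it starts and ends outside the hunk.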


@ -539,6 +539,7 @@ EXPORTS
krb5_principal_set_comp_string
krb5_principal_set_realm
krb5_principal_set_type
krb5_principalname_is_krbtgt
krb5_print_address
krb5_program_setup
krb5_prompter_posix


@ -1244,6 +1244,20 @@ krb5_principal_is_pku2u(krb5_context context, krb5_const_principal principal)
return strcmp(principal->realm, KRB5_PKU2U_REALM_NAME) == 0;
}
/**
* Check if the cname part of the principal name is a krbtgt principal
*
* @ingroup krb5_principal
*/
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principalname_is_krbtgt(krb5_context context, const PrincipalName *p)
{
return 1 <= p->name_string.len &&
p->name_string.len <= 2 &&
strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0;
}
/**
* Check if the cname part of the principal is a krbtgt principal
*
@ -1253,8 +1267,7 @@ krb5_principal_is_pku2u(krb5_context context, krb5_const_principal principal)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_principal_is_krbtgt(krb5_context context, krb5_const_principal p)
{
return p->name.name_string.len == 2 &&
strcmp(p->name.name_string.val[0], KRB5_TGS_NAME) == 0;
return krb5_principalname_is_krbtgt(context, &p->name);
}
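Review bot: The doc comment on krb5_principalname_is_krbtgt is copied from its neighbour and speaks of "the cname part of the principal name", but the function takes a bare PrincipalName (the KDC call sites in this commit pass a ticket's sname) and has no cname; it also omits that the predicate is wider than the checks it replaces, accepting one-component names where those required exactly two. Because krb5_principal_is_krbtgt now delegates to it, every existing caller of that exported function inherits the widened match, which neither the comment nor the commit message mentions. Suggested first line: `Check whether a PrincipalName names a krbtgt service (one or two components, the first being KRB5_TGS_NAME)`, followed by `@param context unused`, `@param p the name to test` and `@return TRUE also for the single-component form; the realm component is not validated`, and a sentence giving the reason the single-component form is accepted, which nothing in the commit states. Minor style: name_string.len is unsigned, so `1 <= p->name_string.len` is just `p->name_string.len != 0`.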
/**


@ -823,13 +823,6 @@ t_err(krb5_context context,
krb5_err(context, 1, error, "test %s failed in %s", test, func);
}
static krb5_boolean
is_krbtgt(const PrincipalName *p)
{
return (p->name_string.len == 2 &&
strcmp(p->name_string.val[0], KRB5_TGS_NAME) == 0);
}
static void
check_ticket_signature(krb5_context context,
const struct test_pac_ticket *tkt)
@ -875,7 +868,9 @@ check_ticket_signature(krb5_context context,
if (ret)
t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse", ret);
heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
heim_assert(!krb5_principalname_is_krbtgt(context,
&ticket.sname) == !!signedticket,
"ticket-signature");
ret = krb5_pac_verify(context, pac, et.authtime, client,
tkt->key, tkt->kdc_key);
@ -932,7 +927,9 @@ check_ticket_signature(krb5_context context,
if (ret)
t_err(context, tkt->name, "_krb5_kdc_pac_ticket_parse 2", ret);
heim_assert(!is_krbtgt(&ticket.sname) == !!signedticket, "ticket-signature");
heim_assert(!krb5_principalname_is_krbtgt(context,
&ticket.sname) == !!signedticket,
"ticket-signature");
ret = krb5_pac_verify(context, pac, et.authtime, client, tkt->key,
tkt->kdc_key);


@ -532,6 +532,7 @@ HEIMDAL_KRB5_2.0 {
krb5_principal_is_federated;
krb5_principal_is_krbtgt;
krb5_principal_is_root_krbtgt;
krb5_principalname_is_krbtgt;
krb5_print_address;
krb5_program_setup;
krb5_prompter_posix;