third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA) (Import lorikeet-heimdal-202311092338 (commit 50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea))

Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA,
resulting in a confusing error message. Now we just ignore it; but we
could also choose to set an error message containing the NTSTATUS code
in hexadecimal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224

third_party/heimdal/lib/krb5/get_cred.c

@@ -719,13 +719,31 @@ get_cred_kdc(krb5_context context,
 	memset(&md, 0, sizeof(md));
 
 	if (rep.error.e_data) {
-	    ret = decode_METHOD_DATA(rep.error.e_data->data,
-				     rep.error.e_data->length,
-				     &md, NULL);
+	    KERB_ERROR_DATA kerb_error_data;
+
+	    memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+	    /* First try to decode the e-data as KERB-ERROR-DATA. */
+	    ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
+					 rep.error.e_data->length,
+					 &kerb_error_data,
+					 &len);
 	    if (ret) {
-		krb5_set_error_message(context, ret,
-				       N_("Failed to decode METHOD-DATA", ""));
-		goto out;
+		/* That failed, so try to decode it as METHOD-DATA. */
+		ret = decode_METHOD_DATA(rep.error.e_data->data,
+					 rep.error.e_data->length,
+					 &md, NULL);
+		if (ret) {
+		    krb5_set_error_message(context, ret,
+					   N_("Failed to decode METHOD-DATA", ""));
+		    goto out;
+		}
+	    } else if (len != rep.error.e_data->length) {
+		/* Trailing data — just ignore the error. */
+		free_KERB_ERROR_DATA(&kerb_error_data);
+	    } else {
+		/* OK. */
+		free_KERB_ERROR_DATA(&kerb_error_data);
 	    }
 	}
 

third_party/heimdal/lib/krb5/init_creds_pw.c

@@ -3146,19 +3146,36 @@ init_creds_step(krb5_context context,
 	    memset(&ctx->md, 0, sizeof(ctx->md));
 
 	    if (ctx->error.e_data) {
+		KERB_ERROR_DATA kerb_error_data;
 		krb5_error_code ret2;
 
-		ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
-					 ctx->error.e_data->length,
-					 &ctx->md,
-					 NULL);
+		memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+		/* First try to decode the e-data as KERB-ERROR-DATA. */
+		ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
+					      ctx->error.e_data->length,
+					      &kerb_error_data,
+					      &len);
 		if (ret2) {
-		    /*
-		     * Just ignore any error, the error will be pushed
-		     * out from krb5_error_from_rd_error() if there
-		     * was one.
-		     */
-		    _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+		    /* That failed, so try to decode it as METHOD-DATA. */
+		    ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
+					      ctx->error.e_data->length,
+					      &ctx->md,
+					      NULL);
+		    if (ret2) {
+			/*
+			 * Just ignore any error, the error will be pushed
+			 * out from krb5_error_from_rd_error() if there
+			 * was one.
+			 */
+			_krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+		    }
+		} else if (len != ctx->error.e_data->length) {
+		    /* Trailing data — just ignore the error. */
+		    free_KERB_ERROR_DATA(&kerb_error_data);
+		} else {
+		    /* OK. */
+		    free_KERB_ERROR_DATA(&kerb_error_data);
 		}
 	    }