third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal/kdc/fast.c

@@ -834,10 +834,9 @@ _kdc_free_fast_state(KDCFastState *state)
 }
 
 krb5_error_code
-_kdc_fast_check_armor_pac(astgs_request_t r)
+_kdc_fast_check_armor_pac(astgs_request_t r, int flags)
 {
     krb5_error_code ret;
-    int flags;
     krb5_boolean ad_kdc_issued = FALSE;
     krb5_pac mspac = NULL;
     krb5_principal armor_client_principal = NULL;
@@ -845,7 +844,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
     hdb_entry *armor_client = NULL;
     char *armor_client_principal_name = NULL;
 
-    flags = HDB_F_FOR_TGS_REQ;
+    flags |= HDB_F_ARMOR_PRINCIPAL;
     if (_kdc_synthetic_princ_used_p(r->context, r->armor_ticket))
 	flags |= HDB_F_SYNTHETIC_OK;
     if (r->req.req_body.kdc_options.canonicalize)

third_party/heimdal/kdc/kerberos5.c

@@ -2561,11 +2561,11 @@ _kdc_as_rep(astgs_request_t r)
          */
         if (r->pa_max_life > 0)
             t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_max_life));
-        else if (r->client->max_life && *r->client->max_life)
+        else if (r->client->max_life)
 	    t = rk_time_add(start, min(rk_time_sub(t, start),
                                        *r->client->max_life));
 
-	if (r->server->max_life && *r->server->max_life)
+	if (r->server->max_life)
 	    t = rk_time_add(start, min(rk_time_sub(t, start),
                                        *r->server->max_life));
 
@@ -2576,6 +2576,13 @@ _kdc_as_rep(astgs_request_t r)
 	t = min(t, rk_time_add(start, realm->max_life));
 #endif
 	r->et.endtime = t;
+
+	if (start > r->et.endtime) {
+	    _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
+	    ret = KRB5KDC_ERR_NEVER_VALID;
+	    goto out;
+	}
+
 	if(f.renewable_ok && r->et.endtime < *b->till){
 	    f.renewable = 1;
 	    if(b->rtime == NULL){
@@ -2589,10 +2596,10 @@ _kdc_as_rep(astgs_request_t r)
 	    t = *b->rtime;
 	    if(t == 0)
 		t = MAX_TIME;
-	    if(r->client->max_renew && *r->client->max_renew)
+	    if(r->client->max_renew)
 		t = rk_time_add(start, min(rk_time_sub(t, start),
                                            *r->client->max_renew));
-	    if(r->server->max_renew && *r->server->max_renew)
+	    if(r->server->max_renew)
 		t = rk_time_add(start, min(rk_time_sub(t, start),
                                            *r->server->max_renew));
 #if 0

third_party/heimdal/kdc/krb5tgs.c

@@ -1908,7 +1908,7 @@ server_lookup:
 
     /* Validate armor TGT before potentially including device claims */
     if (priv->armor_ticket) {
-	ret = _kdc_fast_check_armor_pac(priv);
+	ret = _kdc_fast_check_armor_pac(priv, HDB_F_FOR_TGS_REQ);
 	if (ret)
 	    goto out;
     }

third_party/heimdal/kuser/kinit.c

@@ -1263,16 +1263,18 @@ update_siginfo_msg(time_t exp, const char *srv)
 
 #ifdef HAVE_SIGACTION
 static void
-handle_siginfo(int sig)
+handler(int sig)
 {
-    struct iovec iov[2];
+    if (sig == SIGINFO) {
+        struct iovec iov[2];
 
-    iov[0].iov_base = rk_UNCONST(siginfo_msg);
-    iov[0].iov_len = strlen(siginfo_msg);
-    iov[1].iov_base = "\n";
-    iov[1].iov_len = 1;
+        iov[0].iov_base = rk_UNCONST(siginfo_msg);
+        iov[0].iov_len = strlen(siginfo_msg);
+        iov[1].iov_base = "\n";
+        iov[1].iov_len = 1;
 
-    writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
+        writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
+    } /* else ignore interrupts; our progeny will not ignore them */
 }
 #endif
 
@@ -1890,9 +1892,11 @@ main(int argc, char **argv)
 #ifdef HAVE_SIGACTION
 	memset(&sa, 0, sizeof(sa));
 	sigemptyset(&sa.sa_mask);
-	sa.sa_handler = handle_siginfo;
+	sa.sa_handler = handler;
 
 	sigaction(SIGINFO, &sa, NULL);
+	sigaction(SIGINT, &sa, NULL);
+	sigaction(SIGQUIT, &sa, NULL);
 #endif
 
 	ret = simple_execvp_timed(argv[1], argv+1,

third_party/heimdal/lib/hdb/hdb.asn1

@@ -232,8 +232,8 @@ HDB_entry ::= SEQUENCE {
 	valid-start[5]	KerberosTime OPTIONAL,
 	valid-end[6]	KerberosTime OPTIONAL,
 	pw-end[7]	KerberosTime OPTIONAL,
-	max-life[8]	INTEGER (0..4294967295) OPTIONAL,
-	max-renew[9]	INTEGER (0..4294967295) OPTIONAL,
+	max-life[8]	INTEGER (-2147483648..2147483647) OPTIONAL,
+	max-renew[9]	INTEGER (-2147483648..2147483647) OPTIONAL,
 	flags[10]	HDBFlags,
 	etypes[11]	HDB-EncTypeList OPTIONAL,
 	generation[12]	GENERATION OPTIONAL,

third_party/heimdal/lib/hdb/hdb.h

@@ -77,6 +77,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_DELAY_NEW_KEYS	0x08000	/* apply [hdb] new_service_key_delay */
 #define HDB_F_SYNTHETIC_OK	0x10000	/* synthetic principal for PKINIT or GSS preauth OK */
 #define HDB_F_GET_FAST_COOKIE	0x20000	/* fetch the FX-COOKIE key (not a normal principal) */
+#define HDB_F_ARMOR_PRINCIPAL	0x40000	/* fetch is for the client of an armor ticket */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1