third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 9 Nov 2023 23:43:03 +0000 (12:43 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 10 Nov 2023 01:35:32 +0000 (01:35 +0000)
Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA,
resulting in a confusing error message. Now we just ignore it; but we
could also choose to set an error message containing the NTSTATUS code
in hexadecimal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224

third_party/heimdal/lib/krb5/get_cred.c
third_party/heimdal/lib/krb5/init_creds_pw.c

index 6e48846bcb3a8cfeb636bcc2e79c451ff8022be1..ff06325912bbd53c359a7ad76cafdc9aa452d9a6 100644 (file)
@@ -719,13 +719,31 @@ get_cred_kdc(krb5_context context,
        memset(&md, 0, sizeof(md));
 
        if (rep.error.e_data) {
-           ret = decode_METHOD_DATA(rep.error.e_data->data,
-                                    rep.error.e_data->length,
-                                    &md, NULL);
+           KERB_ERROR_DATA kerb_error_data;
+
+           memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+           /* First try to decode the e-data as KERB-ERROR-DATA. */
+           ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
+                                        rep.error.e_data->length,
+                                        &kerb_error_data,
+                                        &len);
            if (ret) {
-               krb5_set_error_message(context, ret,
-                                      N_("Failed to decode METHOD-DATA", ""));
-               goto out;
+               /* That failed, so try to decode it as METHOD-DATA. */
+               ret = decode_METHOD_DATA(rep.error.e_data->data,
+                                        rep.error.e_data->length,
+                                        &md, NULL);
+               if (ret) {
+                   krb5_set_error_message(context, ret,
+                                          N_("Failed to decode METHOD-DATA", ""));
+                   goto out;
+               }
+           } else if (len != rep.error.e_data->length) {
+               /* Trailing data — just ignore the error. */
+               free_KERB_ERROR_DATA(&kerb_error_data);
+           } else {
+               /* OK. */
+               free_KERB_ERROR_DATA(&kerb_error_data);
            }
        }
 
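Review bot: The two success branches at the end of the new block (`else if (len != rep.error.e_data->length)` and the final `else`) run identical code — each only calls `free_KERB_ERROR_DATA(&kerb_error_data);` — so the trailing-data distinction the comments describe has no effect on behaviour; the same duplicated shape appears in init_creds_step in the second hunk. Either collapse them into one `free_KERB_ERROR_DATA(&kerb_error_data);` after a successful decode, or make the trailing-data case meaningful by falling through to the METHOD-DATA decode, so that e-data which merely begins with a valid KERB-ERROR-DATA encoding is not silently accepted as one. The `/* OK. */` comment also hides that the decoded contents (including the NTSTATUS the description mentions) are deliberately discarded and md stays empty; I'd write `/* Decoded as KERB-ERROR-DATA; contents intentionally discarded, md stays empty. */`. `len` is not declared in the hunk, so it is presumably an existing local of get_cred_kdc being reused — worth confirming nothing later in the function still relies on its earlier value. The body of get_cred_kdc continues outside the hunk.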
index 2c026ad29f2f328fd79da33b8b878c2bdc78c558..8b6db0be594e579fef4d6d8f9a2da25a850ff023 100644 (file)
@@ -3146,19 +3146,36 @@ init_creds_step(krb5_context context,
            memset(&ctx->md, 0, sizeof(ctx->md));
 
            if (ctx->error.e_data) {
+               KERB_ERROR_DATA kerb_error_data;
                krb5_error_code ret2;
 
-               ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
-                                        ctx->error.e_data->length,
-                                        &ctx->md,
-                                        NULL);
+               memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+
+               /* First try to decode the e-data as KERB-ERROR-DATA. */
+               ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
+                                             ctx->error.e_data->length,
+                                             &kerb_error_data,
+                                             &len);
                if (ret2) {
-                   /*
-                    * Just ignore any error, the error will be pushed
-                    * out from krb5_error_from_rd_error() if there
-                    * was one.
-                    */
-                   _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+                   /* That failed, so try to decode it as METHOD-DATA. */
+                   ret2 = decode_METHOD_DATA(ctx->error.e_data->data,
+                                             ctx->error.e_data->length,
+                                             &ctx->md,
+                                             NULL);
+                   if (ret2) {
+                       /*
+                        * Just ignore any error, the error will be pushed
+                        * out from krb5_error_from_rd_error() if there
+                        * was one.
+                        */
+                       _krb5_debug(context, 5, N_("Failed to decode METHOD-DATA", ""));
+                   }
+               } else if (len != ctx->error.e_data->length) {
+                   /* Trailing data — just ignore the error. */
+                   free_KERB_ERROR_DATA(&kerb_error_data);
+               } else {
+                   /* OK. */
+                   free_KERB_ERROR_DATA(&kerb_error_data);
                }
            }