third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa74...
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 16 May 2023 21:06:17 +0000 (09:06 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 18 May 2023 01:03:37 +0000 (01:03 +0000)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
third_party/heimdal/kdc/fast.c
third_party/heimdal/kdc/kerberos5.c
third_party/heimdal/kdc/krb5tgs.c
third_party/heimdal/kuser/kinit.c
third_party/heimdal/lib/hdb/hdb.asn1
third_party/heimdal/lib/hdb/hdb.h

index e6c523ced954d215feb53e5354baafe77eaf487c..a037331261a96a18ddf97138ffbfd92f6a532346 100644 (file)
@@ -834,10 +834,9 @@ _kdc_free_fast_state(KDCFastState *state)
 }
 
 krb5_error_code
-_kdc_fast_check_armor_pac(astgs_request_t r)
+_kdc_fast_check_armor_pac(astgs_request_t r, int flags)
 {
     krb5_error_code ret;
-    int flags;
     krb5_boolean ad_kdc_issued = FALSE;
     krb5_pac mspac = NULL;
     krb5_principal armor_client_principal = NULL;
@@ -845,7 +844,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
     hdb_entry *armor_client = NULL;
     char *armor_client_principal_name = NULL;
 
-    flags = HDB_F_FOR_TGS_REQ;
+    flags |= HDB_F_ARMOR_PRINCIPAL;
     if (_kdc_synthetic_princ_used_p(r->context, r->armor_ticket))
        flags |= HDB_F_SYNTHETIC_OK;
     if (r->req.req_body.kdc_options.canonicalize)
index ecca52cdcddbf23f89aa4dcdf5d8749ab1fb7da9..416fd29f553689f8d2ee34cda35345e22d2b089b 100644 (file)
@@ -2561,11 +2561,11 @@ _kdc_as_rep(astgs_request_t r)
          */
         if (r->pa_max_life > 0)
             t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_max_life));
-        else if (r->client->max_life && *r->client->max_life)
+        else if (r->client->max_life)
            t = rk_time_add(start, min(rk_time_sub(t, start),
                                        *r->client->max_life));
 
-       if (r->server->max_life && *r->server->max_life)
+       if (r->server->max_life)
            t = rk_time_add(start, min(rk_time_sub(t, start),
                                        *r->server->max_life));
 
@@ -2576,6 +2576,13 @@ _kdc_as_rep(astgs_request_t r)
        t = min(t, rk_time_add(start, realm->max_life));
 #endif
        r->et.endtime = t;
+
+       if (start > r->et.endtime) {
+           _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
+           ret = KRB5KDC_ERR_NEVER_VALID;
+           goto out;
+       }
+
        if(f.renewable_ok && r->et.endtime < *b->till){
            f.renewable = 1;
            if(b->rtime == NULL){
@@ -2589,10 +2596,10 @@ _kdc_as_rep(astgs_request_t r)
            t = *b->rtime;
            if(t == 0)
                t = MAX_TIME;
-           if(r->client->max_renew && *r->client->max_renew)
+           if(r->client->max_renew)
                t = rk_time_add(start, min(rk_time_sub(t, start),
                                            *r->client->max_renew));
-           if(r->server->max_renew && *r->server->max_renew)
+           if(r->server->max_renew)
                t = rk_time_add(start, min(rk_time_sub(t, start),
                                            *r->server->max_renew));
 #if 0
index 0bad42aa3b72d570d43b68ebc194c86c427c8219..1ded41616dc67826dae869742188fd3626c3a877 100644 (file)
@@ -1908,7 +1908,7 @@ server_lookup:
 
     /* Validate armor TGT before potentially including device claims */
     if (priv->armor_ticket) {
-       ret = _kdc_fast_check_armor_pac(priv);
+       ret = _kdc_fast_check_armor_pac(priv, HDB_F_FOR_TGS_REQ);
        if (ret)
            goto out;
     }
index 01cb8ed1a41b59a9d3bba1496b6a3a72f41cc816..a374817a06771ca8119070e52c80a6093d99736f 100644 (file)
@@ -1263,16 +1263,18 @@ update_siginfo_msg(time_t exp, const char *srv)
 
 #ifdef HAVE_SIGACTION
 static void
-handle_siginfo(int sig)
+handler(int sig)
 {
-    struct iovec iov[2];
+    if (sig == SIGINFO) {
+        struct iovec iov[2];
 
-    iov[0].iov_base = rk_UNCONST(siginfo_msg);
-    iov[0].iov_len = strlen(siginfo_msg);
-    iov[1].iov_base = "\n";
-    iov[1].iov_len = 1;
+        iov[0].iov_base = rk_UNCONST(siginfo_msg);
+        iov[0].iov_len = strlen(siginfo_msg);
+        iov[1].iov_base = "\n";
+        iov[1].iov_len = 1;
 
-    writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
+        writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
+    } /* else ignore interrupts; our progeny will not ignore them */
 }
 #endif
 
@@ -1890,9 +1892,11 @@ main(int argc, char **argv)
 #ifdef HAVE_SIGACTION
        memset(&sa, 0, sizeof(sa));
        sigemptyset(&sa.sa_mask);
-       sa.sa_handler = handle_siginfo;
+       sa.sa_handler = handler;
 
        sigaction(SIGINFO, &sa, NULL);
+       sigaction(SIGINT, &sa, NULL);
+       sigaction(SIGQUIT, &sa, NULL);
 #endif
 
        ret = simple_execvp_timed(argv[1], argv+1,
index 1a763de3d444b84c2092bb2436c2eeb0f60ff902..341927f2f0d41074b98c09e20b57fedb434bb1c8 100644 (file)
@@ -232,8 +232,8 @@ HDB_entry ::= SEQUENCE {
        valid-start[5]  KerberosTime OPTIONAL,
        valid-end[6]    KerberosTime OPTIONAL,
        pw-end[7]       KerberosTime OPTIONAL,
-       max-life[8]     INTEGER (0..4294967295) OPTIONAL,
-       max-renew[9]    INTEGER (0..4294967295) OPTIONAL,
+       max-life[8]     INTEGER (-2147483648..2147483647) OPTIONAL,
+       max-renew[9]    INTEGER (-2147483648..2147483647) OPTIONAL,
        flags[10]       HDBFlags,
        etypes[11]      HDB-EncTypeList OPTIONAL,
        generation[12]  GENERATION OPTIONAL,
index 2a3d1c4bb8c6db33e8fa69cd99d40d5d2121ac5c..87377513d549cbe0be66b405ea4964cb44be14b2 100644 (file)
@@ -77,6 +77,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_F_DELAY_NEW_KEYS   0x08000 /* apply [hdb] new_service_key_delay */
 #define HDB_F_SYNTHETIC_OK     0x10000 /* synthetic principal for PKINIT or GSS preauth OK */
 #define HDB_F_GET_FAST_COOKIE  0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
+#define HDB_F_ARMOR_PRINCIPAL  0x40000 /* fetch is for the client of an armor ticket */
 
 /* hdb_capability_flags */
 #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1