diff options
| author | Luke Howard <lukeh@padl.com> | 2022-10-20 13:27:31 +1300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2022-12-15 10:59:46 +0100 |
| commit | 2620bea3af8d9e4e1db195deba414a46e8c66b3d (patch) | |
| tree | 7646c46398923c90bc3c2633aa1da96036c88cbf | |
| parent | ff5d6ada80e90e5fd67086e52f7e82f91bbafcc0 (diff) | |
| download | samba-2620bea3af8d9e4e1db195deba414a46e8c66b3d.tar.gz | |
kdc: avoid re-encoding KDC-REQ-BODY
Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
[abartlet@samba.org adapted from Heimdal commit
ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
by removing references to FAST and GSS-pre-auth.
This fixes the Windows 11 22H2 issue with TGS-REQ
as seen at https://github.com/heimdal/heimdal/issues/1011 and so
removes the knownfail file for this test]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org private autobuild passed]
| -rw-r--r-- | selftest/knownfail.d/windows11-22h2 | 2 | ||||
| -rw-r--r-- | source4/heimdal/kdc/krb5tgs.c | 24 | ||||
| -rw-r--r-- | source4/heimdal/kdc/pkinit.c | 16 | ||||
| -rw-r--r-- | source4/heimdal/lib/asn1/krb5.opt | 1 |
4 files changed, 5 insertions, 38 deletions
diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2 deleted file mode 100644 index 69980ce763a..00000000000 --- a/selftest/knownfail.d/windows11-22h2 +++ /dev/null @@ -1,2 +0,0 @@ -# This tests shows the new timestamp from Windows 11 22H2 which fails in this version -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
\ No newline at end of file diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index b8c8c39a3d4..3461cf0ef57 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context, krb5_keyblock *key) { krb5_authenticator auth; - size_t len = 0; - unsigned char *buf; - size_t buf_size; krb5_error_code ret; krb5_crypto crypto; @@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context, goto out; } - /* XXX should not re-encode this */ - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret); - if(ret){ - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg); - krb5_free_error_message(context, msg); - goto out; - } - if(buf_size != len) { - free(buf); - kdc_log(context, config, 0, "Internal error in ASN.1 encoder"); - *e_text = "KDC internal error"; - ret = KRB5KRB_ERR_GENERIC; - goto out; - } ret = krb5_crypto_init(context, key, 0, &crypto); if (ret) { const char *msg = krb5_get_error_message(context, ret); - free(buf); kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); krb5_free_error_message(context, msg); goto out; @@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context, ret = krb5_verify_checksum(context, crypto, KRB5_KU_TGS_REQ_AUTH_CKSUM, - buf, - len, + b->_save.data, + b->_save.length, auth->cksum); - free(buf); krb5_crypto_destroy(context, crypto); if(ret){ const char *msg = krb5_get_error_message(context, ret); diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c index ad7f3efc10a..64ea4c00e41 100644 --- a/source4/heimdal/kdc/pkinit.c +++ b/source4/heimdal/kdc/pkinit.c @@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context, PKAuthenticator *a, const KDC_REQ *req) { - u_char *buf = NULL; - size_t buf_size; krb5_error_code ret; - size_t len = 0; krb5_timestamp now; Checksum checksum; @@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context, return KRB5KRB_AP_ERR_SKEW; } - ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret); - if (ret) { - krb5_clear_error_message(context); - return ret; - } - if (buf_size != len) - krb5_abortx(context, "Internal error in ASN.1 encoder"); - ret = krb5_create_checksum(context, NULL, 0, CKSUMTYPE_SHA1, - buf, - len, + req->req_body._save.data, + req->req_body._save.length, &checksum); - free(buf); if (ret) { krb5_clear_error_message(context); return ret; diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt index 1d6d5e8989f..5acc596d39c 100644 --- a/source4/heimdal/lib/asn1/krb5.opt +++ b/source4/heimdal/lib/asn1/krb5.opt @@ -4,3 +4,4 @@ --sequence=METHOD-DATA --sequence=ETYPE-INFO --sequence=ETYPE-INFO2 +--preserve-binary=KDC-REQ-BODY |