From eeebd488f2a31482f2c47a1618513c937041c3ac Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 17 May 2023 09:06:17 +1200 Subject: third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- third_party/heimdal/kdc/fast.c | 5 ++--- third_party/heimdal/kdc/kerberos5.c | 15 +++++++++++---- third_party/heimdal/kdc/krb5tgs.c | 2 +- third_party/heimdal/kuser/kinit.c | 20 ++++++++++++-------- third_party/heimdal/lib/hdb/hdb.asn1 | 4 ++-- third_party/heimdal/lib/hdb/hdb.h | 1 + 6 files changed, 29 insertions(+), 18 deletions(-) diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index e6c523ced95..a037331261a 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -834,10 +834,9 @@ _kdc_free_fast_state(KDCFastState *state) } krb5_error_code -_kdc_fast_check_armor_pac(astgs_request_t r) +_kdc_fast_check_armor_pac(astgs_request_t r, int flags) { krb5_error_code ret; - int flags; krb5_boolean ad_kdc_issued = FALSE; krb5_pac mspac = NULL; krb5_principal armor_client_principal = NULL; @@ -845,7 +844,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r) hdb_entry *armor_client = NULL; char *armor_client_principal_name = NULL; - flags = HDB_F_FOR_TGS_REQ; + flags |= HDB_F_ARMOR_PRINCIPAL; if (_kdc_synthetic_princ_used_p(r->context, r->armor_ticket)) flags |= HDB_F_SYNTHETIC_OK; if (r->req.req_body.kdc_options.canonicalize) diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index ecca52cdcdd..416fd29f553 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c 
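Review bot: The new `flags` parameter of `_kdc_fast_check_armor_pac` has no documentation, and because the function no longer sets `HDB_F_FOR_TGS_REQ` itself (second hunk, @@ -845), every caller now has to supply the request-type flag. A caller that passes 0 would look up the armor client with only `HDB_F_ARMOR_PRINCIPAL` and the two conditional flags set. I would add a header comment such as `/* flags: the caller's request-type lookup flag, e.g. HDB_F_FOR_TGS_REQ; HDB_F_ARMOR_PRINCIPAL is OR'ed in here */`. The function body continues outside both hunks, so how `flags` reaches the database fetch is not visible.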
@@ -2561,11 +2561,11 @@ _kdc_as_rep(astgs_request_t r) */ if (r->pa_max_life > 0) t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_max_life)); - else if (r->client->max_life && *r->client->max_life) + else if (r->client->max_life) t = rk_time_add(start, min(rk_time_sub(t, start), *r->client->max_life)); - if (r->server->max_life && *r->server->max_life) + if (r->server->max_life) t = rk_time_add(start, min(rk_time_sub(t, start), *r->server->max_life)); @@ -2576,6 +2576,13 @@ _kdc_as_rep(astgs_request_t r) t = min(t, rk_time_add(start, realm->max_life)); #endif r->et.endtime = t; + + if (start > r->et.endtime) { + _kdc_set_e_text(r, "Requested effective lifetime is negative or too short"); + ret = KRB5KDC_ERR_NEVER_VALID; + goto out; + } + if(f.renewable_ok && r->et.endtime < *b->till){ f.renewable = 1; if(b->rtime == NULL){ @@ -2589,10 +2596,10 @@ _kdc_as_rep(astgs_request_t r) t = *b->rtime; if(t == 0) t = MAX_TIME; - if(r->client->max_renew && *r->client->max_renew) + if(r->client->max_renew) t = rk_time_add(start, min(rk_time_sub(t, start), *r->client->max_renew)); - if(r->server->max_renew && *r->server->max_renew) + if(r->server->max_renew) t = rk_time_add(start, min(rk_time_sub(t, start), *r->server->max_renew)); #if 0 diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index 0bad42aa3b7..1ded41616dc 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -1908,7 +1908,7 @@ server_lookup: /* Validate armor TGT before potentially including device claims */ if (priv->armor_ticket) { - ret = _kdc_fast_check_armor_pac(priv); + ret = _kdc_fast_check_armor_pac(priv, HDB_F_FOR_TGS_REQ); if (ret) goto out; } diff --git a/third_party/heimdal/kuser/kinit.c b/third_party/heimdal/kuser/kinit.c index 01cb8ed1a41..a374817a067 100644 --- a/third_party/heimdal/kuser/kinit.c +++ b/third_party/heimdal/kuser/kinit.c 
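Review bot: Dropping the `&& *r->client->max_life` test changes what a stored value of 0 means: it used to be skipped as "no limit" and now clamps the end time to `start`. The same applies to `server->max_life` in this hunk and to both `max_renew` tests in the @@ -2589 hunk. Any HDB backend or existing database that writes 0 instead of omitting the optional field would start yielding zero-lifetime tickets. The new contract should be stated at this site, e.g. `/* a present max_life of 0 is a real limit; leave the field absent for "unlimited" */`. `_kdc_as_rep` starts and ends outside the hunk, so any later normalisation is not visible here.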
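Review bot: The added guard `if (start > r->et.endtime)` lets `endtime == start` through, so a `max_life` of 0 still produces a ticket that is never usable even though the error text says "negative or too short". If zero-length tickets are not intended, `if (start >= r->et.endtime) {` would match the message. There is also no equivalent check on the renew-till value computed in the @@ -2589 hunk, where a negative `max_renew` can now place `t` before `start`. How that value is stored lies outside the hunk, so this may be handled elsewhere.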
@@ -1263,16 +1263,18 @@ update_siginfo_msg(time_t exp, const char *srv) #ifdef HAVE_SIGACTION static void -handle_siginfo(int sig) +handler(int sig) { - struct iovec iov[2]; + if (sig == SIGINFO) { + struct iovec iov[2]; - iov[0].iov_base = rk_UNCONST(siginfo_msg); - iov[0].iov_len = strlen(siginfo_msg); - iov[1].iov_base = "\n"; - iov[1].iov_len = 1; + iov[0].iov_base = rk_UNCONST(siginfo_msg); + iov[0].iov_len = strlen(siginfo_msg); + iov[1].iov_base = "\n"; + iov[1].iov_len = 1; - writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0])); + writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0])); + } /* else ignore interrupts; our progeny will not ignore them */ } #endif @@ -1890,9 +1892,11 @@ main(int argc, char **argv) #ifdef HAVE_SIGACTION memset(&sa, 0, sizeof(sa)); sigemptyset(&sa.sa_mask); - sa.sa_handler = handle_siginfo; + sa.sa_handler = handler; sigaction(SIGINFO, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + sigaction(SIGQUIT, &sa, NULL); #endif ret = simple_execvp_timed(argv[1], argv+1, diff --git a/third_party/heimdal/lib/hdb/hdb.asn1 b/third_party/heimdal/lib/hdb/hdb.asn1 index 1a763de3d44..341927f2f0d 100644 --- a/third_party/heimdal/lib/hdb/hdb.asn1 +++ b/third_party/heimdal/lib/hdb/hdb.asn1 @@ -232,8 +232,8 @@ HDB_entry ::= SEQUENCE { valid-start[5] KerberosTime OPTIONAL, valid-end[6] KerberosTime OPTIONAL, pw-end[7] KerberosTime OPTIONAL, - max-life[8] INTEGER (0..4294967295) OPTIONAL, - max-renew[9] INTEGER (0..4294967295) OPTIONAL, + max-life[8] INTEGER (-2147483648..2147483647) OPTIONAL, + max-renew[9] INTEGER (-2147483648..2147483647) OPTIONAL, flags[10] HDBFlags, etypes[11] HDB-EncTypeList OPTIONAL, generation[12] GENERATION OPTIONAL, diff --git a/third_party/heimdal/lib/hdb/hdb.h b/third_party/heimdal/lib/hdb/hdb.h index 2a3d1c4bb8c..87377513d54 100644 --- a/third_party/heimdal/lib/hdb/hdb.h +++ b/third_party/heimdal/lib/hdb/hdb.h 
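Review bot: The reason SIGINT and SIGQUIT get a no-op handler rather than `SIG_IGN` is only hinted at by the trailing comment inside `handler` (@@ -1263 hunk), and the generic name hides that it now serves two purposes. I would state the rationale at the `sigaction` calls in `main`, presumably `/* catch rather than ignore: ignored signals stay ignored across exec, caught ones revert to default in the child */`. The three `sigaction` return values are unchecked and `sa_flags` is left at 0, so `SA_RESTART` is not set. Whether `simple_execvp_timed` copes with an interrupted wait is not visible from this hunk. `main` starts and ends outside the hunk.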
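Review bot: Changing `max-life` and `max-renew` from `(0..4294967295)` to `(-2147483648..2147483647)` alters the value space of stored entries, not just the generated C type, so values above 2147483647 that were valid before are now out of range. If an existing database holds such a value, for instance a large number used as "effectively unlimited", decoding that entry would presumably fail or the value would be misread. A comment on these two fields stating what a negative value means, plus a note on how older entries are migrated or clamped on read, would make the change safer to deploy. The KDC-side handling of the newly permitted negative values is in kdc/kerberos5.c.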
@@ -77,6 +77,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; #define HDB_F_DELAY_NEW_KEYS 0x08000 /* apply [hdb] new_service_key_delay */ #define HDB_F_SYNTHETIC_OK 0x10000 /* synthetic principal for PKINIT or GSS preauth OK */ #define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */ +#define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */ /* hdb_capability_flags */ #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 -- cgit v1.2.1