The Samba-Bugzilla – Attachment 17211 Details for Bug 15002: S4U2Self requests don't work against servers without FAST support
[patch] Patches for v4-16-test
bfixes-tmp416.txt (text/plain), 51.82 KB, created by Stefan Metzmacher on 2022-03-12 12:12:25 UTC
>From d4b98847a96cbb9f42c13139f33859b81563cd0d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 10 Mar 2022 16:12:43 +0100 >Subject: [PATCH 1/5] third_party/heimdal: import lorikeet-heimdal-202203101709 > (commit 47863866da25cc21d292ce335a976b8b33fa1864) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >(cherry picked from commit 67bdc922f9836779f1b37805575c5c4eea9ba3e6) >--- > .../heimdal/.github/workflows/coverity.yml | 68 ++++++++ > .../heimdal/.github/workflows/linux.yml | 146 ++++++++++++++++++ > third_party/heimdal/.github/workflows/osx.yml | 122 +++++++++++++++ > .../heimdal/.github/workflows/scanbuild.yml | 67 ++++++++ > .../heimdal/.github/workflows/valgrind.yml | 71 +++++++++ > .../heimdal/.github/workflows/windows.yml | 92 +++++++++++ > third_party/heimdal/kdc/default_config.c | 9 ++ > third_party/heimdal/kdc/fast.c | 3 + > third_party/heimdal/kdc/kdc.h | 1 + > third_party/heimdal/kdc/krb5tgs.c | 3 + > third_party/heimdal/lib/krb5/krb5.conf.5 | 2 + > third_party/heimdal/lib/krb5/pac.c | 12 +- > .../heimdal/tests/gss/check-context.in | 4 - > 13 files changed, 590 insertions(+), 10 deletions(-) > create mode 100644 third_party/heimdal/.github/workflows/coverity.yml > create mode 100644 third_party/heimdal/.github/workflows/linux.yml > create mode 100644 third_party/heimdal/.github/workflows/osx.yml > create mode 100644 third_party/heimdal/.github/workflows/scanbuild.yml > create mode 100644 third_party/heimdal/.github/workflows/valgrind.yml > create mode 100644 third_party/heimdal/.github/workflows/windows.yml > >diff --git a/third_party/heimdal/.github/workflows/coverity.yml b/third_party/heimdal/.github/workflows/coverity.yml >new file mode 100644 >index 000000000000..5a175f52a8ce >--- /dev/null 
>+++ b/third_party/heimdal/.github/workflows/coverity.yml 
>@@ -0,0 +1,68 @@ >+name: Linux Coverity Build >+ >+on: >+ push: >+ # Pushes to this branch get the scan-build treatment >+ branches: >+ - 'coverity*' >+ >+jobs: >+ linux: >+ if: secrets.COVERITY_SCAN_TOKEN != '' >+ runs-on: ${{ matrix.os }} >+ strategy: >+ fail-fast: false >+ matrix: >+ name: [linux-clang] >+ include: >+ - name: linux-clang >+ os: ubuntu-18.04 >+ compiler: clang >+ steps: >+ - name: Clone repository >+ uses: actions/checkout@v1 >+ - name: Install packages >+ if: startsWith(matrix.os, 'ubuntu') >+ run: | >+ sudo apt-get update -qq >+ sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind >+ # Temporary workaround for: >+ # https://github.com/actions/virtual-environments/issues/3185 >+ sudo hostname localhost >+ - name: Download Coverity Build Tool >+ env: >+ TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} >+ run: | >+ wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=ruby" -O cov-analysis-linux64.tar.gz >+ mkdir cov-analysis-linux64 >+ tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64 >+ - name: Build >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ CONFIGURE_OPTS: ${{ matrix.configureopts }} >+ run: | >+ /bin/sh ./autogen.sh >+ mkdir build >+ cd build >+ ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" >+ ulimit -c unlimited >+ # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW >+ (cd lib/libedit && make -j4) >+ (cd lib/sqlite && make -j4) >+ export 
PATH=`pwd`/cov-analysis-linux64/bin:$PATH >+ cov-build --dir cov-int make -j4 >+ - name: Submit the result to Coverity Scan >+ env: >+ TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} >+ EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }} >+ PROJECT: ${{ secrets.COVERITY_SCAN_PROJECT }} >+ run: | >+ tar czvf heimdal.tgz cov-int >+ curl \ >+ --form project=ruby \ >+ --form token=$TOKEN \ >+ --form email=$EMAIL \ >+ --form file=@heimdal.tgz \ >+ --form version=trunk \ >+ --form description="`./ruby -v`" "https://scan.coverity.com/builds?project=$PROJECT" >diff --git a/third_party/heimdal/.github/workflows/linux.yml b/third_party/heimdal/.github/workflows/linux.yml >new file mode 100644 >index 000000000000..48e4c80dc3c2 >--- /dev/null >+++ b/third_party/heimdal/.github/workflows/linux.yml 
>@@ -0,0 +1,146 @@ >+name: Linux Build >+ >+on: >+ push: >+ branches: >+ - 'master' >+ - 'heimdal-7-1-branch' >+ paths: >+ - '!docs/**' >+ - '!**.md' >+ - '!**.[1-9]' >+ - '**.[chly]' >+ - '**.hin' >+ - '**.in' >+ - '**.am' >+ - '**.m4' >+ - '**.ac' >+ - '**.pl' >+ - '**.py' >+ - '**.asn1' >+ - '**.opt' >+ - '**/COPYING' >+ - '**/INSTALL' >+ - '**/README*' >+ - '.github/workflows/linux.yml' >+ - '!appveyor.yml' >+ - '!.travis.yml' >+ >+ pull_request: >+ paths: >+ - '!docs/**' >+ - '!**.md' >+ - '!**.[1-9]' >+ - '**.[chly]' >+ - '**.hin' >+ - '**.in' >+ - '**.am' >+ - '**.m4' >+ - '**.ac' >+ - '**.pl' >+ - '**.py' >+ - '**.asn1' >+ - '**.opt' >+ - '**/COPYING' >+ - '**/INSTALL' >+ - '**/README*' >+ - '.github/workflows/linux.yml' >+ - '!appveyor.yml' >+ - '!.travis.yml' >+ >+jobs: >+ unix: >+ runs-on: ${{ matrix.os }} >+ strategy: >+ fail-fast: false >+ matrix: >+ name: [linux-clang, linux-gcc] >+ include: >+ - name: linux-clang >+ os: ubuntu-18.04 >+ compiler: clang >+ cflags: '' >+ - name: linux-gcc >+ os: ubuntu-18.04 >+ compiler: gcc >+ cflags: '-Wnonnull' >+ steps: >+ - name: Clone repository >+ uses: actions/checkout@v1 >+ - name: Install packages >+ if: startsWith(matrix.os, 'ubuntu') >+ run: | >+ sudo apt-get update -qq >+ sudo apt-get install -y bison comerr-dev flex doxygen >+ sudo apt-get install -y libcap-ng-dev libdb-dev libedit-dev libjson-perl >+ sudo apt-get install -y libldap2-dev libncurses5-dev libperl4-corelibs-perl >+ sudo apt-get install -y libsqlite3-dev libkeyutils-dev pkg-config python >+ sudo apt-get install -y ss-dev texinfo unzip netbase keyutils ldap-utils >+ sudo apt-get install -y gdb apport curl libmicrohttpd-dev jq valgrind >+ # Temporary workaround for: >+ # https://github.com/actions/virtual-environments/issues/3185 >+ sudo hostname localhost >+ - name: Build >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ run: | >+ /bin/sh ./autogen.sh >+ mkdir build >+ cd build >+ ../configure --srcdir=`dirname 
"$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="${{ matrix.cflags }} -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" >+ make -j4 >+ - name: Test >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ run: | >+ cd build >+ ulimit -c unlimited >+ make check >+ - name: Make Install >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ run: | >+ cd build || true >+ make DESTDIR=/tmp/h5l install >+ cd /tmp/h5l >+ tar czf $HOME/heimdal-install-linux-${{ matrix.compiler }}.tgz . >+ - name: Core dump stacks >+ run: | >+ echo "thread apply all bt" > /tmp/x >+ find . -name core -print | while read core; do gdb -batch -x x `file "$core"|sed -e "s/^[^']*'//" -e "s/[ '].*$//"` "$core"; done >+ if [ "$(find . -name core -print | wc -l)" -gt 0 ]; then false; fi >+ - name: Test logs >+ run: | >+ find build -depth -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-${{ matrix.compiler }}.tgz --verbatim-files-from --files-from - >+ find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat >+ - name: Failed Test logs >+ if: ${{ failure() }} >+ run: | >+ find build -name \*.trs | xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat >+ - name: Make Dist >+ run: | >+ cd build >+ make dist >+ make distclean >+ if [ "$(git ls-files -o|grep -v ^build/ | wc -l)" -ne 0 ]; then >+ echo "Files not removed by make distclean:" >+ git ls-files -o|grep -v ^build/ >+ fi >+ - name: Upload Install Tarball >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Install Tarball >+ path: '~/heimdal-install-linux-${{ matrix.compiler }}.tgz' >+ - name: Upload Dist Tarball >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Dist Tarball >+ path: 'build/heimdal-*.tar.gz' >+ - name: Upload Logs Tarball >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Test 
Logs >+ path: '~/logs-linux-${{ matrix.compiler }}.tgz' >diff --git a/third_party/heimdal/.github/workflows/osx.yml b/third_party/heimdal/.github/workflows/osx.yml >new file mode 100644 >index 000000000000..342f850f1c70 >--- /dev/null >+++ b/third_party/heimdal/.github/workflows/osx.yml 
>@@ -0,0 +1,122 @@ >+name: OS X Build >+ >+on: >+ push: >+ branches: >+ - 'master' >+ - 'osx-build' >+ - 'heimdal-7-1-branch' >+ paths: >+ - '!docs/**' >+ - '!**.md' >+ - '!**.[1-9]' >+ - '**.[chly]' >+ - '**.hin' >+ - '**.in' >+ - '**.am' >+ - '**.m4' >+ - '**.ac' >+ - '**.pl' >+ - '**.py' >+ - '**.asn1' >+ - '**.opt' >+ - '**/COPYING' >+ - '**/INSTALL' >+ - '**/README*' >+ - '.github/workflows/osx.yml' >+ - '!appveyor.yml' >+ - '!.travis.yml' >+ >+ pull_request: >+ paths: >+ - '!docs/**' >+ - '!**.md' >+ - '!**.[1-9]' >+ - '**.[chly]' >+ - '**.hin' >+ - '**.in' >+ - '**.am' >+ - '**.m4' >+ - '**.ac' >+ - '**.pl' >+ - '**.py' >+ - '**.asn1' >+ - '**.opt' >+ - '**/COPYING' >+ - '**/INSTALL' >+ - '**/README*' >+ - '.github/workflows/osx.yml' >+ - '!appveyor.yml' >+ - '!.travis.yml' >+ >+jobs: >+ osx: >+ runs-on: ${{ matrix.os }} >+ strategy: >+ fail-fast: false >+ matrix: >+ name: [osx-clang] >+ include: >+ - name: osx-clang >+ os: macos-latest >+ compiler: clang >+ steps: >+ - name: Install packages >+ run: | >+ echo "bison, flex, ncurses, texinfo, and unzip are in the base OS." >+ echo "berkeley-db, perl, python, curl, and jq are installed in the" >+ echo "base image already." 
>+ brew install autoconf automake libtool cpanm >+ sudo cpanm install JSON >+ - name: Clone repository >+ uses: actions/checkout@v1 >+ - name: Build >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ CONFIGURE_OPTS: ${{ matrix.configureopts }} >+ run: | >+ /bin/sh ./autogen.sh >+ mkdir build >+ cd build >+ ../configure --srcdir=`dirname "$PWD"` --disable-afs-support --enable-maintainer-mode --enable-developer $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" CFLAGS="-O0 -g -ggdb3" >+ ulimit -c unlimited >+ make -j4 >+ #- name: Setup upterm session >+ # uses: lhotari/action-upterm@v1 >+ # with: >+ # limit-access-to-actor: true >+ - name: Test >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ CONFIGURE_OPTS: ${{ matrix.configureopts }} >+ run: | >+ set -vx >+ sudo lsof -nP -i:49188 || true >+ cd build >+ make check >+ - name: Install >+ run: | >+ cd build || true >+ make DESTDIR=/tmp/h5l install >+ cd /tmp/h5l >+ tar czf $HOME/heimdal-install-osx.tgz . >+ - name: Test logs >+ run: | >+ find build -depth -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/' | cpio -o > $HOME/logs-osx.cpio >+ find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat >+ - name: Failed Test logs >+ if: ${{ failure() }} >+ run: | >+ find build -name \*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat >+ - name: Upload Install Tarball >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Install Tarball >+ path: '~/heimdal-install-osx.tgz' >+ - name: Upload Artifacts >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Upload Test Logs >+ path: '~/logs-osx.cpio' >diff --git a/third_party/heimdal/.github/workflows/scanbuild.yml b/third_party/heimdal/.github/workflows/scanbuild.yml >new file mode 100644 >index 000000000000..678ccfd80462 >--- /dev/null 
>+++ b/third_party/heimdal/.github/workflows/scanbuild.yml 
>@@ -0,0 +1,67 @@ >+name: Linux Static Analyzer Build >+ >+on: >+ push: >+ # Pushes to this branch get the scan-build treatment >+ branches: >+ - 'scan-build*' >+ >+ pull_request: >+ # Changing this build gets it to run >+ paths: >+ - '.github/workflows/scanbuild.yml' >+ >+jobs: >+ unix: >+ runs-on: ${{ matrix.os }} >+ strategy: >+ fail-fast: false >+ matrix: >+ name: [linux-clang] >+ include: >+ - name: linux-clang >+ os: ubuntu-18.04 >+ compiler: clang >+ steps: >+ - name: Clone repository >+ uses: actions/checkout@v1 >+ - name: Install packages >+ if: startsWith(matrix.os, 'ubuntu') >+ run: | >+ sudo apt-get update -qq >+ sudo apt-get install -y bison comerr-dev flex libcap-ng-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev clang-tools clang-format jq valgrind >+ # Temporary workaround for: >+ # https://github.com/actions/virtual-environments/issues/3185 >+ sudo hostname localhost >+ - name: Build >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ CONFIGURE_OPTS: ${{ matrix.configureopts }} >+ run: | >+ /bin/sh ./autogen.sh >+ mkdir build >+ cd build >+ ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" >+ ulimit -c unlimited >+ # We don't want to scan-build libedit nor SQLite3 because ETOOSLOW >+ (cd lib/libedit && make -j4) >+ (cd lib/sqlite && make -j4) >+ scan-build --keep-going make -j4 >+ - name: Test >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ run: | >+ cd build >+ ulimit -c unlimited >+ scan-build --keep-going make check >+ - name: Failed Test logs >+ if: ${{ failure() }} >+ run: | >+ find build -name 
\*.trs|xargs grep -lw FAIL|sed -e 's/trs$/log/'|xargs cat >+ - name: Upload Artifacts >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Scan-Build Reports >+ path: '/tmp/scan-build*/' >diff --git a/third_party/heimdal/.github/workflows/valgrind.yml b/third_party/heimdal/.github/workflows/valgrind.yml >new file mode 100644 >index 000000000000..ab5e90916610 >--- /dev/null >+++ b/third_party/heimdal/.github/workflows/valgrind.yml 
>@@ -0,0 +1,71 @@ >+name: Linux Valgrind Tests Build >+ >+on: >+ push: >+ # Pushes to the valgrind branch get the valgrind treatment >+ branches: >+ - 'valgrind*' >+ >+ pull_request: >+ # Changing this build also gets it to run >+ paths: >+ - '.github/workflows/valgrind.yml' >+ >+jobs: >+ unix: >+ runs-on: ${{ matrix.os }} >+ strategy: >+ fail-fast: false >+ matrix: >+ name: [linux-clang] >+ include: >+ - name: linux-clang >+ os: ubuntu-18.04 >+ compiler: clang >+ steps: >+ - name: Clone repository >+ uses: actions/checkout@v1 >+ - name: Install packages >+ if: startsWith(matrix.os, 'ubuntu') >+ run: | >+ sudo apt-get update -qq >+ sudo apt-get install -y bison comerr-dev flex libcap-ng-dev lmdb-utils liblmdb-dev libdb-dev libedit-dev libjson-perl libldap2-dev libncurses5-dev libperl4-corelibs-perl libsqlite3-dev libkeyutils-dev pkg-config python ss-dev texinfo unzip netbase keyutils ldap-utils gdb apport curl libmicrohttpd-dev jq valgrind >+ # Temporary workaround for: >+ # https://github.com/actions/virtual-environments/issues/3185 >+ sudo hostname localhost >+ - name: Build >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ CONFIGURE_OPTS: ${{ matrix.configureopts }} >+ CHECK_TESTER_NO_VALGRIND: 'no-valgrind' >+ run: | >+ /bin/sh ./autogen.sh >+ mkdir build >+ cd build >+ ../configure --srcdir=`dirname "$PWD"` --enable-maintainer-mode --enable-developer --with-ldap $CONFIGURE_OPTS --prefix=$HOME/inst CFLAGS="-g -ggdb3 -O0 -Wno-error=shadow -Wno-error=bad-function-cast -Wno-error=unused-function -Wno-error=unused-result -Wno-error=deprecated-declarations" >+ make -j4 >+ - name: Test >+ env: >+ CC: ${{ matrix.compiler }} >+ MAKEVARS: ${{ matrix.makevars }} >+ run: | >+ cd build >+ ulimit -c unlimited >+ make check-valgrind >+ - name: Valgrind output >+ run: | >+ find . 
-name \*.log -print0|xargs -0 grep '^==[0-9]*== ' || true >+ - name: Test logs >+ run: | >+ find build -depth -name \*.log | sed -e 's/trs$/log/' | tar -czf $HOME/logs-linux-valgrind.tgz --verbatim-files-from --files-from - >+ find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat >+ - name: Failed Test logs >+ if: ${{ failure() }} >+ run: | >+ find build -name \*.trs|xargs grep -lw FAIL | sed -e 's/trs$/log/' | xargs cat >+ - name: Upload Artifacts >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Test Logs >+ path: '~/logs-linux-valgrind.tgz' >diff --git a/third_party/heimdal/.github/workflows/windows.yml b/third_party/heimdal/.github/workflows/windows.yml >new file mode 100644 >index 000000000000..f1c187c397a9 >--- /dev/null >+++ b/third_party/heimdal/.github/workflows/windows.yml 
>@@ -0,0 +1,92 @@ >+name: Windows Build >+ >+on: >+ push: >+ branches: >+ - 'master' >+ - 'heimdal-7-1-branch' >+ paths: >+ - '!docs/**' >+ - '!**.md' >+ - '!**.[1-9]' >+ - '**.[chly]' >+ - '**.hin' >+ - '**.in' >+ - '**.pl' >+ - '**.py' >+ - '**.asn1' >+ - '**.opt' >+ - '**.w32' >+ - '**/NTMakefile*' >+ - '**/COPYING' >+ - '**/INSTALL' >+ - '**/README*' >+ - '.github/workflows/windows.yml' >+ - '!appveyor.yml' >+ - '!.travis.yml' >+ >+ pull_request: >+ paths: >+ - '!docs/**' >+ - '!**.md' >+ - '!**.[1-9]' >+ - '**.[chly]' >+ - '**.hin' >+ - '**.in' >+ - '**.pl' >+ - '**.py' >+ - '**.asn1' >+ - '**.opt' >+ - '**.w32' >+ - '**/NTMakefile' >+ - '**/COPYING' >+ - '**/INSTALL' >+ - '**/README*' >+ - '.github/workflows/windows.yml' >+ - '!appveyor.yml' >+ - '!.travis.yml' >+ >+jobs: >+ windows: >+ runs-on: windows-latest >+ env: >+ APPVER: '10.0' >+ CODESIGN_PKT: 0000000000000000 >+ INSTALL_DIR: C:\heimdal >+ WINSDKVER: '10.0.22000.0' >+ WIXDIR: 'c:\Program Files (x86)\Windows Installer XML v3.5' >+ steps: >+ - name: Clone repository >+ uses: actions/checkout@v1 >+ - name: Find MSVC and run vcvarsall.bat >+ uses: ilammy/msvc-dev-cmd@v1 >+ with: >+ arch: amd64 >+ - name: Build and Test >+ shell: cmd >+ run: | >+ set PATH=%PATH%;C:\msys64\usr\bin;C:\Program Files (x86)\HTML Help Workshop;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin >+ set CODESIGN_PKT=0000000000000000 >+ set dbg__type=Debug >+ mkdir %INSTALL_DIR% >+ pacman --noconfirm -S zstd >+ pacman --noconfirm -S autoconf >+ pacman --noconfirm -S automake >+ pacman --noconfirm -S flex >+ pacman --noconfirm -S bison >+ pacman --noconfirm -S perl >+ pacman --noconfirm -S perl-JSON >+ set PATH=%PATH%;%wix%bin >+ title Heimdal Build %CPU% %dbg__type% >+ set "PATH=%PATH%;C:\Perl64\bin;C:\tools\cygwin\bin;C:\Program Files (x86)\HTML Help Workshop" >+ set "PATH=%PATH%;C:/msys64/usr/bin" >+ set "PATH=%PATH%;C:\program files (x86)\windows installer xml v3.5\bin;C:\cygwin\bin" >+ set 
"PATH=%PATH%;C:\Python310-x64" >+ echo PATH=%PATH% >+ nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 >+ nmake /f NTMakefile APPVEYOR=1 MAKEINFO=makeinfo NO_INSTALLERS=1 test >+ - name: Upload Artifacts >+ uses: actions/upload-artifact@v2 >+ with: >+ name: Objects >+ path: 'D:/a/heimdal/heimdal/out/' >diff --git a/third_party/heimdal/kdc/default_config.c b/third_party/heimdal/kdc/default_config.c >index 01f8f7b54a69..83c73504ce7a 100644 >--- a/third_party/heimdal/kdc/default_config.c >+++ b/third_party/heimdal/kdc/default_config.c >@@ -101,6 +101,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) > c->strict_nametypes = FALSE; > c->trpolicy = TRPOLICY_ALWAYS_CHECK; > c->require_pac = FALSE; >+ c->enable_fast = TRUE; > c->enable_armored_pa_enc_timestamp = TRUE; > c->enable_unarmored_pa_enc_timestamp = TRUE; > c->enable_pkinit = FALSE; >@@ -262,6 +263,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) > "require_pac", > NULL); > >+ c->enable_fast = >+ krb5_config_get_bool_default(context, >+ NULL, >+ c->enable_fast, >+ "kdc", >+ "enable_fast", >+ NULL); >+ > c->enable_armored_pa_enc_timestamp = > krb5_config_get_bool_default(context, > NULL, >diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c >index 043227892b5d..392fc966050e 100644 >--- a/third_party/heimdal/kdc/fast.c >+++ b/third_party/heimdal/kdc/fast.c >@@ -755,6 +755,9 @@ _kdc_fast_unwrap_request(astgs_request_t r, > const PA_DATA *pa; > int i = 0; > >+ if (!r->config->enable_fast) >+ return 0; >+ > ret = fast_unwrap_request(r, tgs_ticket, tgs_ac); > if (ret) > return ret; >diff --git a/third_party/heimdal/kdc/kdc.h b/third_party/heimdal/kdc/kdc.h >index e3709ada6b0a..31e54325452a 100644 >--- a/third_party/heimdal/kdc/kdc.h >+++ b/third_party/heimdal/kdc/kdc.h 
>@@ -106,6 +106,7 @@ struct krb5_kdc_service { > unsigned int use_strongest_server_key : 1; \ > \ > unsigned int require_pac : 1; \ >+ unsigned int enable_fast : 1; \ > unsigned int enable_armored_pa_enc_timestamp : 1 > > #ifndef __KDC_LOCL_H__ >diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c >index 06889f47120e..aab6806fbe12 100644 >--- a/third_party/heimdal/kdc/krb5tgs.c >+++ b/third_party/heimdal/kdc/krb5tgs.c >@@ -902,6 +902,9 @@ validate_fast_ad(astgs_request_t r, krb5_authdata *auth_data) > > krb5_data_zero(&data); > >+ if (!r->config->enable_fast) >+ return 0; >+ > ret = _krb5_get_ad(r->context, auth_data, NULL, > KRB5_AUTHDATA_FX_FAST_USED, &data); > if (ret == 0) { >diff --git a/third_party/heimdal/lib/krb5/krb5.conf.5 b/third_party/heimdal/lib/krb5/krb5.conf.5 >index 1013a78d8731..8a9623ecadab 100644 >--- a/third_party/heimdal/lib/krb5/krb5.conf.5 >+++ b/third_party/heimdal/lib/krb5/krb5.conf.5 >@@ -816,6 +816,8 @@ addresses in the tickets. > .It Li allow-null-ticket-addresses = Va BOOL > Allow address-less tickets. > .\" XXX >+.It Li enable_fast = Va BOOL >+Enable RFC 6113 FAST support, this is enabled by default. > .It Li enable_armored_pa_enc_timestamp = Va BOOL > Enable armored encrypted timestamp pre-authentication with key > strengthening. >diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c >index a12c00d77328..c8f355c81790 100644 >--- a/third_party/heimdal/lib/krb5/pac.c >+++ b/third_party/heimdal/lib/krb5/pac.c >@@ -458,7 +458,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p, > */ > > KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL >-krb5_pac_get_buffer(krb5_context context, krb5_pac p, >+krb5_pac_get_buffer(krb5_context context, krb5_const_pac p, > uint32_t type, krb5_data *data) > { > krb5_error_code ret; 
>@@ -508,7 +508,7 @@ static struct { > */ > > KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL >-_krb5_pac_get_buffer_by_name(krb5_context context, krb5_pac p, >+_krb5_pac_get_buffer_by_name(krb5_context context, krb5_const_pac p, > const krb5_data *name, krb5_data *data) > { > size_t i; >@@ -531,7 +531,7 @@ _krb5_pac_get_buffer_by_name(krb5_context context, krb5_pac p, > > KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL > krb5_pac_get_types(krb5_context context, >- krb5_pac p, >+ krb5_const_pac p, > size_t *len, > uint32_t **types) > { >@@ -1573,7 +1573,7 @@ out: > > KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL > krb5_pac_get_kdc_checksum_info(krb5_context context, >- krb5_pac pac, >+ krb5_const_pac pac, > krb5_cksumtype *cstype, > uint16_t *rodc_id) > { >@@ -1628,7 +1628,7 @@ out: > > KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL > _krb5_pac_get_canon_principal(krb5_context context, >- krb5_pac pac, >+ krb5_const_pac pac, > krb5_principal *canon_princ) > { > *canon_princ = NULL; >@@ -1644,7 +1644,7 @@ _krb5_pac_get_canon_principal(krb5_context context, > > KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL > _krb5_pac_get_attributes_info(krb5_context context, >- krb5_pac pac, >+ krb5_const_pac pac, > uint64_t *pac_attributes) > { > *pac_attributes = 0; >diff --git a/third_party/heimdal/tests/gss/check-context.in b/third_party/heimdal/tests/gss/check-context.in >index 46c058d068b4..2b866d2f7242 100644 >--- a/third_party/heimdal/tests/gss/check-context.in >+++ b/third_party/heimdal/tests/gss/check-context.in 
>@@ -159,14 +159,10 @@ mv ${keytabfile} ${keytabfile}.no > echo "checking non existant keytabfile (krb5)" ; > messages.log > ${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \ > { eval "$testfailed"; } >-grep ${keytabfile} test_context.log > /dev/null || \ >- { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; } > echo "checking non existant keytabfile (spengo)" ; > messages.log > ${context} --mech-type=spnego --mech-types=spnego,krb5 \ > host@lucid.test.h5l.se > test_context.log 2>&1 && \ > { eval "$testfailed"; } >-grep ${keytabfile} test_context.log > /dev/null || \ >- { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; } > > mv ${keytabfile}.no ${keytabfile} > >-- >2.25.1 > > >From 34577419f9dbf9d588cffd547bc0b07fbd4f48b7 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 Mar 2022 12:39:07 +0100 >Subject: [PATCH 2/5] docs-xml: add 'kdc enable fast' option > >This will be useful to test against a KDC without FAST support >and find/prevent regressions. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >(cherry picked from commit 12b623088cf48cf9e4a046441810ef20e1f079b8) >--- > docs-xml/smbdotconf/security/kdcenablefast.xml | 15 +++++++++++++++ > lib/param/loadparm.c | 2 ++ > source3/param/loadparm.c | 2 ++ > 3 files changed, 19 insertions(+) > create mode 100644 docs-xml/smbdotconf/security/kdcenablefast.xml > >diff --git a/docs-xml/smbdotconf/security/kdcenablefast.xml b/docs-xml/smbdotconf/security/kdcenablefast.xml >new file mode 100644 >index 000000000000..e47ca3b0bd41 >--- /dev/null >+++ b/docs-xml/smbdotconf/security/kdcenablefast.xml 
>@@ -0,0 +1,15 @@ >+<samba:parameter name="kdc enable fast" >+ type="boolean" >+ context="G" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ <para>With the Samba 4.16 the embedded Heimdal KDC brings >+ support for RFC6113 FAST, which wasn't available in >+ older Samba versions.</para> >+ >+ <para>This option is mostly for testing and currently only applies >+ if the embedded Heimdal KDC is used.</para> >+</description> >+ >+<value type="default">yes</value> >+</samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index cae763b44ea4..d6d845391e6f 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c >@@ -2695,6 +2695,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > lpcfg_do_global_parameter(lp_ctx, "krb5 port", "88"); > lpcfg_do_global_parameter(lp_ctx, "kpasswd port", "464"); > >+ lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True"); >+ > lpcfg_do_global_parameter(lp_ctx, "nt status support", "True"); > > lpcfg_do_global_parameter(lp_ctx, "max wins ttl", "518400"); /* 6 days */ >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index a366870d1fe9..21e061939e3e 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -942,6 +942,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > > Globals.kpasswd_port = 464; > >+ Globals.kdc_enable_fast = true; >+ > Globals.aio_max_threads = 100; > > lpcfg_string_set(Globals.ctx, >-- >2.25.1 > > >From b3b896878cdfccfc8ab66b435b84ff5890a3e5e0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 Mar 2022 12:39:07 +0100 >Subject: [PATCH 3/5] s4:kdc: make use of the 'kdc enable fast' option > >This will useful to test against a KDC without FAST support >and find/prevent regressions. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >(cherry picked from commit 2db7589d69abebad16b66d933114367f815d5fc3) >--- > source4/kdc/db-glue.c | 8 ++++++-- > source4/kdc/kdc-heimdal.c | 7 +++++++ > 2 files changed, 13 insertions(+), 2 deletions(-) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 8d17038cfe66..bdadc1278c30 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c >@@ -448,11 +448,15 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, > *supported_enctypes_out = 0; > > if (rid == DOMAIN_RID_KRBTGT || is_rodc) { >+ bool enable_fast; >+ > /* KDCs (and KDCs on RODCs) use AES */ > supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; > >- /* KDCs support FAST */ >- supported_enctypes |= ENC_FAST_SUPPORTED; >+ enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); >+ if (enable_fast) { >+ supported_enctypes |= ENC_FAST_SUPPORTED; >+ } > } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) { > /* DCs and RODCs comptuer accounts use AES */ > supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; >diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c >index ddf3b649da2d..0d2a410fc3b4 100644 >--- a/source4/kdc/kdc-heimdal.c >+++ b/source4/kdc/kdc-heimdal.c >@@ -422,6 +422,13 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd) > > kdc_config->require_pac = true; > >+ /* >+ * By default we enable RFC6113/FAST support, >+ * but we have an option to disable in order to >+ * test against a KDC with FAST support. >+ */ >+ kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx); >+ > /* > * Match Windows and RFC6113 and Windows but break older > * Heimdal clients. >-- >2.25.1 > > >From 528b865272f7e9e12a6c9c410d3fcf91dee545ed Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 Mar 2022 12:53:18 +0100 >Subject: [PATCH 4/5] selftest: use 'kdc enable fast = no' for fl2000 fl2003 > >This makes sure we still run tests against KDCs without FAST support >and it already found a few regressions. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >(cherry picked from commit f1a71e24864367a55a30813dd642e7ef392b5ac9) >--- > selftest/knownfail.d/broken.no-fast | 32 +++++++++++++++++++++++++++++ > selftest/target/Samba4.pm | 2 ++ > source4/selftest/tests.py | 5 ++++- > 3 files changed, 38 insertions(+), 1 deletion(-) > create mode 100644 selftest/knownfail.d/broken.no-fast > >diff --git a/selftest/knownfail.d/broken.no-fast b/selftest/knownfail.d/broken.no-fast >new file mode 100644 >index 000000000000..a337cacee8b8 >--- /dev/null >+++ b/selftest/knownfail.d/broken.no-fast 
>@@ -0,0 +1,32 @@ >+^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2000dc >+^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2000dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2000dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2000dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc >+^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2003dc >+^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2003dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2003dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2003dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc >+^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2003dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc >+^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2000dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2000dc >+^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2000dc >+^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2003dc >+^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2000dc 
>+^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.ad_member_oneway >+^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.ad_member_oneway >+^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2000dc >+^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2000dc >+^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2003dc >+^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2003dc >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index da6b2de488b7..4c263f55de4d 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1655,6 +1655,7 @@ sub provision_fl2000dc($$) > > print "PROVISIONING DC WITH FOREST LEVEL 2000...\n"; > my $extra_conf_options = " >+ kdc enable fast = no > spnego:simulate_w2k=yes > ntlmssp_server:force_old_spnego=yes > "; >@@ -1698,6 +1699,7 @@ sub provision_fl2003dc($$$) > > print "PROVISIONING DC WITH FOREST LEVEL 2003...\n"; > my $extra_conf_options = "allow dns updates = nonsecure and secure >+ kdc enable fast = no > dcesrv:header signing = no > dcesrv:max auth states = 0 > dns forwarder = $ip_addr1 [$ip_addr2]:54"; >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 829eda82979e..a7572b53cadf 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py 
>@@ -1666,12 +1666,15 @@ plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", ' > '--option=torture:krb5-service=http'], > "samba4.krb5.kdc with account having identical UPN and SPN") > for env in ["fl2008r2dc", "fl2003dc"]: >+ fast_support = have_fast_support >+ if env in ["fl2003dc"]: >+ fast_support = 0 > planoldpythontestsuite(env, "samba.tests.krb5.as_req_tests", > environ={ > 'ADMIN_USERNAME': '$USERNAME', > 'ADMIN_PASSWORD': '$PASSWORD', > 'STRICT_CHECKING': '0', >- 'FAST_SUPPORT': have_fast_support, >+ 'FAST_SUPPORT': fast_support, > 'TKT_SIG_SUPPORT': tkt_sig_support, > 'EXPECT_PAC': expect_pac, > 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, >-- >2.25.1 > > >From 85758b4fed7418124208c75356cd6e12fd1b7bc1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 10 Mar 2022 17:49:52 +0100 >Subject: [PATCH 5/5] third_party/heimdal: import lorikeet-heimdal-202203101710 > (commit df8d801544144949931cd742169be1207b239c3d) > >This fixes the regressions against KDCs without FAST support. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184 > >(cherry picked from commit 9b48e7f7eda5e368c1192d562c268885c1f68d8b) >--- > selftest/knownfail.d/broken.no-fast | 32 ------- > third_party/heimdal/lib/krb5/fast.c | 98 +++++++++++++++++--- > third_party/heimdal/lib/krb5/get_cred.c | 76 +++++++++------ > third_party/heimdal/lib/krb5/init_creds_pw.c | 1 - > 4 files changed, 134 insertions(+), 73 deletions(-) > delete mode 100644 selftest/knownfail.d/broken.no-fast > >diff --git a/selftest/knownfail.d/broken.no-fast b/selftest/knownfail.d/broken.no-fast >deleted file mode 100644 >index a337cacee8b8..000000000000 
>--- a/selftest/knownfail.d/broken.no-fast >+++ /dev/null 
>@@ -1,32 +0,0 @@ >-^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2000dc >-^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2000dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2000dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2000dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc >-^samba4.rpc.pac.on.ncacn_np.netr-bdc-arcfour.s4u2self-arcfour.fl2003dc >-^samba4.rpc.pac.on.ncacn_np.netr-bcd-aes.s4u2self-aes.fl2003dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2self-arcfour.fl2003dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2self-aes.fl2003dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc >-^samba4.rpc.pac.on.ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2003dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2000dc >-^samba4.blackbox.kinit_trust.Test.login.with.kerberos.ccache.fl2000dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.fl2000dc >-^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.lowercase.realm.2.fl2000dc >-^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2003dc >-^samba4.blackbox.trust_token.Test.token.with.kerberos.fl2000dc 
>-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.ad_member_oneway >-^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.ad_member_oneway >-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2000dc >-^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2000dc >-^samba3.wbinfo_simple.trust:--krb5auth=ADDOM.SAMBA.EXAMPLE.COM/Administrator%locDCpass1.wbinfo.fl2003dc >-^samba3.wbinfo_simple.trust:--krb5auth=ADDOMAIN/Administrator%locDCpass1.wbinfo.fl2003dc >diff --git a/third_party/heimdal/lib/krb5/fast.c b/third_party/heimdal/lib/krb5/fast.c >index 617446c36342..83893542d690 100644 >--- a/third_party/heimdal/lib/krb5/fast.c >+++ b/third_party/heimdal/lib/krb5/fast.c >@@ -413,8 +413,14 @@ _krb5_fast_create_armor(krb5_context context, > } > > if (state->type == choice_PA_FX_FAST_REQUEST_armored_data) { >- if (state->armor_crypto) >+ if (state->armor_crypto) { > krb5_crypto_destroy(context, state->armor_crypto); >+ state->armor_crypto = NULL; >+ } >+ if (state->strengthen_key) { >+ krb5_free_keyblock(context, state->strengthen_key); >+ state->strengthen_key = NULL; >+ } > krb5_free_keyblock_contents(context, &state->armor_key); > > /* >@@ -455,14 +461,15 @@ _krb5_fast_create_armor(krb5_context context, > krb5_error_code > _krb5_fast_wrap_req(krb5_context context, > struct krb5_fast_state *state, >- krb5_data *checksum_data, > KDC_REQ *req) > { > PA_FX_FAST_REQUEST fxreq; > krb5_error_code ret; > KrbFastReq fastreq; >- krb5_data data, aschecksum_data; >+ krb5_data data, aschecksum_data, tgschecksum_data; >+ const krb5_data *checksum_data = NULL; > size_t size = 0; >+ krb5_boolean readd_padata_to_outer = FALSE; > > if (state->flags & KRB5_FAST_DISABLED) { > _krb5_debug(context, 10, "fast disabled, not doing any fast wrapping"); 
>@@ -473,6 +480,7 @@ _krb5_fast_wrap_req(krb5_context context, > memset(&fastreq, 0, sizeof(fastreq)); > krb5_data_zero(&data); > krb5_data_zero(&aschecksum_data); >+ krb5_data_zero(&tgschecksum_data); > > if (state->armor_crypto == NULL) > return check_fast(context, state); >@@ -511,8 +519,6 @@ _krb5_fast_wrap_req(krb5_context context, > ALLOC(req->req_body.till, 1); > *req->req_body.till = 0; > >- heim_assert(checksum_data == NULL, "checksum data not NULL"); >- > ASN1_MALLOC_ENCODE(KDC_REQ_BODY, > aschecksum_data.data, > aschecksum_data.length, 
>@@ -523,14 +529,63 @@ _krb5_fast_wrap_req(krb5_context context, > heim_assert(aschecksum_data.length == size, "ASN.1 internal error"); > > checksum_data = &aschecksum_data; >- } > >- if (req->padata) { >- ret = copy_METHOD_DATA(req->padata, &fastreq.padata); >- free_METHOD_DATA(req->padata); >- if (ret) >- goto out; >+ if (req->padata) { >+ ret = copy_METHOD_DATA(req->padata, &fastreq.padata); >+ free_METHOD_DATA(req->padata); >+ if (ret) >+ goto out; >+ } > } else { >+ const PA_DATA *tgs_req_ptr = NULL; >+ int tgs_req_idx = 0; >+ size_t i; >+ >+ heim_assert(req->padata != NULL, "req->padata is NULL"); >+ >+ tgs_req_ptr = krb5_find_padata(req->padata->val, >+ req->padata->len, >+ KRB5_PADATA_TGS_REQ, >+ &tgs_req_idx); >+ heim_assert(tgs_req_ptr != NULL, "KRB5_PADATA_TGS_REQ not found"); >+ heim_assert(tgs_req_idx == 0, "KRB5_PADATA_TGS_REQ not first"); >+ >+ tgschecksum_data.data = tgs_req_ptr->padata_value.data; >+ tgschecksum_data.length = tgs_req_ptr->padata_value.length; >+ checksum_data = &tgschecksum_data; >+ >+ /* >+ * Now copy all remaining once to >+ * the fastreq.padata and clear >+ * them in the outer req first, >+ * and remember to readd them later. >+ */ >+ readd_padata_to_outer = TRUE; >+ >+ for (i = 1; i < req->padata->len; i++) { >+ PA_DATA *val = &req->padata->val[i]; >+ >+ ret = krb5_padata_add(context, >+ &fastreq.padata, >+ val->padata_type, >+ val->padata_value.data, >+ val->padata_value.length); >+ if (ret) { >+ krb5_set_error_message(context, ret, >+ N_("malloc: out of memory", "")); >+ goto out; >+ } >+ val->padata_value.data = NULL; >+ val->padata_value.length = 0; >+ } >+ >+ /* >+ * Only TGS-REQ remaining >+ */ >+ req->padata->len = 1; >+ } >+ >+ if (req->padata == NULL) { > ALLOC(req->padata, 1); > if (req->padata == NULL) { > ret = krb5_enomem(context); 
>@@ -586,6 +641,27 @@ _krb5_fast_wrap_req(krb5_context context, > goto out; > krb5_data_zero(&data); > >+ if (readd_padata_to_outer) { >+ size_t i; >+ >+ for (i = 0; i < fastreq.padata.len; i++) { >+ PA_DATA *val = &fastreq.padata.val[i]; >+ >+ ret = krb5_padata_add(context, >+ req->padata, >+ val->padata_type, >+ val->padata_value.data, >+ val->padata_value.length); >+ if (ret) { >+ krb5_set_error_message(context, ret, >+ N_("malloc: out of memory", "")); >+ goto out; >+ } >+ val->padata_value.data = NULL; >+ val->padata_value.length = 0; >+ } >+ } >+ > out: > free_KrbFastReq(&fastreq); > free_PA_FX_FAST_REQUEST(&fxreq); >diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c >index ec757797866d..6e48846bcb3a 100644 >--- a/third_party/heimdal/lib/krb5/get_cred.c >+++ b/third_party/heimdal/lib/krb5/get_cred.c >@@ -239,20 +239,6 @@ init_tgs_req (krb5_context context, > if (ret) > goto fail; > } >- >- if (padata) { >- if (t->padata == NULL) { >- ALLOC(t->padata, 1); >- if (t->padata == NULL) { >- ret = krb5_enomem(context); >- goto fail; >- } >- } >- >- ret = copy_METHOD_DATA(padata, t->padata); >- if (ret) >- goto fail; >- } > > ret = krb5_auth_con_init(context, &ac); > if(ret) >@@ -278,6 +264,20 @@ init_tgs_req (krb5_context context, > if (ret) > goto fail; > >+ ret = make_pa_tgs_req(context, >+ &ac, >+ &t->req_body, >+ ccache, >+ krbtgt, >+ &tgs_req); >+ if(ret) >+ goto fail; >+ >+ /* >+ * Add KRB5_PADATA_TGS_REQ first >+ * followed by all others. >+ */ >+ > if (t->padata == NULL) { > ALLOC(t->padata, 1); > if (t->padata == NULL) { 
>@@ -286,15 +286,40 @@ init_tgs_req (krb5_context context, > } > } > >- ret = make_pa_tgs_req(context, >- &ac, >- &t->req_body, >- ccache, >- krbtgt, >- &tgs_req); >- if(ret) >+ ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ, >+ tgs_req.data, tgs_req.length); >+ if (ret) > goto fail; > >+ krb5_data_zero(&tgs_req); >+ >+ { >+ size_t i; >+ for (i = 0; i < padata->len; i++) { >+ const PA_DATA *val1 = &padata->val[i]; >+ PA_DATA val2; >+ >+ ret = copy_PA_DATA(val1, &val2); >+ if (ret) { >+ krb5_set_error_message(context, ret, >+ N_("malloc: out of memory", "")); >+ goto fail; >+ } >+ >+ ret = krb5_padata_add(context, t->padata, >+ val2.padata_type, >+ val2.padata_value.data, >+ val2.padata_value.length); >+ if (ret) { >+ free_PA_DATA(&val2); >+ >+ krb5_set_error_message(context, ret, >+ N_("malloc: out of memory", "")); >+ goto fail; >+ } >+ } >+ } >+ > if (state) { > state->armor_ac = ac; > ret = _krb5_fast_create_armor(context, state, NULL); >@@ -302,7 +327,7 @@ init_tgs_req (krb5_context context, > if (ret) > goto fail; > >- ret = _krb5_fast_wrap_req(context, state, &tgs_req, t); >+ ret = _krb5_fast_wrap_req(context, state, t); > if (ret) > goto fail; > >@@ -310,13 +335,6 @@ init_tgs_req (krb5_context context, > state->flags &= ~KRB5_FAST_EXPECTED; > } > >- ret = krb5_padata_add(context, t->padata, KRB5_PADATA_TGS_REQ, >- tgs_req.data, tgs_req.length); >- if (ret) >- goto fail; >- >- krb5_data_zero(&tgs_req); >- > ret = krb5_auth_con_getlocalsubkey(context, ac, subkey); > if (ret) > goto fail; >diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c >index e42fcf10bc17..4173837779b0 100644 >--- a/third_party/heimdal/lib/krb5/init_creds_pw.c >+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c >@@ -3394,7 +3394,6 @@ init_creds_step(krb5_context context, > > ret = _krb5_fast_wrap_req(context, > &ctx->fast_state, >- NULL, > &req2); > > krb5_data_free(&checksum_data); >-- >2.25.1 >
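Review bot: In the new selftest/knownfail.d/broken.no-fast (patch 4/5), the pattern `^samba4.blackbox.kinit_trust.Test.login.with.user.kerberos.ccache.fl2003dc` appears three times in a row, and so does its fl2000dc counterpart. The entries are regular expressions matched against test names, so one line each is enough. Two entries per environment also read `netr-bcd-aes` where their siblings read `netr-bdc-arcfour`; please confirm that spelling matches the real test name, because a knownfail pattern that matches nothing is silently ignored.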
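Review bot: In the source4/selftest/tests.py hunk (patch 4/5), the override `fast_support = 0` for fl2003dc repeats, in a second place, what the Samba4.pm hunks configure with `kdc enable fast = no`, and nothing ties the two together. A later environment that disables FAST would still run as_req_tests with FAST_SUPPORT set. Add a comment beside the override naming the smb.conf option, and write the test as `if env == "fl2003dc":` instead of a one-element list. Also confirm that the integer 0 has the same type as have_fast_support, since the neighbouring `'STRICT_CHECKING': '0'` is passed as a string.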
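Review bot: In the new TGS branch of _krb5_fast_wrap_req (fast.c, hunk at -523, patch 5/5), the caller contract is enforced only by heim_assert: `req->padata != NULL`, KRB5_PADATA_TGS_REQ present, and KRB5_PADATA_TGS_REQ at index 0. A caller that orders its padata differently aborts the process rather than receiving an error; setting ret and using `goto out` would be the safer behaviour for a library function. tgschecksum_data borrows tgs_req_ptr->padata_value instead of copying it, so the cleanup after `out:` must never free it, and a one-line comment saying so would guard against a later double free. The loop that follows moves buffers into fastreq.padata and clears the source pointers, but req->padata->len is reduced to 1 only after the loop, so an early `goto out` leaves the outer request with emptied entries; worth a note for callers. In the comment, "remaining once" should read "remaining ones".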
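Review bot: The readd_padata_to_outer block just before `out:` (fast.c, hunk at -586, patch 5/5) moves every fastreq.padata entry back into req->padata, but no comment says why the outer TGS-REQ has to carry them again; the earlier comment only says "remember to readd them later". Please state the reason here (the commit message points at KDCs without FAST support), because these elements end up in the outer request where the armor does not cover them, and the next reader needs to know that is deliberate. The error text "malloc: out of memory" is also set for any non-zero ret from krb5_padata_add, which will mislead if that function ever fails for another reason.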
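Review bot: In init_tgs_req (get_cred.c, hunk at -286, patch 5/5), the new loop reads `padata->len` unconditionally, while the block removed in the -239 hunk was guarded by `if (padata) {`. Unless every caller now passes a non-NULL METHOD_DATA, this is a NULL pointer dereference; keep the guard around the loop. On the success path val2 is not freed after krb5_padata_add, which is correct only because krb5_padata_add takes ownership of the buffer, so a short comment stating that would stop someone from "fixing" it into a double free.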
Flags: abartlet: review+