The Samba-Bugzilla – Attachment 17714 Details for Bug 15273: Heimdal KDC should only announce PA-Types it supports
[patch] 4.17 patches (has to go via lorikeet-heimdal and samba master first)
bfixes-tmp417.txt (text/plain), 3.24 KB, created by Stefan Metzmacher on 2022-12-30 12:43:15 UTC
>From 42d27600e070b22ceaf20d35128b0678f91bf146 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 29 Dec 2022 11:16:06 +0100 >Subject: [PATCH 1/3] HEIMDAL: kdc: don't announce KRB5_PADATA_FX_FAST unless > fast is enabled > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > third_party/heimdal/kdc/kerberos5.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c >index b089547f7851..f89951da707e 100644 >--- a/third_party/heimdal/kdc/kerberos5.c >+++ b/third_party/heimdal/kdc/kerberos5.c >@@ -2271,7 +2271,10 @@ add_enc_pa_rep(astgs_request_t r) > KRB5_PADATA_REQ_ENC_PA_REP, cdata.data, cdata.length); > if (ret) > return ret; >- >+ >+ if (!r->config->enable_fast) >+ return 0; >+ > return krb5_padata_add(r->context, r->ek.encrypted_pa_data, > KRB5_PADATA_FX_FAST, NULL, 0); > } >@@ -2586,6 +2589,8 @@ _kdc_as_rep(astgs_request_t r) > if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp) > continue; > } >+ if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast) >+ continue; > > ret = krb5_padata_add(r->context, r->rep.padata, > pat[n].type, NULL, 0); >-- >2.34.1 > > >From b5a91ca1c8eeb2fb892c79a24e9565af21decb62 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 29 Dec 2022 11:18:22 +0100 >Subject: [PATCH 2/3] HEIMDAL: kdc: don't announce KRB5_PADATA_PKINIT_KX unless > anonymous is allowed > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > third_party/heimdal/kdc/kerberos5.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c >index f89951da707e..3ff42244ffd8 100644 >--- a/third_party/heimdal/kdc/kerberos5.c >+++ b/third_party/heimdal/kdc/kerberos5.c 
>@@ -2583,6 +2583,8 @@ _kdc_as_rep(astgs_request_t r) > > if (!r->armor_crypto && (pat[n].flags & PA_REQ_FAST)) > continue; >+ if (pat[n].type == KRB5_PADATA_PKINIT_KX && !r->config->allow_anonymous) >+ continue; > if (pat[n].type == KRB5_PADATA_ENC_TIMESTAMP) { > if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp) > continue; >-- >2.34.1 > > >From 2b9bc6ea9642402eb2f284213286bdd9b170f7eb Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 29 Dec 2022 11:19:02 +0100 >Subject: [PATCH 3/3] HEIMDAL: kdc: don't announce KRB5_PADATA_GSS unless > gss_preauth is enabled > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15273 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > third_party/heimdal/kdc/kerberos5.c | 2 ++ > 1 file changed, 2 insertions(+) > >diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c >index 3ff42244ffd8..b35d272d3f3b 100644 >--- a/third_party/heimdal/kdc/kerberos5.c >+++ b/third_party/heimdal/kdc/kerberos5.c >@@ -2593,6 +2593,8 @@ _kdc_as_rep(astgs_request_t r) > } > if (pat[n].type == KRB5_PADATA_FX_FAST && !r->config->enable_fast) > continue; >+ if (pat[n].type == KRB5_PADATA_GSS && !r->config->enable_gss_preauth) >+ continue; > > ret = krb5_padata_add(r->context, r->rep.padata, > pat[n].type, NULL, 0); >-- >2.34.1 >
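Review bot: In PATCH 1/3, add_enc_pa_rep(), the new early return on !r->config->enable_fast is only correct because the KRB5_PADATA_FX_FAST entry is the last thing the function adds; anything appended after it later would be skipped silently when FAST is off. Wrapping the krb5_padata_add() call in if (r->config->enable_fast) and keeping a single return at the end would avoid that. The same hunk removes one blank line and adds another in its place, which looks like a whitespace-only change that should be dropped from the patch.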
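Review bot: In PATCH 1/3, _kdc_as_rep(), nothing verifies the new KRB5_PADATA_FX_FAST check: the diffstat touches only third_party/heimdal/kdc/kerberos5.c. A test that inspects the padata list built by this loop with enable_fast off, and asserts the type is absent, would pin the behaviour. The commit message also carries only the BUG link, so a sentence on why announcing the type without FAST enabled is a problem would help whoever backports this.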
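Review bot: In PATCH 2/3, _kdc_as_rep(), the KRB5_PADATA_PKINIT_KX check is placed before the KRB5_PADATA_ENC_TIMESTAMP block, while the KRB5_PADATA_FX_FAST check from 1/3 sits after it. Keeping the config-gated type checks together, either all before or all after the ENC_TIMESTAMP block, would let the full set of suppressed types be read in one place.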
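Review bot: In PATCH 3/3, _kdc_as_rep(), the KRB5_PADATA_GSS line is the third type-specific if ... continue added to this loop across the series, each pairing one pat[n].type with one r->config field. A small helper that takes the type and the config, or a per-entry field in pat[], would keep that mapping in one place, so a PA type added later is not announced unconditionally by omission.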