From fd75c3e23ccaa560380043703273cd33cccf9db1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 3 Mar 2022 18:02:35 +0100
Subject: [PATCH] lib/krb5: let krb5_init_creds_step() return an out_realm
This matches krb5_init_creds_step() from MIT. The only difference is the type 'krb5_realm' (Heimdal) vs. 'krb5_data' (MIT).
krb5_error_code KRB5_CALLCONV krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, krb5_data *in, krb5_data *out, krb5_data *realm, unsigned int *flags);
NOTE: commit 1cdc9d5f3cff0288846c29c35ee91b6056a2e2bb "krb5: export krb5_init_creds_step()" exported krb5_init_creds_step() the first time, but that's not in any released version, so it should be fine to fix up the prototype in order to make the function actually useful for external callers.
Signed-off-by: Stefan Metzmacher
---
 lib/krb5/fast.c | 7 +++++--
 lib/krb5/init_creds_pw.c | 26 +++++++++++++++++++-------
 2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/lib/krb5/fast.c b/lib/krb5/fast.c
index 5b49c1be7..5e4875c6c 100644
--- a/lib/krb5/fast.c
+++ b/lib/krb5/fast.c
@@ -856,7 +856,7 @@ _krb5_fast_anon_pkinit_step(krb5_context context,
 struct krb5_fast_state *state,
 krb5_data *in,
 krb5_data *out,
- const void *_unused,
+ krb5_realm *out_realm,
 unsigned int *flags)
 {
 krb5_error_code ret;
@@ -867,6 +867,9 @@ _krb5_fast_anon_pkinit_step(krb5_context context,
 krb5_creds cred;
 krb5_data data = { 3, rk_UNCONST("yes") };
+ krb5_data_zero(out);
+ *out_realm = NULL;
+
 memset(&cred, 0, sizeof(cred));
 if (state->anon_pkinit_opt == NULL) {
@@ -902,7 +905,7 @@ _krb5_fast_anon_pkinit_step(krb5_context context,
 anon_pk_ctx = state->anon_pkinit_ctx;
- ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, NULL, flags);
+ ret = krb5_init_creds_step(context, anon_pk_ctx, in, out, out_realm, flags);
 if (ret || (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
 goto out;
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 4985d709b..25767e31f 100644
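Review bot: `*out_realm = NULL;` at the top of _krb5_fast_anon_pkinit_step() (hunk at -867) writes through the new parameter without checking it, and the same store is added on entry to init_creds_step() and krb5_init_creds_step() in lib/krb5/init_creds_pw.c. Until this commit that slot was `const void *_unused` and every call site in the patch passed NULL, so a caller that is not updated in step now faults on entry instead of getting an error code. The commit message says the earlier prototype never shipped in a release, so this is a hardening point rather than a regression: either reject it once in the exported krb5_init_creds_step() with `if (out_realm == NULL) return EINVAL;` before the first store, or state in the doc comment that the pointer must be non-NULL. The function body continues outside the hunk.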
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -2966,7 +2966,7 @@ init_creds_step(krb5_context context,
 krb5_init_creds_context ctx,
 krb5_data *in,
 krb5_data *out,
- const void *_unused,
+ krb5_realm *out_realm,
 unsigned int *flags)
 {
 struct timeval start_time, end_time;
@@ -2979,6 +2979,7 @@ init_creds_step(krb5_context context,
 gettimeofday(&start_time, NULL);
 krb5_data_zero(out);
+ *out_realm = NULL;
 krb5_data_zero(&checksum_data);
 if (ctx->as_req.req_body.cname == NULL) {
@@ -3417,6 +3418,13 @@ init_creds_step(krb5_context context,
 if (ret)
 goto out;
+ *out_realm = strdup(ctx->cred.client->realm);
+ if (*out_realm == NULL) {
+ krb5_data_free(out);
+ ret = ENOMEM;
+ goto out;
+ }
+
 *flags = KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
 gettimeofday(&end_time, NULL);
@@ -3439,6 +3447,7 @@ init_creds_step(krb5_context context,
 * @param ctx ctx krb5_init_creds_context context.
 * @param in input data from KDC, first round it should be reset by krb5_data_zero().
 * @param out reply to KDC. The caller needs to call krb5_data_free()
+ * @param out_realm the destination realm for 'out', free with krb5_xfree()
 * @param flags status of the round, if
 * KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
 *
@@ -3453,18 +3462,20 @@ krb5_init_creds_step(krb5_context context,
 krb5_init_creds_context ctx,
 krb5_data *in,
 krb5_data *out,
- const void *_unused,
+ krb5_realm *out_realm,
 unsigned int *flags)
 {
 krb5_error_code ret;
 krb5_data empty;
 krb5_data_zero(&empty);
+ krb5_data_zero(out);
+ *out_realm = NULL;
 if ((ctx->fast_state.flags & KRB5_FAST_ANON_PKINIT_ARMOR) &&
 ctx->fast_state.armor_ccache == NULL) {
 ret = _krb5_fast_anon_pkinit_step(context, ctx, &ctx->fast_state,
- in, out, NULL, flags);
+ in, out, out_realm, flags);
 if (ret && (ctx->fast_state.flags & KRB5_FAST_OPTIMISTIC)) {
 _krb5_debug(context, 5, "Preauth failed with optimistic "
 "FAST, trying w/o FAST");
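Review bot: The allocation-failure branch after `strdup()` in init_creds_step() (hunk at -3417) sets `ret = ENOMEM;` without recording an error message in the context. Heimdal's `krb5_enomem(context)` helper does both, so `ret = krb5_enomem(context);` would be the more consistent form if the rest of this file already reports out-of-memory that way, which is not visible from the hunk. The branch also reads `ctx->cred.client->realm` without a check; the call removed from krb5_init_creds_get() made the same assumption, so behaviour is unchanged, but a short comment such as `/* client principal is always set once the request has been built */` would record why that is safe. The `out:` label and the rest of the function are outside the hunk.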
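Review bot: The new `@param out_realm` line (hunk at -3439) names the release function but not when the value is valid or who owns it. As far as the visible hunks show, `*out_realm` is reset to NULL on entry and only filled, with a fresh copy, immediately before KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, so the caller receives a new string every round and NULL otherwise. I would extend the line to say so, for example `@param out_realm set to the realm 'out' must be sent to when KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is returned, NULL otherwise; must not be a NULL pointer; free after each round with krb5_xfree()`. The comment block starts and ends outside the hunk.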
@@ -3478,7 +3489,7 @@ krb5_init_creds_step(krb5_context context,
 in = ∅
 }
- return init_creds_step(context, ctx, in, out, NULL, flags);
+ return init_creds_step(context, ctx, in, out, out_realm, flags);
 }
 /**
@@ -3690,9 +3701,10 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
 while (1) {
 struct timeval nstart, nend;
+ krb5_realm realm = NULL;
 flags = 0;
- ret = krb5_init_creds_step(context, ctx, &in, &out, NULL, &flags);
+ ret = krb5_init_creds_step(context, ctx, &in, &out, &realm, &flags);
 krb5_data_free(&in);
 if (ret)
 goto out;
@@ -3702,9 +3714,9 @@ krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)
 gettimeofday(&nstart, NULL);
- ret = krb5_sendto_context (context, stctx, &out, realm, &in);
- ctx->cred.client->realm, &in);
+ ret = krb5_sendto_context (context, stctx, &out, realm, &in);
 krb5_data_free(&out);
+ free(realm);
 if (ret)
 goto out;
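Review bot: In krb5_init_creds_get() `realm` is released only by the `free(realm);` that follows krb5_sendto_context() (hunk at -3702); the `if (ret) goto out;` right after krb5_init_creds_step() in the hunk at -3690, and whatever exit sits between the two hunks, leave the loop without freeing it. That is safe only while the step function never hands back a realm together with an error or without the CONTINUE flag, which appears to hold for init_creds_step() but cannot be confirmed for the anonymous-PKINIT path from these hunks. Since free(NULL) is a no-op, `if (ret) { free(realm); goto out; }` (and the same on the non-CONTINUE exit) would make the loop independent of that invariant. The doc comment added in this commit tells callers to use krb5_xfree() while this caller uses free(); the two are presumably equivalent inside the library, but using the documented call here would keep the in-tree example consistent. The loop body continues outside both hunks.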