Joseph Sutton
b90b219ab8
krb5: CVE-2022-42898 PAC parse integer overflows
...
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Heavily edited by committer Nico Williams <nico@twosigma.com >, original by
Joseph Sutton <josephsutton@catalyst.net.nz >.
Signed-off-by: Nico Williams <nico@twosigma.com >
2022-11-15 17:51:45 -06:00
Luke Howard
f7964251ff
kdc: support for PAC_ATTRIBUTES_INFO
...
Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user
explicitly requested a PAC be present or absent.
Note: this changes the windc plugin ABI.
2021-12-22 10:36:26 +11:00
Luke Howard
0ab3b7b2dd
krb5: support for canonical name in PAC
...
If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal
name, use it in lieu of the ticket client name to determine the GSS-API
initiator name.
2021-12-22 10:36:26 +11:00
Joseph Sutton
814e58fda8
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
...
This lets us call it from Samba.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
[abartlet@samba.org Similar to Samba commit 3bdce12789af1e7a7aba56691f184625a432410d
but also fixed for caller in Heimdal windc plugin tests]
2021-12-14 13:44:01 +11:00
Luke Howard
2acc4508d9
krb5: fix test_pac format string
...
Don't pass a potentially (although in reality, not) untrusted string to
krb5_err(); cleanup error handling.
2021-09-19 14:01:51 +10:00
Isaac Boukris
6c339fd5a5
krb5: add pac ticket-signature unit tests
2021-09-19 13:25:34 +10:00
Isaac Boukris
2ffaba9401
kdc: sign ticket using Windows PAC
...
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes : #767
2021-09-19 13:25:27 +10:00
Love Hornquist Astrand
0879b9831a
remove trailing whitespace
2011-05-21 11:57:31 -07:00
Love Hornquist Astrand
55c4979df2
Now pac from christian passes since we make hmac checksums always use the raw key
2010-11-06 20:23:49 +01:00
Love Hornquist Astrand
76cf97e2b0
free pac after reading it
2009-09-21 09:59:38 -07:00
Love Hornquist Astrand
f5a7b42db6
Don't parse realm for names, makes test pass for hosts w/o default realm
2009-09-19 13:43:58 -07:00
Love Hörnquist Åstrand
47ebb62930
Release p2, valgrind output from Andrew Bartlett
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25280 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-06-08 21:57:45 +00:00
Love Hörnquist Åstrand
942a821fab
remove RCSID
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25171 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-05-04 06:17:40 +00:00
Love Hörnquist Åstrand
953cf8b43e
make new pac test fail
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24061 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-12-11 04:51:08 +00:00
Love Hörnquist Åstrand
ccfd154900
test pac from christian
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24038 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-11-12 04:20:24 +00:00
Love Hörnquist Åstrand
6937d41a02
remove trailing whitespace
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898
switch to utf8 encoding of all files
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
743ccd85cf
make work with cpp again, reported by Hai Zaar
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21934 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-08-27 14:21:04 +00:00
Love Hörnquist Åstrand
e73b363f90
plug memory leaks.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20844 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-06-03 14:31:01 +00:00
Love Hörnquist Åstrand
390ccdaa8a
Use more interesting data to cause more errors.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19845 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-11 10:42:54 +00:00
Love Hörnquist Åstrand
191c1f4ffa
move around to code test on real PAC.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19784 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-09 11:25:09 +00:00
Love Hörnquist Åstrand
fe73261177
Test more PAC (note that the values used in this test is wrong, they
...
have to be fixed when the pac code is fixed).
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19782 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-09 11:09:13 +00:00
Love Hörnquist Åstrand
4e6e594fc6
export some more pac functions.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19670 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-04 11:00:52 +00:00
Love Hörnquist Åstrand
150c794a7c
add comments, fix pac_get_types test
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19621 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-02 12:49:11 +00:00
Love Hörnquist Åstrand
a253f3b44c
test krb5_pac_get_types
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19620 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-02 12:43:11 +00:00
Love Hörnquist Åstrand
c8c330e163
test Add/remove pac buffer functions.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19618 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-01-02 12:19:35 +00:00
Love Hörnquist Åstrand
cffffb6192
Test signing.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18993 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-11-12 08:38:10 +00:00
Love Hörnquist Åstrand
7eaec81548
PAC testing.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18989 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-11-10 07:47:04 +00:00