‘r->error_code’ might have been set earlier, and we don’t want to
overwrite it with a successful error code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If ‘r->error_code’ was zero, we would turn it into an ERR_GENERIC error
and return that to the client. Now we return the actual error code
instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
There are a few reasons that this function could fail (e.g., failure to
allocate memory) besides random number generation being unavailable. No
other caller abort()s on failure like this.
Furthermore, krb5_generate_random_block(), which is called by
krb5_generate_random_keyblock(), already aborts if random generation
fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Excluded: libtomath and libedit files, most of which appear to be
testing or example code not involved in production, and which are
derived from an upstream that should perhaps have patches submitted
upstream instead.
fix https://github.com/heimdal/heimdal/issues/1111
This reverts commit a9c0b8f264.
From Joseph Sutton:
> I found that this commit would result in `KRB5KRB_AP_ERR_BAD_INTEGRITY`
> errors in Samba whenever explicit FAST armor was present. Reverting the
> commit made FAST work again.
> It should be safe to use `tgs_ac` here, since it will always be non-NULL if
> `r->explicit_armor_present` is true. Maybe a local variable
> `explicit_armor_present` (which would be assigned to
> `r->explicit_armor_present` before the function returns successfully) would
> help a static analyser to deduce that its value doesn't change within the
> function, and that `tgs_ac != NULL` still holds.
a9c0b8f264 (commitcomment-95581208)
We have a CSR authorizer plugin for calling to an IPC service.
In this commit we add test implementation of such a service.
We also remove the simple_csr_authorizer plugin and fold its
functionality into the new test_csr_authorizer functionality.
We use the CSR authorizer system for /get-tgt and /get-tgts because,
well, the CSR authorizer system knows how to deal with principal names
("PKINIT SANs").
The caller of the /get-tgts end-point is a batch API that is meant for
super-user clients that implement orchestration for automation. For
this end-point it's important to be able to return TGTs for just the
requested principals that are authorized rather than fail the whole
request because one principal isn't. A principal might be rejected by
the authorizer if, for example, it's not meant to exist, and that might
be desirable because "synthetic" HDB entries might be configured, and we
might not want principals that don't exist to appear to exist for such
an orchestration service.
The hx509 CSR related functions allow one to mark specific requested
EKUs and SANs as authorized or not. Until now we have simply rejected
all requests that don't have all attributes approved, but for /get-tgts
we need partial request approval. This commit implements partial
request approval for the /get-tgts end-point.
Heimdal's HDB plugin interface, and hence Samba's KDC that depends upon
it, doesn't work on 32-bit builds due to structure fields being arranged
in the wrong order. This problem presents itself in the form of
segmentation faults on 32-bit systems, but goes unnoticed on 64-bit
builds thanks to extra structure padding absorbing the errant fields.
This commit reorders the HDB plugin structure fields to prevent crashes
and introduces a common macro to ensure every plugin presents a
consistent interface.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15110
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This is needed when a service provides support for newer entry.etypes
without having a key for that encryption type yet.
It is triggered with svc_use_strongest_session_key=TRUE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
In order to support batch jobs systems that run many users' jobs and
which jobs need credentials, we add a /get-tgts end-point that is a
batched version of the /get-tgt end-point. This end-point returns JSON.
Also, we make GETs optional, default to not-allowed in preference of
POSTs.
We also correct handling of POST (before POSTs with non-zero-length bodies
would cause the server to close the connection), and add additional CSRF
protection features, including the ability to disable all GET requests
for /get-keys and /get-config.
