The branch, v4-6-test has been updated via d0c6802 Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData" via c190c37 Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()" via e1a5f80 Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key" via 542382a Revert "s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob" via fb65808 Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key" via 4afb9bd Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function" via cb60d1c Revert "s4:kdc: use the strongest possible tgs session key" via 0cd6906 Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers" via 89f27fa Revert "TODO s4:kdc: indicate support for new encryption types by adding empty keys" via 3a54a04 Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets" from 56a40ab samba: Only use async signal-safe functions in signal handler
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test - Log ----------------------------------------------------------------- commit d0c6802bd6f5be279b95858a6a6920a1745c32a8 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:23 2018 +0100 Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData" This reverts commit 678a7a32473b1f64421cd905b7d535878eb11cab. Autobuild-User(v4-6-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-6-test): Wed Feb 21 15:14:49 CET 2018 on sn-devel-144 commit c190c375403ec80c2c9b34f195c1c0fb6a172595 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:23 2018 +0100 Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()" This reverts commit e8988e614aaf269b24b072e483047bdcd80fef33. commit e1a5f808c571a8c0d66c5407f8327d4648045847 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:23 2018 +0100 Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key" This reverts commit ec57c13dc378d15dad98efd59e86bcc2775c5b0a. commit 542382aa2fba9ce43f77882963ccb13f84574a4f Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob" This reverts commit 2557d5c6235f7d24866163124fc254cfe81d3871. commit fb65808bb2d1daf5bbf56b59ac3d9501da101cb4 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key" This reverts commit 03484706e4ff546fc7fe41124d896e9f7840fe80. commit 4afb9bddeb074ecd3d8b3c704cfd91907f34c9fb Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function" This reverts commit 18d7cf191718b3a30165a43271e503cc07ca5b50. 
commit cb60d1c2175c32a4b3879d2c9e39a4760d17f78a Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "s4:kdc: use the strongest possible tgs session key" This reverts commit 9fdf175905efde803941a5876ce7e060013fc9a0. commit 0cd690617547366562fb1deed049f0c7ab129b3e Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers" This reverts commit fe146338f304a52f861777ada5774887fe0776e3. commit 89f27fab18020c5b236a684359a1172981528425 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "TODO s4:kdc: indicate support for new encryption types by adding empty keys" This reverts commit bf07697273017014516010475f79be3e59a2ce07. commit 3a54a0497315430501a13f6397f3e2889197158a Author: Karolin Seeger <ksee...@samba.org> Date: Wed Feb 21 10:15:22 2018 +0100 Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets" This reverts commit 9ecdf21e174ba7525b77035664428fbdcbf53690. ----------------------------------------------------------------------- Summary of changes: source4/heimdal/kdc/kerberos5.c | 20 ++--- source4/heimdal/kdc/krb5tgs.c | 127 ++++++++++++++--------------- source4/heimdal/lib/hdb/hdb.c | 30 +------ source4/heimdal/lib/hdb/version-script.map | 1 - source4/kdc/db-glue.c | 73 +---------------- source4/kdc/kdc-heimdal.c | 6 +- source4/kdc/pac-glue.c | 6 +- 7 files changed, 80 insertions(+), 183 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index c6ec65e..3282d5e 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c 
@@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, krb5_error_code ret; krb5_salt def_salt; krb5_enctype enctype = ETYPE_NULL; - Key *key = NULL; + Key *key; int i; /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */ @@ -159,34 +159,29 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, /* drive the search with local supported enctypes list */ p = krb5_kerberos_enctypes(context); - for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) { + for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) { if (krb5_enctype_valid(context, p[i]) != 0) continue; /* check that the client supports it too */ - for (j = 0; j < len && key == NULL; j++) { + for (j = 0; j < len && enctype == ETYPE_NULL; j++) { if (p[i] != etypes[j]) continue; /* save best of union of { client, crypto system } */ if (clientbest == ETYPE_NULL) clientbest = p[i]; - if (enctype == ETYPE_NULL) { - ret = hdb_enctype_supported(context, &princ->entry, p[i]); - if (ret == 0) { - enctype = p[i]; - } - } /* check target princ support */ ret = hdb_enctype2key(context, &princ->entry, p[i], &key); if (ret) continue; if (is_preauth && !is_default_salt_p(&def_salt, key)) continue; + enctype = p[i]; } } if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL) enctype = clientbest; - else if (key == NULL) + else if (enctype == ETYPE_NULL) ret = KRB5KDC_ERR_ETYPE_NOSUPP; if (ret == 0 && ret_enctype != NULL) *ret_enctype = enctype; @@ -327,6 +322,7 @@ krb5_error_code _kdc_encode_reply(krb5_context context, krb5_kdc_configuration *config, KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek, + krb5_enctype etype, int skvno, const EncryptionKey *skey, int ckvno, const EncryptionKey *reply_key, int rk_is_subkey, 
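Review bot: Dropping the `= NULL` initializer on `Key *key` in the -131 hunk reintroduces an indeterminate-pointer path in _kdc_find_etype: on the restored `clientbest` fallback (`enctype = clientbest` when no candidate survived `hdb_enctype2key` or the pre-auth salt check) `key` has never been assigned, because hdb_next_enctype2key (hdb.c hunk further down) leaves `*key` untouched on KRB5_PROG_ETYPE_NOSUPP, yet `ret` stays 0 and the function presumably still hands `key` back through its key out-parameter below the hunk. The tgs_build_reply caller in the -1705 hunk then does `ekey = &skey->key; etype = skey->key.keytype;` on whatever pointer it got. Keeping `Key *key = NULL;` is independent of the behaviour this series reverts and turns that case into a NULL dereference rather than a read of stack garbage, which is the safer failure in a KDC. The body of _kdc_find_etype starts before and ends after these hunks.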
@@ -353,7 +349,7 @@ _kdc_encode_reply(krb5_context context, return KRB5KRB_ERR_GENERIC; } - ret = krb5_crypto_init(context, skey, 0, &crypto); + ret = krb5_crypto_init(context, skey, etype, &crypto); if (ret) { const char *msg; free(buf); @@ -1724,7 +1720,7 @@ _kdc_as_rep(krb5_context context, log_as_req(context, config, reply_key->keytype, setype, b); ret = _kdc_encode_reply(context, config, - &rep, &et, &ek, server->entry.kvno, + &rep, &et, &ek, setype, server->entry.kvno, &skey->key, client->entry.kvno, reply_key, 0, &e_text, reply); free_EncTicketPart(&et); diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index e11ad52..a888788 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -725,7 +725,6 @@ tgs_make_reply(krb5_context context, KDC_REQ_BODY *b, krb5_const_principal tgt_name, const EncTicketPart *tgt, - const EncTicketPart *adtgt, const krb5_keyblock *replykey, int rk_is_subkey, const EncryptionKey *serverkey, @@ -759,7 +758,7 @@ tgs_make_reply(krb5_context context, rep.pvno = 5; rep.msg_type = krb_tgs_rep; - et.authtime = adtgt->authtime; + et.authtime = tgt->authtime; _kdc_fix_time(&b->till); et.endtime = min(tgt->endtime, *b->till); ALLOC(et.starttime); @@ -988,7 +987,7 @@ tgs_make_reply(krb5_context context, etype list, even if we don't want a session key with DES3? */ ret = _kdc_encode_reply(context, config, - &rep, &et, &ek, + &rep, &et, &ek, et.key.keytype, kvno, serverkey, 0, replykey, rk_is_subkey, e_text, reply); @@ -1160,6 +1159,7 @@ tgs_parse_request(krb5_context context, const struct sockaddr *from_addr, time_t **csec, int **cusec, + AuthorizationData **auth_data, krb5_keyblock **replykey, int *rk_is_subkey) { 
@@ -1170,11 +1170,14 @@ tgs_parse_request(krb5_context context, krb5_auth_context ac = NULL; krb5_flags ap_req_options; krb5_flags verify_ap_req_flags; + krb5_crypto crypto; Key *tkey; krb5_keyblock *subkey = NULL; + unsigned usage; krb5uint32 kvno = 0; krb5uint32 *kvno_ptr = NULL; + *auth_data = NULL; *csec = NULL; *cusec = NULL; *replykey = NULL; @@ -1325,6 +1328,7 @@ tgs_parse_request(krb5_context context, goto out; } + usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; *rk_is_subkey = 1; ret = krb5_auth_con_getremotesubkey(context, ac, &subkey); @@ -1336,6 +1340,7 @@ tgs_parse_request(krb5_context context, goto out; } if(subkey == NULL){ + usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; *rk_is_subkey = 0; ret = krb5_auth_con_getkey(context, ac, &subkey); @@ -1357,6 +1362,47 @@ tgs_parse_request(krb5_context context, *replykey = subkey; + if (b->enc_authorization_data) { + krb5_data ad; + + ret = krb5_crypto_init(context, subkey, 0, &crypto); + if (ret) { + const char *msg = krb5_get_error_message(context, ret); + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); + krb5_free_error_message(context, msg); + goto out; + } + ret = krb5_decrypt_EncryptedData (context, + crypto, + usage, + b->enc_authorization_data, + &ad); + krb5_crypto_destroy(context, crypto); + if(ret){ + krb5_auth_con_free(context, ac); + kdc_log(context, config, 0, + "Failed to decrypt enc-authorization-data"); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + ALLOC(*auth_data); + if (*auth_data == NULL) { + krb5_auth_con_free(context, ac); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL); + if(ret){ + krb5_auth_con_free(context, ac); + free(*auth_data); + *auth_data = NULL; + kdc_log(context, config, 0, "Failed to decode authorization data"); + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ + goto out; + } + } + krb5_auth_con_free(context, ac); out: 
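Review bot: The restored enc-authorization-data block in tgs_parse_request never releases the decrypted buffer: `ad` is filled by `krb5_decrypt_EncryptedData` but there is no `krb5_data_free(&ad)` after `decode_AuthorizationData`, nor on the `ALLOC(*auth_data)` failure path, so every TGS-REQ that carries authorization data leaks its plaintext copy inside the KDC process (the block being removed from tgs_build_reply in the -2145 hunk of this file had both frees). Reverting 678a7a32 at the top of this series drops that fix deliberately; if the rest of the series has to go, the two frees could still be kept as a standalone change by adding `krb5_data_free(&ad);` directly after the `decode_AuthorizationData` call and before the `goto out` in the ALLOC failure branch. The enclosing tgs_parse_request body starts before this hunk and continues past `out:`.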
@@ -1454,6 +1500,7 @@ tgs_build_reply(krb5_context context, krb5_data *reply, const char *from, const char **e_text, + AuthorizationData **auth_data, const struct sockaddr *from_addr) { krb5_error_code ret; @@ -1469,9 +1516,6 @@ tgs_build_reply(krb5_context context, krb5_keyblock sessionkey; krb5_kvno kvno; krb5_data rspac; - AuthorizationData *auth_data = NULL; - const EncryptionKey *auth_data_key = replykey; - unsigned auth_data_usage; hdb_entry_ex *krbtgt_out = NULL; @@ -1481,7 +1525,6 @@ tgs_build_reply(krb5_context context, Realm r; int nloop = 0; EncTicketPart adtkt; - EncTicketPart *adtgt = tgt; char opt_str[128]; int signedpath = 0; @@ -1497,12 +1540,6 @@ tgs_build_reply(krb5_context context, s = b->sname; r = b->realm; - if (rk_is_subkey != 0) { - auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY; - } else { - auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION; - } - if (b->kdc_options.canonicalize) flags |= HDB_F_CANON; @@ -1705,7 +1742,7 @@ server_lookup: ret = _kdc_find_etype(context, config->tgs_use_strongest_session_key, FALSE, - server, b->etype.val, b->etype.len, &etype, + server, b->etype.val, b->etype.len, NULL, &skey); if(ret) { kdc_log(context, config, 0, @@ -1713,6 +1750,7 @@ server_lookup: goto out; } ekey = &skey->key; + etype = skey->key.keytype; kvno = server->entry.kvno; } 
@@ -2145,55 +2183,10 @@ server_lookup: goto out; } - if (rk_is_subkey == 0) { - auth_data_key = &adtkt.key; - } - adtgt = &adtkt; kdc_log(context, config, 0, "constrained delegation for %s " "from %s (%s) to %s", tpn, cpn, dpn, spn); } - if (b->enc_authorization_data) { - krb5_data ad; - krb5_crypto crypto; - - ret = krb5_crypto_init(context, auth_data_key, 0, &crypto); - if (ret) { - const char *msg = krb5_get_error_message(context, ret); - kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg); - krb5_free_error_message(context, msg); - goto out; - } - - ret = krb5_decrypt_EncryptedData (context, - crypto, - auth_data_usage, - b->enc_authorization_data, - &ad); - krb5_crypto_destroy(context, crypto); - if(ret){ - kdc_log(context, config, 0, - "Failed to decrypt enc-authorization-data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out; - } - ALLOC(auth_data); - if (auth_data == NULL) { - krb5_data_free(&ad); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out; - } - ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL); - krb5_data_free(&ad); - if(ret){ - free(auth_data); - auth_data = NULL; - kdc_log(context, config, 0, "Failed to decode authorization data"); - ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */ - goto out; - } - } - /* * Check flags */ @@ -2264,13 +2257,12 @@ server_lookup: b, tp, tgt, - adtgt, replykey, rk_is_subkey, ekey, &sessionkey, kvno, - auth_data, + *auth_data, server, server->entry.principal, spn, @@ -2315,11 +2307,6 @@ out: free(ref_realm); free_METHOD_DATA(&enc_pa_data); - if (auth_data) { - free_AuthorizationData(auth_data); - free(auth_data); - } - free_EncTicketPart(&adtkt); return ret; @@ -2338,6 +2325,7 @@ _kdc_tgs_rep(krb5_context context, struct sockaddr *from_addr, int datagram_reply) { + AuthorizationData *auth_data = NULL; krb5_error_code ret; int i = 0; const PA_DATA *tgs_req; 
@@ -2376,6 +2364,7 @@ _kdc_tgs_rep(krb5_context context, &e_text, from, from_addr, &csec, &cusec, + &auth_data, &replykey, &rk_is_subkey); if (ret == HDB_ERR_NOT_FOUND_HERE) { @@ -2400,6 +2389,7 @@ _kdc_tgs_rep(krb5_context context, data, from, &e_text, + &auth_data, from_addr); if (ret) { kdc_log(context, config, 0, @@ -2436,5 +2426,10 @@ out: if(krbtgt) _kdc_free_ent(context, krbtgt); + if (auth_data) { + free_AuthorizationData(auth_data); + free(auth_data); + } + return ret; } diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c index 4c8df93..5dc5a09 100644 --- a/source4/heimdal/lib/hdb/hdb.c +++ b/source4/heimdal/lib/hdb/hdb.c @@ -93,12 +93,11 @@ static struct hdb_method dbmetod = #endif -static krb5_error_code -_hdb_next_enctype2key(krb5_context context, +krb5_error_code +hdb_next_enctype2key(krb5_context context, const hdb_entry *e, krb5_enctype enctype, - Key **key, - bool require_key) + Key **key) { Key *k; @@ -106,10 +105,6 @@ _hdb_next_enctype2key(krb5_context context, k < e->keys.val + e->keys.len; k++) { - if (require_key && k->key.keyvalue.length == 0) { - continue; - } - if(k->key.keytype == enctype){ *key = k; return 0; @@ -121,16 +116,6 @@ _hdb_next_enctype2key(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; /* XXX */ } - -krb5_error_code -hdb_next_enctype2key(krb5_context context, - const hdb_entry *e, - krb5_enctype enctype, - Key **key) -{ - return _hdb_next_enctype2key(context, e, enctype, key, true); -} - krb5_error_code hdb_enctype2key(krb5_context context, hdb_entry *e, @@ -141,15 +126,6 @@ hdb_enctype2key(krb5_context context, return hdb_next_enctype2key(context, e, enctype, key); } -krb5_error_code -hdb_enctype_supported(krb5_context context, - hdb_entry *e, - krb5_enctype enctype) -{ - Key *key = NULL; - return _hdb_next_enctype2key(context, e, enctype, &key, false); -} - void hdb_free_key(Key *key) { 
diff --git a/source4/heimdal/lib/hdb/version-script.map b/source4/heimdal/lib/hdb/version-script.map index c4bd8f4..f80fb78 100644 --- a/source4/heimdal/lib/hdb/version-script.map +++ b/source4/heimdal/lib/hdb/version-script.map @@ -20,7 +20,6 @@ HEIMDAL_HDB_1.0 { hdb_dbinfo_get_realm; hdb_default_db; hdb_enctype2key; - hdb_enctype_supported; hdb_entry2string; hdb_entry2value; hdb_entry_alias2value; diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index bfd940c..bf55bef 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -267,7 +267,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, bool is_rodc, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type, - unsigned flags, struct sdb_entry_ex *entry_ex) { krb5_error_code ret = 0; @@ -288,38 +287,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", 0); - uint32_t new_session_enctypes = 0; - const krb5_enctype newer_enctypes[] = { - ENCTYPE_AES256_CTS_HMAC_SHA1_96, - ENCTYPE_AES128_CTS_HMAC_SHA1_96, - }; - - switch (ent_type) { - case SAMBA_KDC_ENT_TYPE_CLIENT: - case SAMBA_KDC_ENT_TYPE_ANY: - break; - case SAMBA_KDC_ENT_TYPE_SERVER: - case SAMBA_KDC_ENT_TYPE_KRBTGT: - case SAMBA_KDC_ENT_TYPE_TRUST: - if (flags & (SDB_F_FOR_AS_REQ|SDB_F_FOR_TGS_REQ)) { - /* - * We should indicate support for new encryption - * types (for session keys) via empty keyvalues, - * in case we don't have stored keys for such encryption - * types. - */ - new_session_enctypes = supported_enctypes; - } - break; - } - - if (userAccountControl & UF_NORMAL_ACCOUNT) { - supported_enctypes = 0; - } - if (supported_enctypes == 0) { - /* Otherwise, add in the default enc types */ - supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; - } if (rid == DOMAIN_RID_KRBTGT || is_rodc) { /* KDCs (and KDCs on RODCs) use AES */ 
@@ -341,7 +308,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ if (userAccountControl & UF_USE_DES_KEY_ONLY) { supported_enctypes = ENC_CRC32|ENC_RSA_MD5; -- Samba Shared Repository