The branch, v4-6-test has been updated
via d0c6802 Revert "HEIMDAL:kdc: fix memory leak when decryption
AuthorizationData"
via c190c37 Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in
tgs_build_reply()"
via e1a5f80 Revert "HEIMDAL:kdc: if we don't have an authenticator
subkey for S4U2Proxy we need to use the additional tickets key"
via 542382a Revert "s4:kdc: fix the principal names in
samba_kdc_update_delegation_info_blob"
via fb65808 Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the
encryption type based on the server key"
via 4afb9bd Revert "HEIMDAL:hdb: export a hdb_enctype_supported()
helper function"
via cb60d1c Revert "s4:kdc: use the strongest possible tgs session key"
via 0cd6906 Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on
computers"
via 89f27fa Revert "TODO s4:kdc: indicate support for new encryption
types by adding empty keys"
via 3a54a04 Revert "HEIMDAL:kdc: use the correct authtime from
addtitional ticket for S4U2Proxy tickets"
from 56a40ab samba: Only use async signal-safe functions in signal
handler
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
- Log -----------------------------------------------------------------
commit d0c6802bd6f5be279b95858a6a6920a1745c32a8
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:23 2018 +0100
Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData"
This reverts commit 678a7a32473b1f64421cd905b7d535878eb11cab.
Autobuild-User(v4-6-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-6-test): Wed Feb 21 15:14:49 CET 2018 on sn-devel-144
commit c190c375403ec80c2c9b34f195c1c0fb6a172595
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:23 2018 +0100
Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()"
This reverts commit e8988e614aaf269b24b072e483047bdcd80fef33.
commit e1a5f808c571a8c0d66c5407f8327d4648045847
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:23 2018 +0100
Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy
we need to use the additional tickets key"
This reverts commit ec57c13dc378d15dad98efd59e86bcc2775c5b0a.
commit 542382aa2fba9ce43f77882963ccb13f84574a4f
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "s4:kdc: fix the principal names in
samba_kdc_update_delegation_info_blob"
This reverts commit 2557d5c6235f7d24866163124fc254cfe81d3871.
commit fb65808bb2d1daf5bbf56b59ac3d9501da101cb4
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based
on the server key"
This reverts commit 03484706e4ff546fc7fe41124d896e9f7840fe80.
commit 4afb9bddeb074ecd3d8b3c704cfd91907f34c9fb
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function"
This reverts commit 18d7cf191718b3a30165a43271e503cc07ca5b50.
commit cb60d1c2175c32a4b3879d2c9e39a4760d17f78a
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "s4:kdc: use the strongest possible tgs session key"
This reverts commit 9fdf175905efde803941a5876ce7e060013fc9a0.
commit 0cd690617547366562fb1deed049f0c7ab129b3e
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers"
This reverts commit fe146338f304a52f861777ada5774887fe0776e3.
commit 89f27fab18020c5b236a684359a1172981528425
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "TODO s4:kdc: indicate support for new encryption types by adding
empty keys"
This reverts commit bf07697273017014516010475f79be3e59a2ce07.
commit 3a54a0497315430501a13f6397f3e2889197158a
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Feb 21 10:15:22 2018 +0100
Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for
S4U2Proxy tickets"
This reverts commit 9ecdf21e174ba7525b77035664428fbdcbf53690.
-----------------------------------------------------------------------
Summary of changes:
source4/heimdal/kdc/kerberos5.c | 20 ++---
source4/heimdal/kdc/krb5tgs.c | 127 ++++++++++++++---------------
source4/heimdal/lib/hdb/hdb.c | 30 +------
source4/heimdal/lib/hdb/version-script.map | 1 -
source4/kdc/db-glue.c | 73 +----------------
source4/kdc/kdc-heimdal.c | 6 +-
source4/kdc/pac-glue.c | 6 +-
7 files changed, 80 insertions(+), 183 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c6ec65e..3282d5e 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean
use_strongest_session_key,
krb5_error_code ret;
krb5_salt def_salt;
krb5_enctype enctype = ETYPE_NULL;
- Key *key = NULL;
+ Key *key;
int i;
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
@@ -159,34 +159,29 @@ _kdc_find_etype(krb5_context context, krb5_boolean
use_strongest_session_key,
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
- for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
+ for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check that the client supports it too */
- for (j = 0; j < len && key == NULL; j++) {
+ for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
if (p[i] != etypes[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
- if (enctype == ETYPE_NULL) {
- ret = hdb_enctype_supported(context, &princ->entry, p[i]);
- if (ret == 0) {
- enctype = p[i];
- }
- }
/* check target princ support */
ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
if (ret)
continue;
if (is_preauth && !is_default_salt_p(&def_salt, key))
continue;
+ enctype = p[i];
}
}
if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
enctype = clientbest;
- else if (key == NULL)
+ else if (enctype == ETYPE_NULL)
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (ret == 0 && ret_enctype != NULL)
*ret_enctype = enctype;
@@ -327,6 +322,7 @@ krb5_error_code
_kdc_encode_reply(krb5_context context,
krb5_kdc_configuration *config,
KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
+ krb5_enctype etype,
int skvno, const EncryptionKey *skey,
int ckvno, const EncryptionKey *reply_key,
int rk_is_subkey,
@@ -353,7 +349,7 @@ _kdc_encode_reply(krb5_context context,
return KRB5KRB_ERR_GENERIC;
}
- ret = krb5_crypto_init(context, skey, 0, &crypto);
+ ret = krb5_crypto_init(context, skey, etype, &crypto);
if (ret) {
const char *msg;
free(buf);
@@ -1724,7 +1720,7 @@ _kdc_as_rep(krb5_context context,
log_as_req(context, config, reply_key->keytype, setype, b);
ret = _kdc_encode_reply(context, config,
- &rep, &et, &ek, server->entry.kvno,
+ &rep, &et, &ek, setype, server->entry.kvno,
&skey->key, client->entry.kvno,
reply_key, 0, &e_text, reply);
free_EncTicketPart(&et);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index e11ad52..a888788 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -725,7 +725,6 @@ tgs_make_reply(krb5_context context,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
- const EncTicketPart *adtgt,
const krb5_keyblock *replykey,
int rk_is_subkey,
const EncryptionKey *serverkey,
@@ -759,7 +758,7 @@ tgs_make_reply(krb5_context context,
rep.pvno = 5;
rep.msg_type = krb_tgs_rep;
- et.authtime = adtgt->authtime;
+ et.authtime = tgt->authtime;
_kdc_fix_time(&b->till);
et.endtime = min(tgt->endtime, *b->till);
ALLOC(et.starttime);
@@ -988,7 +987,7 @@ tgs_make_reply(krb5_context context,
etype list, even if we don't want a session key with
DES3? */
ret = _kdc_encode_reply(context, config,
- &rep, &et, &ek,
+ &rep, &et, &ek, et.key.keytype,
kvno,
serverkey, 0, replykey, rk_is_subkey,
e_text, reply);
@@ -1160,6 +1159,7 @@ tgs_parse_request(krb5_context context,
const struct sockaddr *from_addr,
time_t **csec,
int **cusec,
+ AuthorizationData **auth_data,
krb5_keyblock **replykey,
int *rk_is_subkey)
{
@@ -1170,11 +1170,14 @@ tgs_parse_request(krb5_context context,
krb5_auth_context ac = NULL;
krb5_flags ap_req_options;
krb5_flags verify_ap_req_flags;
+ krb5_crypto crypto;
Key *tkey;
krb5_keyblock *subkey = NULL;
+ unsigned usage;
krb5uint32 kvno = 0;
krb5uint32 *kvno_ptr = NULL;
+ *auth_data = NULL;
*csec = NULL;
*cusec = NULL;
*replykey = NULL;
@@ -1325,6 +1328,7 @@ tgs_parse_request(krb5_context context,
goto out;
}
+ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
*rk_is_subkey = 1;
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
@@ -1336,6 +1340,7 @@ tgs_parse_request(krb5_context context,
goto out;
}
if(subkey == NULL){
+ usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
*rk_is_subkey = 0;
ret = krb5_auth_con_getkey(context, ac, &subkey);
@@ -1357,6 +1362,47 @@ tgs_parse_request(krb5_context context,
*replykey = subkey;
+ if (b->enc_authorization_data) {
+ krb5_data ad;
+
+ ret = krb5_crypto_init(context, subkey, 0, &crypto);
+ if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+ krb5_auth_con_free(context, ac);
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
+ goto out;
+ }
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ usage,
+ b->enc_authorization_data,
+ &ad);
+ krb5_crypto_destroy(context, crypto);
+ if(ret){
+ krb5_auth_con_free(context, ac);
+ kdc_log(context, config, 0,
+ "Failed to decrypt enc-authorization-data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ ALLOC(*auth_data);
+ if (*auth_data == NULL) {
+ krb5_auth_con_free(context, ac);
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
+ if(ret){
+ krb5_auth_con_free(context, ac);
+ free(*auth_data);
+ *auth_data = NULL;
+ kdc_log(context, config, 0, "Failed to decode authorization data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ }
+
krb5_auth_con_free(context, ac);
out:
@@ -1454,6 +1500,7 @@ tgs_build_reply(krb5_context context,
krb5_data *reply,
const char *from,
const char **e_text,
+ AuthorizationData **auth_data,
const struct sockaddr *from_addr)
{
krb5_error_code ret;
@@ -1469,9 +1516,6 @@ tgs_build_reply(krb5_context context,
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
- AuthorizationData *auth_data = NULL;
- const EncryptionKey *auth_data_key = replykey;
- unsigned auth_data_usage;
hdb_entry_ex *krbtgt_out = NULL;
@@ -1481,7 +1525,6 @@ tgs_build_reply(krb5_context context,
Realm r;
int nloop = 0;
EncTicketPart adtkt;
- EncTicketPart *adtgt = tgt;
char opt_str[128];
int signedpath = 0;
@@ -1497,12 +1540,6 @@ tgs_build_reply(krb5_context context,
s = b->sname;
r = b->realm;
- if (rk_is_subkey != 0) {
- auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
- } else {
- auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
- }
-
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
@@ -1705,7 +1742,7 @@ server_lookup:
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
- server, b->etype.val, b->etype.len, &etype,
+ server, b->etype.val, b->etype.len, NULL,
&skey);
if(ret) {
kdc_log(context, config, 0,
@@ -1713,6 +1750,7 @@ server_lookup:
goto out;
}
ekey = &skey->key;
+ etype = skey->key.keytype;
kvno = server->entry.kvno;
}
@@ -2145,55 +2183,10 @@ server_lookup:
goto out;
}
- if (rk_is_subkey == 0) {
- auth_data_key = &adtkt.key;
- }
- adtgt = &adtkt;
kdc_log(context, config, 0, "constrained delegation for %s "
"from %s (%s) to %s", tpn, cpn, dpn, spn);
}
- if (b->enc_authorization_data) {
- krb5_data ad;
- krb5_crypto crypto;
-
- ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
- if (ret) {
- const char *msg = krb5_get_error_message(context, ret);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
- krb5_free_error_message(context, msg);
- goto out;
- }
-
- ret = krb5_decrypt_EncryptedData (context,
- crypto,
- auth_data_usage,
- b->enc_authorization_data,
- &ad);
- krb5_crypto_destroy(context, crypto);
- if(ret){
- kdc_log(context, config, 0,
- "Failed to decrypt enc-authorization-data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- ALLOC(auth_data);
- if (auth_data == NULL) {
- krb5_data_free(&ad);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
- krb5_data_free(&ad);
- if(ret){
- free(auth_data);
- auth_data = NULL;
- kdc_log(context, config, 0, "Failed to decode authorization data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- }
-
/*
* Check flags
*/
@@ -2264,13 +2257,12 @@ server_lookup:
b,
tp,
tgt,
- adtgt,
replykey,
rk_is_subkey,
ekey,
&sessionkey,
kvno,
- auth_data,
+ *auth_data,
server,
server->entry.principal,
spn,
@@ -2315,11 +2307,6 @@ out:
free(ref_realm);
free_METHOD_DATA(&enc_pa_data);
- if (auth_data) {
- free_AuthorizationData(auth_data);
- free(auth_data);
- }
-
free_EncTicketPart(&adtkt);
return ret;
@@ -2338,6 +2325,7 @@ _kdc_tgs_rep(krb5_context context,
struct sockaddr *from_addr,
int datagram_reply)
{
+ AuthorizationData *auth_data = NULL;
krb5_error_code ret;
int i = 0;
const PA_DATA *tgs_req;
@@ -2376,6 +2364,7 @@ _kdc_tgs_rep(krb5_context context,
&e_text,
from, from_addr,
&csec, &cusec,
+ &auth_data,
&replykey,
&rk_is_subkey);
if (ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -2400,6 +2389,7 @@ _kdc_tgs_rep(krb5_context context,
data,
from,
&e_text,
+ &auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 0,
@@ -2436,5 +2426,10 @@ out:
if(krbtgt)
_kdc_free_ent(context, krbtgt);
+ if (auth_data) {
+ free_AuthorizationData(auth_data);
+ free(auth_data);
+ }
+
return ret;
}
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index 4c8df93..5dc5a09 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -93,12 +93,11 @@ static struct hdb_method dbmetod =
#endif
-static krb5_error_code
-_hdb_next_enctype2key(krb5_context context,
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
const hdb_entry *e,
krb5_enctype enctype,
- Key **key,
- bool require_key)
+ Key **key)
{
Key *k;
@@ -106,10 +105,6 @@ _hdb_next_enctype2key(krb5_context context,
k < e->keys.val + e->keys.len;
k++)
{
- if (require_key && k->key.keyvalue.length == 0) {
- continue;
- }
-
if(k->key.keytype == enctype){
*key = k;
return 0;
@@ -121,16 +116,6 @@ _hdb_next_enctype2key(krb5_context context,
return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
}
-
-krb5_error_code
-hdb_next_enctype2key(krb5_context context,
- const hdb_entry *e,
- krb5_enctype enctype,
- Key **key)
-{
- return _hdb_next_enctype2key(context, e, enctype, key, true);
-}
-
krb5_error_code
hdb_enctype2key(krb5_context context,
hdb_entry *e,
@@ -141,15 +126,6 @@ hdb_enctype2key(krb5_context context,
return hdb_next_enctype2key(context, e, enctype, key);
}
-krb5_error_code
-hdb_enctype_supported(krb5_context context,
- hdb_entry *e,
- krb5_enctype enctype)
-{
- Key *key = NULL;
- return _hdb_next_enctype2key(context, e, enctype, &key, false);
-}
-
void
hdb_free_key(Key *key)
{
diff --git a/source4/heimdal/lib/hdb/version-script.map
b/source4/heimdal/lib/hdb/version-script.map
index c4bd8f4..f80fb78 100644
--- a/source4/heimdal/lib/hdb/version-script.map
+++ b/source4/heimdal/lib/hdb/version-script.map
@@ -20,7 +20,6 @@ HEIMDAL_HDB_1.0 {
hdb_dbinfo_get_realm;
hdb_default_db;
hdb_enctype2key;
- hdb_enctype_supported;
hdb_entry2string;
hdb_entry2value;
hdb_entry_alias2value;
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bfd940c..bf55bef 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -267,7 +267,6 @@ static krb5_error_code
samba_kdc_message2entry_keys(krb5_context context,
bool is_rodc,
uint32_t userAccountControl,
enum samba_kdc_ent_type
ent_type,
- unsigned flags,
struct sdb_entry_ex
*entry_ex)
{
krb5_error_code ret = 0;
@@ -288,38 +287,6 @@ static krb5_error_code
samba_kdc_message2entry_keys(krb5_context context,
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
0);
- uint32_t new_session_enctypes = 0;
- const krb5_enctype newer_enctypes[] = {
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- };
-
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_CLIENT:
- case SAMBA_KDC_ENT_TYPE_ANY:
- break;
- case SAMBA_KDC_ENT_TYPE_SERVER:
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- if (flags & (SDB_F_FOR_AS_REQ|SDB_F_FOR_TGS_REQ)) {
- /*
- * We should indicate support for new encryption
- * types (for session keys) via empty keyvalues,
- * in case we don't have stored keys for such encryption
- * types.
- */
- new_session_enctypes = supported_enctypes;
- }
- break;
- }
-
- if (userAccountControl & UF_NORMAL_ACCOUNT) {
- supported_enctypes = 0;
- }
- if (supported_enctypes == 0) {
- /* Otherwise, add in the default enc types */
- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 |
ENC_RC4_HMAC_MD5;
- }
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
/* KDCs (and KDCs on RODCs) use AES */
@@ -341,7 +308,7 @@ static krb5_error_code
samba_kdc_message2entry_keys(krb5_context context,
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the
newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
--
Samba Shared Repository
