From 6e3fd37ab243858e6494a37b3c805bff855ff5a7 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 16 Sep 2019 16:40:12 +0300
Subject: [PATCH] Adapt sign_authdata in our KDB module for krb5 v1.18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source4/kdc/mit-kdb/kdb_samba.c | 2 +-
source4/kdc/mit-kdb/kdb_samba.h | 21 ++++++++++++++++++
source4/kdc/mit-kdb/kdb_samba_policies.c | 27 ++++++++++++++++++++++++
3 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
index c5157d6ed1b..02bbdca9f54 100644
--- a/source4/kdc/mit-kdb/kdb_samba.c
+++ b/source4/kdc/mit-kdb/kdb_samba.c
@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
- .min_ver = 1,
+ .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
.init_library = kdb_samba_init_library,
.fini_library = kdb_samba_fini_library,
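Review bot: The new `.min_ver` expression selects on KRB5_KDB_DAL_MAJOR_VERSION while the sign_auth_data changes in kdb_samba.h and kdb_samba_policies.c in this same patch select on `KRB5_KDB_API_VERSION < 10`, and nothing on the line records that the two tests are meant to pick the same krb5 generation. A short comment would stop a later reader from adjusting one without the other, e.g. `/* DAL major 6 reached minor 1; newer majors restart at minor 0 — keep in step with the KRB5_KDB_API_VERSION checks around kdb_samba_db_sign_auth_data */`. Whether minor 0 is correct for every major above 6 cannot be seen here and is worth confirming against the kdb.h the build targets.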
diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
index 22ef9085b6a..ad4f6e27573 100644
--- a/source4/kdc/mit-kdb/kdb_samba.h
+++ b/source4/kdc/mit-kdb/kdb_samba.h
@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
/* from kdb_samba_policies.c */
+#if KRB5_KDB_API_VERSION < 10
krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
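Review bot: The `#if KRB5_KDB_API_VERSION < 10` added at the top of this hunk, and the `#else` prototype it introduces in the next hunk, carry no comment saying which krb5 generation selects each form, which of the five extra parameters the Samba implementation honours, or that the definition in kdb_samba_policies.c carries the same conditional and must be edited together. Suggest a comment directly above the `#if`, along the lines of `/* kdb sign_authdata callback. The KDB API >= 10 (MIT krb5 1.18) form adds local_krbtgt/local_krbtgt_key, authdata_info and auth_indicators; keep both prototypes in step with the definition in kdb_samba_policies.c */`. The version-to-API mapping is taken from this patch's subject line and should be confirmed against kdb.h.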
@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data);
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_db_entry *local_krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *local_krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ void *authdata_info,
+ krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data);
+#endif
krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
krb5_kdc_req *kdcreq,
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index fc80329f221..586cf81451d 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -287,6 +287,7 @@ done:
return code;
}
+#if KRB5_KDB_API_VERSION < 10
krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
@@ -301,6 +302,27 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data)
{
+#else
+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_const_principal server_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_db_entry *local_krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *local_krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ void *authdata_info,
+ krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data)
+{
+#endif
krb5_const_principal ks_client_princ;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
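Review bot: Both branches of the `#if KRB5_KDB_API_VERSION < 10` block end with their own `{` (the existing one above `#else` and the added one above `#endif`), so the conditional straddles the function head and the opening brace, which defeats brace matching in editors and tools and duplicates a line for no gain. Ending both parameter lists at `signed_auth_data)`, then `#endif`, then a single `{` on its own line keeps the preprocessor block to the parameter lists only. The function body continues past the end of this hunk, and the matching prototype block in kdb_samba.h must stay in step with whichever form is chosen.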
@@ -308,6 +330,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_pac pac = NULL;
krb5_data pac_data;
+#if KRB5_KDB_API_VERSION >= 10
+ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+#endif
+
/* Prefer canonicalised name from client entry */
if (client != NULL) {
ks_client_princ = client->princ;
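Review bot: The two fallbacks `krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;` and `krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;` are evaluated independently, so a caller passing a TGT entry together with a NULL key (or the reverse) would silently pair the ticket's krbtgt entry with the local krbtgt key, and that key is what later reaches krb5_pac_sign; if that pairing is never legitimate, a single guard such as `if ((krbtgt == NULL) != (krbtgt_key == NULL)) { code = KRB5_KDB_INTERNAL_ERROR; goto done; }` would surface it (pac and authdata are still NULL at this point, so the cleanup at done should tolerate it — confirm). The fallback itself also needs a why-comment, presumably `/* KDB API >= 10 passes krbtgt/krbtgt_key as NULL when no TGT was used; fall back to the local TGT entry and key for PAC signing and verification — confirm against the DAL docs */`. `authdata_info` and `auth_indicators` are not referenced anywhere in this hunk; the body continues beyond it, so if they remain unused a `(void)` cast or a comment would make that deliberate.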
--
2.25.4
From 958807109845313c35a0c6949b33ffbc09eeba59 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 16 Jan 2020 22:00:21 +0100
Subject: [PATCH] Sign and verify PAC with ticket principal instead of canon
principal
With MIT library 1.18 the KDC no longer sets
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
us to not canonicalize them (like in Windows / Heimdal).
However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 586cf81451d..2eec496fa92 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata ***signed_auth_data)
{
#endif
- krb5_const_principal ks_client_princ;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
krb5_error_code code;
@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
#endif
- /* Prefer canonicalised name from client entry */
- if (client != NULL) {
- ks_client_princ = client->princ;
- } else {
- ks_client_princ = client_princ;
- }
-
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
if (!is_as_req) {
code = ks_verify_pac(context,
flags,
- ks_client_princ,
+ client_princ,
client,
server,
krbtgt,
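Review bot: Switching ks_verify_pac here, and krb5_pac_sign in the next hunk, from the canonical entry name to `client_princ` is the security-relevant part of this change, yet neither call site says why the canonical name is wrong and the commit message becomes the only record. A comment above the ks_verify_pac call such as `/* The PAC checksums bind the client name as it appears in the ticket, not the canonical entry name; with krb5 1.18 enterprise principals are no longer canonicalised, so verify and sign with client_princ */` keeps the reasoning next to the code that depends on it. The ks_verify_pac call continues past the end of this hunk.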
@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
goto done;
}
- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
+ code = krb5_pac_sign(context, pac, authtime, client_princ,
server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
--
2.25.4