authorStefan Metzmacher <metze@samba.org>2017-09-20 23:05:09 +0200
committerKarolin Seeger <kseeger@samba.org>2018-02-20 12:52:17 +0100
commit3dd52dd0df77bac590645cf05b54766101456016 (patch)
treea87447bbdf8419ff4e3c71e7604f89dd5a3b591f /source4
parent9ec1a523d2acba03a8cd7c21013d896962863759 (diff)
HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()
We do this after checking for constrained delegation (S4U2Proxy). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131 Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/heimdal/kdc/krb5tgs.c115
1 files changed, 56 insertions, 59 deletions
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 6bc4b6ff59c..f5b4137c2b8 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1159,7 +1159,6 @@ tgs_parse_request(krb5_context context,
const struct sockaddr *from_addr,
time_t **csec,
int **cusec,
- AuthorizationData **auth_data,
krb5_keyblock **replykey,
int *rk_is_subkey)
{
@@ -1170,14 +1169,11 @@ tgs_parse_request(krb5_context context,
krb5_auth_context ac = NULL;
krb5_flags ap_req_options;
krb5_flags verify_ap_req_flags;
- krb5_crypto crypto;
Key *tkey;
krb5_keyblock *subkey = NULL;
- unsigned usage;
krb5uint32 kvno = 0;
krb5uint32 *kvno_ptr = NULL;
- *auth_data = NULL;
*csec = NULL;
*cusec = NULL;
*replykey = NULL;
@@ -1328,7 +1324,6 @@ tgs_parse_request(krb5_context context,
goto out;
}
- usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
*rk_is_subkey = 1;
ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
@@ -1340,7 +1335,6 @@ tgs_parse_request(krb5_context context,
goto out;
}
if(subkey == NULL){
- usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
*rk_is_subkey = 0;
ret = krb5_auth_con_getkey(context, ac, &subkey);
@@ -1362,49 +1356,6 @@ tgs_parse_request(krb5_context context,
*replykey = subkey;
- if (b->enc_authorization_data) {
- krb5_data ad;
-
- ret = krb5_crypto_init(context, subkey, 0, &crypto);
- if (ret) {
- const char *msg = krb5_get_error_message(context, ret);
- krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
- krb5_free_error_message(context, msg);
- goto out;
- }
- ret = krb5_decrypt_EncryptedData (context,
- crypto,
- usage,
- b->enc_authorization_data,
- &ad);
- krb5_crypto_destroy(context, crypto);
- if(ret){
- krb5_auth_con_free(context, ac);
- kdc_log(context, config, 0,
- "Failed to decrypt enc-authorization-data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- ALLOC(*auth_data);
- if (*auth_data == NULL) {
- krb5_data_free(&ad);
- krb5_auth_con_free(context, ac);
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
- krb5_data_free(&ad);
- if(ret){
- krb5_auth_con_free(context, ac);
- free(*auth_data);
- *auth_data = NULL;
- kdc_log(context, config, 0, "Failed to decode authorization data");
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
- goto out;
- }
- }
-
krb5_auth_con_free(context, ac);
out:
@@ -1502,7 +1453,6 @@ tgs_build_reply(krb5_context context,
krb5_data *reply,
const char *from,
const char **e_text,
- AuthorizationData **auth_data,
const struct sockaddr *from_addr)
{
krb5_error_code ret;
@@ -1518,6 +1468,9 @@ tgs_build_reply(krb5_context context,
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
+ AuthorizationData *auth_data = NULL;
+ const EncryptionKey *auth_data_key = replykey;
+ unsigned auth_data_usage;
hdb_entry_ex *krbtgt_out = NULL;
@@ -1542,6 +1495,12 @@ tgs_build_reply(krb5_context context,
s = b->sname;
r = b->realm;
+ if (rk_is_subkey != 0) {
+ auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
+ } else {
+ auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
+ }
+
if (b->kdc_options.canonicalize)
flags |= HDB_F_CANON;
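Review bot: The usage constant selected here is consumed much further down in the same function, where it is paired with `auth_data_key`, which is initialised separately from `replykey` in the declarations; nothing at this point records that the two must stay in agreement, so a later change that selects a different key (the commit message hints at the S4U2Proxy case) could leave the usage stale and make every decryption fail or, worse, accept data under the wrong key/usage pairing. I would put a comment above the `if (rk_is_subkey != 0)`: `/* Usage must match auth_data_key: authenticator subkey (RFC 4120 usage 5) or TGT session key (usage 4). */`. tgs_build_reply starts and ends outside this hunk.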
@@ -2189,6 +2148,47 @@ server_lookup:
"from %s (%s) to %s", tpn, cpn, dpn, spn);
}
+ if (b->enc_authorization_data) {
+ krb5_data ad;
+ krb5_crypto crypto;
+
+ ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
+ if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
+ goto out;
+ }
+
+ ret = krb5_decrypt_EncryptedData (context,
+ crypto,
+ auth_data_usage,
+ b->enc_authorization_data,
+ &ad);
+ krb5_crypto_destroy(context, crypto);
+ if(ret){
+ kdc_log(context, config, 0,
+ "Failed to decrypt enc-authorization-data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ ALLOC(auth_data);
+ if (auth_data == NULL) {
+ krb5_data_free(&ad);
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
+ krb5_data_free(&ad);
+ if(ret){
+ free(auth_data);
+ auth_data = NULL;
+ kdc_log(context, config, 0, "Failed to decode authorization data");
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+ goto out;
+ }
+ }
+
/*
* Check flags
*/
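Review bot: The `ALLOC(auth_data)` failure branch in the new `if (b->enc_authorization_data)` block reports an out-of-memory condition as `KRB5KRB_AP_ERR_BAD_INTEGRITY` (the `/* ? */` carried over from the old tgs_parse_request code), which tells both the client and the KDC log that the enc-authorization-data failed an integrity check when the request was fine. I would return `ret = ENOMEM;` there and set `krb5_set_error_message(context, ret, "malloc: out of memory");` so incident triage does not mistake a resource failure for tampering. The decrypt and decode failures can reasonably keep BAD_INTEGRITY, but the three `/* ? */` markers deserve either a one-line justification or removal now that the code has been moved. tgs_build_reply starts and ends outside this hunk, so I could not confirm whether any path jumps back to `server_lookup:` after this block; if one does, the unconditional `ALLOC(auth_data)` would leak the earlier allocation and a guard on `auth_data == NULL` would be needed.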
@@ -2264,7 +2264,7 @@ server_lookup:
ekey,
&sessionkey,
kvno,
- *auth_data,
+ auth_data,
server,
server->entry.principal,
spn,
@@ -2309,6 +2309,11 @@ out:
free(ref_realm);
free_METHOD_DATA(&enc_pa_data);
+ if (auth_data) {
+ free_AuthorizationData(auth_data);
+ free(auth_data);
+ }
+
free_EncTicketPart(&adtkt);
return ret;
@@ -2327,7 +2332,6 @@ _kdc_tgs_rep(krb5_context context,
struct sockaddr *from_addr,
int datagram_reply)
{
- AuthorizationData *auth_data = NULL;
krb5_error_code ret;
int i = 0;
const PA_DATA *tgs_req;
@@ -2366,7 +2370,6 @@ _kdc_tgs_rep(krb5_context context,
&e_text,
from, from_addr,
&csec, &cusec,
- &auth_data,
&replykey,
&rk_is_subkey);
if (ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -2391,7 +2394,6 @@ _kdc_tgs_rep(krb5_context context,
data,
from,
&e_text,
- &auth_data,
from_addr);
if (ret) {
kdc_log(context, config, 0,
@@ -2428,10 +2430,5 @@ out:
if(krbtgt)
_kdc_free_ent(context, krbtgt);
- if (auth_data) {
- free_AuthorizationData(auth_data);
- free(auth_data);
- }
-
return ret;
}