From ae320de196b34524e25fc8bf0dd70748cfb584b0 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 16 Aug 2015 21:24:59 +0200
Subject: [PATCH 3/4] Pass through PKP reply key to PAC generation for PAC_CREDENTIAL_DATA.

The PKP reply key needs to be passed through to the PAC generation for encryption of the PAC_CREDENTIAL_DATA buffer, which is encrypted separately to the rest of the packet. This adapts the embedded Heimdal to pass through the corresponding crypto state. Caveat: this patch only works against the embedded Heimdal and will break system Heimdal builds in the current form (some #ifdef-fing required).
---
 source4/heimdal/kdc/kerberos5.c | 11 +++++++++--
 source4/heimdal/kdc/krb5tgs.c | 2 +-
 source4/heimdal/kdc/windc.c | 5 +++--
 source4/heimdal/kdc/windc_plugin.h | 3 ++-
 source4/kdc/wdc-samba4.c | 6 +++++-
 5 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c13abb7..3b7341c 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1665,7 +1665,7 @@ _kdc_as_rep(krb5_context context,
 copy_HostAddresses(et.caddr, ek.caddr);
 }
-#if PKINIT
+#ifdef PKINIT
 if (pkp) {
 e_text = "Failed to build PK-INIT reply";
 ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
@@ -1760,7 +1760,14 @@ _kdc_as_rep(krb5_context context,
 krb5_pac p = NULL;
 krb5_data data;
- ret = _kdc_pac_generate(context, client, &p);
+#ifdef PKINIT
+ if (pkp)
+ /* Send reply key as constant value to pac generate which allows
+ * parts of the buffer to be encrypted (i.e., PAC_CREDENTIAL_DATA). */
+ ret = _kdc_pac_generate(context, client, &p, reply_key);
+ else
+#endif
+ ret = _kdc_pac_generate(context, client, &p, NULL);
 if (ret) {
 kdc_log(context, config, 0, "PAC generation failed for -- %s",
 client_name);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 4568177..8050ddb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
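Review bot: `#if PKINIT` becoming `#ifdef PKINIT` is unrelated to the PAC change and is not mentioned in the commit message; the two guards differ when a config header defines PKINIT to 0 rather than leaving it undefined, in which case this hunk newly compiles in the PK-INIT reply path. If the rest of kerberos5.c already uses `#ifdef PKINIT` (the second hunk of this file does), mention the guard fix in the message as a consistency change; otherwise keep the original form. _kdc_as_rep starts and ends outside the hunk.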
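Review bot: `ret = _kdc_pac_generate(context, client, &p, reply_key);` passes `reply_key` to a parameter typed `const krb5_keyblock *`; in Heimdal's _kdc_as_rep, as far as I can tell, `reply_key` is a `krb5_keyblock` value that the _kdc_pk_mk_pa_reply call in the first hunk fills through `&reply_key`, so this line presumably needs `&reply_key` — its declaration is outside the hunk, please confirm the file builds. The `if (pkp)` whose unbraced body is a two-line comment plus one statement, followed by an `else` separated from its statement by `#endif`, is fragile; selecting the key pointer first keeps a single call and keeps the preprocessor guard out of the statement, as below. The comment should also say that the plugin only borrows the key, since the keyblock is owned and released by this function rather than by the PAC code. _kdc_as_rep continues on both sides of the hunk.
```c
	const krb5_keyblock *pac_key = NULL;
#ifdef PKINIT
	/* PK-INIT: hand the reply key to the PAC generator so that
	 * PAC_CREDENTIAL_DATA can be encrypted with it.  The plugin only
	 * borrows the key; reply_key stays owned by this function. */
	if (pkp)
	    pac_key = &reply_key;
#endif
	ret = _kdc_pac_generate(context, client, &p, pac_key);
	/* … unchanged: error logging … */
```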
@@ -1952,7 +1952,7 @@ server_lookup:
 krb5_free_error_message(context, msg);
 goto out;
 }
- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
+ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p, NULL);
 if (ret) {
 kdc_log(context, config, 0, "PAC generation failed for -- %s",
 tpn);
diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
index ba87abb..955daa7 100644
--- a/source4/heimdal/kdc/windc.c
+++ b/source4/heimdal/kdc/windc.c
@@ -73,12 +73,13 @@ krb5_kdc_windc_init(krb5_context context)
 krb5_error_code
 _kdc_pac_generate(krb5_context context,
 hdb_entry_ex *client,
- krb5_pac *pac)
+ krb5_pac *pac,
+ const krb5_keyblock *pkreplykey)
 {
 *pac = NULL;
 if (windcft == NULL)
 return 0;
- return (windcft->pac_generate)(windcctx, context, client, pac);
+ return (windcft->pac_generate)(windcctx, context, client, pac, pkreplykey);
 }
 krb5_error_code
diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
index fa4ba43..38a314f 100644
--- a/source4/heimdal/kdc/windc_plugin.h
+++ b/source4/heimdal/kdc/windc_plugin.h
@@ -53,7 +53,8 @@ struct hdb_entry_ex;
 typedef krb5_error_code
 (*krb5plugin_windc_pac_generate)(void *, krb5_context,
- struct hdb_entry_ex *, krb5_pac *);
+ struct hdb_entry_ex *, krb5_pac *,
+ const krb5_keyblock *);
 typedef krb5_error_code
 (*krb5plugin_windc_pac_verify)(void *, krb5_context,
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 2f4945c..929ee38 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
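Review bot: _kdc_pac_generate gains a fourth parameter in the windc.c hunk, but no header declaring it is among the five files in the diffstat; unless the private prototype for this function is regenerated at build time, kerberos5.c and krb5tgs.c compile against the old declaration and the extra argument goes through without type checking. Add the updated declaration to this patch, or say in the message that the header is generated. The wrapper also forwards pkreplykey unconditionally, so its contract should state that the pointer may be NULL (every non-PK-INIT caller in this patch passes NULL) and is valid only for the duration of the call: `/* pkreplykey: PK-INIT reply key or NULL; borrowed, not retained by the plugin. */`.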
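Review bot: Adding a parameter to the krb5plugin_windc_pac_generate function pointer in windc_plugin.h changes the contract of every windc plugin; a plugin built against the old typedef is still loaded and, on the usual calling conventions, silently ignores the extra argument, so a PAC would be produced without the key rather than failing loudly. The commit message notes the system Heimdal breakage but not this. Bump the plugin interface version constant declared in this header (KRB5_WINDC_PLUGIN_MINOR, if that is the one at this revision) in the same patch so that mismatched plugins are rejected when registered, and document the new parameter next to the typedef: `/* PK-INIT reply key, NULL when the AS exchange did not use PK-INIT; borrowed, must not be retained. */`.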
@@ -25,10 +25,14 @@
 #include "kdc/kdc-glue.h"
 #include "kdc/pac-glue.h"
-/* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
+/* Given the right private pointer from hdb_samba4, get a PAC from the attached
+ * ldb messages. In case PKINIT is used to set up the AS, we get the reply
+ * key to encrypt data in the PAC. */
 static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
 struct hdb_entry_ex *client,
- krb5_pac *pac)
+ krb5_pac *pac,
+ const krb5_keyblock *pkreplykey)
 {
 TALLOC_CTX *mem_ctx;
 DATA_BLOB *pac_blob;
-- 
2.1.4
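Review bot: The new comment over samba_wdc_get_pac says the reply key is received when PK-INIT set up the AS, but every non-PK-INIT caller in this patch (the TGS path in krb5tgs.c and the else branch in kerberos5.c) passes NULL, so the function body — which continues past the hunk — must treat pkreplykey as optional and the comment should say so. I would end it with ` * key to encrypt data in the PAC; pkreplykey is NULL otherwise and must not be dereferenced. */`. It is also worth stating that the key is borrowed for the duration of the call, since the caller owns the keyblock, so it must not be stashed in anything the returned PAC outlives.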