The Samba-Bugzilla – Attachment 11339 Details for
Bug 11441
Smart Card Logins break client-side DPAPI (among others)
[patch]
Pass through PKP reply from Heimdal to allow PAC_CREDENTIAL_DATA encryption.
0003-Pass-through-PKP-reply-key-to-PAC-generation-for-PAC.patch (text/plain), 4.27 KB, created by
Heiko Wundram
on 2015-08-16 19:53:12 UTC
Description:
Pass through PKP reply from Heimdal to allow PAC_CREDENTIAL_DATA encryption.
Filename:
MIME Type:
Creator:
Heiko Wundram
Created:
2015-08-16 19:53:12 UTC
Size:
4.27 KB
patch
obsolete
>From ae320de196b34524e25fc8bf0dd70748cfb584b0 Mon Sep 17 00:00:00 2001
>From: root <root@vpn.gehrkens.it>
>Date: Sun, 16 Aug 2015 21:24:59 +0200
>Subject: [PATCH 3/4] Pass through PKP reply key to PAC generation for
> PAC_CREDENTIAL_DATA.
>
>The PKP reply key needs to be passed through to the PAC generation for encryption
>of the PAC_CREDENTIAL_DATA buffer, which is encrypted separately to the rest of
>the packet. This adapts the embedded Heimdal to pass through the corresponding
>crypto state.
>
>Caveat: this patch only works against the embedded Heimdal and will break
>system Heimdal builds in the current form (some #ifdef-fing required).
>---
> source4/heimdal/kdc/kerberos5.c | 11 +++++++++--
> source4/heimdal/kdc/krb5tgs.c | 2 +-
> source4/heimdal/kdc/windc.c | 5 +++--
> source4/heimdal/kdc/windc_plugin.h | 3 ++-
> source4/kdc/wdc-samba4.c | 6 +++++-
> 5 files changed, 20 insertions(+), 7 deletions(-)
>
>diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
>index c13abb7..3b7341c 100644
>--- a/source4/heimdal/kdc/kerberos5.c
>+++ b/source4/heimdal/kdc/kerberos5.c
>@@ -1665,7 +1665,7 @@ _kdc_as_rep(krb5_context context,
> copy_HostAddresses(et.caddr, ek.caddr);
> }
>
>-#if PKINIT
>+#ifdef PKINIT
> if (pkp) {
> e_text = "Failed to build PK-INIT reply";
> ret = _kdc_pk_mk_pa_reply(context, config, pkp, client,
>@@ -1760,7 +1760,14 @@ _kdc_as_rep(krb5_context context,
> krb5_pac p = NULL;
> krb5_data data;
>
>- ret = _kdc_pac_generate(context, client, &p);
>+#ifdef PKINIT
>+ if (pkp)
>+ /* Send reply key as constant value to pac generate which allows
>+ * parts of the buffer to be encrypted (i.e., PAC_CREDENTIAL_DATA). */
>+ ret = _kdc_pac_generate(context, client, &p, reply_key);
>+ else
>+#endif
>+ ret = _kdc_pac_generate(context, client, &p, NULL);
> if (ret) {
> kdc_log(context, config, 0, "PAC generation failed for -- %s",
> client_name);
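Review bot: The switch from `#if PKINIT` to `#ifdef PKINIT` in front of the PK-INIT reply block is independent of the reply-key passthrough and is not mentioned in the commit message. The two forms differ only when PKINIT is defined to 0, in which case the block is now compiled in; if the change is deliberate (for instance to match the `#ifdef PKINIT` guard added in the next hunk), the description should say so, otherwise keep `#if PKINIT`. `_kdc_as_rep` starts and continues outside this hunk.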
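Review bot: The new `if (pkp)` / `else` pair in the PAC-generation hunk straddles a preprocessor directive with unbraced bodies, so the `else` and the statement it governs are separated by `#endif` and a later edit to either branch (or a build without PKINIT) silently changes which call is guarded. Selecting the key into a local first and making a single call keeps the conditional compilation away from the control flow and gives the comment a natural place. `reply_key` is declared outside the hunk, and I could not confirm from here that it is the pointer type `_kdc_pac_generate` now expects rather than the `krb5_keyblock` value that `_kdc_pk_mk_pa_reply` fills via `&reply_key`; if it is the value, the argument needs `&reply_key`, and it should also be verified that it is always populated when `pkp` is non-NULL at this point. `_kdc_as_rep` starts and continues outside this hunk.
```c
/* … unchanged: krb5_pac p = NULL; krb5_data data; … */
const krb5_keyblock *pac_key = NULL;
#ifdef PKINIT
/* For a PK-INIT AS-REQ the AS reply key is handed to the PAC generator so
 * the PAC_CREDENTIAL_DATA buffer can be encrypted with it; otherwise the
 * generator gets no key and must omit that buffer. */
if (pkp)
    pac_key = reply_key;
#endif
ret = _kdc_pac_generate(context, client, &p, pac_key);
/* … unchanged: PAC generation failure logging … */
```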
>diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
>index 4568177..8050ddb 100644
>--- a/source4/heimdal/kdc/krb5tgs.c
>+++ b/source4/heimdal/kdc/krb5tgs.c
>@@ -1952,7 +1952,7 @@ server_lookup:
> krb5_free_error_message(context, msg);
> goto out;
> }
>- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p);
>+ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, &p, NULL);
> if (ret) {
> kdc_log(context, config, 0, "PAC generation failed for -- %s",
> tpn);
>diff --git a/source4/heimdal/kdc/windc.c b/source4/heimdal/kdc/windc.c
>index ba87abb..955daa7 100644
>--- a/source4/heimdal/kdc/windc.c
>+++ b/source4/heimdal/kdc/windc.c
>@@ -73,12 +73,13 @@ krb5_kdc_windc_init(krb5_context context)
> krb5_error_code
> _kdc_pac_generate(krb5_context context,
> hdb_entry_ex *client,
>- krb5_pac *pac)
>+ krb5_pac *pac,
>+ const krb5_keyblock *pkreplykey)
> {
> *pac = NULL;
> if (windcft == NULL)
> return 0;
>- return (windcft->pac_generate)(windcctx, context, client, pac);
>+ return (windcft->pac_generate)(windcctx, context, client, pac, pkreplykey);
> }
>
> krb5_error_code
>diff --git a/source4/heimdal/kdc/windc_plugin.h b/source4/heimdal/kdc/windc_plugin.h
>index fa4ba43..38a314f 100644
>--- a/source4/heimdal/kdc/windc_plugin.h
>+++ b/source4/heimdal/kdc/windc_plugin.h
>@@ -53,7 +53,8 @@ struct hdb_entry_ex;
>
> typedef krb5_error_code
> (*krb5plugin_windc_pac_generate)(void *, krb5_context,
>- struct hdb_entry_ex *, krb5_pac *);
>+ struct hdb_entry_ex *, krb5_pac *,
>+ const krb5_keyblock *);
>
> typedef krb5_error_code
> (*krb5plugin_windc_pac_verify)(void *, krb5_context,
>diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
>index 2f4945c..929ee38 100644
>--- a/source4/kdc/wdc-samba4.c
>+++ b/source4/kdc/wdc-samba4.c
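Review bot: The new `pkreplykey` parameter of `_kdc_pac_generate` is nullable — the krb5tgs.c hunk passes `NULL` on the S4U2Self path and the kerberos5.c hunk passes `NULL` whenever the AS-REQ was not PK-INIT — but neither this function nor the `krb5plugin_windc_pac_generate` typedef in the windc_plugin.h hunk says so, and a plugin that dereferences it unconditionally would fail on every password-based AS-REQ. I would put a comment above `_kdc_pac_generate` (and the same wording on the typedef in the header): `/* pkreplykey: the AS reply key when the request was PK-INIT authenticated, NULL otherwise; plugins must accept NULL and then omit PAC_CREDENTIAL_DATA. */`. The header hunk also changes the plugin ABI, so the unnamed typedef parameter is the only place an out-of-tree plugin author will learn about the new argument; naming it there would help.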
>@@ -25,10 +25,14 @@
> #include "kdc/kdc-glue.h"
> #include "kdc/pac-glue.h"
>
>-/* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
>+/* Given the right private pointer from hdb_samba4, get a PAC from the attached
>+ * ldb messages. In case PKINIT is used to set up the AS, we get the reply
>+ * key to encrypt data in the PAC. */
> static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
> struct hdb_entry_ex *client,
> krb5_pac *pac)
>+ krb5_pac *pac,
>+ const krb5_keyblock *pkreplykey)
> {
> TALLOC_CTX *mem_ctx;
> DATA_BLOB *pac_blob;
>-- 
>2.1.4
>
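Review bot: The hunk keeps `krb5_pac *pac)` as a context line and adds `krb5_pac *pac,` and `const krb5_keyblock *pkreplykey)` directly below it, so the patched prototype reads `... krb5_pac *pac) krb5_pac *pac, const krb5_keyblock *pkreplykey) {` and will not compile; the old `krb5_pac *pac)` line needs a `-` marker. The hunk header `-25,10 +25,14` and the diffstat's `6 +++++-` both agree with the lines as shown, so this is in the patch rather than an artifact of the page rendering. The body of `samba_wdc_get_pac` continues outside the hunk, so whether `pkreplykey` is consumed there is not visible; as far as this patch shows it is an unused parameter, presumably picked up by the next patch in the series, which the commit message could state.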