From 1c7d891c05fbb644bed24fb2338e7a4fce6efa8a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 3 Mar 2022 19:17:06 +0100 Subject: [PATCH 1/3] third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab) NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit f33f73f82fb2d5d96928ce5910e2d0d939c2ff57) --- third_party/heimdal/kdc/fast.c | 20 +++++-- third_party/heimdal/kdc/kdc-accessors.h | 20 +++++++ third_party/heimdal/kdc/kdc-plugin.c | 28 +++++----- third_party/heimdal/kdc/kdc-plugin.h | 6 +-- third_party/heimdal/kdc/kdc_locl.h | 5 ++ third_party/heimdal/kdc/kerberos5.c | 17 ++++-- third_party/heimdal/kdc/krb5tgs.c | 25 ++++++--- third_party/heimdal/kdc/libkdc-exports.def | 3 ++ third_party/heimdal/kdc/mssfu.c | 5 +- third_party/heimdal/kdc/version-script.map | 3 ++ third_party/heimdal/lib/asn1/krb5.asn1 | 54 ++++++++++++++++++- .../heimdal/lib/asn1/libasn1-exports.def | 25 +++++++++ third_party/heimdal/lib/krb5/krb5.h | 4 ++ third_party/heimdal/lib/krb5/pac.c | 2 +- third_party/heimdal/lib/krb5/principal.c | 9 +++- .../heimdal/tests/plugin/kdc_test_plugin.c | 8 +-- 16 files changed, 189 insertions(+), 45 deletions(-) diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index 25cab3096b7f..043227892b5d 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -464,7 +464,6 @@ fast_unwrap_request(astgs_request_t r, krb5_flags ap_req_options; krb5_keyblock armorkey; krb5_keyblock explicit_armorkey; - krb5_boolean explicit_armor; krb5_error_code ret; krb5_ap_req ap_req; KrbFastReq fastreq; @@ -518,7 +517,7 @@ fast_unwrap_request(astgs_request_t r, goto out; } - explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL; + r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL; /* * @@ -625,11 +624,11 @@ fast_unwrap_request(astgs_request_t r, ac->remote_subkey, &ticket->ticket.key, &armorkey, - explicit_armor ? NULL : &r->armor_crypto); + r->explicit_armor_present ? NULL : &r->armor_crypto); if (ret) goto out; - if (explicit_armor) { + if (r->explicit_armor_present) { ret = _krb5_fast_explicit_armor_key(r->context, &armorkey, tgs_ac->remote_subkey, @@ -869,7 +868,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r) if (ret) goto out; - ret = _kdc_check_pac(r->context, r->config, armor_client_principal, NULL, + ret = _kdc_check_pac(r, armor_client_principal, NULL, armor_client, r->armor_server, r->armor_server, r->armor_server, &r->armor_key->key, &r->armor_key->key, @@ -887,6 +886,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r) goto out; } + if (r->explicit_armor_present) { + r->explicit_armor_clientdb = armor_db; + armor_db = NULL; + + r->explicit_armor_client = armor_client; + armor_client = NULL; + + r->explicit_armor_pac = mspac; + mspac = NULL; + } + out: krb5_xfree(armor_client_principal_name); if (armor_client) diff --git a/third_party/heimdal/kdc/kdc-accessors.h b/third_party/heimdal/kdc/kdc-accessors.h index 81c03d2f2227..911b83d7576f 100644 --- a/third_party/heimdal/kdc/kdc-accessors.h +++ b/third_party/heimdal/kdc/kdc-accessors.h @@ -346,4 +346,24 @@ ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes) ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes) +/* + * const HDB * + * kdc_request_get_explicit_armor_clientdb(astgs_request_t); + */ + +ASTGS_REQUEST_GET_ACCESSOR_PTR(HDB *, explicit_armor_clientdb) + +/* + * const hdb_entry * + * kdc_request_get_explicit_armor_client(astgs_request_t); + */ +ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, explicit_armor_client); + +/* + * krb5_const_pac + * kdc_request_get_explicit_armor_pac(astgs_request_t); + */ + +ASTGS_REQUEST_GET_ACCESSOR_PTR(struct krb5_pac_data *, explicit_armor_pac); + #endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */ diff --git a/third_party/heimdal/kdc/kdc-plugin.c b/third_party/heimdal/kdc/kdc-plugin.c index 8759893a9560..925c250597a2 100644 --- a/third_party/heimdal/kdc/kdc-plugin.c +++ b/third_party/heimdal/kdc/kdc-plugin.c @@ -72,7 +72,7 @@ krb5_kdc_plugin_init(krb5_context context) } struct generate_uc { - krb5_kdc_configuration *config; + astgs_request_t r; hdb_entry *client; hdb_entry *server; const krb5_keyblock *reply_key; @@ -90,8 +90,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx) return KRB5_PLUGIN_NO_HANDLE; return ft->pac_generate((void *)plug, - context, - uc->config, + uc->r, uc->client, uc->server, uc->reply_key, @@ -101,8 +100,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx) krb5_error_code -_kdc_pac_generate(krb5_context context, - krb5_kdc_configuration *config, +_kdc_pac_generate(astgs_request_t r, hdb_entry *client, hdb_entry *server, const krb5_keyblock *reply_key, @@ -114,20 +112,20 @@ _kdc_pac_generate(krb5_context context, *pac = NULL; - if (krb5_config_get_bool_default(context, NULL, FALSE, "realms", + if (krb5_config_get_bool_default(r->context, NULL, FALSE, "realms", client->principal->realm, "disable_pac", NULL)) return 0; if (have_plugin) { - uc.config = config; + uc.r = r; uc.client = client; uc.server = server; uc.reply_key = reply_key; uc.pac = pac; uc.pac_attributes = pac_attributes; - ret = _krb5_plugin_run_f(context, &kdc_plugin_data, + ret = _krb5_plugin_run_f(r->context, &kdc_plugin_data, 0, &uc, generate); if (ret != KRB5_PLUGIN_NO_HANDLE) return ret; @@ -135,13 +133,13 @@ _kdc_pac_generate(krb5_context context, } if (*pac == NULL) - ret = krb5_pac_init(context, pac); + ret = krb5_pac_init(r->context, pac); return ret; } struct verify_uc { - krb5_kdc_configuration *config; + astgs_request_t r; krb5_principal client_principal; krb5_principal delegated_proxy_principal; hdb_entry *client; @@ -161,8 +159,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) return KRB5_PLUGIN_NO_HANDLE; ret = ft->pac_verify((void *)plug, - context, - uc->config, + uc->r, uc->client_principal, uc->delegated_proxy_principal, uc->client, uc->server, uc->krbtgt, uc->pac); @@ -170,8 +167,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) } krb5_error_code -_kdc_pac_verify(krb5_context context, - krb5_kdc_configuration *config, +_kdc_pac_verify(astgs_request_t r, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, hdb_entry *client, @@ -184,7 +180,7 @@ _kdc_pac_verify(krb5_context context, if (!have_plugin) return KRB5_PLUGIN_NO_HANDLE; - uc.config = config; + uc.r = r; uc.client_principal = client_principal; uc.delegated_proxy_principal = delegated_proxy_principal; uc.client = client; @@ -192,7 +188,7 @@ _kdc_pac_verify(krb5_context context, uc.krbtgt = krbtgt; uc.pac = pac; - return _krb5_plugin_run_f(context, &kdc_plugin_data, + return _krb5_plugin_run_f(r->context, &kdc_plugin_data, 0, &uc, verify); } diff --git a/third_party/heimdal/kdc/kdc-plugin.h b/third_party/heimdal/kdc/kdc-plugin.h index efe8dd6abe0e..9fc5946df173 100644 --- a/third_party/heimdal/kdc/kdc-plugin.h +++ b/third_party/heimdal/kdc/kdc-plugin.h @@ -48,8 +48,7 @@ typedef krb5_error_code (KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, - krb5_context, /* context */ - krb5_kdc_configuration *, /* configuration */ + astgs_request_t, hdb_entry *, /* client */ hdb_entry *, /* server */ const krb5_keyblock *, /* pk_replykey */ @@ -64,8 +63,7 @@ typedef krb5_error_code typedef krb5_error_code (KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, - krb5_context, /* context */ - krb5_kdc_configuration *, /* configuration */ + astgs_request_t, const krb5_principal, /* new ticket client */ const krb5_principal, /* delegation proxy */ hdb_entry *,/* client */ diff --git a/third_party/heimdal/kdc/kdc_locl.h b/third_party/heimdal/kdc/kdc_locl.h index 8418a91a0a4b..767d04f5c8c9 100644 --- a/third_party/heimdal/kdc/kdc_locl.h +++ b/third_party/heimdal/kdc/kdc_locl.h @@ -167,6 +167,7 @@ struct astgs_request_desc { /* only valid for tgs-req */ unsigned int rk_is_subkey : 1; unsigned int fast_asserted : 1; + unsigned int explicit_armor_present : 1; krb5_crypto armor_crypto; hdb_entry *armor_server; @@ -174,6 +175,10 @@ struct astgs_request_desc { krb5_ticket *armor_ticket; Key *armor_key; + hdb_entry *explicit_armor_client; + HDB *explicit_armor_clientdb; + krb5_pac explicit_armor_pac; + KDCFastState fast; }; diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index b30d321f6f14..e95bdad0a640 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c @@ -280,6 +280,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, * enctype in its KDC-REQ-BODY's etype list, which is what * `etypes' is here. */ + enctype = p[i]; ret = 0; break; } @@ -295,6 +296,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags, */ for (m = 0; m < princ->etypes->len; m++) { if (p[i] == princ->etypes->val[m]) { + enctype = p[i]; ret = 0; break; } @@ -1856,8 +1858,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey, * Validate a PA mech was actually used before doing this. */ - ret = _kdc_pac_generate(r->context, - r->config, + ret = _kdc_pac_generate(r, r->client, r->server, r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY) @@ -2744,12 +2745,19 @@ _kdc_as_rep(astgs_request_t r) out: r->error_code = ret; - _kdc_audit_request(r); + { + krb5_error_code ret2 = _kdc_audit_request(r); + if (ret2) { + krb5_data_free(r->reply); + ret = ret2; + } + } /* * In case of a non proxy error, build an error message. */ - if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0) + if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0) { + kdc_log(r->context, config, 5, "as-req: sending error: %d to client", ret); ret = _kdc_fast_mk_error(r, r->rep.padata, r->armor_crypto, @@ -2759,6 +2767,7 @@ out: r->server_princ, NULL, NULL, r->reply); + } if (r->pa_used && r->pa_used->cleanup) r->pa_used->cleanup(r); diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c index 39d42106e01e..06889f47120e 100644 --- a/third_party/heimdal/kdc/krb5tgs.c +++ b/third_party/heimdal/kdc/krb5tgs.c @@ -76,8 +76,7 @@ _kdc_synthetic_princ_used_p(krb5_context context, krb5_ticket *ticket) */ krb5_error_code -_kdc_check_pac(krb5_context context, - krb5_kdc_configuration *config, +_kdc_check_pac(astgs_request_t r, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, hdb_entry *client, @@ -92,6 +91,8 @@ _kdc_check_pac(krb5_context context, krb5_principal *pac_canon_name, uint64_t *pac_attributes) { + krb5_context context = r->context; + krb5_kdc_configuration *config = r->config; krb5_pac pac = NULL; krb5_error_code ret; krb5_boolean signedticket; @@ -139,7 +140,7 @@ _kdc_check_pac(krb5_context context, } /* Verify the KDC signatures. */ - ret = _kdc_pac_verify(context, config, + ret = _kdc_pac_verify(r, client_principal, delegated_proxy_principal, client, server, krbtgt, &pac); if (ret == 0) { @@ -1770,7 +1771,7 @@ server_lookup: } /* Verify the PAC of the TGT. */ - ret = _kdc_check_pac(context, config, user2user_princ, NULL, + ret = _kdc_check_pac(priv, user2user_princ, NULL, user2user_client, user2user_krbtgt, user2user_krbtgt, user2user_krbtgt, &uukey->key, &priv->ticket_key->key, &adtkt, &user2user_kdc_issued, &user2user_pac, NULL, NULL); @@ -1897,7 +1898,7 @@ server_lookup: flags &= ~HDB_F_SYNTHETIC_OK; priv->clientdb = clientdb; - ret = _kdc_check_pac(context, config, priv->client_princ, NULL, + ret = _kdc_check_pac(priv, priv->client_princ, NULL, priv->client, priv->server, priv->krbtgt, priv->krbtgt, &priv->ticket_key->key, &priv->ticket_key->key, tgt, @@ -2156,7 +2157,13 @@ _kdc_tgs_rep(astgs_request_t r) out: r->error_code = ret; - _kdc_audit_request(r); + { + krb5_error_code ret2 = _kdc_audit_request(r); + if (ret2) { + krb5_data_free(data); + ret = ret2; + } + } if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){ METHOD_DATA error_method = { 0, NULL }; @@ -2203,6 +2210,12 @@ out: krb5_free_ticket(r->context, r->armor_ticket); if (r->armor_server) _kdc_free_ent(r->context, r->armor_serverdb, r->armor_server); + if (r->explicit_armor_client) + _kdc_free_ent(r->context, + r->explicit_armor_clientdb, + r->explicit_armor_client); + if (r->explicit_armor_pac) + krb5_pac_free(r->context, r->explicit_armor_pac); krb5_free_keyblock_contents(r->context, &r->reply_key); krb5_free_keyblock_contents(r->context, &r->strengthen_key); diff --git a/third_party/heimdal/kdc/libkdc-exports.def b/third_party/heimdal/kdc/libkdc-exports.def index 3cc929e6025b..2c4564bcadcc 100644 --- a/third_party/heimdal/kdc/libkdc-exports.def +++ b/third_party/heimdal/kdc/libkdc-exports.def @@ -33,6 +33,9 @@ EXPORTS kdc_request_get_config kdc_request_get_cname kdc_request_get_error_code + kdc_request_get_explicit_armor_pac + kdc_request_get_explicit_armor_clientdb + kdc_request_get_explicit_armor_client kdc_request_get_from kdc_request_get_krbtgt kdc_request_get_krbtgtdb diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c index 9e67aad33193..fda5a37b1c6e 100644 --- a/third_party/heimdal/kdc/mssfu.c +++ b/third_party/heimdal/kdc/mssfu.c @@ -252,8 +252,7 @@ validate_protocol_transition(astgs_request_t r) if (ret) goto out; /* kdc_check_flags() calls kdc_audit_addreason() */ - ret = _kdc_pac_generate(r->context, - r->config, + ret = _kdc_pac_generate(r, s4u_client, r->server, NULL, @@ -473,7 +472,7 @@ validate_constrained_delegation(astgs_request_t r) * TODO: pass in t->sname and t->realm and build * a S4U_DELEGATION_INFO blob to the PAC. */ - ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name, + ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name, s4u_client, r->server, r->krbtgt, r->client, &clientkey->key, &r->ticket_key->key, &evidence_tkt, &ad_kdc_issued, &s4u_pac, diff --git a/third_party/heimdal/kdc/version-script.map b/third_party/heimdal/kdc/version-script.map index 9067bb6e43f4..72a21e629506 100644 --- a/third_party/heimdal/kdc/version-script.map +++ b/third_party/heimdal/kdc/version-script.map @@ -36,6 +36,9 @@ HEIMDAL_KDC_1.0 { kdc_request_get_config; kdc_request_get_cname; kdc_request_get_error_code; + kdc_request_get_explicit_armor_pac; + kdc_request_get_explicit_armor_clientdb; + kdc_request_get_explicit_armor_client; kdc_request_get_from; kdc_request_get_krbtgt; kdc_request_get_krbtgtdb; diff --git a/third_party/heimdal/lib/asn1/krb5.asn1 b/third_party/heimdal/lib/asn1/krb5.asn1 index 639ec5af2d25..d7ce6bd6333d 100644 --- a/third_party/heimdal/lib/asn1/krb5.asn1 +++ b/third_party/heimdal/lib/asn1/krb5.asn1 @@ -55,8 +55,12 @@ EXPORTS PA-ClientCanonicalizedNames, PA-DATA, PA-ENC-TS-ENC, + PA-KERB-KEY-LIST-REP, + PA-KERB-KEY-LIST-REQ, + PA-PAC-OPTIONS, PA-PAC-REQUEST, PA-S4U2Self, + PA-S4U-X509-USER, PA-SERVER-REFERRAL-DATA, PA-ServerReferralData, PA-SvrReferralData, @@ -80,6 +84,7 @@ EXPORTS KDCFastState, KDCFastCookie, KDC-PROXY-MESSAGE, + KERB-AD-RESTRICTION-ENTRY, KERB-TIMES, KERB-CRED, KERB-TGS-REQ-IN, @@ -190,7 +195,10 @@ PADATA-TYPE ::= INTEGER { KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u KRB5-PADATA-REQ-ENC-PA-REP(149), -- + KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE + KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE + KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth } @@ -217,7 +225,10 @@ AUTHDATA-TYPE ::= INTEGER { KRB5-AUTHDATA-SIGNTICKET-OLD(142), KRB5-AUTHDATA-SIGNTICKET(512), KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised - KRB5-AUTHDATA-AP-OPTIONS(143), + KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE + KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE + KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE + KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE -- N.B. these assignments have not been confirmed yet. -- -- DO NOT USE in production yet! @@ -592,6 +603,33 @@ PA-PAC-REQUEST ::= SEQUENCE { -- should be included or not } +-- MS-KILE/MS-SFU +PAC-OPTIONS-FLAGS ::= BIT STRING { + claims(0), + branch-aware(1), + forward-to-full-dc(2), + resource-based-constrained-delegation(3) +} + +-- MS-KILE +PA-PAC-OPTIONS ::= SEQUENCE { + flags [0] PAC-OPTIONS-FLAGS +} + +-- MS-KILE +-- captures show that [UNIVERSAL 16] is required to parse it +KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE { + restriction-type [0] Krb5Int32, + restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure +} + +-- MS-KILE Section 2.2.11 +PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE + +-- MS-KILE Section 2.2.12 + +PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType, + -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf PROV-SRV-LOCATION ::= GeneralString @@ -819,6 +857,20 @@ PA-S4U2Self ::= SEQUENCE { auth[3] GeneralString } +PA-S4U-X509-USER::= SEQUENCE { + user-id[0] S4UUserID, + checksum[1] Checksum +} + +S4UUserID ::= SEQUENCE { + nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY + cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints + crealm [2] Realm, + subject-certificate [3] OCTET STRING OPTIONAL, + options [4] BIT STRING OPTIONAL, + ... +} + AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD -- login-alias [0] PrincipalName, checksum [1] Checksum diff --git a/third_party/heimdal/lib/asn1/libasn1-exports.def b/third_party/heimdal/lib/asn1/libasn1-exports.def index 15d3a37bebaf..a7cb720bda3d 100644 --- a/third_party/heimdal/lib/asn1/libasn1-exports.def +++ b/third_party/heimdal/lib/asn1/libasn1-exports.def @@ -445,6 +445,7 @@ EXPORTS copy_KDC_REQ copy_KDC_REQ_BODY copy_KDFAlgorithmId + copy_KERB_AD_RESTRICTION_ENTRY copy_KERB_ARMOR_SERVICE_REPLY copy_KERB_CRED copy_KerberosString @@ -517,12 +518,16 @@ EXPORTS copy_PA_ENC_TS_ENC copy_PA_FX_FAST_REPLY copy_PA_FX_FAST_REQUEST + copy_PA_KERB_KEY_LIST_REP + copy_PA_KERB_KEY_LIST_REQ + copy_PA_PAC_OPTIONS copy_PA_PAC_REQUEST copy_PA_PK_AS_REP copy_PA_PK_AS_REP_BTMM copy_PA_PK_AS_REP_Win2k copy_PA_PK_AS_REQ copy_PA_PK_AS_REQ_Win2k + copy_PA_S4U_X509_USER copy_PA_S4U2Self copy_PA_SAM_CHALLENGE_2 copy_PA_SAM_CHALLENGE_2_BODY @@ -805,6 +810,7 @@ EXPORTS decode_KDC_REQ decode_KDC_REQ_BODY decode_KDFAlgorithmId + decode_KERB_AD_RESTRICTION_ENTRY decode_KERB_ARMOR_SERVICE_REPLY decode_KERB_CRED decode_KerberosString @@ -877,12 +883,16 @@ EXPORTS decode_PA_ENC_TS_ENC decode_PA_FX_FAST_REPLY decode_PA_FX_FAST_REQUEST + decode_PA_KERB_KEY_LIST_REP + decode_PA_KERB_KEY_LIST_REQ + decode_PA_PAC_OPTIONS decode_PA_PAC_REQUEST decode_PA_PK_AS_REP decode_PA_PK_AS_REP_BTMM decode_PA_PK_AS_REP_Win2k decode_PA_PK_AS_REQ decode_PA_PK_AS_REQ_Win2k + decode_PA_S4U_X509_USER decode_PA_S4U2Self decode_PA_SAM_CHALLENGE_2 decode_PA_SAM_CHALLENGE_2_BODY @@ -1311,6 +1321,7 @@ EXPORTS encode_KDC_REQ encode_KDC_REQ_BODY encode_KDFAlgorithmId + encode_KERB_AD_RESTRICTION_ENTRY encode_KERB_ARMOR_SERVICE_REPLY encode_KERB_CRED encode_KerberosString @@ -1383,12 +1394,16 @@ EXPORTS encode_PA_ENC_TS_ENC encode_PA_FX_FAST_REPLY encode_PA_FX_FAST_REQUEST + encode_PA_KERB_KEY_LIST_REP + encode_PA_KERB_KEY_LIST_REQ + encode_PA_PAC_OPTIONS encode_PA_PAC_REQUEST encode_PA_PK_AS_REP encode_PA_PK_AS_REP_BTMM encode_PA_PK_AS_REP_Win2k encode_PA_PK_AS_REQ encode_PA_PK_AS_REQ_Win2k + encode_PA_S4U_X509_USER encode_PA_S4U2Self encode_PA_SAM_CHALLENGE_2 encode_PA_SAM_CHALLENGE_2_BODY @@ -1672,6 +1687,7 @@ EXPORTS free_KDC_REQ free_KDC_REQ_BODY free_KDFAlgorithmId + free_KERB_AD_RESTRICTION_ENTRY free_KERB_ARMOR_SERVICE_REPLY free_KERB_CRED free_KerberosString @@ -1744,12 +1760,16 @@ EXPORTS free_PA_ENC_TS_ENC free_PA_FX_FAST_REPLY free_PA_FX_FAST_REQUEST + free_PA_KERB_KEY_LIST_REP + free_PA_KERB_KEY_LIST_REQ + free_PA_PAC_OPTIONS free_PA_PAC_REQUEST free_PA_PK_AS_REP free_PA_PK_AS_REP_BTMM free_PA_PK_AS_REP_Win2k free_PA_PK_AS_REQ free_PA_PK_AS_REQ_Win2k + free_PA_S4U_X509_USER free_PA_S4U2Self free_PA_SAM_CHALLENGE_2 free_PA_SAM_CHALLENGE_2_BODY @@ -2052,6 +2072,7 @@ EXPORTS length_KDC_REQ length_KDC_REQ_BODY length_KDFAlgorithmId + length_KERB_AD_RESTRICTION_ENTRY length_KERB_ARMOR_SERVICE_REPLY length_KERB_CRED length_KerberosString @@ -2124,12 +2145,16 @@ EXPORTS length_PA_ENC_TS_ENC length_PA_FX_FAST_REPLY length_PA_FX_FAST_REQUEST + length_PA_KERB_KEY_LIST_REP + length_PA_KERB_KEY_LIST_REQ + length_PA_PAC_OPTIONS length_PA_PAC_REQUEST length_PA_PK_AS_REP length_PA_PK_AS_REP_BTMM length_PA_PK_AS_REP_Win2k length_PA_PK_AS_REQ length_PA_PK_AS_REQ_Win2k + length_PA_S4U_X509_USER length_PA_S4U2Self length_PA_SAM_CHALLENGE_2 length_PA_SAM_CHALLENGE_2_BODY diff --git a/third_party/heimdal/lib/krb5/krb5.h b/third_party/heimdal/lib/krb5/krb5.h index e78edcac9af5..e4a9e7ec882c 100644 --- a/third_party/heimdal/lib/krb5/krb5.h +++ b/third_party/heimdal/lib/krb5/krb5.h @@ -275,6 +275,10 @@ typedef enum krb5_key_usage { KRB5_KU_PA_SERVER_REFERRAL = 26, /* Keyusage for the server referral in a TGS req */ KRB5_KU_SAM_ENC_NONCE_SAD = 27, + /* Defined in [MS-SFU] */ + KRB5_KU_PA_S4U_X509_USER_REQUEST = 26, + /* Defined in [MS-SFU] */ + KRB5_KU_PA_S4U_X509_USER_REPLY = 27, /* Encryption of the SAM-NONCE-OR-SAD field */ KRB5_KU_PA_PKINIT_KX = 44, /* Encryption type of the kdc session contribution in pk-init */ diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c index 2bdeae8ecd1d..a12c00d77328 100644 --- a/third_party/heimdal/lib/krb5/pac.c +++ b/third_party/heimdal/lib/krb5/pac.c @@ -383,7 +383,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p, size_t len, offset, header_end, old_end; uint32_t i; - assert(data->length > 0 && data->data != NULL); + assert(data->data != NULL); len = p->pac->numbuffers; diff --git a/third_party/heimdal/lib/krb5/principal.c b/third_party/heimdal/lib/krb5/principal.c index 6080e4623415..91743488d9fb 100644 --- a/third_party/heimdal/lib/krb5/principal.c +++ b/third_party/heimdal/lib/krb5/principal.c @@ -789,6 +789,9 @@ krb5_make_principal(krb5_context context, krb5_error_code ret; krb5_realm r = NULL; va_list ap; + + *principal = NULL; + if(realm == NULL) { ret = krb5_get_default_realm(context, &r); if(ret) @@ -943,7 +946,11 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc) { - krb5_principal p = malloc(sizeof(*p)); + krb5_principal p; + + *outprinc = NULL; + + p = malloc(sizeof(*p)); if (p == NULL) return krb5_enomem(context); if(copy_Principal(inprinc, p)) { diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c index 4fcf311fddfe..ff33b5f7262c 100644 --- a/third_party/heimdal/tests/plugin/kdc_test_plugin.c +++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c @@ -20,14 +20,14 @@ fini(void *ctx) static krb5_error_code KRB5_CALLCONV pac_generate(void *ctx, - krb5_context context, - krb5_kdc_configuration *config, + astgs_request_t r, hdb_entry *client, hdb_entry *server, const krb5_keyblock *pk_replykey, uint64_t pac_attributes, krb5_pac *pac) { + krb5_context context = kdc_request_get_context((kdc_request_t)r); krb5_error_code ret; krb5_data data; @@ -55,8 +55,7 @@ pac_generate(void *ctx, static krb5_error_code KRB5_CALLCONV pac_verify(void *ctx, - krb5_context context, - krb5_kdc_configuration *config, + astgs_request_t r, const krb5_principal new_ticket_client, const krb5_principal delegation_proxy, hdb_entry * client, @@ -64,6 +63,7 @@ pac_verify(void *ctx, hdb_entry * krbtgt, krb5_pac *pac) { + krb5_context context = kdc_request_get_context((kdc_request_t)r); krb5_error_code ret; krb5_data data; krb5_cksumtype cstype; -- 2.25.1 From 01d478a68221669094e74b3a9a8612d2e6ad7b0d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Feb 2022 21:31:52 +0100 Subject: [PATCH 2/3] s4:kdc: let pac functions in wdc-samba4.c take astgs_request_t NOTE: This commit finally works again! This aligns us with the following Heimdal change: commit 11d8a053f50c88256b4d49c7e482c2eb8f6bde33 Author: Stefan Metzmacher AuthorDate: Thu Feb 24 18:27:09 2022 +0100 Commit: Luke Howard CommitDate: Thu Mar 3 09:58:48 2022 +1100 kdc-plugin: also pass astgs_request_t to the pac related functions This is more consistent and allows the pac hooks to be more flexible. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher (cherry picked from commit 27ee5ad713b760e8226537d79c529ace1efb07bf) --- source4/kdc/wdc-samba4.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index dfca27175a21..7f99233440e7 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -36,14 +36,15 @@ * * For PKINIT we also get pk_reply_key and can add PAC_CREDENTIAL_INFO. */ -static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, - krb5_kdc_configuration *config, +static krb5_error_code samba_wdc_get_pac(void *priv, + astgs_request_t r, hdb_entry *client, hdb_entry *server, const krb5_keyblock *pk_reply_key, uint64_t pac_attributes, krb5_pac *pac) { + krb5_context context = kdc_request_get_context((kdc_request_t)r); TALLOC_CTX *mem_ctx; DATA_BLOB *logon_blob = NULL; DATA_BLOB *cred_ndr = NULL; @@ -663,8 +664,7 @@ out: /* Resign (and reform, including possibly new groups) a PAC */ -static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, - krb5_kdc_configuration *config, +static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, hdb_entry *client, @@ -672,6 +672,8 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, hdb_entry *krbtgt, krb5_pac *pac) { + krb5_context context = kdc_request_get_context((kdc_request_t)r); + krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r); struct samba_kdc_entry *krbtgt_skdc_entry = talloc_get_type_abort(krbtgt->context, struct samba_kdc_entry); -- 2.25.1 From 9c31948acd517de4135694b5a41b10a7360ebca6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 21 Feb 2022 10:29:12 +0100 Subject: [PATCH 3/3] s4:kdc: redirect pre-authentication failures to an RWDC The most important case is that we still have a previous password cached at the RODC and the inbound replication hasn't wiped the cache yet and we also haven't triggered a new replication yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be) --- selftest/knownfail | 1 - source4/dsdb/tests/python/rodc_rwdc.py | 3 +- source4/kdc/hdb-samba4.c | 93 +++++++------------------- 3 files changed, 24 insertions(+), 73 deletions(-) diff --git a/selftest/knownfail b/selftest/knownfail index 2a5287cba2df..7e897dd026d5 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -377,7 +377,6 @@ ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\) # We currently don't send referrals for LDAP modify of non-replicated attrs ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.* -^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos # NETLOGON is disabled in any non-DC environments ^samba.tests.netlogonsvc.python\(ad_member\) ^samba.tests.netlogonsvc.python\(simpleserver\) diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py index 74e0773abc37..beea26e8e1ae 100644 --- a/source4/dsdb/tests/python/rodc_rwdc.py +++ b/source4/dsdb/tests/python/rodc_rwdc.py @@ -1146,8 +1146,7 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase): creds2 = make_creds(username, password) self.try_ldap_logon(RWDC, creds2) - # We can forward WRONG_PASSWORD over NTLM. - # This SHOULD succeed. + # The RODC forward WRONG_PASSWORD to the RWDC self.try_ldap_logon(RODC, creds2) def test_change_password_reveal_on_demand_ntlm(self): diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 6e87345e2c31..3f573f297f89 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -466,60 +466,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx, irpc_handle, &req); } -static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx, - struct samba_kdc_db_context *kdc_db_ctx, - struct auth_usersupplied_info *user_info) -{ - struct dcerpc_binding_handle *irpc_handle; - struct winbind_SamLogon req; - struct netr_IdentityInfo *identity_info; - struct netr_NetworkInfo *network_info; - - irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx, - "winbind_server", - &ndr_table_winbind); - if (irpc_handle == NULL) { - DEBUG(0, ("Winbind forwarding for [%s]\\[%s] failed, " - "no winbind_server running!\n", - user_info->mapped.domain_name, user_info->mapped.account_name)); - return; - } - - network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo); - if (network_info == NULL) { - DEBUG(0, ("Winbind forwarding failed: No memory\n")); - return; - } - - identity_info = &network_info->identity_info; - req.in.logon_level = 2; - req.in.logon.network = network_info; - - identity_info->domain_name.string = user_info->mapped.domain_name; - identity_info->parameter_control = user_info->logon_parameters; /* TODO */ - identity_info->logon_id = user_info->logon_id; - identity_info->account_name.string = user_info->mapped.account_name; - identity_info->workstation.string - = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s", - tsocket_address_string(user_info->remote_host, - identity_info)); - if (identity_info->workstation.string == NULL) { - DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n")); - return; - } - - req.in.validation_level = 3; - - /* - * The memory in identity_info and user_info only needs to be - * valid until the end of this function call, as it will be - * pushed to NDR during this call - */ - - dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx, - irpc_handle, &req); -} - static krb5_error_code hdb_samba4_audit(krb5_context context, HDB *db, hdb_entry *entry, @@ -527,24 +473,18 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, { struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); - struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); uint64_t logon_id = generate_random_u64(); - heim_object_t auth_details_obj = NULL; const char *auth_details = NULL; - char *etype_str = NULL; - heim_object_t hdb_auth_status_obj = NULL; int hdb_auth_status; - heim_object_t pa_type_obj = NULL; const char *pa_type = NULL; - struct auth_usersupplied_info ui; - size_t sa_socklen = 0; + int final_ret = 0; hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT); if (hdb_auth_status_obj == NULL) { @@ -645,6 +585,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, const char *auth_description = NULL; NTSTATUS status; int ret; + bool rwdc_fallback = false; ret = tsocket_address_bsd_from_sockaddr(frame, r->addr, sa_socklen, @@ -677,34 +618,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) { authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); status = NT_STATUS_WRONG_PASSWORD; - /* - * TODO We currently send a bad password via NETLOGON, - * however, it should probably forward the ticket to - * another KDC to allow login after password changes. - */ - if (kdc_db_ctx->rodc) { - send_bad_password_netlogon(frame, kdc_db_ctx, &ui); - } + rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) { status = NT_STATUS_ACCOUNT_LOCKED_OUT; + rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) { if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) { status = NT_STATUS_PKINIT_NAME_MISMATCH; } else { status = NT_STATUS_ACCOUNT_RESTRICTION; } + rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) { if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) { status = NT_STATUS_PKINIT_FAILURE; } else { status = NT_STATUS_GENERIC_COMMAND_FAILED; } + rwdc_fallback = kdc_db_ctx->rodc; } else { DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n", hdb_auth_status); status = NT_STATUS_INTERNAL_ERROR; } + if (rwdc_fallback) { + /* + * Forward the request to an RWDC in order + * to give an authoritative answer to the client. + */ + auth_description = talloc_asprintf(frame, + "%s,Forward-To-RWDC", + ui.auth_description); + if (auth_description != NULL) { + ui.auth_description = auth_description; + } + final_ret = HDB_ERR_NOT_FOUND_HERE; + } + log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, &r->tv_start, @@ -736,6 +687,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, ui.auth_description = pa_type; + /* Note this is not forwarded to an RWDC */ + log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, &r->tv_start, @@ -750,7 +703,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, free(etype_str); - return 0; + return final_ret; } /* This interface is to be called by the KDC and libnet_keytab_dump, -- 2.25.1