614 lines
24 KiB
Diff
614 lines
24 KiB
Diff
From d8c48f3773d72a5e36bb46a1c09ba11fc64ae38d Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Wed, 6 Nov 2019 09:17:52 +0100
|
|
Subject: [PATCH 01/10] selftest/remote_pac: remove
|
|
test_PACVerify_workstation_des
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source4/torture/rpc/remote_pac.c | 37 --------------------------------
|
|
1 file changed, 37 deletions(-)
|
|
|
|
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
|
|
index 7a5cda74b74..f12060e3c8f 100644
|
|
--- a/source4/torture/rpc/remote_pac.c
|
|
+++ b/source4/torture/rpc/remote_pac.c
|
|
@@ -38,7 +38,6 @@
|
|
|
|
#define TEST_MACHINE_NAME_BDC "torturepacbdc"
|
|
#define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
|
|
-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes"
|
|
#define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
|
|
#define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
|
|
|
|
@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
|
|
NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
|
|
}
|
|
|
|
-static bool test_PACVerify_workstation_des(struct torture_context *tctx,
|
|
- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx)
|
|
-{
|
|
- struct samr_SetUserInfo r;
|
|
- union samr_UserInfo user_info;
|
|
- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
|
|
- struct smb_krb5_context *smb_krb5_context;
|
|
- krb5_error_code ret;
|
|
-
|
|
- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(),
|
|
- tctx->lp_ctx, &smb_krb5_context);
|
|
- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed");
|
|
-
|
|
- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) {
|
|
- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes");
|
|
- }
|
|
-
|
|
- /* Mark this workstation with DES-only */
|
|
- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST;
|
|
- r.in.user_handle = torture_join_samr_user_policy(join_ctx);
|
|
- r.in.level = 16;
|
|
- r.in.info = &user_info;
|
|
-
|
|
- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
|
|
- "failed to set DES info account flags");
|
|
- torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
- "failed to set DES into account flags");
|
|
-
|
|
- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
|
|
- TEST_MACHINE_NAME_WKSTA_DES,
|
|
- NETLOGON_NEG_AUTH2_ADS_FLAGS);
|
|
-}
|
|
-
|
|
#ifdef SAMBA4_USES_HEIMDAL
|
|
static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
|
|
uint16_t validation_level,
|
|
@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
|
|
&ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
|
|
torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
|
|
|
|
- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
|
|
- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
|
|
- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
|
|
#ifdef SAMBA4_USES_HEIMDAL
|
|
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
|
|
&ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From c19bef15eba2f8436d3ffafae5e640c6581fdb81 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 31 Oct 2019 19:41:46 +0100
|
|
Subject: [PATCH 02/10] selftest: exclude msDS-SupportedEncryptionType in
|
|
ldapcmp
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Pair-Programmed-With: Alexander Bokovoy <ab@samba.org>
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
testprogs/blackbox/dbcheck-oldrelease.sh | 2 +-
|
|
testprogs/blackbox/functionalprep.sh | 2 +-
|
|
testprogs/blackbox/upgradeprovision-oldrelease.sh | 2 +-
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
|
|
index 3d0ee2c165a..41c55178d4e 100755
|
|
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
|
|
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
|
|
@@ -388,7 +388,7 @@ referenceprovision() {
|
|
|
|
ldapcmp() {
|
|
if [ x$RELEASE = x"release-4-0-0" ]; then
|
|
- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
|
|
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
|
|
fi
|
|
}
|
|
|
|
diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh
|
|
index 80e82252d45..1d37611ef7a 100755
|
|
--- a/testprogs/blackbox/functionalprep.sh
|
|
+++ b/testprogs/blackbox/functionalprep.sh
|
|
@@ -61,7 +61,7 @@ provision_2012r2() {
|
|
ldapcmp_ignore() {
|
|
# At some point we will need to ignore, but right now, it should be perfect
|
|
IGNORE_ATTRS=$1
|
|
- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn
|
|
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes
|
|
}
|
|
|
|
ldapcmp() {
|
|
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
|
|
index 76276168011..208baa54a02 100755
|
|
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
|
|
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
|
|
@@ -106,7 +106,7 @@ referenceprovision() {
|
|
|
|
ldapcmp() {
|
|
if [ x$RELEASE != x"alpha13" ]; then
|
|
- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
|
|
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
|
|
fi
|
|
}
|
|
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From afb8e18c42122841111b6077bb26bd5dd95e5c55 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 24 Oct 2019 12:20:05 +0300
|
|
Subject: [PATCH 03/10] kerberos: remove single DES enctypes from ENC_ALL_TYPES
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source4/auth/kerberos/kerberos.h | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
|
|
index 2ff9e3868af..1dd63acc838 100644
|
|
--- a/source4/auth/kerberos/kerberos.h
|
|
+++ b/source4/auth/kerberos/kerberos.h
|
|
@@ -50,7 +50,7 @@ struct keytab_container {
|
|
#define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01")
|
|
#define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01")
|
|
|
|
-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \
|
|
+#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \
|
|
ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
|
|
|
|
#ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 4747d04bd8c9d694b613cdec92640312208aee9d Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 24 Oct 2019 18:53:34 +0300
|
|
Subject: [PATCH 04/10] kdc/db-glue: do not fetch single DES keys from db
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source4/kdc/db-glue.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
|
index f62a633c6c7..023ae7b580d 100644
|
|
--- a/source4/kdc/db-glue.c
|
|
+++ b/source4/kdc/db-glue.c
|
|
@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
|
|
|
|
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
|
|
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
|
|
- supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
|
|
+ supported_enctypes = 0;
|
|
} else {
|
|
/* Otherwise, add in the default enc types */
|
|
- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
|
|
+ supported_enctypes |= ENC_RC4_HMAC_MD5;
|
|
}
|
|
|
|
/* Is this the krbtgt or a RODC krbtgt */
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 5c460fe678eb5db9f0f2eed67a6be8c07ca8d53c Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 24 Oct 2019 18:32:37 +0300
|
|
Subject: [PATCH 05/10] password_hash: do not generate single DES keys
|
|
|
|
Per RFC-6649 single DES enctypes should not be used.
|
|
|
|
MIT has retired single DES encryption types, see:
|
|
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html
|
|
|
|
As a workaround, store random keys instead, making the usage of signle DES
|
|
encryption types virtually impossible.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
.../dsdb/samdb/ldb_modules/password_hash.c | 49 +++----------------
|
|
1 file changed, 7 insertions(+), 42 deletions(-)
|
|
|
|
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
|
|
index 006e35c46d5..ffd48da616e 100644
|
|
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
|
|
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
|
|
@@ -783,56 +783,21 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
|
|
}
|
|
|
|
/*
|
|
- * create ENCTYPE_DES_CBC_MD5 key out of
|
|
- * the salt and the cleartext password
|
|
+ * As per RFC-6649 single DES encryption types are no longer considered
|
|
+ * secure to be used in Kerberos, we store random keys instead of the
|
|
+ * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys.
|
|
*/
|
|
- krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
|
|
- NULL,
|
|
- &salt,
|
|
- &cleartext_data,
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- &key);
|
|
- if (krb5_ret) {
|
|
- ldb_asprintf_errstring(ldb,
|
|
- "setup_kerberos_keys: "
|
|
- "generation of a des-cbc-md5 key failed: %s",
|
|
- smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
|
|
- krb5_ret, io->ac));
|
|
- return LDB_ERR_OPERATIONS_ERROR;
|
|
- }
|
|
- io->g.des_md5 = data_blob_talloc(io->ac,
|
|
- KRB5_KEY_DATA(&key),
|
|
- KRB5_KEY_LENGTH(&key));
|
|
- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
|
|
+ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
|
|
if (!io->g.des_md5.data) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
+ generate_secret_buffer(io->g.des_md5.data, 8);
|
|
|
|
- /*
|
|
- * create ENCTYPE_DES_CBC_CRC key out of
|
|
- * the salt and the cleartext password
|
|
- */
|
|
- krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
|
|
- NULL,
|
|
- &salt,
|
|
- &cleartext_data,
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- &key);
|
|
- if (krb5_ret) {
|
|
- ldb_asprintf_errstring(ldb,
|
|
- "setup_kerberos_keys: "
|
|
- "generation of a des-cbc-crc key failed: %s",
|
|
- smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
|
|
- krb5_ret, io->ac));
|
|
- return LDB_ERR_OPERATIONS_ERROR;
|
|
- }
|
|
- io->g.des_crc = data_blob_talloc(io->ac,
|
|
- KRB5_KEY_DATA(&key),
|
|
- KRB5_KEY_LENGTH(&key));
|
|
- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
|
|
+ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
|
|
if (!io->g.des_crc.data) {
|
|
return ldb_oom(ldb);
|
|
}
|
|
+ generate_secret_buffer(io->g.des_crc.data, 8);
|
|
|
|
return LDB_SUCCESS;
|
|
}
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 000abe4e405ce5fa4eae6235335bfca2a8152e3c Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Thu, 24 Oct 2019 19:04:51 +0300
|
|
Subject: [PATCH 06/10] kerberos_keytab: do not add single DES keys to keytab
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source3/libads/kerberos_keytab.c | 2 --
|
|
testprogs/blackbox/test_export_keytab_heimdal.sh | 16 ++++++++--------
|
|
2 files changed, 8 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
|
index 97d5535041c..7d193e1a600 100644
|
|
--- a/source3/libads/kerberos_keytab.c
|
|
+++ b/source3/libads/kerberos_keytab.c
|
|
@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
krb5_data password;
|
|
krb5_kvno kvno;
|
|
krb5_enctype enctypes[6] = {
|
|
- ENCTYPE_DES_CBC_CRC,
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
|
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
#endif
|
|
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
|
|
index cfa245fd4de..6a2595cd684 100755
|
|
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
|
|
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
|
|
@@ -43,7 +43,7 @@ test_keytab() {
|
|
|
|
echo "test: $testname"
|
|
|
|
- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour")
|
|
+ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour")
|
|
status=$?
|
|
if [ x$status != x0 ]; then
|
|
echo "failure: $testname"
|
|
@@ -64,22 +64,22 @@ unc="//$SERVER/tmp"
|
|
testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
|
|
|
|
testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
|
|
-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
|
|
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
|
|
testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
|
|
-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
|
|
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
|
|
|
|
testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
|
|
-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
|
|
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
|
|
testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
|
|
-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
|
|
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
|
|
|
|
testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
|
|
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
|
|
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
|
|
testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
|
|
-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
|
|
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
|
|
|
|
testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1`
|
|
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5
|
|
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3
|
|
|
|
KRB5CCNAME="$PREFIX/tmpuserccache"
|
|
export KRB5CCNAME
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 4e96a263c2c038bc4c835b78161623cc4d050c61 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Mon, 16 Sep 2019 15:17:08 +0300
|
|
Subject: [PATCH 07/10] machine_account_secrets: do not generate single DES
|
|
keys
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source3/passdb/machine_account_secrets.c | 36 ------------------------
|
|
1 file changed, 36 deletions(-)
|
|
|
|
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
|
|
index dfc21f295a1..efba80f1474 100644
|
|
--- a/source3/passdb/machine_account_secrets.c
|
|
+++ b/source3/passdb/machine_account_secrets.c
|
|
@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
|
|
krb5_keyblock key;
|
|
DATA_BLOB aes_256_b = data_blob_null;
|
|
DATA_BLOB aes_128_b = data_blob_null;
|
|
- DATA_BLOB des_md5_b = data_blob_null;
|
|
bool ok;
|
|
#endif /* HAVE_ADS */
|
|
DATA_BLOB arc4_b = data_blob_null;
|
|
@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
|
|
return ENOMEM;
|
|
}
|
|
|
|
- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
|
|
- NULL,
|
|
- &salt,
|
|
- &cleartext_utf8,
|
|
- ENCTYPE_DES_CBC_MD5,
|
|
- &key);
|
|
- if (krb5_ret != 0) {
|
|
- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
|
|
- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
|
|
- krb5_free_context(krb5_ctx);
|
|
- TALLOC_FREE(keys);
|
|
- TALLOC_FREE(salt_data);
|
|
- return krb5_ret;
|
|
- }
|
|
- des_md5_b = data_blob_talloc(keys,
|
|
- KRB5_KEY_DATA(&key),
|
|
- KRB5_KEY_LENGTH(&key));
|
|
- krb5_free_keyblock_contents(krb5_ctx, &key);
|
|
- if (des_md5_b.data == NULL) {
|
|
- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
|
|
- krb5_free_context(krb5_ctx);
|
|
- TALLOC_FREE(keys);
|
|
- TALLOC_FREE(salt_data);
|
|
- return ENOMEM;
|
|
- }
|
|
-
|
|
krb5_free_context(krb5_ctx);
|
|
no_kerberos:
|
|
|
|
@@ -1227,15 +1200,6 @@ no_kerberos:
|
|
keys[idx].value = arc4_b;
|
|
idx += 1;
|
|
|
|
-#ifdef HAVE_ADS
|
|
- if (des_md5_b.length != 0) {
|
|
- keys[idx].keytype = ENCTYPE_DES_CBC_MD5;
|
|
- keys[idx].iteration_count = 4096;
|
|
- keys[idx].value = des_md5_b;
|
|
- idx += 1;
|
|
- }
|
|
-#endif /* HAVE_ADS */
|
|
-
|
|
p->salt_data = salt_data;
|
|
p->default_iteration_count = 4096;
|
|
p->num_keys = idx;
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 79fce8cfb906ca8b5bfa5f1954bf81ff950c3d23 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Tue, 12 Nov 2019 12:00:34 +0100
|
|
Subject: [PATCH 08/10] selftest: mitm-s4u2self: use zlib for CRC32_checksum
|
|
calc
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source4/torture/krb5/kdc-canon-heimdal.c | 19 +++++++++++++------
|
|
1 file changed, 13 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
|
|
index ee3045181dc..7dec67bc49b 100644
|
|
--- a/source4/torture/krb5/kdc-canon-heimdal.c
|
|
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
|
|
@@ -33,6 +33,7 @@
|
|
#include "auth/auth_sam_reply.h"
|
|
#include "auth/gensec/gensec.h"
|
|
#include "param/param.h"
|
|
+#include "zlib.h"
|
|
|
|
#define TEST_CANONICALIZE 0x0000001
|
|
#define TEST_ENTERPRISE 0x0000002
|
|
@@ -214,6 +215,17 @@ static bool test_accept_ticket(struct torture_context *tctx,
|
|
return true;
|
|
}
|
|
|
|
+static void
|
|
+zCRC32_checksum(const void *data,
|
|
+ size_t len,
|
|
+ Checksum *C)
|
|
+{
|
|
+ uint32_t *crc = C->checksum.data;
|
|
+ *crc = ~(crc32(0xffffffff, data, len));
|
|
+ C->checksum.length = 4;
|
|
+ C->cksumtype = 1;
|
|
+}
|
|
+
|
|
krb5_error_code
|
|
_krb5_s4u2self_to_checksumdata(krb5_context context,
|
|
const PA_S4U2Self *self,
|
|
@@ -252,11 +264,7 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context,
|
|
torture_assert_int_equal(test_context->tctx,
|
|
_krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data),
|
|
0, "_krb5_s4u2self_to_checksumdata() failed");
|
|
- torture_assert_int_equal(test_context->tctx,
|
|
- krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM,
|
|
- CKSUMTYPE_CRC32, cksum_data.data,
|
|
- cksum_data.length, &mod_self.cksum),
|
|
- 0, "krb5_create_checksum() failed");
|
|
+ zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum);
|
|
|
|
ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length,
|
|
&mod_self, &used, ret);
|
|
@@ -270,7 +278,6 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context,
|
|
|
|
free_PA_S4U2Self(&self);
|
|
krb5_data_free(&cksum_data);
|
|
- free_Checksum(&mod_self.cksum);
|
|
|
|
return true;
|
|
}
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 1a658936884a9a18616fcb1d13b8f9b6be587322 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Sat, 16 Nov 2019 22:46:19 +0100
|
|
Subject: [PATCH 09/10] selftest: allow any kdc error in mitm-s4u2self test
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source4/torture/krb5/kdc-canon-heimdal.c | 14 ++++++--------
|
|
1 file changed, 6 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
|
|
index 7dec67bc49b..5315afa9252 100644
|
|
--- a/source4/torture/krb5/kdc-canon-heimdal.c
|
|
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
|
|
@@ -737,13 +737,12 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex
|
|
error.pvno, 5,
|
|
"Got wrong error.pvno");
|
|
expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE;
|
|
- if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) {
|
|
- expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE;
|
|
+ if (!test_context->test_data->mitm_s4u2self) {
|
|
+ torture_assert_int_equal(test_context->tctx,
|
|
+ error.error_code,
|
|
+ expected_error,
|
|
+ "Got wrong error.error_code");
|
|
}
|
|
- torture_assert_int_equal(test_context->tctx,
|
|
- error.error_code,
|
|
- expected_error,
|
|
- "Got wrong error.error_code");
|
|
} else {
|
|
torture_assert_int_equal(test_context->tctx,
|
|
decode_TGS_REP(recv_buf->data, recv_buf->length,
|
|
@@ -2090,8 +2089,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
|
|
|| test_data->upn == false)) {
|
|
|
|
if (test_data->mitm_s4u2self) {
|
|
- torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM,
|
|
- assertion_message);
|
|
+ torture_assert_int_not_equal(tctx, k5ret, 0, assertion_message);
|
|
/* Done testing mitm-s4u2self */
|
|
return true;
|
|
}
|
|
--
|
|
2.24.1
|
|
|
|
|
|
From 80ebb75804312a848df4cf5ab883291eaf816130 Mon Sep 17 00:00:00 2001
|
|
From: Isaac Boukris <iboukris@gmail.com>
|
|
Date: Sat, 16 Nov 2019 23:03:34 +0100
|
|
Subject: [PATCH 10/10] heimdal: do not compile weak crypto
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202
|
|
|
|
Signed-off-by: Isaac Boukris <iboukris@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
selftest/target/Samba.pm | 1 -
|
|
source4/heimdal_build/roken.h | 3 ---
|
|
2 files changed, 4 deletions(-)
|
|
|
|
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
|
|
index c30f6fe33ce..3f5ac64c8c2 100644
|
|
--- a/selftest/target/Samba.pm
|
|
+++ b/selftest/target/Samba.pm
|
|
@@ -261,7 +261,6 @@ sub mk_krb5_conf($$)
|
|
dns_lookup_kdc = true
|
|
ticket_lifetime = 24h
|
|
forwardable = yes
|
|
- allow_weak_crypto = yes
|
|
|
|
# We are running on the same machine, do not correct
|
|
# system clock differences
|
|
diff --git a/source4/heimdal_build/roken.h b/source4/heimdal_build/roken.h
|
|
index 9752c04a741..559021c0a0e 100644
|
|
--- a/source4/heimdal_build/roken.h
|
|
+++ b/source4/heimdal_build/roken.h
|
|
@@ -6,9 +6,6 @@
|
|
|
|
#include "config.h"
|
|
|
|
-/* Support 'weak' keys for now, it can't be worse than NTLM and we don't want to hard-code the behaviour at this point */
|
|
-#define HEIM_WEAK_CRYPTO 1
|
|
-
|
|
/* path to sysconf - should we force this to samba LIBDIR ? */
|
|
#define SYSCONFDIR "/etc"
|
|
|
|
--
|
|
2.24.1
|
|
|