heimdal: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
Stefan (metze) Metzmacher
metze at samba.org
Thu Mar 12 02:39:06 MDT 2015
...and here are the patches...
Am 12.03.2015 um 09:26 schrieb Stefan (metze) Metzmacher:
> Hi Andrew,
>
> here are some patches to remove the KRB5_PADATA_CLIENT_CANONICALIZED
> handling
> from heimdal. This PADATA types uses number 133 which is now assigned to
> PA-FX-COOKIE in rfc6113.
>
> KRB5_PADATA_CLIENT_CANONICALIZED was specified in
> draft-ietf-krb-wg-kerberos-referrals-11.txt,
> but it was removed in the final rfc6806. The same protection can be achieved
> by using FAST (rfc6113).
>
> I noticed that our KDC uses KRB5_PADATA_CLIENT_CANONICALIZED in its
> responses, while I improved the wireshark kerberos dissector.
> https://git.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-current
> has support for FAST (rfc6113) and a lot of other stuff from [MS-KILE],
> [MS-SFU] and [MS-PAC].
>
> These patches are also part of my master4-forest-ok branch
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> which Günther is currently reviewing.
>
> metze
>
-------------- next part --------------
From 855458a36d0a4dd4554ff616c44ce05fe9791390 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 12:38:55 +0100
Subject: [PATCH 1/3] heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED
handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/heimdal/lib/krb5/ticket.c | 81 ---------------------------------------
1 file changed, 81 deletions(-)
diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 09bff30..064bbfb 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -511,87 +511,6 @@ check_client_referral(krb5_context context,
krb5_const_principal mapped,
krb5_keyblock const * key)
{
- krb5_error_code ret;
- PA_ClientCanonicalized canon;
- krb5_crypto crypto;
- krb5_data data;
- PA_DATA *pa;
- size_t len;
- int i = 0;
-
- if (rep->kdc_rep.padata == NULL)
- goto noreferral;
-
- pa = krb5_find_padata(rep->kdc_rep.padata->val,
- rep->kdc_rep.padata->len,
- KRB5_PADATA_CLIENT_CANONICALIZED, &i);
- if (pa == NULL)
- goto noreferral;
-
- ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
- pa->padata_value.length,
- &canon, &len);
- if (ret) {
- krb5_set_error_message(context, ret,
- N_("Failed to decode ClientCanonicalized "
- "from realm %s", ""), requested->realm);
- return ret;
- }
-
- ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
- &canon.names, &len, ret);
- if (ret) {
- free_PA_ClientCanonicalized(&canon);
- return ret;
- }
- if (data.length != len)
- krb5_abortx(context, "internal asn.1 error");
-
- ret = krb5_crypto_init(context, key, 0, &crypto);
- if (ret) {
- free(data.data);
- free_PA_ClientCanonicalized(&canon);
- return ret;
- }
-
- ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
- data.data, data.length,
- &canon.canon_checksum);
- krb5_crypto_destroy(context, crypto);
- free(data.data);
- if (ret) {
- krb5_set_error_message(context, ret,
- N_("Failed to verify client canonicalized "
- "data from realm %s", ""),
- requested->realm);
- free_PA_ClientCanonicalized(&canon);
- return ret;
- }
-
- if (!_krb5_principal_compare_PrincipalName(context,
- requested,
- &canon.names.requested_name))
- {
- free_PA_ClientCanonicalized(&canon);
- krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
- N_("Requested name doesn't match"
- " in client referral", ""));
- return KRB5_PRINC_NOMATCH;
- }
- if (!_krb5_principal_compare_PrincipalName(context,
- mapped,
- &canon.names.mapped_name))
- {
- free_PA_ClientCanonicalized(&canon);
- krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
- N_("Mapped name doesn't match"
- " in client referral", ""));
- return KRB5_PRINC_NOMATCH;
- }
-
- return 0;
-
-noreferral:
if (krb5_principal_compare(context, requested, mapped) == FALSE) {
krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
N_("Not same client principal returned "
--
1.9.1
From e201f69a197e216d461a5281c3098c6fb44971af Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 12:38:55 +0100
Subject: [PATCH 2/3] heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED
handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/heimdal/kdc/kerberos5.c | 52 -----------------------------------------
1 file changed, 52 deletions(-)
diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index bab4b8c..cb97390 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1706,58 +1706,6 @@ _kdc_as_rep(krb5_context context,
if (ret)
goto out;
- /* Add signing of alias referral */
- if (f.canonicalize) {
- PA_ClientCanonicalized canon;
- krb5_data data;
- PA_DATA pa;
- krb5_crypto cryptox;
- size_t len = 0;
-
- memset(&canon, 0, sizeof(canon));
-
- canon.names.requested_name = *b->cname;
- canon.names.mapped_name = client->entry.principal->name;
-
- ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
- &canon.names, &len, ret);
- if (ret)
- goto out;
- if (data.length != len)
- krb5_abortx(context, "internal asn.1 error");
-
- /* sign using "returned session key" */
- ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
- if (ret) {
- free(data.data);
- goto out;
- }
-
- ret = krb5_create_checksum(context, cryptox,
- KRB5_KU_CANONICALIZED_NAMES, 0,
- data.data, data.length,
- &canon.canon_checksum);
- free(data.data);
- krb5_crypto_destroy(context, cryptox);
- if (ret)
- goto out;
-
- ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
- &canon, &len, ret);
- free_Checksum(&canon.canon_checksum);
- if (ret)
- goto out;
- if (data.length != len)
- krb5_abortx(context, "internal asn.1 error");
-
- pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
- pa.padata_value = data;
- ret = add_METHOD_DATA(rep.padata, &pa);
- free(data.data);
- if (ret)
- goto out;
- }
-
if (rep.padata->len == 0) {
free(rep.padata);
rep.padata = NULL;
--
1.9.1
From 51f673940169e916bd3eebf8f4cfb86edc41924b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 12:38:55 +0100
Subject: [PATCH 3/3] heimdal:krb5.asn1: remove
KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/heimdal/lib/asn1/krb5.asn1 | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/source4/heimdal/lib/asn1/krb5.asn1 b/source4/heimdal/lib/asn1/krb5.asn1
index 568fe0c..f3ae6bba 100644
--- a/source4/heimdal/lib/asn1/krb5.asn1
+++ b/source4/heimdal/lib/asn1/krb5.asn1
@@ -157,7 +157,6 @@ PADATA-TYPE ::= INTEGER {
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
- KRB5-PADATA-CLIENT-CANONICALIZED(133), -- referals
KRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework
KRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework
KRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework
@@ -732,16 +731,6 @@ KRB5SignedPath ::= SEQUENCE {
method_data[3] METHOD-DATA OPTIONAL
}
-PA-ClientCanonicalizedNames ::= SEQUENCE{
- requested-name [0] PrincipalName,
- mapped-name [1] PrincipalName
-}
-
-PA-ClientCanonicalized ::= SEQUENCE {
- names [0] PA-ClientCanonicalizedNames,
- canon-checksum [1] Checksum
-}
-
AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
login-alias [0] PrincipalName,
checksum [1] Checksum
--
1.9.1