heimdal: remove KRB5_PADATA_CLIENT_CANONICALIZED handling

Stefan (metze) Metzmacher metze at samba.org
Thu Mar 12 02:39:06 MDT 2015


...and here are the patches...


Am 12.03.2015 um 09:26 schrieb Stefan (metze) Metzmacher:
> Hi Andrew,
> 
> here are some patches to remove the KRB5_PADATA_CLIENT_CANONICALIZED
> handling
> from heimdal. This PADATA type uses number 133, which is now assigned to
> PA-FX-COOKIE in rfc6113.
> 
> KRB5_PADATA_CLIENT_CANONICALIZED was specified in
> draft-ietf-krb-wg-kerberos-referrals-11.txt,
> but it was removed in the final rfc6806. The same protection can be achieved
> by using FAST (rfc6113).
> 
> I noticed that our KDC uses KRB5_PADATA_CLIENT_CANONICALIZED in its
> responses, while I improved the wireshark kerberos dissector.
> https://git.samba.org/?p=metze/wireshark/wip.git;a=shortlog;h=refs/heads/ws-metze-current
> has support for FAST (rfc6113) and a lot of other stuff from [MS-KILE],
> [MS-SFU] and [MS-PAC].
> 
> These patches are also part of my master4-forest-ok branch
> https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-forest-ok
> which Günther is currently reviewing.
> 
> metze
> 
-------------- next part --------------
From 855458a36d0a4dd4554ff616c44ce05fe9791390 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 12:38:55 +0100
Subject: [PATCH 1/3] heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED
 handling

This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/heimdal/lib/krb5/ticket.c | 81 ---------------------------------------
 1 file changed, 81 deletions(-)

diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c
index 09bff30..064bbfb 100644
--- a/source4/heimdal/lib/krb5/ticket.c
+++ b/source4/heimdal/lib/krb5/ticket.c
@@ -511,87 +511,6 @@ check_client_referral(krb5_context context,
 		      krb5_const_principal mapped,
 		      krb5_keyblock const * key)
 {
-    krb5_error_code ret;
-    PA_ClientCanonicalized canon;
-    krb5_crypto crypto;
-    krb5_data data;
-    PA_DATA *pa;
-    size_t len;
-    int i = 0;
-
-    if (rep->kdc_rep.padata == NULL)
-	goto noreferral;
-
-    pa = krb5_find_padata(rep->kdc_rep.padata->val,
-			  rep->kdc_rep.padata->len,
-			  KRB5_PADATA_CLIENT_CANONICALIZED, &i);
-    if (pa == NULL)
-	goto noreferral;
-
-    ret = decode_PA_ClientCanonicalized(pa->padata_value.data,
-					pa->padata_value.length,
-					&canon, &len);
-    if (ret) {
-	krb5_set_error_message(context, ret,
-			       N_("Failed to decode ClientCanonicalized "
-				  "from realm %s", ""), requested->realm);
-	return ret;
-    }
-
-    ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
-		       &canon.names, &len, ret);
-    if (ret) {
-	free_PA_ClientCanonicalized(&canon);
-	return ret;
-    }
-    if (data.length != len)
-	krb5_abortx(context, "internal asn.1 error");
-
-    ret = krb5_crypto_init(context, key, 0, &crypto);
-    if (ret) {
-	free(data.data);
-	free_PA_ClientCanonicalized(&canon);
-	return ret;
-    }
-
-    ret = krb5_verify_checksum(context, crypto, KRB5_KU_CANONICALIZED_NAMES,
-			       data.data, data.length,
-			       &canon.canon_checksum);
-    krb5_crypto_destroy(context, crypto);
-    free(data.data);
-    if (ret) {
-	krb5_set_error_message(context, ret,
-			       N_("Failed to verify client canonicalized "
-				  "data from realm %s", ""),
-			       requested->realm);
-	free_PA_ClientCanonicalized(&canon);
-	return ret;
-    }
-
-    if (!_krb5_principal_compare_PrincipalName(context,
-					       requested,
-					       &canon.names.requested_name))
-    {
-	free_PA_ClientCanonicalized(&canon);
-	krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
-			       N_("Requested name doesn't match"
-				  " in client referral", ""));
-	return KRB5_PRINC_NOMATCH;
-    }
-    if (!_krb5_principal_compare_PrincipalName(context,
-					       mapped,
-					       &canon.names.mapped_name))
-    {
-	free_PA_ClientCanonicalized(&canon);
-	krb5_set_error_message(context, KRB5_PRINC_NOMATCH,
-			       N_("Mapped name doesn't match"
-				  " in client referral", ""));
-	return KRB5_PRINC_NOMATCH;
-    }
-
-    return 0;
-
-noreferral:
     if (krb5_principal_compare(context, requested, mapped) == FALSE) {
 	krb5_set_error_message(context, KRB5KRB_AP_ERR_MODIFIED,
 			       N_("Not same client principal returned "
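Review bot: After the deletion, `rep` and `key` are no longer referenced anywhere in the visible body of check_client_referral, which now consists only of the `krb5_principal_compare` check that used to sit behind the `noreferral` label; the function's tail lies past the end of the hunk, so I cannot confirm it does not use them. Unless the tail does, the two parameters should either be dropped from the signature together with its callers, or explicitly voided with `(void)rep;` and `(void)key;` so that -Wunused-parameter stays clean. A short header comment would also help the next reader understand what check remains now that the checksum-backed referral evidence is gone: `/* Without PA-ClientCanonicalized there is no KDC-signed evidence that a cname change is a legitimate referral, so any difference between the requested and returned client principal is reported as KRB5KRB_AP_ERR_MODIFIED. */` The companion deletions in patch 2/3 (kerberos5.c) and 3/3 (krb5.asn1) do not leave a similar dangling parameter as far as their hunks show.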
-- 
1.9.1


From e201f69a197e216d461a5281c3098c6fb44971af Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 12:38:55 +0100
Subject: [PATCH 2/3] heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED
 handling

This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/heimdal/kdc/kerberos5.c | 52 -----------------------------------------
 1 file changed, 52 deletions(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index bab4b8c..cb97390 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1706,58 +1706,6 @@ _kdc_as_rep(krb5_context context,
     if (ret)
 	goto out;
 
-    /* Add signing of alias referral */
-    if (f.canonicalize) {
-	PA_ClientCanonicalized canon;
-	krb5_data data;
-	PA_DATA pa;
-	krb5_crypto cryptox;
-	size_t len = 0;
-
-	memset(&canon, 0, sizeof(canon));
-
-	canon.names.requested_name = *b->cname;
-	canon.names.mapped_name = client->entry.principal->name;
-
-	ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
-			   &canon.names, &len, ret);
-	if (ret)
-	    goto out;
-	if (data.length != len)
-	    krb5_abortx(context, "internal asn.1 error");
-
-	/* sign using "returned session key" */
-	ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
-	if (ret) {
-	    free(data.data);
-	    goto out;
-	}
-
-	ret = krb5_create_checksum(context, cryptox,
-				   KRB5_KU_CANONICALIZED_NAMES, 0,
-				   data.data, data.length,
-				   &canon.canon_checksum);
-	free(data.data);
-	krb5_crypto_destroy(context, cryptox);
-	if (ret)
-	    goto out;
-
-	ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
-			   &canon, &len, ret);
-	free_Checksum(&canon.canon_checksum);
-	if (ret)
-	    goto out;
-	if (data.length != len)
-	    krb5_abortx(context, "internal asn.1 error");
-
-	pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
-	pa.padata_value = data;
-	ret = add_METHOD_DATA(rep.padata, &pa);
-	free(data.data);
-	if (ret)
-	    goto out;
-    }
-
     if (rep.padata->len == 0) {
 	free(rep.padata);
 	rep.padata = NULL;
-- 
1.9.1


From 51f673940169e916bd3eebf8f4cfb86edc41924b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 10 Mar 2015 12:38:55 +0100
Subject: [PATCH 3/3] heimdal:krb5.asn1: remove
 KRB5_PADATA_CLIENT_CANONICALIZED handling

This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/heimdal/lib/asn1/krb5.asn1 | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/source4/heimdal/lib/asn1/krb5.asn1 b/source4/heimdal/lib/asn1/krb5.asn1
index 568fe0c..f3ae6bba 100644
--- a/source4/heimdal/lib/asn1/krb5.asn1
+++ b/source4/heimdal/lib/asn1/krb5.asn1
@@ -157,7 +157,6 @@ PADATA-TYPE ::= INTEGER {
 						-- tell KDC that is supports
 						-- the asCheckSum in the
 						--  PK-AS-REP
-	KRB5-PADATA-CLIENT-CANONICALIZED(133),	-- referals
 	KRB5-PADATA-FX-COOKIE(133),		-- krb-wg-preauth-framework
 	KRB5-PADATA-AUTHENTICATION-SET(134),	-- krb-wg-preauth-framework
 	KRB5-PADATA-AUTH-SET-SELECTED(135),	-- krb-wg-preauth-framework
@@ -732,16 +731,6 @@ KRB5SignedPath ::= SEQUENCE {
 	method_data[3]  METHOD-DATA OPTIONAL
 }
 
-PA-ClientCanonicalizedNames ::= SEQUENCE{
-	requested-name	[0] PrincipalName,
-	mapped-name	[1] PrincipalName
-}
-
-PA-ClientCanonicalized ::= SEQUENCE {
-	names		[0] PA-ClientCanonicalizedNames,
-	canon-checksum	[1] Checksum
-}
-
 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
 	login-alias	[0] PrincipalName,
 	checksum	[1] Checksum
-- 
1.9.1

