[Patches] Fixes for machine password problems [bug #12262]

Stefan Metzmacher metze at samba.org
Tue Feb 21 14:43:36 UTC 2017


On 20.02.2017 at 20:08, Stefan Metzmacher wrote:
> Hi,
> 
> here are some patches to fix problems with the random passwords
> winbindd sets every week (by default).
> https://bugzilla.samba.org/show_bug.cgi?id=12262
> 
> In Samba 4.2 we only used ascii passwords, but with 4.3
> we're using random unicode passwords. This causes
> a lot of trouble if someone uses "unix charset != utf8".
> But also with unix charset = utf8 it can sometimes happen
> that Kerberos authentication starts to fail if
> the password uses code points > 0xffff.
> 
> Please review and push:-)
> 
> Thanks!
> metze
> 
> PS: As future improvement we could calculate the
> ENCTYPE_ARCFOUR_HMAC in smb_krb5_create_key_from_string()
> ourselves using E_md4hash().

Here's the patch :-)

Please review and push :-)

Thanks!
metze
-------------- next part --------------
From 82004e77bba3785f3ce37820626f3e9c7677a785 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Feb 2017 12:15:07 +0100
Subject: [PATCH] krb5_wrap: use our own code to calculate the
 ENCTYPE_ARCFOUR_HMAC key

Our own convert_string_talloc() function handles a wider range
of unicode code points than the MIT krb5 or heimdal code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 lib/krb5_wrap/krb5_samba.c | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index bb0b5df..0c98147 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "system/filesys.h"
 #include "krb5_samba.h"
+#include "lib/crypto/crypto.h"
 
 #ifdef HAVE_COM_ERR_H
 #include <com_err.h>
@@ -300,6 +301,42 @@ int smb_krb5_create_key_from_string(krb5_context context,
 		return -1;
 	}
 
+	if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+		TALLOC_CTX *frame = talloc_stackframe();
+		uint8_t *utf16 = NULL;
+		size_t utf16_size = 0;
+		uint8_t nt_hash[16];
+		bool ok;
+
+		ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+					   password->data, password->length,
+					   (void **)&utf16, &utf16_size);
+		if (!ok) {
+			if (errno == 0) {
+				errno = EINVAL;
+			}
+			ret = errno;
+			TALLOC_FREE(frame);
+			return ret;
+		}
+
+		mdfour(nt_hash, utf16, utf16_size);
+		memset(utf16, 0, utf16_size);
+		ret = smb_krb5_keyblock_init_contents(context,
+						      ENCTYPE_ARCFOUR_HMAC,
+						      nt_hash,
+						      sizeof(nt_hash),
+						      key);
+		ZERO_STRUCT(nt_hash);
+		if (ret != 0) {
+			TALLOC_FREE(frame);
+			return ret;
+		}
+
+		TALLOC_FREE(frame);
+		return 0;
+	}
+
 #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
 {/* MIT */
 	krb5_data _salt;
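Review bot: the memset() of utf16 immediately before TALLOC_FREE(frame) in the added ARCFOUR block can be elided by the compiler, because the buffer is never read again after it; since the intent is clearly to scrub the UTF-16 password from memory (the ZERO_STRUCT(nt_hash) that follows shows the same intent), use a zeroing helper the optimizer cannot remove. Also, the tail `if (ret != 0) { TALLOC_FREE(frame); return ret; }` followed by `TALLOC_FREE(frame); return 0;` collapses to a single `TALLOC_FREE(frame); return ret;`. Finally, a short comment above the `(int)enctype == (int)ENCTYPE_ARCFOUR_HMAC` check would help the next reader: say why RC4-HMAC is special-cased here (the key is MD4 over the UTF-16LE encoding of the password with no salt, and convert_string_talloc() handles code points above 0xffff that the library string-to-key code does not, per the commit message and bug 12262), and why the comparison needs the casts to int.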
-- 
1.9.1
