Commit 6095a4f0 authored by Isaac Boukris, committed by Andrew Bartlett

kdc: allow checksum of PA-FOR-USER to be HMAC_MD5

even if the tgt session key uses different hmac.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is
always HMAC_MD5, and that's what the Windows 7 client
and MIT client send.

In Heimdal both the client and KDC use the checksum of
the tgt key instead and therefore work with each other,
but Windows and MIT clients fail against a Heimdal KDC.

Windows KDC allows either checksum (HMAC_MD5 or from
tgt) so we should do the same to support all clients.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 11 02:48:58 UTC 2020 on sn-devel-184
parent c8080bbd
......@@ -393,5 +393,3 @@
^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
# Fixed upstream heimdal in PR #439
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum
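Review bot: dropping the knownfail line for test_s4u2self_hmac_md5_checksum together with its "Fixed upstream heimdal in PR #439" comment means that test must now pass on this tree, yet the commit message does not mention the knownfail removal or PR #439; please add both so the link between the test and the KDC change is recorded, and confirm the KDC hunk matches what was merged upstream under that PR rather than a local variant.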
......@@ -1946,12 +1946,29 @@ server_lookup:
goto out;
}
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
datack.data,
datack.length,
&self.cksum);
/* Allow HMAC_MD5 checksum with any key type */
if (self.cksum.cksumtype == CKSUMTYPE_HMAC_MD5) {
unsigned char csdata[16];
Checksum cs;
cs.checksum.length = sizeof(csdata);
cs.checksum.data = &csdata;
ret = _krb5_HMAC_MD5_checksum(context, &crypto->key,
datack.data, datack.length,
KRB5_KU_OTHER_CKSUM, &cs);
if (ret == 0 &&
krb5_data_ct_cmp(&cs.checksum, &self.cksum.checksum) != 0)
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
}
else {
ret = krb5_verify_checksum(context,
crypto,
KRB5_KU_OTHER_CKSUM,
datack.data,
datack.length,
&self.cksum);
}
krb5_data_free(&datack);
krb5_crypto_destroy(context, crypto);
if (ret) {
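Review bot: `cs.checksum.data = &csdata;` stores the address of the array (type unsigned char (*)[16]) where a pointer to its first element is meant; it converts to the void * member without a diagnostic, but `cs.checksum.data = csdata;` says what is intended. `cs` is also only partially initialised (`cs.cksumtype` is never set), so start with `Checksum cs = { 0 };` or set `cs.cksumtype = CKSUMTYPE_HMAC_MD5;` before the call. Since the HMAC_MD5 branch bypasses krb5_verify_checksum, the branch now owns every check that function performed: keying the HMAC with `crypto->key` keeps the checksum keyed, and `krb5_data_ct_cmp` is the right constant-time comparison, but confirm it rejects a `self.cksum.checksum` whose length is not 16 rather than comparing only a prefix, otherwise a short client checksum could be accepted against the computed 16-byte value.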
......
......@@ -764,6 +764,7 @@ HEIMDAL_KRB5_2.0 {
_krb5_principalname2krb5_principal;
_krb5_put_int;
_krb5_s4u2self_to_checksumdata;
_krb5_HMAC_MD5_checksum;
# kinit helper
krb5_get_init_creds_opt_set_pkinit_user_certs;
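Review bot: exporting `_krb5_HMAC_MD5_checksum` from HEIMDAL_KRB5_2.0 turns an underscore-prefixed private symbol into part of the library's exported set so the KDC can call it, and the new entry breaks the sorted order of the surrounding lines (it is appended after `_krb5_s4u2self_to_checksumdata`). Keep the list sorted and make sure the prototype is in the private header the KDC includes, otherwise the call in the KDC compiles only through an implicit declaration.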
......