diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-06-13 13:19:23 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-06-23 20:10:01 +1000 |
commit | 80701e5f29567e4ad75a66eb6c8711f817b361b8 (patch) | |
tree | 68129faea618c6110277256701f837f2f0ab478b | |
parent | 06ed6667bece67de768f07f0381e551be2c742a9 (diff) | |
download | samba-80701e5f29567e4ad75a66eb6c8711f817b361b8.tar.gz samba-80701e5f29567e4ad75a66eb6c8711f817b361b8.tar.bz2 samba-80701e5f29567e4ad75a66eb6c8711f817b361b8.zip |
s4:kdc Use msDS-SupportedEncTypes in our KDC
We need to honour this, otherwise we will send AES-encrypted tickets
to unprepared Kerberos targets.
Andrew Bartlett
-rw-r--r-- | source4/kdc/db-glue.c | 84 |
1 files changed, 54 insertions, 30 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 6e06625d6a..8eb3f79119 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -191,11 +191,45 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex) talloc_free(entry_ex->ctx); } +/* Determine, by translation between the encryption types allowed in + * the msDS-SupportedEncTypes and their Kerberos defined values, if a + * given encryption type is permitted for this target principal at + * this time. */ +static bool allowed_enc_type(enum samba_kdc_ent_type ent_type, + uint32_t supported_enc_types_bitmap, uint32_t enc_type_enum) +{ + switch (ent_type) { + case SAMBA_KDC_ENT_TYPE_KRBTGT: + case SAMBA_KDC_ENT_TYPE_TRUST: + /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */ + supported_enc_types_bitmap &= (~ENC_CRC32|ENC_RSA_MD5); + case SAMBA_KDC_ENT_TYPE_SERVER: + switch (enc_type_enum) { + case ENCTYPE_DES_CBC_CRC: + return supported_enc_types_bitmap & ENC_CRC32; + case ENCTYPE_DES_CBC_MD5: + return supported_enc_types_bitmap & ENC_RSA_MD5; + case ENCTYPE_ARCFOUR_HMAC_MD5: + return supported_enc_types_bitmap & ENC_RC4_HMAC_MD5; + case ENCTYPE_AES128_CTS_HMAC_SHA1_96: + return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES128; + case ENCTYPE_AES256_CTS_HMAC_SHA1_96: + return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES256; + default: + return false; + } + default: + return true; + /* Return all enc types to everyone else */ + } +} + static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, - TALLOC_CTX *mem_ctx, - struct ldb_message *msg, - unsigned int userAccountControl, - hdb_entry_ex *entry_ex) + TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + unsigned int userAccountControl, + enum samba_kdc_ent_type ent_type, + hdb_entry_ex *entry_ex) { krb5_error_code ret = 0; enum ndr_err_code ndr_err; @@ -210,6 +244,16 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, uint16_t i; uint16_t allocated_keys = 0; + /* Supported Enc Types for TGS-REQ to this target */ + uint32_t supported_enc_types = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncTypes", + ENC_CRC32|ENC_RSA_MD5|ENC_RC4_HMAC_MD5); + + /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ + if (userAccountControl & UF_USE_DES_KEY_ONLY) { + /* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */ + supported_enc_types &= ENC_CRC32|ENC_RSA_MD5; + } + entry_ex->entry.keys.val = NULL; entry_ex->entry.keys.len = 0; @@ -323,7 +367,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, goto out; } - if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) { + if (hash && supported_enc_types & ENC_RC4_HMAC_MD5) { Key key; key.mkvno = 0; @@ -343,24 +387,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, if (pkb4) { for (i=0; i < pkb4->num_keys; i++) { - bool use = true; Key key; if (!pkb4->keys[i].value) continue; - if (userAccountControl & UF_USE_DES_KEY_ONLY) { - switch (pkb4->keys[i].keytype) { - case ENCTYPE_DES_CBC_CRC: - case ENCTYPE_DES_CBC_MD5: - break; - default: - use = false; - break; - } + if (!allowed_enc_type(ent_type, supported_enc_types, pkb4->keys[i].keytype)) { + continue; } - if (!use) continue; - key.mkvno = 0; key.salt = NULL; @@ -412,24 +446,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } } else if (pkb3) { for (i=0; i < pkb3->num_keys; i++) { - bool use = true; Key key; if (!pkb3->keys[i].value) continue; - if (userAccountControl & UF_USE_DES_KEY_ONLY) { - switch (pkb3->keys[i].keytype) { - case ENCTYPE_DES_CBC_CRC: - case ENCTYPE_DES_CBC_MD5: - break; - default: - use = false; - break; - } + if (!allowed_enc_type(ent_type, supported_enc_types, pkb3->keys[i].keytype)) { + continue; } - if (!use) continue; - key.mkvno = 0; key.salt = NULL; @@ -701,7 +725,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* Get keys from the db */ ret = samba_kdc_message2entry_keys(context, p, msg, userAccountControl, - entry_ex); + ent_type, entry_ex); if (ret) { /* Could be bougus data in the entry, or out of memory */ goto out; |