summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-06-24 09:40:16 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-06-29 16:59:30 +1000
commitd76e4852ebf6ebaaa0e59b481c4b17ac15310aec (patch)
treea0bf4de89712ea0d16556900c5c760ec10d08752
parentf41e71109744cbacfcbf6b8cf545e1f322d68494 (diff)
downloadsamba-d76e4852ebf6ebaaa0e59b481c4b17ac15310aec.tar.gz
samba-d76e4852ebf6ebaaa0e59b481c4b17ac15310aec.tar.bz2
samba-d76e4852ebf6ebaaa0e59b481c4b17ac15310aec.zip
s4:kdc Rework the 'allowed enc types' calculation
This changes the calculation to apply the allowed enc types to all uses of the key (no point allowing a weak kinit to a key the server wanted strongly protected). It also ensures that all the non-DES keys are available on the krbtgt in particular, even as it does not have a msds-SupportedEncryptionTypes attributes. Andrew Bartlett
-rw-r--r--source4/kdc/db-glue.c76
1 files changed, 35 insertions, 41 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8eb3f79119..e913647511 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -40,6 +40,7 @@
#include "param/param.h"
#include "../lib/crypto/md4.h"
#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
#include <hdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/db-glue.h"
@@ -191,42 +192,10 @@ static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
talloc_free(entry_ex->ctx);
}
-/* Determine, by translation between the encryption types allowed in
- * the msDS-SupportedEncTypes and their Kerberos defined values, if a
- * given encryption type is permitted for this target principal at
- * this time. */
-static bool allowed_enc_type(enum samba_kdc_ent_type ent_type,
- uint32_t supported_enc_types_bitmap, uint32_t enc_type_enum)
-{
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
- supported_enc_types_bitmap &= (~ENC_CRC32|ENC_RSA_MD5);
- case SAMBA_KDC_ENT_TYPE_SERVER:
- switch (enc_type_enum) {
- case ENCTYPE_DES_CBC_CRC:
- return supported_enc_types_bitmap & ENC_CRC32;
- case ENCTYPE_DES_CBC_MD5:
- return supported_enc_types_bitmap & ENC_RSA_MD5;
- case ENCTYPE_ARCFOUR_HMAC_MD5:
- return supported_enc_types_bitmap & ENC_RC4_HMAC_MD5;
- case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
- return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES128;
- case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
- return supported_enc_types_bitmap & ENC_HMAC_SHA1_96_AES256;
- default:
- return false;
- }
- default:
- return true;
- /* Return all enc types to everyone else */
- }
-}
-
static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
TALLOC_CTX *mem_ctx,
struct ldb_message *msg,
+ uint32_t rid,
unsigned int userAccountControl,
enum samba_kdc_ent_type ent_type,
hdb_entry_ex *entry_ex)
@@ -244,14 +213,38 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
- /* Supported Enc Types for TGS-REQ to this target */
- uint32_t supported_enc_types = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncTypes",
- ENC_CRC32|ENC_RSA_MD5|ENC_RC4_HMAC_MD5);
+ /* Supported Enc for this entry */
+ uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
+
+ /* However, if this is a TGS-REQ, then lock it down to a
+ * reasonable guess as to what the server can decode. The
+ * krbtgt is special - default to use what is stored for the KDC */
+ if (rid != DOMAIN_RID_KRBTGT && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+ /* This is the standard set for a server that has not declared a msDS-SupportedEncryptionTypes */
+ supported_enctypes = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ }
+ supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
+ supported_enctypes);
+ if (rid == DOMAIN_RID_KRBTGT) {
+ /* Be double-sure never to use DES here */
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ }
+
+ switch (ent_type) {
+ case SAMBA_KDC_ENT_TYPE_KRBTGT:
+ case SAMBA_KDC_ENT_TYPE_TRUST:
+ /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ break;
+ default:
+ break;
+ /* No further restrictions */
+ }
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
/* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */
- supported_enc_types &= ENC_CRC32|ENC_RSA_MD5;
+ supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
}
entry_ex->entry.keys.val = NULL;
@@ -367,7 +360,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
goto out;
}
- if (hash && supported_enc_types & ENC_RC4_HMAC_MD5) {
+ if (hash && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
Key key;
key.mkvno = 0;
@@ -391,7 +384,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
if (!pkb4->keys[i].value) continue;
- if (!allowed_enc_type(ent_type, supported_enc_types, pkb4->keys[i].keytype)) {
+ if (!(kerberos_enctype_to_bitmap(pkb4->keys[i].keytype) & supported_enctypes)) {
continue;
}
@@ -450,7 +443,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
if (!pkb3->keys[i].value) continue;
- if (!allowed_enc_type(ent_type, supported_enc_types, pkb3->keys[i].keytype)) {
+ if (!(kerberos_enctype_to_bitmap(pkb3->keys[i].keytype) & supported_enctypes)) {
continue;
}
@@ -724,7 +717,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.generation = NULL;
/* Get keys from the db */
- ret = samba_kdc_message2entry_keys(context, p, msg, userAccountControl,
+ ret = samba_kdc_message2entry_keys(context, p, msg,
+ rid, userAccountControl,
ent_type, entry_ex);
if (ret) {
/* Could be bougus data in the entry, or out of memory */