Subject: regression in gssapi when using GSS_C_DCE_STYLE flag
In latest samba I have added the ability to use GSSAPI authentication,
signing and encryption for DCERPC communication over SMB against Windows
Servers.

With MIT 1.7.1 all seems to work just fine, but with 1.8.2/1.8.3
communication fails with a Checksum error being thrown from the Windows
Server (windows 2008 R2).

To test it you can simply use rpcclient from the current samba3 master tree.

kinit as a user, then run:
./bin/rpcclient -k ncacn_np:server.fqdn.here[krb5,sign] -c lsaquery

(Replace server.fqdn.here with the server you want to run against, I run
it against the AD DC)

With 1.7.1 communication is established and dcerpc packets are signed,
and the proper result is returned.
With 1.8.1 the server returns a bind nack with error 9 (Checksum error).
Date: Thu, 2 Sep 2010 11:20:47 -0700 (PDT)
From: glenn.barry@oracle.com
To: rt-comment@krbdev.mit.edu
Subject: Auto Reply: [krbdev.mit.edu #6768] regression in gssapi when using GSS_C_DCE_STYLE flag
I'll be out of the office from Sep 2 - 10. Pls contact Anup.Sekhar@oracle.com if it can't wait till I get back.
Ticket update.

Thanks to git-bisect and Luke Howard it appears the problem has been
identified.

The bug has been introduced with this commit:
https://github.com/krb5/krb5/commit/dc3ba26a2c9acde7ca4ed9260fdc01997511e478

The issue is in the reordering of the checksum check in
krb5_mk_req_extended().

The attached patch is a temporary workaround that shows the issue is
indeed in that reordering as I am able to pass the rpcclient test using it.
It is not final because apparently it breaks IAKERB.
A better patch should follow.
Attachment: demo.patch (text/x-diff, 1.4KiB)
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 3a4004d..4de3191 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -141,6 +141,15 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
goto cleanup;
}

+ if (!in_data && (*auth_context)->checksum_func) {
+ retval = (*auth_context)->checksum_func( context,
+ *auth_context,
+ (*auth_context)->checksum_func_data,
+ &in_data);
+ if (retval)
+ goto cleanup;
+ }
+
/* generate subkey if needed */
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
retval = krb5int_generate_and_save_subkey (context, *auth_context,
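Review bot: Moving the checksum_func call ahead of the subkey generation at line 141 fixes the GSSAPI case only as a side effect: the checksum function now runs while send_subkey is still unset, so the forwarded credentials fall back to the session key, but every other checksum function loses access to the subkey as well, which is exactly the "breaks IAKERB" caveat stated above the patch. A narrower fix is to leave this ordering alone and have the GSSAPI krb5 mechanism clear the send subkey around its own checksum call, as the later r24399 commit on this ticket does, instead of changing libkrb5 for all callers. If the reorder is kept anyway, the added block needs a comment saying why it must precede krb5int_generate_and_save_subkey, since nothing in the hunk explains the dependency.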
@@ -151,15 +160,6 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
}


- if (!in_data && (*auth_context)->checksum_func) {
- retval = (*auth_context)->checksum_func( context,
- *auth_context,
- (*auth_context)->checksum_func_data,
- &in_data);
- if (retval)
- goto cleanup;
- }
-
if (in_data) {
if ((*auth_context)->req_cksumtype == 0x8003) {
/* XXX Special hack for GSSAPI */
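Review bot: The removal leaves two consecutive blank lines before `if (in_data) {`; drop one of them. Since this hunk is the matching removal of the block added in the first hunk, the patch is a pure move that does not touch the `req_cksumtype == 0x8003` special case, so the only behaviour change is the order of the checksum call relative to subkey generation, and the commit message should say so explicitly.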
From: ghudson@mit.edu
Subject: SVN Commit

When IAKERB support was added, the krb5_mk_req checksum function
gained access to the send subkey. This caused GSSAPI forwarded
credentials to be encrypted in the subkey, which violates RFC 4121
section 4.1.1 and is not accepted by Microsoft's implementation.
Temporarily null out the send subkey in the auth context so that
krb5_mk_ncred uses the session key instead.


https://github.com/krb5/krb5/commit/bb441175c30679eb913a839b87478b96923bbaae
Commit By: ghudson
Revision: 24399
Changed Files:
U trunk/src/lib/gssapi/krb5/init_sec_context.c
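As an added illustration (not code from the ticket or from MIT krb5): a parser for the 0x8003 authenticator checksum described in RFC 4121 section 4.1.1, which the commit message above cites. It shows where the GSS_C_DCE_STYLE flag from this ticket's subject and the delegated KRB-CRED whose encryption key the fix corrects sit in the checksum; the sample bytes are constructed, and the KRB-CRED is a placeholder carrying only its DER tag.

```python
import struct

# Request flags carried in the 0x8003 authenticator checksum (RFC 4121 4.1.1);
# numeric values as in MIT krb5's gssapi headers.
FLAG_NAMES = {0x0001: "GSS_C_DELEG_FLAG", 0x0002: "GSS_C_MUTUAL_FLAG",
              0x0004: "GSS_C_REPLAY_FLAG", 0x0008: "GSS_C_SEQUENCE_FLAG",
              0x0010: "GSS_C_CONF_FLAG", 0x0020: "GSS_C_INTEG_FLAG",
              0x1000: "GSS_C_DCE_STYLE"}
GSS_C_DELEG_FLAG = 0x0001

def parse_gss_checksum(data: bytes) -> dict:
    """Parse an RFC 4121 4.1.1 checksum (integers little-endian):
    Lgth(4)=16 | Bnd(16) | Flags(4) | [DlgOpt(2)=1 | Dlgth(2) | Deleg] | Exts"""
    if len(data) < 24:
        raise ValueError("checksum shorter than the fixed 24-byte header")
    lgth, = struct.unpack_from("<I", data, 0)
    if lgth != 16:
        raise ValueError(f"Lgth must be 16, got {lgth}")
    flags, = struct.unpack_from("<I", data, 20)
    out = {"bnd": data[4:20], "flags": flags, "deleg": None,
           "flag_names": [n for v, n in sorted(FLAG_NAMES.items()) if flags & v]}
    pos = 24
    if flags & GSS_C_DELEG_FLAG:
        if len(data) < pos + 4:
            raise ValueError("GSS_C_DELEG_FLAG set but delegation header missing")
        dlgopt, dlgth = struct.unpack_from("<HH", data, pos)
        if dlgopt != 1:
            raise ValueError(f"DlgOpt must be 1, got {dlgopt}")
        pos += 4
        deleg = data[pos:pos + dlgth]
        if len(deleg) != dlgth:
            raise ValueError("Deleg field truncated")
        # Deleg is a DER KRB-CRED ([APPLICATION 22], tag byte 0x76). Its
        # EncKrbCredPart must be encrypted in the ticket session key, not the
        # authenticator subkey (this ticket's bug); checking that needs the
        # key, so only the framing is verified here.
        if deleg[:1] != b"\x76":
            raise ValueError("Deleg does not start with a KRB-CRED tag")
        out["deleg"] = deleg
        pos += dlgth
    out["exts"] = data[pos:]
    return out

# Constructed samples, not captures. The 4-byte "KRB-CRED" is a placeholder
# carrying only the APPLICATION 22 tag; a real one is far longer.
SAMPLE_DELEG = (struct.pack("<I", 16) + bytes(16) + struct.pack("<I", 0x103B)
                + struct.pack("<HH", 1, 4) + b"\x76\x02\x30\x00")
SAMPLE_NO_DELEG = struct.pack("<I", 16) + bytes(16) + struct.pack("<I", 0x1000)
```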
From: ghudson@mit.edu
Subject: SVN Commit

A cleaner implementation of r24399 which adds two new auth context APIs
(and is therefore less suitable for backporting to 1.8) but doesn't
reach inside the auth context structure in the krb5 mechanism code.


https://github.com/krb5/krb5/commit/544abd0b04cbc1a18d6bac432be1b767b405ae8c
Commit By: ghudson
Revision: 24400
Changed Files:
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/gssapi/krb5/init_sec_context.c
U trunk/src/lib/krb5/krb/auth_con.c
U trunk/src/lib/krb5/libkrb5.exports
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24399 from trunk

------------------------------------------------------------------------
r24399 | ghudson | 2010-09-30 23:45:43 -0400 (Thu, 30 Sep 2010) | 12 lines

ticket: 6768
subject: GSSAPI forwarded credentials must be encrypted in session key
target_version: 1.8.4
tags: pullup

When IAKERB support was added, the krb5_mk_req checksum function
gained access to the send subkey. This caused GSSAPI forwarded
credentials to be encrypted in the subkey, which violates RFC 4121
section 4.1.1 and is not accepted by Microsoft's implementation.
Temporarily null out the send subkey in the auth context so that
krb5_mk_ncred uses the session key instead.

https://github.com/krb5/krb5/commit/32be985ded03e342a307f9c321152ff46451745a
Commit By: tlyu
Revision: 24460
Changed Files:
U branches/krb5-1-8/src/lib/gssapi/krb5/init_sec_context.c