In some cases the KDC will decide to use a different checksum type when re-signing a PAC to include it in a service ticket.

This is common in a cross-realm trust with AD as most AD DCs will use an HMAC-MD5-RC4 checksum while IPA's KDC will instead choose to use HMAC-SHA-AES when re-signing the PAC.

In current MIT code re-signing a PAC with a signature that differs in length from the original will cause an error. While MIT should handle this properly, we use the workaround of regenerating the PAC from scratch so that there is no trace of the previous signatures.

Tested while obtaining a cross-realm ticket from an AD domain against a service belonging to an IPA domain.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 79958daf4405ba031137540318e68587247df4c8 Mon Sep 17 00:00:00 2001 From: Simo Sorce <[email protected]> Date: Tue, 22 Nov 2011 18:03:10 -0500 Subject: [PATCH] ipa-kdb: Support re-signing PAC with different checksum Fixes: https://fedorahosted.org/freeipa/ticket/2122 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 44 +++++++++++++++++++++++++++++++++++++- 1 files changed, 42 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index 3d4975e73e2402bda3065f6f90bf8bf7c2e4f9c5..63c18b5d59d4a8c5669097f8163755bd3284280a 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -552,6 +552,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, { krb5_authdata **authdata = NULL; krb5_error_code kerr; + krb5_ui_4 *buffer_types = NULL; + size_t num_buffers; + krb5_pac old_pac = NULL; + krb5_pac new_pac = NULL; + krb5_data data; + size_t i; /* find the existing PAC, if present */ kerr = krb5_find_authdata(context, tgt_auth_data, NULL, 
@@ -573,16 +579,50 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, kerr = krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, - pac); + &old_pac); if (kerr) { goto done; } - kerr = krb5_pac_verify(context, *pac, authtime, + kerr = krb5_pac_verify(context, old_pac, authtime, client_princ, krbtgt_key, NULL); + if (kerr) { + goto done; + } + + /* extract buffers and rebuilt pac from scratch so that when re-signing + * with a different cksum type does not cause issues due to mismatching + * signature buffer lengths */ + kerr = krb5_pac_init(context, &new_pac); + if (kerr) { + goto done; + } + + kerr = krb5_pac_get_types(context, old_pac, &num_buffers, &buffer_types); + if (kerr) { + goto done; + } + + for (i = 0; i < num_buffers; i++) { + kerr = krb5_pac_get_buffer(context, old_pac, + buffer_types[i], &data); + if (kerr == 0) { + kerr = krb5_pac_add_buffer(context, &new_pac, + buffer_types[i], &data); + } + krb5_free_data_contents(context, &data); + if (kerr) { + krb5_pac_free(context, new_pac); + goto done; + } + } + + *pac = new_pac; done: krb5_free_authdata(context, authdata); + krb5_pac_free(context, old_pac); + free(buffer_types); return kerr; } -- 1.7.7.1
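Review bot: `krb5_data data;` in the new declarations at @@ -552 starts uninitialized, yet the copy loop in the following hunk calls `krb5_free_data_contents(context, &data)` on every iteration, including the one where `krb5_pac_get_buffer` returned an error and may not have filled `data` in; on that path whatever is on the stack reaches free(). Initialize it at the declaration (`krb5_data data = { 0 };`) or move the free under `if (kerr == 0)`.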
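Review bot: the rebuild loop at @@ -573 copies every type that `krb5_pac_get_types` reports, and that list includes `KRB5_PAC_SERVER_CHECKSUM` and `KRB5_PAC_PRIVSVR_CHECKSUM`, so the old signature buffers, at their old HMAC-MD5 length, are carried into `new_pac` even though the message says the aim is to leave "no trace of the previous signatures". Skip those two types in the loop (`if (buffer_types[i] == KRB5_PAC_SERVER_CHECKSUM || buffer_types[i] == KRB5_PAC_PRIVSVR_CHECKSUM) continue;`) so the later signing step gets to allocate checksum buffers of the right size. Separately, if `krb5_pac_get_types` fails after `krb5_pac_init` has succeeded, the `goto done` leaks `new_pac`, since the explicit `krb5_pac_free(context, new_pac)` only covers the loop's error path; freeing `new_pac` unconditionally at `done:` and doing `*pac = new_pac; new_pac = NULL;` on success would cover every path with one cleanup. Minor: the comment says "rebuilt pac" where "rebuild the PAC" is meant.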
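To make the length problem the message describes concrete, here is an added example (not code from the FreeIPA patch or from MIT krb5): a minimal builder and parser for the MS-PAC container format (PACTYPE header, PAC_INFO_BUFFER entries, 8-byte aligned buffer data, and a checksum buffer of SignatureType plus signature bytes, with HMAC-MD5 as 16 bytes and HMAC-SHA1-96-AES256 as 12 bytes). `pac_resign_in_place` models a KDC that tries to reuse the existing checksum buffer and fails when the new signature does not fit, while `pac_rebuild_resigned` models the patch's approach of rebuilding the PAC from its buffers, dropping the old checksum buffers and appending correctly sized ones. All function names, the `run_demo` scenario and the 0xAA/0xCC signature bytes are constructed for illustration; no real HMAC is computed and no krb5 library is required.

```c
/* Added example, not from the FreeIPA patch: a minimal MS-PAC container builder/parser showing
 * why re-signing a PAC in place fails when the new checksum has a different signature length,
 * and how rebuilding the PAC without its old checksum buffers avoids that. No HMAC is computed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
enum { PAC_LOGON_INFO = 1, PAC_SERVER_CHECKSUM = 6, PAC_PRIVSVR_CHECKSUM = 7, MAX_BUFS = 8 };
#define CKSUM_HMAC_MD5            0xFFFFFF76u /* KERB_CHECKSUM_HMAC_MD5, 16-byte signature */
#define CKSUM_HMAC_SHA1_96_AES256 0x10u       /* 12-byte signature */
struct pac_buf { uint32_t type; const uint8_t *data; size_t len; };

/* PAC integers are little-endian; the 64-bit Offset field is handled as two 32-bit halves. */
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static uint32_t get32(const uint8_t *p) { uint32_t v = 0; for (int i = 0; i < 4; i++) v |= (uint32_t)p[i] << 8 * i; return v; }

/* Serialize PACTYPE {cBuffers, Version} + PAC_INFO_BUFFER[] {ulType, cbBufferSize, Offset}; data 8-byte aligned. */
size_t pac_build(const struct pac_buf *bufs, size_t n, uint8_t *out, size_t cap) {
    size_t off = 8 + 16 * n;
    if (off > cap) return 0;
    memset(out, 0, cap); put32(out, (uint32_t)n); /* Version stays 0 */
    for (size_t i = 0; i < n; i++) {
        uint8_t *entry = out + 8 + 16 * i;
        off = (off + 7) & ~(size_t)7;
        if (off + bufs[i].len > cap) return 0;
        put32(entry, bufs[i].type); put32(entry + 4, (uint32_t)bufs[i].len);
        put32(entry + 8, (uint32_t)off); put32(entry + 12, 0);
        memcpy(out + off, bufs[i].data, bufs[i].len); off += bufs[i].len;
    }
    off = (off + 7) & ~(size_t)7; return off > cap ? 0 : off; /* total length, 0 if it did not fit */
}

/* Parse a container into (type, data, len) triples with bounds checks; -1 if malformed. */
int pac_parse(const uint8_t *pac, size_t len, struct pac_buf *out, size_t max) {
    uint32_t n;
    if (len < 8 || (n = get32(pac)) > max || 8 + 16 * (size_t)n > len) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *entry = pac + 8 + 16 * i;
        uint32_t blen = get32(entry + 4), off = get32(entry + 8);
        if (get32(entry + 12) != 0 || off > len || blen > len - off) return -1;
        out[i] = (struct pac_buf){ get32(entry), pac + off, blen };
    }
    return (int)n;
}

/* In-place re-sign of checksum buffer `buftype`; -1 if the new signature does not fit the existing buffer. */
int pac_resign_in_place(uint8_t *pac, size_t len, uint32_t buftype,
                        uint32_t sigtype, const uint8_t *sig, size_t siglen) {
    struct pac_buf b[MAX_BUFS];
    int n = pac_parse(pac, len, b, MAX_BUFS);
    for (int i = 0; i < n; i++) {
        if (b[i].type != buftype) continue;
        if (b[i].len != 4 + siglen) return -1; /* the length mismatch the message describes */
        uint8_t *p = pac + (b[i].data - pac);  /* same bytes, writable view */
        put32(p, sigtype); memcpy(p + 4, sig, siglen);
        return 0;
    }
    return -1;
}

/* The patch's strategy: copy every buffer except the old checksum buffers into a fresh PAC and append
 * checksum buffers sized for the new signature (offsets recomputed). A real KDC computes the signature here. */
size_t pac_rebuild_resigned(const uint8_t *old, size_t oldlen, uint32_t sigtype,
                            const uint8_t *sig, size_t siglen, uint8_t *out, size_t cap) {
    struct pac_buf b[MAX_BUFS], nb[MAX_BUFS];
    uint8_t cksum[36];
    int n = pac_parse(old, oldlen, b, MAX_BUFS), m = 0;
    if (n < 0 || siglen > 32) return 0;
    for (int i = 0; i < n; i++)
        if (b[i].type != PAC_SERVER_CHECKSUM && b[i].type != PAC_PRIVSVR_CHECKSUM) nb[m++] = b[i];
    if (m + 2 > MAX_BUFS) return 0;
    put32(cksum, sigtype); memcpy(cksum + 4, sig, siglen); /* placeholder serves both signatures */
    for (int t = PAC_SERVER_CHECKSUM; t <= PAC_PRIVSVR_CHECKSUM; t++) /* types 6 and 7 */
        nb[m++] = (struct pac_buf){ (uint32_t)t, cksum, 4 + siglen };
    return pac_build(nb, (size_t)m, out, cap);
}

struct demo_result { size_t old_len, new_len, new_srv_len; int inplace_rc, logon_intact; uint32_t new_srv_sigtype; };
/* Constructed scenario: a PAC with 16-byte HMAC-MD5 signatures (as AD issues) re-signed with 12-byte AES ones. */
struct demo_result run_demo(void) {
    struct demo_result r = { 0 };
    const uint8_t logon[24] = "constructed-logon-info";
    uint8_t md5[20], aes[12], old[256], fresh[256];
    struct pac_buf parsed[MAX_BUFS];
    put32(md5, CKSUM_HMAC_MD5); memset(md5 + 4, 0xAA, 16); memset(aes, 0xCC, sizeof aes);
    struct pac_buf bufs[3] = { { PAC_LOGON_INFO, logon, sizeof logon },
        { PAC_SERVER_CHECKSUM, md5, sizeof md5 }, { PAC_PRIVSVR_CHECKSUM, md5, sizeof md5 } };
    r.old_len = pac_build(bufs, 3, old, sizeof old);
    r.inplace_rc = pac_resign_in_place(old, r.old_len, PAC_SERVER_CHECKSUM, CKSUM_HMAC_SHA1_96_AES256, aes, 12);
    r.new_len = pac_rebuild_resigned(old, r.old_len, CKSUM_HMAC_SHA1_96_AES256, aes, 12, fresh, sizeof fresh);
    if (pac_parse(fresh, r.new_len, parsed, MAX_BUFS) == 3) { /* logon info, then the two new checksums */
        r.logon_intact = parsed[0].len == sizeof logon && !memcmp(parsed[0].data, logon, sizeof logon);
        r.new_srv_sigtype = get32(parsed[1].data); r.new_srv_len = parsed[1].len;
    }
    return r;
}

int main(void) {
    struct demo_result r = run_demo();
    printf("in-place rc=%d; rebuilt %zu bytes (was %zu); server checksum 0x%x in %zu-byte buffer; logon intact=%d\n",
           r.inplace_rc, r.new_len, r.old_len, r.new_srv_sigtype, r.new_srv_len, r.logon_intact);
    return 0;
}
```

In the constructed scenario the in-place attempt returns -1 because the 20-byte HMAC-MD5 checksum buffer cannot hold a 16-byte AES one, while the rebuilt PAC is 16 bytes shorter, keeps the logon-info buffer intact and carries server and KDC checksum buffers of the new size at freshly computed offsets. The parser's bounds checks on `cbBufferSize` and `Offset` are what a KDC plugin should also apply before trusting a PAC received over a trust.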
_______________________________________________ Freeipa-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-devel
