File _service:tar_scm_kernel_repo:backport-0002-CVE-2020-25719-sign-and-verify-PAC-with-ticket-principal.patch of Package samba (project openEuler:20.03:LTS:SP3)
From 34347586375dea9b615fb6a0218bcb5927031e4d Mon Sep 17 00:00:00 2001 From: Isaac Boukris <iboukris@gmail.com> Date: Thu, 16 Jan 2020 22:00:21 +0100 Subject: [PATCH] Sign and verify PAC with ticket principal instead of canon Conflict: NA Reference: https://git.samba.org/samba.git/?p=samba.git;a=patch;h=34347586375dea9b615fb6a0218bcb5927031e4d principal With MIT library 1.18 the KDC no longer set KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows us to not canonicalize them (like in Windows / Heimdal). However, it now breaks the PAC signature verification as it was wrongly done using canonical client rather than ticket client name. Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> --- source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 586cf81451d..2eec496fa92 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -301,20 +301,12 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata **tgt_auth_data, krb5_authdata ***signed_auth_data) { - krb5_const_principal ks_client_princ; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; krb5_error_code code; krb5_pac pac = NULL; krb5_data pac_data; - /* Prefer canonicalised name from client entry */ - if (client != NULL) { - ks_client_princ = client->princ; - } else { - ks_client_princ = client_princ; - } - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { @@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, if (!is_as_req) { code = ks_verify_pac(context, flags, - ks_client_princ, + client_princ, client, server, krbtgt, 
@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, goto done; } - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, + code = krb5_pac_sign(context, pac, authtime, client_princ, server_key, krbtgt_key, &pac_data); if (code != 0) { DBG_ERR("krb5_pac_sign failed: %d\n", code); -- GitLab
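Review bot: in the first hunk (@@ -301,20 +301,12 @@), the reason for dropping the "Prefer canonicalised name from client entry" block now lives only in the commit message; add a short comment where ks_client_princ used to be declared (or at the ks_verify_pac / krb5_pac_sign call sites) stating that the PAC must be signed and verified with the ticket client principal (client_princ), never with the canonical client->princ, so that a later reader does not reinstate the removed fallback. Note that `client` itself is still needed and still passed to ks_verify_pac below, so only the principal selection goes away, not the parameter.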
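Review bot: in the ks_verify_pac hunk (@@ -354,7 +346,7 @@), client_princ is now passed unconditionally, including in the case the removed code handled explicitly (client == NULL), and verification is only meaningful if the same name was used when the PAC was signed (the krb5_pac_sign change further down). The only case in which client->princ and client_princ differ is the enterprise-principal TGS path on MIT 1.18 where the KDC no longer canonicalizes, which is exactly the case the old code got wrong; that path deserves a regression test so the sign and verify sides cannot drift apart again.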
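Review bot: in the krb5_pac_sign hunk (@@ -381,7 +373,7 @@), passing client_princ instead of ks_client_princ changes which name is embedded in and covered by the PAC signature: the ticket client name rather than the canonical name from the database entry. That is consistent with the verify side in this patch, but it is a visible behaviour change for anything that read the canonical name out of a Samba-issued PAC, and the error path only logs `krb5_pac_sign failed: %d` without saying which principal was used; consider including the principal in that DBG_ERR so a signing failure on an enterprise name can be told apart from one on a canonical name.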