From b682473bc18356b361d47adaff77e40996a09069 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 15 Dec 2011 18:12:41 +0100
Subject: [PATCH 1/3] s3-krb5: use and request AES keys in kerberos operations.

Guenther
(cherry picked from commit eae33e96fcaa456830862325b91579faf2a96213)
---
 source3/libads/kerberos.c | 1 +
 source3/libads/kerberos_keytab.c | 8 +++++++-
 source3/libsmb/clikrb5.c | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 52d2475..0a4566a 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -941,6 +941,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 goto done;
 }
+ /* FIXME: add aes here - gd */
 file_contents = talloc_asprintf(fname,
 "[libdefaults]\n\tdefault_realm = %s\n"
 "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 721a8c6..badce3e 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -261,9 +261,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
 krb5_keytab keytab = NULL;
 krb5_data password;
 krb5_kvno kvno;
- krb5_enctype enctypes[4] = {
+ krb5_enctype enctypes[6] = {
 ENCTYPE_DES_CBC_CRC,
 ENCTYPE_DES_CBC_MD5,
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
 ENCTYPE_ARCFOUR_HMAC,
 0
 };
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 7958205..59e1fa5 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
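Review bot: The `krb5_enctype enctypes[6] = {` initializer in the kerberos_keytab.c hunk (`ads_keytab_add_entry`) hardcodes a size that has to be kept in sync by hand with however many of the `#ifdef`-selected AES entries are compiled in; when neither macro is defined the unused slots are zero-filled, which happens to match the `0` terminator, but the coupling is fragile for the next enctype someone adds. Declaring it `krb5_enctype enctypes[] = {` and relying on the trailing `0` as the terminator, as `enc_types[]` in clikrb5.c already does, removes the hazard. Note also that this list keeps the two single-DES enctypes ahead of the AES ones; whether the order matters here depends on how the array is consumed later in `ads_keytab_add_entry`, whose body lies outside the hunk.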
@@ -868,6 +868,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 ENCTYPE_ARCFOUR_HMAC,
 ENCTYPE_DES_CBC_MD5,
 ENCTYPE_DES_CBC_CRC,
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
 ENCTYPE_NULL};
 
 initialize_krb5_error_table();
-- 
1.7.9.5

From 037bf9e727659dc54760917ccf1d6d7c1860711a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Mon, 19 Dec 2011 10:52:58 +0100
Subject: [PATCH 2/3] s3-kerberos: add aes enctypes to generated krb5.conf.

Guenther
(cherry picked from commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe)
---
 source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 0a4566a..9ab98d4 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -904,6 +904,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 int fd;
 char *realm_upper = NULL;
 bool result = false;
+ char *aes_enctypes = NULL;
 if (!lp_create_krb5_conf()) {
 return false;
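Review bot: In the clikrb5.c hunk of patch 1/3 the AES entries are appended after `ENCTYPE_ARCFOUR_HMAC` and the two DES types in `enc_types[]` of `cli_krb5_get_ticket`, so a KDC that treats the client's list as a preference order will keep issuing RC4 (or DES) session keys even when AES is available; the AES types need to come first for the change to take effect, which is what patch 3/3 in this series does. The array also has no comment saying that its order is significant, e.g. `/* preference order: strongest enctype first */` above the initializer. The rest of `cli_krb5_get_ticket` lies outside the hunk.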
@@ -941,15 +942,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 goto done;
 }
- /* FIXME: add aes here - gd */
+ aes_enctypes = talloc_strdup(fname, "");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+#endif
+
 file_contents = talloc_asprintf(fname,
 "[libdefaults]\n\tdefault_realm = %s\n"
- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
 "[realms]\n\t%s = {\n"
 "\t%s\t}\n",
- realm_upper, realm_upper, kdc_ip_string);
+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
+ realm_upper, kdc_ip_string);
 if (!file_contents) {
 goto done;
-- 
1.7.9.5

From 36ff417edcf751dba34fe401710ff85cbd77bc1b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 22 Oct 2012 13:47:48 +0200
Subject: [PATCH 3/3] lib/krb5_wrap: request enc_types in the correct order (bug #9272)

aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 should have a higher priority than arcfour-hmac-md5, otherwise the KDC still gives us arcfour-hmac-md5 session keys.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
(similar to commit 24f3f87706329e6e280dc6be6d025e997d46c910)
---
 source3/libsmb/clikrb5.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 59e1fa5..dce1df7 100644
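Review bot: The rewritten `default_tgs_enctypes`, `default_tkt_enctypes` and `preferred_enctypes` lines in the `@@ -941,15 +942,33 @@` hunk of patch 2/3 put AES ahead of RC4, but they still emit `DES-CBC-CRC DES-CBC-MD5` unconditionally into the generated krb5.conf, in three hardcoded copies; since single-DES is the weakest thing on the list, it deserves the same build-time gating the AES names get, or at least a comment saying why it is kept. Separately, the AES names are string literals selected by `#ifdef`, so the `talloc_strdup` plus two `talloc_asprintf_append` calls and their three `goto done` paths can be replaced by adjacent-literal concatenation, which cannot fail to allocate; that turns the `char *aes_enctypes = NULL;` declaration from the earlier `@@ -904,6 +904,7 @@` hunk into the initializer shown below. With neither AES macro defined the format still yields a leading space after `= `, which is harmless but worth a one-line comment. `create_local_private_krb5_conf_for_domain` begins and ends outside this hunk.
```c
	/* AES names are compile-time literals, so build the prefix by
	 * literal concatenation: no talloc call and no failure path.
	 * Replaces "char *aes_enctypes = NULL;" in the declaration block. */
	const char *aes_enctypes =
#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
		"aes256-cts-hmac-sha1-96 "
#endif
#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
		"aes128-cts-hmac-sha1-96"
#endif
		"";
	/* … unchanged: talloc_asprintf(fname, "[libdefaults]…", realm_upper, aes_enctypes, …) and the rest … */
```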
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -865,15 +865,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 krb5_ccache ccdef = NULL;
 krb5_auth_context auth_context = NULL;
 krb5_enctype enc_types[] = {
- ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 #endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES_CBC_CRC,
 ENCTYPE_NULL};
 
 initialize_krb5_error_table();
-- 
1.7.9.5
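Review bot: The reordered `enc_types[]` in `cli_krb5_get_ticket` carries no comment recording that the order is a preference list the KDC acts on, which is the whole reason for bug #9272, so a later edit can quietly undo it; add `/* preference order, strongest first: the KDC returns the first enctype it supports (bug #9272) */` above the initializer. The same AES-first ordering is not applied to `enctypes[6]` in `ads_keytab_add_entry` (kerberos_keytab.c, patch 1/3), which still lists the DES types first and AES128 before AES256; if that array is ever consumed as a preference rather than as an enumerate-all set, it would want the same treatment. `ENCTYPE_DES_CBC_MD5` and `ENCTYPE_DES_CBC_CRC` remain in the request list after this fix; whether single-DES should still be offered at all is a policy question this hunk does not address. The body of `cli_krb5_get_ticket` continues outside the hunk.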