1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/source4/torture
Uri Simchoni 6379737b7d heimdal: encode/decode kvno as signed integer
This patch changes the encoding/decoding of kvno (key version number)
in blobs and packets to signed integer, for compatibility with Windows.
Reportedly, MIT Kerberos does the same.

This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
in the heimdal tree.

According to the Kerberos spec (RFC 4120 5.2.9), the kvno field
in encrypted data object is an unsigned integer that fits in
32 bits. The Heimdal Kerberos component bundled with Samba
conforms to this. However, Windows deviates from the standard
and encodes kvno as a signed integer, and this creates
interoperability issues.

ASN.1 DER has no special encoding for unsigned integer. A 32-bit
unsigned integer is encoded as a signed integer, so while a signed
32-bit integer (covering the range of -0x80000000..0x7fffffff) is
encoded using up to 4 bytes, an unsigned integer (covering
0..0xffffffff) could require 5 bytes.

Normally, kvno for a given account starts at 1 and increments on
password changes. Kerberos defined this as unsigned because there's
no meaning for negative version numbers, so the standard writers figured
4 billion versions is better than 2 billion. It was not
expected for a kvno to really go past 0x7fffffff and the disctinction
usually does not matter. However, RODCs use kvnos which
have the most-significant bit set.

In Active Directory, RODCs have a private secret for the krbtgt,
because the assumption is that the RODC is less secure, and
recovering the domain krbtgt secret from the RODC would compromise
the security of the entire domain. The kvno field is being used
to identify the private krbtgt account that owns the key - the
upper 16 bits are the RODC id, and the lower 16 bits identify
the key version number for this specific RODC. It's common to
have an RODC id greater than 0x8000, and therefore to have a
kvno larger than 0x7fffffff, which would be DER-encoded using
5 bytes.

Windows encodes kvno as signed integer - basically taking the
32 bits and treating them as a signed integer rather than an
unsigned integer. This means that in Windows a kvno can
always be encoded using 4 bytes, and Windows DCs reject a kvno
encoded using more than 4 bytes without even generating an error
response (the DC assumes it's an attack).

Heimdal re-encodes the TGT when it creates a TGS request. Obviously
it cannot decode and encode the encrypted parts but it does re-encode
the plain parts, which include the kvno. That leads to a 5-byte
kvno in the TGS request, which is rejected without an error
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat May  7 21:14:21 CEST 2016 on sn-devel-144
2016-05-07 21:14:21 +02:00
..
auth kerberos: Remove un-used event context argument from smb_krb5_init_context() 2014-04-28 02:24:57 +02:00
basic s4:torture:basic: fix 'Conditional jump or move ' valgrind error 2016-04-25 10:35:15 +02:00
dfs torture: change dfs tests now that we return a level 4 when level 4 is requested 2012-04-26 21:25:37 +02:00
dns s4-dns: dlz-bind: Add trailing '.' to all fqdn strings 2014-11-21 06:14:55 +01:00
drs Rename 'errors' to 'samba-errors' and make it public. 2016-01-13 07:47:04 +01:00
krb5 s4:torture/krb5: add a --option=torture:run_removedollar_test=true option to kdc-conon 2015-06-24 01:03:16 +02:00
ldap torture_ldap_sort: avoid segfault 2016-03-09 10:32:17 +01:00
ldb ldb torture: test ldb_unpack_data_only_attr_list 2015-12-17 03:23:21 +01:00
libnet s4:torture:libnet: fix 'Syscall param writev(vector[...])' valgrind error 2016-04-25 10:35:16 +02:00
libnetapi s4/torture/libnetapi/libnetapi_user.c: fix typo 2016-03-04 18:08:21 +01:00
libsmbclient
local util/binsearch: macro for greater than or equal search 2016-03-09 10:32:16 +01:00
man docs: remove duplicate mention of "smbtorture" in smbtorture manpage. 2013-11-19 09:52:39 +01:00
nbench dlist: remove unneeded type argument from DLIST_ADD_END() 2016-02-06 21:48:17 +01:00
nbt s4-torture: fix gcc6 build warnings. 2016-02-06 21:48:18 +01:00
ndr lib: Give base64.c its own .h 2016-05-04 01:28:23 +02:00
ntp s4:torture/ntp: add missing #include "torture/ntp/proto.h" 2014-04-02 09:03:45 +02:00
rap s4:torture/rap/printing: check smbcli_rap_netprintqgetinfo() WERR status 2011-12-17 01:09:32 +01:00
raw s4:torture:raw: fix 'Invalid read of size 1 & Conditional jump or move' errors. 2016-04-25 10:35:15 +02:00
rpc heimdal: encode/decode kvno as signed integer 2016-05-07 21:14:21 +02:00
smb2 s4:torture:smb2: fix 'Use of uninitialised value of size 8' valgrind error. 2016-04-25 10:35:16 +02:00
tests selftest: Remove unused support for --exeext 2012-02-01 02:45:07 +01:00
unix lib: Convert callers of sid_blob_parse to sid_parse 2015-08-26 21:41:12 +02:00
vfs s4:torture:vfs: fix Invalid read of size 8 valgrind valgrind error (and segv) 2016-04-25 10:35:16 +02:00
winbind s4:torture/winbind: add more debug output to samba4.winbind.struct.domain_info 2015-12-14 23:26:40 +01:00
gentest.c torture/gentest time_skew(): don't use labs() on unsigned NTTIME 2015-12-24 04:09:28 +01:00
locktest.c s4:torture/locktest: comment out unused code and avoid smbcli_nt_error() 2014-11-25 07:25:46 +01:00
masktest.c s4:torture: avoid argv related const warnings 2014-04-02 09:03:45 +02:00
shell.c s4:torture/shell: simplify cli_credentials_set_password() call 2013-08-05 17:48:03 +12:00
smbtorture.c s4:torture: avoid const warnings in smbtorture.c 2014-04-02 09:03:45 +02:00
smbtorture.h
torture.c Revert making public of the samba-module library. 2011-12-03 08:36:30 +01:00
util_smb.c dlist: remove unneeded type argument from DLIST_ADD_END() 2016-02-06 21:48:17 +01:00
util.h torture: Add a new w2k12 target 2013-09-05 13:46:10 -07:00
wscript_build waf: Only build the backupkey rpc test with AD DC enabled 2016-01-22 17:47:21 +01:00