Attachment #9394 for bug #46301

View | Details | Raw Unified | Return to bug 46301
Collapse All | Expand All

Lines 1-3 Link Here

(-)a/services/univention-s4-connector/debian/changelog (+7 lines)
		1	univention-s4-connector (12.0.2-2) unstable; urgency=medium
		2
		3	* Bug #46292: Avoid segfault on krb5Key with unsupported
		4	Kerberos encryption type
		5
		6	-- Arvid Requate <requate@univention.de> Fri, 16 Feb 2018 13:06:44 +0100
		7
1	univention-s4-connector (12.0.2-1) unstable; urgency=medium	8	univention-s4-connector (12.0.2-1) unstable; urgency=medium
2		9
3	* Bug #32014: Sync account locking state from Samba/AD to OpenLDAP:	10	* Bug #32014: Sync account locking state from Samba/AD to OpenLDAP:

Lines 46-51 import heimdal Link Here

(-)a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py (-1 / +11 lines)
46	from ldap.controls import LDAPControl	46	from ldap.controls import LDAPControl
47	import traceback	47	import traceback
48		48
		49	class Krb5Context(object):
		50	def __init__(self):
		51	self.ctx = heimdal.context()
		52	self.etypes = self.ctx.get_permitted_enctypes()
		53	self.etype_ids = [et.toint() for et in self.etypes]
		54
		55	krb5_context = Krb5Context()
49		56
50	def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):	57	def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):
51	up_blob = unicodePwd	58	up_blob = unicodePwd
Lines 168-178 def calculate_supplementalCredentials(ucs_krb5key, old_supplementalCredentials): Link Here
168	krb_ctr4_salt = ''	175	krb_ctr4_salt = ''
169	for k in ucs_krb5key:	176	for k in ucs_krb5key:
170	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)	177	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
171
172	key_data = keyblock.keyvalue()	178	key_data = keyblock.keyvalue()
173	saltstring = salt.saltvalue()	179	saltstring = salt.saltvalue()
174	enctype = keyblock.keytype()	180	enctype = keyblock.keytype()
175	enctype_id = enctype.toint()	181	enctype_id = enctype.toint()
		182	if enctype_id not in krb5_context.etype_ids:
		183	ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ignoring unsupported krb5_keytype: (%d)" % (enctype_id,))
		184	continue
		185
176	ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))	186	ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))
177	if enctype_id == 18:	187	if enctype_id == 18:
178	krb5_aes256 = key_data	188	krb5_aes256 = key_data

Lines 1-3 Link Here

(-)a/services/univention-samba4/debian/changelog (+7 lines)
		1	univention-samba4 (7.0.2-3) unstable; urgency=medium
		2
		3	* Bug #46292: Avoid s4search-decode segfault on krb5Key with unsupported
		4	Kerberos encryption type
		5
		6	-- Arvid Requate <requate@univention.de> Fri, 16 Feb 2018 12:57:40 +0100
		7
1	univention-samba4 (7.0.2-2) unstable; urgency=medium	8	univention-samba4 (7.0.2-2) unstable; urgency=medium
2		9
3	* Bug #46118: Bump version for rebuild in 4.3-0 main branch	10	* Bug #46118: Bump version for rebuild in 4.3-0 main branch




from samba.ndr import ndr_print
from datetime import datetime

krb5_context = None

class Krb5Context(object):
	def __init__(self):
		self.ctx = heimdal.context()
		self.etypes = self.ctx.get_permitted_enctypes()
		self.etype_ids = [et.toint() for et in self.etypes]

keytypes = {
	1: 'des_crc',


regEx = re.compile('^([a-zA-Z0-9-]*):?: (.*)')


def decode_unicodePwd(value, kvno=0):
	global krb5_context
	if not krb5_context:
		krb5_context = Krb5Context()
	up_blob = binascii.a2b_base64(value)
	keyblock = heimdal.keyblock_raw(krb5_context.ctx, 23, up_blob)
	krb5key = heimdal.asn1_encode_key(keyblock, None, kvno)
	print "# decoded:"
	print "#\tsambaNTPassword:: %s" % binascii.b2a_hex(up_blob).upper().strip()



def decode_krb5Key(value):
	global krb5_context
	if not krb5_context:
		krb5_context = Krb5Context()
	k = binascii.a2b_base64(value)
	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
	enctype = keyblock.keytype()
	enctype_id = enctype.toint()
	if enctype_id not in krb5_context.etype_ids:
		print "#\tSKIPPING ENC type %s, not support by this Heimdal version" % enctype_id
		return
	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)
	key_data = keyblock.keyvalue()
	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()



def decode_supplementalCredentials(value, kvno=0):
	global krb5_context
	if not krb5_context:
		krb5_context = Krb5Context()
	object_data = ndr_unpack(drsblobs.supplementalCredentialsBlob, binascii.a2b_base64(value))
	print "# supplementalCredentials recoded as krb5key:"
	# print "%s" % (ndr_print(object_data).strip(),)

				keytype = keytypes.get(k.keytype, k.keytype)
				print "#\tkeytype: %s (%d)" % (keytype, k.keytype)
				print "#\tkeyblock:",
				keyblock = heimdal.keyblock_raw(krb5_context.ctx, k.keytype, k.value)
				key_data = keyblock.keyvalue()
				print binascii.b2a_base64(key_data).strip()
				print "#\tkrb5SaltObject:",
				krb5SaltObject = heimdal.salt_raw(krb5_context.ctx, krb.ctr.salt.string)
				print krb5SaltObject.saltvalue()
				krb5key = heimdal.asn1_encode_key(keyblock, krb5SaltObject, kvno)
				print "#\tkrb5Key:: %s" % binascii.b2a_base64(krb5key).strip()

Return to bug 46301

Lines 47-53 from samba.ndr import ndr_unpack Link Here

(-)a/services/univention-samba4/s4search-decode (-11 / +22 lines)
47	from samba.ndr import ndr_print	47	from samba.ndr import ndr_print
48	from datetime import datetime	48	from datetime import datetime
49		49
50	context = None	50	krb5_context = None
		51
		52	class Krb5Context(object):
		53	def __init__(self):
		54	self.ctx = heimdal.context()
		55	self.etypes = self.ctx.get_permitted_enctypes()
		56	self.etype_ids = [et.toint() for et in self.etypes]
51		57
52	keytypes = {	58	keytypes = {
53	1: 'des_crc',	59	1: 'des_crc',
Lines 58-70 keytypes = { Link Here
58		64
59	regEx = re.compile('^([a-zA-Z0-9-]):?: (.)')	65	regEx = re.compile('^([a-zA-Z0-9-]):?: (.)')
60		66
61
62	def decode_unicodePwd(value, kvno=0):	67	def decode_unicodePwd(value, kvno=0):
63	global context	68	global krb5_context
64	if not context:	69	if not krb5_context:
65	context = heimdal.context()	70	krb5_context = Krb5Context()
66	up_blob = binascii.a2b_base64(value)	71	up_blob = binascii.a2b_base64(value)
67	keyblock = heimdal.keyblock_raw(context, 23, up_blob)	72	keyblock = heimdal.keyblock_raw(krb5_context.ctx, 23, up_blob)
68	krb5key = heimdal.asn1_encode_key(keyblock, None, kvno)	73	krb5key = heimdal.asn1_encode_key(keyblock, None, kvno)
69	print "# decoded:"	74	print "# decoded:"
70	print "#\tsambaNTPassword:: %s" % binascii.b2a_hex(up_blob).upper().strip()	75	print "#\tsambaNTPassword:: %s" % binascii.b2a_hex(up_blob).upper().strip()
Lines 74-83 def decode_unicodePwd(value, kvno=0): Link Here
74		79
75		80
76	def decode_krb5Key(value):	81	def decode_krb5Key(value):
		82	global krb5_context
		83	if not krb5_context:
		84	krb5_context = Krb5Context()
77	k = binascii.a2b_base64(value)	85	k = binascii.a2b_base64(value)
78	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)	86	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
79	enctype = keyblock.keytype()	87	enctype = keyblock.keytype()
80	enctype_id = enctype.toint()	88	enctype_id = enctype.toint()
		89	if enctype_id not in krb5_context.etype_ids:
		90	print "#\tSKIPPING ENC type %s, not support by this Heimdal version" % enctype_id
		91	return
81	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)	92	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)
82	key_data = keyblock.keyvalue()	93	key_data = keyblock.keyvalue()
83	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()	94	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()
Lines 88-96 def decode_krb5Key(value): Link Here
88		99
89		100
90	def decode_supplementalCredentials(value, kvno=0):	101	def decode_supplementalCredentials(value, kvno=0):
91	global context	102	global krb5_context
92	if not context:	103	if not krb5_context:
93	context = heimdal.context()	104	krb5_context = Krb5Context()
94	object_data = ndr_unpack(drsblobs.supplementalCredentialsBlob, binascii.a2b_base64(value))	105	object_data = ndr_unpack(drsblobs.supplementalCredentialsBlob, binascii.a2b_base64(value))
95	print "# supplementalCredentials recoded as krb5key:"	106	print "# supplementalCredentials recoded as krb5key:"
96	# print "%s" % (ndr_print(object_data).strip(),)	107	# print "%s" % (ndr_print(object_data).strip(),)
Lines 107-117 def decode_supplementalCredentials(value, kvno=0): Link Here
107	keytype = keytypes.get(k.keytype, k.keytype)	118	keytype = keytypes.get(k.keytype, k.keytype)
108	print "#\tkeytype: %s (%d)" % (keytype, k.keytype)	119	print "#\tkeytype: %s (%d)" % (keytype, k.keytype)
109	print "#\tkeyblock:",	120	print "#\tkeyblock:",
110	keyblock = heimdal.keyblock_raw(context, k.keytype, k.value)	121	keyblock = heimdal.keyblock_raw(krb5_context.ctx, k.keytype, k.value)
111	key_data = keyblock.keyvalue()	122	key_data = keyblock.keyvalue()
112	print binascii.b2a_base64(key_data).strip()	123	print binascii.b2a_base64(key_data).strip()
113	print "#\tkrb5SaltObject:",	124	print "#\tkrb5SaltObject:",
114	krb5SaltObject = heimdal.salt_raw(context, krb.ctr.salt.string)	125	krb5SaltObject = heimdal.salt_raw(krb5_context.ctx, krb.ctr.salt.string)
115	print krb5SaltObject.saltvalue()	126	print krb5SaltObject.saltvalue()
116	krb5key = heimdal.asn1_encode_key(keyblock, krb5SaltObject, kvno)	127	krb5key = heimdal.asn1_encode_key(keyblock, krb5SaltObject, kvno)
117	print "#\tkrb5Key:: %s" % binascii.b2a_base64(krb5key).strip()	128	print "#\tkrb5Key:: %s" % binascii.b2a_base64(krb5key).strip()