Attachment #9394 for bug #46301

View | Details | Raw Unified | Return to bug 46301
Collapse All | Expand All

(-)a/services/univention-s4-connector/debian/changelog (+7 lines)

Lines 1-3	Link Here

univention-s4-connector (12.0.2-2) unstable; urgency=medium

  * Bug #46292: Avoid segfault on krb5Key with unsupported

    Kerberos encryption type

 -- Arvid Requate <requate@univention.de>  Fri, 16 Feb 2018 13:06:44 +0100

univention-s4-connector (12.0.2-1) unstable; urgency=medium

univention-s4-connector (12.0.2-1) unstable; urgency=medium

  * Bug #32014: Sync account locking *state* from Samba/AD to OpenLDAP:

  * Bug #32014: Sync account locking *state* from Samba/AD to OpenLDAP:

(-)a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py (-1 / +11 lines)

Lines 46-51 import heimdal	Link Here

from ldap.controls import LDAPControl

from ldap.controls import LDAPControl

import traceback

import traceback

class Krb5Context(object):

	def __init__(self):

		self.ctx = heimdal.context()

		self.etypes = self.ctx.get_permitted_enctypes()

		self.etype_ids = [et.toint() for et in self.etypes]

krb5_context = Krb5Context()

def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):

def calculate_krb5key(unicodePwd, supplementalCredentials, kvno=0):

	up_blob = unicodePwd

	up_blob = unicodePwd

Lines 168-178 def calculate_supplementalCredentials(ucs_krb5key, old_supplementalCredentials):	Link Here

168

	krb_ctr4_salt = ''

175

	krb_ctr4_salt = ''

169

	for k in ucs_krb5key:

176

	for k in ucs_krb5key:

170

		(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)

177

		(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)

171

172

		key_data = keyblock.keyvalue()

178

		key_data = keyblock.keyvalue()

173

		saltstring = salt.saltvalue()

179

		saltstring = salt.saltvalue()

174

		enctype = keyblock.keytype()

180

		enctype = keyblock.keytype()

175

		enctype_id = enctype.toint()

181

		enctype_id = enctype.toint()

182

		if enctype_id not in krb5_context.etype_ids:

183

			ud.debug(ud.LDAP, ud.WARN, "calculate_supplementalCredentials: ignoring unsupported krb5_keytype: (%d)" % (enctype_id,))

184

			continue

185

176

		ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))

186

		ud.debug(ud.LDAP, ud.INFO, "calculate_supplementalCredentials: krb5_keytype: %s (%d)" % (enctype, enctype_id))

177

		if enctype_id == 18:

187

		if enctype_id == 18:

178

			krb5_aes256 = key_data

188

			krb5_aes256 = key_data

(-)a/services/univention-samba4/debian/changelog (+7 lines)

Lines 1-3	Link Here

univention-samba4 (7.0.2-3) unstable; urgency=medium

  * Bug #46292: Avoid s4search-decode segfault on krb5Key with unsupported

    Kerberos encryption type

 -- Arvid Requate <requate@univention.de>  Fri, 16 Feb 2018 12:57:40 +0100

univention-samba4 (7.0.2-2) unstable; urgency=medium

univention-samba4 (7.0.2-2) unstable; urgency=medium

  * Bug #46118: Bump version for rebuild in 4.3-0 main branch

  * Bug #46118: Bump version for rebuild in 4.3-0 main branch




from samba.ndr import ndr_print
from datetime import datetime

krb5_context = None

class Krb5Context(object):
	def __init__(self):
		self.ctx = heimdal.context()
		self.etypes = self.ctx.get_permitted_enctypes()
		self.etype_ids = [et.toint() for et in self.etypes]

keytypes = {
	1: 'des_crc',


regEx = re.compile('^([a-zA-Z0-9-]*):?: (.*)')


def decode_unicodePwd(value, kvno=0):
	global krb5_context
	if not krb5_context:
		krb5_context = Krb5Context()
	up_blob = binascii.a2b_base64(value)
	keyblock = heimdal.keyblock_raw(krb5_context.ctx, 23, up_blob)
	krb5key = heimdal.asn1_encode_key(keyblock, None, kvno)
	print "# decoded:"
	print "#\tsambaNTPassword:: %s" % binascii.b2a_hex(up_blob).upper().strip()



def decode_krb5Key(value):
	global krb5_context
	if not krb5_context:
		krb5_context = Krb5Context()
	k = binascii.a2b_base64(value)
	(keyblock, salt, kvno) = heimdal.asn1_decode_key(k)
	enctype = keyblock.keytype()
	enctype_id = enctype.toint()
	if enctype_id not in krb5_context.etype_ids:
		print "#\tSKIPPING ENC type %s, not support by this Heimdal version" % enctype_id
		return
	print "#\tkrb5_keytype: %s (%d)" % (enctype, enctype_id)
	key_data = keyblock.keyvalue()
	print "#\tkeyblock: ", binascii.b2a_base64(key_data).strip()



def decode_supplementalCredentials(value, kvno=0):
	global krb5_context
	if not krb5_context:
		krb5_context = Krb5Context()
	object_data = ndr_unpack(drsblobs.supplementalCredentialsBlob, binascii.a2b_base64(value))
	print "# supplementalCredentials recoded as krb5key:"
	# print "%s" % (ndr_print(object_data).strip(),)

				keytype = keytypes.get(k.keytype, k.keytype)
				print "#\tkeytype: %s (%d)" % (keytype, k.keytype)
				print "#\tkeyblock:",
				keyblock = heimdal.keyblock_raw(krb5_context.ctx, k.keytype, k.value)
				key_data = keyblock.keyvalue()
				print binascii.b2a_base64(key_data).strip()
				print "#\tkrb5SaltObject:",
				krb5SaltObject = heimdal.salt_raw(krb5_context.ctx, krb.ctr.salt.string)
				print krb5SaltObject.saltvalue()
				krb5key = heimdal.asn1_encode_key(keyblock, krb5SaltObject, kvno)
				print "#\tkrb5Key:: %s" % binascii.b2a_base64(krb5key).strip()

Return to bug 46301