From 78ac66939a3a2d6352610e4681540c1b660e46f9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 5 Mar 2022 00:39:14 +0100
Subject: [PATCH] kdc: remember kvno numbers for longterm key pre-auth

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Upstream: https://github.com/heimdal/heimdal/pull/970

Signed-off-by: Stefan Metzmacher
---
 third_party/heimdal/kdc/kdc-audit.h | 3 +++
 third_party/heimdal/kdc/kerberos5.c | 26 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/third_party/heimdal/kdc/kdc-audit.h b/third_party/heimdal/kdc/kdc-audit.h
index 1e58c258ae74..df5362031f5a 100644
--- a/third_party/heimdal/kdc/kdc-audit.h
+++ b/third_party/heimdal/kdc/kdc-audit.h
@@ -62,7 +62,10 @@
 #define KDC_REQUEST_KV_AUTH_EVENT "#auth_event" /* heim_number_t */
 #define KDC_REQUEST_KV_PA_NAME "pa" /* heim_string_t */
 #define KDC_REQUEST_KV_PA_ETYPE "pa-etype" /* heim_number_t */
+#define KDC_REQUEST_KV_PA_SUCCEEDED_KVNO "pa-succeeded-kvno" /* heim_number_t */
+#define KDC_REQUEST_KV_PA_FAILED_KVNO "pa-failed-kvno" /* heim_number_t */
 #define KDC_REQUEST_KV_GSS_INITIATOR "gss_initiator" /* heim_string_t */
 #define KDC_REQUEST_KV_PKINIT_CLIENT_CERT "pkinit_client_cert" /* heim_string_t */
+#define KDC_REQUEST_KV_PA_HISTORIC_KVNO "pa-historic-kvno" /* heim_number_t */
 
 #endif /* HEIMDAL_KDC_KDC_AUDIT_H */
diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index 1935434f144a..38d93e323718 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -866,6 +866,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 estr, r->cname);
 free(estr);
 free_EncryptedData(&enc_data);
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_FAILED_KVNO,
+ kvno);
 return ret;
 }
 if (ret == KRB5KRB_AP_ERR_SKEW) {
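Review bot: The three new audit keys in kdc-audit.h carry only the value-type comment, and nothing in the header says when each is set or how they relate, which matters because the kerberos5.c hunks can set more than one of them on a single request (pa-failed-kvno before the historic-key retry, pa-historic-kvno when an older key decrypts, pa-succeeded-kvno on validation). A one-line comment per define, worded after the semantics those hunks suggest, would let audit consumers interpret them without reading kerberos5.c, e.g. `/* kvno of the current long-term key when it failed to decrypt the pre-auth data */` on KDC_REQUEST_KV_PA_FAILED_KVNO, `/* kvno of the older (historic) key that did decrypt it, if any */` on KDC_REQUEST_KV_PA_HISTORIC_KVNO and `/* kvno recorded when pre-auth validated against a long-term key */` on KDC_REQUEST_KV_PA_SUCCEEDED_KVNO. As a point of style, KDC_REQUEST_KV_PA_HISTORIC_KVNO is added after PKINIT_CLIENT_CERT rather than next to the other two PA_*_KVNO defines; keeping the three pa-*-kvno keys adjacent would make the grouping obvious.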
@@ -896,6 +899,10 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 * via pa_enc_chal_decrypt_kvno()
 */
 
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_FAILED_KVNO,
+ kvno);
+
 /*
 * Check if old and older keys are
 * able to decrypt.
@@ -917,6 +924,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 NULL, /* KDCchallengekey */
 NULL); /* used_key */
 if (hret == 0) {
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_HISTORIC_KVNO,
+ hkvno);
 break;
 }
 if (hret == KRB5KDC_ERR_ETYPE_NOSUPP) {
@@ -982,6 +992,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 kstr ? kstr : "unknown enctype");
 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
 KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_SUCCEEDED_KVNO,
+ kvno);
 return 0;
 }
 
@@ -1109,6 +1122,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 estr, r->cname);
 free(estr);
 free_EncryptedData(&enc_data);
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_FAILED_KVNO,
+ kvno);
 goto out;
 }
 if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
@@ -1117,6 +1133,10 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 krb5_error_code hret = ret;
 int hi;
 
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_FAILED_KVNO,
+ kvno);
+
 /*
 * Check if old and older keys are
 * able to decrypt.
@@ -1135,6 +1155,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 NULL); /* pa_key */
 if (hret == 0) {
 krb5_data_free(&ts_data);
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_HISTORIC_KVNO,
+ hkvno);
 break;
 }
 if (hret == KRB5KDC_ERR_ETYPE_NOSUPP) {
@@ -1220,6 +1243,9 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 pa_key->key.keytype);
 kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
 KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY);
+ kdc_audit_setkv_number((kdc_request_t)r,
+ KDC_REQUEST_KV_PA_SUCCEEDED_KVNO,
+ kvno);
 ret = 0;
-- 
2.34.1
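Review bot: On the historic-key path the audit record ends up with `pa-failed-kvno` and `pa-succeeded-kvno` both taken from the same `kvno`: the hunk at -896 sets KDC_REQUEST_KV_PA_FAILED_KVNO from `kvno` before the retry loop, the hunk at -917 records the older key that matched as KDC_REQUEST_KV_PA_HISTORIC_KVNO from `hkvno`, and the success hunk at -982 then sets KDC_REQUEST_KV_PA_SUCCEEDED_KVNO from `kvno` again. Unless `kvno` is reassigned to `hkvno` after the loop, which is not visible in these hunks, a consumer reading `pa-succeeded-kvno` alone sees the current key rather than the one that actually decrypted the pre-auth, and only the presence of `pa-historic-kvno` tells the two cases apart. Either record the decrypting key's kvno at -982, or add a comment above that call such as `/* On the historic-key path this is still the current kvno; pa-historic-kvno names the key that decrypted. */` so the three keys are interpreted consistently. The same pattern appears in pa_enc_ts_validate at -1117, -1135 and -1220. Both pa_enc_chal_validate and pa_enc_ts_validate start and end outside these hunks.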