Bug 2182671

Summary: Make sign_authdata() generate extended KDC signature [f37]
Product: [Fedora] Fedora
Reporter: Julien Rische <jrische>
Component: freeipa
Assignee: Julien Rische <jrische>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 37
CC: abokovoy, frenaud, ftrivino, ipa-maint, ipa-qe, jhrozek, mhjacks, pvoborni, rcritten, ssorce, tscherf, twoerner
Keywords: Triaged
Clone Of: 2176406
Last Closed: 2023-07-19 15:02:42 UTC
Type: Bug
Bug Depends On: 2182135

Description Julien Rische 2023-03-29 10:04:54 UTC
+++ This bug was initially created as a clone of Bug #2176406 +++

Support for the PAC extended KDC signature (or "full PAC checksum") has recently been implemented upstream[1] for MIT Kerberos. The fix for bug 2169477 backports the krb5_kdc_sign_ticket() function[2] to krb5 1.18.2. This function is a replacement for krb5_pac_sign() and krb5_pac_sign_ext() functions[3], which are currently used in IPA 4.9.11[4]. These two functions do not generate the extended KDC signature, only krb5_kdc_sign_ticket() does. This is the reason why we are backporting it.

The krb5_kdc_sign_ticket() function was initially introduced[5] to support the new "ticket signature" which was introduced by Microsoft[6] to mitigate CVE-2020-17049 (bronze bit attack). This is the reason why this function expects a krb5_enc_tkt_part[7] parameter representing the encrypted part of the ticket out of which the "ticket signature" is generated.

So, the krb5_kdc_sign_ticket() function generates both the "ticket signature" and the "extended KDC signature", and needs the encrypted part of the ticket.

However, on IPA 4.9.11 the PAC is generated by setting the sign_authdata() callback[8][9]. This callback does not provide the ticket's encrypted part as a parameter, making krb5_kdc_sign_ticket() not usable in practice.

It should be mentioned that, according to the document[10] that made CVE-2022-37967 public, the ticket signature does not have to be present for the PAC to be accepted.


[1]  https://github.com/krb5/krb5/commit/4602a10dbe380d75d1ec00f7d34479ac9d503735
[2]  https://github.com/krb5/krb5/blob/e35b32f81f9defbcce4f2398d93a975ffb807ee7/src/include/krb5/krb5.hin#L8365-L8393 
[3]  https://github.com/krb5/krb5/blob/e35b32f81f9defbcce4f2398d93a975ffb807ee7/src/include/krb5/krb5.hin#L8351-L8363
[4]  https://pagure.io/freeipa/blob/ipa-4-9/f/daemons/ipa-kdb/ipa_kdb_mspac_v6.c#_179
[5]  https://github.com/krb5/krb5/commit/ee4e3c5c9eee061048d5b7393b8f3820d1a563a8
[6]  https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-201123-diff.pdf
     Page 26, section 2.8.3
[7]  https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/include/krb5/krb5.hin#L1927-L1938
[8]  https://github.com/krb5/krb5/blob/4c3063afb4a4b141b70d56aa381784f7efd637c9/src/include/kdb.h#L1277-L1360
[9]  https://pagure.io/freeipa/blob/ipa-4-9/f/daemons/ipa-kdb/ipa_kdb.c#_725
[10] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
     Page 6, 1st paragraph

Comment 1 Julien Rische 2023-04-24 11:41:18 UTC
Upstream pull request:
https://github.com/freeipa/freeipa/pull/6785

Comment 3 Julien Rische 2023-07-19 15:02:42 UTC
Not supporting the new PAC extended KDC signature would only affect cross-realm resource-based constrained delegation requests between FreeIPA and Active Directory. But this type of request is not supported by FreeIPA at this point anyway. Hence, backporting this feature to Fedora 37 will not have any benefit.