RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2176406 - Make sign_authdata() generate extended KDC signature [rhel-8]
Summary: Make sign_authdata() generate extended KDC signature [rhel-8]
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Julien Rische
QA Contact: Michal Polovka
Depends On: 2169477
Blocks: 2211387
TreeView+ depends on / blocked
Reported: 2023-03-08 10:10 UTC by Julien Rische
Modified: 2023-11-21 12:46 UTC (History)
7 users (show)

Fixed In Version: ipa-4.9.12-4.module+el8.9.0+19311+cb2600ad
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2182671 2211387 (view as bug list)
Last Closed: 2023-11-14 15:32:50 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 9373 0 None None None 2023-05-03 08:13:20 UTC
Github freeipa freeipa pull 6785 0 None open [WIP] Handle PAC signatures based on domain and server capabilities 2023-04-24 11:42:55 UTC
Red Hat Issue Tracker FREEIPA-9550 0 None None None 2023-03-08 10:11:16 UTC
Red Hat Issue Tracker RHELPLAN-151030 0 None None None 2023-03-08 10:11:22 UTC
Red Hat Product Errata RHBA-2023:6977 0 None None None 2023-11-14 15:33:36 UTC

Description Julien Rische 2023-03-08 10:10:26 UTC
Support for the PAC extended KDC signature (or "full PAC checksum") has recently been implemented upstream[1] for MIT Kerberos. The fix for bug 2169477 backports the krb5_kdc_sign_ticket() function[2] to krb5 1.18.2. This function is a replacement for krb5_pac_sign() and krb5_pac_sign_ext() functions[3], which are currently used in IPA 4.9.11[4]. These two functions do not generate the extended KDC signature, only krb5_kdc_sign_ticket() does. This is the reason why we are backporting it.

The krb5_kdc_sign_ticket() function was initially introduced[5] to support the new "ticket signature" which was introduced by Microsoft[6] to mitigate CVE-2020-17049 (bronze bit attack). This is the reason why this function expects a krb5_enc_tkt_part[7] parameter representing the encrypted part of the ticket out of which the "ticket signature" is generated.

So, the krb5_kdc_sign_ticket() function generates both the "ticket signature" and the "extended KDC signature", and needs the encrypted part of the ticket.

However, on IPA 4.9.11 the PAC is generated by setting the sign_authdata() callback[8][9]. This callback does not provide the ticket's encrypted part as parameter, making krb5_kdc_sign_ticket() not usable in practice.

To be mentioned that, according to the document[10] that made CVE-2022-37967 public, the ticket signature does not have to be present for the PAC to be accepted.

[1]  https://github.com/krb5/krb5/commit/4602a10dbe380d75d1ec00f7d34479ac9d503735
[2]  https://github.com/krb5/krb5/blob/e35b32f81f9defbcce4f2398d93a975ffb807ee7/src/include/krb5/krb5.hin#L8365-L8393 
[3]  https://github.com/krb5/krb5/blob/e35b32f81f9defbcce4f2398d93a975ffb807ee7/src/include/krb5/krb5.hin#L8351-L8363
[4]  https://pagure.io/freeipa/blob/ipa-4-9/f/daemons/ipa-kdb/ipa_kdb_mspac_v6.c#_179
[5]  https://github.com/krb5/krb5/commit/ee4e3c5c9eee061048d5b7393b8f3820d1a563a8
[6]  https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-201123-diff.pdf
     Page 26, section 2.8.3
[7]  https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/include/krb5/krb5.hin#L1927-L1938
[8]  https://github.com/krb5/krb5/blob/4c3063afb4a4b141b70d56aa381784f7efd637c9/src/include/kdb.h#L1277-L1360
[9]  https://pagure.io/freeipa/blob/ipa-4-9/f/daemons/ipa-kdb/ipa_kdb.c#_725
[10] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
     Page 6, 1st paragraph

Comment 3 Julien Rische 2023-04-24 11:42:55 UTC
Upstream pull request:

Comment 4 Julien Rische 2023-05-03 08:13:19 UTC
Upstream ticket:

Comment 5 Rob Crittenden 2023-05-16 18:35:00 UTC
Fixed upstream

Comment 23 errata-xmlrpc 2023-11-14 15:32:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.