
CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry

This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cb382f7cddebabde3dac2b4bdb50d5b864463abf)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
[jsutton@samba.org Adapted to Samba 4.15; removed FAST-supported bit for
 KDC]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Joseph Sutton 2021-12-24 16:59:12 +13:00 committed by Stefan Metzmacher
parent d09d8f995c
commit 86834042a1
2 changed files with 27 additions and 4 deletions


@ -324,7 +324,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
bool is_rodc, bool is_rodc,
uint32_t userAccountControl, uint32_t userAccountControl,
enum samba_kdc_ent_type ent_type, enum samba_kdc_ent_type ent_type,
struct sdb_entry_ex *entry_ex) struct sdb_entry_ex *entry_ex,
uint32_t *supported_enctypes_out)
{ {
struct sdb_entry *entry = &entry_ex->entry; struct sdb_entry *entry = &entry_ex->entry;
krb5_error_code ret = 0; krb5_error_code ret = 0;
@ -347,6 +348,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
= ldb_msg_find_attr_as_uint(msg, = ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes", "msDS-SupportedEncryptionTypes",
0); 0);
*supported_enctypes_out = 0;
if (rid == DOMAIN_RID_KRBTGT || is_rodc) { if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
/* KDCs (and KDCs on RODCs) use AES */ /* KDCs (and KDCs on RODCs) use AES */
@ -460,6 +462,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.len++; entry_ex->entry.keys.len++;
} }
*supported_enctypes_out = supported_enctypes;
ret = 0; ret = 0;
goto out; goto out;
} }
@ -610,15 +614,19 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++; entry_ex->entry.keys.len++;
*supported_enctypes_out |= ENC_RC4_HMAC_MD5;
} }
if (pkb4) { if (pkb4) {
for (i=0; i < pkb4->num_keys; i++) { for (i=0; i < pkb4->num_keys; i++) {
struct sdb_key key = {}; struct sdb_key key = {};
uint32_t enctype_bit;
if (!pkb4->keys[i].value) continue; if (!pkb4->keys[i].value) continue;
if (!(kerberos_enctype_to_bitmap(pkb4->keys[i].keytype) & supported_enctypes)) { enctype_bit = kerberos_enctype_to_bitmap(pkb4->keys[i].keytype);
if (!(enctype_bit & supported_enctypes)) {
continue; continue;
} }
@ -669,14 +677,18 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++; entry_ex->entry.keys.len++;
*supported_enctypes_out |= enctype_bit;
} }
} else if (pkb3) { } else if (pkb3) {
for (i=0; i < pkb3->num_keys; i++) { for (i=0; i < pkb3->num_keys; i++) {
struct sdb_key key = {}; struct sdb_key key = {};
uint32_t enctype_bit;
if (!pkb3->keys[i].value) continue; if (!pkb3->keys[i].value) continue;
if (!(kerberos_enctype_to_bitmap(pkb3->keys[i].keytype) & supported_enctypes)) { enctype_bit = kerberos_enctype_to_bitmap(pkb3->keys[i].keytype);
if (!(enctype_bit & supported_enctypes)) {
continue; continue;
} }
@ -725,9 +737,16 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++; entry_ex->entry.keys.len++;
*supported_enctypes_out |= enctype_bit;
} }
} }
/* Set FAST support bits */
*supported_enctypes_out |= supported_enctypes & (ENC_FAST_SUPPORTED |
ENC_COMPOUND_IDENTITY_SUPPORTED |
ENC_CLAIMS_SUPPORTED);
returned_kvno = current_kvno; returned_kvno = current_kvno;
if (is_krbtgt) { if (is_krbtgt) {
/* /*
@ -957,6 +976,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
krb5_boolean is_computer = FALSE; krb5_boolean is_computer = FALSE;
struct samba_kdc_entry *p; struct samba_kdc_entry *p;
uint32_t supported_enctypes = 0;
NTTIME acct_expiry; NTTIME acct_expiry;
NTSTATUS status; NTSTATUS status;
@ -1259,13 +1279,14 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* Get keys from the db */ /* Get keys from the db */
ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg, ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
rid, is_rodc, userAccountControl, rid, is_rodc, userAccountControl,
ent_type, entry_ex); ent_type, entry_ex, &supported_enctypes);
if (ret) { if (ret) {
/* Could be bogus data in the entry, or out of memory */ /* Could be bogus data in the entry, or out of memory */
goto out; goto out;
} }
p->msg = talloc_steal(p, msg); p->msg = talloc_steal(p, msg);
p->supported_enctypes = supported_enctypes;
out: out:
if (ret != 0) { if (ret != 0) {
@ -1406,6 +1427,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
p->is_trust = true; p->is_trust = true;
p->kdc_db_ctx = kdc_db_ctx; p->kdc_db_ctx = kdc_db_ctx;
p->realm_dn = realm_dn; p->realm_dn = realm_dn;
p->supported_enctypes = supported_enctypes;
talloc_set_destructor(p, samba_kdc_entry_destructor); talloc_set_destructor(p, samba_kdc_entry_destructor);
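Review bot: The new out-parameter `supported_enctypes_out` (hunk at -324,7) has no comment stating what it reports, and the two paths fill it differently: the krbtgt/RODC branch (hunk at -460,6) copies `supported_enctypes` wholesale, while the other branches OR in only the bit of each key actually appended to `entry_ex->entry.keys` and then add the FAST/compound-identity/claims bits from `supported_enctypes` (hunk at -725,9). A comment on the parameter along the lines of `/* Out: ENC_* bitmap of enctypes for which a key was stored in entry_ex, plus (non-KDC entries) the FAST/compound-identity/claims bits from msDS-SupportedEncryptionTypes; left 0 on error */` would make that contract explicit for callers. If `supported_enctypes` in the krbtgt/RODC branch can still carry bits for which no key was added (the start of that branch is outside the hunk), those bits would be advertised in PA-SUPPORTED-ENCTYPES without a key behind them; deriving the value from the appended keys there too, as the other branches do, would remove the discrepancy. The trust path in samba_kdc_trust_message2entry (hunk at -1406,6) assigns a `supported_enctypes` whose origin is outside the hunk, so whether it is key-backed cannot be confirmed from here.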


@ -58,6 +58,7 @@ struct samba_kdc_entry {
bool is_rodc; bool is_rodc;
bool is_trust; bool is_trust;
void *entry_ex; void *entry_ex;
uint32_t supported_enctypes;
}; };
extern struct hdb_method hdb_samba4_interface; extern struct hdb_method hdb_samba4_interface;
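Review bot: The new `supported_enctypes` member of `struct samba_kdc_entry` is added without a comment, while the neighbouring members at least have self-describing names. A trailing comment such as `uint32_t supported_enctypes; /* ENC_* bitmap returned to clients as PA-SUPPORTED-ENCTYPES; filled by samba_kdc_message2entry_keys */` would let readers of the header understand the field without tracing the assignments in the other file.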