sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-04 17:47:26 +03:00
Code

CVE-2022-37966 kdc: Assume trust objects support AES by default

Browse Source 
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
This commit is contained in:
Joseph Sutton 2022-11-22 11:32:34 +13:00 committed by Stefan Metzmacher
parent a836bcf22c
commit c13c60ffbf
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source4/kdc/db-glue.c
View File

@ -1472,9 +1472,10 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
NTSTATUS status;
if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
/* If not told otherwise, Windows now assumes that trusts support AES. */
supported_enctypes = ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
supported_enctypes);
ENC_HMAC_SHA1_96_AES256);
}
status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);