samba-mirror

sin/samba-mirror

Fork 0

mirror of https://github.com/samba-team/samba.git synced 2025-12-14 20:23:54 +03:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Douglas Bagnall	f1a8280169	librpc:bcrypt_rsakey_blob: exponent and modulus lengths can't be zero Apart from it making no sense, without these ranges we end up allocating a NULL buffer and aborting. We also put a maximum size on the RSA key, in case we could get tricked into a DoS by pulling a large buffer and trying crypto maths on it. 6 0x572ebce2749a in talloc_abort samba/lib/talloc/talloc.c:506:3 7 0x572ebce271d4 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0 8 0x572ebce271d4 in __talloc_with_prefix samba/lib/talloc/talloc.c:762:12 9 0x572ebce235f9 in __talloc samba/lib/talloc/talloc.c:825:9 10 0x572ebce235f9 in _talloc_named_const samba/lib/talloc/talloc.c:982:8 11 0x572ebce235f9 in _talloc_memdup samba/lib/talloc/talloc.c:2441:9 12 0x572ebc8f6a4f in data_blob_talloc_named samba/lib/util/data_blob.c:56:25 13 0x572ebc7d23bd in pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17 14 0x572ebc7d23bd in ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10 15 0x572ebc788e90 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13 REF: https://issues.oss-fuzz.com/issues/435039896 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org> Autobuild-Date(master): Thu Jul 31 05:45:07 UTC 2025 on atb-devel-224	2025-07-31 05:45:07 +00:00
Gary Lockyer	acd0fccfdd	librpc/idl: Add idl for BCRYPT_RSAKEY_BLOB Idl and tests for BCRYPT_RSAKEY_BLOB See https://learn.microsoft.com/en-us/windows/win32/api/ bcrypt/ns-bcrypt-bcrypt_rsakey_blob This is one of the encodings of msDSKeyCredentialLink KeyMaterial when KeyUsage is KEY_USAGE_NGC. As there appears to be no official documentation on the contents of KeyMaterial have based this on. `271dd969e0`/ dsinternals/common/data/hello/KeyCredential.py#L75-L92 Note: only RSA public keys are handled Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2025-07-29 04:30:34 +00:00

Douglas Bagnall

f1a8280169

librpc:bcrypt_rsakey_blob: exponent and modulus lengths can't be zero

Apart from it making no sense, without these ranges we end up
allocating a NULL buffer and aborting.

We also put a maximum size on the RSA key, in case we could get
tricked into a DoS by pulling a large buffer and trying crypto maths
on it.

 6 0x572ebce2749a in talloc_abort samba/lib/talloc/talloc.c:506:3
 7 0x572ebce271d4 in talloc_chunk_from_ptr samba/lib/talloc/talloc.c:0
 8 0x572ebce271d4 in __talloc_with_prefix samba/lib/talloc/talloc.c:762:12
 9 0x572ebce235f9 in __talloc samba/lib/talloc/talloc.c:825:9
10 0x572ebce235f9 in _talloc_named_const samba/lib/talloc/talloc.c:982:8
11 0x572ebce235f9 in _talloc_memdup samba/lib/talloc/talloc.c:2441:9
12 0x572ebc8f6a4f in data_blob_talloc_named samba/lib/util/data_blob.c:56:25
13 0x572ebc7d23bd in pull_BCRYPT_RSAPUBLIC_BLOB samba/librpc/ndr/ndr_keycredlink.c:878:17
14 0x572ebc7d23bd in ndr_pull_KeyMaterialInternal samba/librpc/ndr/ndr_keycredlink.c:959:10
15 0x572ebc788e90 in LLVMFuzzerTestOneInput samba/bin/default/lib/fuzzing/fuzz_ndr_keycredlink_TYPE_STRUCT.c:282:13

REF: https://issues.oss-fuzz.com/issues/435039896

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Jul 31 05:45:07 UTC 2025 on atb-devel-224

2025-07-31 05:45:07 +00:00

Gary Lockyer

acd0fccfdd

librpc/idl: Add idl for BCRYPT_RSAKEY_BLOB

Idl and tests for BCRYPT_RSAKEY_BLOB
See https://learn.microsoft.com/en-us/windows/win32/api/
            bcrypt/ns-bcrypt-bcrypt_rsakey_blob

This is one of the encodings of msDSKeyCredentialLink KeyMaterial when
KeyUsage is KEY_USAGE_NGC. As there appears to be no official
documentation on the contents of KeyMaterial have based this on.

    271dd969e0/
            dsinternals/common/data/hello/KeyCredential.py#L75-L92

Note: only RSA public keys are handled

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2025-07-29 04:30:34 +00:00

2 Commits