summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2016-11-22 17:08:46 +0100
committerKarolin Seeger <kseeger@samba.org>2016-12-19 10:52:16 +0100
commitb5cc9bd4b2bec4bfe26c554a50551d8fd9bb9f6e (patch)
treecf9ac1c8e9d020b2aa5c5d197ef705247bd43366
parente2c7a9f328ee0ef7111aaa0c4abd1fa12bc959fa (diff)
downloadsamba-b5cc9bd4b2bec4bfe26c554a50551d8fd9bb9f6e.tar.gz
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the corresponding aes based keytype. Otherwise we may trigger an undefined code path deep in the kerberos libraries, which can leed to segmentation faults. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat
-rw-r--r--auth/kerberos/kerberos_pac.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7fad0e..7b6efdc8db0 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
View Lorry Controller Status