CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'

This makes it more flexible when we change the global default to 'reject md5 servers = yes'. 'allow nt4 crypto = no' is already the default. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
author: Stefan Metzmacher <metze@samba.org> 2022-11-25 13:13:36 +0100
committer: Stefan Metzmacher <metze@samba.org> 2022-12-14 10:28:16 +0000
commit: d2dc3622d4522cbc224fcae384475bf7430988cf (patch)
tree: ff876d2335dbf6ae599caaa36933df60a822afb0 /source4
parent: c25546926f57b66c9b19c8a0fca8a40e85aa400a (diff)
download: samba-d2dc3622d4522cbc224fcae384475bf7430988cf.tar.gz
1 files changed, 55 insertions, 3 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index e39a530fd7f..f303dc00ada 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -130,12 +130,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
 	struct netr_ServerAuthenticate3 *r,
 	struct netlogon_server_pipe_state *pipe_state,
 	uint32_t negotiate_flags,
+	const char *trust_account_in_db,
 	NTSTATUS orig_status)
 {
 	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
-	bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
-	bool reject_des_client = !allow_nt4_crypto;
-	bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+	bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
+	bool account_allow_nt4_crypto = global_allow_nt4_crypto;
+	const char *explicit_nt4_opt = NULL;
+	bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+	bool account_reject_md5_client = global_reject_md5_client;
+	const char *explicit_md5_opt = NULL;
+	bool reject_des_client;
+	bool allow_nt4_crypto;
+	bool reject_md5_client;
+
+	/*
+	 * We don't use lpcfg_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+
+	if (trust_account_in_db != NULL) {
+		explicit_nt4_opt = lpcfg_get_parametric(lp_ctx,
+							NULL,
+							"allow nt4 crypto",
+							trust_account_in_db);
+	}
+	if (explicit_nt4_opt != NULL) {
+		account_allow_nt4_crypto = lp_bool(explicit_nt4_opt);
+	}
+	allow_nt4_crypto = account_allow_nt4_crypto;
+	if (trust_account_in_db != NULL) {
+		explicit_md5_opt = lpcfg_get_parametric(lp_ctx,
+							NULL,
+							"server reject md5 schannel",
+							trust_account_in_db);
+	}
+	if (explicit_md5_opt != NULL) {
+		account_reject_md5_client = lp_bool(explicit_md5_opt);
+	}
+	reject_md5_client = account_reject_md5_client;
+
+	reject_des_client = !allow_nt4_crypto;
 
 	/*
 	 * If weak cryto is disabled, do not announce that we support RC4.
@@ -321,12 +357,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	case SEC_CHAN_NULL:
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_INVALID_PARAMETER);
 	default:
 		DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
 			  r->in.secure_channel_type));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_INVALID_PARAMETER);
 	}
 
@@ -334,6 +372,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	if (sam_ctx == NULL) {
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_INVALID_SYSTEM_SERVICE);
 	}
 
@@ -365,6 +404,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (encoded_name == NULL) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_MEMORY);
 		}
 
@@ -372,12 +412,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (len < 2) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 
 		if (require_trailer && encoded_name[len - 1] != trailer) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 		encoded_name[len - 1] = '\0';
@@ -398,11 +440,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 				  encoded_name));
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				nt_status);
 		}
 
@@ -412,11 +456,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				nt_status);
 		}
 
@@ -424,6 +470,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (flatname == NULL) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 
@@ -431,6 +478,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (*trust_account_for_search == NULL) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_MEMORY);
 		}
 	} else {
@@ -448,6 +496,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 			 log_escape(mem_ctx, r->in.account_name)));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 	}
 
@@ -457,6 +506,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 			 log_escape(mem_ctx, r->in.account_name)));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_INTERNAL_DB_CORRUPTION);
 	}
 
@@ -468,11 +518,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 			 r->in.account_name));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_INTERNAL_DB_CORRUPTION);
 	}
 
 	nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			*trust_account_in_db,
 			NT_STATUS_OK);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
author	Stefan Metzmacher <metze@samba.org>	2022-11-25 13:13:36 +0100
committer	Stefan Metzmacher <metze@samba.org>	2022-12-14 10:28:16 +0000
commit	d2dc3622d4522cbc224fcae384475bf7430988cf (patch)
tree	ff876d2335dbf6ae599caaa36933df60a822afb0 /source4
parent	c25546926f57b66c9b19c8a0fca8a40e85aa400a (diff)
download	samba-d2dc3622d4522cbc224fcae384475bf7430988cf.tar.gz