author | Andrew Bartlett <abartlet@samba.org> | 2022-11-01 15:20:47 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:30 +0000 |
commit | 975e43fc45531fdea14b93a3b1529b3218a177e6 (patch) | |
tree | a436a898c2d681eef51bb13f98cfca24f7524a43 /third_party | |
parent | 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5 (diff) | |
CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/heimdal/kdc/kerberos5.c | 44 | ||||
-rw-r--r-- | third_party/heimdal/kdc/krb5tgs.c | 6 | ||||
-rw-r--r-- | third_party/heimdal/kdc/misc.c | 4 | ||||
-rw-r--r-- | third_party/heimdal/lib/hdb/hdb.asn1 | 3 |
4 files changed, 47 insertions, 10 deletions
diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index b4968afcaaf..e75686c625a 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -384,6 +384,39 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
 return ret;
 }
+/*
+ * The principal's session_etypes must be sorted in order of strength, with
+ * preferred etype first.
+*/
+krb5_error_code
+_kdc_find_session_etype(astgs_request_t r,
+ krb5_enctype *etypes, size_t len,
+ const hdb_entry *princ,
+ krb5_enctype *ret_enctype)
+{
+ size_t i;
+
+ if (princ->session_etypes == NULL) {
+ /* The principal must have session etypes available. */
+ return KRB5KDC_ERR_ETYPE_NOSUPP;
+ }
+
+ /* Loop over the client's specified etypes. */
+ for (i = 0; i < len; ++i) {
+ size_t j;
+
+ /* Check that the server also supports the etype. */
+ for (j = 0; j < princ->session_etypes->len; ++j) {
+ if (princ->session_etypes->val[j] == etypes[i]) {
+ *ret_enctype = etypes[i];
+ return 0;
+ }
+ }
+ }
+
+ return KRB5KDC_ERR_ETYPE_NOSUPP;
+}
+
 krb5_error_code
 _kdc_make_anonymous_principalname (PrincipalName *pn)
 {
@@ -2209,13 +2242,18 @@ _kdc_as_rep(astgs_request_t r)
 }
 /*
+ * This has to be here (not later), because we need to have r->sessionetype
+ * set prior to calling pa_pkinit_validate(), which in turn calls
+ * _kdc_pk_mk_pa_reply(), during padata validation.
+ */
+
+ /*
 * Select an enctype for the to-be-issued ticket's session key using the
 * intersection of the client's requested enctypes and the server's (like a
 * root krbtgt, but not necessarily) etypes from its HDB entry.
 */
- ret = _kdc_find_etype(r, (is_tgs ? KFE_IS_TGS:0),
- b->etype.val, b->etype.len,
- &r->sessionetype, NULL, NULL);
+ ret = _kdc_find_session_etype(r, b->etype.val, b->etype.len,
+ r->server, &r->sessionetype);
 if (ret) {
 kdc_log(r->context, config, 4,
 "Client (%s) from %s has no common enctypes with KDC "
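Review bot: The header comment on `_kdc_find_session_etype` says `session_etypes` must be sorted by strength with the preferred etype first, but the loop below walks the client's `etypes` in the outer loop and returns the first one found in `princ->session_etypes`, so the principal's ordering never influences the result — the client's request order does. Either the comment should be corrected, e.g. `/* Returns the first etype in the client's requested list that also appears in princ->session_etypes; the order of session_etypes itself is not consulted. */`, or, if the KDC-side preference is meant to win, the loops should be nested the other way round. The function also applies no `krb5_enctype_valid()` or weak-etype check to the etype it selects, so unless every backend filters disabled etypes when it populates `session_etypes`, an etype disabled in the KDC configuration could still be chosen as the session-key type — a comment stating which side owns that filtering would make the contract explicit. The `r` parameter is unused in the body.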
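Review bot: After the switch to `_kdc_find_session_etype`, the `kdc_log()` message `"Client (%s) from %s has no common enctypes with KDC "` is also reached when `r->server->session_etypes` is NULL, which is a different failure (the server entry carries no session etypes at all) that an operator cannot tell apart from a genuine etype mismatch in the log. A separate guard before the call, `if (r->server->session_etypes == NULL) { kdc_log(r->context, config, 4, "Server (%s) has no session etypes", ...); }`, or an additional clause in the existing message, would keep the audit trail precise; the same applies to the `"Server (%s) has no support for etypes"` message in the krb5tgs.c hunk. Since `is_tgs` is no longer used in this call, check whether it still has a use elsewhere in `_kdc_as_rep`; the function body continues outside the hunk.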
diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
index 893e77749cf..71991c17975 100644
--- a/third_party/heimdal/kdc/krb5tgs.c
+++ b/third_party/heimdal/kdc/krb5tgs.c
@@ -1816,10 +1816,8 @@ server_lookup:
 } else {
 Key *skey;
- ret = _kdc_find_etype(priv, krb5_principal_is_krbtgt(context, priv->server_princ)
- ? KFE_IS_TGS : 0,
- b->etype.val, b->etype.len, &etype, NULL,
- NULL);
+ ret = _kdc_find_session_etype(priv, b->etype.val, b->etype.len,
+ priv->server, &etype);
 if(ret) {
 kdc_log(context, config, 4,
 "Server (%s) has no support for etypes", spn);
diff --git a/third_party/heimdal/kdc/misc.c b/third_party/heimdal/kdc/misc.c
index b48503d26a0..eab8107935f 100644
--- a/third_party/heimdal/kdc/misc.c
+++ b/third_party/heimdal/kdc/misc.c
@@ -299,9 +299,9 @@ _kdc_get_preferred_key(krb5_context context,
 }
 }
- krb5_set_error_message(context, EINVAL,
+ krb5_set_error_message(context, ret = KRB5KDC_ERR_ETYPE_NOSUPP,
 "No valid kerberos key found for %s", name);
- return EINVAL; /* XXX */
+ return ret;
 }
 krb5_error_code
diff --git a/third_party/heimdal/lib/hdb/hdb.asn1 b/third_party/heimdal/lib/hdb/hdb.asn1
index abc75f742cc..1a763de3d44 100644
--- a/third_party/heimdal/lib/hdb/hdb.asn1
+++ b/third_party/heimdal/lib/hdb/hdb.asn1
@@ -237,7 +237,8 @@ HDB_entry ::= SEQUENCE {
 flags[10] HDBFlags,
 etypes[11] HDB-EncTypeList OPTIONAL,
 generation[12] GENERATION OPTIONAL,
- extensions[13] HDB-extensions OPTIONAL
+ extensions[13] HDB-extensions OPTIONAL,
+ session-etypes[14] HDB-EncTypeList OPTIONAL
 }
 HDB_entry_alias ::= [APPLICATION 0] SEQUENCE { |
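Review bot: In `_kdc_get_preferred_key`, the assignment `ret = KRB5KDC_ERR_ETYPE_NOSUPP` is embedded inside the `krb5_set_error_message()` argument list, which is easy to overlook when reading and depends on `ret` being declared earlier in the function, outside the hunk. Assigning on its own line first, `ret = KRB5KDC_ERR_ETYPE_NOSUPP;` followed by `krb5_set_error_message(context, ret, "No valid kerberos key found for %s", name);`, keeps the side effect visible. Replacing the `EINVAL` return with a KRB5KDC error code also changes what callers observe; any caller that compares against `EINVAL` would need updating, which this commit does not show.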
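Review bot: The new `session-etypes[14]` member of `HDB_entry` carries no comment describing how it differs from `etypes[11]`, while the kerberos5.c hunk in this commit treats its absence as `KRB5KDC_ERR_ETYPE_NOSUPP` rather than falling back to `etypes`, so backends that populate `HDB_entry` need to know it is effectively required for session-key selection. A short comment on the field, e.g. `-- enctypes usable for session keys issued for this principal; when absent the KDC selects no session-key enctype`, would capture that contract in the schema itself. Whether previously encoded entries lacking tag [14] still decode depends on the ASN.1 compiler's treatment of a trailing OPTIONAL member, which this hunk does not show.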