samba/backport-0050-CVE-2022-37966.patch


From ca15d88d6e6907b164b2e9d4fb78c283b82c843d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 09:05:51 +0100
Subject: [PATCH 50/54] CVE-2022-37966 param: let "kdc default domain
supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to stay the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../security/kdcdefaultdomainsupportedenctypes.xml | 2 +-
lib/param/loadparm.c | 4 ----
python/samba/tests/krb5/etype_tests.py | 2 ++
python/samba/tests/krb5/kdc_base_test.py | 6 +++++-
source3/param/loadparm.c | 3 ---
source4/kdc/db-glue.c | 6 +++++-
6 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
index e93650ac3e07..984611167b59 100644
--- a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -38,5 +38,5 @@
</description>
-<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1cb25f843b3b..8387242c25f5 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3087,10 +3087,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"rpc start on demand helpers",
"yes");
- lpcfg_do_global_parameter(lp_ctx,
- "kdc default domain supported enctypes",
- "rc4-hmac aes256-cts-hmac-sha1-96-sk");
-
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py
index 1a16518df94e..9725d544c2ac 100755
--- a/python/samba/tests/krb5/etype_tests.py
+++ b/python/samba/tests/krb5/etype_tests.py
@@ -63,6 +63,8 @@ class EtypeTests(KdcTgsBaseTests):
lp = self.get_lp()
self.default_supported_enctypes = lp.get(
'kdc default domain supported enctypes')
+ if self.default_supported_enctypes == 0:
+ self.default_supported_enctypes = rc4_bit | aes256_sk_bit
def _server_creds(self, supported=None, force_nt4_hash=False,
account_type=None):
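Review bot: The fallback `rc4_bit | aes256_sk_bit` hard-codes the software's built-in default a second time, and the same set appears again in the second kdc_base_test.py hunk and as `ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK` in the db-glue.c hunk, so if the built-in default ever changes the tests will keep checking the old set unless someone remembers all three places. A comment next to the guard would at least make the coupling visible: `# 0 means "use the built-in default"; keep in sync with the fallback in source4/kdc/db-glue.c`. Better still would be one helper in kdc_base_test.py that resolves the 0 case, called from both tests, so the value lives in a single place. The names `rc4_bit` and `aes256_sk_bit` are defined in kdc_base_test.py and their import into this file is not visible in the hunk; worth confirming it exists. The enclosing method starts outside the hunk.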
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 1016d056eefb..46271a90bcf4 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -63,6 +63,9 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba import net
from samba.samdb import SamDB, dsdb_Dn
+rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
+aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
+
from samba.tests import delete_force
import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.raw_testcase import (
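Review bot: The new module-level assignments `rc4_bit` and `aes256_sk_bit` are placed in the middle of the import block, between the samdb import and `from samba.tests import delete_force`, which splits the imports and makes the constants easy to miss. Moving both lines below the last import, with a one-line comment such as `# Bits of the built-in "kdc default domain supported enctypes" default`, keeps the import block contiguous as PEP 8 expects. This assumes `security` is already imported above the hunk, which the existing references suggest but which is not visible here.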
@@ -664,7 +667,8 @@ class KDCBaseTest(RawKerberosTest):
if supported_enctypes is None:
lp = self.get_lp()
supported_enctypes = lp.get('kdc default domain supported enctypes')
-
+ if supported_enctypes == 0:
+ supported_enctypes = rc4_bit | aes256_sk_bit
supported_enctypes = int(supported_enctypes)
if extra_bits is not None:
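Review bot: The `== 0` guard runs before the `int(supported_enctypes)` conversion on the following line; if `lp.get()` can hand back this parameter as a string, which the existing int() conversion hints at, then `'0' == 0` is False, the fallback is skipped and the later int() yields a supported set of 0. Converting first closes that gap: `supported_enctypes = int(lp.get('kdc default domain supported enctypes'))` followed by `if supported_enctypes == 0:` and `supported_enctypes = rc4_bit | aes256_sk_bit`. If lp.get() already returns an int for this parameter the reorder is harmless and the int() is merely redundant. The enclosing method begins and continues outside the hunk.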
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index fb15b20e1876..7e20acbf8b96 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -995,9 +995,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
*/
Globals.rpc_start_on_demand_helpers = true;
- Globals.kdc_default_domain_supported_enctypes =
- KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
-
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bc7f2b2311c3..4cdbdf9a325b 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1062,7 +1062,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
struct ldb_message_element *objectclasses;
struct ldb_val computer_val = data_blob_string_const("computer");
- uint32_t default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+ uint32_t config_default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+ uint32_t default_supported_enctypes =
+ config_default_supported_enctypes != 0 ?
+ config_default_supported_enctypes :
+ ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
uint32_t supported_enctypes
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
--
2.34.1