packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0014-CVE-2022-37966.patch

210 lines
7.9 KiB
Diff
Raw Blame History

From 96333365e1720e4eebcc643f4d65afa68f2c1baa Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 15 Nov 2022 18:14:36 +1300
Subject: [PATCH 14/54] CVE-2022-37966 param: Add support for new option "kdc
default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../kdcdefaultdomainsupportedenctypes.xml | 42 ++++++++++
lib/param/loadparm.c | 79 +++++++++++++++++++
librpc/idl/security.idl | 1 +
source3/param/loadparm.c | 3 +
4 files changed, 125 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 000000000000..e93650ac3e07
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_default_domain_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+ </para>
+
+ <para>
+ This allows Samba administrators to match the configuration flexibility provided by the
+ <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+ </para>
+ <para>
+ Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+ </para>
+ <para>
+ Specified values are ORed together bitwise, and those currently supported consist of:
+ </para><itemizedlist>
+ <listitem>
+ <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+ <para>Known on Windows as Kerberos RC4 encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+ <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+ <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+ <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+ </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1dcc8061fa21..1cb25f843b3b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -70,6 +70,7 @@
#include "tdb.h"
#include "librpc/gen_ndr/nbt.h"
#include "librpc/gen_ndr/dns.h"
+#include "librpc/gen_ndr/security.h"
#include "libds/common/roles.h"
#include "lib/util/samba_util.h"
#include "libcli/auth/ntlm_check.h"
@@ -1704,6 +1705,80 @@ out:
return value_is_valid;
}
+bool handle_kdc_default_domain_supported_enctypes(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue, char **ptr)
+{
+ char **enctype_list = NULL;
+ char **enctype = NULL;
+ uint32_t result = 0;
+ bool ok = true;
+
+ enctype_list = str_list_make(NULL, pszParmValue, NULL);
+ if (enctype_list == NULL) {
+ DBG_ERR("OOM: failed to make string list from %s\n",
+ pszParmValue);
+ ok = false;
+ goto out;
+ }
+
+ for (enctype = enctype_list; *enctype != NULL; ++enctype) {
+ if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 ||
+ strwicmp(*enctype, "rc4-hmac") == 0)
+ {
+ result |= KERB_ENCTYPE_RC4_HMAC_MD5;
+ }
+ else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes128-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes256-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96-sk") == 0 ||
+ strwicmp(*enctype, "aes256-cts-sk") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+ }
+ else {
+ const char *bitstr = *enctype;
+ int base;
+ int error;
+ unsigned long bit;
+
+ /* See if the bit's specified in hexadecimal. */
+ if (bitstr[0] == '0' &&
+ (bitstr[1] == 'x' || bitstr[2] == 'X'))
+ {
+ base = 16;
+ bitstr += 2;
+ }
+ else {
+ base = 10;
+ }
+
+ bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV);
+ if (error) {
+ DBG_ERR("WARNING: Ignoring invalid value '%s' "
+ "for parameter 'kdc default domain supported enctypes'\n",
+ *enctype);
+ ok = false;
+ } else {
+ result |= bit;
+ }
+ }
+ }
+
+ *(int *)ptr = result;
+out:
+ TALLOC_FREE(enctype_list);
+
+ return ok;
+}
+
static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
int parmnum, void *parm_ptr,
const char *pszParmName, const char *pszParmValue,
@@ -3012,6 +3087,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"rpc start on demand helpers",
"yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "kdc default domain supported enctypes",
+ "rc4-hmac aes256-cts-hmac-sha1-96-sk");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d05e3c3e1b7a..8cfdbf569962 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -725,6 +725,7 @@ interface security
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
+ KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020,
KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000,
KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7e20acbf8b96..fb15b20e1876 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -995,6 +995,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
*/
Globals.rpc_start_on_demand_helpers = true;
+ Globals.kdc_default_domain_supported_enctypes =
+ KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink