From 49e748498325044f2db6920ef9378907fd459741 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 7 Nov 2017 18:03:45 +0100
Subject: [PATCH 37/54] CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/kdc/kdc-heimdal.c | 23 ++++++++---------------
1 file changed, 8 insertions(+), 15 deletions(-)
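diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index 5b2b3e36652f..e936d4b7dccf 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -388,24 +388,17 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 kdc_config->num_db = 1;
 
 /*
- * This restores the behavior before
- * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
- * s4:heimdal: import lorikeet-heimdal-201107150856
- * (commit 48936803fae4a2fb362c79365d31f420c917b85b)
+ * Note with the CVE-2022-37966 patches,
+ * see https://bugzilla.samba.org/show_bug.cgi?id=15219
+ * and https://bugzilla.samba.org/show_bug.cgi?id=15237
+ * we want to use the strongest keys for everything.
 *
- * as_use_strongest_session_key,preauth_use_strongest_session_key
- * and tgs_use_strongest_session_key are input to the
- * _kdc_find_etype() function. The old bahavior is in
- * the use_strongest_session_key=FALSE code path.
- * (The only remaining difference in _kdc_find_etype()
- * is the is_preauth parameter.)
- *
- * The old behavior in the _kdc_get_preferred_key()
- * function is use_strongest_server_key=TRUE.
+ * Some of these don't have any real effect anymore,
+ * but it is better to have them as true...
 */
-kdc_config->tgt_use_strongest_session_key = false;
+kdc_config->tgt_use_strongest_session_key = true;
 kdc_config->preauth_use_strongest_session_key = true;
-kdc_config->svc_use_strongest_session_key = false;
+kdc_config->svc_use_strongest_session_key = true;
 kdc_config->use_strongest_server_key = true;
 
 kdc_config->force_include_pa_etype_salt = true;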
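Review bot: The rewritten comment ending `* Some of these don't have any real effect anymore, but it is better to have them as true...` no longer records which of the four flags below still influences key selection, so a later reader cannot judge whether flipping one back to false is a security regression or a no-op. The removed text named the consumers — the `*_use_strongest_session_key` flags feed `_kdc_find_etype()` and `use_strongest_server_key` feeds `_kdc_get_preferred_key()` — and that is worth carrying into the new wording, provided those references still hold after the CVE-2022-37966 changes. I would replace the two vague lines with something like `* The *_use_strongest_session_key flags feed _kdc_find_etype() and use_strongest_server_key feeds _kdc_get_preferred_key(); all stay true so no code path negotiates weaker keys.` kdc_post_fork() starts before this hunk and continues after it.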
--
2.34.1