1 From 4e47b5d703c54215804d595980be028f47a87cbf Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Wed, 7 Dec 2016 11:18:59 +0100
4 Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types
5 in check_pac_checksum()
7 AES based checksums can only be checked with the corresponding AES based
10 Otherwise we may trigger an undefined code path deep in the kerberos
11 libraries, which can lead to segmentation faults.
13 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
15 Signed-off-by: Stefan Metzmacher <metze@samba.org>
16 Backported-by: Andreas Schneider <asn@samba.org>
18 source3/include/smb_krb5.h | 12 ++++++++++++
19 source3/libads/authdata.c | 22 ++++++++++++++++++++++
20 2 files changed, 34 insertions(+)
22 diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
23 index 5a55d3040d5..2780622f512 100644
24 --- a/source3/include/smb_krb5.h
25 +++ b/source3/include/smb_krb5.h
27 #define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
30 +#if !defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && defined(CKSUMTYPE_HMAC_MD5)
31 +#define CKSUMTYPE_HMAC_MD5_ARCFOUR CKSUMTYPE_HMAC_MD5
34 +#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
35 +#define CKSUMTYPE_HMAC_SHA1_96_AES256 CKSUMTYPE_HMAC_SHA1_96_AES_256
38 +#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
39 +#define CKSUMTYPE_HMAC_SHA1_96_AES128 CKSUMTYPE_HMAC_SHA1_96_AES_128
42 /* The older versions of heimdal that don't have this
43 define don't seem to use it anyway. I'm told they
44 always use a subkey */
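Review bot: The three aliases are created only when the alternative spelling is itself a preprocessor macro, so on a Kerberos library that declares the `CKSUMTYPE_*` values as enum constants `defined()` is false for both names and no alias is produced. The build should then stop on an undeclared identifier in the `switch` added to `source3/libads/authdata.c`, which is fail-safe but gives no hint that this header is the cause; whether any supported library behaves this way cannot be told from the patch. A short comment above the block would help, for example `/* Kerberos libraries spell the PAC checksum type names differently; alias them to the names check_pac_checksum() uses. Only effective when the names are macros. */`. A configure-time check for each name would be more robust than `defined()`.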
45 diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
46 index 0d877ddef89..30622843f1d 100644
47 --- a/source3/libads/authdata.c
48 +++ b/source3/libads/authdata.c
49 @@ -42,6 +42,28 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
51 krb5_keyusage usage = 0;
53 + switch (sig->type) {
54 + case CKSUMTYPE_HMAC_MD5_ARCFOUR:
55 + /* ignores the key type */
57 + case CKSUMTYPE_HMAC_SHA1_96_AES256:
58 + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
63 + case CKSUMTYPE_HMAC_SHA1_96_AES128:
64 + if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
70 + DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
75 smb_krb5_checksum_from_pac_sig(&cksum, sig);
77 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
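Review bot: The `CKSUMTYPE_HMAC_MD5_ARCFOUR` case accepts an HMAC-MD5 PAC signature whatever `KRB5_KEY_TYPE(keyblock)` is, and the only rationale given is `/* ignores the key type */`. The two AES cases bind the checksum type to the matching enctype, so this branch is the one place where a weaker checksum type still validates against an AES key, and the comment should say whether that is deliberate. If it is kept for interoperability, something like `/* HMAC-MD5 does not depend on the key enctype, so it is accepted for AES keys as well; kept for RC4 interoperability */` would make the trade-off visible to the next reader. Separately, the `default` branch logs at `DEBUG(2,...)`; a rejected PAC checksum type is worth a more prominent level, and adding the key enctype to the message would help triage. The body of `check_pac_checksum()` starts and ends outside this hunk, and the return statements of the new branches are not visible in this view.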