Commit | Line | Data |
---|---|---|
1d13e637 AF |
1 | From 4e47b5d703c54215804d595980be028f47a87cbf Mon Sep 17 00:00:00 2001 |
2 | From: Stefan Metzmacher <metze@samba.org> | |
3 | Date: Wed, 7 Dec 2016 11:18:59 +0100 | |
4 | Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types | |
5 | in check_pac_checksum() | |
6 | ||
7 | AES based checksums can only be checked with the corresponding AES based | |
8 | keytype. | |
9 | ||
10 | Otherwise we may trigger an undefined code path deep in the kerberos | |
11 | libraries, which can lead to segmentation faults. | |
12 | ||
13 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 | |
14 | ||
15 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
16 | Backported-by: Andreas Schneider <asn@samba.org> | |
17 | --- | |
18 | source3/include/smb_krb5.h | 12 ++++++++++++ | |
19 | source3/libads/authdata.c | 22 ++++++++++++++++++++++ | |
20 | 2 files changed, 34 insertions(+) | |
21 | ||
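--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@@ -61,6 +61,18 @@
 #define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
 #endif
 
+#if !defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && defined(CKSUMTYPE_HMAC_MD5)
+#define CKSUMTYPE_HMAC_MD5_ARCFOUR CKSUMTYPE_HMAC_MD5
+#endif
+
+#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
+#define CKSUMTYPE_HMAC_SHA1_96_AES256 CKSUMTYPE_HMAC_SHA1_96_AES_256
+#endif
+
+#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
+#define CKSUMTYPE_HMAC_SHA1_96_AES128 CKSUMTYPE_HMAC_SHA1_96_AES_128
+#endif
+
 /* The older versions of heimdal that don't have this
 define don't seem to use it anyway. I'm told they
 always use a subkey */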
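Review bot: The three alias guards rely on `defined()`, which only sees preprocessor macros, so if a Kerberos library exposes `CKSUMTYPE_HMAC_MD5` or the `_AES_128`/`_AES_256` spellings as enum constants, no alias is created. The failure would then only appear later as an undeclared identifier where the names are used in source3/libads/authdata.c. A short comment above the block, e.g. `/* checksum type names differ between Kerberos implementations; map them to the names used in check_pac_checksum() */`, would make that dependency explicit. Whether a configure-time check would be more robust than `defined()` cannot be judged from this hunk.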
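--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -42,6 +42,28 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 krb5_checksum cksum;
 krb5_keyusage usage = 0;
 
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5_ARCFOUR:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
 smb_krb5_checksum_from_pac_sig(&cksum, sig);
 
 #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */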
78 | -- | |
79 | 2.11.0 | |
80 |