src/patches/samba/CVE-2016-2126-v3.6.patch

   1 From 4e47b5d703c54215804d595980be028f47a87cbf Mon Sep 17 00:00:00 2001
   2 From: Stefan Metzmacher <metze@samba.org>
   3 Date: Wed, 7 Dec 2016 11:18:59 +0100
   4 Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types
   5  in check_pac_checksum()
   6
   7 AES based checksums can only be checked with the corresponding AES based
   8 keytype.
   9
  10 Otherwise we may trigger an undefined code path deep in the kerberos
  11 libraries, which can leed to segmentation faults.
  12
  13 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
  14
  15 Signed-off-by: Stefan Metzmacher <metze@samba.org>
  16 Backported-by: Andreas Schneider <asn@samba.org>
  17 ---
  18  source3/include/smb_krb5.h | 12 ++++++++++++
  19  source3/libads/authdata.c  | 22 ++++++++++++++++++++++
  20  2 files changed, 34 insertions(+)
  21
  22 diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
  23 index 5a55d3040d5..2780622f512 100644
  24 --- a/source3/include/smb_krb5.h
  25 +++ b/source3/include/smb_krb5.h
  26 @@ -61,6 +61,18 @@
  27  #define ENCTYPE_ARCFOUR_HMAC ENCTYPE_ARCFOUR_HMAC_MD5
  28  #endif
  29
  30 +#if !defined(CKSUMTYPE_HMAC_MD5_ARCFOUR) && defined(CKSUMTYPE_HMAC_MD5)
  31 +#define CKSUMTYPE_HMAC_MD5_ARCFOUR CKSUMTYPE_HMAC_MD5
  32 +#endif
  33 +
  34 +#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
  35 +#define CKSUMTYPE_HMAC_SHA1_96_AES256 CKSUMTYPE_HMAC_SHA1_96_AES_256
  36 +#endif
  37 +
  38 +#if !defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
  39 +#define CKSUMTYPE_HMAC_SHA1_96_AES128 CKSUMTYPE_HMAC_SHA1_96_AES_128
  40 +#endif
  41 +
  42  /* The older versions of heimdal that don't have this
  43     define don't seem to use it anyway.  I'm told they
  44     always use a subkey */
  45 diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
  46 index 0d877ddef89..30622843f1d 100644
  47 --- a/source3/libads/authdata.c
  48 +++ b/source3/libads/authdata.c
  49 @@ -42,6 +42,28 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
  50         krb5_checksum cksum;
  51         krb5_keyusage usage = 0;
  52
  53 +       switch (sig->type) {
  54 +       case CKSUMTYPE_HMAC_MD5_ARCFOUR:
  55 +               /* ignores the key type */
  56 +               break;
  57 +       case CKSUMTYPE_HMAC_SHA1_96_AES256:
  58 +               if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
  59 +                       return EINVAL;
  60 +               }
  61 +               /* ok */
  62 +               break;
  63 +       case CKSUMTYPE_HMAC_SHA1_96_AES128:
  64 +               if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
  65 +                       return EINVAL;
  66 +               }
  67 +               /* ok */
  68 +               break;
  69 +       default:
  70 +               DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
  71 +                       (int)sig->type));
  72 +               return EINVAL;
  73 +       }
  74 +
  75         smb_krb5_checksum_from_pac_sig(&cksum, sig);
  76
  77  #ifdef HAVE_KRB5_KU_OTHER_CKSUM /* Heimdal */
  78 --
  79 2.11.0
  80