From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 13:13:36 +0000 (+0100)
Subject: CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
X-Git-Tag: samba-4.15.13~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=18996e9971224210aa50cff9796c805dc594c296;p=thirdparty%2Fsamba.git

CVE-2022-37966 param: Add support for new option "kdc supported enctypes"

This allows admins to disable enctypes completely if required.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
---

diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
new file mode 100644
index 00000000000..5e028bbb2be
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="kdc supported enctypes"
+                 type="integer"
+                 context="G"
+                 handler="handle_kdc_supported_enctypes"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    On an active directory domain controller, this is the list of supported encryption types for local running kdc.
+  </para>
+
+  <para>
+    This allows Samba administrators to remove support for weak/unused encryption types, similar
+    the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant>
+    GPO/Local Policies/Security Options Value, which results in the
+    <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows.
+  </para>
+  <para>
+    Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names.
+  </para>
+  <para>
+    Specified values are ORed together bitwise, and those currently supported consist of:
+    </para><itemizedlist>
+   <listitem>
+       <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+       <para>Known on Windows as Kerberos RC4 encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+       <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+       <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+   </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d55df1f4f80..44292c3cbbb 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -1778,6 +1778,75 @@ out:
 	return ok;
 }
 
+bool handle_kdc_supported_enctypes(struct loadparm_context *lp_ctx,
+				   struct loadparm_service *service,
+				   const char *pszParmValue, char **ptr)
+{
+	char **enctype_list = NULL;
+	char **enctype = NULL;
+	uint32_t result = 0;
+	bool ok = true;
+
+	enctype_list = str_list_make(NULL, pszParmValue, NULL);
+	if (enctype_list == NULL) {
+		DBG_ERR("OOM: failed to make string list from %s\n",
+			pszParmValue);
+		ok = false;
+		goto out;
+	}
+
+	for (enctype = enctype_list; *enctype != NULL; ++enctype) {
+		if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 ||
+		    strwicmp(*enctype, "rc4-hmac") == 0)
+		{
+			result |= KERB_ENCTYPE_RC4_HMAC_MD5;
+		}
+		else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 ||
+			 strwicmp(*enctype, "aes128-cts") == 0)
+		{
+			result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+		}
+		else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 ||
+			 strwicmp(*enctype, "aes256-cts") == 0)
+		{
+			result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+		}
+		else {
+			const char *bitstr = *enctype;
+			int base;
+			int error;
+			unsigned long bit;
+
+			/* See if the bit's specified in hexadecimal. */
+			if (bitstr[0] == '0' &&
+			    (bitstr[1] == 'x' || bitstr[2] == 'X'))
+			{
+				base = 16;
+				bitstr += 2;
+			}
+			else {
+				base = 10;
+			}
+
+			bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV);
+			if (error) {
+				DBG_ERR("WARNING: Ignoring invalid value '%s' "
+					"for parameter 'kdc default domain supported enctypes'\n",
+					*enctype);
+				ok = false;
+			} else {
+				result |= bit;
+			}
+		}
+	}
+
+	*(int *)ptr = result;
+out:
+	TALLOC_FREE(enctype_list);
+
+	return ok;
+}
+
 static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
 			 int parmnum, void *parm_ptr,
 			 const char *pszParmName, const char *pszParmValue,