From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 7 Nov 2017 17:03:45 +0000 (+0100)
Subject: CVE-2022-37966 s4:kdc: use the strongest possible keys
X-Git-Tag: samba-4.15.13~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=527a164b410f87c6f2a9b508d8261214819f8ef3;p=thirdparty%2Fsamba.git

CVE-2022-37966 s4:kdc: use the strongest possible keys

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
[jsutton@samba.org Adapted to configuration parameters having been
 renamed from {as,tgs} to {tgt,svc}]
---

diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index ca202bd6f9d..a6d889e0654 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -388,24 +388,17 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 	kdc_config->num_db = 1;
 
 	/*
-	 * This restores the behavior before
-	 * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
-	 * s4:heimdal: import lorikeet-heimdal-201107150856
-	 * (commit 48936803fae4a2fb362c79365d31f420c917b85b)
+	 * Note with the CVE-2022-37966 patches,
+	 * see https://bugzilla.samba.org/show_bug.cgi?id=15219
+	 * and https://bugzilla.samba.org/show_bug.cgi?id=15237
+	 * we want to use the strongest keys for everything.
 	 *
-	 * as_use_strongest_session_key,preauth_use_strongest_session_key
-	 * and tgs_use_strongest_session_key are input to the
-	 * _kdc_find_etype() function. The old bahavior is in
-	 * the use_strongest_session_key=FALSE code path.
-	 * (The only remaining difference in _kdc_find_etype()
-	 *  is the is_preauth parameter.)
-	 *
-	 * The old behavior in the _kdc_get_preferred_key()
-	 * function is use_strongest_server_key=TRUE.
+	 * Some of these don't have any real effect anymore,
+	 * but it is better to have them as true...
 	 */
-	kdc_config->as_use_strongest_session_key = false;
+	kdc_config->as_use_strongest_session_key = true;
 	kdc_config->preauth_use_strongest_session_key = true;
-	kdc_config->tgs_use_strongest_session_key = false;
+	kdc_config->tgs_use_strongest_session_key = true;
 	kdc_config->use_strongest_server_key = true;
 
 	kdc_config->autodetect_referrals = false;