s3:rpcclient: Encrypt the password buffers only if really needed
If we are in FIPS mode certain ciphers like RC4 are not available, so
we should make sure we do not call them. We will add AES support in the
next patch.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Martin Schwenke [Fri, 25 Feb 2022 08:44:52 +0000 (19:44 +1100)]
ctdb-tests: Add tests for cluster mutex I/O timeout
Block the locker helper child by taking a lock on the 2nd byte of the
lock file. This will cause a ping timeout if the process is blocked
for long enough.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Jul 28 11:10:54 UTC 2022 on sn-devel-184
Martin Schwenke [Fri, 21 Jan 2022 02:37:17 +0000 (13:37 +1100)]
ctdb-mutex: Do inode checks in a child process
In future this will allow extra I/O tests and a timeout in the parent
to (hopefully) release the lock if the child gets wedged. For
simplicity, use tmon only to detect when either parent or child goes
away. Plumbing a timeout for pings from child to parent will be done
later.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 2 Feb 2022 10:47:59 +0000 (21:47 +1100)]
ctdb-tests: Add tests for trivial FD monitoring
tmon_ping_test covers complex 2-way interaction between processes
using tmon_ping_send(), including via a socketpair(). tmon_test
covers the more general functionality of tmon_send() but uses a
simpler 1-way harness with wide coverage.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 3 May 2022 23:02:12 +0000 (09:02 +1000)]
ctdb-build: Separate test backtrace support into separate subsystem
A convention when testing members of ctdb-util is to include the .c
file so that static functions can potentially be tested. This means
that such tests can't be linked against ctdb-util or duplicate symbols
will be encountered.
ctdb-tests-common depends on ctdb-client, which depends in turn on
ctdb-util, so this can't be used to pull in backtrace support.
Instead, make ctdb-tests-backtrace its own subsystem.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Douglas Bagnall [Mon, 11 Jul 2022 00:06:54 +0000 (12:06 +1200)]
py/uptodateness: more details in missing dn report
This does not fix bug 15127, but it improves reporting.
https://bugzilla.samba.org/show_bug.cgi?id=15127
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 28 06:18:43 UTC 2022 on sn-devel-184
Jeremy Allison [Tue, 26 Jul 2022 21:34:27 +0000 (14:34 -0700)]
s3: smbd: Inside filename_convert_dirfsp_nosymlink() ensure the returned smb_fname is always allocated off mem_ctx.
Without this, if we just return smb_fname_rel->fsp->fsp_name as the smb_fname
then we return something allocated off fsp (which itself is allocated off
the conn struct), not the passed in talloc_ctx.
Do this for both non-stream and stream returns.
This matters for two reasons.
1). If we error out after calling filename_convert_dirfsp()
but before getting to the code inside create_file_unixpath()
that takes ownership of the passed in smb_fname->fsp we will
leak the fsp as the destructor for smb_fname that closes the
fsp will never fire on return to the client, as smb_fname is
owned by smb_fname->fsp, not the talloc_tos() context.
2). Some uses of filename_convert() expect to be able
to TALLOC_FREE the returned smb_fname once they've successfully
called SMB_VFS_CREATE_FILE() as they consider the passed in smb_fname
no longer used. It would be nice to be able to just change
filename_convert() -> filename_convert_dirfsp() without
having to change the lifetime handling of smb_fname.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Tue, 7 Jun 2022 16:53:08 +0000 (09:53 -0700)]
CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
Fixes the raw.write.bad-write test.
NB. We need the two (==0) changes in source3/smbd/smb2_reply.c
as the gcc optimizer now knows that the return from
smbreq_bufrem() can never be less than zero.
Joseph Sutton [Fri, 10 Jun 2022 07:18:53 +0000 (19:18 +1200)]
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
If TGTs can be used as kpasswd tickets, the two-minute lifetime of a
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.
Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.
Joseph Sutton [Fri, 10 Jun 2022 07:18:35 +0000 (19:18 +1200)]
CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
We use the presence or absence of a REQUESTER_SID PAC buffer to
determine whether the ticket is a TGT. We will later use this to reject
TGTs where a service ticket is expected.
Joseph Sutton [Fri, 10 Jun 2022 07:18:07 +0000 (19:18 +1200)]
CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.
Joseph Sutton [Mon, 30 May 2022 07:16:02 +0000 (19:16 +1200)]
CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
To ensure that, when decrypting the kpasswd ticket, we look up the
correct principal and don't trust the sname from the ticket, we should
pass the principal name of the kpasswd service into krb5_rd_req_ctx().
However, gensec_krb5_update_internal() will pass in NULL unless the
principal in our credentials is CRED_SPECIFIED.
At present, our principal will be considered obtained as CRED_SMB_CONF
(from the cli_credentials_set_conf() a few lines up), so we explicitly
set the realm again, but this time as CRED_SPECIFIED. Now the value of
server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
be NULL.
Joseph Sutton [Thu, 26 May 2022 04:39:20 +0000 (16:39 +1200)]
CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
This plugin is now only used by the kpasswd service. Thus, ensuring we
only look up the kadmin/changepw principal means we can't be fooled into
accepting tickets for other service principals. We make sure not to
specify a specific kvno, to ensure that we do not accept RODC-issued
tickets.
Joseph Sutton [Wed, 25 May 2022 08:00:55 +0000 (20:00 +1200)]
CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
We would only compare the first 'n' characters, where 'n' is the length
of the principal component string, so 'k@REALM' would erroneously be
considered equal to 'krbtgt@REALM'.
A fallback in krb5_rd_req_ctx() means that Samba's kpasswd service will
try many inappropriate keys to decrypt the ticket supplied to it. For
example, it will accept a ticket encrypted with the Administrator's key,
when it should rather accept only tickets encrypted with the krbtgt's
key (and not an RODC krbtgt). To fix this, declare the HDB keytab using
the HDBGET ops, which do not support iteration.
Joseph Sutton [Mon, 30 May 2022 07:18:17 +0000 (19:18 +1200)]
CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
For Heimdal, this now matches the behaviour of Windows. The object of
this requirement is to ensure we don't allow kpasswd tickets, not having
a lifetime of more than two minutes, to be passed off as TGTs.
An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
suffices to prevent kpasswd ticket misuse, so this is just an additional
precaution on top.
Joseph Sutton [Wed, 18 May 2022 04:56:01 +0000 (16:56 +1200)]
CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
Since this principal goes through the samba_kdc_fetch_server() path,
setting the canonicalisation flag would cause the principal to be
replaced with the sAMAccountName; this meant requests to
kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we
properly handle canonicalisation for the kadmin/changepw principal.
Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Pair-Programmed-With: Andreas Schneider <asn@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 18 May 2022 04:49:43 +0000 (16:49 +1200)]
CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
If we attempt to return an error code outside of Heimdal's allowed range
[KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC
error, and the error text will be set to the meaningless result of
krb5_get_error_message(). Avoid this by ensuring the error code is in
the correct range.
Joseph Sutton [Fri, 27 May 2022 07:29:34 +0000 (19:29 +1200)]
CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
The error code passed in will be an offset from ERROR_TABLE_BASE_krb5,
so we need to subtract that before creating the error. Heimdal does this
internally, so it isn't needed there.
The error_data we create already has an explicit length, and should not
be zero-terminated, so we omit the trailing null byte. Previously,
Heimdal builds would leave a superfluous trailing null byte on error
strings, while MIT builds would omit the final character.
The two bytes added to the string's length are for the prepended error
code.
Joseph Sutton [Tue, 31 May 2022 07:23:06 +0000 (19:23 +1200)]
CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
tickets to principals such as kpasswd/changepw, as they are encrypted
with the krbtgt's key.
Joseph Sutton [Mon, 30 May 2022 07:17:41 +0000 (19:17 +1200)]
CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
The target principal and realm fields of the setpw structure are
supposed to be optional, but in MIT Kerberos they are mandatory. For
better compatibility and ease of testing, fall back to parsing the
simpler (containing only the new password) structure if the MIT function
fails to decode it.
Although the target principal and realm fields should be optional, one
is not supposed to specified without the other, so we don't have to deal
with the case where only one is specified.
projects / thirdparty / samba.git / log
