diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-11-29 14:13:36 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:49 +0100 |
commit | 18996e9971224210aa50cff9796c805dc594c296 (patch) | |
tree | 43da8a6747b381b6f66e2239898715297ea75c43 | |
parent | 34fc0da78699827674245ea5f00282107054ba9c (diff) | |
download | samba-18996e9971224210aa50cff9796c805dc594c296.tar.gz |
CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
This allows admins to disable enctypes completely if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
-rw-r--r-- | docs-xml/smbdotconf/security/kdcsupportedenctypes.xml | 40 | ||||
-rw-r--r-- | lib/param/loadparm.c | 69 |
2 files changed, 109 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml new file mode 100644 index 00000000000..5e028bbb2be --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml @@ -0,0 +1,40 @@ +<samba:parameter name="kdc supported enctypes" + type="integer" + context="G" + handler="handle_kdc_supported_enctypes" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + On an active directory domain controller, this is the list of supported encryption types for local running kdc. + </para> + + <para> + This allows Samba administrators to remove support for weak/unused encryption types, similar + the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant> + GPO/Local Policies/Security Options Value, which results in the + <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows. + </para> + <para> + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names. + </para> + <para> + Specified values are ORed together bitwise, and those currently supported consist of: + </para><itemizedlist> + <listitem> + <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para> + <para>Known on Windows as Kerberos RC4 encryption</para> + </listitem> + <listitem> + <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para> + <para>Known on Windows as Kerberos AES 128 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para> + <para>Known on Windows as Kerberos AES 256 bit encryption</para> + </listitem> +</itemizedlist> + +</description> + +<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value> +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index d55df1f4f80..44292c3cbbb 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -1778,6 +1778,75 @@ out: return ok; } +bool handle_kdc_supported_enctypes(struct loadparm_context *lp_ctx, + struct loadparm_service *service, + const char *pszParmValue, char **ptr) +{ + char **enctype_list = NULL; + char **enctype = NULL; + uint32_t result = 0; + bool ok = true; + + enctype_list = str_list_make(NULL, pszParmValue, NULL); + if (enctype_list == NULL) { + DBG_ERR("OOM: failed to make string list from %s\n", + pszParmValue); + ok = false; + goto out; + } + + for (enctype = enctype_list; *enctype != NULL; ++enctype) { + if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 || + strwicmp(*enctype, "rc4-hmac") == 0) + { + result |= KERB_ENCTYPE_RC4_HMAC_MD5; + } + else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 || + strwicmp(*enctype, "aes128-cts") == 0) + { + result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96; + } + else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 || + strwicmp(*enctype, "aes256-cts") == 0) + { + result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96; + } + else { + const char *bitstr = *enctype; + int base; + int error; + unsigned long bit; + + /* See if the bit's specified in hexadecimal. */ + if (bitstr[0] == '0' && + (bitstr[1] == 'x' || bitstr[2] == 'X')) + { + base = 16; + bitstr += 2; + } + else { + base = 10; + } + + bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV); + if (error) { + DBG_ERR("WARNING: Ignoring invalid value '%s' " + "for parameter 'kdc default domain supported enctypes'\n", + *enctype); + ok = false; + } else { + result |= bit; + } + } + } + + *(int *)ptr = result; +out: + TALLOC_FREE(enctype_list); + + return ok; +} + static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service, int parmnum, void *parm_ptr, const char *pszParmName, const char *pszParmValue, |