diff options
| author | Stefan Metzmacher <metze@samba.org> | 2017-11-07 18:03:45 +0100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:49 +0100 |
| commit | 527a164b410f87c6f2a9b508d8261214819f8ef3 (patch) | |
| tree | 87e5beb6fa284d09248f0c1b7d9a709594c33bd5 | |
| parent | 8b8835b09fa45c0cd3aba5d5aa504fcfd290386f (diff) | |
| download | samba-527a164b410f87c6f2a9b508d8261214819f8ef3.tar.gz | |
CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
[jsutton@samba.org Adapted to configuration parameters having been
renamed from {as,tgs} to {tgt,svc}]
| -rw-r--r-- | source4/kdc/kdc-heimdal.c | 23 |
1 files changed, 8 insertions, 15 deletions
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c index ca202bd6f9d..a6d889e0654 100644 --- a/source4/kdc/kdc-heimdal.c +++ b/source4/kdc/kdc-heimdal.c @@ -388,24 +388,17 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd) kdc_config->num_db = 1; /* - * This restores the behavior before - * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3 - * s4:heimdal: import lorikeet-heimdal-201107150856 - * (commit 48936803fae4a2fb362c79365d31f420c917b85b) + * Note with the CVE-2022-37966 patches, + * see https://bugzilla.samba.org/show_bug.cgi?id=15219 + * and https://bugzilla.samba.org/show_bug.cgi?id=15237 + * we want to use the strongest keys for everything. * - * as_use_strongest_session_key,preauth_use_strongest_session_key - * and tgs_use_strongest_session_key are input to the - * _kdc_find_etype() function. The old bahavior is in - * the use_strongest_session_key=FALSE code path. - * (The only remaining difference in _kdc_find_etype() - * is the is_preauth parameter.) - * - * The old behavior in the _kdc_get_preferred_key() - * function is use_strongest_server_key=TRUE. + * Some of these don't have any real effect anymore, + * but it is better to have them as true... */ - kdc_config->as_use_strongest_session_key = false; + kdc_config->as_use_strongest_session_key = true; kdc_config->preauth_use_strongest_session_key = true; - kdc_config->tgs_use_strongest_session_key = false; + kdc_config->tgs_use_strongest_session_key = true; kdc_config->use_strongest_server_key = true; kdc_config->autodetect_referrals = false; |