| 1 |
From 77631ca7c747796bf3d4dc347afb3f0cb5e4be78 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Stefan Metzmacher <metze@samba.org> |
| 3 |
Date: Tue, 22 Nov 2016 17:08:46 +0100 |
| 4 |
Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types |
| 5 |
in check_pac_checksum() |
| 6 |
|
| 7 |
aes based checksums can only be checked with the |
| 8 |
corresponding aes based keytype. |
| 9 |
|
| 10 |
Otherwise we may trigger an undefined code path |
| 11 |
deep in the kerberos libraries, which can leed to |
| 12 |
segmentation faults. |
| 13 |
|
| 14 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446 |
| 15 |
|
| 16 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
| 17 |
--- |
| 18 |
auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++ |
| 19 |
1 file changed, 22 insertions(+) |
| 20 |
|
| 21 |
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c |
| 22 |
index 32d9d7f..7b6efdc 100644 |
| 23 |
--- a/auth/kerberos/kerberos_pac.c |
| 24 |
+++ b/auth/kerberos/kerberos_pac.c |
| 25 |
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, |
| 26 |
krb5_boolean checksum_valid = false; |
| 27 |
krb5_data input; |
| 28 |
|
| 29 |
+ switch (sig->type) { |
| 30 |
+ case CKSUMTYPE_HMAC_MD5: |
| 31 |
+ /* ignores the key type */ |
| 32 |
+ break; |
| 33 |
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256: |
| 34 |
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) { |
| 35 |
+ return EINVAL; |
| 36 |
+ } |
| 37 |
+ /* ok */ |
| 38 |
+ break; |
| 39 |
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128: |
| 40 |
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) { |
| 41 |
+ return EINVAL; |
| 42 |
+ } |
| 43 |
+ /* ok */ |
| 44 |
+ break; |
| 45 |
+ default: |
| 46 |
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n", |
| 47 |
+ (int)sig->type)); |
| 48 |
+ return EINVAL; |
| 49 |
+ } |
| 50 |
+ |
| 51 |
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */ |
| 52 |
cksum.cksumtype = (krb5_cksumtype)sig->type; |
| 53 |
cksum.checksum.length = sig->signature.length; |
| 54 |
-- |
| 55 |
1.9.1 |
| 56 |
|
| 57 |
From b6da00dee93b832e271040d80d4f6b6165b51f08 Mon Sep 17 00:00:00 2001 |
| 58 |
From: Stefan Metzmacher <metze@samba.org> |
| 59 |
Date: Tue, 19 Jul 2016 16:31:01 +0200 |
| 60 |
Subject: [PATCH] krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_* |
| 61 |
MIME-Version: 1.0 |
| 62 |
Content-Type: text/plain; charset=UTF-8 |
| 63 |
Content-Transfer-Encoding: 8bit |
| 64 |
|
| 65 |
MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128, |
| 66 |
while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128. |
| 67 |
|
| 68 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
| 69 |
Reviewed-by: Günther Deschner <gd@samba.org> |
| 70 |
(cherry picked from commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6) |
| 71 |
--- |
| 72 |
lib/krb5_wrap/krb5_samba.h | 11 +++++++++++ |
| 73 |
1 file changed, 11 insertions(+) |
| 74 |
|
| 75 |
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h |
| 76 |
index cef9144..20ef6a3 100644 |
| 77 |
--- a/lib/krb5_wrap/krb5_samba.h |
| 78 |
+++ b/lib/krb5_wrap/krb5_samba.h |
| 79 |
@@ -74,6 +74,17 @@ |
| 80 |
#define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR |
| 81 |
#endif |
| 82 |
|
| 83 |
+/* |
| 84 |
+ * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal |
| 85 |
+ * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT |
| 86 |
+ */ |
| 87 |
+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128) |
| 88 |
+#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128 |
| 89 |
+#endif |
| 90 |
+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256) |
| 91 |
+#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256 |
| 92 |
+#endif |
| 93 |
+ |
| 94 |
typedef struct { |
| 95 |
#if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ |
| 96 |
krb5_address **addrs; |
| 97 |
-- |
| 98 |
1.9.1 |
| 99 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
