File _service:tar_scm_kernel_repo:backport-0018-CVE-2022-38023.patch of Package samba
From a0c68f4caaa0771dcde074906956335c9e458bdf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:13:36 +0100
Subject: [PATCH 18/29] CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'

This makes it more flexible when we change the global default to 'reject md5 servers = yes'. 'allow nt4 crypto = no' is already the default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17698
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++-
 1 file changed, 55 insertions(+), 3 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index dad06835862e..301a5c8144f5 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -135,12 +135,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
 					struct netr_ServerAuthenticate3 *r,
 					struct netlogon_server_pipe_state *pipe_state,
 					uint32_t negotiate_flags,
+					const char *trust_account_in_db,
 					NTSTATUS orig_status)
 {
 	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
-	bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
-	bool reject_des_client = !allow_nt4_crypto;
-	bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+	bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
+	bool account_allow_nt4_crypto = global_allow_nt4_crypto;
+	const char *explicit_nt4_opt = NULL;
+	bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+	bool account_reject_md5_client = global_reject_md5_client;
+	const char *explicit_md5_opt = NULL;
+	bool reject_des_client;
+	bool allow_nt4_crypto;
+	bool reject_md5_client;
+
+	/*
+	 * We don't use lpcfg_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+
+	if (trust_account_in_db != NULL) {
+		explicit_nt4_opt = lpcfg_get_parametric(lp_ctx,
+							NULL,
+							"allow nt4 crypto",
+							trust_account_in_db);
+	}
+	if (explicit_nt4_opt != NULL) {
+		account_allow_nt4_crypto = lp_bool(explicit_nt4_opt);
+	}
+	allow_nt4_crypto = account_allow_nt4_crypto;
+	if (trust_account_in_db != NULL) {
+		explicit_md5_opt = lpcfg_get_parametric(lp_ctx,
+							NULL,
+							"server reject md5 schannel",
+							trust_account_in_db);
+	}
+	if (explicit_md5_opt != NULL) {
+		account_reject_md5_client = lp_bool(explicit_md5_opt);
+	}
+	reject_md5_client = account_reject_md5_client;
+
+	reject_des_client = !allow_nt4_crypto;
 
 	if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
 		reject_des_client = false;
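Review bot: If lp_bool() maps an unparseable string to false, as its lib/param implementation does, a mistyped value for `server reject md5 schannel:ACCOUNT` in the new lookup turns `account_reject_md5_client` false and silently relaxes the check below the global `reject md5 clients` setting, whereas the same typo on `allow nt4 crypto:ACCOUNT` only makes things stricter. Overriding the global value only when the parse succeeds keeps a bad entry from failing open, e.g. `if (explicit_md5_opt != NULL && !set_boolean(explicit_md5_opt, &account_reject_md5_client)) { account_reject_md5_client = global_reject_md5_client; }`, with the same shape for the nt4 option. The block comment could also state that the per-account key is the account name as stored in the database (trust_account_in_db, which the later hunks pass only on the success path) rather than the client-supplied r->in.account_name, since that is the spelling an administrator has to use in smb.conf. dcesrv_netr_ServerAuthenticate3_check_downgrade continues past the end of this hunk, so how explicit_nt4_opt and explicit_md5_opt feed the debug messages is not visible here.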
@@ -309,12 +345,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	case SEC_CHAN_NULL:
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_INVALID_PARAMETER);
 	default:
 		DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
 			  r->in.secure_channel_type));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_INVALID_PARAMETER);
 	}
 
@@ -322,6 +360,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	if (sam_ctx == NULL) {
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_INVALID_SYSTEM_SERVICE);
 	}
 
@@ -353,6 +392,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	if (encoded_name == NULL) {
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_NO_MEMORY);
 	}
 
@@ -360,12 +400,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	if (len < 2) {
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 	}
 	if (require_trailer && encoded_name[len - 1] != trailer) {
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 	}
 	encoded_name[len - 1] = '\0';
 
@@ -386,11 +428,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 				encoded_name));
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				nt_status);
 		}
 
@@ -400,11 +444,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				nt_status);
 		}
 
@@ -412,6 +458,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (flatname == NULL) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 		}
 
@@ -419,6 +466,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 		if (*trust_account_for_search == NULL) {
 			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 				dce_call, r, pipe_state, negotiate_flags,
+				NULL, /* trust_account_in_db */
 				NT_STATUS_NO_MEMORY);
 		}
 	} else {
@@ -436,6 +484,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 			log_escape(mem_ctx, r->in.account_name)));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_NO_TRUST_SAM_ACCOUNT);
 	}
 
@@ -445,6 +494,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 			log_escape(mem_ctx, r->in.account_name)));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_INTERNAL_DB_CORRUPTION);
 	}
 
@@ -456,11 +506,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 			r->in.account_name));
 		return dcesrv_netr_ServerAuthenticate3_check_downgrade(
 			dce_call, r, pipe_state, negotiate_flags,
+			NULL, /* trust_account_in_db */
 			NT_STATUS_INTERNAL_DB_CORRUPTION);
 	}
 
 	nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
 		dce_call, r, pipe_state, negotiate_flags,
+		*trust_account_in_db,
 		NT_STATUS_OK);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
-- 
2.34.1