[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Dec 20 10:41:02 UTC 2016


The branch, master has been updated
       via  9b566e7 WHATSNEW: Add some information about ID mapping
       via  cabd1df WHATSNEW: Add Printing changes
       via  c9c8010 WHATSNEW: Use capital K for Kerberos
       via  afd8c38 HEIMDAL:lib/krb5: Harden _krb5_derive_key()
       via  c15464f8 HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
       via  fb318ab HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
       via  05cc099 HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
       via  ab25cdf CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
       via  6459543 CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
       via  f52ca0c CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
       via  ee30821 CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
       via  ce9e4a3 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
      from  0bb3490 s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9b566e7b3cd5d3efd510076e9fdec97730df4883
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 14 11:23:10 2016 +0100

    WHATSNEW: Add some information about ID mapping
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Karolin Seeger <kseeger at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Dec 20 11:40:07 CET 2016 on sn-devel-144

commit cabd1df66ab6aba4c5f0017f8da0e2cac3adcd74
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 14 08:25:45 2016 +0100

    WHATSNEW: Add Printing changes
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit c9c8010cbd15bfc864a3425a51d9d1a0449d00c4
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Dec 14 08:15:38 2016 +0100

    WHATSNEW: Use capital K for Kerberos
    
    Signed-off-by: Andreas Schneider <asn at samba.org>

commit afd8c389c92e38aa59a55127b2594023561b2ddd
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Nov 18 18:02:30 2016 +0000

    HEIMDAL:lib/krb5: Harden _krb5_derive_key()
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c15464f886f9734982123d38594073601d49f151
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Nov 18 18:02:30 2016 +0000

    HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fb318ab0203297019c5e47c6bef4a9abfdeea8a5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 22 13:53:53 2016 +0100

    HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
    
    This allows the optimized checksum->verify() function to be used.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 05cc099499ef3a07d140981ef82937c842a3ffef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 22 13:42:31 2016 +0100

    HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit ab25cdfa9dd071652985eb9ab98255cda3c3de57
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 22 17:08:46 2016 +0100

    CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
    
    aes based checksums can only be checked with the
    corresponding aes based keytype.
    
    Otherwise we may trigger an undefined code path
    deep in the kerberos libraries, which can lead to
    segmentation faults.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 6459543b5a4782eeac5d78290918cced7de4790f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 11:44:22 2016 +0100

    CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
    
    This disables the usage of GSS_C_DELEG_FLAG by default. As
    GSS_C_DELEG_POLICY_FLAG is still used by default, we let the
    KDC decide if we should send delegated credentials to a remote server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>

commit f52ca0cbb6412c1d3abc5dc9983b0493ef915a3f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 11:42:59 2016 +0100

    CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
    
    We should only use GSS_C_DELEG_POLICY_FLAG in order to let
    the KDC decide if we should send delegated credentials to
    a remote server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>

commit ee30821ecaff86f9f62da48c8a0d154cc118f058
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 11:41:10 2016 +0100

    CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
    
    This is just an example script that's not directly used by samba,
    but we should avoid sending delegated credentials to dns servers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Simo Sorce <idra at samba.org>

commit ce9e4a350135c985133af807dfaf8af95088b571
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Nov 5 21:22:46 2016 +0100

    CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
    
    Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
    this vulnerability with a PoC and a good analysis.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                              | 25 +++++++++++-
 auth/kerberos/kerberos_pac.c              | 22 +++++++++++
 librpc/ndr/ndr_dnsp.c                     |  9 +++++
 source3/librpc/crypto/gse.c               |  1 -
 source4/auth/gensec/gensec_gssapi.c       |  2 +-
 source4/heimdal/lib/krb5/crypto-arcfour.c |  8 ++++
 source4/heimdal/lib/krb5/crypto.c         | 66 +++++++++++++++----------------
 source4/heimdal/lib/krb5/mit_glue.c       | 17 ++++----
 source4/scripting/bin/nsupdate-gss        |  2 +-
 9 files changed, 106 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 39445cc..e5ce010 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -30,10 +30,24 @@ next Samba version 4.7 will not accept the wrong spelling.
 Users who were using the wrong spelling "ressource" with two "s" can keep the
 setting, but are advised to switch to the correct spelling.
 
+ID Mapping
+----------
+We discovered that the majority of users have an invalid or incorrect
+ID mapping configuration. We implemented checks in the 'testparm' tool to
+validate the ID mapping configuration. You should run it and check if it prints
+any warnings or errors after upgrading! If it does you should fix them. See the
+'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
+There are some ID mapping backends which are not allowed to be used for the
+default backend. Winbind will no longer start if an invalid backend is
+configured as the default backend.
+
+To avoid problems in future we advise all users to run 'testparm' after
+changing the smb.conf file!
+
 NEW FEATURES/CHANGES
 ====================
 
-kerberos client encryption types
+Kerberos client encryption types
 --------------------------------
 Some parts of Samba (most notably winbindd) perform Kerberos client
 operations based on a Samba-generated krb5.conf file. A new
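Review bot: the new "ID Mapping" section says some backends "are not allowed to be used for the default backend" but does not name them; listing the disallowed backends here (or pointing at the exact smb.conf section that does) would save admins a second lookup when winbind refuses to start. Minor wording: "To avoid problems in future" reads better as "To avoid problems in the future".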
@@ -48,6 +62,15 @@ only allows AES-based algorithms to be negotiated. Setting the parameter to
 This can solves some corner cases of mixed environments with Server 2003R2 and
 newer DCs.
 
+Printing
+--------
+Support for uploading printer drivers from newer Windows clients (Windows 10)
+has been added until our implementation of [MS-PAR] protocol is ready.
+Several issues with uploading different printing drivers have been addressed.
+
+The OS Version for the printing server has been increased to announce
+Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
+check the smb.conf manpage for details.
 
 new option for owner inheritance
 --------------------------------
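Review bot: the unchanged context line "This can solves some corner cases" has a grammatical slip ("can solve") that is worth correcting while this part of WHATSNEW.txt is being edited. In the new "Printing" paragraph, "until our implementation of [MS-PAR] protocol is ready" wants the article: "of the [MS-PAR] protocol".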
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_boolean checksum_valid = false;
 	krb5_data input;
 
+	switch (sig->type) {
+	case CKSUMTYPE_HMAC_MD5:
+		/* ignores the key type */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	default:
+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+			(int)sig->type));
+		return EINVAL;
+	}
+
 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
 	cksum.checksum.length	= sig->signature.length;
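Review bot: the two AES cases return EINVAL silently when the key type does not match the checksum type, whereas the default branch logs the unsupported checksum type at DEBUG level 2; a matching DEBUG line in the AES mismatch branches (printing sig->type and the key type) would make a rejected PAC diagnosable from the logs instead of surfacing only as a bare EINVAL. The "/* ignores the key type */" comment on CKSUMTYPE_HMAC_MD5 could also say why that is acceptable here, since this switch is the whole fix for CVE-2016-2126.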
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index ff77bc7..974ff5e 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
 		uint8_t sublen, newlen;
 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
 		newlen = total_len + sublen;
+		if (newlen < total_len) {
+			return ndr_pull_error(ndr, NDR_ERR_RANGE,
+					      "Failed to pull dnsp_name");
+		}
 		if (i != count-1) {
+			if (newlen == UINT8_MAX) {
+				return ndr_pull_error(
+					ndr, NDR_ERR_RANGE,
+					"Failed to pull dnsp_name");
+			}
 			newlen++; /* for the '.' */
 		}
 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
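Review bot: both overflow checks are correct given that sublen and newlen are uint8_t (assuming total_len is too, as the comparison suggests): the first catches wraparound in total_len + sublen, the second keeps newlen++ from wrapping to 0 before the talloc_realloc. Two improvements: a one-line comment stating that the lengths are 8-bit and these guards exist for the wraparound, and distinct error strings for the two ndr_pull_error calls (both currently read "Failed to pull dnsp_name"), so a log line identifies which check fired.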
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index d0ae53c..e4ceed1 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
-				GSS_C_DELEG_FLAG |
 				GSS_C_DELEG_POLICY_FLAG |
 				GSS_C_REPLAY_FLAG |
 				GSS_C_SEQUENCE_FLAG;
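Review bot: with GSS_C_DELEG_FLAG removed, a short comment next to GSS_C_DELEG_POLICY_FLAG explaining that unconditional delegation is deliberately not requested (CVE-2016-2125) and that the KDC's delegation policy decides would stop a future cleanup from reintroducing the flag.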
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 18bb011..a37a0a9 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
 	}
-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
 	}
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
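Review bot: flipping the default of the "gensec_gssapi:delegation" setting from true to false is a behaviour change visible to deployments that relied on unconditional delegation; it should be recorded in WHATSNEW.txt (the WHATSNEW hunks in this changeset do not mention it) together with the explicit setting an admin needs to restore the old behaviour, and ideally a comment here noting that GSS_C_DELEG_POLICY_FLAG still lets the KDC grant delegation.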
diff --git a/source4/heimdal/lib/krb5/crypto-arcfour.c b/source4/heimdal/lib/krb5/crypto-arcfour.c
index e16b70c..2289e7d 100644
--- a/source4/heimdal/lib/krb5/crypto-arcfour.c
+++ b/source4/heimdal/lib/krb5/crypto-arcfour.c
@@ -139,6 +139,10 @@ ARCFOUR_subencrypt(krb5_context context,
     unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
     krb5_error_code ret;
 
+    if (len < 16) {
+	    return KRB5KRB_AP_ERR_INAPP_CKSUM;
+    }
+
     t[0] = (usage >>  0) & 0xFF;
     t[1] = (usage >>  8) & 0xFF;
     t[2] = (usage >> 16) & 0xFF;
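Review bot: the literal 16 is the size of the k*_c_data buffers and the MD5 checksum that occupies the first 16 bytes of the data; a named constant or a comment saying so would make the bound self-explanatory. For the encrypt direction, KRB5KRB_AP_ERR_INAPP_CKSUM ("inappropriate checksum") is an odd error for a too-short plaintext buffer; a message-size error such as KRB5_BAD_MSIZE would describe the condition better.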
@@ -207,6 +211,10 @@ ARCFOUR_subdecrypt(krb5_context context,
     unsigned char cksum_data[16];
     krb5_error_code ret;
 
+    if (len < 16) {
+	    return KRB5KRB_AP_ERR_INAPP_CKSUM;
+    }
+
     t[0] = (usage >>  0) & 0xFF;
     t[1] = (usage >>  8) & 0xFF;
     t[2] = (usage >> 16) & 0xFF;
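Review bot: this guard is the right place to reject ciphertext that cannot hold the 16-byte checksum before the subsequent memcpy, but as in ARCFOUR_subencrypt the 16 deserves a named constant or comment tying it to the cksum_data[16] buffer declared just above.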
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 75d0a09..7dd2af5 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -305,6 +305,24 @@ get_checksum_key(krb5_context context,
 		 struct _krb5_key_data **key)
 {
     krb5_error_code ret = 0;
+    struct _krb5_checksum_type *kct = NULL;
+
+    if (crypto == NULL) {
+	krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+			       N_("Checksum type %s is keyed but no "
+			          "crypto context (key) was passed in", ""),
+			       ct->name);
+	return KRB5_BAD_ENCTYPE;
+    }
+    kct = crypto->et->keyed_checksum;
+    if (kct == NULL || kct->type != ct->type) {
+	krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+			       N_("Checksum type %s is keyed, but "
+			          "the key type %s passed didnt have that checksum "
+			          "type as the keyed type", ""),
+			       ct->name, crypto->et->name);
+	return KRB5_BAD_ENCTYPE;
+    }
 
     if(ct->flags & F_DERIVED)
 	ret = _get_derived_key(context, crypto, usage, key);
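Review bot: the checks moved into get_checksum_key() now report KRB5_BAD_ENCTYPE, whereas the copies they replace in create_checksum() and verify_checksum() (later in this diff) returned KRB5_PROG_SUMTYPE_NOSUPP; that error-code change deserves a sentence in the commit message, since callers distinguishing "unsupported checksum type" from "wrong enctype" will see a different code. While the message strings are being moved, "didnt" should become "didn't".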
@@ -340,21 +358,12 @@ create_checksum (krb5_context context,
 {
     krb5_error_code ret;
     struct _krb5_key_data *dkey;
-    int keyed_checksum;
 
     if (ct->flags & F_DISABLED) {
 	krb5_clear_error_message (context);
 	return KRB5_PROG_SUMTYPE_NOSUPP;
     }
-    keyed_checksum = (ct->flags & F_KEYED) != 0;
-    if(keyed_checksum && crypto == NULL) {
-	krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
-				N_("Checksum type %s is keyed but no "
-				   "crypto context (key) was passed in", ""),
-				ct->name);
-	return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
-    }
-    if(keyed_checksum) {
+    if (ct->flags & F_KEYED) {
 	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
 	if (ret)
 	    return ret;
@@ -422,7 +431,6 @@ verify_checksum(krb5_context context,
 {
     krb5_error_code ret;
     struct _krb5_key_data *dkey;
-    int keyed_checksum;
     Checksum c;
     struct _krb5_checksum_type *ct;
 
@@ -443,26 +451,7 @@ verify_checksum(krb5_context context,
 
 	return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
     }
-    keyed_checksum = (ct->flags & F_KEYED) != 0;
-    if(keyed_checksum) {
-	struct _krb5_checksum_type *kct;
-	if (crypto == NULL) {
-	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
-				   N_("Checksum type %s is keyed but no "
-				      "crypto context (key) was passed in", ""),
-				   ct->name);
-	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
-	}
-	kct = crypto->et->keyed_checksum;
-	if (kct == NULL || kct->type != ct->type) {
-	    krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
-				   N_("Checksum type %s is keyed, but "
-				      "the key type %s passed didnt have that checksum "
-				      "type as the keyed type", ""),
-				    ct->name, crypto->et->name);
-	    return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
-	}
-
+    if (ct->flags & F_KEYED) {
 	ret = get_checksum_key(context, crypto, usage, ct, &dkey);
 	if (ret)
 	    return ret;
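Review bot: the removed block returned KRB5_PROG_SUMTYPE_NOSUPP for a NULL crypto context or a keyed-type mismatch; after this change the same conditions come back from get_checksum_key() as KRB5_BAD_ENCTYPE (see its hunk above). The behaviour is otherwise equivalent, but any caller that tested for KRB5_PROG_SUMTYPE_NOSUPP now takes a different path, so this is worth a note in the commit message rather than being silent.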
@@ -1866,8 +1855,12 @@ _krb5_derive_key(krb5_context context,
 		memcpy(k + i * et->blocksize,
 		       k + (i - 1) * et->blocksize,
 		       et->blocksize);
-	    (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
-			   1, 0, NULL);
+	    ret = (*et->encrypt)(context, key, k + i * et->blocksize,
+				 et->blocksize, 1, 0, NULL);
+	    if (ret) {
+		    krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+		    goto out;
+	    }
 	}
     } else {
 	/* this case is probably broken, but won't be run anyway */
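Review bot: the new early "goto out" happens after k has been allocated earlier in this function (its size is computed from et->blocksize, as the memcpy offsets show); please confirm that the out: label frees k on this path, otherwise the hardening introduces a leak on the error branch that the previous unchecked call did not have.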
@@ -1880,7 +1873,12 @@ _krb5_derive_key(krb5_context context,
 	    goto out;
 	}
 	memcpy(c, constant, len);
-	(*et->encrypt)(context, key, c, len, 1, 0, NULL);
+	ret = (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+	if (ret) {
+		free(c);
+		krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+		goto out;
+	}
 	k = malloc(res_len);
 	if(res_len != 0 && k == NULL) {
 	    free(c);
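Review bot: this error path correctly mirrors the existing malloc-failure path (free(c); goto out) so c is not leaked. The identical N_("encrypt failed", "") message appears in both hunks of this function; one shared message that also names the enctype (et->name) would make the failure easier to attribute in logs.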
diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c
index 16c230a..53b20fd 100644
--- a/source4/heimdal/lib/krb5/mit_glue.c
+++ b/source4/heimdal/lib/krb5/mit_glue.c
@@ -67,22 +67,23 @@ krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
 		       const krb5_checksum *cksum, krb5_boolean *valid)
 {
     krb5_error_code ret;
-    krb5_checksum data_cksum;
+    krb5_crypto crypto;
 
     *valid = 0;
 
-    ret = krb5_c_make_checksum(context, cksum->cksumtype,
-			       key, usage, data, &data_cksum);
+    ret = krb5_crypto_init(context, key, 0, &crypto);
     if (ret)
 	return ret;
 
-    if (data_cksum.cksumtype == cksum->cksumtype
-	&& krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
-	*valid = 1;
+    ret = krb5_verify_checksum(context, crypto, usage,
+			       data->data, data->length, cksum);
+    krb5_crypto_destroy(context, crypto);
 
-    krb5_free_checksum_contents(context, &data_cksum);
+    if (ret == 0) {
+	*valid = 1;
+    }
 
-    return 0;
+    return ret;
 }
 
 KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
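Review bot: the return semantics of krb5_c_verify_checksum() change here: the old code returned 0 with *valid left at 0 on a mismatch, while the new code propagates whatever krb5_verify_checksum() returns (for a mismatch, a bad-integrity error). MIT's krb5_c_verify_checksum(), which this glue emulates, returns 0 and sets *valid to false on a mismatch and reserves a non-zero return for real errors; consider mapping KRB5KRB_AP_ERR_BAD_INTEGRITY to ret = 0 with *valid = 0 so callers written against the MIT contract keep working, and state the chosen contract in a comment above the function.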
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
     my $flags = 
 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+	GSS_C_INTEG_FLAG;
 
 
     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,


-- 
Samba Shared Repository