The Samba-Bugzilla – Attachment 18438 Details for
Bug 15712
sdb_entry_free seems to have not fully released the requested resources
the modifications I attempted to make
0001-fix.patch (text/plain), 3.53 KB, created by
ze yue
on 2024-09-10 09:05:49 UTC
>From ad25724dbeedeb40caab9dc970a093481bb44858 Mon Sep 17 00:00:00 2001 >From: lvzeyue <18589334186@163.com> >Date: Tue, 10 Sep 2024 10:44:46 +0800 >Subject: [PATCH] =?UTF-8?q?=E3=80=90fix=E3=80=91=20=E4=BF=AE=E6=AD=A3?= > =?UTF-8?q?=E5=86=85=E5=AD=98=E9=94=99=E8=AF=AF?= >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >--- > source4/kdc/db-glue.c | 61 ++++++++++++++++++++++++++------------------------- > source4/kdc/sdb.c | 8 +++++++ > 2 files changed, 39 insertions(+), 30 deletions(-) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 3d7c048..3952d98 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c 
>@@ -1661,36 +1661,37 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, > * FIXME: Currently limited to Heimdal so as not to > * break MIT KDCs, for which no fix is available. > */ >-#ifdef samba4_USES_HEIMDAL >- if (is_krbtgt) { >- /* >- * The krbtgt account, having no reason to >- * issue tickets encrypted in weaker keys, >- * shall only make available its strongest >- * key. All weaker keys are stripped out. This >- * makes it impossible for an RC4-encrypted >- * TGT to be accepted when AES KDC keys exist. >- * >- * This controls the ticket key and so the PAC >- * signature algorithms indirectly, preventing >- * a weak KDC checksum from being accepted >- * when we verify the signatures for an >- * S4U2Proxy evidence ticket. As such, this is >- * indispensable for addressing >- * CVE-2022-37966. >- * >- * Being strict here also provides protection >- * against possible future attacks on weak >- * keys. >- */ >- entry->keys.len = 1; >- if (entry->etypes != NULL) { >- entry->etypes->len = 1; >- } >- entry->old_keys.len = MIN(entry->old_keys.len, 1); >- entry->older_keys.len = MIN(entry->older_keys.len, 1); >- } >-#endif >+// #ifdef samba4_USES_HEIMDAL >+// if (is_krbtgt) { >+// /* >+// * The krbtgt account, having no reason to >+// * issue tickets encrypted in weaker keys, >+// * shall only make available its strongest >+// * key. All weaker keys are stripped out. This >+// * makes it impossible for an RC4-encrypted >+// * TGT to be accepted when AES KDC keys exist. >+// * >+// * This controls the ticket key and so the PAC >+// * signature algorithms indirectly, preventing >+// * a weak KDC checksum from being accepted >+// * when we verify the signatures for an >+// * S4U2Proxy evidence ticket. As such, this is >+// * indispensable for addressing >+// * CVE-2022-37966. >+// * >+// * Being strict here also provides protection >+// * against possible future attacks on weak >+// * keys. 
>+// */ >+// entry->keys.len = 1; >+// if (entry->etypes != NULL) { >+// entry->etypes->len = 1; >+// } >+// entry->old_keys.len = MIN(entry->old_keys.len, 1); >+// entry->older_keys.len = MIN(entry->older_keys.len, 1); >+// } >+// #endif > } else if (kdc_db_ctx->rodc) { > /* > * We are on an RODC, but don't have keys for this >diff --git a/source4/kdc/sdb.c b/source4/kdc/sdb.c >index b7f3ce5..5116ef1 100644 >--- a/source4/kdc/sdb.c >+++ b/source4/kdc/sdb.c >@@ -90,7 +90,15 @@ void sdb_entry_free(struct sdb_entry *s) > } > SAFE_FREE(s->valid_start); > SAFE_FREE(s->valid_end); >+ SAFE_FREE(s->max_life); >+ SAFE_FREE(s->max_renew); > SAFE_FREE(s->pw_end); >+ if(s->session_etypes) { >+ SAFE_FREE(s->etypes->val); >+ SAFE_FREE(s->etypes); >+ } >+ if(s->session_etypes) { >+ SAFE_FREE(s->session_etypes->val); >+ SAFE_FREE(s->session_etypes); >+ } > > ZERO_STRUCTP(s); > } >-- >1.8.3.1 >
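Review bot: In the source4/kdc/db-glue.c hunk (samba_kdc_message2entry), the entire `is_krbtgt` block is disabled with `//` comments, although the block's own comment calls the key stripping "indispensable for addressing CVE-2022-37966". With it commented out, the krbtgt entry keeps its weaker keys, old keys and etypes, which is a security regression and has nothing to do with the resource release in sdb_entry_free() that this bug reports. Drop this hunk. If the concern is that `entry->keys.len = 1` and the `MIN(..., 1)` truncations leave the elements beyond the new length unreleased, release those elements before shortening the length rather than removing the restriction, and explain that reasoning in the commit message, which currently says only that a memory error is fixed.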
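Review bot: In the source4/kdc/sdb.c hunk (sdb_entry_free), the first added guard tests the wrong pointer: `if(s->session_etypes) {` is followed by `SAFE_FREE(s->etypes->val);`. When `s->etypes` is NULL and `s->session_etypes` is set this dereferences NULL, and when `s->etypes` is set and `s->session_etypes` is NULL the etypes allocation is still leaked. The guard should be `if (s->etypes) {`, leaving the second block as the one that checks `s->session_etypes`. Two smaller points: the new lines use `if(` without the space used elsewhere in the file's context, and the hunk header `@@ -90,7 +90,15 @@` and the diffstat (8 insertions) do not match the 10 added lines shown, so the patch appears to have been edited by hand and should be regenerated with git format-patch.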