| commit | ea8e8a4a8a8bca03a6ec9756a4422b47c0082454 | |
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | |
| Mon, 15 Nov 2021 23:51:28 +0000 (16 12:51 +1300) | ||
| committer | Luke Howard <lukeh@padl.com> | |
| Thu, 16 Dec 2021 05:09:07 +0000 (16 16:09 +1100) | ||
| tree | f92baf2d5ca2c24d409809d1ad98aa1d945a4a6d | treesnapshot (tar.gz zip) |
| parent | 6b635f66de08b5972366ac63e298d9672a3cae76 | commitdiff |
kdc: Avoid races and multiple DB lookups in s4u2self check
Assists Samba to address CVE-2020-25719
Passing in target_server as a string principal means that for
an alias we must looking up the DB twice.
This is subject to a race and is a poor use of resources,
so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
We also avoid doing a name comparison if the HDB plugin provides
a validation hook, this allows the HDB layer more freedom
to choose how to handle things.
In Samba AD the client record has already been bound to the the
original client by the SID check in the PAC, so the record is
known to match the ticket.
Likewise by looking up server only once we ensure that the
keys looked up originally (to decrypt) are in the record
we confirm the SID for here.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(Based on Samba commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376)
Assists Samba to address CVE-2020-25719
Passing in target_server as a string principal means that for
an alias we must looking up the DB twice.
This is subject to a race and is a poor use of resources,
so instead just pass in the record we
already got when trying to confirm that the server in
S4U2Self is the same as the requesting client.
We also avoid doing a name comparison if the HDB plugin provides
a validation hook, this allows the HDB layer more freedom
to choose how to handle things.
In Samba AD the client record has already been bound to the the
original client by the SID check in the PAC, so the record is
known to match the ticket.
Likewise by looking up server only once we ensure that the
keys looked up originally (to decrypt) are in the record
we confirm the SID for here.
Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(Based on Samba commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376)
| kdc/krb5tgs.c | diffblobblamehistory | |
| lib/hdb/hdb.h | diffblobblamehistory |