CVE-2020-25719 s4:kdc: Add samba_kdc_validate_pac_blob()
authorAndreas Schneider <asn@samba.org>
Mon, 9 Aug 2021 15:19:45 +0000 (17:19 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/pac-glue.c
source4/kdc/pac-glue.h

index 4066389e7172b0474cbbe359bb762a71f56fb82b..8a3ec22190c8a5d606bce08663e25f72ad9a7230 100644 (file)
@@ -918,3 +918,59 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
        talloc_free(tmp_ctx);
        return nt_status;
 }
+
+/* Does a parse and SID check, but no crypto. */
+krb5_error_code samba_kdc_validate_pac_blob(
+               krb5_context context,
+               struct samba_kdc_entry *client_skdc_entry,
+               const krb5_pac pac)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       struct auth_user_info_dc *pac_user_info = NULL;
+       struct dom_sid *client_sid = NULL;
+       struct dom_sid pac_sid;
+       krb5_error_code code;
+       bool ok;
+
+       code = kerberos_pac_to_user_info_dc(frame,
+                                           pac,
+                                           context,
+                                           &pac_user_info,
+                                           NULL,
+                                           NULL);
+       if (code != 0) {
+               goto out;
+       }
+
+       if (pac_user_info->num_sids == 0) {
+               code = EINVAL;
+               goto out;
+       }
+
+       pac_sid = pac_user_info->sids[0];
+       client_sid = samdb_result_dom_sid(frame,
+                                         client_skdc_entry->msg,
+                                         "objectSid");
+
+       ok = dom_sid_equal(&pac_sid, client_sid);
+       if (!ok) {
+               struct dom_sid_buf buf1;
+               struct dom_sid_buf buf2;
+
+               DBG_ERR("SID mismatch between PAC and looked up client: "
+                       "PAC[%s] != CLI[%s]\n",
+                       dom_sid_str_buf(&pac_sid, &buf1),
+                       dom_sid_str_buf(client_sid, &buf2));
+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+                       code = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+#else /* Heimdal (where this is an enum) */
+                       code = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+#endif
+               goto out;
+       }
+
+       code = 0;
+out:
+       TALLOC_FREE(frame);
+       return code;
+}
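Review bot: `samdb_result_dom_sid()` in the `client_sid = ...` assignment can return NULL (no `objectSid` on the entry, or a talloc failure), and the hunk hands that NULL straight to `dom_sid_equal()` and `dom_sid_str_buf()`. Those helpers appear to tolerate a NULL SID, in which case the lookup failure is logged as `CLI[(NULL SID)]` and reported to the caller as a client-name mismatch, which mislabels an internal/lookup error as a mismatch against the PAC; an explicit guard right after the lookup, `if (client_sid == NULL) { code = EINVAL; goto out; }`, keeps the two cases distinct and matches the `num_sids == 0` handling above it. The comparison also silently assumes `sids[0]` is the account SID that `kerberos_pac_to_user_info_dc()` places first — worth a one-line comment at `pac_sid = pac_user_info->sids[0];` so a later reordering of the SID array does not quietly weaken the check. As a style point, the two `code = ...` assignments inside the `#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH)` / `#else` branches are indented one level deeper than the surrounding block.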
index 7b51b0389f5eb97d7b2ba13e14feb898427a168e..e83446647b332efd7c7f59857d49b06f5e4c0997 100644 (file)
@@ -69,3 +69,8 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
                                       const char *client_name,
                                       const char *workstation,
                                       bool password_change);
+
+krb5_error_code samba_kdc_validate_pac_blob(
+               krb5_context context,
+               struct samba_kdc_entry *client_skdc_entry,
+               const krb5_pac pac);
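Review bot: The new prototype carries no comment on its contract, and the only description on the .c side is "Does a parse and SID check, but no crypto." Since this is the check tied to CVE-2020-25719, the header should say explicitly that the function decodes the PAC and compares its first SID with `client_skdc_entry`'s `objectSid`, that it performs no checksum or signature verification so the PAC must already be verified by the caller, and that it returns 0 on match, EINVAL when the PAC carries no SIDs, and the KDC client-name-mismatch error code otherwise. A short form for the header: `/* Parse the PAC and check its first SID against the client entry's objectSid. No signature verification is done here; verify the PAC before calling. */`.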