1
0

025-CVE-2016-2112-v3-6.patch 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129
  1. From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
  2. From: Andreas Schneider <asn@cryptomilk.org>
  3. Date: Wed, 30 Mar 2016 16:55:44 +0200
  4. Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
  5. ntlmssp_have_feature()
  6. Signed-off-by: Andreas Schneider <asn@samba.org>
  7. ---
  8. source3/include/proto.h | 1 +
  9. source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
  10. 2 files changed, 31 insertions(+)
  11. --- a/source3/include/proto.h
  12. +++ b/source3/include/proto.h
  13. @@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
  14. NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
  15. void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
  16. void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
  17. +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
  18. NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
  19. const DATA_BLOB in, DATA_BLOB *out) ;
  20. NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
  21. --- a/source3/libsmb/ntlmssp.c
  22. +++ b/source3/libsmb/ntlmssp.c
  23. @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
  24. return NT_STATUS_OK;
  25. }
  26. +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
  27. + uint32_t feature)
  28. +{
  29. + if (feature & NTLMSSP_FEATURE_SIGN) {
  30. + if (ntlmssp_state->session_key.length == 0) {
  31. + return false;
  32. + }
  33. + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
  34. + return true;
  35. + }
  36. + }
  37. +
  38. + if (feature & NTLMSSP_FEATURE_SEAL) {
  39. + if (ntlmssp_state->session_key.length == 0) {
  40. + return false;
  41. + }
  42. + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
  43. + return true;
  44. + }
  45. + }
  46. +
  47. + if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
  48. + if (ntlmssp_state->session_key.length > 0) {
  49. + return true;
  50. + }
  51. + }
  52. +
  53. + return false;
  54. +}
  55. +
  56. /**
  57. * Request features for the NTLMSSP negotiation
  58. *
  59. --- a/source3/libads/sasl.c
  60. +++ b/source3/libads/sasl.c
  61. @@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
  62. /* we have a reference conter on ntlmssp_state, if we are signing
  63. then the state will be kept by the signing engine */
  64. + if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
  65. + bool ok;
  66. +
  67. + ok = ntlmssp_have_feature(ntlmssp_state,
  68. + NTLMSSP_FEATURE_SEAL);
  69. + if (!ok) {
  70. + DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
  71. + TALLOC_FREE(ntlmssp_state);
  72. + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
  73. + }
  74. +
  75. + ok = ntlmssp_have_feature(ntlmssp_state,
  76. + NTLMSSP_FEATURE_SIGN);
  77. + if (!ok) {
  78. + DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
  79. + TALLOC_FREE(ntlmssp_state);
  80. + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
  81. + }
  82. +
  83. + } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
  84. + bool ok;
  85. +
  86. + ok = ntlmssp_have_feature(ntlmssp_state,
  87. + NTLMSSP_FEATURE_SIGN);
  88. + if (!ok) {
  89. + DEBUG(0,("The gensec feature signing request, but unavailable\n"));
  90. + TALLOC_FREE(ntlmssp_state);
  91. + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
  92. + }
  93. + }
  94. +
  95. if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
  96. ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
  97. ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
  98. --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
  99. +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
  100. @@ -34,11 +34,9 @@
  101. </para>
  102. <para>
  103. - The default value is <emphasis>plain</emphasis> which is not irritable
  104. - to KRB5 clock skew errors. That implies synchronizing the time
  105. - with the KDC in the case of using <emphasis>sign</emphasis> or
  106. - <emphasis>seal</emphasis>.
  107. + The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
  108. + with the KDC in the case of using <emphasis>Kerberos</emphasis>.
  109. </para>
  110. </description>
  111. -<value type="default">plain</value>
  112. +<value type="default">sign</value>
  113. </samba:parameter>
  114. --- a/source3/param/loadparm.c
  115. +++ b/source3/param/loadparm.c
  116. @@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
  117. Globals.ldap_debug_level = 0;
  118. Globals.ldap_debug_threshold = 10;
  119. + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
  120. +
  121. /* This is what we tell the afs client. in reality we set the token
  122. * to never expire, though, when this runs out the afs client will
  123. * forget the token. Set to 0 to get NEVERDATE.*/