From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 30 Mar 2016 16:55:44 +0200
Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
 ntlmssp_have_feature()

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 source3/include/proto.h  |  1 +
 source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
 NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
 void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
 void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
 NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
 			const DATA_BLOB in, DATA_BLOB *out) ;
 NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
 	return NT_STATUS_OK;
 }
 
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+			  uint32_t feature)
+{
+	if (feature & NTLMSSP_FEATURE_SIGN) {
+		if (ntlmssp_state->session_key.length == 0) {
+			return false;
+		}
+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+			return true;
+		}
+	}
+
+	if (feature & NTLMSSP_FEATURE_SEAL) {
+		if (ntlmssp_state->session_key.length == 0) {
+			return false;
+		}
+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+			return true;
+		}
+	}
+
+	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+		if (ntlmssp_state->session_key.length > 0) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
 /**
  * Request features for the NTLMSSP negotiation
  *
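Review bot: ntlmssp_have_feature() has "any-of" semantics when several feature bits are passed, and nothing documents that: with `NTLMSSP_FEATURE_SIGN|NTLMSSP_FEATURE_SESSION_KEY` it returns true as soon as session_key.length > 0, even if NTLMSSP_NEGOTIATE_SIGN was never negotiated, because a failed sign or seal check falls through to the next block instead of returning false. The callers this patch adds pass a single bit per call, so the enforcement is correct there, but a later caller that combines masks would get a false positive on a downgraded negotiation. I would put a header comment above the function, e.g. `/* Returns true if ANY of the requested NTLMSSP_FEATURE_* bits was negotiated (sign/seal also require a session key); query one feature per call when enforcing sign or seal. */`, or alternatively make the sign/seal blocks return false as soon as their flag is missing.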
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
 	/* we have a reference conter on ntlmssp_state, if we are signing
 	   then the state will be kept by the signing engine */
 
+	if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+		bool ok;
+
+		ok = ntlmssp_have_feature(ntlmssp_state,
+					  NTLMSSP_FEATURE_SEAL);
+		if (!ok) {
+			DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+			TALLOC_FREE(ntlmssp_state);
+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+		}
+
+		ok = ntlmssp_have_feature(ntlmssp_state,
+					  NTLMSSP_FEATURE_SIGN);
+		if (!ok) {
+			DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+			TALLOC_FREE(ntlmssp_state);
+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+		}
+
+	} else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+		bool ok;
+
+		ok = ntlmssp_have_feature(ntlmssp_state,
+					  NTLMSSP_FEATURE_SIGN);
+		if (!ok) {
+			DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+			TALLOC_FREE(ntlmssp_state);
+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+		}
+	}
+
 	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 		ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
 		ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
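Review bot: The three DEBUG(0) messages in the new block read awkwardly, and the third says "gensec feature" although this path is NTLMSSP-only (the wording looks copied from the source4 counterpart), which will mislead anyone grepping logs for it; something like `DEBUG(0,("NTLMSSP signing was requested but not negotiated\n"));` and the sealing counterpart state what actually happened. Failing with NT_STATUS_INVALID_NETWORK_RESPONSE when the requested sign/seal feature is missing is the right reaction here, since continuing would silently send unsigned LDAP traffic to a server that stripped the flags. The comment just above the hunk says ntlmssp_state is reference counted and may be held by the signing engine; if that reference can already exist at this point, TALLOC_FREE on the new error paths would need to be a reference drop instead, which is worth confirming against the rest of ads_sasl_spnego_ntlmssp_bind. The enclosing function starts before this hunk.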
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
 	</para>
 
 	<para>
-	The default value is <emphasis>plain</emphasis> which is not irritable 
-	to KRB5 clock skew errors. That implies synchronizing the time
-	with the KDC in the case of using <emphasis>sign</emphasis> or 
-	<emphasis>seal</emphasis>.
+	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 	</para>
 </description>
-<value type="default">plain</value>
+<value type="default">sign</value>
 </samba:parameter>
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
 	Globals.ldap_debug_level = 0;
 	Globals.ldap_debug_threshold = 10;
 
+	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
 	/* This is what we tell the afs client. in reality we set the token 
 	 * to never expire, though, when this runs out the afs client will 
 	 * forget the token. Set to 0 to get NEVERDATE.*/
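Review bot: The new default `Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;` is a security-relevant behaviour change with no comment explaining it, unlike the neighbouring defaults; a reader will not know it belongs to the CVE-2016-2112 hardening or that setting "client ldap sasl wrapping = plain" opts out of the protection. I would add a comment such as `/* CVE-2016-2112: request NTLMSSP signing by default so a server that refuses or strips sign/seal is rejected rather than talked to in the clear */`. The documentation hunk in this patch already states the default is sign, so the comment keeps the two in step. init_globals() continues outside the hunk.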