OpenWrt – Blame information for rev 1
?pathlinks?
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001 |
2 | From: Andreas Schneider <asn@cryptomilk.org> |
||
3 | Date: Wed, 30 Mar 2016 16:55:44 +0200 |
||
4 | Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing |
||
5 | ntlmssp_have_feature() |
||
6 | |||
7 | Signed-off-by: Andreas Schneider <asn@samba.org> |
||
8 | --- |
||
9 | source3/include/proto.h | 1 + |
||
10 | source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++ |
||
11 | 2 files changed, 31 insertions(+) |
||
12 | |||
13 | --- a/source3/include/proto.h |
||
14 | +++ b/source3/include/proto.h |
||
15 | @@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl |
||
16 | NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ; |
||
17 | void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list); |
||
18 | void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature); |
||
19 | +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature); |
||
20 | NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state, |
||
21 | const DATA_BLOB in, DATA_BLOB *out) ; |
||
22 | NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx, |
||
23 | --- a/source3/libsmb/ntlmssp.c |
||
24 | +++ b/source3/libsmb/ntlmssp.c |
||
25 | @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms |
||
26 | return NT_STATUS_OK; |
||
27 | } |
||
28 | |||
29 | +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, |
||
30 | + uint32_t feature) |
||
31 | +{ |
||
32 | + if (feature & NTLMSSP_FEATURE_SIGN) { |
||
33 | + if (ntlmssp_state->session_key.length == 0) { |
||
34 | + return false; |
||
35 | + } |
||
36 | + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { |
||
37 | + return true; |
||
38 | + } |
||
39 | + } |
||
40 | + |
||
41 | + if (feature & NTLMSSP_FEATURE_SEAL) { |
||
42 | + if (ntlmssp_state->session_key.length == 0) { |
||
43 | + return false; |
||
44 | + } |
||
45 | + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { |
||
46 | + return true; |
||
47 | + } |
||
48 | + } |
||
49 | + |
||
50 | + if (feature & NTLMSSP_FEATURE_SESSION_KEY) { |
||
51 | + if (ntlmssp_state->session_key.length > 0) { |
||
52 | + return true; |
||
53 | + } |
||
54 | + } |
||
55 | + |
||
56 | + return false; |
||
57 | +} |
||
58 | + |
||
59 | /** |
||
60 | * Request features for the NTLMSSP negotiation |
||
61 | * |
||
62 | --- a/source3/libads/sasl.c |
||
63 | +++ b/source3/libads/sasl.c |
||
64 | @@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss |
||
65 | /* we have a reference conter on ntlmssp_state, if we are signing |
||
66 | then the state will be kept by the signing engine */ |
||
67 | |||
68 | + if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) { |
||
69 | + bool ok; |
||
70 | + |
||
71 | + ok = ntlmssp_have_feature(ntlmssp_state, |
||
72 | + NTLMSSP_FEATURE_SEAL); |
||
73 | + if (!ok) { |
||
74 | + DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n")); |
||
75 | + TALLOC_FREE(ntlmssp_state); |
||
76 | + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); |
||
77 | + } |
||
78 | + |
||
79 | + ok = ntlmssp_have_feature(ntlmssp_state, |
||
80 | + NTLMSSP_FEATURE_SIGN); |
||
81 | + if (!ok) { |
||
82 | + DEBUG(0,("The ntlmssp feature signing request, but unavailable\n")); |
||
83 | + TALLOC_FREE(ntlmssp_state); |
||
84 | + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); |
||
85 | + } |
||
86 | + |
||
87 | + } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) { |
||
88 | + bool ok; |
||
89 | + |
||
90 | + ok = ntlmssp_have_feature(ntlmssp_state, |
||
91 | + NTLMSSP_FEATURE_SIGN); |
||
92 | + if (!ok) { |
||
93 | + DEBUG(0,("The gensec feature signing request, but unavailable\n")); |
||
94 | + TALLOC_FREE(ntlmssp_state); |
||
95 | + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE); |
||
96 | + } |
||
97 | + } |
||
98 | + |
||
99 | if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) { |
||
100 | ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE; |
||
101 | ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE; |
||
102 | --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml |
||
103 | +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml |
||
104 | @@ -34,11 +34,9 @@ |
||
105 | </para> |
||
106 | |||
107 | <para> |
||
108 | - The default value is <emphasis>plain</emphasis> which is not irritable |
||
109 | - to KRB5 clock skew errors. That implies synchronizing the time |
||
110 | - with the KDC in the case of using <emphasis>sign</emphasis> or |
||
111 | - <emphasis>seal</emphasis>. |
||
112 | + The default value is <emphasis>sign</emphasis>. That implies synchronizing the time |
||
113 | + with the KDC in the case of using <emphasis>Kerberos</emphasis>. |
||
114 | </para> |
||
115 | </description> |
||
116 | -<value type="default">plain</value> |
||
117 | +<value type="default">sign</value> |
||
118 | </samba:parameter> |
||
119 | --- a/source3/param/loadparm.c |
||
120 | +++ b/source3/param/loadparm.c |
||
121 | @@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo |
||
122 | Globals.ldap_debug_level = 0; |
||
123 | Globals.ldap_debug_threshold = 10; |
||
124 | |||
125 | + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; |
||
126 | + |
||
127 | /* This is what we tell the afs client. in reality we set the token |
||
128 | * to never expire, though, when this runs out the afs client will |
||
129 | * forget the token. Set to 0 to get NEVERDATE.*/ |