The branch, master has been updated via 9b45ba5 gensec/spnego: work around missing server mechListMIC in SMB servers from a7735be kcc: Fix a -Werror,-Wformat-security error
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 9b45ba5cd53bd513eb777590815a0b8408af64e2 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Sep 1 08:08:23 2016 +0200 gensec/spnego: work around missing server mechListMIC in SMB servers BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Christian Ambach <a...@samba.org> Autobuild-User(master): Christian Ambach <a...@samba.org> Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144 ----------------------------------------------------------------------- Summary of changes: auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 68 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index ef30ab7..5f5047a 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -55,9 +55,11 @@ struct spnego_state { DATA_BLOB mech_types; size_t num_targs; + bool downgraded; bool mic_requested; bool needs_mic_sign; bool needs_mic_check; + bool may_skip_mic_check; bool done_mic_check; bool simulate_w2k; @@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ * Indicate the downgrade and request a * mic. */ + spnego_state->downgraded = true; spnego_state->mic_requested = true; break; } @@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); - + spnego_state->downgraded = true; spnego_state->no_response_expected = false; talloc_free(spnego_state->sub_sec_security); nt_status = gensec_subcontext_start(spnego_state, @@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA return NT_STATUS_INVALID_PARAMETER; } + if (spnego.negTokenTarg.mechListMIC.length == 0 + && spnego_state->may_skip_mic_check) { + /* + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->needs_mic_check = false; + nt_status = NT_STATUS_OK; + goto client_response; + } + nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, @@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA */ new_spnego = false; } + break; case SPNEGO_ACCEPT_INCOMPLETE: + if (spnego.negTokenTarg.mechListMIC.length > 0) { + new_spnego = true; + break; + } + + if (spnego_state->downgraded) { + /* + * A downgrade should be protected if + * supported + */ + break; + } + + /* + * The caller may just asked for + * GENSEC_FEATURE_SESSION_KEY, this + * is only reflected in the want_features. + * + * As it will imply + * gensec_have_features(GENSEC_FEATURE_SIGN) + * to return true. + */ + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { + break; + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + break; + } + /* + * Here we're sure our preferred mech was + * selected by the server and our caller doesn't + * need GENSEC_FEATURE_SIGN nor + * GENSEC_FEATURE_SEAL support. + * + * In this case we don't require + * a mechListMIC from the server. + * + * This works around bugs in the Azure + * and Apple spnego implementations. + * + * See + * https://bugzilla.samba.org/show_bug.cgi?id=11994 + */ + spnego_state->may_skip_mic_check = true; + break; + case SPNEGO_REQUEST_MIC: if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; -- Samba Shared Repository