Home Explore Help
Register Sign In
wareck
/
openwrt_chaos_calmer
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: c3df3ea581
Branches Tags
openwrt_chaos_c...
/
package
/
network
/
services
/
samba36
/
patches
/
025-CVE-2016-2112-v3-6.patch

025-CVE-2016-2112-v3-6.patch 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
    2. 

  2. From: Andreas Schneider <asn@cryptomilk.org>
    3. 

  3. Date: Wed, 30 Mar 2016 16:55:44 +0200
    4. 

  4. Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
    5. 

  5.  ntlmssp_have_feature()
    6. 

  6. 

  7. Signed-off-by: Andreas Schneider <asn@samba.org>
    8. 

  8. ---
    9. 

  9.  source3/include/proto.h  |  1 +
    10. 

  10.  source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
    11. 

  11.  2 files changed, 31 insertions(+)
    12. 

  12. 

  13. --- a/source3/include/proto.h
    14. 

  14. +++ b/source3/include/proto.h
    15. 

  15. @@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
    16. 

  16.  NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
    17. 

  17.  void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
    18. 

  18.  void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
    19. 

  19. +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
    20. 

  20.  NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
    21. 

  21.  			const DATA_BLOB in, DATA_BLOB *out) ;
    22. 

  22.  NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
    23. 

  23. --- a/source3/libsmb/ntlmssp.c
    24. 

  24. +++ b/source3/libsmb/ntlmssp.c
    25. 

  25. @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
    26. 

  26.  	return NT_STATUS_OK;
    27. 

  27.  }
    28. 

  28.  
    29. 

  29. +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
    30. 

  30. +			  uint32_t feature)
    31. 

  31. +{
    32. 

  32. +	if (feature & NTLMSSP_FEATURE_SIGN) {
    33. 

  33. +		if (ntlmssp_state->session_key.length == 0) {
    34. 

  34. +			return false;
    35. 

  35. +		}
    36. 

  36. +		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
    37. 

  37. +			return true;
    38. 

  38. +		}
    39. 

  39. +	}
    40. 

  40. +
    41. 

  41. +	if (feature & NTLMSSP_FEATURE_SEAL) {
    42. 

  42. +		if (ntlmssp_state->session_key.length == 0) {
    43. 

  43. +			return false;
    44. 

  44. +		}
    45. 

  45. +		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
    46. 

  46. +			return true;
    47. 

  47. +		}
    48. 

  48. +	}
    49. 

  49. +
    50. 

  50. +	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
    51. 

  51. +		if (ntlmssp_state->session_key.length > 0) {
    52. 

  52. +			return true;
    53. 

  53. +		}
    54. 

  54. +	}
    55. 

  55. +
    56. 

  56. +	return false;
    57. 

  57. +}
    58. 

  58. +
    59. 

  59.  /**
    60. 

  60.   * Request features for the NTLMSSP negotiation
    61. 

  61.   *
    62. 

  62. --- a/source3/libads/sasl.c
    63. 

  63. +++ b/source3/libads/sasl.c
    64. 

  64. @@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
    65. 

  65.  	/* we have a reference conter on ntlmssp_state, if we are signing
    66. 

  66.  	   then the state will be kept by the signing engine */
    67. 

  67.  
    68. 

  68. +	if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
    69. 

  69. +		bool ok;
    70. 

  70. +
    71. 

  71. +		ok = ntlmssp_have_feature(ntlmssp_state,
    72. 

  72. +					  NTLMSSP_FEATURE_SEAL);
    73. 

  73. +		if (!ok) {
    74. 

  74. +			DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
    75. 

  75. +			TALLOC_FREE(ntlmssp_state);
    76. 

  76. +			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
    77. 

  77. +		}
    78. 

  78. +
    79. 

  79. +		ok = ntlmssp_have_feature(ntlmssp_state,
    80. 

  80. +					  NTLMSSP_FEATURE_SIGN);
    81. 

  81. +		if (!ok) {
    82. 

  82. +			DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
    83. 

  83. +			TALLOC_FREE(ntlmssp_state);
    84. 

  84. +			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
    85. 

  85. +		}
    86. 

  86. +
    87. 

  87. +	} else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
    88. 

  88. +		bool ok;
    89. 

  89. +
    90. 

  90. +		ok = ntlmssp_have_feature(ntlmssp_state,
    91. 

  91. +					  NTLMSSP_FEATURE_SIGN);
    92. 

  92. +		if (!ok) {
    93. 

  93. +			DEBUG(0,("The gensec feature signing request, but unavailable\n"));
    94. 

  94. +			TALLOC_FREE(ntlmssp_state);
    95. 

  95. +			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
    96. 

  96. +		}
    97. 

  97. +	}
    98. 

  98. +
    99. 

  99.  	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
    100. 

  100.  		ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
    101. 

  101.  		ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
    102. 

  102. --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
    103. 

  103. +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
    104. 

  104. @@ -34,11 +34,9 @@
    105. 

  105.  	</para>
    106. 

  106.  
    107. 

  107.  	<para>
    108. 

  108. -	The default value is <emphasis>plain</emphasis> which is not irritable 
    109. 

  109. -	to KRB5 clock skew errors. That implies synchronizing the time
    110. 

  110. -	with the KDC in the case of using <emphasis>sign</emphasis> or 
    111. 

  111. -	<emphasis>seal</emphasis>.
    112. 

  112. +	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
    113. 

  113. +	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
    114. 

  114.  	</para>
    115. 

  115.  </description>
    116. 

  116. -<value type="default">plain</value>
    117. 

  117. +<value type="default">sign</value>
    118. 

  118.  </samba:parameter>
    119. 

  119. --- a/source3/param/loadparm.c
    120. 

  120. +++ b/source3/param/loadparm.c
    121. 

  121. @@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
    122. 

  122.  	Globals.ldap_debug_level = 0;
    123. 

  123.  	Globals.ldap_debug_threshold = 10;
    124. 

  124.  
    125. 

  125. +	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
    126. 

  126. +
    127. 

  127.  	/* This is what we tell the afs client. in reality we set the token 
    128. 

  128.  	 * to never expire, though, when this runs out the afs client will 
    129. 

  129.  	 * forget the token. Set to 0 to get NEVERDATE.*/
    130.