samba: update to 4.13.0

[ipfire-2.x.git] / src / patches / samba / CVE-2016-2110-v3-6.patch

diff --git a/src/patches/samba/CVE-2016-2110-v3-6.patch b/src/patches/samba/CVE-2016-2110-v3-6.patch
deleted file mode 100644 (file)
index 1f454be..0000000
--- a/src/patches/samba/CVE-2016-2110-v3-6.patch
+++ /dev/null
@@ -1,670 +0,0 @@
-From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 1 Dec 2015 08:46:45 +0100
-Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
- ntlmssp_state->allow_lm_key
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 1de6189..20a5987 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -530,7 +530,8 @@ noccache:
-       DEBUG(3, ("Got challenge flags:\n"));
-       debug_ntlmssp_flags(chal_flags);
- 
--      ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
-+      ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
-+                               ntlmssp_state->allow_lm_key);
- 
-       if (ntlmssp_state->unicode) {
-               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
-@@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
-       ntlmssp_state->unicode = True;
- 
-       ntlmssp_state->use_ntlmv2 = use_ntlmv2;
-+      ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
- 
-       ntlmssp_state->expected_state = NTLMSSP_INITIAL;
- 
--- 
-2.8.1
-
-
-From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 11 Dec 2015 14:50:23 +0100
-Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
- ntlmssp3_handle_neg_flags()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a copy of ntlmssp_handle_neg_flags(), which will be changed
-in an incompatible way in the following commits.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 56 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 20a5987..ad09f9f 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
-       return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
- 
-+static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-+                                    uint32_t neg_flags, bool allow_lm)
-+{
-+      if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
-+              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
-+              ntlmssp_state->unicode = true;
-+      } else {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
-+              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
-+              ntlmssp_state->unicode = false;
-+      }
-+
-+      if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
-+              /* other end forcing us to use LM */
-+              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-+              ntlmssp_state->use_ntlmv2 = false;
-+      } else {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
-+      }
-+
-+      if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
-+      }
-+
-+      if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
-+              ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
-+      }
-+}
-+
- /**
-  * Next state function for the Challenge Packet.  Generate an auth packet.
-  *
-@@ -530,8 +584,8 @@ noccache:
-       DEBUG(3, ("Got challenge flags:\n"));
-       debug_ntlmssp_flags(chal_flags);
- 
--      ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
--                               ntlmssp_state->allow_lm_key);
-+      ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
-+                                ntlmssp_state->allow_lm_key);
- 
-       if (ntlmssp_state->unicode) {
-               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
--- 
-2.8.1
-
-
-From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 31 Mar 2016 12:39:50 +0200
-Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
- ntlmssp3_handle_neg_flags() return NTSTATUS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In future we can do a more fine granted negotiation
-and assert specific security features.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
- 1 file changed, 19 insertions(+), 14 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index ad09f9f..81a85ce 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
-       return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
- 
--static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
--                                    uint32_t neg_flags, bool allow_lm)
-+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-+                                        uint32_t flags)
- {
--      if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
-+      if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
-               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
-               ntlmssp_state->unicode = true;
-@@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-               ntlmssp_state->unicode = false;
-       }
- 
--      if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
-+      if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
-               /* other end forcing us to use LM */
-               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-               ntlmssp_state->use_ntlmv2 = false;
-@@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_128)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_56)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
-       }
- 
--      if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
-+      if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
-       }
- 
--      if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
-+      if ((flags & NTLMSSP_REQUEST_TARGET)) {
-               ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
-       }
-+
-+      return NT_STATUS_OK;
- }
- 
- /**
-@@ -584,8 +586,11 @@ noccache:
-       DEBUG(3, ("Got challenge flags:\n"));
-       debug_ntlmssp_flags(chal_flags);
- 
--      ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
--                                ntlmssp_state->allow_lm_key);
-+      nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
-+      if (!NT_STATUS_IS_OK(nt_status)) {
-+              return nt_status;
-+      }
-+
- 
-       if (ntlmssp_state->unicode) {
-               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
--- 
-2.8.1
-
-
-From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 1 Dec 2015 15:01:09 +0100
-Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
- NTLMv2 to LM_AUTH
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-man smb.conf says "client ntlmv2 auth = yes" the default disables,
-"client lanman auth = yes":
-
-  ...
-  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
-  logins will be attempted.
-  ...
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 81a85ce..23a5e5d 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
-               NTLMSSP_NEGOTIATE_KEY_EXCH |
-               NTLMSSP_REQUEST_TARGET;
- 
-+      if (ntlmssp_state->use_ntlmv2) {
-+              ntlmssp_state->allow_lm_key = false;
-+      }
-+
-       ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
-       if (!ntlmssp_state->client.netbios_name) {
-               talloc_free(ntlmssp_state);
--- 
-2.8.1
-
-
-From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 31 Mar 2016 12:59:05 +0200
-Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
- variable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We now give an error when required flags are missing.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- libcli/auth/ntlmssp.h    |  1 +
- source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
-index 495d94f..88a049b 100644
---- a/libcli/auth/ntlmssp.h
-+++ b/libcli/auth/ntlmssp.h
-@@ -83,6 +83,7 @@ struct ntlmssp_state
-       DATA_BLOB nt_resp;
-       DATA_BLOB session_key;
- 
-+      uint32_t required_flags;
-       uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
- 
-       /**
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 23a5e5d..48d7d45 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-                                         uint32_t flags)
- {
-+      uint32_t missing_flags = ntlmssp_state->required_flags;
-+
-       if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
-               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
-@@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-               ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
-       }
- 
-+      missing_flags &= ~ntlmssp_state->neg_flags;
-+      if (missing_flags != 0) {
-+              NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
-+              DEBUG(1, ("%s: Got challenge flags[0x%08x] "
-+                        "- possible downgrade detected! "
-+                        "missing_flags[0x%08x] - %s\n",
-+                        __func__,
-+                        (unsigned)flags,
-+                        (unsigned)missing_flags,
-+                        nt_errstr(status)));
-+              debug_ntlmssp_flags(missing_flags);
-+              DEBUGADD(4, ("neg_flags[0x%08x]\n",
-+                           (unsigned)ntlmssp_state->neg_flags));
-+              debug_ntlmssp_flags(ntlmssp_state->neg_flags);
-+
-+              return status;
-+      }
-+
-       return NT_STATUS_OK;
- }
- 
--- 
-2.8.1
-
-
-From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 31 Mar 2016 13:03:24 +0200
-Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
- NTLMv2 to LM_AUTH
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-man smb.conf says "client ntlmv2 auth = yes" the default disables,
-"client lanman auth = yes":
-
-  ...
-  Likewise, if the client ntlmv2 auth parameter is enabled, then only
-  NTLMv2 logins will be attempted.
-  ...
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 48d7d45..bf40404 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
- 
-       if (ntlmssp_state->use_ntlmv2) {
-               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-+              ntlmssp_state->allow_lm_key = false;
-       }
- 
-       /* generate the ntlmssp negotiate packet */
--- 
-2.8.1
-
-
-From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 11 Apr 2016 16:18:44 +0200
-Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
- ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
-
-ntlmssp_handle_neg_flags() can only disable flags, but not
-set them. All supported flags are set at start time.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
- 1 file changed, 17 insertions(+), 9 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index bf40404..7b17a43 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
-               ntlmssp_state->allow_lm_key = false;
-       }
- 
-+      if (ntlmssp_state->allow_lm_key) {
-+              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
-+      }
-+
-       /* generate the ntlmssp negotiate packet */
-       status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
-                 "NTLMSSP",
-@@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-               ntlmssp_state->unicode = false;
-       }
- 
--      if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
--              /* other end forcing us to use LM */
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
--              ntlmssp_state->use_ntlmv2 = false;
--      } else {
-+      /*
-+       * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
-+       * has priority over NTLMSSP_NEGOTIATE_LM_KEY
-+       */
-+      if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-+      }
-+
-+      if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
-               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
-       }
- 
--      if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
--              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
-+      if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
-       }
- 
--      if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
--              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
-+      if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
-+              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
-       }
- 
-       if (!(flags & NTLMSSP_NEGOTIATE_128)) {
--- 
-2.8.1
-
-
-From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 31 Mar 2016 14:21:12 +0200
-Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
- require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
----
- source3/libsmb/ntlmssp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 7b17a43..d5c83fd 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
-       }
- 
-       if (ntlmssp_state->use_ntlmv2) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-               ntlmssp_state->allow_lm_key = false;
-       }
- 
--- 
-2.8.1
-
-
-From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 31 Mar 2016 14:30:05 +0200
-Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
- require flags
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/ntlmssp.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index d5c83fd..309175b 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
-        * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
-        */
-       if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-       }
-       if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-       }
-       if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
-       }
-       if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
-               ntlmssp_state->use_ccache = true;
-       }
-+
-+      ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
- }
- 
- /**
-@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
- {
-       /* As per JRA's comment above */
-       if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-       }
-       if (feature & NTLMSSP_FEATURE_SIGN) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-       }
-       if (feature & NTLMSSP_FEATURE_SEAL) {
--              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-+              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
-       }
-       if (feature & NTLMSSP_FEATURE_CCACHE) {
-               ntlmssp_state->use_ccache = true;
-       }
-+
-+      ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
- }
- 
- /**
--- 
-2.8.1
-
-
-From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 31 Mar 2016 15:02:11 +0200
-Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
- ntlmssp creds cache case
-
-Pair-Programmed-With: Ralph Boehme <slow@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
- 1 file changed, 20 insertions(+), 22 deletions(-)
-
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 309175b..045dc87 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
-       DATA_BLOB encrypted_session_key = data_blob_null;
-       NTSTATUS nt_status = NT_STATUS_OK;
- 
-+      if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
-+                       "NTLMSSP",
-+                       &ntlmssp_command,
-+                       &server_domain_blob,
-+                       &chal_flags)) {
-+              DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
-+              dump_data(2, reply.data, reply.length);
-+
-+              return NT_STATUS_INVALID_PARAMETER;
-+      }
-+      data_blob_free(&server_domain_blob);
-+
-+      DEBUG(3, ("Got challenge flags:\n"));
-+      debug_ntlmssp_flags(chal_flags);
-+
-+      nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
-+      if (!NT_STATUS_IS_OK(nt_status)) {
-+              return nt_status;
-+      }
-+
-       if (ntlmssp_state->use_ccache) {
-               struct wbcCredentialCacheParams params;
-               struct wbcCredentialCacheInfo *info = NULL;
-@@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
- 
- noccache:
- 
--      if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
--                       "NTLMSSP",
--                       &ntlmssp_command,
--                       &server_domain_blob,
--                       &chal_flags)) {
--              DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
--              dump_data(2, reply.data, reply.length);
--
--              return NT_STATUS_INVALID_PARAMETER;
--      }
--
-       if (DEBUGLEVEL >= 10) {
-               struct CHALLENGE_MESSAGE *challenge = talloc(
-                       talloc_tos(), struct CHALLENGE_MESSAGE);
-@@ -615,17 +624,6 @@ noccache:
-               }
-       }
- 
--      data_blob_free(&server_domain_blob);
--
--      DEBUG(3, ("Got challenge flags:\n"));
--      debug_ntlmssp_flags(chal_flags);
--
--      nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
--      if (!NT_STATUS_IS_OK(nt_status)) {
--              return nt_status;
--      }
--
--
-       if (ntlmssp_state->unicode) {
-               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
-                       chal_parse_string = "CdUdbddB";
--- 
-2.8.1
-