samba: import RHEL security fixes.
diff --git a/src/patches/samba/CVE-2016-2110-v3-6.patch b/src/patches/samba/CVE-2016-2110-v3-6.patch
new file mode 100644 (file)
index 0000000..1f454be
--- /dev/null
@@ -0,0 +1,670 @@
+From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 1 Dec 2015 08:46:45 +0100
+Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
+ ntlmssp_state->allow_lm_key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 1de6189..20a5987 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -530,7 +530,8 @@ noccache:
+       DEBUG(3, ("Got challenge flags:\n"));
+       debug_ntlmssp_flags(chal_flags);
+-      ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
++      ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
++                               ntlmssp_state->allow_lm_key);
+       if (ntlmssp_state->unicode) {
+               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+@@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
+       ntlmssp_state->unicode = True;
+       ntlmssp_state->use_ntlmv2 = use_ntlmv2;
++      ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
+       ntlmssp_state->expected_state = NTLMSSP_INITIAL;
+-- 
+2.8.1
+
+
+From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 11 Dec 2015 14:50:23 +0100
+Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
+ ntlmssp3_handle_neg_flags()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a copy of ntlmssp_handle_neg_flags(), which will be changed
+in an incompatible way in the following commits.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 56 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 20a5987..ad09f9f 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+       return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
++static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
++                                    uint32_t neg_flags, bool allow_lm)
++{
++      if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
++              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
++              ntlmssp_state->unicode = true;
++      } else {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
++              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
++              ntlmssp_state->unicode = false;
++      }
++
++      if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
++              /* other end forcing us to use LM */
++              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
++              ntlmssp_state->use_ntlmv2 = false;
++      } else {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
++      }
++
++      if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
++      }
++
++      if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
++              ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
++      }
++}
++
+ /**
+  * Next state function for the Challenge Packet.  Generate an auth packet.
+  *
+@@ -530,8 +584,8 @@ noccache:
+       DEBUG(3, ("Got challenge flags:\n"));
+       debug_ntlmssp_flags(chal_flags);
+-      ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
+-                               ntlmssp_state->allow_lm_key);
++      ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
++                                ntlmssp_state->allow_lm_key);
+       if (ntlmssp_state->unicode) {
+               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+-- 
+2.8.1
+
+
+From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Thu, 31 Mar 2016 12:39:50 +0200
+Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
+ ntlmssp3_handle_neg_flags() return NTSTATUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In future we can do a more fine granted negotiation
+and assert specific security features.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
+ 1 file changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index ad09f9f..81a85ce 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+       return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+-static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+-                                    uint32_t neg_flags, bool allow_lm)
++static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
++                                        uint32_t flags)
+ {
+-      if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
++      if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+               ntlmssp_state->unicode = true;
+@@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+               ntlmssp_state->unicode = false;
+       }
+-      if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
++      if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
+               /* other end forcing us to use LM */
+               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+               ntlmssp_state->use_ntlmv2 = false;
+@@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_56)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+       }
+-      if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
++      if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+       }
+-      if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
++      if ((flags & NTLMSSP_REQUEST_TARGET)) {
+               ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+       }
++
++      return NT_STATUS_OK;
+ }
+ /**
+@@ -584,8 +586,11 @@ noccache:
+       DEBUG(3, ("Got challenge flags:\n"));
+       debug_ntlmssp_flags(chal_flags);
+-      ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
+-                                ntlmssp_state->allow_lm_key);
++      nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
++      if (!NT_STATUS_IS_OK(nt_status)) {
++              return nt_status;
++      }
++
+       if (ntlmssp_state->unicode) {
+               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+-- 
+2.8.1
+
+
+From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 1 Dec 2015 15:01:09 +0100
+Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
+ NTLMv2 to LM_AUTH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+man smb.conf says "client ntlmv2 auth = yes" the default disables,
+"client lanman auth = yes":
+
+  ...
+  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
+  logins will be attempted.
+  ...
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 81a85ce..23a5e5d 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
+               NTLMSSP_NEGOTIATE_KEY_EXCH |
+               NTLMSSP_REQUEST_TARGET;
++      if (ntlmssp_state->use_ntlmv2) {
++              ntlmssp_state->allow_lm_key = false;
++      }
++
+       ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
+       if (!ntlmssp_state->client.netbios_name) {
+               talloc_free(ntlmssp_state);
+-- 
+2.8.1
+
+
+From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 31 Mar 2016 12:59:05 +0200
+Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
+ variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We now give an error when required flags are missing.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ libcli/auth/ntlmssp.h    |  1 +
+ source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
+index 495d94f..88a049b 100644
+--- a/libcli/auth/ntlmssp.h
++++ b/libcli/auth/ntlmssp.h
+@@ -83,6 +83,7 @@ struct ntlmssp_state
+       DATA_BLOB nt_resp;
+       DATA_BLOB session_key;
++      uint32_t required_flags;
+       uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
+       /**
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 23a5e5d..48d7d45 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+                                         uint32_t flags)
+ {
++      uint32_t missing_flags = ntlmssp_state->required_flags;
++
+       if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+@@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+               ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+       }
++      missing_flags &= ~ntlmssp_state->neg_flags;
++      if (missing_flags != 0) {
++              NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
++              DEBUG(1, ("%s: Got challenge flags[0x%08x] "
++                        "- possible downgrade detected! "
++                        "missing_flags[0x%08x] - %s\n",
++                        __func__,
++                        (unsigned)flags,
++                        (unsigned)missing_flags,
++                        nt_errstr(status)));
++              debug_ntlmssp_flags(missing_flags);
++              DEBUGADD(4, ("neg_flags[0x%08x]\n",
++                           (unsigned)ntlmssp_state->neg_flags));
++              debug_ntlmssp_flags(ntlmssp_state->neg_flags);
++
++              return status;
++      }
++
+       return NT_STATUS_OK;
+ }
+-- 
+2.8.1
+
+
+From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 31 Mar 2016 13:03:24 +0200
+Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
+ NTLMv2 to LM_AUTH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+man smb.conf says "client ntlmv2 auth = yes" the default disables,
+"client lanman auth = yes":
+
+  ...
+  Likewise, if the client ntlmv2 auth parameter is enabled, then only
+  NTLMv2 logins will be attempted.
+  ...
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 48d7d45..bf40404 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+       if (ntlmssp_state->use_ntlmv2) {
+               ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
++              ntlmssp_state->allow_lm_key = false;
+       }
+       /* generate the ntlmssp negotiate packet */
+-- 
+2.8.1
+
+
+From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 11 Apr 2016 16:18:44 +0200
+Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
+ ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
+
+ntlmssp_handle_neg_flags() can only disable flags, but not
+set them. All supported flags are set at start time.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index bf40404..7b17a43 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+               ntlmssp_state->allow_lm_key = false;
+       }
++      if (ntlmssp_state->allow_lm_key) {
++              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
++      }
++
+       /* generate the ntlmssp negotiate packet */
+       status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
+                 "NTLMSSP",
+@@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+               ntlmssp_state->unicode = false;
+       }
+-      if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
+-              /* other end forcing us to use LM */
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
+-              ntlmssp_state->use_ntlmv2 = false;
+-      } else {
++      /*
++       * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
++       * has priority over NTLMSSP_NEGOTIATE_LM_KEY
++       */
++      if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++      }
++
++      if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+       }
+-      if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+-              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
++      if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+       }
+-      if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+-              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
++      if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
++              ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+       }
+       if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+-- 
+2.8.1
+
+
+From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 31 Mar 2016 14:21:12 +0200
+Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
+ require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 7b17a43..d5c83fd 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
+       }
+       if (ntlmssp_state->use_ntlmv2) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+               ntlmssp_state->allow_lm_key = false;
+       }
+-- 
+2.8.1
+
+
+From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Thu, 31 Mar 2016 14:30:05 +0200
+Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
+ require flags
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index d5c83fd..309175b 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
+        * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
+        */
+       if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
+       }
+       if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
+               ntlmssp_state->use_ccache = true;
+       }
++
++      ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
+ }
+ /**
+@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
+ {
+       /* As per JRA's comment above */
+       if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if (feature & NTLMSSP_FEATURE_SIGN) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if (feature & NTLMSSP_FEATURE_SEAL) {
+-              ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
++              ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
+       }
+       if (feature & NTLMSSP_FEATURE_CCACHE) {
+               ntlmssp_state->use_ccache = true;
+       }
++
++      ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
+ }
+ /**
+-- 
+2.8.1
+
+
+From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 31 Mar 2016 15:02:11 +0200
+Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
+ ntlmssp creds cache case
+
+Pair-Programmed-With: Ralph Boehme <slow@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
+index 309175b..045dc87 100644
+--- a/source3/libsmb/ntlmssp.c
++++ b/source3/libsmb/ntlmssp.c
+@@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
+       DATA_BLOB encrypted_session_key = data_blob_null;
+       NTSTATUS nt_status = NT_STATUS_OK;
++      if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
++                       "NTLMSSP",
++                       &ntlmssp_command,
++                       &server_domain_blob,
++                       &chal_flags)) {
++              DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
++              dump_data(2, reply.data, reply.length);
++
++              return NT_STATUS_INVALID_PARAMETER;
++      }
++      data_blob_free(&server_domain_blob);
++
++      DEBUG(3, ("Got challenge flags:\n"));
++      debug_ntlmssp_flags(chal_flags);
++
++      nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
++      if (!NT_STATUS_IS_OK(nt_status)) {
++              return nt_status;
++      }
++
+       if (ntlmssp_state->use_ccache) {
+               struct wbcCredentialCacheParams params;
+               struct wbcCredentialCacheInfo *info = NULL;
+@@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
+ noccache:
+-      if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+-                       "NTLMSSP",
+-                       &ntlmssp_command,
+-                       &server_domain_blob,
+-                       &chal_flags)) {
+-              DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+-              dump_data(2, reply.data, reply.length);
+-
+-              return NT_STATUS_INVALID_PARAMETER;
+-      }
+-
+       if (DEBUGLEVEL >= 10) {
+               struct CHALLENGE_MESSAGE *challenge = talloc(
+                       talloc_tos(), struct CHALLENGE_MESSAGE);
+@@ -615,17 +624,6 @@ noccache:
+               }
+       }
+-      data_blob_free(&server_domain_blob);
+-
+-      DEBUG(3, ("Got challenge flags:\n"));
+-      debug_ntlmssp_flags(chal_flags);
+-
+-      nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+-      if (!NT_STATUS_IS_OK(nt_status)) {
+-              return nt_status;
+-      }
+-
+-
+       if (ntlmssp_state->unicode) {
+               if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
+                       chal_parse_string = "CdUdbddB";
+-- 
+2.8.1
+
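Review bot: In PATCH 09/10, `ntlmssp_want_feature_list()` maps `NTLMSSP_FEATURE_SEAL` to `ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;` only, while the parallel branch in `ntlmssp_want_feature()` a few lines below requires both `NTLMSSP_NEGOTIATE_SIGN` and `NTLMSSP_NEGOTIATE_SEAL`. If SEAL is meant to imply SIGN on both entry points, a challenge that clears SIGN but keeps SEAL would still pass the `missing_flags` check added in PATCH 05/10 for callers that request features through the string list, so the two branches should agree: add `ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;` beside the existing SEAL line in the list variant. Whether any caller in this tree uses the list form is not visible here, so this may be a no-op in practice, but it is a divergence between two copies of the same policy and worth closing before the backport is taken as-is. Note also that the rendered hunk appears to have dropped whitespace-only context lines from the embedded diffs (the inner `@@` counts do not match the lines shown), so the file should be checked against the original RHEL patch rather than this view before being applied.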