Commit | Line | Data |
---|---|---|
77ecb239 AF |
1 | From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001 |
2 | From: Andreas Schneider <asn@cryptomilk.org> | |
3 | Date: Wed, 30 Mar 2016 16:55:44 +0200 | |
4 | Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing | |
5 | ntlmssp_have_feature() | |
6 | ||
7 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
8 | --- | |
9 | source3/include/proto.h | 1 + | |
10 | source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++ | |
11 | 2 files changed, 31 insertions(+) | |
12 | ||
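--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p
 NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
 void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
 void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
 NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
 const DATA_BLOB in, DATA_BLOB *out) ;
 NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,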
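--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
 return NT_STATUS_OK;
 }
 
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+ uint32_t feature)
+{
+ if (feature & NTLMSSP_FEATURE_SIGN) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SEAL) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+ if (ntlmssp_state->session_key.length > 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 /**
 * Request features for the NTLMSSP negotiation
 *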
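Review bot: ntlmssp_have_feature() answers "any of", not "all of", when `feature` carries more than one bit: with `NTLMSSP_FEATURE_SIGN | NTLMSSP_FEATURE_SEAL` it returns true as soon as `NTLMSSP_NEGOTIATE_SIGN` is set in `neg_flags`, without ever testing the seal flag. The callers added in patch 2/3 pass one bit per call, so they are not affected, but a later caller that uses a combined mask for a downgrade check would accept a session that is only signed. The function also has no doc comment; I would add one above it, for example `/* Returns true if at least one bit in feature was negotiated; pass a single NTLMSSP_FEATURE_* bit when the result gates a security decision. */`.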
66 | -- | |
67 | 2.8.1 | |
68 | ||
69 | ||
70 | From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001 | |
71 | From: Ralph Boehme <slow@samba.org> | |
72 | Date: Thu, 24 Mar 2016 16:22:36 +0100 | |
73 | Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade | |
74 | ||
75 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
76 | ||
77 | Pair-programmed-with: Ralph Boehme <slow@samba.org> | |
78 | ||
79 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
80 | Signed-off-by: Ralph Boehme <slow@samba.org> | |
81 | --- | |
82 | source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++ | |
83 | 1 file changed, 31 insertions(+) | |
84 | ||
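--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
 /* we have a reference conter on ntlmssp_state, if we are signing
 then the state will be kept by the signing engine */
 
+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SEAL);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+ }
+
 if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
 ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;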
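Review bot: The three DEBUG(0) messages added here are what an administrator sees when the peer, or something sitting between us and the DC, drops signing or sealing from the negotiation, and as written they are hard to act on. "request" should read "requested", and the last branch says "gensec feature" although it runs in the same NTLMSSP bind path as the first two. I would word them uniformly, e.g. `DEBUG(0,("NTLMSSP signing was requested but not negotiated\n"));` and the same for sealing. The `>=` tests on `ads->ldap.wrap_type` also rely on the ADS_SASLWRAP_TYPE_* values being ordered plain < sign < seal, which is not visible in this hunk and deserves a one-line comment. ads_sasl_spnego_ntlmssp_bind() starts and ends outside the hunk.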
127 | -- | |
128 | 2.8.1 | |
129 | ||
130 | ||
131 | From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001 | |
132 | From: Andrew Bartlett <abartlet@samba.org> | |
133 | Date: Fri, 5 Sep 2014 17:38:38 +1200 | |
134 | Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl | |
135 | wrapping" to sign | |
136 | ||
137 | This is to disrupt MITM attacks between us and our DC | |
138 | ||
139 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 | |
140 | ||
141 | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> | |
142 | Signed-off-by: Garming Sam <garming@catalyst.net.nz> | |
143 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | |
144 | (backported from commit afe02d12f444ad9a6abf31a61f578320520263a9) | |
145 | --- | |
146 | docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++----- | |
147 | source3/param/loadparm.c | 2 ++ | |
148 | 2 files changed, 5 insertions(+), 5 deletions(-) | |
149 | ||
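--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
 </para>
 
 <para>
- The default value is <emphasis>plain</emphasis> which is not irritable
- to KRB5 clock skew errors. That implies synchronizing the time
- with the KDC in the case of using <emphasis>sign</emphasis> or
- <emphasis>seal</emphasis>.
+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 </para>
 </description>
-<value type="default">plain</value>
+<value type="default">sign</value>
 </samba:parameter>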
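--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
 Globals.ldap_debug_level = 0;
 Globals.ldap_debug_threshold = 10;
 
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
 /* This is what we tell the afs client. in reality we set the token
 * to never expire, though, when this runs out the afs client will
 * forget the token. Set to 0 to get NEVERDATE.*/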
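Review bot: The new assignment to `Globals.client_ldap_sasl_wrapping` has no comment saying why the default moved. Nothing near it records that the default only protects installations that do not set `client ldap sasl wrapping` themselves; presumably an explicit `plain` in smb.conf still overrides it, since init_globals() only sets defaults. I would add `/* Sign LDAP traffic by default so it cannot be modified between us and the DC (CVE-2016-2112); an explicit "plain" still disables this. */` above the line. init_globals() continues outside the hunk.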
182 | -- | |
183 | 2.8.1 | |
184 |