[ipfire-2.x.git] / src / patches / samba / CVE-2016-2112-v3-6.patch

From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 30 Mar 2016 16:55:44 +0200
Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
 ntlmssp_have_feature()

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 source3/include/proto.h  |  1 +
 source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 32b4e3d..43008ea 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p
 NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
 void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
 void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
 NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
 			const DATA_BLOB in, DATA_BLOB *out) ;
 NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 045dc87..7e58990 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
 	return NT_STATUS_OK;
 }
 
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+			  uint32_t feature)
+{
+	if (feature & NTLMSSP_FEATURE_SIGN) {
+		if (ntlmssp_state->session_key.length == 0) {
+			return false;
+		}
+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+			return true;
+		}
+	}
+
+	if (feature & NTLMSSP_FEATURE_SEAL) {
+		if (ntlmssp_state->session_key.length == 0) {
+			return false;
+		}
+		if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+			return true;
+		}
+	}
+
+	if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+		if (ntlmssp_state->session_key.length > 0) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
 /**
  * Request features for the NTLMSSP negotiation
  *
-- 
2.8.1


From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 24 Mar 2016 16:22:36 +0100
Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
---
 source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index e7daa8a..6690f83 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
 	/* we have a reference conter on ntlmssp_state, if we are signing
 	   then the state will be kept by the signing engine */
 
+	if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+		bool ok;
+
+		ok = ntlmssp_have_feature(ntlmssp_state,
+					  NTLMSSP_FEATURE_SEAL);
+		if (!ok) {
+			DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+			TALLOC_FREE(ntlmssp_state);
+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+		}
+
+		ok = ntlmssp_have_feature(ntlmssp_state,
+					  NTLMSSP_FEATURE_SIGN);
+		if (!ok) {
+			DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+			TALLOC_FREE(ntlmssp_state);
+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+		}
+
+	} else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+		bool ok;
+
+		ok = ntlmssp_have_feature(ntlmssp_state,
+					  NTLMSSP_FEATURE_SIGN);
+		if (!ok) {
+			DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+			TALLOC_FREE(ntlmssp_state);
+			return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+		}
+	}
+
 	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 		ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
 		ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
-- 
2.8.1


From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 5 Sep 2014 17:38:38 +1200
Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
 wrapping" to sign

This is to disrupt MITM attacks between us and our DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit afe02d12f444ad9a6abf31a61f578320520263a9)
---
 docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++-----
 source3/param/loadparm.c                            | 2 ++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index a926cec..a7c4395 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
 	</para>
 
 	<para>
-	The default value is <emphasis>plain</emphasis> which is not irritable 
-	to KRB5 clock skew errors. That implies synchronizing the time
-	with the KDC in the case of using <emphasis>sign</emphasis> or 
-	<emphasis>seal</emphasis>.
+	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 	</para>
 </description>
-<value type="default">plain</value>
+<value type="default">sign</value>
 </samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7065cf6..c5249b7 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
 	Globals.ldap_debug_level = 0;
 	Globals.ldap_debug_threshold = 10;
 
+	Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
 	/* This is what we tell the afs client. in reality we set the token 
 	 * to never expire, though, when this runs out the afs client will 
 	 * forget the token. Set to 0 to get NEVERDATE.*/
-- 
2.8.1
Commit	Line	Data
77ecb239 AF	1	From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
	2	From: Andreas Schneider <asn@cryptomilk.org>
	3	Date: Wed, 30 Mar 2016 16:55:44 +0200
	4	Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
	5	ntlmssp_have_feature()
	6
	7	Signed-off-by: Andreas Schneider <asn@samba.org>
	8	---
	9	source3/include/proto.h \| 1 +
	10	source3/libsmb/ntlmssp.c \| 30 ++++++++++++++++++++++++++++++
	11	2 files changed, 31 insertions(+)
	12
	13	diff --git a/source3/include/proto.h b/source3/include/proto.h
	14	index 32b4e3d..43008ea 100644
	15	--- a/source3/include/proto.h
	16	+++ b/source3/include/proto.h
	17	@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state ntlmssp_state, const char p
	18	NTSTATUS ntlmssp_set_domain(struct ntlmssp_state ntlmssp_state, const char domain) ;
	19	void ntlmssp_want_feature_list(struct ntlmssp_state ntlmssp_state, char feature_list);
	20	void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
	21	+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
	22	NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
	23	const DATA_BLOB in, DATA_BLOB *out) ;
	24	NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
	25	diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
	26	index 045dc87..7e58990 100644
	27	--- a/source3/libsmb/ntlmssp.c
	28	+++ b/source3/libsmb/ntlmssp.c
	29	@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state ntlmssp_state, const char dom
	30	return NT_STATUS_OK;
	31	}
	32
	33	+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
	34	+ uint32_t feature)
	35	+{
	36	+ if (feature & NTLMSSP_FEATURE_SIGN) {
	37	+ if (ntlmssp_state->session_key.length == 0) {
	38	+ return false;
	39	+ }
	40	+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
	41	+ return true;
	42	+ }
	43	+ }
	44	+
	45	+ if (feature & NTLMSSP_FEATURE_SEAL) {
	46	+ if (ntlmssp_state->session_key.length == 0) {
	47	+ return false;
	48	+ }
	49	+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
	50	+ return true;
	51	+ }
	52	+ }
	53	+
	54	+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
	55	+ if (ntlmssp_state->session_key.length > 0) {
	56	+ return true;
	57	+ }
	58	+ }
	59	+
	60	+ return false;
	61	+}
	62	+
	63	/**
	64	* Request features for the NTLMSSP negotiation
65	*
66	--
67	2.8.1
68
69
70	From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
71	From: Ralph Boehme <slow@samba.org>
72	Date: Thu, 24 Mar 2016 16:22:36 +0100
73	Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade
74
75	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
76
77	Pair-programmed-with: Ralph Boehme <slow@samba.org>
78
79	Signed-off-by: Stefan Metzmacher <metze@samba.org>
80	Signed-off-by: Ralph Boehme <slow@samba.org>
81	---
82	source3/libads/sasl.c \| 31 +++++++++++++++++++++++++++++++
83	1 file changed, 31 insertions(+)
84
85	diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
86	index e7daa8a..6690f83 100644
87	--- a/source3/libads/sasl.c
88	+++ b/source3/libads/sasl.c
89	@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
90	/* we have a reference conter on ntlmssp_state, if we are signing
91	then the state will be kept by the signing engine */
92
93	+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
94	+ bool ok;
95	+
96	+ ok = ntlmssp_have_feature(ntlmssp_state,
97	+ NTLMSSP_FEATURE_SEAL);
98	+ if (!ok) {
99	+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
100	+ TALLOC_FREE(ntlmssp_state);
101	+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
102	+ }
103	+
104	+ ok = ntlmssp_have_feature(ntlmssp_state,
105	+ NTLMSSP_FEATURE_SIGN);
106	+ if (!ok) {
107	+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
108	+ TALLOC_FREE(ntlmssp_state);
109	+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
110	+ }
111	+
112	+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
113	+ bool ok;
114	+
115	+ ok = ntlmssp_have_feature(ntlmssp_state,
116	+ NTLMSSP_FEATURE_SIGN);
117	+ if (!ok) {
118	+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
119	+ TALLOC_FREE(ntlmssp_state);
120	+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
121	+ }
122	+ }
123	+
124	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
125	ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
126	ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
127	--
128	2.8.1
129
130
131	From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
132	From: Andrew Bartlett <abartlet@samba.org>
133	Date: Fri, 5 Sep 2014 17:38:38 +1200
134	Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
135	wrapping" to sign
136
137	This is to disrupt MITM attacks between us and our DC
138
139	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
140
141	Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
142	Signed-off-by: Garming Sam <garming@catalyst.net.nz>
143	Signed-off-by: Andrew Bartlett <abartlet@samba.org>
144	(backported from commit afe02d12f444ad9a6abf31a61f578320520263a9)
145	---
146	docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml \| 8 +++-----
147	source3/param/loadparm.c \| 2 ++
148	2 files changed, 5 insertions(+), 5 deletions(-)
149
150	diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
151	index a926cec..a7c4395 100644
152	--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
153	+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
154	@@ -34,11 +34,9 @@
155	</para>
156
157	<para>
158	- The default value is <emphasis>plain</emphasis> which is not irritable
159	- to KRB5 clock skew errors. That implies synchronizing the time
160	- with the KDC in the case of using <emphasis>sign</emphasis> or
161	- <emphasis>seal</emphasis>.
162	+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
163	+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
164	</para>
165	</description>
166	-<value type="default">plain</value>
167	+<value type="default">sign</value>
168	</samba:parameter>
169	diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
170	index 7065cf6..c5249b7 100644
171	--- a/source3/param/loadparm.c
172	+++ b/source3/param/loadparm.c
173	@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
174	Globals.ldap_debug_level = 0;
175	Globals.ldap_debug_threshold = 10;
176
177	+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
178	+
179	/* This is what we tell the afs client. in reality we set the token
180	* to never expire, though, when this runs out the afs client will
181	* forget the token. Set to 0 to get NEVERDATE.*/
182	--
183	2.8.1
184