1 From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Tue, 1 Dec 2015 08:46:45 +0100
4 Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
5 ntlmssp_state->allow_lm_key
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
11
12 Signed-off-by: Stefan Metzmacher <metze@samba.org>
13 Reviewed-by: Günther Deschner <gd@samba.org>
14 ---
15 source3/libsmb/ntlmssp.c | 4 +++-
16 1 file changed, 3 insertions(+), 1 deletion(-)
17
18 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
19 index 1de6189..20a5987 100644
20 --- a/source3/libsmb/ntlmssp.c
21 +++ b/source3/libsmb/ntlmssp.c
22 @@ -530,7 +530,8 @@ noccache:
23 DEBUG(3, ("Got challenge flags:\n"));
24 debug_ntlmssp_flags(chal_flags);
25
26 - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
27 + ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
28 + ntlmssp_state->allow_lm_key);
29
30 if (ntlmssp_state->unicode) {
31 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
32 @@ -769,6 +770,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
33 ntlmssp_state->unicode = True;
34
35 ntlmssp_state->use_ntlmv2 = use_ntlmv2;
36 + ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
37
38 ntlmssp_state->expected_state = NTLMSSP_INITIAL;
39
40 --
41 2.8.1
42
43
44 From a701bc5f8a76584a2e0680b2c3dd9afb77f12430 Mon Sep 17 00:00:00 2001
45 From: Stefan Metzmacher <metze@samba.org>
46 Date: Fri, 11 Dec 2015 14:50:23 +0100
47 Subject: [PATCH 02/10] CVE-2016-2110: s3:ntlmssp: add
48 ntlmssp3_handle_neg_flags()
49 MIME-Version: 1.0
50 Content-Type: text/plain; charset=UTF-8
51 Content-Transfer-Encoding: 8bit
52
53 This is a copy of ntlmssp_handle_neg_flags(), which will be changed
54 in an incompatible way in the following commits.
55
56 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
57
58 Signed-off-by: Stefan Metzmacher <metze@samba.org>
59 Reviewed-by: Günther Deschner <gd@samba.org>
60 ---
61 source3/libsmb/ntlmssp.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--
62 1 file changed, 56 insertions(+), 2 deletions(-)
63
64 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
65 index 20a5987..ad09f9f 100644
66 --- a/source3/libsmb/ntlmssp.c
67 +++ b/source3/libsmb/ntlmssp.c
68 @@ -422,6 +422,60 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
69 return NT_STATUS_MORE_PROCESSING_REQUIRED;
70 }
71
72 +static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
73 + uint32_t neg_flags, bool allow_lm)
74 +{
75 + if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
76 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
77 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
78 + ntlmssp_state->unicode = true;
79 + } else {
80 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
81 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
82 + ntlmssp_state->unicode = false;
83 + }
84 +
85 + if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
86 + /* other end forcing us to use LM */
87 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
88 + ntlmssp_state->use_ntlmv2 = false;
89 + } else {
90 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
91 + }
92 +
93 + if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
94 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
95 + }
96 +
97 + if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
98 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
99 + }
100 +
101 + if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
102 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
103 + }
104 +
105 + if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
106 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
107 + }
108 +
109 + if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
110 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
111 + }
112 +
113 + if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
114 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
115 + }
116 +
117 + if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
118 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
119 + }
120 +
121 + if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
122 + ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
123 + }
124 +}
125 +
126 /**
127 * Next state function for the Challenge Packet. Generate an auth packet.
128 *
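Review bot: The new ntlmssp3_handle_neg_flags() has no header comment, and since the commit message says it is a copy that will diverge from ntlmssp_handle_neg_flags() in later commits, its contract should be stated where it is defined. I would put above the definition: `/* Fold the server's CHALLENGE flags into ntlmssp_state->neg_flags. Apart from UNICODE/OEM and REQUEST_TARGET, bits can only be cleared here, never added. */`. A one-line note on the LM_KEY branch that it turns off use_ntlmv2 would also help the reader see the only place the copy changes authentication strength.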
129 @@ -530,8 +584,8 @@ noccache:
130 DEBUG(3, ("Got challenge flags:\n"));
131 debug_ntlmssp_flags(chal_flags);
132
133 - ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags,
134 - ntlmssp_state->allow_lm_key);
135 + ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
136 + ntlmssp_state->allow_lm_key);
137
138 if (ntlmssp_state->unicode) {
139 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
140 --
141 2.8.1
142
143
144 From 92b2f5315d135b7b83a3ae106b43d18181be2f02 Mon Sep 17 00:00:00 2001
145 From: Andreas Schneider <asn@cryptomilk.org>
146 Date: Thu, 31 Mar 2016 12:39:50 +0200
147 Subject: [PATCH 03/10] CVE-2016-2110: s3:ntlmssp: let
148 ntlmssp3_handle_neg_flags() return NTSTATUS
149 MIME-Version: 1.0
150 Content-Type: text/plain; charset=UTF-8
151 Content-Transfer-Encoding: 8bit
152
153 In future we can do a more fine-grained negotiation
154 and assert specific security features.
155
156 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
157
158 Signed-off-by: Stefan Metzmacher <metze@samba.org>
159 Reviewed-by: Günther Deschner <gd@samba.org>
160 ---
161 source3/libsmb/ntlmssp.c | 33 +++++++++++++++++++--------------
162 1 file changed, 19 insertions(+), 14 deletions(-)
163
164 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
165 index ad09f9f..81a85ce 100644
166 --- a/source3/libsmb/ntlmssp.c
167 +++ b/source3/libsmb/ntlmssp.c
168 @@ -422,10 +422,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
169 return NT_STATUS_MORE_PROCESSING_REQUIRED;
170 }
171
172 -static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
173 - uint32_t neg_flags, bool allow_lm)
174 +static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
175 + uint32_t flags)
176 {
177 - if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
178 + if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
179 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
180 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
181 ntlmssp_state->unicode = true;
182 @@ -435,7 +435,7 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
183 ntlmssp_state->unicode = false;
184 }
185
186 - if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
187 + if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
188 /* other end forcing us to use LM */
189 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
190 ntlmssp_state->use_ntlmv2 = false;
191 @@ -443,37 +443,39 @@ static void ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
192 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
193 }
194
195 - if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
196 + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
197 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
198 }
199
200 - if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
201 + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
202 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
203 }
204
205 - if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
206 + if (!(flags & NTLMSSP_NEGOTIATE_128)) {
207 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
208 }
209
210 - if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
211 + if (!(flags & NTLMSSP_NEGOTIATE_56)) {
212 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
213 }
214
215 - if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
216 + if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
217 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
218 }
219
220 - if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
221 + if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
222 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
223 }
224
225 - if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
226 + if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
227 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
228 }
229
230 - if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
231 + if ((flags & NTLMSSP_REQUEST_TARGET)) {
232 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
233 }
234 +
235 + return NT_STATUS_OK;
236 }
237
238 /**
239 @@ -584,8 +586,11 @@ noccache:
240 DEBUG(3, ("Got challenge flags:\n"));
241 debug_ntlmssp_flags(chal_flags);
242
243 - ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags,
244 - ntlmssp_state->allow_lm_key);
245 + nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
246 + if (!NT_STATUS_IS_OK(nt_status)) {
247 + return nt_status;
248 + }
249 +
250
251 if (ntlmssp_state->unicode) {
252 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
253 --
254 2.8.1
255
256
257 From a239a337e3c0081af1a41aaac8957bb1aa0771f8 Mon Sep 17 00:00:00 2001
258 From: Stefan Metzmacher <metze@samba.org>
259 Date: Tue, 1 Dec 2015 15:01:09 +0100
260 Subject: [PATCH 04/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
261 NTLMv2 to LM_AUTH
262 MIME-Version: 1.0
263 Content-Type: text/plain; charset=UTF-8
264 Content-Transfer-Encoding: 8bit
265
266 man smb.conf says that "client ntlmv2 auth = yes" (the default) disables
267 "client lanman auth = yes":
268
269 ...
270 Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
271 logins will be attempted.
272 ...
273
274 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
275
276 Signed-off-by: Stefan Metzmacher <metze@samba.org>
277 Reviewed-by: Günther Deschner <gd@samba.org>
278 ---
279 source3/libsmb/ntlmssp.c | 4 ++++
280 1 file changed, 4 insertions(+)
281
282 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
283 index 81a85ce..23a5e5d 100644
284 --- a/source3/libsmb/ntlmssp.c
285 +++ b/source3/libsmb/ntlmssp.c
286 @@ -841,6 +841,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx,
287 NTLMSSP_NEGOTIATE_KEY_EXCH |
288 NTLMSSP_REQUEST_TARGET;
289
290 + if (ntlmssp_state->use_ntlmv2) {
291 + ntlmssp_state->allow_lm_key = false;
292 + }
293 +
294 ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
295 if (!ntlmssp_state->client.netbios_name) {
296 talloc_free(ntlmssp_state);
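Review bot: The new `allow_lm_key = false` override carries no explanation in the code, so the smb.conf rationale given in the commit message is lost to anyone reading ntlmssp_client_start(). I would add above the if: `/* "client ntlmv2 auth = yes" means only NTLMv2 logins are attempted, so never let the peer negotiate us down to the LM key, even with "client lanman auth = yes" */`. ntlmssp_client_start() starts and ends outside this hunk.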
297 --
298 2.8.1
299
300
301 From e11dc9aa90420947f9fc82365b55ecb08353451c Mon Sep 17 00:00:00 2001
302 From: Stefan Metzmacher <metze@samba.org>
303 Date: Thu, 31 Mar 2016 12:59:05 +0200
304 Subject: [PATCH 05/10] CVE-2016-2110: s3:ntlmssp: maintain a required_flags
305 variable
306 MIME-Version: 1.0
307 Content-Type: text/plain; charset=UTF-8
308 Content-Transfer-Encoding: 8bit
309
310 We now give an error when required flags are missing.
311
312 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
313
314 Signed-off-by: Stefan Metzmacher <metze@samba.org>
315 Reviewed-by: Günther Deschner <gd@samba.org>
316 ---
317 libcli/auth/ntlmssp.h | 1 +
318 source3/libsmb/ntlmssp.c | 20 ++++++++++++++++++++
319 2 files changed, 21 insertions(+)
320
321 diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
322 index 495d94f..88a049b 100644
323 --- a/libcli/auth/ntlmssp.h
324 +++ b/libcli/auth/ntlmssp.h
325 @@ -83,6 +83,7 @@ struct ntlmssp_state
326 DATA_BLOB nt_resp;
327 DATA_BLOB session_key;
328
329 + uint32_t required_flags;
330 uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
331
332 /**
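Review bot: `required_flags` is added beside a `neg_flags` member that carries an explanatory comment but gets none of its own, so its relationship to neg_flags is undocumented at the declaration. I would write `uint32_t required_flags; /* flags the peer must not strip; compared against neg_flags when the challenge is processed */`. Whether the field starts out zero depends on how struct ntlmssp_state is allocated, which is outside this hunk; if the allocation is not zero-filled, the start functions need an explicit initialisation.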
333 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
334 index 23a5e5d..48d7d45 100644
335 --- a/source3/libsmb/ntlmssp.c
336 +++ b/source3/libsmb/ntlmssp.c
337 @@ -425,6 +425,8 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
338 static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
339 uint32_t flags)
340 {
341 + uint32_t missing_flags = ntlmssp_state->required_flags;
342 +
343 if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
344 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
345 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
346 @@ -475,6 +477,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
347 ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
348 }
349
350 + missing_flags &= ~ntlmssp_state->neg_flags;
351 + if (missing_flags != 0) {
352 + NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
353 + DEBUG(1, ("%s: Got challenge flags[0x%08x] "
354 + "- possible downgrade detected! "
355 + "missing_flags[0x%08x] - %s\n",
356 + __func__,
357 + (unsigned)flags,
358 + (unsigned)missing_flags,
359 + nt_errstr(status)));
360 + debug_ntlmssp_flags(missing_flags);
361 + DEBUGADD(4, ("neg_flags[0x%08x]\n",
362 + (unsigned)ntlmssp_state->neg_flags));
363 + debug_ntlmssp_flags(ntlmssp_state->neg_flags);
364 +
365 + return status;
366 + }
367 +
368 return NT_STATUS_OK;
369 }
370
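Review bot: The downgrade check `missing_flags &= ~ntlmssp_state->neg_flags` is only meaningful if every bit in required_flags was also present in neg_flags before this function ran, because the function clears bits and never re-adds a required one; nothing in this hunk establishes that invariant, and the code that fills required_flags is outside it. I would document the assumption at the check: `/* required_flags must be a subset of the flags we advertised; a bit missing from neg_flags here was stripped by the peer */`. Reporting the stripped bits at level 1 and the full neg_flags only at level 4 is a sensible split.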
371 --
372 2.8.1
373
374
375 From 06ca5b7655e577ff6e2d5817cf221c05f9bb5c86 Mon Sep 17 00:00:00 2001
376 From: Stefan Metzmacher <metze@samba.org>
377 Date: Thu, 31 Mar 2016 13:03:24 +0200
378 Subject: [PATCH 06/10] CVE-2016-2110: s3:ntlmssp: don't allow a downgrade from
379 NTLMv2 to LM_AUTH
380 MIME-Version: 1.0
381 Content-Type: text/plain; charset=UTF-8
382 Content-Transfer-Encoding: 8bit
383
384 man smb.conf says that "client ntlmv2 auth = yes" (the default) disables
385 "client lanman auth = yes":
386
387 ...
388 Likewise, if the client ntlmv2 auth parameter is enabled, then only
389 NTLMv2 logins will be attempted.
390 ...
391
392 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
393
394 Signed-off-by: Stefan Metzmacher <metze@samba.org>
395 Reviewed-by: Günther Deschner <gd@samba.org>
396 ---
397 source3/libsmb/ntlmssp.c | 1 +
398 1 file changed, 1 insertion(+)
399
400 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
401 index 48d7d45..bf40404 100644
402 --- a/source3/libsmb/ntlmssp.c
403 +++ b/source3/libsmb/ntlmssp.c
404 @@ -388,6 +388,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
405
406 if (ntlmssp_state->use_ntlmv2) {
407 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
408 + ntlmssp_state->allow_lm_key = false;
409 }
410
411 /* generate the ntlmssp negotiate packet */
412 --
413 2.8.1
414
415
416 From f99d4469a8b09dd93eb7124f2814e15869915671 Mon Sep 17 00:00:00 2001
417 From: Andreas Schneider <asn@samba.org>
418 Date: Mon, 11 Apr 2016 16:18:44 +0200
419 Subject: [PATCH 07/10] CVE-2016-2110: auth/ntlmssp: don't let
420 ntlmssp3_handle_neg_flags() change ntlmssp_state->use_ntlmv2
421
422 ntlmssp_handle_neg_flags() can only disable flags, but not
423 set them. All supported flags are set at start time.
424
425 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
426
427 Signed-off-by: Andreas Schneider <asn@samba.org>
428 Reviewed-by: Guenther Deschner <gd@samba.org>
429 ---
430 source3/libsmb/ntlmssp.c | 26 +++++++++++++++++---------
431 1 file changed, 17 insertions(+), 9 deletions(-)
432
433 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
434 index bf40404..7b17a43 100644
435 --- a/source3/libsmb/ntlmssp.c
436 +++ b/source3/libsmb/ntlmssp.c
437 @@ -391,6 +391,10 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
438 ntlmssp_state->allow_lm_key = false;
439 }
440
441 + if (ntlmssp_state->allow_lm_key) {
442 + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
443 + }
444 +
445 /* generate the ntlmssp negotiate packet */
446 status = msrpc_gen(ntlmssp_state, next_request, "CddAA",
447 "NTLMSSP",
448 @@ -438,20 +442,24 @@ static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
449 ntlmssp_state->unicode = false;
450 }
451
452 - if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
453 - /* other end forcing us to use LM */
454 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
455 - ntlmssp_state->use_ntlmv2 = false;
456 - } else {
457 + /*
458 + * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
459 + * has priority over NTLMSSP_NEGOTIATE_LM_KEY
460 + */
461 + if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
462 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
463 + }
464 +
465 + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
466 ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
467 }
468
469 - if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
470 - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
471 + if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
472 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
473 }
474
475 - if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
476 - ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
477 + if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
478 + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
479 }
480
481 if (!(flags & NTLMSSP_NEGOTIATE_128)) {
482 --
483 2.8.1
484
485
486 From 71dda1c57c36a9816af7873f169306a766e0284a Mon Sep 17 00:00:00 2001
487 From: Stefan Metzmacher <metze@samba.org>
488 Date: Thu, 31 Mar 2016 14:21:12 +0200
489 Subject: [PATCH 08/10] CVE-2016-2110: s3:ntlmssp: let ntlmssp3_client_initial
490 require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2
491 MIME-Version: 1.0
492 Content-Type: text/plain; charset=UTF-8
493 Content-Transfer-Encoding: 8bit
494
495 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
496
497 Signed-off-by: Stefan Metzmacher <metze@samba.org>
498 Reviewed-by: Günther Deschner <gd@samba.org>
499 ---
500 source3/libsmb/ntlmssp.c | 2 +-
501 1 file changed, 1 insertion(+), 1 deletion(-)
502
503 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
504 index 7b17a43..d5c83fd 100644
505 --- a/source3/libsmb/ntlmssp.c
506 +++ b/source3/libsmb/ntlmssp.c
507 @@ -387,7 +387,7 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
508 }
509
510 if (ntlmssp_state->use_ntlmv2) {
511 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
512 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
513 ntlmssp_state->allow_lm_key = false;
514 }
515
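Review bot: This hunk stops OR-ing NTLMSSP_NEGOTIATE_NTLM2 into neg_flags, so the client now advertises NTLM2 only if the initial neg_flags assigned in ntlmssp_client_start() (outside this hunk) already contain it; if they do not, the required-flags check in ntlmssp3_handle_neg_flags() would reject every challenge. Making the invariant explicit here removes that dependency: `ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;` after the if block. ntlmssp_client_initial() continues outside the hunk.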
516 --
517 2.8.1
518
519
520 From 911e171bd6fc66e2960cbcdf8c48f2f97d19313b Mon Sep 17 00:00:00 2001
521 From: Andreas Schneider <asn@cryptomilk.org>
522 Date: Thu, 31 Mar 2016 14:30:05 +0200
523 Subject: [PATCH 09/10] CVE-2016-2110: s3:ntlmssp: Change want_fetures to
524 require flags
525
526 Pair-Programmed-With: Ralph Boehme <slow@samba.org>
527 Signed-off-by: Andreas Schneider <asn@samba.org>
528 Signed-off-by: Ralph Boehme <slow@samba.org>
529 ---
530 source3/libsmb/ntlmssp.c | 17 +++++++++++------
531 1 file changed, 11 insertions(+), 6 deletions(-)
532
533 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
534 index d5c83fd..309175b 100644
535 --- a/source3/libsmb/ntlmssp.c
536 +++ b/source3/libsmb/ntlmssp.c
537 @@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *featur
538 * also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
539 */
540 if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
541 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
542 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
543 }
544 if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
545 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
546 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
547 }
548 if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
549 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
550 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
551 }
552 if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
553 ntlmssp_state->use_ccache = true;
554 }
555 +
556 + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
557 }
558
559 /**
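Review bot: The NTLMSSP_FEATURE_SEAL branch in ntlmssp_want_feature_list() requires only NTLMSSP_NEGOTIATE_SEAL, while ntlmssp_want_feature() in the same commit requires NTLMSSP_NEGOTIATE_SIGN as well for the same feature, so the two entry points enforce different downgrade protection for sealing. I would add `ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;` before the SEAL line in the `in_list("NTLMSSP_FEATURE_SEAL", ...)` branch so both paths agree.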
560 @@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature)
561 {
562 /* As per JRA's comment above */
563 if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
564 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
565 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
566 }
567 if (feature & NTLMSSP_FEATURE_SIGN) {
568 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
569 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
570 }
571 if (feature & NTLMSSP_FEATURE_SEAL) {
572 - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
573 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
574 + ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
575 }
576 if (feature & NTLMSSP_FEATURE_CCACHE) {
577 ntlmssp_state->use_ccache = true;
578 }
579 +
580 + ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
581 }
582
583 /**
584 --
585 2.8.1
586
587
588 From a95a44eff90cdbd42d683567e0d511e9d52026ad Mon Sep 17 00:00:00 2001
589 From: Andreas Schneider <asn@samba.org>
590 Date: Thu, 31 Mar 2016 15:02:11 +0200
591 Subject: [PATCH 10/10] CVE-2016-2110: s3:ntlmssp: Fix downgrade also for the
592 ntlmssp creds cache case
593
594 Pair-Programmed-With: Ralph Boehme <slow@samba.org>
595 Signed-off-by: Andreas Schneider <asn@samba.org>
596 Signed-off-by: Ralph Boehme <slow@samba.org>
597 ---
598 source3/libsmb/ntlmssp.c | 42 ++++++++++++++++++++----------------------
599 1 file changed, 20 insertions(+), 22 deletions(-)
600
601 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
602 index 309175b..045dc87 100644
603 --- a/source3/libsmb/ntlmssp.c
604 +++ b/source3/libsmb/ntlmssp.c
605 @@ -538,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
606 DATA_BLOB encrypted_session_key = data_blob_null;
607 NTSTATUS nt_status = NT_STATUS_OK;
608
609 + if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
610 + "NTLMSSP",
611 + &ntlmssp_command,
612 + &server_domain_blob,
613 + &chal_flags)) {
614 + DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
615 + dump_data(2, reply.data, reply.length);
616 +
617 + return NT_STATUS_INVALID_PARAMETER;
618 + }
619 + data_blob_free(&server_domain_blob);
620 +
621 + DEBUG(3, ("Got challenge flags:\n"));
622 + debug_ntlmssp_flags(chal_flags);
623 +
624 + nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
625 + if (!NT_STATUS_IS_OK(nt_status)) {
626 + return nt_status;
627 + }
628 +
629 if (ntlmssp_state->use_ccache) {
630 struct wbcCredentialCacheParams params;
631 struct wbcCredentialCacheInfo *info = NULL;
632 @@ -588,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
633
634 noccache:
635
636 - if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
637 - "NTLMSSP",
638 - &ntlmssp_command,
639 - &server_domain_blob,
640 - &chal_flags)) {
641 - DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
642 - dump_data(2, reply.data, reply.length);
643 -
644 - return NT_STATUS_INVALID_PARAMETER;
645 - }
646 -
647 if (DEBUGLEVEL >= 10) {
648 struct CHALLENGE_MESSAGE *challenge = talloc(
649 talloc_tos(), struct CHALLENGE_MESSAGE);
650 @@ -615,17 +624,6 @@ noccache:
651 }
652 }
653
654 - data_blob_free(&server_domain_blob);
655 -
656 - DEBUG(3, ("Got challenge flags:\n"));
657 - debug_ntlmssp_flags(chal_flags);
658 -
659 - nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
660 - if (!NT_STATUS_IS_OK(nt_status)) {
661 - return nt_status;
662 - }
663 -
664 -
665 if (ntlmssp_state->unicode) {
666 if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
667 chal_parse_string = "CdUdbddB";
668 --
669 2.8.1
670