1 From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
2 From: Andreas Schneider <asn@cryptomilk.org>
3 Date: Wed, 30 Mar 2016 16:55:44 +0200
4 Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
5 ntlmssp_have_feature()
6
7 Signed-off-by: Andreas Schneider <asn@samba.org>
8 ---
9 source3/include/proto.h | 1 +
10 source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
11 2 files changed, 31 insertions(+)
12
13 diff --git a/source3/include/proto.h b/source3/include/proto.h
14 index 32b4e3d..43008ea 100644
15 --- a/source3/include/proto.h
16 +++ b/source3/include/proto.h
17 @@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p
18 NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
19 void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
20 void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
21 +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
22 NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
23 const DATA_BLOB in, DATA_BLOB *out) ;
24 NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
25 diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
26 index 045dc87..7e58990 100644
27 --- a/source3/libsmb/ntlmssp.c
28 +++ b/source3/libsmb/ntlmssp.c
29 @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
30 return NT_STATUS_OK;
31 }
32
33 +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
34 + uint32_t feature)
35 +{
36 + if (feature & NTLMSSP_FEATURE_SIGN) {
37 + if (ntlmssp_state->session_key.length == 0) {
38 + return false;
39 + }
40 + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
41 + return true;
42 + }
43 + }
44 +
45 + if (feature & NTLMSSP_FEATURE_SEAL) {
46 + if (ntlmssp_state->session_key.length == 0) {
47 + return false;
48 + }
49 + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
50 + return true;
51 + }
52 + }
53 +
54 + if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
55 + if (ntlmssp_state->session_key.length > 0) {
56 + return true;
57 + }
58 + }
59 +
60 + return false;
61 +}
62 +
63 /**
64 * Request features for the NTLMSSP negotiation
65 *
66 --
67 2.8.1
68
69
70 From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
71 From: Ralph Boehme <slow@samba.org>
72 Date: Thu, 24 Mar 2016 16:22:36 +0100
73 Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade
74
75 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
76
77 Pair-programmed-with: Ralph Boehme <slow@samba.org>
78
79 Signed-off-by: Stefan Metzmacher <metze@samba.org>
80 Signed-off-by: Ralph Boehme <slow@samba.org>
81 ---
82 source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++
83 1 file changed, 31 insertions(+)
84
85 diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
86 index e7daa8a..6690f83 100644
87 --- a/source3/libads/sasl.c
88 +++ b/source3/libads/sasl.c
89 @@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
90 /* we have a reference conter on ntlmssp_state, if we are signing
91 then the state will be kept by the signing engine */
92
93 + if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
94 + bool ok;
95 +
96 + ok = ntlmssp_have_feature(ntlmssp_state,
97 + NTLMSSP_FEATURE_SEAL);
98 + if (!ok) {
99 + DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
100 + TALLOC_FREE(ntlmssp_state);
101 + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
102 + }
103 +
104 + ok = ntlmssp_have_feature(ntlmssp_state,
105 + NTLMSSP_FEATURE_SIGN);
106 + if (!ok) {
107 + DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
108 + TALLOC_FREE(ntlmssp_state);
109 + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
110 + }
111 +
112 + } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
113 + bool ok;
114 +
115 + ok = ntlmssp_have_feature(ntlmssp_state,
116 + NTLMSSP_FEATURE_SIGN);
117 + if (!ok) {
118 + DEBUG(0,("The gensec feature signing request, but unavailable\n"));
119 + TALLOC_FREE(ntlmssp_state);
120 + return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
121 + }
122 + }
123 +
124 if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
125 ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
126 ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
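Review bot: The three level-0 log messages on the new failure paths (lines 102, 110 and 121) are ungrammatical, and the third says "gensec" although this is the source3 ntlmssp path, which looks like a copy from the gensec-based variant; since these are the only operator-visible evidence that a downgrade was detected and the bind refused, they should read `DEBUG(0,("The ntlmssp feature sealing was requested, but is unavailable\n"));`, `DEBUG(0,("The ntlmssp feature signing was requested, but is unavailable\n"));` and the same signing text for the third. The three `if (!ok)` blocks are otherwise identical, so a single failure exit (`TALLOC_FREE(ntlmssp_state); return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);`) reached from each check would keep the cleanup in one place. The enclosing `ads_sasl_spnego_ntlmssp_bind` starts before and ends after this hunk, so whether freeing `ntlmssp_state` here matches the earlier error paths of the function cannot be confirmed from the hunk alone.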
127 --
128 2.8.1
129
130
131 From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
132 From: Andrew Bartlett <abartlet@samba.org>
133 Date: Fri, 5 Sep 2014 17:38:38 +1200
134 Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
135 wrapping" to sign
136
137 This is to disrupt MITM attacks between us and our DC
138
139 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
140
141 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
142 Signed-off-by: Garming Sam <garming@catalyst.net.nz>
143 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
144 (backported from commit afe02d12f444ad9a6abf31a61f578320520263a9)
145 ---
146 docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++-----
147 source3/param/loadparm.c | 2 ++
148 2 files changed, 5 insertions(+), 5 deletions(-)
149
150 diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
151 index a926cec..a7c4395 100644
152 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
153 +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
154 @@ -34,11 +34,9 @@
155 </para>
156
157 <para>
158 - The default value is <emphasis>plain</emphasis> which is not irritable
159 - to KRB5 clock skew errors. That implies synchronizing the time
160 - with the KDC in the case of using <emphasis>sign</emphasis> or
161 - <emphasis>seal</emphasis>.
162 + The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
163 + with the KDC in the case of using <emphasis>Kerberos</emphasis>.
164 </para>
165 </description>
166 -<value type="default">plain</value>
167 +<value type="default">sign</value>
168 </samba:parameter>
169 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
170 index 7065cf6..c5249b7 100644
171 --- a/source3/param/loadparm.c
172 +++ b/source3/param/loadparm.c
173 @@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
174 Globals.ldap_debug_level = 0;
175 Globals.ldap_debug_threshold = 10;
176
177 + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
178 +
179 /* This is what we tell the afs client. in reality we set the token
180 * to never expire, though, when this runs out the afs client will
181 * forget the token. Set to 0 to get NEVERDATE.*/
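Review bot: The new default at line 180 carries no explanation, while the reason is the whole point of the patch; a why-comment such as `/* CVE-2016-2112: require at least signing so the LDAP connection to the DC cannot be downgraded to plain by a man in the middle */` above the assignment would keep that rationale next to the value. It would also tie the code default to the documentation hunk in this same patch, which now states `sign` as the default, presumably the string form of `ADS_AUTH_SASL_SIGN`. `init_globals` starts before this hunk, so it is not visible whether the assignment sits with the other `ldap` defaults or merely near them.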
182 --
183 2.8.1
184