From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2016 08:12:59 +0000 (+0100)
Subject: CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if... 
X-Git-Tag: samba-4.13.14~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4290223ed40183e5f01c25da00df438b9ccf302a;p=thirdparty%2Fsamba.git

CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index 6ee4929e8d7..a0a1f4baa56 100644
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
 	struct composite_context *c;
 	struct sesssetup_state *state;
 	NTSTATUS status;
+	enum credentials_use_kerberos krb5_state =
+		cli_credentials_get_kerberos_state(io->in.credentials);
 
 	c = composite_create(session, session->transport->ev);
 	if (c == NULL) return NULL;
@@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
 
 	/* no session setup at all in earliest protocol varients */
 	if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
+		if (krb5_state == CRED_MUST_USE_KERBEROS) {
+			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+			return c;
+		}
 		ZERO_STRUCT(io->out);
 		composite_done(c);
 		return c;
@@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
 
 	/* see what session setup interface we will use */
 	if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
+		if (krb5_state == CRED_MUST_USE_KERBEROS) {
+			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+			return c;
+		}
 		status = session_setup_old(c, session, io, &state->req);
 	} else if (!session->transport->options.use_spnego ||
 		   !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
+		if (krb5_state == CRED_MUST_USE_KERBEROS) {
+			composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+			return c;
+		}
 		status = session_setup_nt1(c, session, io, &state->req);
 	} else {
 		struct tevent_req *subreq = NULL;