package/network/services/samba36/patches/025-CVE-2016-2112-v3-6.patch

   1 From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
   2 From: Andreas Schneider <asn@cryptomilk.org>
   3 Date: Wed, 30 Mar 2016 16:55:44 +0200
   4 Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
   5  ntlmssp_have_feature()
   6
   7 Signed-off-by: Andreas Schneider <asn@samba.org>
   8 ---
   9  source3/include/proto.h  |  1 +
  10  source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
  11  2 files changed, 31 insertions(+)
  12
  13 --- a/source3/include/proto.h
  14 +++ b/source3/include/proto.h
  15 @@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
  16  NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
  17  void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
  18  void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
  19 +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
  20  NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
  21                         const DATA_BLOB in, DATA_BLOB *out) ;
  22  NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
  23 --- a/source3/libsmb/ntlmssp.c
  24 +++ b/source3/libsmb/ntlmssp.c
  25 @@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
  26         return NT_STATUS_OK;
  27  }
  28
  29 +bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
  30 +                         uint32_t feature)
  31 +{
  32 +       if (feature & NTLMSSP_FEATURE_SIGN) {
  33 +               if (ntlmssp_state->session_key.length == 0) {
  34 +                       return false;
  35 +               }
  36 +               if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
  37 +                       return true;
  38 +               }
  39 +       }
  40 +
  41 +       if (feature & NTLMSSP_FEATURE_SEAL) {
  42 +               if (ntlmssp_state->session_key.length == 0) {
  43 +                       return false;
  44 +               }
  45 +               if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
  46 +                       return true;
  47 +               }
  48 +       }
  49 +
  50 +       if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
  51 +               if (ntlmssp_state->session_key.length > 0) {
  52 +                       return true;
  53 +               }
  54 +       }
  55 +
  56 +       return false;
  57 +}
  58 +
  59  /**
  60   * Request features for the NTLMSSP negotiation
  61   *
  62 --- a/source3/libads/sasl.c
  63 +++ b/source3/libads/sasl.c
  64 @@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
  65         /* we have a reference conter on ntlmssp_state, if we are signing
  66            then the state will be kept by the signing engine */
  67
  68 +       if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
  69 +               bool ok;
  70 +
  71 +               ok = ntlmssp_have_feature(ntlmssp_state,
  72 +                                         NTLMSSP_FEATURE_SEAL);
  73 +               if (!ok) {
  74 +                       DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
  75 +                       TALLOC_FREE(ntlmssp_state);
  76 +                       return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
  77 +               }
  78 +
  79 +               ok = ntlmssp_have_feature(ntlmssp_state,
  80 +                                         NTLMSSP_FEATURE_SIGN);
  81 +               if (!ok) {
  82 +                       DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
  83 +                       TALLOC_FREE(ntlmssp_state);
  84 +                       return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
  85 +               }
  86 +
  87 +       } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
  88 +               bool ok;
  89 +
  90 +               ok = ntlmssp_have_feature(ntlmssp_state,
  91 +                                         NTLMSSP_FEATURE_SIGN);
  92 +               if (!ok) {
  93 +                       DEBUG(0,("The gensec feature signing request, but unavailable\n"));
  94 +                       TALLOC_FREE(ntlmssp_state);
  95 +                       return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
  96 +               }
  97 +       }
  98 +
  99         if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
 100                 ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
 101                 ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
 102 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
 103 +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
 104 @@ -34,11 +34,9 @@
 105         </para>
 106
 107         <para>
 108 -       The default value is <emphasis>plain</emphasis> which is not irritable
 109 -       to KRB5 clock skew errors. That implies synchronizing the time
 110 -       with the KDC in the case of using <emphasis>sign</emphasis> or
 111 -       <emphasis>seal</emphasis>.
 112 +       The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
 113 +       with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 114         </para>
 115  </description>
 116 -<value type="default">plain</value>
 117 +<value type="default">sign</value>
 118  </samba:parameter>
 119 --- a/source3/param/loadparm.c
 120 +++ b/source3/param/loadparm.c
 121 @@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
 122         Globals.ldap_debug_level = 0;
 123         Globals.ldap_debug_threshold = 10;
 124
 125 +       Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
 126 +
 127         /* This is what we tell the afs client. in reality we set the token
 128          * to never expire, though, when this runs out the afs client will
 129          * forget the token. Set to 0 to get NEVERDATE.*/