1 |
unnilennium |
1.1 |
From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001 |
2 |
|
|
From: Stefan Metzmacher <metze@samba.org> |
3 |
|
|
Date: Thu, 1 Sep 2016 08:08:23 +0200 |
4 |
|
|
Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB |
5 |
|
|
servers |
6 |
|
|
|
7 |
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 |
8 |
|
|
|
9 |
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
10 |
|
|
Reviewed-by: Christian Ambach <ambi@samba.org> |
11 |
|
|
|
12 |
|
|
Autobuild-User(master): Christian Ambach <ambi@samba.org> |
13 |
|
|
Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144 |
14 |
|
|
|
15 |
|
|
(cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2) |
16 |
|
|
--- |
17 |
|
|
auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++- |
18 |
|
|
1 file changed, 68 insertions(+), 1 deletion(-) |
19 |
|
|
|
20 |
|
|
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c |
21 |
|
|
index ef30ab7..5f5047a 100644 |
22 |
|
|
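--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -55,9 +55,11 @@ struct spnego_state {
 
 DATA_BLOB mech_types;
 size_t num_targs;
+ bool downgraded;
 bool mic_requested;
 bool needs_mic_sign;
 bool needs_mic_check;
+ bool may_skip_mic_check;
 bool done_mic_check;
 
 bool simulate_w2k;
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 * Indicate the downgrade and request a
 * mic.
 */
+ spnego_state->downgraded = true;
 spnego_state->mic_requested = true;
 break;
 }
@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
-
+ spnego_state->downgraded = true;
 spnego_state->no_response_expected = false;
 talloc_free(spnego_state->sub_sec_security);
 nt_status = gensec_subcontext_start(spnego_state,
@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 return NT_STATUS_INVALID_PARAMETER;
 }
 
+ if (spnego.negTokenTarg.mechListMIC.length == 0
+ && spnego_state->may_skip_mic_check) {
+ /*
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->needs_mic_check = false;
+ nt_status = NT_STATUS_OK;
+ goto client_response;
+ }
+
 nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 spnego_state->mech_types.data,
 spnego_state->mech_types.length,
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 */
 new_spnego = false;
 }
+
 break;
 
 case SPNEGO_ACCEPT_INCOMPLETE:
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ new_spnego = true;
+ break;
+ }
+
+ if (spnego_state->downgraded) {
+ /*
+ * A downgrade should be protected if
+ * supported
+ */
+ break;
+ }
+
+ /*
+ * The caller may just asked for
+ * GENSEC_FEATURE_SESSION_KEY, this
+ * is only reflected in the want_features.
+ *
+ * As it will imply
+ * gensec_have_features(GENSEC_FEATURE_SIGN)
+ * to return true.
+ */
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+ break;
+ }
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+ break;
+ }
+ /*
+ * Here we're sure our preferred mech was
+ * selected by the server and our caller doesn't
+ * need GENSEC_FEATURE_SIGN nor
+ * GENSEC_FEATURE_SEAL support.
+ *
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->may_skip_mic_check = true;
+ break;
+
 case SPNEGO_REQUEST_MIC:
 if (spnego.negTokenTarg.mechListMIC.length > 0) {
 new_spnego = true;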
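Review bot: The skip branch added in the `@@ -1135,6 +1138,23 @@` hunk clears `needs_mic_check` on the strength of `may_skip_mic_check` alone, a flag set in an earlier call, and nothing in the visible hunks resets it if `downgraded` becomes true afterwards. Re-testing the downgrade state at the point of use would keep the mechListMIC mandatory for any negotiation the client has marked as downgraded: `&& spnego_state->may_skip_mic_check && !spnego_state->downgraded) {`. The branch is also silent, so a session whose mech list was never verified leaves no trace in the log; a line such as `DEBUG(5, ("GENSEC SPNEGO: no mechListMIC from server, skipping check\n"));` before `goto client_response;` would make it visible to operators. gensec_spnego_update starts and ends outside these hunks, so whether a later token can still reach the `downgraded = true` assignment could not be confirmed here.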
134 |
|
|
-- |
135 |
|
|
2.8.0.rc3.226.g39d4020 |
136 |
|
|
|