/[smeserver]/rpms/samba/sme10/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
ViewVC logotype

Annotation of /rpms/samba/sme10/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.2 - (hide annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years, 5 months ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
upgrade to samba-4.6.2-12

1 unnilennium 1.1 From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001
2     From: Stefan Metzmacher <metze@samba.org>
3     Date: Thu, 1 Sep 2016 08:08:23 +0200
4     Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB
5     servers
6    
7     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
8    
9     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10     Reviewed-by: Christian Ambach <ambi@samba.org>
11    
12     Autobuild-User(master): Christian Ambach <ambi@samba.org>
13     Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144
14    
15     (cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2)
16     ---
17     auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
18     1 file changed, 68 insertions(+), 1 deletion(-)
19    
20     diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
21     index ef30ab7..5f5047a 100644
22     --- a/auth/gensec/spnego.c
23     +++ b/auth/gensec/spnego.c
24     @@ -55,9 +55,11 @@ struct spnego_state {
25    
26     DATA_BLOB mech_types;
27     size_t num_targs;
28     + bool downgraded;
29     bool mic_requested;
30     bool needs_mic_sign;
31     bool needs_mic_check;
32     + bool may_skip_mic_check;
33     bool done_mic_check;
34    
35     bool simulate_w2k;
36     @@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
37     * Indicate the downgrade and request a
38     * mic.
39     */
40     + spnego_state->downgraded = true;
41     spnego_state->mic_requested = true;
42     break;
43     }
44     @@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
45     DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
46     gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
47     gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
48     -
49     + spnego_state->downgraded = true;
50     spnego_state->no_response_expected = false;
51     talloc_free(spnego_state->sub_sec_security);
52     nt_status = gensec_subcontext_start(spnego_state,
53     @@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
54     return NT_STATUS_INVALID_PARAMETER;
55     }
56    
57     + if (spnego.negTokenTarg.mechListMIC.length == 0
58     + && spnego_state->may_skip_mic_check) {
59     + /*
60     + * In this case we don't require
61     + * a mechListMIC from the server.
62     + *
63     + * This works around bugs in the Azure
64     + * and Apple spnego implementations.
65     + *
66     + * See
67     + * https://bugzilla.samba.org/show_bug.cgi?id=11994
68     + */
69     + spnego_state->needs_mic_check = false;
70     + nt_status = NT_STATUS_OK;
71     + goto client_response;
72     + }
73     +
74     nt_status = gensec_check_packet(spnego_state->sub_sec_security,
75     spnego_state->mech_types.data,
76     spnego_state->mech_types.length,
77     @@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
78     */
79     new_spnego = false;
80     }
81     +
82     break;
83    
84     case SPNEGO_ACCEPT_INCOMPLETE:
85     + if (spnego.negTokenTarg.mechListMIC.length > 0) {
86     + new_spnego = true;
87     + break;
88     + }
89     +
90     + if (spnego_state->downgraded) {
91     + /*
92     + * A downgrade should be protected if
93     + * supported
94     + */
95     + break;
96     + }
97     +
98     + /*
99     + * The caller may just asked for
100     + * GENSEC_FEATURE_SESSION_KEY, this
101     + * is only reflected in the want_features.
102     + *
103     + * As it will imply
104     + * gensec_have_features(GENSEC_FEATURE_SIGN)
105     + * to return true.
106     + */
107     + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
108     + break;
109     + }
110     + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
111     + break;
112     + }
113     + /*
114     + * Here we're sure our preferred mech was
115     + * selected by the server and our caller doesn't
116     + * need GENSEC_FEATURE_SIGN nor
117     + * GENSEC_FEATURE_SEAL support.
118     + *
119     + * In this case we don't require
120     + * a mechListMIC from the server.
121     + *
122     + * This works around bugs in the Azure
123     + * and Apple spnego implementations.
124     + *
125     + * See
126     + * https://bugzilla.samba.org/show_bug.cgi?id=11994
127     + */
128     + spnego_state->may_skip_mic_check = true;
129     + break;
130     +
131     case SPNEGO_REQUEST_MIC:
132     if (spnego.negTokenTarg.mechListMIC.length > 0) {
133     new_spnego = true;
134     --
135     2.8.0.rc3.226.g39d4020
136    

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed