
Annotation of /rpms/samba/sme10/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch



Revision 1.2 - (hide annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years, 1 month ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
upgrade to samba-4.6.2-12

1 unnilennium 1.1 From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001
2     From: Stefan Metzmacher <metze@samba.org>
3     Date: Thu, 1 Sep 2016 08:08:23 +0200
4     Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB
5     servers
6    
7     BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
8    
9     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10     Reviewed-by: Christian Ambach <ambi@samba.org>
11    
12     Autobuild-User(master): Christian Ambach <ambi@samba.org>
13     Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144
14    
15     (cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2)
16     ---
17     auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
18     1 file changed, 68 insertions(+), 1 deletion(-)
19    
20     diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
21     index ef30ab7..5f5047a 100644
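--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -55,9 +55,11 @@ struct spnego_state {
 
  DATA_BLOB mech_types;
  size_t num_targs;
+ bool downgraded;
  bool mic_requested;
  bool needs_mic_sign;
  bool needs_mic_check;
+ bool may_skip_mic_check;
  bool done_mic_check;
 
  bool simulate_w2k;
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
  * Indicate the downgrade and request a
  * mic.
  */
+ spnego_state->downgraded = true;
  spnego_state->mic_requested = true;
  break;
  }
@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
  DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
  gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
  gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
-
+ spnego_state->downgraded = true;
  spnego_state->no_response_expected = false;
  talloc_free(spnego_state->sub_sec_security);
  nt_status = gensec_subcontext_start(spnego_state,
@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
  return NT_STATUS_INVALID_PARAMETER;
  }
 
+ if (spnego.negTokenTarg.mechListMIC.length == 0
+ && spnego_state->may_skip_mic_check) {
+ /*
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->needs_mic_check = false;
+ nt_status = NT_STATUS_OK;
+ goto client_response;
+ }
+
  nt_status = gensec_check_packet(spnego_state->sub_sec_security,
  spnego_state->mech_types.data,
  spnego_state->mech_types.length,
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
  */
  new_spnego = false;
  }
+
  break;
 
  case SPNEGO_ACCEPT_INCOMPLETE:
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ new_spnego = true;
+ break;
+ }
+
+ if (spnego_state->downgraded) {
+ /*
+ * A downgrade should be protected if
+ * supported
+ */
+ break;
+ }
+
+ /*
+ * The caller may just asked for
+ * GENSEC_FEATURE_SESSION_KEY, this
+ * is only reflected in the want_features.
+ *
+ * As it will imply
+ * gensec_have_features(GENSEC_FEATURE_SIGN)
+ * to return true.
+ */
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+ break;
+ }
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+ break;
+ }
+ /*
+ * Here we're sure our preferred mech was
+ * selected by the server and our caller doesn't
+ * need GENSEC_FEATURE_SIGN nor
+ * GENSEC_FEATURE_SEAL support.
+ *
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->may_skip_mic_check = true;
+ break;
+
  case SPNEGO_REQUEST_MIC:
  if (spnego.negTokenTarg.mechListMIC.length > 0) {
  new_spnego = true;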
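Review bot: The branch that accepts an empty `mechListMIC` when `may_skip_mic_check` is set (the -1135 hunk) relaxes an integrity check without leaving any trace, so an operator cannot tell from the logs when a session was established without the server's mechListMIC. I would log it before clearing the flag, e.g. `DEBUG(3, ("GENSEC SPNEGO: no mechListMIC from server, check skipped (bug 11994)\n"));` ahead of `spnego_state->needs_mic_check = false;`. The safety of the skip also rests on `downgraded` being set on every path that changes the mechanism; only the two sites in the -434 and -1078 hunks are visible here, so that is worth confirming against the rest of `gensec_spnego_update`, whose body starts and ends outside these hunks. The comment typo `The caller may just asked for` should read `The caller may have just asked for`.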
134     --
135     2.8.0.rc3.226.g39d4020
136    
