
Contents of /rpms/samba/sme10/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch



Revision 1.2 - (show annotations) (download)
Tue May 8 16:37:54 2018 UTC (6 years, 1 month ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
upgrade to samba-4.6.2-12

1 From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Thu, 1 Sep 2016 08:08:23 +0200
4 Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB
5 servers
6
7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
8
9 Signed-off-by: Stefan Metzmacher <metze@samba.org>
10 Reviewed-by: Christian Ambach <ambi@samba.org>
11
12 Autobuild-User(master): Christian Ambach <ambi@samba.org>
13 Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144
14
15 (cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2)
16 ---
17 auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
18 1 file changed, 68 insertions(+), 1 deletion(-)
19
20 diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
21 index ef30ab7..5f5047a 100644
22 --- a/auth/gensec/spnego.c
23 +++ b/auth/gensec/spnego.c
24 @@ -55,9 +55,11 @@ struct spnego_state {
25
26 DATA_BLOB mech_types;
27 size_t num_targs;
28 + bool downgraded;
29 bool mic_requested;
30 bool needs_mic_sign;
31 bool needs_mic_check;
32 + bool may_skip_mic_check;
33 bool done_mic_check;
34
35 bool simulate_w2k;
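Review bot: The two new fields `downgraded` and `may_skip_mic_check` are added to struct spnego_state without any comment, although together they decide whether the server's mechListMIC is verified at all. A one-line comment on each would keep that intent next to the state, for example `/* server selected a mech other than our preferred one */` on `downgraded` and `/* server may omit mechListMIC: no downgrade, caller wants neither SIGN nor SEAL */` on `may_skip_mic_check`. The struct definition starts and ends outside this hunk.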
36 @@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
37 * Indicate the downgrade and request a
38 * mic.
39 */
40 + spnego_state->downgraded = true;
41 spnego_state->mic_requested = true;
42 break;
43 }
44 @@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
45 DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
46 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
47 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
48 -
49 + spnego_state->downgraded = true;
50 spnego_state->no_response_expected = false;
51 talloc_free(spnego_state->sub_sec_security);
52 nt_status = gensec_subcontext_start(spnego_state,
53 @@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
54 return NT_STATUS_INVALID_PARAMETER;
55 }
56
57 + if (spnego.negTokenTarg.mechListMIC.length == 0
58 + && spnego_state->may_skip_mic_check) {
59 + /*
60 + * In this case we don't require
61 + * a mechListMIC from the server.
62 + *
63 + * This works around bugs in the Azure
64 + * and Apple spnego implementations.
65 + *
66 + * See
67 + * https://bugzilla.samba.org/show_bug.cgi?id=11994
68 + */
69 + spnego_state->needs_mic_check = false;
70 + nt_status = NT_STATUS_OK;
71 + goto client_response;
72 + }
73 +
74 nt_status = gensec_check_packet(spnego_state->sub_sec_security,
75 spnego_state->mech_types.data,
76 spnego_state->mech_types.length,
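Review bot: The added early exit clears `needs_mic_check` and jumps to `client_response` without emitting any log line, so a session in which the server's mechListMIC was never verified cannot be told apart from a verified one in the logs. A `DEBUG(3, ("GENSEC SPNEGO: server sent no mechListMIC, check skipped\n"));` before the `goto` would make the workaround visible to whoever triages an authentication problem. The skip is also unconditional once `may_skip_mic_check` is set; refusing such servers in a strict deployment would need a configuration switch, which this hunk does not provide. The enclosing block of gensec_spnego_update starts and ends outside the hunk.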
77 @@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
78 */
79 new_spnego = false;
80 }
81 +
82 break;
83
84 case SPNEGO_ACCEPT_INCOMPLETE:
85 + if (spnego.negTokenTarg.mechListMIC.length > 0) {
86 + new_spnego = true;
87 + break;
88 + }
89 +
90 + if (spnego_state->downgraded) {
91 + /*
92 + * A downgrade should be protected if
93 + * supported
94 + */
95 + break;
96 + }
97 +
98 + /*
99 + * The caller may just asked for
100 + * GENSEC_FEATURE_SESSION_KEY, this
101 + * is only reflected in the want_features.
102 + *
103 + * As it will imply
104 + * gensec_have_features(GENSEC_FEATURE_SIGN)
105 + * to return true.
106 + */
107 + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
108 + break;
109 + }
110 + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
111 + break;
112 + }
113 + /*
114 + * Here we're sure our preferred mech was
115 + * selected by the server and our caller doesn't
116 + * need GENSEC_FEATURE_SIGN nor
117 + * GENSEC_FEATURE_SEAL support.
118 + *
119 + * In this case we don't require
120 + * a mechListMIC from the server.
121 + *
122 + * This works around bugs in the Azure
123 + * and Apple spnego implementations.
124 + *
125 + * See
126 + * https://bugzilla.samba.org/show_bug.cgi?id=11994
127 + */
128 + spnego_state->may_skip_mic_check = true;
129 + break;
130 +
131 case SPNEGO_REQUEST_MIC:
132 if (spnego.negTokenTarg.mechListMIC.length > 0) {
133 new_spnego = true;
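Review bot: In the new SPNEGO_ACCEPT_INCOMPLETE branch, setting `may_skip_mic_check` is only safe if `downgraded` has been set on every path where the server ends up with a mech other than the client's preferred one, and only two such assignments are visible in this patch. Stating that invariant next to the `if (spnego_state->downgraded)` test, e.g. `/* must be set wherever a non-preferred mech is accepted */`, would guard against a later mech-switch path silently re-enabling the skip. The two `want_features` tests can also be folded into one, `if (gensec_security->want_features & (GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL)) {`, and the comment above them would read better as "The caller may have asked only for GENSEC_FEATURE_SESSION_KEY". gensec_spnego_update starts and ends outside the hunk.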
134 --
135 2.8.0.rc3.226.g39d4020
136
