1 |
From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001 |
2 |
From: Stefan Metzmacher <metze@samba.org> |
3 |
Date: Thu, 1 Sep 2016 08:08:23 +0200 |
4 |
Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB |
5 |
servers |
6 |
|
7 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 |
8 |
|
9 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
10 |
Reviewed-by: Christian Ambach <ambi@samba.org> |
11 |
|
12 |
Autobuild-User(master): Christian Ambach <ambi@samba.org> |
13 |
Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144 |
14 |
|
15 |
(cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2) |
16 |
--- |
17 |
auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++- |
18 |
1 file changed, 68 insertions(+), 1 deletion(-) |
19 |
|
20 |
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c |
21 |
index ef30ab7..5f5047a 100644 |
22 |
--- a/auth/gensec/spnego.c |
23 |
+++ b/auth/gensec/spnego.c |
24 |
@@ -55,9 +55,11 @@ struct spnego_state { |
25 |
|
26 |
DATA_BLOB mech_types; |
27 |
size_t num_targs; |
28 |
+ bool downgraded; |
29 |
bool mic_requested; |
30 |
bool needs_mic_sign; |
31 |
bool needs_mic_check; |
32 |
+ bool may_skip_mic_check; |
33 |
bool done_mic_check; |
34 |
|
35 |
bool simulate_w2k; |
36 |
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ |
37 |
* Indicate the downgrade and request a |
38 |
* mic. |
39 |
*/ |
40 |
+ spnego_state->downgraded = true; |
41 |
spnego_state->mic_requested = true; |
42 |
break; |
43 |
} |
44 |
@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA |
45 |
DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", |
46 |
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), |
47 |
gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); |
48 |
- |
49 |
+ spnego_state->downgraded = true; |
50 |
spnego_state->no_response_expected = false; |
51 |
talloc_free(spnego_state->sub_sec_security); |
52 |
nt_status = gensec_subcontext_start(spnego_state, |
53 |
@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA |
54 |
return NT_STATUS_INVALID_PARAMETER; |
55 |
} |
56 |
|
57 |
+ if (spnego.negTokenTarg.mechListMIC.length == 0 |
58 |
+ && spnego_state->may_skip_mic_check) { |
59 |
+ /* |
60 |
+ * In this case we don't require |
61 |
+ * a mechListMIC from the server. |
62 |
+ * |
63 |
+ * This works around bugs in the Azure |
64 |
+ * and Apple spnego implementations. |
65 |
+ * |
66 |
+ * See |
67 |
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994 |
68 |
+ */ |
69 |
+ spnego_state->needs_mic_check = false; |
70 |
+ nt_status = NT_STATUS_OK; |
71 |
+ goto client_response; |
72 |
+ } |
73 |
+ |
74 |
nt_status = gensec_check_packet(spnego_state->sub_sec_security, |
75 |
spnego_state->mech_types.data, |
76 |
spnego_state->mech_types.length, |
77 |
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA |
78 |
*/ |
79 |
new_spnego = false; |
80 |
} |
81 |
+ |
82 |
break; |
83 |
|
84 |
case SPNEGO_ACCEPT_INCOMPLETE: |
85 |
+ if (spnego.negTokenTarg.mechListMIC.length > 0) { |
86 |
+ new_spnego = true; |
87 |
+ break; |
88 |
+ } |
89 |
+ |
90 |
+ if (spnego_state->downgraded) { |
91 |
+ /* |
92 |
+ * A downgrade should be protected if |
93 |
+ * supported |
94 |
+ */ |
95 |
+ break; |
96 |
+ } |
97 |
+ |
98 |
+ /* |
99 |
+ * The caller may just asked for |
100 |
+ * GENSEC_FEATURE_SESSION_KEY, this |
101 |
+ * is only reflected in the want_features. |
102 |
+ * |
103 |
+ * As it will imply |
104 |
+ * gensec_have_features(GENSEC_FEATURE_SIGN) |
105 |
+ * to return true. |
106 |
+ */ |
107 |
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { |
108 |
+ break; |
109 |
+ } |
110 |
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { |
111 |
+ break; |
112 |
+ } |
113 |
+ /* |
114 |
+ * Here we're sure our preferred mech was |
115 |
+ * selected by the server and our caller doesn't |
116 |
+ * need GENSEC_FEATURE_SIGN nor |
117 |
+ * GENSEC_FEATURE_SEAL support. |
118 |
+ * |
119 |
+ * In this case we don't require |
120 |
+ * a mechListMIC from the server. |
121 |
+ * |
122 |
+ * This works around bugs in the Azure |
123 |
+ * and Apple spnego implementations. |
124 |
+ * |
125 |
+ * See |
126 |
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994 |
127 |
+ */ |
128 |
+ spnego_state->may_skip_mic_check = true; |
129 |
+ break; |
130 |
+ |
131 |
case SPNEGO_REQUEST_MIC: |
132 |
if (spnego.negTokenTarg.mechListMIC.length > 0) { |
133 |
new_spnego = true; |
134 |
-- |
135 |
2.8.0.rc3.226.g39d4020 |
136 |
|