[SCM] Samba Shared Repository - branch master updated

Christian Ambach ambi at samba.org
Fri Sep 2 16:11:02 UTC 2016 

The branch, master has been updated
       via  9b45ba5 gensec/spnego: work around missing server mechListMIC in SMB servers
      from  a7735be kcc: Fix a -Werror,-Wformat-security error

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9b45ba5cd53bd513eb777590815a0b8408af64e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Sep 1 08:08:23 2016 +0200

    gensec/spnego: work around missing server mechListMIC in SMB servers
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Christian Ambach <ambi at samba.org>
    
    Autobuild-User(master): Christian Ambach <ambi at samba.org>
    Autobuild-Date(master): Fri Sep  2 18:10:44 CEST 2016 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index ef30ab7..5f5047a 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -55,9 +55,11 @@ struct spnego_state {
 
 	DATA_BLOB mech_types;
 	size_t num_targs;
+	bool downgraded;
 	bool mic_requested;
 	bool needs_mic_sign;
 	bool needs_mic_check;
+	bool may_skip_mic_check;
 	bool done_mic_check;
 
 	bool simulate_w2k;
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 					 * Indicate the downgrade and request a
 					 * mic.
 					 */
+					spnego_state->downgraded = true;
 					spnego_state->mic_requested = true;
 					break;
 				}
@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 				 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 				 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
-
+			spnego_state->downgraded = true;
 			spnego_state->no_response_expected = false;
 			talloc_free(spnego_state->sub_sec_security);
 			nt_status = gensec_subcontext_start(spnego_state,
@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 				return NT_STATUS_INVALID_PARAMETER;
 			}
 
+			if (spnego.negTokenTarg.mechListMIC.length == 0
+			    && spnego_state->may_skip_mic_check) {
+				/*
+				 * In this case we don't require
+				 * a mechListMIC from the server.
+				 *
+				 * This works around bugs in the Azure
+				 * and Apple spnego implementations.
+				 *
+				 * See
+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
+				 */
+				spnego_state->needs_mic_check = false;
+				nt_status = NT_STATUS_OK;
+				goto client_response;
+			}
+
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 					 */
 					new_spnego = false;
 				}
+
 				break;
 
 			case SPNEGO_ACCEPT_INCOMPLETE:
+				if (spnego.negTokenTarg.mechListMIC.length > 0) {
+					new_spnego = true;
+					break;
+				}
+
+				if (spnego_state->downgraded) {
+					/*
+					 * A downgrade should be protected if
+					 * supported
+					 */
+					break;
+				}
+
+				/*
+				 * The caller may just asked for
+				 * GENSEC_FEATURE_SESSION_KEY, this
+				 * is only reflected in the want_features.
+				 *
+				 * As it will imply
+				 * gensec_have_features(GENSEC_FEATURE_SIGN)
+				 * to return true.
+				 */
+				if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+					break;
+				}
+				if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+					break;
+				}
+				/*
+				 * Here we're sure our preferred mech was
+				 * selected by the server and our caller doesn't
+				 * need GENSEC_FEATURE_SIGN nor
+				 * GENSEC_FEATURE_SEAL support.
+				 *
+				 * In this case we don't require
+				 * a mechListMIC from the server.
+				 *
+				 * This works around bugs in the Azure
+				 * and Apple spnego implementations.
+				 *
+				 * See
+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
+				 */
+				spnego_state->may_skip_mic_check = true;
+				break;
+
 			case SPNEGO_REQUEST_MIC:
 				if (spnego.negTokenTarg.mechListMIC.length > 0) {
 					new_spnego = true;


-- 
Samba Shared Repository

More information about the samba-cvs mailing list