mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
We don't need to change the protocol version because: 1. An old client may provide the "initial_blob" (which was and is still ignored when going via the wbcCredentialCache() function) and the new winbindd won't use new_spnego. 2. A new client will just get a zero byte from an old winbindd. As it uses talloc_zero() to create struct winbindd_response. 3. Changing the version number would introduce problems with backports to older Samba versions. New clients which are capable of using the new_spnego field will use "negotiate_blob" instead of "initial_blob". BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
parent
83c71586dc
commit
2063692367
@ -1286,7 +1286,17 @@ wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
|
||||
}
|
||||
|
||||
for (i=0; i<params->num_blobs; i++) {
|
||||
if (strcasecmp(params->blobs[i].name, "initial_blob") == 0) {
|
||||
/*
|
||||
* Older callers may used to provide the NEGOTIATE request
|
||||
* as "initial_blob", but it was completely ignored by winbindd.
|
||||
*
|
||||
* So we keep ignoring it.
|
||||
*
|
||||
* A new callers that is capable to support "new_spnego",
|
||||
* will provide the NEGOTIATE request as "negotiate_blob"
|
||||
* instead.
|
||||
*/
|
||||
if (strcasecmp(params->blobs[i].name, "negotiate_blob") == 0) {
|
||||
if (initial_blob != NULL) {
|
||||
status = WBC_ERR_INVALID_PARAM;
|
||||
goto fail;
|
||||
@ -1384,6 +1394,15 @@ wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
|
||||
if (!WBC_ERROR_IS_OK(status)) {
|
||||
goto fail;
|
||||
}
|
||||
if (response.data.ccache_ntlm_auth.new_spnego) {
|
||||
status = wbcAddNamedBlob(
|
||||
&result->num_blobs, &result->blobs, "new_spnego", 0,
|
||||
&response.data.ccache_ntlm_auth.new_spnego,
|
||||
sizeof(response.data.ccache_ntlm_auth.new_spnego));
|
||||
if (!WBC_ERROR_IS_OK(status)) {
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
*info = result;
|
||||
result = NULL;
|
||||
|
@ -488,6 +488,7 @@ struct winbindd_response {
|
||||
struct {
|
||||
uint8_t session_key[16];
|
||||
uint32_t auth_blob_len; /* blob in extra_data */
|
||||
uint8_t new_spnego;
|
||||
} ccache_ntlm_auth;
|
||||
struct {
|
||||
fstring dc_unc;
|
||||
|
@ -50,7 +50,8 @@ static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
|
||||
const DATA_BLOB challenge_msg,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB *auth_msg,
|
||||
uint8_t session_key[16])
|
||||
uint8_t session_key[16],
|
||||
uint8_t *new_spnego)
|
||||
{
|
||||
NTSTATUS status;
|
||||
struct auth_generic_state *auth_generic_state = NULL;
|
||||
@ -144,6 +145,8 @@ static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
|
||||
memcpy(session_key, session_key_blob.data, 16);
|
||||
data_blob_free(&session_key_blob);
|
||||
*auth_msg = reply;
|
||||
*new_spnego = gensec_have_feature(auth_generic_state->gensec_security,
|
||||
GENSEC_FEATURE_NEW_SPNEGO);
|
||||
status = NT_STATUS_OK;
|
||||
|
||||
done:
|
||||
@ -272,7 +275,8 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
|
||||
result = do_ntlm_auth_with_stored_pw(
|
||||
name_user, name_domain, entry->pass,
|
||||
initial, challenge, talloc_tos(), &auth,
|
||||
state->response->data.ccache_ntlm_auth.session_key);
|
||||
state->response->data.ccache_ntlm_auth.session_key,
|
||||
&state->response->data.ccache_ntlm_auth.new_spnego);
|
||||
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
goto process_result;
|
||||
|
Loading…
Reference in New Issue
Block a user