sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-20 22:50:26 +03:00
Code

CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade

Browse Source 
New servers response with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2015-11-20 11:42:55 +01:00
parent 9440fa898f
commit 3673533644
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
auth/gensec/spnego.c
View File

@ -970,13 +970,15 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
/* Server didn't like our choice of mech, and chose something else */
if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) &&
if (((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
(spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC)) &&
spnego.negTokenTarg.supportedMech &&
strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech),
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid)));
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
spnego_state->no_response_expected = false;
talloc_free(spnego_state->sub_sec_security);
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,