sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00
Code

spnego: ignore server mech_types list

Browse Source 
We should not use the mech list sent by the server in the last
'negotiate' packet in CIFS protocol, as it is not protected and
may be subject to downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Isaac Boukris 2019-10-03 13:09:29 +03:00 committed by Andreas Schneider
parent efb43ecb8e
commit 37daeb220e
1 changed files with 26 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
auth/gensec/spnego.c
View File

@ -511,7 +511,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start(
}
n->mech_idx = 0;
n->mech_types = spnego_in->negTokenInit.mechTypes;
/* Do not use server mech list as it isn't protected. Instead, get all
* supported mechs (excluding SPNEGO). */
n->mech_types = gensec_security_oids(gensec_security, n,
GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
@ -658,13 +662,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
DATA_BLOB *out)
{
struct spnego_data spnego_out;
const char *my_mechs[] = {NULL, NULL};
const char * const *mech_types = NULL;
bool ok;
my_mechs[0] = spnego_state->neg_oid;
if (n->mech_types == NULL) {
DBG_WARNING("No mech_types list\n");
return NT_STATUS_INVALID_PARAMETER;
}
for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
int cmp = strcmp(*mech_types, spnego_state->neg_oid);
if (cmp == 0) {
break;
}
}
if (*mech_types == NULL) {
DBG_ERR("Can't find selected sub mechanism in mech_types\n");
return NT_STATUS_INVALID_PARAMETER;
}
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
spnego_out.negTokenInit.mechTypes = my_mechs;
spnego_out.negTokenInit.mechTypes = mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
spnego_out.negTokenInit.mechListMIC = data_blob_null;
@ -676,7 +697,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish(
}
ok = spnego_write_mech_types(spnego_state,
my_mechs,
mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");