CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/credentials/credentials.h

@@ -80,7 +80,9 @@ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALL
 					      const char **domain);
 NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
 					   int *flags,
-					   DATA_BLOB challenge, DATA_BLOB target_info, 
+					   DATA_BLOB challenge,
+					   const NTTIME *server_timestamp,
+					   DATA_BLOB target_info,
 					   DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
 					   DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key);
 const char *cli_credentials_get_realm(struct cli_credentials *cred);

auth/credentials/credentials_ntlm.c

@@ -30,7 +30,9 @@
 
 _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
 					   int *flags,
-					   DATA_BLOB challenge, DATA_BLOB target_info, 
+					   DATA_BLOB challenge,
+					   const NTTIME *server_timestamp,
+					   DATA_BLOB target_info,
 					   DATA_BLOB *_lm_response, DATA_BLOB *_nt_response, 
 					   DATA_BLOB *_lm_session_key, DATA_BLOB *_session_key) 
 {

auth/ntlmssp/ntlmssp_client.c

@@ -228,6 +228,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	const char *user = NULL, *domain = NULL, *workstation = NULL;
 	bool is_anonymous = false;
 	const DATA_BLOB version_blob = ntlmssp_version_blob();
+	const NTTIME *server_timestamp = NULL;
 
 	TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 	if (!mem_ctx) {
@@ -454,10 +455,10 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	}
 
 	nt_status = cli_credentials_get_ntlm_response(gensec_security->credentials, mem_ctx,
-						      &flags, challenge_blob, target_info,
+						      &flags, challenge_blob,
+						      server_timestamp, target_info,
 						      &lm_response, &nt_response,
 						      &lm_session_key, &session_key);
-
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}

source4/libcli/smb_composite/sesssetup.c

@@ -332,6 +332,7 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
 		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
 							      &flags, 
 							      session->transport->negotiate.secblob, 
+							      NULL, /* server_timestamp */
 							      names_blob,
 							      &state->setup.nt1.in.password1,
 							      &state->setup.nt1.in.password2,
@@ -426,6 +427,7 @@ static NTSTATUS session_setup_old(struct composite_context *c,
 		nt_status = cli_credentials_get_ntlm_response(io->in.credentials, state, 
 							      &flags, 
 							      session->transport->negotiate.secblob, 
+							      NULL, /* server_timestamp */
 							      names_blob,
 							      &state->setup.old.in.password,
 							      NULL,

source4/torture/rpc/netlogon.c

@@ -882,6 +882,7 @@ static bool test_netlogon_ops_args(struct dcerpc_pipe *p, struct torture_context
 	status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);

source4/torture/rpc/remote_pac.c

@@ -735,6 +735,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
 	status = cli_credentials_get_ntlm_response(client_creds, tctx,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);

source4/torture/rpc/samba3rpc.c

@@ -1192,7 +1192,7 @@ static bool schan(struct torture_context *tctx,
 			cli_credentials_get_workstation(user_creds),
 			cli_credentials_get_domain(user_creds));
 		status = cli_credentials_get_ntlm_response(
-			user_creds, mem_ctx, &flags, chal, names_blob,
+			user_creds, mem_ctx, &flags, chal, NULL, names_blob,
 			&lm_resp, &nt_resp, NULL, NULL);
 		if (!NT_STATUS_IS_OK(status)) {
 			torture_comment(tctx, "cli_credentials_get_ntlm_response failed:"

source4/torture/rpc/samr.c

@@ -3096,6 +3096,7 @@ static bool test_SamLogon(struct torture_context *tctx,
 		status = cli_credentials_get_ntlm_response(test_credentials, tctx,
 							   &flags,
 							   chal,
+							   NULL, /* server_timestamp */
 							   names_blob,
 							   &lm_resp, &nt_resp,
 							   NULL, NULL);

source4/torture/rpc/schannel.c

@@ -87,6 +87,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx,
 	status = cli_credentials_get_ntlm_response(cmdline_credentials, tctx,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);
@@ -853,6 +854,7 @@ static bool torture_schannel_bench_start(struct torture_schannel_bench_conn *con
 	status = cli_credentials_get_ntlm_response(user_creds, conn->tmp,
 						   &flags,
 						   chal,
+						   NULL, /* server_timestamp */
 						   names_blob,
 						   &lm_resp, &nt_resp,
 						   NULL, NULL);