sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
102,568 Commits 60 Branches 1,144 Tags 452 MiB
b720575f16
Commit Graph

102568 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ralph Boehme
b720575f16 CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT 
SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
a046ffd6cd CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
57b04e805d CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
b6debbcfec CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
68d6c10e5e CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
57f0b0c6c0 CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
5721234328 CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
35ce75ec9e CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
f65f618e96 CVE-2016-2115: docs-xml: add "client ipc signing" option 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
8ff6a955f5 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
1dd4378b34 CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:26 +02:00
Ralph Boehme
99f2bbccbd CVE-2016-2114: s3:smbd: enforce "server signing = mandatory" 
This fixes a regression that was introduced by commit
abb24bf8e8
("s3:smbd: make use of better SMB signing negotiation").

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:26 +02:00
Ralph Boehme
80adeb01fe CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:26 +02:00
Stefan Metzmacher
5cb4ee27f8 CVE-2016-2114: s3:smbd: use the correct default values for "smb signing" 
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.

The main logic for this hides in lpcfg_server_signing_allowed().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
44dd523d6c CVE-2016-2114: s4:smb2_server: fix session setup with required signing 
The client can't sign the session setup request...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
6ad9ba72a7 CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible" 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
7cf3318fa9 CVE-2016-2113: selftest: use "tls verify peer = no_check" 
Individual tests will check the more secure values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
942e4ed851 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
45ff760cf3 CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
4b679c350a CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
e72b2c94b5 CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2362c0353b CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check" 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
64a9cd2a38 CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
b5681c4125 CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert 
The generated ca cert (in ca.pem) was completely useless,
it could be replaced by cert.pem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
6e22abd977 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes" 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2b40fb8509 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc 
We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
e71be8099a CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options 
The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
c5c5735c1f CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc 
This uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
28f1af7e50 CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
0cd2acef79 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
dedba1f070 CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:25 +02:00
Stefan Metzmacher
98ff297ed0 CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
05692ec958 CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
1da744b2f9 CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
ed863ef46a CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
20859a22c4 CVE-2016-2112: s3:libads: make sure we detect downgrade attacks 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
1dc40a08f0 CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no" 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
5ab1db006e CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
70452c90a5 CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
4fb6867495 CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
a1900b5bd6 CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes" 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
6cd48add11 CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
2c73047ecf CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
a711399d30 CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
894aad5f71 CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
c985ffd884 CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes" 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
f10589c0e1 CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
bbb066a12a CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
93e3f25d42 CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA 
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00
Stefan Metzmacher
fb20f135f0 CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA 
This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
 2016-04-12 19:25:24 +02:00