CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
authorStefan Metzmacher <metze@samba.org>
Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
source4/libcli/ldap/ldap_bind.c

index db8de4e0ed4fe91cbbdc2e10545d0fd83f6cd123..79478e775d8115c52cabb7d8234c7f0bd359106d 100644 (file)
@@ -495,6 +495,20 @@ try_logon_again:
        conn->bind.type = LDAP_BIND_SASL;
        conn->bind.creds = creds;
 
+       if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+               if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+
+               if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+       } else if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+               if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+       }
+
        if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
            !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
                return NT_STATUS_OK;