CVE-2016-2112: s3:libads: make sure we detect downgrade attacks
authorStefan Metzmacher <metze@samba.org>
Thu, 24 Mar 2016 14:50:49 +0000 (15:50 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
source3/libads/sasl.c

index e205e9f22955789d192efe0cebcc2bba7f118670..4fcd733681b95c7aad244ce1ef94e082c5cca456 100644 (file)
@@ -276,6 +276,37 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
        data_blob_free(&blob_in);
        data_blob_free(&blob_out);
 
+       if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+               bool ok;
+
+               ok = gensec_have_feature(auth_generic_state->gensec_security,
+                                        GENSEC_FEATURE_SEAL);
+               if (!ok) {
+                       DEBUG(0,("The gensec feature sealing request, but unavailable\n"));
+                       TALLOC_FREE(auth_generic_state);
+                       return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+               }
+
+               ok = gensec_have_feature(auth_generic_state->gensec_security,
+                                        GENSEC_FEATURE_SIGN);
+               if (!ok) {
+                       DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+                       TALLOC_FREE(auth_generic_state);
+                       return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+               }
+
+       } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+               bool ok;
+
+               ok = gensec_have_feature(auth_generic_state->gensec_security,
+                                        GENSEC_FEATURE_SIGN);
+               if (!ok) {
+                       DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+                       TALLOC_FREE(auth_generic_state);
+                       return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+               }
+       }
+
        if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
                size_t max_wrapped = gensec_max_wrapped_size(auth_generic_state->gensec_security);
                ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
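Review bot: The GENSEC_FEATURE_SIGN check is duplicated between the `>= ADS_SASLWRAP_TYPE_SEAL` branch and the `else if` branch, including the identical DEBUG line; since the `>=` comparisons already rely on SEAL ordering above SIGN, the two branches could be two independent `if`s — `if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN)` checking GENSEC_FEATURE_SIGN, followed by `if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL)` checking GENSEC_FEATURE_SEAL — with the same TALLOC_FREE and early return in each. The DEBUG strings read oddly; `DEBUG(0,("The gensec feature sealing was requested, but is unavailable\n"));` (and likewise for signing) states what happened. Returning NT_STATUS_INVALID_NETWORK_RESPONSE is the right outcome here, since a peer that negotiated fewer features than the caller configured is a protocol error rather than something to continue with; a short comment above the first check, such as `/* Refuse to proceed if the negotiated features are weaker than what wrap_type requires */`, would record that intent for the next reader. ads_sasl_spnego_gensec_bind starts before and continues after this hunk.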