CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
authorStefan Metzmacher <metze@samba.org>
Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:22 +0000 (19:25 +0200)
New servers respond with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
auth/gensec/spnego.c

index 9c5e51daead724e6fa1d47ecd6910d9e196f7f2a..ea2430804337f9ad51acbceaaab64b4e16d28058 100644 (file)
@@ -970,13 +970,15 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                }
 
                /* Server didn't like our choice of mech, and chose something else */
-               if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) &&
+               if (((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
+                    (spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC)) &&
                    spnego.negTokenTarg.supportedMech &&
                    strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
                        DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
-                                gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech), 
-                                gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid)));
+                                gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
+                                gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
 
+                       spnego_state->no_response_expected = false;
                        talloc_free(spnego_state->sub_sec_security);
                        nt_status = gensec_subcontext_start(spnego_state,
                                                            gensec_security,
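Review bot: The added `spnego_state->no_response_expected = false;` ahead of `talloc_free(spnego_state->sub_sec_security)` carries no comment, and the comment above the condition still describes only the SPNEGO_ACCEPT_INCOMPLETE case. I would extend the condition's comment with `/* newer servers signal the same downgrade with SPNEGO_REQUEST_MIC */` and put `/* restarting with the server's mech: completion state from our first choice no longer applies */` on the reset; the second wording is my reading of the field name, so please confirm it. Because this branch lets the server-supplied `supportedMech` replace the client's preferred mechanism, it would also help to say here where the mechListMIC check for the downgraded exchange is enforced, since that check is not visible in this hunk. The body of gensec_spnego_update starts and ends outside the hunk.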