CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
authorStefan Metzmacher <metze@samba.org>
Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:24 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source4/libcli/ldap/ldap_bind.c

index d2f4ca7e4acfb9df9adb83d61d813ca0446fe113..db8de4e0ed4fe91cbbdc2e10545d0fd83f6cd123 100644 (file)
@@ -32,6 +32,7 @@
 #include "auth/credentials/credentials.h"
 #include "lib/stream/packet.h"
 #include "param/param.h"
+#include "param/loadparm.h"
 
 struct ldap_simple_creds {
        const char *dn;
@@ -216,7 +217,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
        struct ldap_SearchResEntry *search;
        int count, i;
        bool first = true;
-
+       int wrap_flags = 0;
        const char **sasl_names;
        uint32_t old_gensec_features;
        static const char *supported_sasl_mech_attrs[] = {
@@ -285,6 +286,21 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn,
 
        gensec_init();
 
+       if (conn->sockets.active == conn->sockets.tls) {
+               /*
+                * require Kerberos SIGN/SEAL only if we don't use SSL
+                * Windows seem not to like double encryption
+                */
+               wrap_flags = 0;
+       } else if (cli_credentials_is_anonymous(creds)) {
+               /*
+                * anonymous isn't protected
+                */
+               wrap_flags = 0;
+       } else {
+               wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
+       }
+
 try_logon_again:
        /*
          we loop back here on a logon failure, and re-create the
@@ -301,10 +317,8 @@ try_logon_again:
                goto failed;
        }
 
-       /* require Kerberos SIGN/SEAL only if we don't use SSL
-        * Windows seem not to like double encryption */
        old_gensec_features = cli_credentials_get_gensec_features(creds);
-       if (conn->sockets.active == conn->sockets.tls) {
+       if (wrap_flags == 0) {
                cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
        }
 
@@ -320,6 +334,14 @@ try_logon_again:
         * context, so we don't tatoo it ) */
        cli_credentials_set_gensec_features(creds, old_gensec_features);
 
+       if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+               gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
+               gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
+       }
+       if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+               gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
+       }
+
        /*
         * This is an indication for the NTLMSSP backend to
         * also encrypt when only GENSEC_FEATURE_SIGN is requested
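Review bot: The two gensec_want_feature() calls only ask the GENSEC backend for SIGN/SEAL; nothing in this hunk verifies that the features were actually negotiated, so a peer that presumably declines integrity or privacy would leave the bind completing unwrapped even though `client ldap sasl wrapping` demanded it. Once the SASL exchange has finished (the bind loop continues outside this hunk), the outcome should be compared against `wrap_flags` with `gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)` and `gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)`, and the bind should fail with an error status when the configured level was not reached. As a minor point of style, the SEAL branch already requests GENSEC_FEATURE_SIGN, so when both bits are set the following SIGN branch repeats that request; requesting SIGN once under `if (wrap_flags & (ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL))` and SEAL only under the SEAL bit would read more clearly. ldap_bind_sasl begins and ends outside this hunk.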