CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN

It's important to check if got the GENSEC_FEATURE_SIGN and if the caller
wanted it.

The caller may only asked for GENSEC_FEATURE_SESSION_KEY which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 49933cb11b9cbc532cf0c0ddfc2d2065a87dd97f..e91692bb0cd2ba88606838584cf6f7f9fba58d8c 100644 (file)
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -538,7 +538,7 @@ done:
 
        ntlmssp_state->expected_state = NTLMSSP_DONE;
 
-       if (gensec_security->want_features & (GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) {
+       if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                nt_status = ntlmssp_sign_init(ntlmssp_state);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n",

diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 513d4a6e456c2b4b63eec1afbd66a010f6cbedd3..7013df783297733e631a3a6fdbe5fcfec5b54139 100644 (file)
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -598,7 +598,7 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
                talloc_steal(ntlmssp_state, session_key.data);
        }
 
-       if (ntlmssp_state->session_key.length) {
+       if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                nt_status = ntlmssp_sign_init(ntlmssp_state);
        }