CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index db8de4e0ed4fe91cbbdc2e10545d0fd83f6cd123..79478e775d8115c52cabb7d8234c7f0bd359106d 100644 (file)
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -495,6 +495,20 @@ try_logon_again:
        conn->bind.type = LDAP_BIND_SASL;
        conn->bind.creds = creds;
 
+       if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+               if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+
+               if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+       } else if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+               if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
+                       return NT_STATUS_INVALID_NETWORK_RESPONSE;
+               }
+       }
+
        if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
            !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
                return NT_STATUS_OK;