diff options
| author | Isaac Boukris <iboukris@gmail.com> | 2019-10-03 13:09:29 +0300 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2019-10-16 12:15:54 +0000 |
| commit | f340056428a6bbae2ebe245af3bbd7a44c1c50c9 (patch) | |
| tree | c6fd8489e4139e1c86eff41144c46346cf94a6b6 | |
| parent | de0841138e6def10a370e6b0630a9ca36a4870c4 (diff) | |
| download | samba-f340056428a6bbae2ebe245af3bbd7a44c1c50c9.tar.gz | |
spnego: ignore server mech_types list
We should not use the mech list sent by the server in the last
'negotiate' packet in CIFS protocol, as it is not protected and
may be subject to downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
| -rw-r--r-- | auth/gensec/spnego.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 0b3fbdce7ac..dc73e324d99 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -511,7 +511,11 @@ static NTSTATUS gensec_spnego_client_negTokenInit_start( } n->mech_idx = 0; - n->mech_types = spnego_in->negTokenInit.mechTypes; + + /* Do not use server mech list as it isn't protected. Instead, get all + * supported mechs (excluding SPNEGO). */ + n->mech_types = gensec_security_oids(gensec_security, n, + GENSEC_OID_SPNEGO); if (n->mech_types == NULL) { return NT_STATUS_INVALID_PARAMETER; } @@ -658,13 +662,30 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish( DATA_BLOB *out) { struct spnego_data spnego_out; - const char *my_mechs[] = {NULL, NULL}; + const char * const *mech_types = NULL; bool ok; - my_mechs[0] = spnego_state->neg_oid; + if (n->mech_types == NULL) { + DBG_WARNING("No mech_types list\n"); + return NT_STATUS_INVALID_PARAMETER; + } + + for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) { + int cmp = strcmp(*mech_types, spnego_state->neg_oid); + + if (cmp == 0) { + break; + } + } + + if (*mech_types == NULL) { + DBG_ERR("Can't find selected sub mechanism in mech_types\n"); + return NT_STATUS_INVALID_PARAMETER; + } + /* compose reply */ spnego_out.type = SPNEGO_NEG_TOKEN_INIT; - spnego_out.negTokenInit.mechTypes = my_mechs; + spnego_out.negTokenInit.mechTypes = mech_types; spnego_out.negTokenInit.reqFlags = data_blob_null; spnego_out.negTokenInit.reqFlagsPadding = 0; spnego_out.negTokenInit.mechListMIC = data_blob_null; @@ -676,7 +697,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit_finish( } ok = spnego_write_mech_types(spnego_state, - my_mechs, + mech_types, &spnego_state->mech_types); if (!ok) { DBG_ERR("failed to write mechTypes\n"); |