author | Stefan Metzmacher <metze@samba.org> | 2016-04-22 10:04:38 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-29 09:39:28 +0200 |
commit | 622a603c4b7a82eb9f6da37bb7e17b1ad4108b85 (patch) | |
tree | 39ad60a0b43c3e71f1b08d17f250752acb98890e | |
parent | bc2331bc8c208713ff4ca11b37b10c6ee714190b (diff) | |
download | samba-622a603c4b7a82eb9f6da37bb7e17b1ad4108b85.tar.gz |
auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e)
-rw-r--r-- | auth/gensec/spnego.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 3f30eaacd3a..e691db81949 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA case SPNEGO_SERVER_TARG: { NTSTATUS nt_status; + bool have_sign = true; bool new_spnego = false; if (!in.length) { @@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA goto server_response; } + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } - if (spnego.negTokenTarg.mechListMIC.length > 0) { + if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) { nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, @@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (spnego_state->no_response_expected && !spnego_state->done_mic_check) { + bool have_sign = true; bool new_spnego = false; + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); @@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego_state->mic_requested) { - bool sign; - - sign = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_SIGN); - if (sign) { + if (have_sign) { new_spnego = true; } } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } |
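Review bot: The new `bool have_sign = true;` in the `SPNEGO_SERVER_TARG` case (hunk `@@ -885,6 +885,7`) has no comment saying why the default is `true`. The value looks like the fail-closed choice: a path that never queries the sub-mechanism would still require the mechListMIC. I would state that next to the declaration, e.g. `/* default to true: keep MIC handling mandatory unless the sub-mechanism reports it cannot sign */`. The declaration added in hunk `@@ -1142,8 +1145,11` is overwritten unconditionally two lines later, so there the initializer is dead and could be folded into `bool have_sign = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_SIGN);`. Both enclosing blocks start and end outside their hunks, so other uses of the variable are not visible here.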
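Review bot: In hunk `@@ -947,18 +948,20`, a mechListMIC sent by the peer is now skipped silently when the sub-mechanism reports no `GENSEC_FEATURE_SIGN`. The condition `if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0)` bypasses `gensec_check_packet()` and nothing records that the token was ignored. The MIC is what protects the mechanism list from tampering, so this branch needs a comment explaining why skipping verification is acceptable; presumably no signing key exists to verify with, which should be confirmed against bug 11847. A log line would also make an unexpectedly unsigned session visible to an operator: `if (!have_sign && spnego.negTokenTarg.mechListMIC.length > 0) { DEBUG(5, ("SPNEGO: ignoring mechListMIC, signing not negotiated\n")); }`. Whether the peer can influence the SIGN feature through its negotiate flags is not visible in this hunk; if it can, the comment should name what protects those flags.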
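Review bot: In hunk `@@ -1170,16 +1176,12` the inner `if (have_sign)` inside `if (spnego_state->mic_requested)` is now redundant, because the only visible consumer of `new_spnego` is the following `if (have_sign && new_spnego)`. Provided `new_spnego` is not read again after this block (the enclosing block continues outside the hunk), the nesting can collapse to `if (spnego_state->mic_requested) { new_spnego = true; }`. That leaves `have_sign` tested in one place, which makes the "no signing, no MIC" rule easier to audit.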