authorStefan Metzmacher <metze@samba.org>2016-04-22 10:04:38 +0200
committerKarolin Seeger <kseeger@samba.org>2016-04-29 12:06:26 +0200
commitd7e9f094056b6aac302fd74977f23bfb84087294 (patch)
treeffb404962f396117923b6ff7e6a06e55ff426f5a
parent40c1d53a983f943798f6f689eeeca18d7751fa63 (diff)
downloadsamba-d7e9f094056b6aac302fd74977f23bfb84087294.tar.gz
auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> (cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e)
-rw-r--r--auth/gensec/spnego.c18
1 files changed, 10 insertions, 8 deletions
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 33a4b4688a3..1b234272134 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
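Review bot: When `have_sign` is false and the peer still sent a mechListMIC, the new guard `if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0)` skips the token without any trace, so in the logs an unverified mech list looks the same as one that carried no MIC. A comment above the guard would record the reasoning, e.g. `/* no GENSEC_FEATURE_SIGN: the sub-mechanism cannot verify a mechListMIC, so the mech list is not integrity protected */`, and a debug-level log line on the skipped path would help when auditing a suspected negotiation downgrade. The same applies to the client-side `if (have_sign && new_spnego)` in the last hunk, where a requested MIC is likewise dropped silently. The enclosing case block starts and ends outside this hunk, so how `needs_mic_check` is consumed afterwards is not visible here.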
@@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
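Review bot: The initialiser in `bool have_sign = true;` never takes effect in this block, because the variable is assigned unconditionally two lines later; declaring it as `bool have_sign = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_SIGN);` would say the same thing without the dead store. In the server-side hunk the same default does stay live between the declaration and the assignment (a `goto server_response` is visible in between), so a short comment there stating that `true` is the deliberately strict default would help. Whether `have_sign` is read after that label is not visible in these hunks.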
@@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}