CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS

In future we can do a more fine granted negotiation
and assert specific security features.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

4 files changed, 33 insertions, 18 deletions

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index fe9e5d46623..bf3b8c0dd5f 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -247,7 +247,11 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	DEBUG(3, ("Got challenge flags:\n"));
 	debug_ntlmssp_flags(chal_flags);
 
-	ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, ntlmssp_state->allow_lm_key);
+	nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
+					     chal_flags, "challenge");
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
 
 	if (ntlmssp_state->unicode) {
 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 29eca356660..e938e5cad8f 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -59,8 +59,8 @@ NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
 /* The following definitions come from auth/ntlmssp_util.c  */
 
 void debug_ntlmssp_flags(uint32_t neg_flags);
-void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-			      uint32_t neg_flags, bool allow_lm);
+NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+				  uint32_t neg_flags, const char *name);
 const DATA_BLOB ntlmssp_version_blob(void);
 
 /* The following definitions come from auth/ntlmssp_server.c  */
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 4bb2a64eac1..513d4a6e456 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -117,7 +117,10 @@ NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security
 		}
 	}
 
-	ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key);
+	status = ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, "negotiate");
+	if (!NT_STATUS_IS_OK(status)){
+		return status;
+	}
 
 	/* Ask our caller what challenge they would like in the packet */
 	if (auth_context->get_ntlm_challenge) {
@@ -331,8 +334,14 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
 
 	talloc_steal(state, state->encrypted_session_key.data);
 
-	if (auth_flags)
-		ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
+	if (auth_flags != 0) {
+		nt_status = ntlmssp_handle_neg_flags(ntlmssp_state,
+						     auth_flags,
+						     "authenticate");
+		if (!NT_STATUS_IS_OK(nt_status)){
+			return nt_status;
+		}
+	}
 
 	if (DEBUGLEVEL >= 10) {
 		struct AUTHENTICATE_MESSAGE *authenticate = talloc(
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index bfe27f9526d..8f11df1a3ca 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -70,10 +70,10 @@ void debug_ntlmssp_flags(uint32_t neg_flags)
 	debug_ntlmssp_flags_raw(4, neg_flags);
 }
 
-void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
-			      uint32_t neg_flags, bool allow_lm)
+NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+				  uint32_t flags, const char *name)
 {
-	if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
+	if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
 		ntlmssp_state->unicode = true;
@@ -83,7 +83,7 @@ void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 		ntlmssp_state->unicode = false;
 	}
 
-	if ((neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) && allow_lm) {
+	if ((flags & NTLMSSP_NEGOTIATE_LM_KEY) && ntlmssp_state->allow_lm_key) {
 		/* other end forcing us to use LM */
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
 		ntlmssp_state->use_ntlmv2 = false;
@@ -91,37 +91,39 @@ void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_128)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_128)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_56)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_56)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
 	}
 
-	if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+	if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
 		ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
 	}
 
-	if ((neg_flags & NTLMSSP_REQUEST_TARGET)) {
+	if ((flags & NTLMSSP_REQUEST_TARGET)) {
 		ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
 	}
+
+	return NT_STATUS_OK;
 }
 
 /* Does this blob looks like it could be NTLMSSP? */