author | Stefan Metzmacher <metze@samba.org> | 2015-11-20 11:42:55 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:22 +0200 |
commit | 4ec38db6f17a4f998a8e38291b599dd08b6a6192 (patch) | |
tree | 091b10e11afe6bfd72925a927e9872f192935b98 /auth | |
parent | 4106fde3186e410a32af2fdfc765398c9eb530dc (diff) | |
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
New servers respond with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.
With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/gensec/spnego.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 9c5e51daead..ea243080433 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -970,13 +970,15 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } /* Server didn't like our choice of mech, and chose something else */ - if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) && + if (((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) || + (spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC)) && spnego.negTokenTarg.supportedMech && strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) { DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", - gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech), - gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid))); + gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), + gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); + spnego_state->no_response_expected = false; talloc_free(spnego_state->sub_sec_security); nt_status = gensec_subcontext_start(spnego_state, gensec_security, |
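Review bot: The widened condition at the top of the hunk handles SPNEGO_REQUEST_MIC exactly like SPNEGO_ACCEPT_INCOMPLETE, and nothing in the visible lines records that the server asked for a MIC before the subcontext is restarted with the server's mech. If the later states do not already enforce the MIC exchange after a mech switch, remember the request here; otherwise add a short comment saying where that is enforced, and extend the existing comment "Server didn't like our choice of mech, and chose something else" to cover the request-mic case. The swap of the two gensec_get_name_by_oid() arguments in the DEBUG call and the new `spnego_state->no_response_expected = false;` reset are separate from the condition change and are not mentioned in the commit message; a line for each there would make the reason for the reset in particular easier to follow.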