CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index db8de4e0ed4..79478e775d8 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -495,6 +495,20 @@ try_logon_again:
 	conn->bind.type = LDAP_BIND_SASL;
 	conn->bind.creds = creds;
 
+	if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+		if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+
+		if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+	} else if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+		if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN)) {
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+	}
+
 	if (!gensec_have_feature(conn->gensec, GENSEC_FEATURE_SIGN) &&
 	    !gensec_have_feature(conn->gensec, GENSEC_FEATURE_SEAL)) {
 		return NT_STATUS_OK;