diff options
| author | Stefan Metzmacher <metze@samba.org> | 2016-11-24 09:12:59 +0100 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2021-11-08 10:52:13 +0100 |
| commit | 4290223ed40183e5f01c25da00df438b9ccf302a (patch) | |
| tree | acdfe0545b667006ddd9f6a1e7856d93d0094c62 | |
| parent | ec712adf5002eb4f3a36d55f0d7a8a196f24b214 (diff) | |
| download | samba-4290223ed40183e5f01c25da00df438b9ccf302a.tar.gz | |
CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze@samba.org>
| -rw-r--r-- | source4/libcli/smb_composite/sesssetup.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 6ee4929e8d7..a0a1f4baa56 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se struct composite_context *c; struct sesssetup_state *state; NTSTATUS status; + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(io->in.credentials); c = composite_create(session, session->transport->ev); if (c == NULL) return NULL; @@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* no session setup at all in earliest protocol varients */ if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { + if (krb5_state == CRED_MUST_USE_KERBEROS) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } ZERO_STRUCT(io->out); composite_done(c); return c; @@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* see what session setup interface we will use */ if (session->transport->negotiate.protocol < PROTOCOL_NT1) { + if (krb5_state == CRED_MUST_USE_KERBEROS) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_old(c, session, io, &state->req); } else if (!session->transport->options.use_spnego || !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { + if (krb5_state == CRED_MUST_USE_KERBEROS) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_nt1(c, session, io, &state->req); } else { struct tevent_req *subreq = NULL; |