From 6bc07fac0aa2610cb604f767f6bab195cd4ec190 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 24 Apr 2024 10:46:37 +0200
Subject: [PATCH] BACKPORT auth/ntlmssp: from master
---
auth/ntlmssp/ntlmssp_client.c | 2 ++
auth/ntlmssp/ntlmssp_server.c | 62 ++++++++++++++++++-----------------
auth/ntlmssp/ntlmssp_util.c | 11 +++++++
3 files changed, 45 insertions(+), 30 deletions(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 4332930b6843..ce9786de6a1e 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -599,6 +599,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
SingleHost->Value.AvSingleHost.remaining = data_blob_null;
}
+ if (!(gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL)
+ || gensec_security->channel_bindings != NULL) {
struct AV_PAIR *ChannelBindings = NULL;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 1f67fd0de7d3..0632b12de614 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
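Review bot: The new `if (!(gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL) || gensec_security->channel_bindings != NULL)` guard has no comment, and its reason is only discoverable from the server-side hunk of this same patch, where the optional check lets an absent channel-bindings AV_PAIR through but rejects explicit zero bytes. Without that context the next maintainer may "simplify" this back to always emitting the pair (presumably MsvChannelBindings, going by the `ChannelBindings` AV_PAIR it wraps) with zeros, which would then fail against a server running the optional check. I would add above the `if`: `/* With GENSEC_FEATURE_CB_OPTIONAL and no bindings, omit the channel-bindings AV_PAIR entirely: a server doing the optional check accepts an absent pair but rejects explicit zeros. */`. The block opened here closes outside the hunk, so the brace balance cannot be confirmed from this view.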
@@ -710,39 +710,41 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security,
}
}
- nt_status = ntlmssp_hash_channel_bindings(gensec_security,
- server_channel_bindings);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
+ if (gensec_security->channel_bindings != NULL) {
+ nt_status = ntlmssp_hash_channel_bindings(gensec_security,
+ server_channel_bindings);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
- ok = mem_equal_const_time(client_channel_bindings,
+ ok = mem_equal_const_time(client_channel_bindings,
+ server_channel_bindings,
+ 16);
+ if (!ok && gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL) {
+ /*
+ * Unlike kerberos, explicit 16 zeros in
+ * MsvChannelBindings are not enough to
+ * pass the optional check.
+ *
+ * So we only let it through without explicit
+ * MsvChannelBindings.
+ */
+ ok = (client_channel_bindings == zero_channel_bindings);
+ }
+ if (!ok) {
+ DBG_WARNING("Invalid channel bindings for "
+ "user=[%s] domain=[%s] workstation=[%s]\n",
+ ntlmssp_state->user,
+ ntlmssp_state->domain,
+ ntlmssp_state->client.netbios_name);
+ dump_data(DBGLVL_WARNING,
+ client_channel_bindings,
+ 16);
+ dump_data(DBGLVL_WARNING,
server_channel_bindings,
16);
- if (!ok && gensec_security->want_features & GENSEC_FEATURE_CB_OPTIONAL) {
- /*
- * Unlike kerberos, explicit 16 zeros in
- * MsvChannelBindings are not enough to
- * pass the optional check.
- *
- * So we only let it through without explicit
- * MsvChannelBindings.
- */
- ok = (client_channel_bindings == zero_channel_bindings);
- }
- if (!ok) {
- DBG_WARNING("Invalid channel bindings for "
- "user=[%s] domain=[%s] workstation=[%s]\n",
- ntlmssp_state->user,
- ntlmssp_state->domain,
- ntlmssp_state->client.netbios_name);
- dump_data(DBGLVL_WARNING,
- client_channel_bindings,
- 16);
- dump_data(DBGLVL_WARNING,
- server_channel_bindings,
- 16);
- return NT_STATUS_BAD_BINDINGS;
+ return NT_STATUS_BAD_BINDINGS;
+ }
}
nttime_to_timeval(&endtime, ntlmssp_state->server.challenge_endtime);
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 14d69fc9dfdf..b8dc84e1652b 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -239,8 +239,10 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
return NT_STATUS_OK;
}
+ GNUTLS_FIPS140_SET_LAX_MODE();
rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
if (rc < 0) {
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
@@ -248,12 +250,14 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->initiator_address.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->initiator_address.length > 0) {
@@ -262,6 +266,7 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
cb->initiator_address.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
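Review bot: The optional-mode accept on the new `ok = (client_channel_bindings == zero_channel_bindings);` line leaves no trace, whereas the reject path two lines below logs at DBG_WARNING with both hashes; an operator who turns on GENSEC_FEATURE_CB_OPTIONAL as a transition step has no way to see which users or workstations still omit channel bindings before switching to enforcement. I would log the accepted case at a lower level, e.g. DBG_INFO (or whichever non-warning level this file already uses), inside the optional branch right after the assignment, with the same user/domain/workstation fields the warning uses. Note also that this is a pointer-identity test, not a byte compare — presumably client_channel_bindings is pointed at zero_channel_bindings only when the AV_PAIR is absent, which is set up outside this hunk — so a one-line `/* pointer identity: only an absent AV_PAIR passes, explicit zero bytes do not */` next to it would spare the next reader a detour. ntlmssp_server_preauth starts before and ends after this hunk.
```c
			ok = (client_channel_bindings == zero_channel_bindings);
			if (ok) {
				DBG_INFO("Accepting missing MsvChannelBindings "
					 "(optional) for user=[%s] domain=[%s] "
					 "workstation=[%s]\n",
					 ntlmssp_state->user,
					 ntlmssp_state->domain,
					 ntlmssp_state->client.netbios_name);
			}
```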
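Review bot: The new `GNUTLS_FIPS140_SET_LAX_MODE();` before `gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5)` is exactly the kind of line that gets "cleaned up" by a later FIPS audit unless it says why MD5 is being allowed through. As far as I can tell this is a protocol constant rather than a local choice — MS-NLMP defines MsvChannelBindings as the MD5 of the gss_channel_bindings_struct, so there is no compliant substitute — and that should be stated at the point of use: `/* MS-NLMP fixes MD5 for MsvChannelBindings; it is a wire-format constant, not a security choice, so permit it under FIPS only for the duration of this hash. */`. The early `return NT_STATUS_OK;` above it is before the lax-mode switch, so that path correctly needs no strict reset. ntlmssp_hash_channel_bindings starts before this hunk.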
@@ -269,12 +274,14 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
SIVAL(uint32buf, 0, cb->acceptor_address.length);
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->acceptor_address.length > 0) {
@@ -283,6 +290,7 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
cb->acceptor_address.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
@@ -290,6 +298,7 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
if (cb->application_data.length > 0) {
@@ -298,10 +307,12 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
cb->application_data.length);
if (rc < 0) {
gnutls_hash_deinit(hash_hnd, NULL);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
}
}
gnutls_hash_deinit(hash_hnd, cb_hash);
+ GNUTLS_FIPS140_SET_STRICT_MODE();
return NT_STATUS_OK;
}
-- 
2.34.1
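Review bot: This final hunk adds the ninth copy of the `gnutls_hash_deinit(hash_hnd, NULL); GNUTLS_FIPS140_SET_STRICT_MODE(); return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);` triple across the patch, and a future `gnutls_hash()` call added without the middle line would leave the process in lax FIPS mode on failure with nothing to catch it. Since every one of those error paths is identical and `rc` is still in scope, the usual C answer is one exit label placed here at the function's end, with each `if (rc < 0) { … }` above reduced to `goto fail_deinit;`; the `gnutls_hash_init` failure path has no handle to release and keeps its own reset (or a second label before the deinit). The fence shows the tail as I would write it; the gnutls_hash() calls earlier in the function are unchanged apart from the goto. ntlmssp_hash_channel_bindings starts before this hunk.
```c
	gnutls_hash_deinit(hash_hnd, cb_hash);
	GNUTLS_FIPS140_SET_STRICT_MODE();
	return NT_STATUS_OK;

fail_deinit:
	/* every gnutls_hash() failure above lands here via goto */
	gnutls_hash_deinit(hash_hnd, NULL);
	GNUTLS_FIPS140_SET_STRICT_MODE();
	return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
```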