From: Stefan Metzmacher
Date: Fri, 22 Apr 2016 08:04:38 +0000 (+0200)
Subject: auth/spnego: only try to verify the mechListMic if signing was negotiated.
X-Git-Tag: samba-4.2.12~17
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=d7e9f094056b6aac302fd74977f23bfb84087294
auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
Reviewed-by: Günther Deschner
(cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e)
---
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 33a4b4688a3..1b234272134 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 case SPNEGO_SERVER_TARG: {
 NTSTATUS nt_status;
+ bool have_sign = true;
 bool new_spnego = false;
 if (!in.length) {
@@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 goto server_response;
 }
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
 new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO);
 if (spnego.negTokenTarg.mechListMIC.length > 0) {
 new_spnego = true;
 }
- if (new_spnego) {
+ if (have_sign && new_spnego) {
 spnego_state->needs_mic_check = true;
 spnego_state->needs_mic_sign = true;
 }
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
 nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length,
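Review bot: A mechListMIC sent by the peer is now skipped without any trace in the SPNEGO_SERVER_TARG hunk at @@ -947 when the sub-mechanism did not negotiate GENSEC_FEATURE_SIGN, because `if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0)` simply falls through. On that path the mechanism list gets no integrity check, so tampering with the negotiation would go undetected; that limit should be recorded in a comment above the condition, e.g. `/* No signing negotiated: the MIC cannot be verified, so the mechList is unprotected on this path. */`. A low-level log line such as `DEBUG(5, ("SPNEGO: ignoring mechListMIC, signing not negotiated\n"));` would also help when triaging interop or downgrade reports. The enclosing case block starts and ends outside the hunk, so whether sessions without signing are rejected elsewhere cannot be judged from here.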
@@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 if (spnego_state->no_response_expected && !spnego_state->done_mic_check) {
+ bool have_sign = true;
 bool new_spnego = false;
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
 new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO);
@@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 }
 if (spnego_state->mic_requested) {
- bool sign;
-
- sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
 new_spnego = true;
 }
 }
- if (new_spnego) {
+ if (have_sign && new_spnego) {
 spnego_state->needs_mic_check = true;
 spnego_state->needs_mic_sign = true;
 }
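Review bot: The client-side hunk at @@ -1170 gates only the `needs_mic_check`/`needs_mic_sign` flags on `have_sign` (`if (have_sign && new_spnego)`), whereas the server-side hunk at @@ -947 also gates the `gensec_check_packet()` call itself. The code between @@ -1142 and @@ -1170 and after this hunk is not visible; any later verification of a received mechListMIC on this path should depend on the same `have_sign` condition so both roles treat an unsigned session alike. A short comment at the declaration, e.g. `/* MIC check/sign only makes sense if the sub-mechanism negotiated signing */`, would record why `new_spnego` alone is no longer sufficient. The enclosing `if (spnego_state->no_response_expected && ...)` block continues outside the hunk.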