CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index ede6f465122da0abcc88059e36996ace9c6a0c39..9186ce993e8c611136d1a0a9c11cbfbe43d79232 100644 (file)
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -118,7 +118,10 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 
        ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
 
-       if (lpcfg_lanman_auth(gensec_security->settings->lp_ctx) &&
+       ntlmssp_state->allow_lm_response =
+               lpcfg_lanman_auth(gensec_security->settings->lp_ctx);
+
+       if (ntlmssp_state->allow_lm_response &&
            gensec_setting_bool(gensec_security->settings,
                                "ntlmssp_server", "allow_lm_key", false))
        {

diff --git a/auth/ntlmssp/ntlmssp.h b/auth/ntlmssp/ntlmssp.h
index 31062e5f9195c8b1a179e76f96757c8be0b70711..8c254f36e83271e6a18ede0cd79baf2322077224 100644 (file)
--- a/auth/ntlmssp/ntlmssp.h
+++ b/auth/ntlmssp/ntlmssp.h
@@ -64,6 +64,7 @@ struct ntlmssp_state
        bool use_ccache;
        bool resume_ccache;
        bool use_nt_response;  /* Set to 'False' to debug what happens when the NT response is omited */
+       bool allow_lm_response;/* The LM_RESPONSE code is not very secure... */
        bool allow_lm_key;     /* The LM_KEY code is not very secure... */
 
        const char *user;

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index c8b7c432f8ac212defd5d31614eba5a964266ccc..8a7d58ff57312cf614c02b66f1972b764ac8636e 100644 (file)
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -447,7 +447,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
        if (ntlmssp_state->use_nt_response) {
                flags |= CLI_CRED_NTLM_AUTH;
        }
-       if (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)) {
+       if (ntlmssp_state->allow_lm_response) {
                flags |= CLI_CRED_LANMAN_AUTH;
        }
 
@@ -474,7 +474,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
        }
 
        if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
-           && lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
+           && ntlmssp_state->allow_lm_key && lm_session_key.length == 16) {
                DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
                if (lm_response.length == 24) {
                        SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
@@ -582,7 +582,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 
        ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
 
-       ntlmssp_state->allow_lm_key = (lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx)
+       ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
+
+       ntlmssp_state->allow_lm_key = (ntlmssp_state->allow_lm_response
                                              && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
                                                  || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));