samba36: Apply numerous security patches backported to 3.6 by Openwrt

These fixes address the following CVEs: CVE-2015-5252 CVE-2015-5370 CVE-2015-5296 CVE-2015-5299 CVE-2015-7560 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118
RMerl · Apr 18, 2016 · 3e5247a · 3e5247a
1 parent bbd59c7
commit 3e5247a
Show file tree

Hide file tree

Showing 156 changed files with 5,127 additions and 1,968 deletions.
diff --git a/release/src/router/samba36/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/release/src/router/samba36/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
 	</para>
 
 	<para>
-	The default value is <emphasis>plain</emphasis> which is not irritable 
-	to KRB5 clock skew errors. That implies synchronizing the time
-	with the KDC in the case of using <emphasis>sign</emphasis> or 
-	<emphasis>seal</emphasis>.
+	The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+	with the KDC in the case of using <emphasis>Kerberos</emphasis>.
 	</para>
 </description>
-<value type="default">plain</value>
+<value type="default">sign</value>
 </samba:parameter>
diff --git a/release/src/router/samba36/docs-xml/smbdotconf/protocol/clientusespnego.xml b/release/src/router/samba36/docs-xml/smbdotconf/protocol/clientusespnego.xml
@@ -9,6 +9,11 @@
     supporting servers (including WindowsXP, Windows2000 and Samba
     3.0) to agree upon an authentication
     mechanism.  This enables Kerberos authentication in particular.</para>
+
+    <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
+    <constant>yes</constant> extended security (SPNEGO) is required
+    in order to use NTLMv2 only within NTLMSSP. This behavior was
+    introduced with the patches for CVE-2016-2111.</para>
 </description>
 
 <value type="default">yes</value>

diff --git a/release/src/router/samba36/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/release/src/router/samba36/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="allow dcerpc auth level connect"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether DCERPC services are allowed to
+	be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+	but no per message integrity nor privacy protection.</para>
+
+	<para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
+
+	<para>This option yields precedence to the implentation specific restrictions.
+	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+	While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+	</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
diff --git a/release/src/router/samba36/docs-xml/smbdotconf/security/clientipcsigning.xml b/release/src/router/samba36/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_smb_signing_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+    connections as DCERPC transport inside of winbind. Possible values
+    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+    and <emphasis>disabled</emphasis>.
+    </para>
+
+    <para>When set to auto, SMB signing is offered, but not enforced and if set
+    to disabled, SMB signing is not offered either.</para>
+
+    <para>Connections from winbindd to Active Directory Domain Controllers
+    always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
diff --git a/release/src/router/samba36/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/release/src/router/samba36/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -28,6 +28,11 @@
     NTLMv2 by default, and some sites (particularly those following
     'best practice' security polices) only allow NTLMv2 responses, and
     not the weaker LM or NTLM.</para>
+
+    <para>When <smbconfoption name="client use spnego"/> is also set to
+    <constant>yes</constant> extended security (SPNEGO) is required
+    in order to use NTLMv2 only within NTLMSSP. This behavior was
+    introduced with the patches for CVE-2016-2111.</para>
 </description>
 <value type="default">yes</value>
 </samba:parameter>
diff --git a/release/src/router/samba36/docs-xml/smbdotconf/security/clientsigning.xml b/release/src/router/samba36/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
     <para>When set to auto, SMB signing is offered, but not enforced. 
     When set to mandatory, SMB signing is required and if set 
 	to disabled, SMB signing is not offered either.
+
+    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+    <smbconfoption name="client ipc signing"/> option.</para>
 </para>
 </description>
 

diff --git a/release/src/router/samba36/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/release/src/router/samba36/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="raw NTLMv2 auth"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+    extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+    <para>If this option, <command moreinfo="none">lanman auth</command>
+    and <command moreinfo="none">ntlm auth</command> are all disabled,
+    then only clients with SPNEGO support will be permitted.
+    That means NTLMv2 is only supported within NTLMSSP.</para>
+</description>
+
+<related>lanman auth</related>
+<related>ntlm auth</related>
+<value type="default">no</value>
+</samba:parameter>
diff --git a/release/src/router/samba36/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/release/src/router/samba36/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether any requests from winbindd to domain controllers
+		pipe will be sealed. Disabling sealing can be useful for debugging
+		purposes.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/...e/src/router/samba36/source3/lib/bitmap.c → release/src/router/samba36/lib/util/bitmap.c b/...e/src/router/samba36/source3/lib/bitmap.c → release/src/router/samba36/lib/util/bitmap.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "lib/util/bitmap.h"
 
 /* these functions provide a simple way to allocate integers from a
    pool without repetition */
@@ -29,12 +30,12 @@ struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n)
 {
 	struct bitmap *bm;
 
-	bm = TALLOC_P(mem_ctx, struct bitmap);
+	bm = talloc_zero(mem_ctx, struct bitmap);
 
 	if (!bm) return NULL;
 
 	bm->n = n;
-	bm->b = TALLOC_ZERO_ARRAY(bm, uint32, (n+31)/32);
+	bm->b = talloc_zero_array(bm, uint32_t, (n+31)/32);
 	if (!bm->b) {
 		TALLOC_FREE(bm);
 		return NULL;
@@ -51,7 +52,7 @@ int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src)
         int count = MIN(dst->n, src->n);
 
         SMB_ASSERT(dst->b != src->b);
-	memcpy(dst->b, src->b, sizeof(uint32)*((count+31)/32));
+	memcpy(dst->b, src->b, sizeof(uint32_t)*((count+31)/32));
 
         return count;
 }
@@ -64,10 +65,10 @@ bool bitmap_set(struct bitmap *bm, unsigned i)
 	if (i >= bm->n) {
 		DEBUG(0,("Setting invalid bitmap entry %d (of %d)\n",
 		      i, bm->n));
-		return False;
+		return false;
 	}
 	bm->b[i/32] |= (1<<(i%32));
-	return True;
+	return true;
 }
 
 /****************************************************************************
@@ -78,22 +79,22 @@ bool bitmap_clear(struct bitmap *bm, unsigned i)
 	if (i >= bm->n) {
 		DEBUG(0,("clearing invalid bitmap entry %d (of %d)\n",
 		      i, bm->n));
-		return False;
+		return false;
 	}
 	bm->b[i/32] &= ~(1<<(i%32));
-	return True;
+	return true;
 }
 
 /****************************************************************************
 query a bit in a bitmap
 ****************************************************************************/
 bool bitmap_query(struct bitmap *bm, unsigned i)
 {
-	if (i >= bm->n) return False;
+	if (i >= bm->n) return false;
 	if (bm->b[i/32] & (1<<(i%32))) {
-		return True;
+		return true;
 	}
-	return False;
+	return false;
 }
 
 /****************************************************************************

diff --git a/release/src/router/samba36/lib/util/bitmap.h b/release/src/router/samba36/lib/util/bitmap.h
@@ -0,0 +1,32 @@
+/*
+   Unix SMB/CIFS implementation.
+   simple bitmap functions
+   Copyright (C) Andrew Tridgell 1992-1998
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* The following definitions come from lib/bitmap.c  */
+
+struct bitmap {
+	uint32_t *b;
+	unsigned int n;
+};
+
+struct bitmap *bitmap_talloc(TALLOC_CTX *mem_ctx, int n);
+int bitmap_copy(struct bitmap * const dst, const struct bitmap * const src);
+bool bitmap_set(struct bitmap *bm, unsigned i);
+bool bitmap_clear(struct bitmap *bm, unsigned i);
+bool bitmap_query(struct bitmap *bm, unsigned i);
+int bitmap_find(struct bitmap *bm, unsigned ofs);
diff --git a/release/src/router/samba36/lib/util/wscript_build b/release/src/router/samba36/lib/util/wscript_build
@@ -99,5 +99,11 @@ bld.SAMBA_LIBRARY('tdb-wrap',
                   public_headers='tdb_wrap.h',
                   private_library=True,
                   local_include=False
-                  )
+                 )
+
+bld.SAMBA_LIBRARY('bitmap',
+		  source='bitmap.c',
+		  deps='talloc samba-util',
+                  local_include=False,
+		  private_library=True)
 
diff --git a/release/src/router/samba36/libcli/auth/ntlmssp.h b/release/src/router/samba36/libcli/auth/ntlmssp.h
@@ -83,6 +83,7 @@ struct ntlmssp_state
 	DATA_BLOB nt_resp;
 	DATA_BLOB session_key;
 
+	uint32_t required_flags;
 	uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
 
 	/**

diff --git a/release/src/router/samba36/libcli/auth/proto.h b/release/src/router/samba36/libcli/auth/proto.h
@@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
 		      const DATA_BLOB *names_blob,
 		      DATA_BLOB *lm_response, DATA_BLOB *nt_response, 
 		      DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+			const char *account_domain,
+			const DATA_BLOB response,
+			const struct netlogon_creds_CredentialState *creds,
+			const char *workgroup);
 
 /***********************************************************
  encode a password buffer with a unicode password.  The buffer