Completely omit CBs AV pairs when no CB provided

Although the MS-NLMP Spec says zero CBs should be equivalent to no CBs,
Windows apparently fails validation when CBs are optional and an all
zero CB is presented.

So avoid sending any CBs if we have none.
Also make sure to deal with missing CBs on the accpetor by ignoreing
missing CBs and setting the new GSS_C_CHANNEL_BOUND_FLAG in gss flags if
the CBs are present and matching.

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

src/gss_sec_ctx.c

@@ -942,6 +942,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
         }
 
         if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
+            uint8_t zero_cb[16] = { 0 };
             if (input_chan_bindings->initiator_addrtype != 0 ||
                 input_chan_bindings->initiator_address.length != 0 ||
                 input_chan_bindings->acceptor_addrtype != 0 ||
@@ -953,12 +954,23 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
             unhashed_cb.length = input_chan_bindings->application_data.length;
             unhashed_cb.data = input_chan_bindings->application_data.value;
 
-            /* TODO: optionally allow to ignore CBT if av_cb is null ? */
-            retmin = ntlm_verify_channel_bindings(&unhashed_cb, &av_cb);
-            if (retmin) {
+            if (av_cb.length && (av_cb.length != 16)) {
                 set_GSSERRS(retmin, GSS_S_DEFECTIVE_TOKEN);
                 goto done;
             }
+            if (av_cb.length &&
+                (memcmp(av_cb.data, zero_cb, 16) != 0)) {
+                retmin = ntlm_verify_channel_bindings(&unhashed_cb, &av_cb);
+                if (retmin) {
+                    set_GSSERRS(retmin, GSS_S_DEFECTIVE_TOKEN);
+                    goto done;
+/* This flag has been introduced only recently in MIT krb5 */
+#ifdef GSS_C_CHANNEL_BOUND_FLAG
+                } else {
+                    ctx->gss_flags |= GSS_C_CHANNEL_BOUND_FLAG;
+#endif /* GSS_C_CHANNEL_BOUND_FLAG */
+                }
+            }
         }
 
         if (ctx->neg_flags & (NTLMSSP_NEGOTIATE_SIGN |

src/ntlm.c

@@ -68,12 +68,6 @@ struct wire_single_host_data {
 };
 #pragma pack(pop)
 
-#pragma pack(push, 1)
-struct wire_channel_binding {
-    uint8_t md5_hash[16];
-};
-#pragma pack(pop)
-
 #pragma pack(push, 1)
 struct wire_ntlm_cli_chal {
     uint8_t resp_type;
@@ -560,7 +554,7 @@ int ntlm_encode_target_info(struct ntlm_ctx *ctx, char *nb_computer_name,
         av_target_name_len = strlen(av_target_name);
         max_size += 4 + av_target_name_len * 2;
     }
-    if (av_cb) {
+    if (av_cb && av_cb->length > 0) {
         max_size += 4 + av_cb->length;
     }
 
@@ -632,7 +626,7 @@ int ntlm_encode_target_info(struct ntlm_ctx *ctx, char *nb_computer_name,
                                            av_target_name_len);
         if (ret) goto done;
     }
-    if (av_cb) {
+    if (av_cb && av_cb->length > 0) {
         ret = ntlm_encode_av_pair_value(&buffer, &data_offs,
                                         MSV_AV_CHANNEL_BINDINGS, av_cb);
         if (ret) goto done;
@@ -791,7 +785,7 @@ int ntlm_process_target_info(struct ntlm_ctx *ctx, bool protect,
     uint32_t av_flags = 0;
     uint64_t srv_time = 0;
     uint8_t cb[16] = { 0 };
-    struct ntlm_buffer av_cb = { cb, 16 };
+    struct ntlm_buffer av_cb = { NULL, 0 };
     int ret = 0;
 
     /* TODO: check that returned netbios/dns names match ? */
@@ -824,6 +818,8 @@ int ntlm_process_target_info(struct ntlm_ctx *ctx, bool protect,
     }
 
     if (unhashed_cb->length > 0) {
+        av_cb.data = cb;
+        av_cb.length = 16;
         ret = ntlm_hash_channel_bindings(unhashed_cb, &av_cb);
         if (ret) goto done;
     }