r14701: Allow, with non-default options, NTLMSSP to access the LM session key,
authorAndrew Bartlett <abartlet@samba.org>
Sat, 25 Mar 2006 01:00:37 +0000 (01:00 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:59:10 +0000 (13:59 -0500)
even when not sending the LM response.  Needed to pass the
test_session_key against Win2k3.

Yes, I think this is a security flaw in the use of Win2k3-compatible NTLM.

Andrew Bartlett
(This used to be commit cb6c27b4f29878a6a904f798e228eea05cc658e1)

source4/auth/credentials/credentials_ntlm.c
source4/auth/ntlmssp/ntlmssp_client.c

index aa9a113e8d9ea099df63e19974790b310b6296ca..1d181ae958a5a8434e50a788a8cfe33e2a132ecf 100644 (file)
@@ -144,6 +144,7 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
                /* LM Key is incompatible... */
                *flags &= ~CLI_CRED_LANMAN_AUTH;
        } else {
+               uint8_t lm_hash[16];
                nt_response = data_blob_talloc(mem_ctx, NULL, 24);
                SMBOWFencrypt(nt_hash->hash, challenge.data,
                              nt_response.data);
@@ -160,7 +161,6 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
                        if (!password) {
                                lm_response = nt_response;
                        } else {
-                               uint8_t lm_hash[16];
                                lm_response = data_blob_talloc(mem_ctx, NULL, 24);
                                if (!SMBencrypt(password,challenge.data,
                                                lm_response.data)) {
@@ -188,6 +188,15 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
                        /* LM Key is incompatible... */
                        lm_response = nt_response;
                        *flags &= ~CLI_CRED_LANMAN_AUTH;
+
+                       const char *password;
+                       password = cli_credentials_get_password(cred);
+                       if (password) {
+                               E_deshash(password, lm_hash);
+                               lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
+                               memcpy(lm_session_key.data, lm_hash, 8);
+                               memset(&lm_session_key.data[8], '\0', 8);
+                       }
                }
        }
        if (_lm_response) {
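Review bot: The block added in the third hunk copies only the first 8 bytes of `lm_hash` into the session key and then leaves the complete LM hash sitting in the stack array, and it writes through `lm_session_key.data` without checking that `data_blob_talloc` succeeded. Since the function already returns NTSTATUS, I would follow the `memcpy`/`memset` pair with `if (!lm_session_key.data) return NT_STATUS_NO_MEMORY;` placed before the `memcpy`, and `memset(lm_hash, 0, sizeof lm_hash);` once the key has been copied, so the hash does not outlive its single use. The `const char *password;` declaration after statements is C99-only mixed-declaration style; moving it to the top of the block would match the hoisted `uint8_t lm_hash[16];` in the first hunk, and if a `password` is already visible from an enclosing scope (the second hunk tests `password` at its own level) this one shadows it and should be renamed or reused. A one-line comment above the `E_deshash` call explaining that the key is the first half of the LM hash padded with zeros, which is what the Win2k3 session-key behaviour the commit message describes requires, would save the next reader from guessing why 16 bytes are allocated for 8 bytes of key material; the enclosing function starts before and ends after this hunk.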
index 79f62349a67a6b99e2934632c6af21501c6ddc7d..1244c0dfbcfaabe2a0b4b8b221272fb4a7ee4539 100644 (file)
@@ -194,8 +194,9 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
        }
        
        if (!(flags & CLI_CRED_LANMAN_AUTH)) {
-               /* LM Key is incompatible... */
-               gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+               /* LM Key is still possible, just silly.  Fortunetly
+                * we require command line options to end up here */
+               /* gensec_ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY; */
        }
 
        if (!(flags & CLI_CRED_NTLM2)) {
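Review bot: The replacement lines keep the removed statement as commented-out code instead of deleting it, and the comment that explains the decision has a typo ("Fortunetly") and says nothing about the effect of leaving NTLMSSP_NEGOTIATE_LM_KEY set. Since the `if (!(flags & CLI_CRED_LANMAN_AUTH))` body is now empty, either drop the whole `if` or keep only a comment that records the reason, e.g. `/* NTLMSSP_NEGOTIATE_LM_KEY is deliberately left set: without an LM response the LM session key is derived from the LM hash alone, which only the non-default options that reach this path enable. */`. If the flag is later meant to be cleared again, that belongs in version control history, not in a comment. ntlmssp_client_challenge continues beyond this hunk.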