git.samba.org / jelmer / samba4-debian.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 16e5c96)
r13472: After Volker's advise, try every combination of parameters. This
authorAndrew Bartlett <abartlet@samba.org>
Sun, 12 Feb 2006 14:19:31 +0000 (14:19 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:51:54 +0000 (13:51 -0500)
isn't every parameter on NTLMSSP, but it is most of the important
ones.

This showed up that we had the '128bit && LM_KEY' case messed up.
This isn't supported, so we must look instead at the 56 bit flag.

Andrew Bartlett

source/auth/ntlmssp/ntlmssp.c patch | blob | history
source/script/tests/test_session_key.sh patch | blob | history

diff --git a/source/auth/ntlmssp/ntlmssp.c b/source/auth/ntlmssp/ntlmssp.c
index d4edfb97aadecdc56449d41225208431e49c0a0a..5d90ceadc3d7630a803720b0e25ce1077fd8411f 100644 (file)
--- a/source/auth/ntlmssp/ntlmssp.c
+++ b/source/auth/ntlmssp/ntlmssp.c
@@ -302,16 +302,18 @@ DATA_BLOB ntlmssp_weakend_key(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
           to do this for the LM_KEY.  
        */
        if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
-               if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
-                       
-               } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
+               /* LM key doesn't support 128 bit crypto, so this is
+                * the best we can do.  If you negotiate 128 bit, but
+                * not 56, you end up with 40 bit... */
+               if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
                        weakened_key.data[7] = 0xa0;
+                       weakened_key.length = 8;
                } else { /* forty bits */
                        weakened_key.data[5] = 0xe5;
                        weakened_key.data[6] = 0x38;
                        weakened_key.data[7] = 0xb0;
+                       weakened_key.length = 8;
                }
-               weakened_key.length = 8;
        }
        return weakened_key;
 }
diff --git a/source/script/tests/test_session_key.sh b/source/script/tests/test_session_key.sh
index ea23cab9d38c841b22abdd41956750f94596c047..97a1634db0f4528198fc6dff6c1ea5221ab64623 100755 (executable)
--- a/source/script/tests/test_session_key.sh
+++ b/source/script/tests/test_session_key.sh
@@ -18,22 +18,27 @@ incdir=`dirname $0`
 
 failed=0
 transport="ncacn_np"
+for bindoptions in validate seal; do
+ for keyexchange in "yes" "no"; do
+ for ntlm2 in "yes" "no"; do
+ for lm_key in "yes" "no"; do
   for ntlmoptions in \
-        "--option=usespnego=yes --option=ntlmssp_client:ntlm2=yes" \
-        "--option=usespnego=yes --option=ntlmssp_client:ntlm2=no" \
-        "--option=usespnego=yes --option=ntlmssp_client:ntlm2=yes --option=ntlmssp_client:128bit=no" \
-        "--option=usespnego=yes --option=ntlmssp_client:ntlm2=no  --option=ntlmssp_client:128bit=no" \
-        "--option=usespnego=yes --option=ntlmssp_client:ntlm2=yes --option=ntlmssp_client:keyexchange=no" \
-        "--option=usespnego=yes --option=ntlmssp_client:ntlm2=no  --option=ntlmssp_client:keyexchange=no" \
-        "--option=usespnego=yes --option=clientntlmv2auth=yes  --option=ntlmssp_client:keyexchange=no" \
-        "--option=usespnego=yes --option=clientntlmv2auth=yes  --option=ntlmssp_client:keyexchange=yes" \
-        "--option=usespnego=yes --option=clientntlmv2auth=yes  --option=ntlmssp_client:keyexchange=yes --option=ntlmssp_client:128bit=no" \
-        "--option=usespnego=yes --option=clientntlmv2auth=yes  --option=ntlmssp_client:keyexchange=no --option=ntlmssp_client:128bit=no" \
-        "--option=usespnego=no --option=clientntlmv2auth=yes" \
-        "--option=usespnego=no" \
+        "-k no --option=usespnego=yes" \
+        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no" \
+        "-k no --option=usespnego=yes --option=ntlmssp_client:56bit=yes" \
+        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes" \
+        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=no" \
+        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes" \
+        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no" \
+        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes" \
+        "-k no --option=usespnego=no --option=clientntlmv2auth=yes" \
+        "-k no --option=usespnego=no" \
     ; do
-   name="RPC-SECRETS on $transport with $ntlmoptions"
-   testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" $ntlmoptions -U"$username"%"$password" -W $domain RPC-SECRETS "$*" || failed=`expr $failed + 1`
+   name="RPC-SECRETS on $transport:$server[$bindoptions] with NTLM2:$ntlm2 KEYEX:$keyexchange LM_KEY:$lm_key $ntlmoptions"
+   testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" --option=ntlmssp_client:keyexchange=$keyexchange --option=ntlmssp_client:ntlm2=$ntlm2 --option=ntlmssp_client:lm_key=$lm_key $ntlmoptions -U"$username"%"$password" -W $domain RPC-SECRETS "$*" || failed=`expr $failed + 1`
   done
-
+ done
+ done
+ done
+done
 testok $0 $failed
Samba 4 Debian packaging