authorAndrew Bartlett <abartlet@samba.org>2006-02-12 12:42:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:54 -0500
commite218c8442db38bcfcac9e9425e8d0e32f61c840f (patch)
treef5079c7ad9f532c648a1e44f02085dcd7d9e048d /source4/auth/ntlmssp/ntlmssp.c
parentba04ff6736c0551da06d112af28d42b351c10481 (diff)
r13470: Thanks to a report from VL:
We were causing mayhem by weakening the keys at the wrong point in time. I think this is the correct place to do it. The session key for SMB signing, and the 'smb session key' (used for encrypting password sets) is never weakened. The session key used for bulk data encryption/signing is weakened. This also makes more sense, when we look at the NTLM2 code. Andrew Bartlett (This used to be commit 3fd32a12094ff2b6df52f5ab2af7c0ffceb5a4a0)
Diffstat (limited to 'source4/auth/ntlmssp/ntlmssp.c')
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c30
1 files changed, 22 insertions, 8 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index e1c748c558..d4edfb97aa 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -64,6 +64,8 @@ void debug_ntlmssp_flags(uint32_t neg_flags)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
+ if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM_STYLE)
+ DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM_STYLE\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
@@ -78,6 +80,10 @@ void debug_ntlmssp_flags(uint32_t neg_flags)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
+ if (neg_flags & NTLMSSP_CHAL_ACCEPT_RESPONSE)
+ DEBUGADD(4, (" NTLMSSP_CHAL_ACCEPT_RESPONSE\n"));
+ if (neg_flags & NTLMSSP_CHAL_NON_NT_SESSION_KEY)
+ DEBUGADD(4, (" NTLMSSP_CHAL_NON_NT_SESSION_KEY\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
if (neg_flags & NTLMSSP_CHAL_TARGET_INFO)
@@ -86,6 +92,8 @@ void debug_ntlmssp_flags(uint32_t neg_flags)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
+ if (neg_flags & NTLMSSP_NEGOTIATE_56)
+ DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n"));
}
static NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
@@ -277,11 +285,16 @@ void ntlmssp_handle_neg_flags(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
by the client lanman auth/lanman auth parameters, it isn't too bad.
*/
-void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
+DATA_BLOB ntlmssp_weakend_key(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
+ TALLOC_CTX *mem_ctx)
{
+ DATA_BLOB weakened_key = data_blob_talloc(mem_ctx,
+ gensec_ntlmssp_state->session_key.data,
+ gensec_ntlmssp_state->session_key.length);
/* Nothing to weaken. We certainly don't want to 'extend' the length... */
- if (gensec_ntlmssp_state->session_key.length < 8) {
- return;
+ if (weakened_key.length < 16) {
+ /* perhaps there was no key? */
+ return weakened_key;
}
/* Key weakening not performed on the master key for NTLM2
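Review bot: The early-return guard `weakened_key.length < 16` no longer matches the old `< 8` bound, so a session key of 8–15 bytes is now handed back unweakened and untruncated instead of being cut to 8 bytes, and the comment `perhaps there was no key?` does not describe that case. If the intent is that an NTLMSSP session key is always exactly 16 bytes, state it and make the condition explicit, e.g. `if (weakened_key.length != 16) { /* no key, or not a 16-byte NTLMSSP session key: return the copy untouched */ return weakened_key; }`; otherwise keep the bound at 8, which is all the byte writes further down require. Presumably a failed data_blob_talloc yields a zero-length blob and is caught by this guard — worth confirming, because the writes below dereference `weakened_key.data` with no NULL check. The body of ntlmssp_weakend_key continues past this hunk.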
@@ -292,14 +305,15 @@ void ntlmssp_weaken_keys(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
} else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
- gensec_ntlmssp_state->session_key.data[7] = 0xa0;
+ weakened_key.data[7] = 0xa0;
} else { /* forty bits */
- gensec_ntlmssp_state->session_key.data[5] = 0xe5;
- gensec_ntlmssp_state->session_key.data[6] = 0x38;
- gensec_ntlmssp_state->session_key.data[7] = 0xb0;
+ weakened_key.data[5] = 0xe5;
+ weakened_key.data[6] = 0x38;
+ weakened_key.data[7] = 0xb0;
}
- gensec_ntlmssp_state->session_key.length = 8;
+ weakened_key.length = 8;
}
+ return weakened_key;
}
static BOOL gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
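Review bot: After `weakened_key.length = 8;` the talloc'd copy still holds bytes 8–15 of the un-weakened session key, so stronger key material is left in a buffer the caller treats as the weak 8-byte key; clearing it on the line before, `memset(weakened_key.data + 8, 0, weakened_key.length - 8);`, keeps the returned blob's contents consistent with its advertised length. The function also deserves a header comment saying that the returned blob is a fresh copy owned by mem_ctx (the caller frees it), that the result is the full copy under NTLMSSP_NEGOTIATE_128, 8 bytes with byte 7 forced to 0xa0 under NTLMSSP_NEGOTIATE_56, and 8 bytes with bytes 5–7 forced to 0xe5 0x38 0xb0 otherwise, and that — as far as this hunk shows — the state's own session_key is no longer modified in place. The new name `ntlmssp_weakend_key` reads as a typo for `ntlmssp_weakened_key`; if it is renamed, the callers updated elsewhere in this commit would need to follow. ntlmssp_weakend_key begins in the previous hunk.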