summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-02-12 14:19:31 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:54 -0500
commite7630ebe47384328d6a4a44297cbd7d4f4ec8313 (patch)
tree77da419d54db26d146b31b9659ce3bdc268d0979 /source4
parente9e80966411d4b7f45e5e6322a6932751fae2996 (diff)
downloadsamba-e7630ebe47384328d6a4a44297cbd7d4f4ec8313.tar.gz
samba-e7630ebe47384328d6a4a44297cbd7d4f4ec8313.tar.bz2
samba-e7630ebe47384328d6a4a44297cbd7d4f4ec8313.zip
r13472: After Volker's advise, try every combination of parameters. This
isn't every parameter on NTLMSSP, but it is most of the important ones. This showed up that we had the '128bit && LM_KEY' case messed up. This isn't supported, so we must look instead at the 56 bit flag. Andrew Bartlett (This used to be commit 990da31b5f63f1e707651af8bf1a3241a8309811)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c10
-rwxr-xr-xsource4/script/tests/test_session_key.sh35
2 files changed, 26 insertions, 19 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index d4edfb97aa..5d90ceadc3 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -302,16 +302,18 @@ DATA_BLOB ntlmssp_weakend_key(struct gensec_ntlmssp_state *gensec_ntlmssp_state,
to do this for the LM_KEY.
*/
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
- if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
-
- } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
+ /* LM key doesn't support 128 bit crypto, so this is
+ * the best we can do. If you negotiate 128 bit, but
+ * not 56, you end up with 40 bit... */
+ if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
weakened_key.data[7] = 0xa0;
+ weakened_key.length = 8;
} else { /* forty bits */
weakened_key.data[5] = 0xe5;
weakened_key.data[6] = 0x38;
weakened_key.data[7] = 0xb0;
+ weakened_key.length = 8;
}
- weakened_key.length = 8;
}
return weakened_key;
}
diff --git a/source4/script/tests/test_session_key.sh b/source4/script/tests/test_session_key.sh
index ea23cab9d3..97a1634db0 100755
--- a/source4/script/tests/test_session_key.sh
+++ b/source4/script/tests/test_session_key.sh
@@ -18,22 +18,27 @@ incdir=`dirname $0`
failed=0
transport="ncacn_np"
+for bindoptions in validate seal; do
+ for keyexchange in "yes" "no"; do
+ for ntlm2 in "yes" "no"; do
+ for lm_key in "yes" "no"; do
for ntlmoptions in \
- "--option=usespnego=yes --option=ntlmssp_client:ntlm2=yes" \
- "--option=usespnego=yes --option=ntlmssp_client:ntlm2=no" \
- "--option=usespnego=yes --option=ntlmssp_client:ntlm2=yes --option=ntlmssp_client:128bit=no" \
- "--option=usespnego=yes --option=ntlmssp_client:ntlm2=no --option=ntlmssp_client:128bit=no" \
- "--option=usespnego=yes --option=ntlmssp_client:ntlm2=yes --option=ntlmssp_client:keyexchange=no" \
- "--option=usespnego=yes --option=ntlmssp_client:ntlm2=no --option=ntlmssp_client:keyexchange=no" \
- "--option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:keyexchange=no" \
- "--option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:keyexchange=yes" \
- "--option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:keyexchange=yes --option=ntlmssp_client:128bit=no" \
- "--option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:keyexchange=no --option=ntlmssp_client:128bit=no" \
- "--option=usespnego=no --option=clientntlmv2auth=yes" \
- "--option=usespnego=no" \
+ "-k no --option=usespnego=yes" \
+ "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no" \
+ "-k no --option=usespnego=yes --option=ntlmssp_client:56bit=yes" \
+ "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes" \
+ "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=no" \
+ "-k no --option=usespnego=yes --option=clientntlmv2auth=yes" \
+ "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no" \
+ "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes" \
+ "-k no --option=usespnego=no --option=clientntlmv2auth=yes" \
+ "-k no --option=usespnego=no" \
; do
- name="RPC-SECRETS on $transport with $ntlmoptions"
- testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" $ntlmoptions -U"$username"%"$password" -W $domain RPC-SECRETS "$*" || failed=`expr $failed + 1`
+ name="RPC-SECRETS on $transport:$server[$bindoptions] with NTLM2:$ntlm2 KEYEX:$keyexchange LM_KEY:$lm_key $ntlmoptions"
+ testit "$name" bin/smbtorture $TORTURE_OPTIONS $transport:"$server[$bindoptions]" --option=ntlmssp_client:keyexchange=$keyexchange --option=ntlmssp_client:ntlm2=$ntlm2 --option=ntlmssp_client:lm_key=$lm_key $ntlmoptions -U"$username"%"$password" -W $domain RPC-SECRETS "$*" || failed=`expr $failed + 1`
done
-
+ done
+ done
+ done
+done
testok $0 $failed