-rw-r--r--source4/auth/ntlmssp/ntlmssp_sign.c6
-rw-r--r--source4/torture/auth/ntlmssp.c17
2 files changed, 20 insertions, 3 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 316bb257ff..52cbf01ea9 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -168,7 +168,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
}
if (sig->length < 8) {
- DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
+ DEBUG(1, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
(unsigned long)sig->length));
}
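Review bot: The `sig->length < 8` branch only logs in the lines shown here; there is no `return` before its closing brace, so a too-short signature appears to continue into the comparison code further down. If nothing outside the hunk rejects it, add `return NT_STATUS_ACCESS_DENIED;` after the DEBUG call so that later reads of `sig->data` cannot assume eight bytes that the peer never sent. The rest of gensec_ntlmssp_check_packet lies outside this hunk, so this needs confirming against the full function.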
@@ -192,7 +192,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
DEBUG(5, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length));
dump_data(5, sig->data, sig->length);
- DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length));
+ DEBUG(1, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length));
return NT_STATUS_ACCESS_DENIED;
}
} else {
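Review bot: Moving the invalid-signature message from DEBUG level 0 to 1 means a server running at log level 0 no longer records a failed NTLMSSP signature check, yet that failure is the event that indicates tampering or a key mismatch on a signed session. The same applies to the NTLM1 message in the next hunk and to the short-signature message in the first hunk. If the aim is to stop a remote peer from filling the level-0 log, which the diff does not state, record it in a comment such as `/* level 1: peer-triggerable, keep out of the default log */`. The caller that receives NT_STATUS_ACCESS_DENIED should then still report the failure somewhere an operator will see it.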
@@ -205,7 +205,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
DEBUG(5, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length));
dump_data(5, sig->data, sig->length);
- DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length));
+ DEBUG(1, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length));
return NT_STATUS_ACCESS_DENIED;
}
}
diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
index a7c3b03c39..096640301d 100644
--- a/source4/torture/auth/ntlmssp.c
+++ b/source4/torture/auth/ntlmssp.c
@@ -72,6 +72,18 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
torture_assert(tctx, 0 == memcmp(sig.data, expected_sig.data, sig.length),
"data mismatch");
+ torture_assert_ntstatus_equal(tctx,
+ gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+ data.data, data.length, data.data, data.length, &sig),
+ NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
+
+ gensec_ntlmssp_state->session_key = data_blob(NULL, 0);
+
+ torture_assert_ntstatus_equal(tctx,
+ gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+ data.data, data.length, data.data, data.length, &sig),
+ NT_STATUS_NO_USER_SESSION_KEY, "Check of just signed packet without a session key should fail");
+
talloc_free(gensec_security);
torture_assert_ntstatus_ok(tctx,
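Review bot: The added assertions cover a packet checked by the side that signed it and a check with an empty session key, but nothing exercises the `sig->length < 8` path or a signature with an altered byte, which are the inputs a remote peer controls. Consider adding one case that passes a copy of `sig` with `length` set below 8 and asserts that the call is rejected, and one that changes a byte of `sig.data` and expects `NT_STATUS_ACCESS_DENIED`. The same gap applies to the second self-check block in the following hunk. A one-line comment above the `session_key = data_blob(NULL, 0)` assignment, for example `/* drop the key to exercise the NT_STATUS_NO_USER_SESSION_KEY path */`, would also explain why the state is changed just before it is freed.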
@@ -114,6 +126,11 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
torture_assert(tctx, 0 == memcmp(sig.data+8, expected_sig.data+8, sig.length-8),
"data mismatch");
+ torture_assert_ntstatus_equal(tctx,
+ gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+ data.data, data.length, data.data, data.length, &sig),
+ NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
+
talloc_free(gensec_security);
return true;
}