summaryrefslogtreecommitdiff
path: root/source3/libsmb/ntlmssp.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libsmb/ntlmssp.c')
-rw-r--r--source3/libsmb/ntlmssp.c43
1 files changed, 26 insertions, 17 deletions
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index c891ede9bb..e1ef69aed9 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -72,6 +72,8 @@ void debug_ntlmssp_flags(uint32 neg_flags)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_SEAL)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n"));
+ if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM_STYLE)
+ DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM_STYLE\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE)
@@ -86,6 +88,10 @@ void debug_ntlmssp_flags(uint32 neg_flags)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n"));
+ if (neg_flags & NTLMSSP_CHAL_ACCEPT_RESPONSE)
+ DEBUGADD(4, (" NTLMSSP_CHAL_ACCEPT_RESPONSE\n"));
+ if (neg_flags & NTLMSSP_CHAL_NON_NT_SESSION_KEY)
+ DEBUGADD(4, (" NTLMSSP_CHAL_NON_NT_SESSION_KEY\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n"));
if (neg_flags & NTLMSSP_CHAL_TARGET_INFO)
@@ -94,6 +100,8 @@ void debug_ntlmssp_flags(uint32 neg_flags)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n"));
if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)
DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n"));
+ if (neg_flags & NTLMSSP_NEGOTIATE_56)
+ DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n"));
}
/**
@@ -382,11 +390,16 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
by the client lanman auth/lanman auth parameters, it isn't too bad.
*/
-void ntlmssp_weaken_keys(NTLMSSP_STATE *ntlmssp_state)
+DATA_BLOB ntlmssp_weaken_keys(NTLMSSP_STATE *ntlmssp_state, TALLOC_CTX *mem_ctx)
{
+ DATA_BLOB weakened_key = data_blob_talloc(mem_ctx,
+ ntlmssp_state->session_key.data,
+ ntlmssp_state->session_key.length);
+
/* Nothing to weaken. We certainly don't want to 'extend' the length... */
- if (ntlmssp_state->session_key.length < 8) {
- return;
+ if (weakened_key.length < 16) {
+ /* perhaps there was no key? */
+ return weakened_key;
}
/* Key weakening not performed on the master key for NTLM2
@@ -395,17 +408,19 @@ void ntlmssp_weaken_keys(NTLMSSP_STATE *ntlmssp_state)
*/
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
- if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
- ;
- } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
- ntlmssp_state->session_key.data[7] = 0xa0;
+ /* LM key doesn't support 128 bit crypto, so this is
+ * the best we can do. If you negotiate 128 bit, but
+ * not 56, you end up with 40 bit... */
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
+ weakened_key.data[7] = 0xa0;
} else { /* forty bits */
- ntlmssp_state->session_key.data[5] = 0xe5;
- ntlmssp_state->session_key.data[6] = 0x38;
- ntlmssp_state->session_key.data[7] = 0xb0;
+ weakened_key.data[5] = 0xe5;
+ weakened_key.data[6] = 0x38;
+ weakened_key.data[7] = 0xb0;
}
- ntlmssp_state->session_key.length = 8;
+ weakened_key.length = 8;
}
+ return weakened_key;
}
/**
@@ -775,9 +790,6 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->session_key = session_key;
}
- /* The client might need us to use a partial-strength session key */
- ntlmssp_weaken_keys(ntlmssp_state);
-
if (!NT_STATUS_IS_OK(nt_status)) {
ntlmssp_state->session_key = data_blob(NULL, 0);
} else if (ntlmssp_state->session_key.length) {
@@ -1093,9 +1105,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->session_key = session_key;
- /* The client might be using 56 or 40 bit weakened keys */
- ntlmssp_weaken_keys(ntlmssp_state);
-
ntlmssp_state->chal = challenge_blob;
ntlmssp_state->lm_resp = lm_response;
ntlmssp_state->nt_resp = nt_response;