[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Tue Aug 10 05:00:49 MDT 2010
The branch, master has been updated
via 4969b3d... s3:ntlmssp Always call ntlmssp_sign_init()
via 617ec07... s3:ntlmssp Don't use talloc_tos() for NTLMSSP blobs for now
via d112557... s3:ntlmssp Don't permit LM_KEY in combination with NTLMv2
via f6cc686... s3:ntlmssp Don't reply with the LM_KEY negotiation flag when not available
via 3c0a17a... s3:ntlmssp Don't use the lm key if the user didn't supply one.
via f744e42... s3:ntlmssp Add extra DEBUG() message for auth system failures
via e0c94d1... s3:ntlmssp Redirect lp_lanman_auth() via 'allow_lm_key'
from 78fa58f... libcli/auth/ntlmssp: remove outdated comment. The version flag is well understood now.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4969b3de632c1545d7ea5997c52b85aa4baaf4d8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 20:48:17 2010 +1000
s3:ntlmssp Always call ntlmssp_sign_init()
There is no code path that sets nt_status before this point, without
a return.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
commit 617ec0733dad40c9441b1e1533fb3d99bf22c24f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 20:41:54 2010 +1000
s3:ntlmssp Don't use talloc_tos() for NTLMSSP blobs for now
This code will, I hope, soon be merged in common, and the Samba4
use case does not currently support talloc_tos() properly. Use another
context for now.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
commit d112557a05b23480abd3f2f52c1c7b8ded2b4f66
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 20:24:35 2010 +1000
s3:ntlmssp Don't permit LM_KEY in combination with NTLMv2
This is another 'belts and braces' check to avoid the use of the
weak 'LM_KEY' encryption when the client has chosen NTLMv2.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
commit f6cc686036281ee9b467ba18e96ee5086b89bef7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 19:43:06 2010 +1000
s3:ntlmssp Don't reply with the LM_KEY negotiation flag when not available
This ensures the client isn't confused and we don't enter this
weaker authentication scheme when we don't really, really need to.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
commit 3c0a17a1274df1b38b3acd9335192cd78730b01c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 19:01:34 2010 +1000
s3:ntlmssp Don't use the lm key if the user didn't supply one.
This may help to avoid a number of possible MITM attacks where LM_KEY is
spoofed into the session. If the login wasn't with lanman
(and so the user chose to disclose their lanman response),
don't disclose back anything based on their lanman password.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
commit f744e42bd08cd724da09b5b04bafb68de07888cc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 18:35:25 2010 +1000
s3:ntlmssp Add extra DEBUG() message for auth system failures
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
commit e0c94d14b3ddc6f20e8f37b2a01b045ca2ad7375
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Aug 6 18:18:51 2010 +1000
s3:ntlmssp Redirect lp_lanman_auth() via 'allow_lm_key'
This will allow this to be handled via common code in the future
Andrew Bartlett
Signed-off-by: Günther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/ntlmssp.c | 42 +++++++++++++++++++++++++++++++-----------
1 files changed, 31 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 784a347..6815358 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -325,11 +325,13 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
}
}
- ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
+ ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, ntlmssp_state->allow_lm_key);
/* Ask our caller what challenge they would like in the packet */
status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n",
+ nt_errstr(status)));
return status;
}
@@ -414,7 +416,7 @@ static NTSTATUS ntlmssp_server_negotiate(struct ntlmssp_state *ntlmssp_state,
if (DEBUGLEVEL >= 10) {
struct CHALLENGE_MESSAGE *challenge = talloc(
- talloc_tos(), struct CHALLENGE_MESSAGE);
+ ntlmssp_state, struct CHALLENGE_MESSAGE);
if (challenge != NULL) {
challenge->NegotiateFlags = chal_flags;
status = ntlmssp_pull_CHALLENGE_MESSAGE(
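Review bot: The debug-only `challenge` struct is now a child of `ntlmssp_state` rather than `talloc_tos()`, so it is no longer released with the stack frame and lives as long as the session state unless it is freed explicitly. The free is not visible here because the block continues below the hunk, so confirm that every path out of the `if (challenge != NULL)` block reaches `TALLOC_FREE(challenge);`, including a failed `ntlmssp_pull_CHALLENGE_MESSAGE()`. The same applies to `authenticate` in the `ntlmssp_server_auth` hunk at -518. A short comment such as `/* freed below; not on talloc_tos() because of the Samba4 use case */` would record why the longer-lived parent is used.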
@@ -518,11 +520,11 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
}
if (auth_flags)
- ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, lp_lanman_auth());
+ ntlmssp_handle_neg_flags(ntlmssp_state, auth_flags, ntlmssp_state->allow_lm_key);
if (DEBUGLEVEL >= 10) {
struct AUTHENTICATE_MESSAGE *authenticate = talloc(
- talloc_tos(), struct AUTHENTICATE_MESSAGE);
+ ntlmssp_state, struct AUTHENTICATE_MESSAGE);
if (authenticate != NULL) {
NTSTATUS status;
authenticate->NegotiateFlags = auth_flags;
@@ -615,7 +617,10 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM2 session key.\n"));
session_key = data_blob_null;
}
- } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
+ } else if ((ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
+ /* Ensure we can never get here on NTLMv2 */
+ && (ntlmssp_state->nt_resp.length == 0 || ntlmssp_state->nt_resp.length == 24)) {
+
if (lm_session_key.data && lm_session_key.length >= 8) {
if (ntlmssp_state->lm_resp.data && ntlmssp_state->lm_resp.length == 24) {
session_key = data_blob_talloc(ntlmssp_state,
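Review bot: The new condition `nt_resp.length == 0 || nt_resp.length == 24` infers the protocol version from a bare length, and the comment inside the expression does not say why 24 is the cut-off. A reader has to know that LM and NTLM responses are exactly 24 bytes while an NTLMv2 response is longer. I would move the comment above the `else if` and spell that out, for example `/* LM/NTLM responses are exactly 24 bytes; anything longer is NTLMv2 and must never take the LM_KEY path */`. The literal also appears in the `lm_resp.length == 24` test two lines later, so a named constant would help. The enclosing chain starts outside the hunk.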
@@ -633,13 +638,16 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
if (session_key.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
- SMBsesskeygen_lm_sess_key(
- lm_session_key.data, zeros,
- session_key.data);
+ SMBsesskeygen_lm_sess_key(zeros, zeros,
+ session_key.data);
+ DEBUG(10,("ntlmssp_server_auth: Created NTLM session key.\n"));
}
dump_data_pw("LM session key:\n", session_key.data,
session_key.length);
} else {
+ /* LM Key not selected */
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+
DEBUG(10,("ntlmssp_server_auth: Failed to create NTLM session key.\n"));
session_key = data_blob_null;
}
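Review bot: In the branch that now calls `SMBsesskeygen_lm_sess_key(zeros, zeros, session_key.data)`, both inputs are the same `zeros` buffer. If that buffer is the all-zero constant its name suggests, every session reaching this branch gets the same predictable session key while NTLMSSP_NEGOTIATE_LM_KEY stays set. That avoids deriving anything from the LM hash, as the commit message intends, but it deserves a comment such as `/* No LM response supplied: key is built from constants only and provides no secrecy */`. Alternatively the branch could clear the flag, as the `else` below does. The added `DEBUG(10, ...)` also says "NTLM session key" although the following `dump_data_pw` labels the same data "LM session key". The enclosing `if` chain starts outside the hunk.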
@@ -647,13 +655,25 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
session_key = user_session_key;
DEBUG(10,("ntlmssp_server_auth: Using unmodified nt session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
+
+ /* LM Key not selected */
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+
} else if (lm_session_key.data) {
+ /* Very weird to have LM key, but no user session key, but anyway.. */
session_key = lm_session_key;
DEBUG(10,("ntlmssp_server_auth: Using unmodified lm session key.\n"));
dump_data_pw("unmodified session key:\n", session_key.data, session_key.length);
+
+ /* LM Key not selected */
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+
} else {
DEBUG(10,("ntlmssp_server_auth: Failed to create unmodified session key.\n"));
session_key = data_blob_null;
+
+ /* LM Key not selected */
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
}
/* With KEY_EXCH, the client supplies the proposed session key,
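Review bot: The same two lines, `/* LM Key not selected */` and `ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;`, are repeated in all three branches here and once more in the `else` of the previous hunk, so a branch added later can easily miss them. Recording the one case that does use the LM key in a local flag and clearing the bit once after the chain would be harder to get wrong, e.g. `if (!lm_key_used) ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;`. The first branch of the chain lies outside the hunk, so check whether it should clear the bit as well before merging them.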
@@ -683,9 +703,7 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->session_key = session_key;
}
- if (!NT_STATUS_IS_OK(nt_status)) {
- ntlmssp_state->session_key = data_blob_null;
- } else if (ntlmssp_state->session_key.length) {
+ if (ntlmssp_state->session_key.length) {
nt_status = ntlmssp_sign_init(ntlmssp_state);
}
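Review bot: With the `!NT_STATUS_IS_OK(nt_status)` guard removed, the status returned when `session_key.length` is 0 is whatever `nt_status` held on entry to this `if`. The commit message says no earlier path sets it to a failure without returning, but nothing in the code records that invariant. A one-line comment above the `if` would keep a later change from breaking it silently, for example `/* nt_status is still OK here: every earlier failure returns immediately */`. It is also worth confirming, outside the hunk, that `nt_status` is initialised at its declaration and that a failing `ntlmssp_sign_init()` does not leave a usable `ntlmssp_state->session_key` behind.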
@@ -744,6 +762,8 @@ NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
+ ntlmssp_state->allow_lm_key = lp_lanman_auth();
+
ntlmssp_state->neg_flags =
NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_56 |
--
Samba Shared Repository