You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
753 lines
24 KiB
753 lines
24 KiB
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
|
|
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Date: Thu, 22 Feb 2018 11:54:45 +1300
|
|
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
|
|
with_cmocka flag
|
|
|
|
We have cmocka in third_party, so we are never without it.
|
|
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
|
|
by Andrew Bartlett)
|
|
---
|
|
selftest/tests.py | 18 ++++++++----------
|
|
1 file changed, 8 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
index 126e1184230..3f5097b680c 100644
|
|
--- a/selftest/tests.py
|
|
+++ b/selftest/tests.py
|
|
@@ -38,7 +38,6 @@ finally:
|
|
f.close()
|
|
|
|
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
|
|
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
|
|
with_pam = ("WITH_PAM" in config_hash)
|
|
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
|
|
|
|
@@ -168,13 +167,12 @@ if with_pam:
|
|
valgrindify(python), pam_wrapper_so_path,
|
|
"$DOMAIN", "alice", "Secret007"])
|
|
|
|
-if with_cmocka:
|
|
- plantestsuite("samba.unittests.krb5samba", "none",
|
|
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
|
|
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
|
|
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
|
|
- plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
|
|
+plantestsuite("samba.unittests.krb5samba", "none",
|
|
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
|
|
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
|
|
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
|
|
+plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
|
|
|
|
- plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
+plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
--
|
|
2.14.4
|
|
|
|
|
|
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
|
|
From: Andrew Bartlett <abartlet@samba.org>
|
|
Date: Fri, 27 Jul 2018 08:44:24 +1200
|
|
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
|
|
ntlm_password_check()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
|
|
libcli/auth/wscript_build | 13 ++
|
|
selftest/knownfail.d/ntlm | 2 +
|
|
selftest/tests.py | 2 +
|
|
4 files changed, 430 insertions(+)
|
|
create mode 100644 libcli/auth/tests/ntlm_check.c
|
|
create mode 100644 selftest/knownfail.d/ntlm
|
|
|
|
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
|
|
new file mode 100644
|
|
index 00000000000..e87a0a276d4
|
|
--- /dev/null
|
|
+++ b/libcli/auth/tests/ntlm_check.c
|
|
@@ -0,0 +1,413 @@
|
|
+/*
|
|
+ * Unit tests for the ntlm_check password hash check library.
|
|
+ *
|
|
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation; either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ *
|
|
+ */
|
|
+
|
|
+/*
|
|
+ * from cmocka.c:
|
|
+ * These headers or their equivalents should be included prior to
|
|
+ * including
|
|
+ * this header file.
|
|
+ *
|
|
+ * #include <stdarg.h>
|
|
+ * #include <stddef.h>
|
|
+ * #include <setjmp.h>
|
|
+ *
|
|
+ * This allows test applications to use custom definitions of C standard
|
|
+ * library functions and types.
|
|
+ *
|
|
+ */
|
|
+
|
|
+/*
|
|
+ * Note that the messaging routines (audit_message_send and get_event_server)
|
|
+ * are not tested by these unit tests. Currently they are for integration
|
|
+ * test support, and as such are exercised by the integration tests.
|
|
+ */
|
|
+#include <stdarg.h>
|
|
+#include <stddef.h>
|
|
+#include <setjmp.h>
|
|
+#include <cmocka.h>
|
|
+
|
|
+#include "includes.h"
|
|
+#include "../lib/crypto/crypto.h"
|
|
+#include "librpc/gen_ndr/netlogon.h"
|
|
+#include "libcli/auth/libcli_auth.h"
|
|
+#include "auth/credentials/credentials.h"
|
|
+
|
|
+struct ntlm_state {
|
|
+ const char *username;
|
|
+ const char *domain;
|
|
+ DATA_BLOB challenge;
|
|
+ DATA_BLOB ntlm;
|
|
+ DATA_BLOB lm;
|
|
+ DATA_BLOB ntlm_key;
|
|
+ DATA_BLOB lm_key;
|
|
+ const struct samr_Password *nt_hash;
|
|
+};
|
|
+
|
|
+static int test_ntlm_setup_with_options(void **state,
|
|
+ int flags, bool upn)
|
|
+{
|
|
+ NTSTATUS status;
|
|
+ DATA_BLOB challenge = {
|
|
+ .data = discard_const_p(uint8_t, "I am a teapot"),
|
|
+ .length = 8
|
|
+ };
|
|
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
|
|
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
|
|
+ NULL,
|
|
+ "serverdom");
|
|
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
|
|
+ cli_credentials_set_username(creds,
|
|
+ "testuser",
|
|
+ CRED_SPECIFIED);
|
|
+ cli_credentials_set_domain(creds,
|
|
+ "testdom",
|
|
+ CRED_SPECIFIED);
|
|
+ cli_credentials_set_workstation(creds,
|
|
+ "testwksta",
|
|
+ CRED_SPECIFIED);
|
|
+ cli_credentials_set_password(creds,
|
|
+ "testpass",
|
|
+ CRED_SPECIFIED);
|
|
+
|
|
+ if (upn) {
|
|
+ cli_credentials_set_principal(creds,
|
|
+ "testuser@samba.org",
|
|
+ CRED_SPECIFIED);
|
|
+ }
|
|
+
|
|
+ cli_credentials_get_ntlm_username_domain(creds,
|
|
+ ntlm_state,
|
|
+ &ntlm_state->username,
|
|
+ &ntlm_state->domain);
|
|
+
|
|
+ status = cli_credentials_get_ntlm_response(creds,
|
|
+ ntlm_state,
|
|
+ &flags,
|
|
+ challenge,
|
|
+ NULL,
|
|
+ target_info,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ &ntlm_state->lm_key,
|
|
+ &ntlm_state->ntlm_key);
|
|
+ ntlm_state->challenge = challenge;
|
|
+
|
|
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
|
|
+ ntlm_state);
|
|
+
|
|
+ if (!NT_STATUS_IS_OK(status)) {
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ *state = ntlm_state;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int test_ntlm_setup(void **state) {
|
|
+ return test_ntlm_setup_with_options(state, 0, false);
|
|
+}
|
|
+
|
|
+static int test_ntlm_and_lm_setup(void **state) {
|
|
+ return test_ntlm_setup_with_options(state,
|
|
+ CLI_CRED_LANMAN_AUTH,
|
|
+ false);
|
|
+}
|
|
+
|
|
+static int test_ntlm2_setup(void **state) {
|
|
+ return test_ntlm_setup_with_options(state,
|
|
+ CLI_CRED_NTLM2,
|
|
+ false);
|
|
+}
|
|
+
|
|
+static int test_ntlmv2_setup(void **state) {
|
|
+ return test_ntlm_setup_with_options(state,
|
|
+ CLI_CRED_NTLMv2_AUTH,
|
|
+ false);
|
|
+}
|
|
+
|
|
+static int test_ntlm_teardown(void **state)
|
|
+{
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ TALLOC_FREE(ntlm_state);
|
|
+ *state = NULL;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static void test_ntlm_allowed(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_ON,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
|
|
+}
|
|
+
|
|
+static void test_ntlm_allowed_lm_supplied(void **state)
|
|
+{
|
|
+ return test_ntlm_allowed(state);
|
|
+}
|
|
+
|
|
+static void test_ntlm_disabled(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_DISABLED,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
|
|
+}
|
|
+
|
|
+static void test_ntlm2(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_ON,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ /*
|
|
+ * NTLM2 session security (where the real challenge is the
|
|
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
|
|
+ * the lm) isn't decoded by ntlm_password_check(), it must
|
|
+ * first be converted back into normal NTLM by the NTLMSSP
|
|
+ * layer
|
|
+ */
|
|
+ assert_int_equal(NT_STATUS_V(status),
|
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
+}
|
|
+
|
|
+static void test_ntlm_mschapv2_only_allowed(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
|
|
+ MSV1_0_ALLOW_MSVCHAPV2,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
|
|
+}
|
|
+
|
|
+static void test_ntlm_mschapv2_only_denied(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status),
|
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
+}
|
|
+
|
|
+static void test_ntlmv2_only_ntlmv2(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_NTLMV2_ONLY,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
|
|
+}
|
|
+
|
|
+static void test_ntlmv2_only_ntlm(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_NTLMV2_ONLY,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &ntlm_state->lm,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status),
|
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
+}
|
|
+
|
|
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
|
|
+{
|
|
+ return test_ntlmv2_only_ntlm(state);
|
|
+}
|
|
+
|
|
+static void test_ntlmv2_only_ntlm_once(void **state)
|
|
+{
|
|
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
+ struct ntlm_state *ntlm_state
|
|
+ = talloc_get_type_abort(*state,
|
|
+ struct ntlm_state);
|
|
+ NTSTATUS status;
|
|
+ status = ntlm_password_check(ntlm_state,
|
|
+ false,
|
|
+ NTLM_AUTH_NTLMV2_ONLY,
|
|
+ 0,
|
|
+ &ntlm_state->challenge,
|
|
+ &data_blob_null,
|
|
+ &ntlm_state->ntlm,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->username,
|
|
+ ntlm_state->domain,
|
|
+ NULL,
|
|
+ ntlm_state->nt_hash,
|
|
+ &user_sess_key,
|
|
+ &lm_sess_key);
|
|
+
|
|
+ assert_int_equal(NT_STATUS_V(status),
|
|
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
+}
|
|
+
|
|
+int main(int argc, const char **argv)
|
|
+{
|
|
+ const struct CMUnitTest tests[] = {
|
|
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
|
|
+ test_ntlm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
|
|
+ test_ntlm_and_lm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
|
|
+ test_ntlm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlm2,
|
|
+ test_ntlm2_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
|
|
+ test_ntlm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
|
|
+ test_ntlm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
|
|
+ test_ntlm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
|
|
+ test_ntlm_and_lm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
|
|
+ test_ntlm_setup,
|
|
+ test_ntlm_teardown),
|
|
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
|
|
+ test_ntlmv2_setup,
|
|
+ test_ntlm_teardown)
|
|
+ };
|
|
+
|
|
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
|
|
+ return cmocka_run_group_tests(tests, NULL, NULL);
|
|
+}
|
|
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
|
|
index 475b7d69406..d319d9b879e 100644
|
|
--- a/libcli/auth/wscript_build
|
|
+++ b/libcli/auth/wscript_build
|
|
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
|
|
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
|
|
source='spnego_parse.c',
|
|
deps='asn1util')
|
|
+
|
|
+bld.SAMBA_BINARY(
|
|
+ 'test_ntlm_check',
|
|
+ source='tests/ntlm_check.c',
|
|
+ deps='''
|
|
+ NTLM_CHECK
|
|
+ CREDENTIALS_NTLM
|
|
+ samba-credentials
|
|
+ cmocka
|
|
+ talloc
|
|
+ ''',
|
|
+ install=False
|
|
+ )
|
|
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
|
|
new file mode 100644
|
|
index 00000000000..c6e6a3739ba
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/ntlm
|
|
@@ -0,0 +1,2 @@
|
|
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
|
|
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
|
|
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
index 3f5097b680c..dc6486c13f8 100644
|
|
--- a/selftest/tests.py
|
|
+++ b/selftest/tests.py
|
|
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
|
|
plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
+plantestsuite("samba.unittests.ntlm_check", "none",
|
|
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
|
|
--
|
|
2.14.4
|
|
|
|
|
|
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Wed, 14 Mar 2018 15:36:05 +0100
|
|
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
|
|
hash_password_check()
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
|
|
CVE-2018-1139: Weak authentication protocol allowed.
|
|
|
|
Guenther
|
|
|
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
libcli/auth/ntlm_check.c | 8 ++++----
|
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
|
|
index 3b02adc1d48..1c6499bd210 100644
|
|
--- a/libcli/auth/ntlm_check.c
|
|
+++ b/libcli/auth/ntlm_check.c
|
|
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
|
|
const struct samr_Password *stored_nt)
|
|
{
|
|
if (stored_nt == NULL) {
|
|
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
|
|
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
|
|
username));
|
|
}
|
|
|
|
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
|
|
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
|
|
return NT_STATUS_OK;
|
|
} else {
|
|
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
|
|
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
|
|
username));
|
|
return NT_STATUS_WRONG_PASSWORD;
|
|
}
|
|
|
|
} else if (client_lanman && stored_lanman) {
|
|
if (!lanman_auth) {
|
|
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
|
|
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
|
|
username));
|
|
return NT_STATUS_WRONG_PASSWORD;
|
|
}
|
|
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
|
|
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
|
|
return NT_STATUS_OK;
|
|
} else {
|
|
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
|
|
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
|
|
username));
|
|
return NT_STATUS_WRONG_PASSWORD;
|
|
}
|
|
--
|
|
2.14.4
|
|
|
|
|
|
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Wed, 14 Mar 2018 15:35:01 +0100
|
|
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
|
|
ntlm_password_check().
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
|
|
CVE-2018-1139: Weak authentication protocol allowed.
|
|
|
|
Guenther
|
|
|
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
source3/utils/ntlm_auth.c | 6 ++++--
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
|
|
index 3f544902a24..8f77680416f 100644
|
|
--- a/source3/utils/ntlm_auth.c
|
|
+++ b/source3/utils/ntlm_auth.c
|
|
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
|
|
*pauthoritative = 1;
|
|
|
|
nt_status = ntlm_password_check(mem_ctx,
|
|
- true, true, 0,
|
|
+ true, NTLM_AUTH_ON, 0,
|
|
&auth4_context->challenge.data,
|
|
&user_info->password.response.lanman,
|
|
&user_info->password.response.nt,
|
|
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
|
|
|
|
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
|
|
nt_status = ntlm_password_check(mem_ctx,
|
|
- true, true, 0,
|
|
+ true,
|
|
+ NTLM_AUTH_ON,
|
|
+ 0,
|
|
&challenge,
|
|
&lm_response,
|
|
&nt_response,
|
|
--
|
|
2.14.4
|
|
|
|
|
|
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Fri, 16 Mar 2018 17:25:12 +0100
|
|
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
|
|
via SMB1 when it is disabled.
|
|
|
|
Right now, this test will succeed.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
|
|
CVE-2018-1139: Weak authentication protocol allowed.
|
|
|
|
Guenther
|
|
|
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
source3/selftest/tests.py | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
|
index 9092c1776c8..034c014e5b8 100755
|
|
--- a/source3/selftest/tests.py
|
|
+++ b/source3/selftest/tests.py
|
|
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
|
|
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
|
|
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
|
|
|
|
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
|
|
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
|
|
for env in ["nt4_member", "ad_member"]:
|
|
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
|
|
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
|
|
--
|
|
2.14.4
|
|
|
|
|
|
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
Date: Tue, 13 Mar 2018 16:56:20 +0100
|
|
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
|
|
when it is disabled via "ntlm auth".
|
|
|
|
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
|
|
|
|
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
|
|
|
|
In order to demonstrate simply run:
|
|
|
|
smbclient //server/share -U user%password -mNT1 -c quit \
|
|
--option="client ntlmv2 auth"=no \
|
|
--option="client use spnego"=no
|
|
|
|
against a server that uses "ntlm auth = ntlmv2-only" (our default
|
|
setting).
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
|
|
CVE-2018-1139: Weak authentication protocol allowed.
|
|
|
|
Guenther
|
|
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
libcli/auth/ntlm_check.c | 2 +-
|
|
selftest/knownfail | 3 ++-
|
|
selftest/knownfail.d/ntlm | 2 --
|
|
3 files changed, 3 insertions(+), 4 deletions(-)
|
|
delete mode 100644 selftest/knownfail.d/ntlm
|
|
|
|
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
|
|
index 1c6499bd210..b68e9c87888 100644
|
|
--- a/libcli/auth/ntlm_check.c
|
|
+++ b/libcli/auth/ntlm_check.c
|
|
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
|
|
- I think this is related to Win9X pass-though authentication
|
|
*/
|
|
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
|
|
- if (ntlm_auth) {
|
|
+ if (ntlm_auth == NTLM_AUTH_ON) {
|
|
if (smb_pwd_check_ntlmv1(mem_ctx,
|
|
lm_response,
|
|
stored_nt->hash, challenge,
|
|
diff --git a/selftest/knownfail b/selftest/knownfail
|
|
index ba16fd72290..84776d4f35d 100644
|
|
--- a/selftest/knownfail
|
|
+++ b/selftest/knownfail
|
|
@@ -303,8 +303,9 @@
|
|
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
|
|
# fl2000dc doesn't support AES
|
|
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
|
|
-# nt4_member and ad_member don't support ntlmv1
|
|
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
|
|
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
|
|
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
|
|
#nt-vfs server blocks read with execute access
|
|
^samba4.smb2.read.access
|
|
#ntvfs server blocks copychunk with execute access on read handle
|
|
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
|
|
deleted file mode 100644
|
|
index c6e6a3739ba..00000000000
|
|
--- a/selftest/knownfail.d/ntlm
|
|
+++ /dev/null
|
|
@@ -1,2 +0,0 @@
|
|
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
|
|
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
|
|
--
|
|
2.14.4
|
|
|
|
|