From 7dbe3c67368a1b5d81564b61650f1e85beb4e1c8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 13 Nov 2019 12:52:44 +0100
Subject: [PATCH 142/187] libcli:auth: Check return code of
SMBOWFencrypt_ntv2()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3db2ca2dcf367a6c57071a76668d19f3cbf62565)
---
libcli/auth/ntlm_check.c | 18 +++++++++++++++---
libcli/auth/smbencrypt.c | 20 ++++++++++++++++++--
2 files changed, 33 insertions(+), 5 deletions(-)
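diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index ba0051d7aea..5058add3811 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -93,6 +93,7 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
 uint8_t kr[16];
 uint8_t value_from_encryption[16];
 DATA_BLOB client_key_data;
+ NTSTATUS status;
 
 if (part_passwd == NULL) {
 DEBUG(10,("No password set - DISALLOWING access\n"));
@@ -125,7 +126,13 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
 return false;
 }
 
- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
+ status = SMBOWFencrypt_ntv2(kr,
+ sec_blob,
+ &client_key_data,
+ value_from_encryption);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
 
 #if DEBUG_PASSWORD
 DEBUG(100,("Part password (P16) was |\n"));
@@ -142,7 +149,6 @@ static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
 data_blob_clear_free(&client_key_data);
 if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) {
 if (user_sess_key != NULL) {
- NTSTATUS status;
 *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
 
 status = SMBsesskeygen_ntv2(kr,
@@ -202,7 +208,13 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
 return false;
 }
 
- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
+ status = SMBOWFencrypt_ntv2(kr,
+ sec_blob,
+ &client_key_data,
+ value_from_encryption);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
 *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
 status = SMBsesskeygen_ntv2(kr,
 value_from_encryption,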
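Review bot: The new early `return false;` after the SMBOWFencrypt_ntv2() call in smb_pwd_check_ntlmv2 skips the `data_blob_clear_free(&client_key_data);` that the third hunk's context shows on the normal path, so the blob stays attached to its parent context on failure; the smb_sess_key_ntlmv2 hunk returns the same way. Calling `data_blob_clear_free(&client_key_data);` before `return false;` in both branches would keep the failure path symmetric with the success path. The branch is also silent, unlike the neighbouring `DEBUG(10,("No password set - DISALLOWING access\n"));`, so a logon rejected because the hash computation failed looks the same in the logs as a wrong password; a `DEBUG` line carrying `nt_errstr(status)` would make that distinguishable. Both function bodies start and end outside the hunks, so where client_key_data is allocated is inferred rather than visible here.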
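diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index e7ed0630cdc..e33d29de19d 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -493,6 +493,7 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
 uint8_t ntlmv2_response[16];
 DATA_BLOB ntlmv2_client_data;
 DATA_BLOB final_response;
+ NTSTATUS status;
 
 TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0,
 "NTLMv2_generate_response internal context");
@@ -507,7 +508,14 @@ static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
 ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, nttime, names_blob);
 
 /* Given that data, and the challenge from the server, generate a response */
- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
+ status = SMBOWFencrypt_ntv2(ntlm_v2_hash,
+ server_chal,
+ &ntlmv2_client_data,
+ ntlmv2_response);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(mem_ctx);
+ return data_blob(NULL, 0);
+ }
 
 final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
 
@@ -528,13 +536,21 @@ static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx,
 uint8_t lmv2_response[16];
 DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8);
 DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24);
+ NTSTATUS status;
 
 /* LMv2 */
 /* client-supplied random data */
 generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length);
 
 /* Given that data, and the challenge from the server, generate a response */
- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response);
+ status = SMBOWFencrypt_ntv2(ntlm_v2_hash,
+ server_chal,
+ &lmv2_client_data,
+ lmv2_response);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&lmv2_client_data);
+ return data_blob(NULL, 0);
+ }
 memcpy(final_response.data, lmv2_response, sizeof(lmv2_response));
 
 /* after the first 16 bytes is the random data we generated above,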
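Review bot: In LMv2_generate_response the new failure branch frees `lmv2_client_data` but not `final_response`, which the context shows is allocated with `data_blob_talloc(mem_ctx, NULL,24)` at its declaration, so that blob stays attached to the caller's mem_ctx when the function bails out. Adding `data_blob_free(&final_response);` before `return data_blob(NULL, 0);` closes it. Both this function and NTLMv2_generate_response now report failure as an empty blob; the callers are outside these hunks, so it is worth confirming that they check the returned blob's length before building an authentication response from it. The bodies of both functions continue past the hunks shown.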
--
2.23.0