From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001

From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Date: Thu, 22 Feb 2018 11:54:45 +1300

Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set

 with_cmocka flag

We have cmocka in third_party, so we are never without it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6

by Andrew Bartlett)

---

 selftest/tests.py | 18 ++++++++----------

 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/selftest/tests.py b/selftest/tests.py

index 126e1184230..3f5097b680c 100644

--- a/selftest/tests.py

+++ b/selftest/tests.py

@@ -38,7 +38,6 @@ finally:

     f.close()

 have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)

-with_cmocka = ("HAVE_CMOCKA" in config_hash)

 with_pam = ("WITH_PAM" in config_hash)

 pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]

@@ -168,13 +167,12 @@ if with_pam:

                    valgrindify(python), pam_wrapper_so_path,

                    "$DOMAIN", "alice", "Secret007"])

-if with_cmocka:

-    plantestsuite("samba.unittests.krb5samba", "none",

-                  [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])

-    plantestsuite("samba.unittests.sambafs_srv_pipe", "none",

-                  [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])

-    plantestsuite("samba.unittests.lib_util_modules", "none",

-                  [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])

+plantestsuite("samba.unittests.krb5samba", "none",

+              [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])

+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",

+              [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])

+plantestsuite("samba.unittests.lib_util_modules", "none",

+              [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])

-    plantestsuite("samba.unittests.smb1cli_session", "none",

-                  [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])

+plantestsuite("samba.unittests.smb1cli_session", "none",

+              [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])

-- 

2.14.4

From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001

From: Andrew Bartlett <abartlet@samba.org>

Date: Fri, 27 Jul 2018 08:44:24 +1200

Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for

 ntlm_password_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

---

 libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++

 libcli/auth/wscript_build      |  13 ++

 selftest/knownfail.d/ntlm      |   2 +

 selftest/tests.py              |   2 +

 4 files changed, 430 insertions(+)

 create mode 100644 libcli/auth/tests/ntlm_check.c

 create mode 100644 selftest/knownfail.d/ntlm

diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c

new file mode 100644

index 00000000000..e87a0a276d4

--- /dev/null

+++ b/libcli/auth/tests/ntlm_check.c

@@ -0,0 +1,413 @@

+/*

+ * Unit tests for the ntlm_check password hash check library.

+ *

+ *  Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018

+ *

+ * This program is free software; you can redistribute it and/or modify

+ * it under the terms of the GNU General Public License as published by

+ * the Free Software Foundation; either version 3 of the License, or

+ * (at your option) any later version.

+ *

+ * This program is distributed in the hope that it will be useful,

+ * but WITHOUT ANY WARRANTY; without even the implied warranty of

+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ * GNU General Public License for more details.

+ *

+ * You should have received a copy of the GNU General Public License

+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.

+ *

+ */

+

+/*

+ * from cmocka.c:

+ * These headers or their equivalents should be included prior to

+ * including

+ * this header file.

+ *

+ * #include <stdarg.h>

+ * #include <stddef.h>

+ * #include <setjmp.h>

+ *

+ * This allows test applications to use custom definitions of C standard

+ * library functions and types.

+ *

+ */

+

+/*

+ * Note that the messaging routines (audit_message_send and get_event_server)

+ * are not tested by these unit tests.  Currently they are for integration

+ * test support, and as such are exercised by the integration tests.

+ */

+#include <stdarg.h>

+#include <stddef.h>

+#include <setjmp.h>

+#include <cmocka.h>

+

+#include "includes.h"

+#include "../lib/crypto/crypto.h"

+#include "librpc/gen_ndr/netlogon.h"

+#include "libcli/auth/libcli_auth.h"

+#include "auth/credentials/credentials.h"

+

+struct ntlm_state {

+	const char *username;

+	const char *domain;

+	DATA_BLOB challenge;

+	DATA_BLOB ntlm;

+	DATA_BLOB lm;

+	DATA_BLOB ntlm_key;

+	DATA_BLOB lm_key;

+	const struct samr_Password *nt_hash;

+};

+

+static int test_ntlm_setup_with_options(void **state,

+					int flags, bool upn)

+{

+	NTSTATUS status;

+	DATA_BLOB challenge = {

+		.data = discard_const_p(uint8_t, "I am a teapot"),

+		.length = 8

+	};

+	struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);

+	DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,

+							   NULL,

+							   "serverdom");

+	struct cli_credentials *creds = cli_credentials_init(ntlm_state);

+	cli_credentials_set_username(creds,

+				     "testuser",

+				     CRED_SPECIFIED);

+	cli_credentials_set_domain(creds,

+				   "testdom",

+				   CRED_SPECIFIED);

+	cli_credentials_set_workstation(creds,

+					"testwksta",

+					CRED_SPECIFIED);

+	cli_credentials_set_password(creds,

+				     "testpass",

+				     CRED_SPECIFIED);

+

+	if (upn) {

+		cli_credentials_set_principal(creds,

+					      "testuser@samba.org",

+					      CRED_SPECIFIED);

+	}

+

+	cli_credentials_get_ntlm_username_domain(creds,

+						 ntlm_state,

+						 &ntlm_state->username,

+						 &ntlm_state->domain);

+

+	status = cli_credentials_get_ntlm_response(creds,

+						   ntlm_state,

+						   &flags,

+						   challenge,

+						   NULL,

+						   target_info,

+						   &ntlm_state->lm,

+						   &ntlm_state->ntlm,

+						   &ntlm_state->lm_key,

+						   &ntlm_state->ntlm_key);

+	ntlm_state->challenge = challenge;

+

+	ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,

+							  ntlm_state);

+

+	if (!NT_STATUS_IS_OK(status)) {

+		return -1;

+	}

+

+	*state = ntlm_state;

+	return 0;

+}

+

+static int test_ntlm_setup(void **state) {

+	return test_ntlm_setup_with_options(state, 0, false);

+}

+

+static int test_ntlm_and_lm_setup(void **state) {

+	return test_ntlm_setup_with_options(state,

+					    CLI_CRED_LANMAN_AUTH,

+					    false);

+}

+

+static int test_ntlm2_setup(void **state) {

+	return test_ntlm_setup_with_options(state,

+					    CLI_CRED_NTLM2,

+					    false);

+}

+

+static int test_ntlmv2_setup(void **state) {

+	return test_ntlm_setup_with_options(state,

+					    CLI_CRED_NTLMv2_AUTH,

+					    false);

+}

+

+static int test_ntlm_teardown(void **state)

+{

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	TALLOC_FREE(ntlm_state);

+	*state = NULL;

+	return 0;

+}

+

+static void test_ntlm_allowed(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_ON,

+				     0,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));

+}

+

+static void test_ntlm_allowed_lm_supplied(void **state)

+{

+	return test_ntlm_allowed(state);

+}

+

+static void test_ntlm_disabled(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_DISABLED,

+				     0,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));

+}

+

+static void test_ntlm2(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_ON,

+				     0,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	/*

+	 * NTLM2 session security (where the real challenge is the

+	 * MD5(challenge, client-challenge) (in the first 8 bytes of

+	 * the lm) isn't decoded by ntlm_password_check(), it must

+	 * first be converted back into normal NTLM by the NTLMSSP

+	 * layer

+	 */

+	assert_int_equal(NT_STATUS_V(status),

+			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));

+}

+

+static void test_ntlm_mschapv2_only_allowed(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,

+				     MSV1_0_ALLOW_MSVCHAPV2,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));

+}

+

+static void test_ntlm_mschapv2_only_denied(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,

+				     0,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status),

+			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));

+}

+

+static void test_ntlmv2_only_ntlmv2(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_NTLMV2_ONLY,

+				     0,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));

+}

+

+static void test_ntlmv2_only_ntlm(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_NTLMV2_ONLY,

+				     0,

+				     &ntlm_state->challenge,

+				     &ntlm_state->lm,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status),

+			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));

+}

+

+static void test_ntlmv2_only_ntlm_and_lanman(void **state)

+{

+	return test_ntlmv2_only_ntlm(state);

+}

+

+static void test_ntlmv2_only_ntlm_once(void **state)

+{

+	DATA_BLOB user_sess_key, lm_sess_key;

+	struct ntlm_state *ntlm_state

+		= talloc_get_type_abort(*state,

+					struct ntlm_state);

+	NTSTATUS status;

+	status = ntlm_password_check(ntlm_state,

+				     false,

+				     NTLM_AUTH_NTLMV2_ONLY,

+				     0,

+				     &ntlm_state->challenge,

+				     &data_blob_null,

+				     &ntlm_state->ntlm,

+				     ntlm_state->username,

+				     ntlm_state->username,

+				     ntlm_state->domain,

+				     NULL,

+				     ntlm_state->nt_hash,

+				     &user_sess_key,

+				     &lm_sess_key);

+

+	assert_int_equal(NT_STATUS_V(status),

+			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));

+}

+

+int main(int argc, const char **argv)

+{

+	const struct CMUnitTest tests[] = {

+		cmocka_unit_test_setup_teardown(test_ntlm_allowed,

+						test_ntlm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,

+						test_ntlm_and_lm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlm_disabled,

+						test_ntlm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlm2,

+						test_ntlm2_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,

+						test_ntlm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,

+						test_ntlm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,

+						test_ntlm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,

+						test_ntlm_and_lm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,

+						test_ntlm_setup,

+						test_ntlm_teardown),

+		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,

+						test_ntlmv2_setup,

+						test_ntlm_teardown)

+	};

+

+	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);

+	return cmocka_run_group_tests(tests, NULL, NULL);

+}

diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build

index 475b7d69406..d319d9b879e 100644

--- a/libcli/auth/wscript_build

+++ b/libcli/auth/wscript_build

@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',

 bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',

                     source='spnego_parse.c',

                     deps='asn1util')

+

+bld.SAMBA_BINARY(

+        'test_ntlm_check',

+        source='tests/ntlm_check.c',

+        deps='''

+             NTLM_CHECK

+             CREDENTIALS_NTLM

+             samba-credentials

+             cmocka

+             talloc

+        ''',

+        install=False

+    )

diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm

new file mode 100644

index 00000000000..c6e6a3739ba

--- /dev/null

+++ b/selftest/knownfail.d/ntlm

@@ -0,0 +1,2 @@

+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied

+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(

diff --git a/selftest/tests.py b/selftest/tests.py

index 3f5097b680c..dc6486c13f8 100644

--- a/selftest/tests.py

+++ b/selftest/tests.py

@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",

 plantestsuite("samba.unittests.smb1cli_session", "none",

               [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])

+plantestsuite("samba.unittests.ntlm_check", "none",

+              [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])

-- 

2.14.4

From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Wed, 14 Mar 2018 15:36:05 +0100

Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in

 hash_password_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 libcli/auth/ntlm_check.c | 8 ++++----

 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c

index 3b02adc1d48..1c6499bd210 100644

--- a/libcli/auth/ntlm_check.c

+++ b/libcli/auth/ntlm_check.c

@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,

 			     const struct samr_Password *stored_nt)

 {

 	if (stored_nt == NULL) {

-		DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 

+		DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",

 			 username));

 	}

@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,

 		if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {

 			return NT_STATUS_OK;

 		} else {

-			DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",

+			DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",

 				 username));

 			return NT_STATUS_WRONG_PASSWORD;

 		}

 	} else if (client_lanman && stored_lanman) {

 		if (!lanman_auth) {

-			DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",

+			DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",

 				 username));

 			return NT_STATUS_WRONG_PASSWORD;

 		}

@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,

 		if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {

 			return NT_STATUS_OK;

 		} else {

-			DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",

+			DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",

 				 username));

 			return NT_STATUS_WRONG_PASSWORD;

 		}

-- 

2.14.4

From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Wed, 14 Mar 2018 15:35:01 +0100

Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in

 ntlm_password_check().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/utils/ntlm_auth.c | 6 ++++--

 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c

index 3f544902a24..8f77680416f 100644

--- a/source3/utils/ntlm_auth.c

+++ b/source3/utils/ntlm_auth.c

@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,

 	*pauthoritative = 1;

 	nt_status = ntlm_password_check(mem_ctx,

-					true, true, 0,

+					true, NTLM_AUTH_ON, 0,

 					&auth4_context->challenge.data,

 					&user_info->password.response.lanman,

 					&user_info->password.response.nt,

@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod

 				nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);

 				nt_status = ntlm_password_check(mem_ctx,

-								true, true, 0,

+								true,

+								NTLM_AUTH_ON,

+								0,

 								&challenge,

 								&lm_response,

 								&nt_response,

-- 

2.14.4

From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Fri, 16 Mar 2018 17:25:12 +0100

Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used

 via SMB1 when it is disabled.

Right now, this test will succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/selftest/tests.py | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py

index 9092c1776c8..034c014e5b8 100755

--- a/source3/selftest/tests.py

+++ b/source3/selftest/tests.py

@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb

     plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])

     plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])

-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:

+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:

     for env in ["nt4_member", "ad_member"]:

         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])

         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])

-- 

2.14.4

From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Tue, 13 Mar 2018 16:56:20 +0100

Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1

 when it is disabled via "ntlm auth".

This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \

--option="client ntlmv2 auth"=no \

--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default

setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 libcli/auth/ntlm_check.c  | 2 +-

 selftest/knownfail        | 3 ++-

 selftest/knownfail.d/ntlm | 2 --

 3 files changed, 3 insertions(+), 4 deletions(-)

 delete mode 100644 selftest/knownfail.d/ntlm

diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c

index 1c6499bd210..b68e9c87888 100644

--- a/libcli/auth/ntlm_check.c