diff --git a/source/auth/ntlmssp/ntlmssp_sign.c b/source/auth/ntlmssp/ntlmssp_sign.c
index 316bb257ff3..52cbf01ea9c 100644
--- a/source/auth/ntlmssp/ntlmssp_sign.c
+++ b/source/auth/ntlmssp/ntlmssp_sign.c
@@ -168,7 +168,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 }
 if (sig->length < 8) {
- DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
+ DEBUG(1, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
 (unsigned long)sig->length));
 }
@@ -192,7 +192,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 DEBUG(5, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length));
 dump_data(5, sig->data, sig->length);
- DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length));
+ DEBUG(1, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length));
 return NT_STATUS_ACCESS_DENIED;
 }
 } else {
@@ -205,7 +205,7 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
 DEBUG(5, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length));
 dump_data(5, sig->data, sig->length);
- DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length));
+ DEBUG(1, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length));
 return NT_STATUS_ACCESS_DENIED;
 }
 }
diff --git a/source/torture/auth/ntlmssp.c b/source/torture/auth/ntlmssp.c
index a7c3b03c394..096640301da 100644
--- a/source/torture/auth/ntlmssp.c
+++ b/source/torture/auth/ntlmssp.c
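Review bot: In the @@ -168 hunk of ntlmssp_sign.c the `if (sig->length < 8)` branch only logs: its closing brace follows the DEBUG call with no return, so a short signature is not rejected at this point. If the comparison code further down (outside this hunk) reads `sig->data + 8` or computes `sig->length - 8`, a signature shorter than 8 bytes would give an underflowed length or a read past the blob; that cannot be confirmed from the visible lines. Suggest adding `return NT_STATUS_ACCESS_DENIED;` after the DEBUG call so the branch fails closed. The function body starts and ends outside the hunk.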
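Review bot: The invalid-signature messages in the @@ -192 (NTLM2) and @@ -205 (NTLM1) hunks now need log level 1, so a server logging at level 0 records nothing when a packet fails signature verification and is refused with NT_STATUS_ACCESS_DENIED. A failed integrity check is an event operators rely on to spot tampering or a key mismatch, so the reason for the lower level deserves a comment at each call, for example `/* level 1: the peer can trigger this at will; raise the log level to see failed checks */`, assuming that is the intent. Neither message names the peer or session, which makes an entry hard to correlate; if that context is reachable in this function (not visible here), include it. The NTLM1 message also ends in `:` with nothing after it, where the other two end in `!`.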
@@ -72,6 +72,18 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
 torture_assert(tctx, 0 == memcmp(sig.data, expected_sig.data, sig.length), "data mismatch");
+ torture_assert_ntstatus_equal(tctx,
+ gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+ data.data, data.length, data.data, data.length, &sig),
+ NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
+
+ gensec_ntlmssp_state->session_key = data_blob(NULL, 0);
+
+ torture_assert_ntstatus_equal(tctx,
+ gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+ data.data, data.length, data.data, data.length, &sig),
+ NT_STATUS_NO_USER_SESSION_KEY, "Check of just signed packet without a session key should fail");
+
 talloc_free(gensec_security);
 torture_assert_ntstatus_ok(tctx,
@@ -114,6 +126,11 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
 torture_assert(tctx, 0 == memcmp(sig.data+8, expected_sig.data+8, sig.length-8), "data mismatch");
+ torture_assert_ntstatus_equal(tctx,
+ gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+ data.data, data.length, data.data, data.length, &sig),
+ NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
+
 talloc_free(gensec_security);
 return true;
 }
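Review bot: The new negative cases cover the wrong-direction key and the missing session key, but nothing exercises a truncated or altered signature, the inputs that the `sig->length < 8` and `BAD SIG` branches of `gensec_ntlmssp_check_packet` in ntlmssp_sign.c are there to handle. One case passing a copy of `sig` with its length set below 8, and one with a single byte of `data` changed after signing, would pin those rejections and show whether the short-signature path actually fails. In the @@ -72 hunk, `gensec_ntlmssp_state->session_key = data_blob(NULL, 0);` replaces the key blob without releasing the old one; presumably it is a talloc child freed by the `talloc_free(gensec_security)` that follows, and a one-line comment saying so would help. The wrong-end assertion is repeated unchanged in the @@ -114 hunk, and the test function starts and ends outside both hunks.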