
This queue is for tickets about the SMB CPAN distribution.

Report information
The Basics
Id: 118838
Status: resolved
Priority: 0/
Queue: SMB

People
Owner: migo [...] cpan.org
Requestors: dan [...] moinescu.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 0.08



Subject: Bug in SMB::Auth 0.06
Date: Fri, 18 Nov 2016 17:27:10 +0200
To: bug-SMB [...] rt.cpan.org, migo [...] homemail.com
From: Dan Moinescu <dan [...] moinescu.net>
Hello Mikhael,

I'm writing to report a bug in module SMB::Auth version 0.06 (http://search.cpan.org/~migo/SMB-0.06/).

Function create_ntlmv2_hash has this line:

    return hmac_md5(encode('UTF-16LE', uc($username . $domain)), $ntlm_hash);

which converts both username and domain to uppercase before encoding. However, the protocol says that only the username should be converted, while the domain is case sensitive:

"note that the username is converted to uppercase, while the authentication target is case-sensitive and must match the case presented in the Target Name field." (quoted from http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response)

So the correct code is:

    return hmac_md5(encode('UTF-16LE', uc($username) . $domain), $ntlm_hash);

Great job with the module, I'm using it together with Authen::SASL for authenticating via NTLMSSP to an LDAP server.

Regards,
Dan.


Hi Dan, Thanks for the nice words. I plan to address this issue in 0.08, together with some other work on the SMB server.
This should be fixed in 0.08. Please reply if anything is not working.
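
The effect of the reported line on an NTLMv2 exchange, as an added example in Python that is not part of the ticket or of SMB::Auth: a client builds its response with either form of the hash, and a modelled server checks it using the case-sensitive target, as the quoted protocol text requires. The NTLM hash, challenge, blob, user name and target names are constructed sample values, and the function names are hypothetical.

```python
import hmac

# Constructed sample values, not taken from the ticket or from any real account.
NTLM_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # stands in for the 16-byte NTLM hash
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")           # 8-byte server challenge
BLOB = b"constructed-client-blob"                              # opaque stand-in for the NTLMv2 blob


def ntlmv2_hash(ntlm_hash, username, target, uppercase_target=False):
    """HMAC-MD5 keyed with the NTLM hash over the UTF-16LE identity string.

    uppercase_target=True reproduces the reported line, uc($username . $domain);
    False is the corrected form, uc($username) . $domain.
    """
    if uppercase_target:
        identity = (username + target).upper()
    else:
        identity = username.upper() + target
    return hmac.new(ntlm_hash, identity.encode("utf-16-le"), "md5").digest()


def ntlmv2_response(v2_hash, server_challenge, blob):
    """NTLMv2 response: HMAC-MD5(v2_hash, challenge || blob) followed by the blob."""
    proof = hmac.new(v2_hash, server_challenge + blob, "md5").digest()
    return proof + blob


def server_accepts(response, ntlm_hash, username, target, server_challenge):
    """Modelled server: recompute with the case-sensitive target and compare."""
    blob = response[16:]
    v2 = ntlmv2_hash(ntlm_hash, username, target)
    expected = ntlmv2_response(v2, server_challenge, blob)
    return hmac.compare_digest(response, expected)


def client_login(username, target, uppercase_target):
    """Build the client response with the chosen hash form, then verify it."""
    v2 = ntlmv2_hash(NTLM_HASH, username, target, uppercase_target)
    response = ntlmv2_response(v2, SERVER_CHALLENGE, BLOB)
    return server_accepts(response, NTLM_HASH, username, target, SERVER_CHALLENGE)


if __name__ == "__main__":
    for target in ("CORP", "Corp.Example"):
        for buggy in (True, False):
            form = "uc(user . domain)" if buggy else "uc(user) . domain"
            result = "accepted" if client_login("dan", target, buggy) else "rejected"
            print(f"{target:13} {form:18} {result}")
```

Both forms agree when the target name is already all uppercase, which is why the defect only shows up against servers that present a mixed-case or lowercase Target Name.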