Fix up auth logic for non-negotiate auth (#76)

jborean93 · Feb 1, 2021 · 06d9343 · 06d9343
1 parent 9d9339e
commit 06d9343
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * Fixed up secure negotiation logic when connecting to older SMB dialects
 * Will attempt to perform secure negotiation even on older dialects that may not implement it properly
 * Added `ClientConfig` option `require_secure_negotiate` to globally turn off secure negotiation if the client wishes
+* Fix explicit `ntlm` or `kerberos` authentication when the server response with the initial SPNEGO mech list token
 
 
 ## 1.3.0 - 2021-01-23

diff --git a/smbprotocol/session.py b/smbprotocol/session.py
@@ -267,8 +267,10 @@ def connect(self):
 
         self.connection.preauth_session_table[self.session_id] = self
         in_token = self.connection.gss_negotiate_token
+        if self.auth_protocol != 'negotiate':
+            in_token = None  # The GSS Negotiate Token can only be used for Negotiate auth.
 
-        while not context.complete or not in_token:
+        while not context.complete or in_token:
             try:
                 out_token = context.step(in_token)
             except spnego.exceptions.SpnegoError as err:

diff --git a/tests/test_session.py b/tests/test_session.py
@@ -327,3 +327,28 @@ def test_setup_session_with_ms_gss_token(self, smb_real):
             assert session.signing_required
         finally:
             connection.disconnect(True)
+
+    def test_setup_session_with_ntlm_only(self, smb_real):
+        connection = Connection(uuid.uuid4(), smb_real[2], smb_real[3])
+        connection.connect()
+
+        session = Session(connection, smb_real[0], smb_real[1], False, auth_protocol='ntlm')
+        try:
+            session.connect()
+            assert len(session.application_key) == 16
+            assert session.application_key != session.session_key
+            assert len(session.decryption_key) == 16
+            assert session.decryption_key != session.session_key
+            assert not session.encrypt_data
+            assert len(session.encryption_key) == 16
+            assert session.encryption_key != session.session_key
+            assert len(session.connection.preauth_integrity_hash_value) == 2
+            assert len(session.preauth_integrity_hash_value) == 3
+            assert not session.require_encryption
+            assert session.session_id is not None
+            assert len(session.session_key) == 16
+            assert len(session.signing_key) == 16
+            assert session.signing_key != session.session_key
+            assert session.signing_required
+        finally:
+            connection.disconnect()