search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: smbd: Remove unused and commented out check_path_syntax_smb2_msdfs().
[Samba.git] / auth / ntlmssp / ntlmssp_sign.c
blobb9be182e3f260a5095f031e73d2499f43b8bb882
1 /*
2 * Unix SMB/CIFS implementation.
3 * Version 3.0
4 * NTLMSSP Signing routines
5 * Copyright (C) Andrew Bartlett 2003-2005
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../auth/ntlmssp/ntlmssp.h"
23 #include "../libcli/auth/libcli_auth.h"
24 #include "zlib.h"
25 #include "../auth/ntlmssp/ntlmssp_private.h"
26
27 #include "lib/crypto/gnutls_helpers.h"
28 #include <gnutls/gnutls.h>
29 #include <gnutls/crypto.h>
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
33
34 #define CLI_SIGN "session key to client-to-server signing key magic constant"
35 #define CLI_SEAL "session key to client-to-server sealing key magic constant"
36 #define SRV_SIGN "session key to server-to-client signing key magic constant"
37 #define SRV_SEAL "session key to server-to-client sealing key magic constant"
38
39 /**
40 * Some notes on the NTLM2 code:
41 *
42 * NTLM2 is a AEAD system. This means that the data encrypted is not
43 * all the data that is signed. In DCE-RPC case, the headers of the
44 * DCE-RPC packets are also signed. This prevents some of the
45 * fun-and-games one might have by changing them.
46 *
47 */
48
49 static void dump_arc4_state(const char *description,
50 gnutls_cipher_hd_t *state)
51 {
52 DBG_DEBUG("%s\n", description);
53 }
54
55 static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
56 DATA_BLOB session_key,
57 const char *constant)
58 {
59 gnutls_hash_hd_t hash_hnd = NULL;
60 int rc;
61
62 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
63 if (rc < 0) {
64 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
65 }
66 rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
67 if (rc < 0) {
68 gnutls_hash_deinit(hash_hnd, NULL);
69 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
70 }
71 rc = gnutls_hash(hash_hnd, constant, strlen(constant) + 1);
72 if (rc < 0) {
73 gnutls_hash_deinit(hash_hnd, NULL);
74 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
75 }
76 gnutls_hash_deinit(hash_hnd, subkey);
77
78 return NT_STATUS_OK;
79 }
80
81 enum ntlmssp_direction {
82 NTLMSSP_SEND,
83 NTLMSSP_RECEIVE
84 };
85
86 static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state,
87 TALLOC_CTX *sig_mem_ctx,
88 const uint8_t *data, size_t length,
89 const uint8_t *whole_pdu, size_t pdu_length,
90 enum ntlmssp_direction direction,
91 DATA_BLOB *sig, bool encrypt_sig)
92 {
93 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
94 int rc;
95
96 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
97 gnutls_hmac_hd_t hmac_hnd = NULL;
98 uint8_t digest[16];
99 uint8_t seq_num[4];
100
101 *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
102 if (!sig->data) {
103 return NT_STATUS_NO_MEMORY;
104 }
105
106 switch (direction) {
107 case NTLMSSP_SEND:
108 DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
109 ntlmssp_state->crypt->ntlm2.sending.seq_num,
110 (unsigned int)length,
111 (unsigned int)pdu_length));
112
113 SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num);
114 ntlmssp_state->crypt->ntlm2.sending.seq_num++;
115
116 rc = gnutls_hmac_init(&hmac_hnd,
117 GNUTLS_MAC_MD5,
118 ntlmssp_state->crypt->ntlm2.sending.sign_key,
119 16);
120 if (rc < 0) {
121 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
122 }
123 break;
124 case NTLMSSP_RECEIVE:
125
126 DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
127 ntlmssp_state->crypt->ntlm2.receiving.seq_num,
128 (unsigned int)length,
129 (unsigned int)pdu_length));
130
131 SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num);
132 ntlmssp_state->crypt->ntlm2.receiving.seq_num++;
133
134 rc = gnutls_hmac_init(&hmac_hnd,
135 GNUTLS_MAC_MD5,
136 ntlmssp_state->crypt->ntlm2.receiving.sign_key,
137 16);
138 if (rc < 0) {
139 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
140 }
141 break;
142 }
143
144 dump_data_pw("pdu data ", whole_pdu, pdu_length);
145
146 rc = gnutls_hmac(hmac_hnd, seq_num, sizeof(seq_num));
147 if (rc < 0) {
148 gnutls_hmac_deinit(hmac_hnd, NULL);
149 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
150 }
151 rc = gnutls_hmac(hmac_hnd, whole_pdu, pdu_length);
152 if (rc < 0) {
153 gnutls_hmac_deinit(hmac_hnd, NULL);
154 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
155 }
156 gnutls_hmac_deinit(hmac_hnd, digest);
157
158 if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
159 switch (direction) {
160 case NTLMSSP_SEND:
161 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
162 digest,
163 8);
164 break;
165 case NTLMSSP_RECEIVE:
166 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
167 digest,
168 8);
169 break;
170 }
171 if (rc < 0) {
172 DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
173 "%s packet signature failed: %s\n",
174 direction == NTLMSSP_SEND ?
175 "send" : "receive",
176 gnutls_strerror(rc));
177 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
178 }
179 }
180
181 SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
182 memcpy(sig->data + 4, digest, 8);
183 ZERO_ARRAY(digest);
184 memcpy(sig->data + 12, seq_num, 4);
185 ZERO_ARRAY(seq_num);
186
187 dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length);
188
189 } else {
190 uint32_t crc;
191
192 crc = crc32(0, Z_NULL, 0);
193 crc = crc32(crc, data, length);
194
195 status = msrpc_gen(sig_mem_ctx,
196 sig, "dddd",
197 NTLMSSP_SIGN_VERSION, 0, crc,
198 ntlmssp_state->crypt->ntlm.seq_num);
199 if (!NT_STATUS_IS_OK(status)) {
200 return status;
201 }
202
203 ntlmssp_state->crypt->ntlm.seq_num++;
204
205 dump_arc4_state("ntlmssp hash: \n",
206 &ntlmssp_state->crypt->ntlm.seal_state);
207 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
208 sig->data + 4,
209 sig->length - 4);
210 if (rc < 0) {
211 DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
212 "signature failed: %s\n",
213 gnutls_strerror(rc));
214 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
215 }
216 }
217
218 return NT_STATUS_OK;
219 }
220
221 NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
222 TALLOC_CTX *sig_mem_ctx,
223 const uint8_t *data, size_t length,
224 const uint8_t *whole_pdu, size_t pdu_length,
225 DATA_BLOB *sig)
226 {
227 NTSTATUS nt_status;
228
229 if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
230 DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
231 return NT_STATUS_INVALID_PARAMETER;
232 }
233
234 if (!ntlmssp_state->session_key.length) {
235 DEBUG(3, ("NO session key, cannot check sign packet\n"));
236 return NT_STATUS_NO_USER_SESSION_KEY;
237 }
238
239 nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
240 sig_mem_ctx,
241 data, length,
242 whole_pdu, pdu_length,
243 NTLMSSP_SEND, sig, true);
244
245 return nt_status;
246 }
247
248 /**
249 * Check the signature of an incoming packet
250 * @note caller *must* check that the signature is the size it expects
251 *
252 */
253
254 NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
255 const uint8_t *data, size_t length,
256 const uint8_t *whole_pdu, size_t pdu_length,
257 const DATA_BLOB *sig)
258 {
259 DATA_BLOB local_sig;
260 NTSTATUS nt_status;
261 TALLOC_CTX *tmp_ctx;
262
263 if (!ntlmssp_state->session_key.length) {
264 DEBUG(3, ("NO session key, cannot check packet signature\n"));
265 return NT_STATUS_NO_USER_SESSION_KEY;
266 }
267
268 if (sig->length < 8) {
269 DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
270 (unsigned long)sig->length));
271 }
272
273 tmp_ctx = talloc_new(ntlmssp_state);
274 if (!tmp_ctx) {
275 return NT_STATUS_NO_MEMORY;
276 }
277
278 nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
279 tmp_ctx,
280 data, length,
281 whole_pdu, pdu_length,
282 NTLMSSP_RECEIVE,
283 &local_sig, true);
284
285 if (!NT_STATUS_IS_OK(nt_status)) {
286 DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
287 nt_errstr(nt_status)));
288 talloc_free(tmp_ctx);
289 return nt_status;
290 }
291
292 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
293 if (local_sig.length != sig->length ||
294 !mem_equal_const_time(local_sig.data, sig->data, sig->length)) {
295 DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
296 dump_data(5, local_sig.data, local_sig.length);
297
298 DEBUG(5, ("BAD SIG: got signature of\n"));
299 dump_data(5, sig->data, sig->length);
300
301 DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
302 talloc_free(tmp_ctx);
303 return NT_STATUS_ACCESS_DENIED;
304 }
305 } else {
306 if (local_sig.length != sig->length ||
307 !mem_equal_const_time(local_sig.data + 8, sig->data + 8, sig->length - 8)) {
308 DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
309 dump_data(5, local_sig.data, local_sig.length);
310
311 DEBUG(5, ("BAD SIG: got signature of\n"));
312 dump_data(5, sig->data, sig->length);
313
314 DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
315 talloc_free(tmp_ctx);
316 return NT_STATUS_ACCESS_DENIED;
317 }
318 }
319 dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length);
320 DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
321
322 talloc_free(tmp_ctx);
323 return NT_STATUS_OK;
324 }
325
326 /**
327 * Seal data with the NTLMSSP algorithm
328 *
329 */
330
331 NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
332 TALLOC_CTX *sig_mem_ctx,
333 uint8_t *data, size_t length,
334 const uint8_t *whole_pdu, size_t pdu_length,
335 DATA_BLOB *sig)
336 {
337 int rc;
338
339 if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
340 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
341 return NT_STATUS_INVALID_PARAMETER;
342 }
343
344 if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
345 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
346 return NT_STATUS_INVALID_PARAMETER;
347 }
348
349 if (!ntlmssp_state->session_key.length) {
350 DEBUG(3, ("NO session key, cannot seal packet\n"));
351 return NT_STATUS_NO_USER_SESSION_KEY;
352 }
353
354 DEBUG(10,("ntlmssp_seal_data: seal\n"));
355 dump_data_pw("ntlmssp clear data\n", data, length);
356 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
357 NTSTATUS nt_status;
358 /*
359 * The order of these two operations matters - we
360 * must first seal the packet, then seal the
361 * sequence number - this is because the
362 * send_seal_hash is not constant, but is is rather
363 * updated with each iteration
364 */
365 nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
366 sig_mem_ctx,
367 data, length,
368 whole_pdu, pdu_length,
369 NTLMSSP_SEND,
370 sig, false);
371 if (!NT_STATUS_IS_OK(nt_status)) {
372 return nt_status;
373 }
374
375 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
376 data,
377 length);
378 if (rc < 0) {
379 DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
380 "failed: %s\n",
381 gnutls_strerror(rc));
382 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
383 }
384 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
385 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
386 sig->data + 4,
387 8);
388 if (rc < 0) {
389 DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
390 "the EXCH signature data failed: %s\n",
391 gnutls_strerror(rc));
392 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
393 }
394 }
395 } else {
396 NTSTATUS status;
397 uint32_t crc;
398
399 crc = crc32(0, Z_NULL, 0);
400 crc = crc32(crc, data, length);
401
402 status = msrpc_gen(sig_mem_ctx,
403 sig, "dddd",
404 NTLMSSP_SIGN_VERSION, 0, crc,
405 ntlmssp_state->crypt->ntlm.seq_num);
406 if (!NT_STATUS_IS_OK(status)) {
407 return status;
408 }
409
410 /*
411 * The order of these two operations matters - we
412 * must first seal the packet, then seal the
413 * sequence number - this is because the ntlmv1_arc4_state
414 * is not constant, but is is rather updated with
415 * each iteration
416 */
417 dump_arc4_state("ntlmv1 arc4 state:\n",
418 &ntlmssp_state->crypt->ntlm.seal_state);
419 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
420 data,
421 length);
422 if (rc < 0) {
423 DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
424 "failed: %s\n",
425 gnutls_strerror(rc));
426 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
427 }
428
429 dump_arc4_state("ntlmv1 arc4 state:\n",
430 &ntlmssp_state->crypt->ntlm.seal_state);
431
432 rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
433 sig->data + 4,
434 sig->length - 4);
435 if (rc < 0) {
436 DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
437 "data failed: %s\n",
438 gnutls_strerror(rc));
439 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
440 }
441
442 ntlmssp_state->crypt->ntlm.seq_num++;
443 }
444 dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
445 dump_data_pw("ntlmssp sealed data\n", data, length);
446
447 return NT_STATUS_OK;
448 }
449
450 /**
451 * Unseal data with the NTLMSSP algorithm
452 *
453 */
454
455 NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
456 uint8_t *data, size_t length,
457 const uint8_t *whole_pdu, size_t pdu_length,
458 const DATA_BLOB *sig)
459 {
460 NTSTATUS status;
461 int rc;
462
463 if (!ntlmssp_state->session_key.length) {
464 DEBUG(3, ("NO session key, cannot unseal packet\n"));
465 return NT_STATUS_NO_USER_SESSION_KEY;
466 }
467
468 DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
469 dump_data_pw("ntlmssp sealed data\n", data, length);
470
471 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
472 /* First unseal the data. */
473 rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
474 data,
475 length);
476 if (rc < 0) {
477 DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
478 "data failed: %s\n",
479 gnutls_strerror(rc));
480 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
481 }
482 dump_data_pw("ntlmv2 clear data\n", data, length);
483 } else {
484 rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
485 data,
486 length);
487 if (rc < 0) {
488 DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
489 "data failed: %s\n",
490 gnutls_strerror(rc));
491 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
492 }
493 dump_data_pw("ntlmv1 clear data\n", data, length);
494 }
495
496 status = ntlmssp_check_packet(ntlmssp_state,
497 data, length,
498 whole_pdu, pdu_length,
499 sig);
500
501 if (!NT_STATUS_IS_OK(status)) {
502 DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
503 (unsigned long long)length));
504 }
505 return status;
506 }
507
508 NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
509 TALLOC_CTX *out_mem_ctx,
510 const DATA_BLOB *in,
511 DATA_BLOB *out)
512 {
513 NTSTATUS nt_status;
514 DATA_BLOB sig;
515
516 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
517 if (in->length + NTLMSSP_SIG_SIZE < in->length) {
518 return NT_STATUS_INVALID_PARAMETER;
519 }
520
521 *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
522 if (!out->data) {
523 return NT_STATUS_NO_MEMORY;
524 }
525 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
526
527 nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx,
528 out->data + NTLMSSP_SIG_SIZE,
529 out->length - NTLMSSP_SIG_SIZE,
530 out->data + NTLMSSP_SIG_SIZE,
531 out->length - NTLMSSP_SIG_SIZE,
532 &sig);
533
534 if (NT_STATUS_IS_OK(nt_status)) {
535 memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
536 talloc_free(sig.data);
537 }
538 return nt_status;
539
540 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
541 if (in->length + NTLMSSP_SIG_SIZE < in->length) {
542 return NT_STATUS_INVALID_PARAMETER;
543 }
544
545 *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
546 if (!out->data) {
547 return NT_STATUS_NO_MEMORY;
548 }
549 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
550
551 nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx,
552 out->data + NTLMSSP_SIG_SIZE,
553 out->length - NTLMSSP_SIG_SIZE,
554 out->data + NTLMSSP_SIG_SIZE,
555 out->length - NTLMSSP_SIG_SIZE,
556 &sig);
557
558 if (NT_STATUS_IS_OK(nt_status)) {
559 memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
560 talloc_free(sig.data);
561 }
562 return nt_status;
563 } else {
564 *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
565 if (!out->data) {
566 return NT_STATUS_NO_MEMORY;
567 }
568 return NT_STATUS_OK;
569 }
570 }
571
572 NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
573 TALLOC_CTX *out_mem_ctx,
574 const DATA_BLOB *in,
575 DATA_BLOB *out)
576 {
577 DATA_BLOB sig;
578
579 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
580 if (in->length < NTLMSSP_SIG_SIZE) {
581 return NT_STATUS_INVALID_PARAMETER;
582 }
583 sig.data = in->data;
584 sig.length = NTLMSSP_SIG_SIZE;
585
586 *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
587
588 return ntlmssp_unseal_packet(ntlmssp_state,
589 out->data, out->length,
590 out->data, out->length,
591 &sig);
592
593 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
594 if (in->length < NTLMSSP_SIG_SIZE) {
595 return NT_STATUS_INVALID_PARAMETER;
596 }
597 sig.data = in->data;
598 sig.length = NTLMSSP_SIG_SIZE;
599
600 *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
601
602 return ntlmssp_check_packet(ntlmssp_state,
603 out->data, out->length,
604 out->data, out->length,
605 &sig);
606 } else {
607 *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
608 if (!out->data) {
609 return NT_STATUS_NO_MEMORY;
610 }
611 return NT_STATUS_OK;
612 }
613 }
614
615 /**
616 Initialise the state for NTLMSSP signing.
617 */
618 NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
619 bool reset_seqnums)
620 {
621 int rc;
622
623 DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
624 debug_ntlmssp_flags(ntlmssp_state->neg_flags);
625
626 if (ntlmssp_state->crypt == NULL) {
627 return NT_STATUS_INVALID_PARAMETER_MIX;
628 }
629
630 if (ntlmssp_state->force_wrap_seal &&
631 (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
632 {
633 /*
634 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
635 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
636 * is requested.
637 *
638 * The negotiation of flags (and authentication)
639 * is completed when ntlmssp_sign_init() is called
640 * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
641 * was negotiated.
642 */
643 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
644 }
645
646 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
647 DATA_BLOB weak_session_key = ntlmssp_state->session_key;
648 const char *send_sign_const;
649 const char *send_seal_const;
650 const char *recv_sign_const;
651 const char *recv_seal_const;
652 uint8_t send_seal_key[16] = {0};
653 gnutls_datum_t send_seal_blob = {
654 .data = send_seal_key,
655 .size = sizeof(send_seal_key),
656 };
657 uint8_t recv_seal_key[16] = {0};
658 gnutls_datum_t recv_seal_blob = {
659 .data = recv_seal_key,
660 .size = sizeof(recv_seal_key),
661 };
662 NTSTATUS status;
663
664 switch (ntlmssp_state->role) {
665 case NTLMSSP_CLIENT:
666 send_sign_const = CLI_SIGN;
667 send_seal_const = CLI_SEAL;
668 recv_sign_const = SRV_SIGN;
669 recv_seal_const = SRV_SEAL;
670 break;
671 case NTLMSSP_SERVER:
672 send_sign_const = SRV_SIGN;
673 send_seal_const = SRV_SEAL;
674 recv_sign_const = CLI_SIGN;
675 recv_seal_const = CLI_SEAL;
676 break;
677 default:
678 return NT_STATUS_INTERNAL_ERROR;
679 }
680
681 /*
682 * Weaken NTLMSSP keys to cope with down-level
683 * clients, servers and export restrictions.
684 *
685 * We probably should have some parameters to
686 * control this, once we get NTLM2 working.
687 *
688 * Key weakening was not performed on the master key
689 * for NTLM2, but must be done on the encryption subkeys only.
690 */
691
692 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
693 /* nothing to do */
694 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
695 weak_session_key.length = 7;
696 } else { /* forty bits */
697 weak_session_key.length = 5;
698 }
699
700 dump_data_pw("NTLMSSP weakend master key:\n",
701 weak_session_key.data,
702 weak_session_key.length);
703
704 /* SEND: sign key */
705 status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key,
706 ntlmssp_state->session_key, send_sign_const);
707 if (!NT_STATUS_IS_OK(status)) {
708 return status;
709 }
710 dump_data_pw("NTLMSSP send sign key:\n",
711 ntlmssp_state->crypt->ntlm2.sending.sign_key, 16);
712
713 /* SEND: seal ARCFOUR pad */
714 status = calc_ntlmv2_key(send_seal_key,
715 weak_session_key,
716 send_seal_const);
717 if (!NT_STATUS_IS_OK(status)) {
718 return status;
719 }
720 dump_data_pw("NTLMSSP send seal key:\n",
721 send_seal_key,
722 sizeof(send_seal_key));
723
724 if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
725 gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
726 }
727 rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
728 GNUTLS_CIPHER_ARCFOUR_128,
729 &send_seal_blob,
730 NULL);
731 if (rc < 0) {
732 DBG_ERR("gnutls_cipher_init failed: %s\n",
733 gnutls_strerror(rc));
734 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
735 }
736
737 dump_arc4_state("NTLMSSP send seal arc4 state:\n",
738 &ntlmssp_state->crypt->ntlm2.sending.seal_state);
739
740 /* SEND: seq num */
741 if (reset_seqnums) {
742 ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
743 }
744
745 /* RECV: sign key */
746 status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
747 ntlmssp_state->session_key, recv_sign_const);
748 if (!NT_STATUS_IS_OK(status)) {
749 return status;
750 }
751 dump_data_pw("NTLMSSP recv sign key:\n",
752 ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16);
753
754 /* RECV: seal ARCFOUR pad */
755 status = calc_ntlmv2_key(recv_seal_key,
756 weak_session_key,
757 recv_seal_const);
758 if (!NT_STATUS_IS_OK(status)) {
759 return status;
760 }
761 dump_data_pw("NTLMSSP recv seal key:\n",
762 recv_seal_key,
763 sizeof(recv_seal_key));
764
765 if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
766 gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
767 }
768 rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
769 GNUTLS_CIPHER_ARCFOUR_128,
770 &recv_seal_blob,
771 NULL);
772 if (rc < 0) {
773 DBG_ERR("gnutls_cipher_init failed: %s\n",
774 gnutls_strerror(rc));
775 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
776 }
777
778 dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
779 &ntlmssp_state->crypt->ntlm2.receiving.seal_state);
780
781 /* RECV: seq num */
782 if (reset_seqnums) {
783 ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
784 }
785 } else {
786 gnutls_datum_t seal_session_key = {
787 .data = ntlmssp_state->session_key.data,
788 .size = ntlmssp_state->session_key.length,
789 };
790 bool do_weak = false;
791
792 DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
793
794 /*
795 * Key weakening not performed on the master key for NTLM2
796 * and does not occur for NTLM1. Therefore we only need
797 * to do this for the LM_KEY.
798 */
799 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
800 do_weak = true;
801 }
802
803 /*
804 * Nothing to weaken.
805 * We certainly don't want to 'extend' the length...
806 */
807 if (ntlmssp_state->session_key.length < 16) {
808 /* TODO: is this really correct? */
809 do_weak = false;
810 }
811
812 if (do_weak) {
813 uint8_t weak_session_key[8];
814
815 memcpy(weak_session_key, seal_session_key.data, 8);
816 seal_session_key = (gnutls_datum_t) {
817 .data = weak_session_key,
818 .size = sizeof(weak_session_key),
819 };
820
821 /*
822 * LM key doesn't support 128 bit crypto, so this is
823 * the best we can do. If you negotiate 128 bit, but
824 * not 56, you end up with 40 bit...
825 */
826 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
827 weak_session_key[7] = 0xa0;
828 } else { /* forty bits */
829 weak_session_key[5] = 0xe5;
830 weak_session_key[6] = 0x38;
831 weak_session_key[7] = 0xb0;
832 }
833 }
834
835 if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
836 gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
837 }
838 rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
839 GNUTLS_CIPHER_ARCFOUR_128,
840 &seal_session_key,
841 NULL);
842 if (rc < 0) {
843 DBG_ERR("gnutls_cipher_init failed: %s\n",
844 gnutls_strerror(rc));
845 return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
846 }
847
848 dump_arc4_state("NTLMv1 arc4 state:\n",
849 &ntlmssp_state->crypt->ntlm.seal_state);
850
851 if (reset_seqnums) {
852 ntlmssp_state->crypt->ntlm.seq_num = 0;
853 }
854 }
855
856 return NT_STATUS_OK;
857 }
858
859 static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
860 {
861 if (c->ntlm2.sending.seal_state != NULL) {
862 gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
863 c->ntlm2.sending.seal_state = NULL;
864 }
865 if (c->ntlm2.receiving.seal_state != NULL) {
866 gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
867 c->ntlm2.receiving.seal_state = NULL;
868 }
869 if (c->ntlm.seal_state != NULL) {
870 gnutls_cipher_deinit(c->ntlm.seal_state);
871 c->ntlm.seal_state = NULL;
872 }
873
874 return 0;
875 }
876
877 NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
878 {
879 if (ntlmssp_state->session_key.length < 8) {
880 DEBUG(3, ("NO session key, cannot initialise signing\n"));
881 return NT_STATUS_NO_USER_SESSION_KEY;
882 }
883
884 ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
885 union ntlmssp_crypt_state);
886 if (ntlmssp_state->crypt == NULL) {
887 return NT_STATUS_NO_MEMORY;
888 }
889 talloc_set_destructor(ntlmssp_state->crypt,
890 ntlmssp_crypt_free_gnutls_cipher_state);
891
892 return ntlmssp_sign_reset(ntlmssp_state, true);
893 }
Samba GIT mirror