2 * Unix SMB/CIFS implementation.
4 * NTLMSSP Signing routines
5 * Copyright (C) Andrew Bartlett 2003-2005
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "../auth/ntlmssp/ntlmssp.h"
23 #include "../libcli/auth/libcli_auth.h"
25 #include "../auth/ntlmssp/ntlmssp_private.h"
27 #include "lib/crypto/gnutls_helpers.h"
28 #include <gnutls/gnutls.h>
29 #include <gnutls/crypto.h>
32 #define DBGC_CLASS DBGC_AUTH
34 #define CLI_SIGN "session key to client-to-server signing key magic constant"
35 #define CLI_SEAL "session key to client-to-server sealing key magic constant"
36 #define SRV_SIGN "session key to server-to-client signing key magic constant"
37 #define SRV_SEAL "session key to server-to-client sealing key magic constant"
40 * Some notes on the NTLM2 code:
42 * NTLM2 is a AEAD system. This means that the data encrypted is not
43 * all the data that is signed. In DCE-RPC case, the headers of the
44 * DCE-RPC packets are also signed. This prevents some of the
45 * fun-and-games one might have by changing them.
49 static void dump_arc4_state(const char *description
,
50 gnutls_cipher_hd_t
*state
)
52 DBG_DEBUG("%s\n", description
);
55 static NTSTATUS
calc_ntlmv2_key(uint8_t subkey
[16],
56 DATA_BLOB session_key
,
59 gnutls_hash_hd_t hash_hnd
= NULL
;
62 rc
= gnutls_hash_init(&hash_hnd
, GNUTLS_DIG_MD5
);
64 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
66 rc
= gnutls_hash(hash_hnd
, session_key
.data
, session_key
.length
);
68 gnutls_hash_deinit(hash_hnd
, NULL
);
69 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
71 rc
= gnutls_hash(hash_hnd
, constant
, strlen(constant
) + 1);
73 gnutls_hash_deinit(hash_hnd
, NULL
);
74 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
76 gnutls_hash_deinit(hash_hnd
, subkey
);
81 enum ntlmssp_direction
{
86 static NTSTATUS
ntlmssp_make_packet_signature(struct ntlmssp_state
*ntlmssp_state
,
87 TALLOC_CTX
*sig_mem_ctx
,
88 const uint8_t *data
, size_t length
,
89 const uint8_t *whole_pdu
, size_t pdu_length
,
90 enum ntlmssp_direction direction
,
91 DATA_BLOB
*sig
, bool encrypt_sig
)
93 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
96 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
97 gnutls_hmac_hd_t hmac_hnd
= NULL
;
101 *sig
= data_blob_talloc(sig_mem_ctx
, NULL
, NTLMSSP_SIG_SIZE
);
103 return NT_STATUS_NO_MEMORY
;
108 DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
109 ntlmssp_state
->crypt
->ntlm2
.sending
.seq_num
,
110 (unsigned int)length
,
111 (unsigned int)pdu_length
));
113 SIVAL(seq_num
, 0, ntlmssp_state
->crypt
->ntlm2
.sending
.seq_num
);
114 ntlmssp_state
->crypt
->ntlm2
.sending
.seq_num
++;
116 rc
= gnutls_hmac_init(&hmac_hnd
,
118 ntlmssp_state
->crypt
->ntlm2
.sending
.sign_key
,
121 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
124 case NTLMSSP_RECEIVE
:
126 DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
127 ntlmssp_state
->crypt
->ntlm2
.receiving
.seq_num
,
128 (unsigned int)length
,
129 (unsigned int)pdu_length
));
131 SIVAL(seq_num
, 0, ntlmssp_state
->crypt
->ntlm2
.receiving
.seq_num
);
132 ntlmssp_state
->crypt
->ntlm2
.receiving
.seq_num
++;
134 rc
= gnutls_hmac_init(&hmac_hnd
,
136 ntlmssp_state
->crypt
->ntlm2
.receiving
.sign_key
,
139 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
144 dump_data_pw("pdu data ", whole_pdu
, pdu_length
);
146 rc
= gnutls_hmac(hmac_hnd
, seq_num
, sizeof(seq_num
));
148 gnutls_hmac_deinit(hmac_hnd
, NULL
);
149 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
151 rc
= gnutls_hmac(hmac_hnd
, whole_pdu
, pdu_length
);
153 gnutls_hmac_deinit(hmac_hnd
, NULL
);
154 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
156 gnutls_hmac_deinit(hmac_hnd
, digest
);
158 if (encrypt_sig
&& (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_KEY_EXCH
)) {
161 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
,
165 case NTLMSSP_RECEIVE
:
166 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm2
.receiving
.seal_state
,
172 DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
173 "%s packet signature failed: %s\n",
174 direction
== NTLMSSP_SEND
?
176 gnutls_strerror(rc
));
177 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
181 SIVAL(sig
->data
, 0, NTLMSSP_SIGN_VERSION
);
182 memcpy(sig
->data
+ 4, digest
, 8);
184 memcpy(sig
->data
+ 12, seq_num
, 4);
187 dump_data_pw("ntlmssp v2 sig ", sig
->data
, sig
->length
);
192 crc
= crc32(0, Z_NULL
, 0);
193 crc
= crc32(crc
, data
, length
);
195 status
= msrpc_gen(sig_mem_ctx
,
197 NTLMSSP_SIGN_VERSION
, 0, crc
,
198 ntlmssp_state
->crypt
->ntlm
.seq_num
);
199 if (!NT_STATUS_IS_OK(status
)) {
203 ntlmssp_state
->crypt
->ntlm
.seq_num
++;
205 dump_arc4_state("ntlmssp hash: \n",
206 &ntlmssp_state
->crypt
->ntlm
.seal_state
);
207 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm
.seal_state
,
211 DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
212 "signature failed: %s\n",
213 gnutls_strerror(rc
));
214 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
221 NTSTATUS
ntlmssp_sign_packet(struct ntlmssp_state
*ntlmssp_state
,
222 TALLOC_CTX
*sig_mem_ctx
,
223 const uint8_t *data
, size_t length
,
224 const uint8_t *whole_pdu
, size_t pdu_length
,
229 if (!(ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
)) {
230 DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
231 return NT_STATUS_INVALID_PARAMETER
;
234 if (!ntlmssp_state
->session_key
.length
) {
235 DEBUG(3, ("NO session key, cannot check sign packet\n"));
236 return NT_STATUS_NO_USER_SESSION_KEY
;
239 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
,
242 whole_pdu
, pdu_length
,
243 NTLMSSP_SEND
, sig
, true);
249 * Check the signature of an incoming packet
250 * @note caller *must* check that the signature is the size it expects
254 NTSTATUS
ntlmssp_check_packet(struct ntlmssp_state
*ntlmssp_state
,
255 const uint8_t *data
, size_t length
,
256 const uint8_t *whole_pdu
, size_t pdu_length
,
257 const DATA_BLOB
*sig
)
263 if (!ntlmssp_state
->session_key
.length
) {
264 DEBUG(3, ("NO session key, cannot check packet signature\n"));
265 return NT_STATUS_NO_USER_SESSION_KEY
;
268 if (sig
->length
< 8) {
269 DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
270 (unsigned long)sig
->length
));
273 tmp_ctx
= talloc_new(ntlmssp_state
);
275 return NT_STATUS_NO_MEMORY
;
278 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
,
281 whole_pdu
, pdu_length
,
285 if (!NT_STATUS_IS_OK(nt_status
)) {
286 DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
287 nt_errstr(nt_status
)));
288 talloc_free(tmp_ctx
);
292 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
293 if (local_sig
.length
!= sig
->length
||
294 !mem_equal_const_time(local_sig
.data
, sig
->data
, sig
->length
)) {
295 DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
296 dump_data(5, local_sig
.data
, local_sig
.length
);
298 DEBUG(5, ("BAD SIG: got signature of\n"));
299 dump_data(5, sig
->data
, sig
->length
);
301 DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
302 talloc_free(tmp_ctx
);
303 return NT_STATUS_ACCESS_DENIED
;
306 if (local_sig
.length
!= sig
->length
||
307 !mem_equal_const_time(local_sig
.data
+ 8, sig
->data
+ 8, sig
->length
- 8)) {
308 DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
309 dump_data(5, local_sig
.data
, local_sig
.length
);
311 DEBUG(5, ("BAD SIG: got signature of\n"));
312 dump_data(5, sig
->data
, sig
->length
);
314 DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
315 talloc_free(tmp_ctx
);
316 return NT_STATUS_ACCESS_DENIED
;
319 dump_data_pw("checked ntlmssp signature\n", sig
->data
, sig
->length
);
320 DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
322 talloc_free(tmp_ctx
);
327 * Seal data with the NTLMSSP algorithm
331 NTSTATUS
ntlmssp_seal_packet(struct ntlmssp_state
*ntlmssp_state
,
332 TALLOC_CTX
*sig_mem_ctx
,
333 uint8_t *data
, size_t length
,
334 const uint8_t *whole_pdu
, size_t pdu_length
,
339 if (!(ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
)) {
340 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
341 return NT_STATUS_INVALID_PARAMETER
;
344 if (!(ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
)) {
345 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
346 return NT_STATUS_INVALID_PARAMETER
;
349 if (!ntlmssp_state
->session_key
.length
) {
350 DEBUG(3, ("NO session key, cannot seal packet\n"));
351 return NT_STATUS_NO_USER_SESSION_KEY
;
354 DEBUG(10,("ntlmssp_seal_data: seal\n"));
355 dump_data_pw("ntlmssp clear data\n", data
, length
);
356 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
359 * The order of these two operations matters - we
360 * must first seal the packet, then seal the
361 * sequence number - this is because the
362 * send_seal_hash is not constant, but is is rather
363 * updated with each iteration
365 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
,
368 whole_pdu
, pdu_length
,
371 if (!NT_STATUS_IS_OK(nt_status
)) {
375 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
,
379 DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
381 gnutls_strerror(rc
));
382 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
384 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_KEY_EXCH
) {
385 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
,
389 DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
390 "the EXCH signature data failed: %s\n",
391 gnutls_strerror(rc
));
392 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
399 crc
= crc32(0, Z_NULL
, 0);
400 crc
= crc32(crc
, data
, length
);
402 status
= msrpc_gen(sig_mem_ctx
,
404 NTLMSSP_SIGN_VERSION
, 0, crc
,
405 ntlmssp_state
->crypt
->ntlm
.seq_num
);
406 if (!NT_STATUS_IS_OK(status
)) {
411 * The order of these two operations matters - we
412 * must first seal the packet, then seal the
413 * sequence number - this is because the ntlmv1_arc4_state
414 * is not constant, but is is rather updated with
417 dump_arc4_state("ntlmv1 arc4 state:\n",
418 &ntlmssp_state
->crypt
->ntlm
.seal_state
);
419 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm
.seal_state
,
423 DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
425 gnutls_strerror(rc
));
426 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
429 dump_arc4_state("ntlmv1 arc4 state:\n",
430 &ntlmssp_state
->crypt
->ntlm
.seal_state
);
432 rc
= gnutls_cipher_encrypt(ntlmssp_state
->crypt
->ntlm
.seal_state
,
436 DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
438 gnutls_strerror(rc
));
439 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
442 ntlmssp_state
->crypt
->ntlm
.seq_num
++;
444 dump_data_pw("ntlmssp signature\n", sig
->data
, sig
->length
);
445 dump_data_pw("ntlmssp sealed data\n", data
, length
);
451 * Unseal data with the NTLMSSP algorithm
455 NTSTATUS
ntlmssp_unseal_packet(struct ntlmssp_state
*ntlmssp_state
,
456 uint8_t *data
, size_t length
,
457 const uint8_t *whole_pdu
, size_t pdu_length
,
458 const DATA_BLOB
*sig
)
463 if (!ntlmssp_state
->session_key
.length
) {
464 DEBUG(3, ("NO session key, cannot unseal packet\n"));
465 return NT_STATUS_NO_USER_SESSION_KEY
;
468 DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
469 dump_data_pw("ntlmssp sealed data\n", data
, length
);
471 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
472 /* First unseal the data. */
473 rc
= gnutls_cipher_decrypt(ntlmssp_state
->crypt
->ntlm2
.receiving
.seal_state
,
477 DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
479 gnutls_strerror(rc
));
480 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
482 dump_data_pw("ntlmv2 clear data\n", data
, length
);
484 rc
= gnutls_cipher_decrypt(ntlmssp_state
->crypt
->ntlm
.seal_state
,
488 DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
490 gnutls_strerror(rc
));
491 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
493 dump_data_pw("ntlmv1 clear data\n", data
, length
);
496 status
= ntlmssp_check_packet(ntlmssp_state
,
498 whole_pdu
, pdu_length
,
501 if (!NT_STATUS_IS_OK(status
)) {
502 DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
503 (unsigned long long)length
));
508 NTSTATUS
ntlmssp_wrap(struct ntlmssp_state
*ntlmssp_state
,
509 TALLOC_CTX
*out_mem_ctx
,
516 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
) {
517 if (in
->length
+ NTLMSSP_SIG_SIZE
< in
->length
) {
518 return NT_STATUS_INVALID_PARAMETER
;
521 *out
= data_blob_talloc(out_mem_ctx
, NULL
, in
->length
+ NTLMSSP_SIG_SIZE
);
523 return NT_STATUS_NO_MEMORY
;
525 memcpy(out
->data
+ NTLMSSP_SIG_SIZE
, in
->data
, in
->length
);
527 nt_status
= ntlmssp_seal_packet(ntlmssp_state
, out_mem_ctx
,
528 out
->data
+ NTLMSSP_SIG_SIZE
,
529 out
->length
- NTLMSSP_SIG_SIZE
,
530 out
->data
+ NTLMSSP_SIG_SIZE
,
531 out
->length
- NTLMSSP_SIG_SIZE
,
534 if (NT_STATUS_IS_OK(nt_status
)) {
535 memcpy(out
->data
, sig
.data
, NTLMSSP_SIG_SIZE
);
536 talloc_free(sig
.data
);
540 } else if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
) {
541 if (in
->length
+ NTLMSSP_SIG_SIZE
< in
->length
) {
542 return NT_STATUS_INVALID_PARAMETER
;
545 *out
= data_blob_talloc(out_mem_ctx
, NULL
, in
->length
+ NTLMSSP_SIG_SIZE
);
547 return NT_STATUS_NO_MEMORY
;
549 memcpy(out
->data
+ NTLMSSP_SIG_SIZE
, in
->data
, in
->length
);
551 nt_status
= ntlmssp_sign_packet(ntlmssp_state
, out_mem_ctx
,
552 out
->data
+ NTLMSSP_SIG_SIZE
,
553 out
->length
- NTLMSSP_SIG_SIZE
,
554 out
->data
+ NTLMSSP_SIG_SIZE
,
555 out
->length
- NTLMSSP_SIG_SIZE
,
558 if (NT_STATUS_IS_OK(nt_status
)) {
559 memcpy(out
->data
, sig
.data
, NTLMSSP_SIG_SIZE
);
560 talloc_free(sig
.data
);
564 *out
= data_blob_talloc(out_mem_ctx
, in
->data
, in
->length
);
566 return NT_STATUS_NO_MEMORY
;
572 NTSTATUS
ntlmssp_unwrap(struct ntlmssp_state
*ntlmssp_state
,
573 TALLOC_CTX
*out_mem_ctx
,
579 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
) {
580 if (in
->length
< NTLMSSP_SIG_SIZE
) {
581 return NT_STATUS_INVALID_PARAMETER
;
584 sig
.length
= NTLMSSP_SIG_SIZE
;
586 *out
= data_blob_talloc(out_mem_ctx
, in
->data
+ NTLMSSP_SIG_SIZE
, in
->length
- NTLMSSP_SIG_SIZE
);
588 return ntlmssp_unseal_packet(ntlmssp_state
,
589 out
->data
, out
->length
,
590 out
->data
, out
->length
,
593 } else if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
) {
594 if (in
->length
< NTLMSSP_SIG_SIZE
) {
595 return NT_STATUS_INVALID_PARAMETER
;
598 sig
.length
= NTLMSSP_SIG_SIZE
;
600 *out
= data_blob_talloc(out_mem_ctx
, in
->data
+ NTLMSSP_SIG_SIZE
, in
->length
- NTLMSSP_SIG_SIZE
);
602 return ntlmssp_check_packet(ntlmssp_state
,
603 out
->data
, out
->length
,
604 out
->data
, out
->length
,
607 *out
= data_blob_talloc(out_mem_ctx
, in
->data
, in
->length
);
609 return NT_STATUS_NO_MEMORY
;
616 Initialise the state for NTLMSSP signing.
618 NTSTATUS
ntlmssp_sign_reset(struct ntlmssp_state
*ntlmssp_state
,
623 DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
624 debug_ntlmssp_flags(ntlmssp_state
->neg_flags
);
626 if (ntlmssp_state
->crypt
== NULL
) {
627 return NT_STATUS_INVALID_PARAMETER_MIX
;
630 if (ntlmssp_state
->force_wrap_seal
&&
631 (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SIGN
))
634 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
635 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
638 * The negotiation of flags (and authentication)
639 * is completed when ntlmssp_sign_init() is called
640 * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
643 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_SEAL
;
646 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
647 DATA_BLOB weak_session_key
= ntlmssp_state
->session_key
;
648 const char *send_sign_const
;
649 const char *send_seal_const
;
650 const char *recv_sign_const
;
651 const char *recv_seal_const
;
652 uint8_t send_seal_key
[16] = {0};
653 gnutls_datum_t send_seal_blob
= {
654 .data
= send_seal_key
,
655 .size
= sizeof(send_seal_key
),
657 uint8_t recv_seal_key
[16] = {0};
658 gnutls_datum_t recv_seal_blob
= {
659 .data
= recv_seal_key
,
660 .size
= sizeof(recv_seal_key
),
664 switch (ntlmssp_state
->role
) {
666 send_sign_const
= CLI_SIGN
;
667 send_seal_const
= CLI_SEAL
;
668 recv_sign_const
= SRV_SIGN
;
669 recv_seal_const
= SRV_SEAL
;
672 send_sign_const
= SRV_SIGN
;
673 send_seal_const
= SRV_SEAL
;
674 recv_sign_const
= CLI_SIGN
;
675 recv_seal_const
= CLI_SEAL
;
678 return NT_STATUS_INTERNAL_ERROR
;
682 * Weaken NTLMSSP keys to cope with down-level
683 * clients, servers and export restrictions.
685 * We probably should have some parameters to
686 * control this, once we get NTLM2 working.
688 * Key weakening was not performed on the master key
689 * for NTLM2, but must be done on the encryption subkeys only.
692 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_128
) {
694 } else if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_56
) {
695 weak_session_key
.length
= 7;
696 } else { /* forty bits */
697 weak_session_key
.length
= 5;
700 dump_data_pw("NTLMSSP weakend master key:\n",
701 weak_session_key
.data
,
702 weak_session_key
.length
);
705 status
= calc_ntlmv2_key(ntlmssp_state
->crypt
->ntlm2
.sending
.sign_key
,
706 ntlmssp_state
->session_key
, send_sign_const
);
707 if (!NT_STATUS_IS_OK(status
)) {
710 dump_data_pw("NTLMSSP send sign key:\n",
711 ntlmssp_state
->crypt
->ntlm2
.sending
.sign_key
, 16);
713 /* SEND: seal ARCFOUR pad */
714 status
= calc_ntlmv2_key(send_seal_key
,
717 if (!NT_STATUS_IS_OK(status
)) {
720 dump_data_pw("NTLMSSP send seal key:\n",
722 sizeof(send_seal_key
));
724 if (ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
!= NULL
) {
725 gnutls_cipher_deinit(ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
);
727 rc
= gnutls_cipher_init(&ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
,
728 GNUTLS_CIPHER_ARCFOUR_128
,
732 DBG_ERR("gnutls_cipher_init failed: %s\n",
733 gnutls_strerror(rc
));
734 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
737 dump_arc4_state("NTLMSSP send seal arc4 state:\n",
738 &ntlmssp_state
->crypt
->ntlm2
.sending
.seal_state
);
742 ntlmssp_state
->crypt
->ntlm2
.sending
.seq_num
= 0;
746 status
= calc_ntlmv2_key(ntlmssp_state
->crypt
->ntlm2
.receiving
.sign_key
,
747 ntlmssp_state
->session_key
, recv_sign_const
);
748 if (!NT_STATUS_IS_OK(status
)) {
751 dump_data_pw("NTLMSSP recv sign key:\n",
752 ntlmssp_state
->crypt
->ntlm2
.receiving
.sign_key
, 16);
754 /* RECV: seal ARCFOUR pad */
755 status
= calc_ntlmv2_key(recv_seal_key
,
758 if (!NT_STATUS_IS_OK(status
)) {
761 dump_data_pw("NTLMSSP recv seal key:\n",
763 sizeof(recv_seal_key
));
765 if (ntlmssp_state
->crypt
->ntlm2
.receiving
.seal_state
!= NULL
) {
766 gnutls_cipher_deinit(ntlmssp_state
->crypt
->ntlm2
.receiving
.seal_state
);
768 rc
= gnutls_cipher_init(&ntlmssp_state
->crypt
->ntlm2
.receiving
.seal_state
,
769 GNUTLS_CIPHER_ARCFOUR_128
,
773 DBG_ERR("gnutls_cipher_init failed: %s\n",
774 gnutls_strerror(rc
));
775 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
778 dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
779 &ntlmssp_state
->crypt
->ntlm2
.receiving
.seal_state
);
783 ntlmssp_state
->crypt
->ntlm2
.receiving
.seq_num
= 0;
786 gnutls_datum_t seal_session_key
= {
787 .data
= ntlmssp_state
->session_key
.data
,
788 .size
= ntlmssp_state
->session_key
.length
,
790 bool do_weak
= false;
792 DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
795 * Key weakening not performed on the master key for NTLM2
796 * and does not occur for NTLM1. Therefore we only need
797 * to do this for the LM_KEY.
799 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_LM_KEY
) {
805 * We certainly don't want to 'extend' the length...
807 if (ntlmssp_state
->session_key
.length
< 16) {
808 /* TODO: is this really correct? */
813 uint8_t weak_session_key
[8];
815 memcpy(weak_session_key
, seal_session_key
.data
, 8);
816 seal_session_key
= (gnutls_datum_t
) {
817 .data
= weak_session_key
,
818 .size
= sizeof(weak_session_key
),
822 * LM key doesn't support 128 bit crypto, so this is
823 * the best we can do. If you negotiate 128 bit, but
824 * not 56, you end up with 40 bit...
826 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_56
) {
827 weak_session_key
[7] = 0xa0;
828 } else { /* forty bits */
829 weak_session_key
[5] = 0xe5;
830 weak_session_key
[6] = 0x38;
831 weak_session_key
[7] = 0xb0;
835 if (ntlmssp_state
->crypt
->ntlm
.seal_state
!= NULL
) {
836 gnutls_cipher_deinit(ntlmssp_state
->crypt
->ntlm
.seal_state
);
838 rc
= gnutls_cipher_init(&ntlmssp_state
->crypt
->ntlm
.seal_state
,
839 GNUTLS_CIPHER_ARCFOUR_128
,
843 DBG_ERR("gnutls_cipher_init failed: %s\n",
844 gnutls_strerror(rc
));
845 return gnutls_error_to_ntstatus(rc
, NT_STATUS_NTLM_BLOCKED
);
848 dump_arc4_state("NTLMv1 arc4 state:\n",
849 &ntlmssp_state
->crypt
->ntlm
.seal_state
);
852 ntlmssp_state
->crypt
->ntlm
.seq_num
= 0;
859 static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state
*c
)
861 if (c
->ntlm2
.sending
.seal_state
!= NULL
) {
862 gnutls_cipher_deinit(c
->ntlm2
.sending
.seal_state
);
863 c
->ntlm2
.sending
.seal_state
= NULL
;
865 if (c
->ntlm2
.receiving
.seal_state
!= NULL
) {
866 gnutls_cipher_deinit(c
->ntlm2
.receiving
.seal_state
);
867 c
->ntlm2
.receiving
.seal_state
= NULL
;
869 if (c
->ntlm
.seal_state
!= NULL
) {
870 gnutls_cipher_deinit(c
->ntlm
.seal_state
);
871 c
->ntlm
.seal_state
= NULL
;
877 NTSTATUS
ntlmssp_sign_init(struct ntlmssp_state
*ntlmssp_state
)
879 if (ntlmssp_state
->session_key
.length
< 8) {
880 DEBUG(3, ("NO session key, cannot initialise signing\n"));
881 return NT_STATUS_NO_USER_SESSION_KEY
;
884 ntlmssp_state
->crypt
= talloc_zero(ntlmssp_state
,
885 union ntlmssp_crypt_state
);
886 if (ntlmssp_state
->crypt
== NULL
) {
887 return NT_STATUS_NO_MEMORY
;
889 talloc_set_destructor(ntlmssp_state
->crypt
,
890 ntlmssp_crypt_free_gnutls_cipher_state
);
892 return ntlmssp_sign_reset(ntlmssp_state
, true);