2 * Unix SMB/CIFS implementation.
4 * NTLMSSP Signing routines
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-2001
6 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "auth/ntlmssp/ntlmssp.h"
24 #include "auth/gensec/gensec.h"
25 #include "../libcli/auth/ntlmssp_private.h"
27 NTSTATUS
gensec_ntlmssp_sign_packet(struct gensec_security
*gensec_security
,
28 TALLOC_CTX
*sig_mem_ctx
,
29 const uint8_t *data
, size_t length
,
30 const uint8_t *whole_pdu
, size_t pdu_length
,
33 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
34 talloc_get_type_abort(gensec_security
->private_data
,
35 struct gensec_ntlmssp_context
);
38 nt_status
= ntlmssp_sign_packet(gensec_ntlmssp
->ntlmssp_state
,
41 whole_pdu
, pdu_length
,
47 NTSTATUS
gensec_ntlmssp_check_packet(struct gensec_security
*gensec_security
,
48 TALLOC_CTX
*sig_mem_ctx
,
49 const uint8_t *data
, size_t length
,
50 const uint8_t *whole_pdu
, size_t pdu_length
,
53 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
54 talloc_get_type_abort(gensec_security
->private_data
,
55 struct gensec_ntlmssp_context
);
58 nt_status
= ntlmssp_check_packet(gensec_ntlmssp
->ntlmssp_state
,
60 whole_pdu
, pdu_length
,
66 NTSTATUS
gensec_ntlmssp_seal_packet(struct gensec_security
*gensec_security
,
67 TALLOC_CTX
*sig_mem_ctx
,
68 uint8_t *data
, size_t length
,
69 const uint8_t *whole_pdu
, size_t pdu_length
,
72 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
73 talloc_get_type_abort(gensec_security
->private_data
,
74 struct gensec_ntlmssp_context
);
77 nt_status
= ntlmssp_seal_packet(gensec_ntlmssp
->ntlmssp_state
,
80 whole_pdu
, pdu_length
,
87 wrappers for the ntlmssp_*() functions
89 NTSTATUS
gensec_ntlmssp_unseal_packet(struct gensec_security
*gensec_security
,
90 TALLOC_CTX
*sig_mem_ctx
,
91 uint8_t *data
, size_t length
,
92 const uint8_t *whole_pdu
, size_t pdu_length
,
95 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
96 talloc_get_type_abort(gensec_security
->private_data
,
97 struct gensec_ntlmssp_context
);
100 nt_status
= ntlmssp_unseal_packet(gensec_ntlmssp
->ntlmssp_state
,
102 whole_pdu
, pdu_length
,
108 size_t gensec_ntlmssp_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
110 return NTLMSSP_SIG_SIZE
;
113 NTSTATUS
gensec_ntlmssp_wrap(struct gensec_security
*gensec_security
,
114 TALLOC_CTX
*sig_mem_ctx
,
121 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
123 *out
= data_blob_talloc(sig_mem_ctx
, NULL
, in
->length
+ NTLMSSP_SIG_SIZE
);
125 return NT_STATUS_NO_MEMORY
;
127 memcpy(out
->data
+ NTLMSSP_SIG_SIZE
, in
->data
, in
->length
);
129 nt_status
= gensec_ntlmssp_seal_packet(gensec_security
, sig_mem_ctx
,
130 out
->data
+ NTLMSSP_SIG_SIZE
,
131 out
->length
- NTLMSSP_SIG_SIZE
,
132 out
->data
+ NTLMSSP_SIG_SIZE
,
133 out
->length
- NTLMSSP_SIG_SIZE
,
136 if (NT_STATUS_IS_OK(nt_status
)) {
137 memcpy(out
->data
, sig
.data
, NTLMSSP_SIG_SIZE
);
141 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
143 *out
= data_blob_talloc(sig_mem_ctx
, NULL
, in
->length
+ NTLMSSP_SIG_SIZE
);
145 return NT_STATUS_NO_MEMORY
;
147 memcpy(out
->data
+ NTLMSSP_SIG_SIZE
, in
->data
, in
->length
);
149 nt_status
= gensec_ntlmssp_sign_packet(gensec_security
, sig_mem_ctx
,
150 out
->data
+ NTLMSSP_SIG_SIZE
,
151 out
->length
- NTLMSSP_SIG_SIZE
,
152 out
->data
+ NTLMSSP_SIG_SIZE
,
153 out
->length
- NTLMSSP_SIG_SIZE
,
156 if (NT_STATUS_IS_OK(nt_status
)) {
157 memcpy(out
->data
, sig
.data
, NTLMSSP_SIG_SIZE
);
168 NTSTATUS
gensec_ntlmssp_unwrap(struct gensec_security
*gensec_security
,
169 TALLOC_CTX
*sig_mem_ctx
,
173 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
174 talloc_get_type_abort(gensec_security
->private_data
,
175 struct gensec_ntlmssp_context
);
176 struct ntlmssp_state
*ntlmssp_state
= gensec_ntlmssp
->ntlmssp_state
;
179 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
180 if (in
->length
< NTLMSSP_SIG_SIZE
) {
181 return NT_STATUS_INVALID_PARAMETER
;
184 sig
.length
= NTLMSSP_SIG_SIZE
;
186 *out
= data_blob_talloc(sig_mem_ctx
, in
->data
+ NTLMSSP_SIG_SIZE
, in
->length
- NTLMSSP_SIG_SIZE
);
188 return gensec_ntlmssp_unseal_packet(gensec_security
, sig_mem_ctx
,
189 out
->data
, out
->length
,
190 out
->data
, out
->length
,
193 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
195 struct ntlmssp_crypt_direction save_direction
;
197 if (in
->length
< NTLMSSP_SIG_SIZE
) {
198 return NT_STATUS_INVALID_PARAMETER
;
201 sig
.length
= NTLMSSP_SIG_SIZE
;
202 *out
= data_blob_talloc(sig_mem_ctx
, in
->data
+ NTLMSSP_SIG_SIZE
, in
->length
- NTLMSSP_SIG_SIZE
);
204 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
205 save_direction
= ntlmssp_state
->crypt
->ntlm2
.receiving
;
207 save_direction
= ntlmssp_state
->crypt
->ntlm
;
210 status
= gensec_ntlmssp_check_packet(gensec_security
, sig_mem_ctx
,
211 out
->data
, out
->length
,
212 out
->data
, out
->length
,
214 if (!NT_STATUS_IS_OK(status
)) {
215 NTSTATUS check_status
= status
;
217 * The Windows LDAP libraries seems to have a bug
218 * and always use sealing even if only signing was
219 * negotiated. So we need to fallback.
222 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
223 ntlmssp_state
->crypt
->ntlm2
.receiving
= save_direction
;
225 ntlmssp_state
->crypt
->ntlm
= save_direction
;
228 status
= gensec_ntlmssp_unseal_packet(gensec_security
,
235 if (NT_STATUS_IS_OK(status
)) {
236 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_SEAL
;
238 status
= check_status
;
242 if (!NT_STATUS_IS_OK(status
)) {
243 DEBUG(1, ("NTLMSSP packet check for unwrap failed due to invalid signature\n"));