search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:rpc_client/rpc_transport_tstream: timeout should be unsigned int
[Samba/gbeck.git] / source4 / auth / ntlmssp / ntlmssp_sign.c
blob8cde44150a43d57ded3472c7e7fbfdcd00ef6a17
1 /*
2 * Unix SMB/CIFS implementation.
3 * Version 3.0
4 * NTLMSSP Signing routines
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-2001
6 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "auth/ntlmssp/ntlmssp.h"
24 #include "auth/gensec/gensec.h"
25 #include "../libcli/auth/ntlmssp_private.h"
26
27 NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
28 TALLOC_CTX *sig_mem_ctx,
29 const uint8_t *data, size_t length,
30 const uint8_t *whole_pdu, size_t pdu_length,
31 DATA_BLOB *sig)
32 {
33 struct gensec_ntlmssp_context *gensec_ntlmssp =
34 talloc_get_type_abort(gensec_security->private_data,
35 struct gensec_ntlmssp_context);
36 NTSTATUS nt_status;
37
38 nt_status = ntlmssp_sign_packet(gensec_ntlmssp->ntlmssp_state,
39 sig_mem_ctx,
40 data, length,
41 whole_pdu, pdu_length,
42 sig);
43
44 return nt_status;
45 }
46
47 NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
48 TALLOC_CTX *sig_mem_ctx,
49 const uint8_t *data, size_t length,
50 const uint8_t *whole_pdu, size_t pdu_length,
51 const DATA_BLOB *sig)
52 {
53 struct gensec_ntlmssp_context *gensec_ntlmssp =
54 talloc_get_type_abort(gensec_security->private_data,
55 struct gensec_ntlmssp_context);
56 NTSTATUS nt_status;
57
58 nt_status = ntlmssp_check_packet(gensec_ntlmssp->ntlmssp_state,
59 data, length,
60 whole_pdu, pdu_length,
61 sig);
62
63 return nt_status;
64 }
65
66 NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
67 TALLOC_CTX *sig_mem_ctx,
68 uint8_t *data, size_t length,
69 const uint8_t *whole_pdu, size_t pdu_length,
70 DATA_BLOB *sig)
71 {
72 struct gensec_ntlmssp_context *gensec_ntlmssp =
73 talloc_get_type_abort(gensec_security->private_data,
74 struct gensec_ntlmssp_context);
75 NTSTATUS nt_status;
76
77 nt_status = ntlmssp_seal_packet(gensec_ntlmssp->ntlmssp_state,
78 sig_mem_ctx,
79 data, length,
80 whole_pdu, pdu_length,
81 sig);
82
83 return nt_status;
84 }
85
86 /*
87 wrappers for the ntlmssp_*() functions
88 */
89 NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
90 TALLOC_CTX *sig_mem_ctx,
91 uint8_t *data, size_t length,
92 const uint8_t *whole_pdu, size_t pdu_length,
93 const DATA_BLOB *sig)
94 {
95 struct gensec_ntlmssp_context *gensec_ntlmssp =
96 talloc_get_type_abort(gensec_security->private_data,
97 struct gensec_ntlmssp_context);
98 NTSTATUS nt_status;
99
100 nt_status = ntlmssp_unseal_packet(gensec_ntlmssp->ntlmssp_state,
101 data, length,
102 whole_pdu, pdu_length,
103 sig);
104
105 return nt_status;
106 }
107
108 size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size)
109 {
110 return NTLMSSP_SIG_SIZE;
111 }
112
113 NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security,
114 TALLOC_CTX *sig_mem_ctx,
115 const DATA_BLOB *in,
116 DATA_BLOB *out)
117 {
118 DATA_BLOB sig;
119 NTSTATUS nt_status;
120
121 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
122
123 *out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
124 if (!out->data) {
125 return NT_STATUS_NO_MEMORY;
126 }
127 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
128
129 nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx,
130 out->data + NTLMSSP_SIG_SIZE,
131 out->length - NTLMSSP_SIG_SIZE,
132 out->data + NTLMSSP_SIG_SIZE,
133 out->length - NTLMSSP_SIG_SIZE,
134 &sig);
135
136 if (NT_STATUS_IS_OK(nt_status)) {
137 memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
138 }
139 return nt_status;
140
141 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
142
143 *out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
144 if (!out->data) {
145 return NT_STATUS_NO_MEMORY;
146 }
147 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
148
149 nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx,
150 out->data + NTLMSSP_SIG_SIZE,
151 out->length - NTLMSSP_SIG_SIZE,
152 out->data + NTLMSSP_SIG_SIZE,
153 out->length - NTLMSSP_SIG_SIZE,
154 &sig);
155
156 if (NT_STATUS_IS_OK(nt_status)) {
157 memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
158 }
159 return nt_status;
160
161 } else {
162 *out = *in;
163 return NT_STATUS_OK;
164 }
165 }
166
167
168 NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
169 TALLOC_CTX *sig_mem_ctx,
170 const DATA_BLOB *in,
171 DATA_BLOB *out)
172 {
173 struct gensec_ntlmssp_context *gensec_ntlmssp =
174 talloc_get_type_abort(gensec_security->private_data,
175 struct gensec_ntlmssp_context);
176 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
177 DATA_BLOB sig;
178
179 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
180 if (in->length < NTLMSSP_SIG_SIZE) {
181 return NT_STATUS_INVALID_PARAMETER;
182 }
183 sig.data = in->data;
184 sig.length = NTLMSSP_SIG_SIZE;
185
186 *out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
187
188 return gensec_ntlmssp_unseal_packet(gensec_security, sig_mem_ctx,
189 out->data, out->length,
190 out->data, out->length,
191 &sig);
192
193 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
194 NTSTATUS status;
195 struct ntlmssp_crypt_direction save_direction;
196
197 if (in->length < NTLMSSP_SIG_SIZE) {
198 return NT_STATUS_INVALID_PARAMETER;
199 }
200 sig.data = in->data;
201 sig.length = NTLMSSP_SIG_SIZE;
202 *out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
203
204 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
205 save_direction = ntlmssp_state->crypt->ntlm2.receiving;
206 } else {
207 save_direction = ntlmssp_state->crypt->ntlm;
208 }
209
210 status = gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx,
211 out->data, out->length,
212 out->data, out->length,
213 &sig);
214 if (!NT_STATUS_IS_OK(status)) {
215 NTSTATUS check_status = status;
216 /*
217 * The Windows LDAP libraries seems to have a bug
218 * and always use sealing even if only signing was
219 * negotiated. So we need to fallback.
220 */
221
222 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
223 ntlmssp_state->crypt->ntlm2.receiving = save_direction;
224 } else {
225 ntlmssp_state->crypt->ntlm = save_direction;
226 }
227
228 status = gensec_ntlmssp_unseal_packet(gensec_security,
229 sig_mem_ctx,
230 out->data,
231 out->length,
232 out->data,
233 out->length,
234 &sig);
235 if (NT_STATUS_IS_OK(status)) {
236 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
237 } else {
238 status = check_status;
239 }
240 }
241
242 if (!NT_STATUS_IS_OK(status)) {
243 DEBUG(1, ("NTLMSSP packet check for unwrap failed due to invalid signature\n"));
244 }
245 return status;
246 } else {
247 *out = *in;
248 return NT_STATUS_OK;
249 }
250 }
251
WIP