2 * Unix SMB/CIFS implementation.
4 * NTLMSSP Signing routines
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-2001
6 * Copyright (C) Andrew Bartlett 2003
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software Foundation,
20 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 #define CLI_SIGN "session key to client-to-server signing key magic constant"
26 #define CLI_SEAL "session key to client-to-server sealing key magic constant"
27 #define SRV_SIGN "session key to server-to-client signing key magic constant"
28 #define SRV_SEAL "session key to server-to-client sealing key magic constant"
30 static void NTLMSSPcalc_ap( unsigned char *hash
, unsigned char *data
, int len
)
32 unsigned char index_i
= hash
[256];
33 unsigned char index_j
= hash
[257];
36 for (ind
= 0; ind
< len
; ind
++)
42 index_j
+= hash
[index_i
];
45 hash
[index_i
] = hash
[index_j
];
48 t
= hash
[index_i
] + hash
[index_j
];
49 data
[ind
] = data
[ind
] ^ hash
[t
];
56 static void calc_hash(unsigned char hash
[258], const char *k2
, int k2l
)
61 for (ind
= 0; ind
< 256; ind
++)
63 hash
[ind
] = (unsigned char)ind
;
66 for (ind
= 0; ind
< 256; ind
++)
70 j
+= (hash
[ind
] + k2
[ind
%k2l
]);
81 static void calc_ntlmv2_hash(unsigned char hash
[258], unsigned char digest
[16],
82 DATA_BLOB session_key
,
85 struct MD5Context ctx3
;
87 /* NOTE: This code is currently complate fantasy - it's
88 got more in common with reality than the previous code
89 (the LM session key is not the right thing to use) but
90 it still needs work */
93 MD5Update(&ctx3
, session_key
.data
, session_key
.length
);
94 MD5Update(&ctx3
, (const unsigned char *)constant
, strlen(constant
)+1);
95 MD5Final(digest
, &ctx3
);
97 calc_hash(hash
, digest
, 16);
100 enum ntlmssp_direction
{
105 static NTSTATUS
ntlmssp_make_packet_signature(NTLMSSP_STATE
*ntlmssp_state
,
106 const uchar
*data
, size_t length
,
107 enum ntlmssp_direction direction
,
110 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
114 SIVAL(seq_num
, 0, ntlmssp_state
->ntlmssp_seq_num
);
116 hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state
->send_sign_const
), 16, &ctx
);
117 hmac_md5_update(seq_num
, 4, &ctx
);
118 hmac_md5_update(data
, length
, &ctx
);
119 hmac_md5_final(digest
, &ctx
);
121 if (!msrpc_gen(sig
, "dBd", NTLMSSP_SIGN_VERSION
, digest
, 8 /* only copy first 8 bytes */
122 , ntlmssp_state
->ntlmssp_seq_num
)) {
123 return NT_STATUS_NO_MEMORY
;
126 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_KEY_EXCH
) {
129 NTLMSSPcalc_ap(ntlmssp_state
->send_sign_hash
, sig
->data
+4, sig
->length
-4);
131 case NTLMSSP_RECEIVE
:
132 NTLMSSPcalc_ap(ntlmssp_state
->recv_sign_hash
, sig
->data
+4, sig
->length
-4);
138 crc
= crc32_calc_buffer((const char *)data
, length
);
139 if (!msrpc_gen(sig
, "dddd", NTLMSSP_SIGN_VERSION
, 0, crc
, ntlmssp_state
->ntlmssp_seq_num
)) {
140 return NT_STATUS_NO_MEMORY
;
143 dump_data_pw("ntlmssp hash:\n", ntlmssp_state
->ntlmssp_hash
,
144 sizeof(ntlmssp_state
->ntlmssp_hash
));
145 NTLMSSPcalc_ap(ntlmssp_state
->ntlmssp_hash
, sig
->data
+4, sig
->length
-4);
150 NTSTATUS
ntlmssp_sign_packet(NTLMSSP_STATE
*ntlmssp_state
,
151 const uchar
*data
, size_t length
,
155 if (!ntlmssp_state
->session_key
.length
) {
156 DEBUG(3, ("NO session key, cannot check sign packet\n"));
157 return NT_STATUS_NO_USER_SESSION_KEY
;
160 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
, data
, length
, NTLMSSP_SEND
, sig
);
162 /* increment counter on send */
163 ntlmssp_state
->ntlmssp_seq_num
++;
168 * Check the signature of an incoming packet
169 * @note caller *must* check that the signature is the size it expects
173 NTSTATUS
ntlmssp_check_packet(NTLMSSP_STATE
*ntlmssp_state
,
174 const uchar
*data
, size_t length
,
175 const DATA_BLOB
*sig
)
180 if (!ntlmssp_state
->session_key
.length
) {
181 DEBUG(3, ("NO session key, cannot check packet signature\n"));
182 return NT_STATUS_NO_USER_SESSION_KEY
;
185 if (sig
->length
< 8) {
186 DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
187 (unsigned long)sig
->length
));
190 nt_status
= ntlmssp_make_packet_signature(ntlmssp_state
, data
,
191 length
, NTLMSSP_RECEIVE
, &local_sig
);
193 if (!NT_STATUS_IS_OK(nt_status
)) {
194 DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status
)));
198 if (memcmp(sig
->data
+sig
->length
- 8, local_sig
.data
+local_sig
.length
- 8, 8) != 0) {
199 DEBUG(5, ("BAD SIG: wanted signature of\n"));
200 dump_data(5, (const char *)local_sig
.data
, local_sig
.length
);
202 DEBUG(5, ("BAD SIG: got signature of\n"));
203 dump_data(5, (const char *)(sig
->data
), sig
->length
);
205 DEBUG(0, ("NTLMSSP packet check failed due to invalid signature!\n"));
206 return NT_STATUS_ACCESS_DENIED
;
209 /* increment counter on recieive */
210 ntlmssp_state
->ntlmssp_seq_num
++;
217 * Seal data with the NTLMSSP algorithm
221 NTSTATUS
ntlmssp_seal_packet(NTLMSSP_STATE
*ntlmssp_state
,
222 uchar
*data
, size_t length
,
225 if (!ntlmssp_state
->session_key
.length
) {
226 DEBUG(3, ("NO session key, cannot seal packet\n"));
227 return NT_STATUS_NO_USER_SESSION_KEY
;
230 DEBUG(10,("ntlmssp_seal_data: seal\n"));
231 dump_data_pw("ntlmssp clear data\n", data
, length
);
232 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
236 SIVAL(seq_num
, 0, ntlmssp_state
->ntlmssp_seq_num
);
238 hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state
->send_sign_const
), 16, &ctx
);
239 hmac_md5_update((const unsigned char *)seq_num
, 4, &ctx
);
240 hmac_md5_update(data
, length
, &ctx
);
241 hmac_md5_final(digest
, &ctx
);
243 if (!msrpc_gen(sig
, "dBd", NTLMSSP_SIGN_VERSION
, digest
, 8 /* only copy first 8 bytes */
244 , ntlmssp_state
->ntlmssp_seq_num
)) {
245 return NT_STATUS_NO_MEMORY
;
248 dump_data_pw("ntlmssp client sealing hash:\n",
249 ntlmssp_state
->send_seal_hash
,
250 sizeof(ntlmssp_state
->send_seal_hash
));
251 NTLMSSPcalc_ap(ntlmssp_state
->send_seal_hash
, data
, length
);
252 dump_data_pw("ntlmssp client signing hash:\n",
253 ntlmssp_state
->send_sign_hash
,
254 sizeof(ntlmssp_state
->send_sign_hash
));
255 NTLMSSPcalc_ap(ntlmssp_state
->send_sign_hash
, sig
->data
+4, sig
->length
-4);
258 crc
= crc32_calc_buffer((const char *)data
, length
);
259 if (!msrpc_gen(sig
, "dddd", NTLMSSP_SIGN_VERSION
, 0, crc
, ntlmssp_state
->ntlmssp_seq_num
)) {
260 return NT_STATUS_NO_MEMORY
;
263 /* The order of these two operations matters - we must first seal the packet,
264 then seal the sequence number - this is becouse the ntlmssp_hash is not
265 constant, but is is rather updated with each iteration */
267 dump_data_pw("ntlmssp hash:\n", ntlmssp_state
->ntlmssp_hash
,
268 sizeof(ntlmssp_state
->ntlmssp_hash
));
269 NTLMSSPcalc_ap(ntlmssp_state
->ntlmssp_hash
, data
, length
);
271 dump_data_pw("ntlmssp hash:\n", ntlmssp_state
->ntlmssp_hash
,
272 sizeof(ntlmssp_state
->ntlmssp_hash
));
273 NTLMSSPcalc_ap(ntlmssp_state
->ntlmssp_hash
, sig
->data
+4, sig
->length
-4);
275 dump_data_pw("ntlmssp sealed data\n", data
, length
);
277 /* increment counter on send */
278 ntlmssp_state
->ntlmssp_seq_num
++;
284 * Unseal data with the NTLMSSP algorithm
288 NTSTATUS
ntlmssp_unseal_packet(NTLMSSP_STATE
*ntlmssp_state
,
289 uchar
*data
, size_t length
,
292 if (!ntlmssp_state
->session_key
.length
) {
293 DEBUG(3, ("NO session key, cannot unseal packet\n"));
294 return NT_STATUS_NO_USER_SESSION_KEY
;
297 DEBUG(10,("ntlmssp__unseal_data: seal\n"));
298 dump_data_pw("ntlmssp sealed data\n", data
, length
);
299 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
) {
300 NTLMSSPcalc_ap(ntlmssp_state
->recv_seal_hash
, data
, length
);
302 dump_data_pw("ntlmssp hash:\n", ntlmssp_state
->ntlmssp_hash
,
303 sizeof(ntlmssp_state
->ntlmssp_hash
));
304 NTLMSSPcalc_ap(ntlmssp_state
->ntlmssp_hash
, data
, length
);
306 dump_data_pw("ntlmssp clear data\n", data
, length
);
308 return ntlmssp_check_packet(ntlmssp_state
, data
, length
, sig
);
312 Initialise the state for NTLMSSP signing.
314 NTSTATUS
ntlmssp_sign_init(NTLMSSP_STATE
*ntlmssp_state
)
316 unsigned char p24
[24];
319 DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
320 debug_ntlmssp_flags(ntlmssp_state
->neg_flags
);
322 if (!ntlmssp_state
->session_key
.length
) {
323 DEBUG(3, ("NO session key, cannot intialise signing\n"));
324 return NT_STATUS_NO_USER_SESSION_KEY
;
327 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_NTLM2
)
329 const char *send_sign_const
;
330 const char *send_seal_const
;
331 const char *recv_sign_const
;
332 const char *recv_seal_const
;
334 switch (ntlmssp_state
->role
) {
336 send_sign_const
= CLI_SIGN
;
337 send_seal_const
= CLI_SEAL
;
338 recv_sign_const
= SRV_SIGN
;
339 recv_seal_const
= SRV_SEAL
;
342 send_sign_const
= SRV_SIGN
;
343 send_seal_const
= SRV_SEAL
;
344 recv_sign_const
= CLI_SIGN
;
345 recv_seal_const
= CLI_SEAL
;
349 calc_ntlmv2_hash(ntlmssp_state
->send_sign_hash
,
350 ntlmssp_state
->send_sign_const
,
351 ntlmssp_state
->session_key
, send_sign_const
);
352 dump_data_pw("NTLMSSP send sign hash:\n",
353 ntlmssp_state
->send_sign_hash
,
354 sizeof(ntlmssp_state
->send_sign_hash
));
356 calc_ntlmv2_hash(ntlmssp_state
->send_seal_hash
,
357 ntlmssp_state
->send_seal_const
,
358 ntlmssp_state
->session_key
, send_seal_const
);
359 dump_data_pw("NTLMSSP send sesl hash:\n",
360 ntlmssp_state
->send_seal_hash
,
361 sizeof(ntlmssp_state
->send_seal_hash
));
363 calc_ntlmv2_hash(ntlmssp_state
->recv_sign_hash
,
364 ntlmssp_state
->recv_sign_const
,
365 ntlmssp_state
->session_key
, recv_sign_const
);
366 dump_data_pw("NTLMSSP receive sign hash:\n",
367 ntlmssp_state
->recv_sign_hash
,
368 sizeof(ntlmssp_state
->recv_sign_hash
));
370 calc_ntlmv2_hash(ntlmssp_state
->recv_seal_hash
,
371 ntlmssp_state
->recv_seal_const
,
372 ntlmssp_state
->session_key
, recv_seal_const
);
373 dump_data_pw("NTLMSSP receive seal hash:\n",
374 ntlmssp_state
->recv_sign_hash
,
375 sizeof(ntlmssp_state
->recv_sign_hash
));
378 else if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_LM_KEY
) {
379 if (!ntlmssp_state
->session_key
.data
|| ntlmssp_state
->session_key
.length
< 8) {
380 /* can't sign or check signatures yet */
381 DEBUG(5, ("NTLMSSP Sign/Seal - cannot use LM KEY yet\n"));
382 return NT_STATUS_UNSUCCESSFUL
;
385 DEBUG(5, ("NTLMSSP Sign/Seal - using LM KEY\n"));
387 calc_hash(ntlmssp_state
->ntlmssp_hash
, (const char *)(ntlmssp_state
->session_key
.data
), 8);
388 dump_data_pw("NTLMSSP hash:\n", ntlmssp_state
->ntlmssp_hash
,
389 sizeof(ntlmssp_state
->ntlmssp_hash
));
391 if (!ntlmssp_state
->session_key
.data
|| ntlmssp_state
->session_key
.length
< 16) {
392 /* can't sign or check signatures yet */
393 DEBUG(5, ("NTLMSSP Sign/Seal - cannot use NT KEY yet\n"));
394 return NT_STATUS_UNSUCCESSFUL
;
397 DEBUG(5, ("NTLMSSP Sign/Seal - using NT KEY\n"));
399 calc_hash(ntlmssp_state
->ntlmssp_hash
, (const char *)(ntlmssp_state
->session_key
.data
), 16);
400 dump_data_pw("NTLMSSP hash:\n", ntlmssp_state
->ntlmssp_hash
,
401 sizeof(ntlmssp_state
->ntlmssp_hash
));
404 ntlmssp_state
->ntlmssp_seq_num
= 0;