Line data Source code
1 : /*
2 : * Unix SMB/CIFS implementation.
3 : * Version 3.0
4 : * NTLMSSP Signing routines
5 : * Copyright (C) Andrew Bartlett 2003-2005
6 : *
7 : * This program is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 3 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * This program is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include "includes.h"
22 : #include "../auth/ntlmssp/ntlmssp.h"
23 : #include "../libcli/auth/libcli_auth.h"
24 : #include "zlib.h"
25 : #include "../auth/ntlmssp/ntlmssp_private.h"
26 :
27 : #include "lib/crypto/gnutls_helpers.h"
28 : #include <gnutls/gnutls.h>
29 : #include <gnutls/crypto.h>
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_AUTH
33 :
34 : #define CLI_SIGN "session key to client-to-server signing key magic constant"
35 : #define CLI_SEAL "session key to client-to-server sealing key magic constant"
36 : #define SRV_SIGN "session key to server-to-client signing key magic constant"
37 : #define SRV_SEAL "session key to server-to-client sealing key magic constant"
38 :
39 : /**
40 : * Some notes on the NTLM2 code:
41 : *
42 : * NTLM2 is a AEAD system. This means that the data encrypted is not
43 : * all the data that is signed. In DCE-RPC case, the headers of the
44 : * DCE-RPC packets are also signed. This prevents some of the
45 : * fun-and-games one might have by changing them.
46 : *
47 : */
48 :
49 270856 : static void dump_arc4_state(const char *description,
50 : gnutls_cipher_hd_t *state)
51 : {
52 270856 : DBG_DEBUG("%s\n", description);
53 270856 : }
54 :
55 521716 : static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
56 : DATA_BLOB session_key,
57 : const char *constant)
58 : {
59 521716 : gnutls_hash_hd_t hash_hnd = NULL;
60 2100 : int rc;
61 :
62 521716 : rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
63 521716 : if (rc < 0) {
64 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
65 : }
66 521716 : rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
67 521716 : if (rc < 0) {
68 0 : gnutls_hash_deinit(hash_hnd, NULL);
69 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
70 : }
71 521716 : rc = gnutls_hash(hash_hnd, constant, strlen(constant) + 1);
72 521716 : if (rc < 0) {
73 0 : gnutls_hash_deinit(hash_hnd, NULL);
74 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
75 : }
76 521716 : gnutls_hash_deinit(hash_hnd, subkey);
77 :
78 521716 : return NT_STATUS_OK;
79 : }
80 :
81 : enum ntlmssp_direction {
82 : NTLMSSP_SEND,
83 : NTLMSSP_RECEIVE
84 : };
85 :
86 1121130 : static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state,
87 : TALLOC_CTX *sig_mem_ctx,
88 : const uint8_t *data, size_t length,
89 : const uint8_t *whole_pdu, size_t pdu_length,
90 : enum ntlmssp_direction direction,
91 : DATA_BLOB *sig, bool encrypt_sig)
92 : {
93 1121130 : NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
94 529 : int rc;
95 :
96 1121130 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
97 1118431 : gnutls_hmac_hd_t hmac_hnd = NULL;
98 526 : uint8_t digest[16];
99 526 : uint8_t seq_num[4];
100 :
101 1118431 : *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
102 1118431 : if (!sig->data) {
103 0 : return NT_STATUS_NO_MEMORY;
104 : }
105 :
106 1118431 : switch (direction) {
107 561118 : case NTLMSSP_SEND:
108 561118 : DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
109 : ntlmssp_state->crypt->ntlm2.sending.seq_num,
110 : (unsigned int)length,
111 : (unsigned int)pdu_length));
112 :
113 561118 : SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num);
114 561118 : ntlmssp_state->crypt->ntlm2.sending.seq_num++;
115 :
116 561386 : rc = gnutls_hmac_init(&hmac_hnd,
117 : GNUTLS_MAC_MD5,
118 561118 : ntlmssp_state->crypt->ntlm2.sending.sign_key,
119 : 16);
120 561118 : if (rc < 0) {
121 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
122 : }
123 560850 : break;
124 557313 : case NTLMSSP_RECEIVE:
125 :
126 557313 : DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
127 : ntlmssp_state->crypt->ntlm2.receiving.seq_num,
128 : (unsigned int)length,
129 : (unsigned int)pdu_length));
130 :
131 557313 : SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num);
132 557313 : ntlmssp_state->crypt->ntlm2.receiving.seq_num++;
133 :
134 557571 : rc = gnutls_hmac_init(&hmac_hnd,
135 : GNUTLS_MAC_MD5,
136 557313 : ntlmssp_state->crypt->ntlm2.receiving.sign_key,
137 : 16);
138 557313 : if (rc < 0) {
139 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
140 : }
141 557055 : break;
142 : }
143 :
144 1118431 : dump_data_pw("pdu data ", whole_pdu, pdu_length);
145 :
146 1118431 : rc = gnutls_hmac(hmac_hnd, seq_num, sizeof(seq_num));
147 1118431 : if (rc < 0) {
148 0 : gnutls_hmac_deinit(hmac_hnd, NULL);
149 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
150 : }
151 1118431 : rc = gnutls_hmac(hmac_hnd, whole_pdu, pdu_length);
152 1118431 : if (rc < 0) {
153 0 : gnutls_hmac_deinit(hmac_hnd, NULL);
154 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
155 : }
156 1118431 : gnutls_hmac_deinit(hmac_hnd, digest);
157 :
158 1118431 : if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
159 634638 : switch (direction) {
160 77325 : case NTLMSSP_SEND:
161 77325 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
162 : digest,
163 : 8);
164 77325 : break;
165 557313 : case NTLMSSP_RECEIVE:
166 557313 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
167 : digest,
168 : 8);
169 557313 : break;
170 : }
171 634638 : if (rc < 0) {
172 0 : DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
173 : "%s packet signature failed: %s\n",
174 : direction == NTLMSSP_SEND ?
175 : "send" : "receive",
176 : gnutls_strerror(rc));
177 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
178 : }
179 : }
180 :
181 1118431 : SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
182 1118431 : memcpy(sig->data + 4, digest, 8);
183 1118431 : ZERO_ARRAY(digest);
184 1118431 : memcpy(sig->data + 12, seq_num, 4);
185 1118431 : ZERO_ARRAY(seq_num);
186 :
187 1118431 : dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length);
188 :
189 : } else {
190 3 : uint32_t crc;
191 :
192 2699 : crc = crc32(0, Z_NULL, 0);
193 2699 : crc = crc32(crc, data, length);
194 :
195 2702 : status = msrpc_gen(sig_mem_ctx,
196 : sig, "dddd",
197 : NTLMSSP_SIGN_VERSION, 0, crc,
198 2699 : ntlmssp_state->crypt->ntlm.seq_num);
199 2699 : if (!NT_STATUS_IS_OK(status)) {
200 0 : return status;
201 : }
202 :
203 2699 : ntlmssp_state->crypt->ntlm.seq_num++;
204 :
205 2699 : dump_arc4_state("ntlmssp hash: \n",
206 2696 : &ntlmssp_state->crypt->ntlm.seal_state);
207 2702 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
208 2699 : sig->data + 4,
209 2699 : sig->length - 4);
210 2699 : if (rc < 0) {
211 0 : DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
212 : "signature failed: %s\n",
213 : gnutls_strerror(rc));
214 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
215 : }
216 : }
217 :
218 1121130 : return NT_STATUS_OK;
219 : }
220 :
221 78398 : NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
222 : TALLOC_CTX *sig_mem_ctx,
223 : const uint8_t *data, size_t length,
224 : const uint8_t *whole_pdu, size_t pdu_length,
225 : DATA_BLOB *sig)
226 : {
227 269 : NTSTATUS nt_status;
228 :
229 78398 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
230 0 : DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
231 0 : return NT_STATUS_INVALID_PARAMETER;
232 : }
233 :
234 78398 : if (!ntlmssp_state->session_key.length) {
235 0 : DEBUG(3, ("NO session key, cannot check sign packet\n"));
236 0 : return NT_STATUS_NO_USER_SESSION_KEY;
237 : }
238 :
239 78398 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
240 : sig_mem_ctx,
241 : data, length,
242 : whole_pdu, pdu_length,
243 : NTLMSSP_SEND, sig, true);
244 :
245 78398 : return nt_status;
246 : }
247 :
248 : /**
249 : * Check the signature of an incoming packet
250 : * @note caller *must* check that the signature is the size it expects
251 : *
252 : */
253 :
254 558940 : NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
255 : const uint8_t *data, size_t length,
256 : const uint8_t *whole_pdu, size_t pdu_length,
257 : const DATA_BLOB *sig)
258 : {
259 261 : DATA_BLOB local_sig;
260 261 : NTSTATUS nt_status;
261 261 : TALLOC_CTX *tmp_ctx;
262 :
263 558940 : if (!ntlmssp_state->session_key.length) {
264 1 : DEBUG(3, ("NO session key, cannot check packet signature\n"));
265 1 : return NT_STATUS_NO_USER_SESSION_KEY;
266 : }
267 :
268 558939 : if (sig->length < 8) {
269 2 : DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
270 : (unsigned long)sig->length));
271 : }
272 :
273 558939 : tmp_ctx = talloc_new(ntlmssp_state);
274 558939 : if (!tmp_ctx) {
275 0 : return NT_STATUS_NO_MEMORY;
276 : }
277 :
278 558939 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
279 : tmp_ctx,
280 : data, length,
281 : whole_pdu, pdu_length,
282 : NTLMSSP_RECEIVE,
283 : &local_sig, true);
284 :
285 558939 : if (!NT_STATUS_IS_OK(nt_status)) {
286 0 : DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
287 : nt_errstr(nt_status)));
288 0 : talloc_free(tmp_ctx);
289 0 : return nt_status;
290 : }
291 :
292 558939 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
293 557571 : if (local_sig.length != sig->length ||
294 557311 : !mem_equal_const_time(local_sig.data, sig->data, sig->length)) {
295 6 : DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
296 6 : dump_data(5, local_sig.data, local_sig.length);
297 :
298 6 : DEBUG(5, ("BAD SIG: got signature of\n"));
299 6 : dump_data(5, sig->data, sig->length);
300 :
301 6 : DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
302 6 : talloc_free(tmp_ctx);
303 6 : return NT_STATUS_ACCESS_DENIED;
304 : }
305 : } else {
306 1627 : if (local_sig.length != sig->length ||
307 1625 : !mem_equal_const_time(local_sig.data + 8, sig->data + 8, sig->length - 8)) {
308 2 : DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
309 2 : dump_data(5, local_sig.data, local_sig.length);
310 :
311 2 : DEBUG(5, ("BAD SIG: got signature of\n"));
312 2 : dump_data(5, sig->data, sig->length);
313 :
314 2 : DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
315 2 : talloc_free(tmp_ctx);
316 2 : return NT_STATUS_ACCESS_DENIED;
317 : }
318 : }
319 558931 : dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length);
320 558931 : DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
321 :
322 558931 : talloc_free(tmp_ctx);
323 558931 : return NT_STATUS_OK;
324 : }
325 :
326 : /**
327 : * Seal data with the NTLMSSP algorithm
328 : *
329 : */
330 :
331 484393 : NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
332 : TALLOC_CTX *sig_mem_ctx,
333 : uint8_t *data, size_t length,
334 : const uint8_t *whole_pdu, size_t pdu_length,
335 : DATA_BLOB *sig)
336 : {
337 0 : int rc;
338 :
339 484393 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
340 0 : DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
341 0 : return NT_STATUS_INVALID_PARAMETER;
342 : }
343 :
344 484393 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
345 0 : DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
346 0 : return NT_STATUS_INVALID_PARAMETER;
347 : }
348 :
349 484393 : if (!ntlmssp_state->session_key.length) {
350 0 : DEBUG(3, ("NO session key, cannot seal packet\n"));
351 0 : return NT_STATUS_NO_USER_SESSION_KEY;
352 : }
353 :
354 484393 : DEBUG(10,("ntlmssp_seal_data: seal\n"));
355 484393 : dump_data_pw("ntlmssp clear data\n", data, length);
356 484393 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
357 0 : NTSTATUS nt_status;
358 : /*
359 : * The order of these two operations matters - we
360 : * must first seal the packet, then seal the
361 : * sequence number - this is because the
362 : * send_seal_hash is not constant, but is rather
363 : * updated with each iteration
364 : */
365 483793 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
366 : sig_mem_ctx,
367 : data, length,
368 : whole_pdu, pdu_length,
369 : NTLMSSP_SEND,
370 : sig, false);
371 483793 : if (!NT_STATUS_IS_OK(nt_status)) {
372 0 : return nt_status;
373 : }
374 :
375 483793 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
376 : data,
377 : length);
378 483793 : if (rc < 0) {
379 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
380 : "failed: %s\n",
381 : gnutls_strerror(rc));
382 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
383 : }
384 483793 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
385 483793 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
386 483793 : sig->data + 4,
387 : 8);
388 483793 : if (rc < 0) {
389 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
390 : "the EXCH signature data failed: %s\n",
391 : gnutls_strerror(rc));
392 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
393 : }
394 : }
395 : } else {
396 0 : NTSTATUS status;
397 0 : uint32_t crc;
398 :
399 600 : crc = crc32(0, Z_NULL, 0);
400 600 : crc = crc32(crc, data, length);
401 :
402 600 : status = msrpc_gen(sig_mem_ctx,
403 : sig, "dddd",
404 : NTLMSSP_SIGN_VERSION, 0, crc,
405 600 : ntlmssp_state->crypt->ntlm.seq_num);
406 600 : if (!NT_STATUS_IS_OK(status)) {
407 0 : return status;
408 : }
409 :
410 : /*
411 : * The order of these two operations matters - we
412 : * must first seal the packet, then seal the
413 : * sequence number - this is because the ntlmv1_arc4_state
414 : * is not constant, but is rather updated with
415 : * each iteration
416 : */
417 600 : dump_arc4_state("ntlmv1 arc4 state:\n",
418 600 : &ntlmssp_state->crypt->ntlm.seal_state);
419 600 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
420 : data,
421 : length);
422 600 : if (rc < 0) {
423 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
424 : "failed: %s\n",
425 : gnutls_strerror(rc));
426 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
427 : }
428 :
429 600 : dump_arc4_state("ntlmv1 arc4 state:\n",
430 600 : &ntlmssp_state->crypt->ntlm.seal_state);
431 :
432 600 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
433 600 : sig->data + 4,
434 600 : sig->length - 4);
435 600 : if (rc < 0) {
436 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
437 : "data failed: %s\n",
438 : gnutls_strerror(rc));
439 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
440 : }
441 :
442 600 : ntlmssp_state->crypt->ntlm.seq_num++;
443 : }
444 484393 : dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
445 484393 : dump_data_pw("ntlmssp sealed data\n", data, length);
446 :
447 484393 : return NT_STATUS_OK;
448 : }
449 :
450 : /**
451 : * Unseal data with the NTLMSSP algorithm
452 : *
453 : */
454 :
455 484383 : NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
456 : uint8_t *data, size_t length,
457 : const uint8_t *whole_pdu, size_t pdu_length,
458 : const DATA_BLOB *sig)
459 : {
460 0 : NTSTATUS status;
461 0 : int rc;
462 :
463 484383 : if (!ntlmssp_state->session_key.length) {
464 0 : DEBUG(3, ("NO session key, cannot unseal packet\n"));
465 0 : return NT_STATUS_NO_USER_SESSION_KEY;
466 : }
467 :
468 484383 : DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
469 484383 : dump_data_pw("ntlmssp sealed data\n", data, length);
470 :
471 484383 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
472 : /* First unseal the data. */
473 483783 : rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
474 : data,
475 : length);
476 483783 : if (rc < 0) {
477 0 : DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
478 : "data failed: %s\n",
479 : gnutls_strerror(rc));
480 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
481 : }
482 483783 : dump_data_pw("ntlmv2 clear data\n", data, length);
483 : } else {
484 600 : rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
485 : data,
486 : length);
487 600 : if (rc < 0) {
488 0 : DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
489 : "data failed: %s\n",
490 : gnutls_strerror(rc));
491 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
492 : }
493 600 : dump_data_pw("ntlmv1 clear data\n", data, length);
494 : }
495 :
496 484383 : status = ntlmssp_check_packet(ntlmssp_state,
497 : data, length,
498 : whole_pdu, pdu_length,
499 : sig);
500 :
501 484383 : if (!NT_STATUS_IS_OK(status)) {
502 0 : DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
503 : (unsigned long long)length));
504 : }
505 484383 : return status;
506 : }
507 :
508 456646 : NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
509 : TALLOC_CTX *out_mem_ctx,
510 : const DATA_BLOB *in,
511 : DATA_BLOB *out)
512 : {
513 0 : NTSTATUS nt_status;
514 0 : DATA_BLOB sig;
515 :
516 456646 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
517 456646 : if (in->length + NTLMSSP_SIG_SIZE < in->length) {
518 0 : return NT_STATUS_INVALID_PARAMETER;
519 : }
520 :
521 456646 : *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
522 456646 : if (!out->data) {
523 0 : return NT_STATUS_NO_MEMORY;
524 : }
525 456646 : memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
526 :
527 456646 : nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx,
528 456646 : out->data + NTLMSSP_SIG_SIZE,
529 456646 : out->length - NTLMSSP_SIG_SIZE,
530 456646 : out->data + NTLMSSP_SIG_SIZE,
531 456646 : out->length - NTLMSSP_SIG_SIZE,
532 : &sig);
533 :
534 456646 : if (NT_STATUS_IS_OK(nt_status)) {
535 456646 : memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
536 456646 : talloc_free(sig.data);
537 : }
538 456646 : return nt_status;
539 :
540 0 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
541 0 : if (in->length + NTLMSSP_SIG_SIZE < in->length) {
542 0 : return NT_STATUS_INVALID_PARAMETER;
543 : }
544 :
545 0 : *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
546 0 : if (!out->data) {
547 0 : return NT_STATUS_NO_MEMORY;
548 : }
549 0 : memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
550 :
551 0 : nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx,
552 0 : out->data + NTLMSSP_SIG_SIZE,
553 0 : out->length - NTLMSSP_SIG_SIZE,
554 0 : out->data + NTLMSSP_SIG_SIZE,
555 0 : out->length - NTLMSSP_SIG_SIZE,
556 : &sig);
557 :
558 0 : if (NT_STATUS_IS_OK(nt_status)) {
559 0 : memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
560 0 : talloc_free(sig.data);
561 : }
562 0 : return nt_status;
563 : } else {
564 0 : *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
565 0 : if (!out->data) {
566 0 : return NT_STATUS_NO_MEMORY;
567 : }
568 0 : return NT_STATUS_OK;
569 : }
570 : }
571 :
572 456645 : NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
573 : TALLOC_CTX *out_mem_ctx,
574 : const DATA_BLOB *in,
575 : DATA_BLOB *out)
576 : {
577 0 : DATA_BLOB sig;
578 :
579 456645 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
580 456645 : if (in->length < NTLMSSP_SIG_SIZE) {
581 0 : return NT_STATUS_INVALID_PARAMETER;
582 : }
583 456645 : sig.data = in->data;
584 456645 : sig.length = NTLMSSP_SIG_SIZE;
585 :
586 456645 : *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
587 :
588 456645 : return ntlmssp_unseal_packet(ntlmssp_state,
589 : out->data, out->length,
590 456645 : out->data, out->length,
591 : &sig);
592 :
593 0 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
594 0 : if (in->length < NTLMSSP_SIG_SIZE) {
595 0 : return NT_STATUS_INVALID_PARAMETER;
596 : }
597 0 : sig.data = in->data;
598 0 : sig.length = NTLMSSP_SIG_SIZE;
599 :
600 0 : *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
601 :
602 0 : return ntlmssp_check_packet(ntlmssp_state,
603 0 : out->data, out->length,
604 0 : out->data, out->length,
605 : &sig);
606 : } else {
607 0 : *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
608 0 : if (!out->data) {
609 0 : return NT_STATUS_NO_MEMORY;
610 : }
611 0 : return NT_STATUS_OK;
612 : }
613 : }
614 :
615 : /**
616 : Initialise the state for NTLMSSP signing.
617 : */
618 136528 : NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
619 : bool reset_seqnums)
620 : {
621 566 : int rc;
622 :
623 136528 : DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
624 136528 : debug_ntlmssp_flags(ntlmssp_state->neg_flags);
625 :
626 136528 : if (ntlmssp_state->crypt == NULL) {
627 0 : return NT_STATUS_INVALID_PARAMETER_MIX;
628 : }
629 :
630 136528 : if (ntlmssp_state->force_wrap_seal &&
631 35132 : (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
632 : {
633 : /*
634 : * We need to handle NTLMSSP_NEGOTIATE_SIGN as
635 : * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
636 : * is requested.
637 : *
638 : * The negotiation of flags (and authentication)
639 : * is completed when ntlmssp_sign_init() is called
640 : * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
641 : * was negotiated.
642 : */
643 35132 : ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
644 : }
645 :
646 136528 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
647 130429 : DATA_BLOB weak_session_key = ntlmssp_state->session_key;
648 525 : const char *send_sign_const;
649 525 : const char *send_seal_const;
650 525 : const char *recv_sign_const;
651 525 : const char *recv_seal_const;
652 130429 : uint8_t send_seal_key[16] = {0};
653 130429 : gnutls_datum_t send_seal_blob = {
654 : .data = send_seal_key,
655 : .size = sizeof(send_seal_key),
656 : };
657 130429 : uint8_t recv_seal_key[16] = {0};
658 130429 : gnutls_datum_t recv_seal_blob = {
659 : .data = recv_seal_key,
660 : .size = sizeof(recv_seal_key),
661 : };
662 525 : NTSTATUS status;
663 :
664 130429 : switch (ntlmssp_state->role) {
665 67007 : case NTLMSSP_CLIENT:
666 67007 : send_sign_const = CLI_SIGN;
667 67007 : send_seal_const = CLI_SEAL;
668 67007 : recv_sign_const = SRV_SIGN;
669 67007 : recv_seal_const = SRV_SEAL;
670 67007 : break;
671 63155 : case NTLMSSP_SERVER:
672 63155 : send_sign_const = SRV_SIGN;
673 63155 : send_seal_const = SRV_SEAL;
674 63155 : recv_sign_const = CLI_SIGN;
675 63155 : recv_seal_const = CLI_SEAL;
676 63155 : break;
677 0 : default:
678 0 : return NT_STATUS_INTERNAL_ERROR;
679 : }
680 :
681 : /*
682 : * Weaken NTLMSSP keys to cope with down-level
683 : * clients, servers and export restrictions.
684 : *
685 : * We probably should have some parameters to
686 : * control this, once we get NTLM2 working.
687 : *
688 : * Key weakening was not performed on the master key
689 : * for NTLM2, but must be done on the encryption subkeys only.
690 : */
691 :
692 130429 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
693 : /* nothing to do */
694 880 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
695 352 : weak_session_key.length = 7;
696 : } else { /* forty bits */
697 528 : weak_session_key.length = 5;
698 : }
699 :
700 130429 : dump_data_pw("NTLMSSP weakend master key:\n",
701 129904 : weak_session_key.data,
702 : weak_session_key.length);
703 :
704 : /* SEND: sign key */
705 130429 : status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key,
706 : ntlmssp_state->session_key, send_sign_const);
707 130429 : if (!NT_STATUS_IS_OK(status)) {
708 0 : return status;
709 : }
710 130429 : dump_data_pw("NTLMSSP send sign key:\n",
711 130429 : ntlmssp_state->crypt->ntlm2.sending.sign_key, 16);
712 :
713 : /* SEND: seal ARCFOUR pad */
714 130429 : status = calc_ntlmv2_key(send_seal_key,
715 : weak_session_key,
716 : send_seal_const);
717 130429 : if (!NT_STATUS_IS_OK(status)) {
718 0 : return status;
719 : }
720 130429 : dump_data_pw("NTLMSSP send seal key:\n",
721 : send_seal_key,
722 : sizeof(send_seal_key));
723 :
724 130429 : if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
725 63012 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
726 : }
727 130429 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
728 : GNUTLS_CIPHER_ARCFOUR_128,
729 : &send_seal_blob,
730 : NULL);
731 130429 : if (rc < 0) {
732 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
733 : gnutls_strerror(rc));
734 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
735 : }
736 :
737 130429 : dump_arc4_state("NTLMSSP send seal arc4 state:\n",
738 130429 : &ntlmssp_state->crypt->ntlm2.sending.seal_state);
739 :
740 : /* SEND: seq num */
741 130429 : if (reset_seqnums) {
742 70351 : ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
743 : }
744 :
745 : /* RECV: sign key */
746 130429 : status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
747 : ntlmssp_state->session_key, recv_sign_const);
748 130429 : if (!NT_STATUS_IS_OK(status)) {
749 0 : return status;
750 : }
751 130429 : dump_data_pw("NTLMSSP recv sign key:\n",
752 130429 : ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16);
753 :
754 : /* RECV: seal ARCFOUR pad */
755 130429 : status = calc_ntlmv2_key(recv_seal_key,
756 : weak_session_key,
757 : recv_seal_const);
758 130429 : if (!NT_STATUS_IS_OK(status)) {
759 0 : return status;
760 : }
761 130429 : dump_data_pw("NTLMSSP recv seal key:\n",
762 : recv_seal_key,
763 : sizeof(recv_seal_key));
764 :
765 130429 : if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
766 63012 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
767 : }
768 130429 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
769 : GNUTLS_CIPHER_ARCFOUR_128,
770 : &recv_seal_blob,
771 : NULL);
772 130429 : if (rc < 0) {
773 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
774 : gnutls_strerror(rc));
775 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
776 : }
777 :
778 130429 : dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
779 130429 : &ntlmssp_state->crypt->ntlm2.receiving.seal_state);
780 :
781 : /* RECV: seq num */
782 130429 : if (reset_seqnums) {
783 70351 : ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
784 : }
785 : } else {
786 6099 : gnutls_datum_t seal_session_key = {
787 6099 : .data = ntlmssp_state->session_key.data,
788 6099 : .size = ntlmssp_state->session_key.length,
789 : };
790 6099 : bool do_weak = false;
791 :
792 6099 : DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
793 :
794 : /*
795 : * Key weakening not performed on the master key for NTLM2
796 : * and does not occur for NTLM1. Therefore we only need
797 : * to do this for the LM_KEY.
798 : */
799 6099 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
800 0 : do_weak = true;
801 : }
802 :
803 : /*
804 : * Nothing to weaken.
805 : * We certainly don't want to 'extend' the length...
806 : */
807 6099 : if (ntlmssp_state->session_key.length < 16) {
808 : /* TODO: is this really correct? */
809 0 : do_weak = false;
810 : }
811 :
812 6098 : if (do_weak) {
813 0 : uint8_t weak_session_key[8];
814 :
815 0 : memcpy(weak_session_key, seal_session_key.data, 8);
816 0 : seal_session_key = (gnutls_datum_t) {
817 : .data = weak_session_key,
818 : .size = sizeof(weak_session_key),
819 : };
820 :
821 : /*
822 : * LM key doesn't support 128 bit crypto, so this is
823 : * the best we can do. If you negotiate 128 bit, but
824 : * not 56, you end up with 40 bit...
825 : */
826 0 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
827 0 : weak_session_key[7] = 0xa0;
828 : } else { /* forty bits */
829 0 : weak_session_key[5] = 0xe5;
830 0 : weak_session_key[6] = 0x38;
831 0 : weak_session_key[7] = 0xb0;
832 : }
833 : }
834 :
835 6099 : if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
836 2972 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
837 : }
838 6099 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
839 : GNUTLS_CIPHER_ARCFOUR_128,
840 : &seal_session_key,
841 : NULL);
842 6099 : if (rc < 0) {
843 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
844 : gnutls_strerror(rc));
845 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
846 : }
847 :
848 6099 : dump_arc4_state("NTLMv1 arc4 state:\n",
849 6099 : &ntlmssp_state->crypt->ntlm.seal_state);
850 :
851 6099 : if (reset_seqnums) {
852 5075 : ntlmssp_state->crypt->ntlm.seq_num = 0;
853 : }
854 : }
855 :
856 136528 : return NT_STATUS_OK;
857 : }
858 :
859 70018 : static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
860 : {
861 70018 : if (c->ntlm2.sending.seal_state != NULL) {
862 70018 : gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
863 70018 : c->ntlm2.sending.seal_state = NULL;
864 : }
865 70018 : if (c->ntlm2.receiving.seal_state != NULL) {
866 66895 : gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
867 66895 : c->ntlm2.receiving.seal_state = NULL;
868 : }
869 70018 : if (c->ntlm.seal_state != NULL) {
870 0 : gnutls_cipher_deinit(c->ntlm.seal_state);
871 0 : c->ntlm.seal_state = NULL;
872 : }
873 :
874 70018 : return 0;
875 : }
876 :
877 70544 : NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
878 : {
879 70544 : if (ntlmssp_state->session_key.length < 8) {
880 0 : DEBUG(3, ("NO session key, cannot initialise signing\n"));
881 0 : return NT_STATUS_NO_USER_SESSION_KEY;
882 : }
883 :
884 70544 : ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
885 : union ntlmssp_crypt_state);
886 70544 : if (ntlmssp_state->crypt == NULL) {
887 0 : return NT_STATUS_NO_MEMORY;
888 : }
889 70544 : talloc_set_destructor(ntlmssp_state->crypt,
890 : ntlmssp_crypt_free_gnutls_cipher_state);
891 :
892 70544 : return ntlmssp_sign_reset(ntlmssp_state, true);
893 : }
|
