Line data Source code
1 : /*
2 : * Unix SMB/CIFS implementation.
3 : * Version 3.0
4 : * NTLMSSP Signing routines
5 : * Copyright (C) Andrew Bartlett 2003-2005
6 : *
7 : * This program is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 3 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * This program is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include "includes.h"
22 : #include "../auth/ntlmssp/ntlmssp.h"
23 : #include "../libcli/auth/libcli_auth.h"
24 : #include "zlib.h"
25 : #include "../auth/ntlmssp/ntlmssp_private.h"
26 :
27 : #include "lib/crypto/gnutls_helpers.h"
28 : #include <gnutls/gnutls.h>
29 : #include <gnutls/crypto.h>
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_AUTH
33 :
34 : #define CLI_SIGN "session key to client-to-server signing key magic constant"
35 : #define CLI_SEAL "session key to client-to-server sealing key magic constant"
36 : #define SRV_SIGN "session key to server-to-client signing key magic constant"
37 : #define SRV_SEAL "session key to server-to-client sealing key magic constant"
38 :
39 : /**
40 : * Some notes on the NTLM2 code:
41 : *
42 : * NTLM2 is a AEAD system. This means that the data encrypted is not
43 : * all the data that is signed. In DCE-RPC case, the headers of the
44 : * DCE-RPC packets are also signed. This prevents some of the
45 : * fun-and-games one might have by changing them.
46 : *
47 : */
48 :
49 275056 : static void dump_arc4_state(const char *description,
50 : gnutls_cipher_hd_t *state)
51 : {
52 275056 : DBG_DEBUG("%s\n", description);
53 275056 : }
54 :
55 529684 : static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
56 : DATA_BLOB session_key,
57 : const char *constant)
58 : {
59 529684 : gnutls_hash_hd_t hash_hnd = NULL;
60 2212 : int rc;
61 :
62 529684 : rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
63 529684 : if (rc < 0) {
64 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
65 : }
66 529684 : rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
67 529684 : if (rc < 0) {
68 0 : gnutls_hash_deinit(hash_hnd, NULL);
69 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
70 : }
71 529684 : rc = gnutls_hash(hash_hnd, constant, strlen(constant) + 1);
72 529684 : if (rc < 0) {
73 0 : gnutls_hash_deinit(hash_hnd, NULL);
74 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
75 : }
76 529684 : gnutls_hash_deinit(hash_hnd, subkey);
77 :
78 529684 : return NT_STATUS_OK;
79 : }
80 :
81 : enum ntlmssp_direction {
82 : NTLMSSP_SEND,
83 : NTLMSSP_RECEIVE
84 : };
85 :
86 1120077 : static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state,
87 : TALLOC_CTX *sig_mem_ctx,
88 : const uint8_t *data, size_t length,
89 : const uint8_t *whole_pdu, size_t pdu_length,
90 : enum ntlmssp_direction direction,
91 : DATA_BLOB *sig, bool encrypt_sig)
92 : {
93 1120077 : NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
94 557 : int rc;
95 :
96 1120077 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
97 1117378 : gnutls_hmac_hd_t hmac_hnd = NULL;
98 554 : uint8_t digest[16];
99 554 : uint8_t seq_num[4];
100 :
101 1117378 : *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
102 1117378 : if (!sig->data) {
103 0 : return NT_STATUS_NO_MEMORY;
104 : }
105 :
106 1117378 : switch (direction) {
107 560650 : case NTLMSSP_SEND:
108 560650 : DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
109 : ntlmssp_state->crypt->ntlm2.sending.seq_num,
110 : (unsigned int)length,
111 : (unsigned int)pdu_length));
112 :
113 560650 : SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num);
114 560650 : ntlmssp_state->crypt->ntlm2.sending.seq_num++;
115 :
116 560932 : rc = gnutls_hmac_init(&hmac_hnd,
117 : GNUTLS_MAC_MD5,
118 560650 : ntlmssp_state->crypt->ntlm2.sending.sign_key,
119 : 16);
120 560650 : if (rc < 0) {
121 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
122 : }
123 560368 : break;
124 556728 : case NTLMSSP_RECEIVE:
125 :
126 556728 : DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
127 : ntlmssp_state->crypt->ntlm2.receiving.seq_num,
128 : (unsigned int)length,
129 : (unsigned int)pdu_length));
130 :
131 556728 : SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num);
132 556728 : ntlmssp_state->crypt->ntlm2.receiving.seq_num++;
133 :
134 557000 : rc = gnutls_hmac_init(&hmac_hnd,
135 : GNUTLS_MAC_MD5,
136 556728 : ntlmssp_state->crypt->ntlm2.receiving.sign_key,
137 : 16);
138 556728 : if (rc < 0) {
139 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
140 : }
141 556456 : break;
142 : }
143 :
144 1117378 : dump_data_pw("pdu data ", whole_pdu, pdu_length);
145 :
146 1117378 : rc = gnutls_hmac(hmac_hnd, seq_num, sizeof(seq_num));
147 1117378 : if (rc < 0) {
148 0 : gnutls_hmac_deinit(hmac_hnd, NULL);
149 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
150 : }
151 1117378 : rc = gnutls_hmac(hmac_hnd, whole_pdu, pdu_length);
152 1117378 : if (rc < 0) {
153 0 : gnutls_hmac_deinit(hmac_hnd, NULL);
154 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
155 : }
156 1117378 : gnutls_hmac_deinit(hmac_hnd, digest);
157 :
158 1117378 : if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
159 634345 : switch (direction) {
160 77617 : case NTLMSSP_SEND:
161 77617 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
162 : digest,
163 : 8);
164 77617 : break;
165 556728 : case NTLMSSP_RECEIVE:
166 556728 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
167 : digest,
168 : 8);
169 556728 : break;
170 : }
171 634345 : if (rc < 0) {
172 0 : DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
173 : "%s packet signature failed: %s\n",
174 : direction == NTLMSSP_SEND ?
175 : "send" : "receive",
176 : gnutls_strerror(rc));
177 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
178 : }
179 : }
180 :
181 1117378 : SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
182 1117378 : memcpy(sig->data + 4, digest, 8);
183 1117378 : ZERO_ARRAY(digest);
184 1117378 : memcpy(sig->data + 12, seq_num, 4);
185 1117378 : ZERO_ARRAY(seq_num);
186 :
187 1117378 : dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length);
188 :
189 : } else {
190 3 : uint32_t crc;
191 :
192 2699 : crc = crc32(0, Z_NULL, 0);
193 2699 : crc = crc32(crc, data, length);
194 :
195 2702 : status = msrpc_gen(sig_mem_ctx,
196 : sig, "dddd",
197 : NTLMSSP_SIGN_VERSION, 0, crc,
198 2699 : ntlmssp_state->crypt->ntlm.seq_num);
199 2699 : if (!NT_STATUS_IS_OK(status)) {
200 0 : return status;
201 : }
202 :
203 2699 : ntlmssp_state->crypt->ntlm.seq_num++;
204 :
205 2699 : dump_arc4_state("ntlmssp hash: \n",
206 2696 : &ntlmssp_state->crypt->ntlm.seal_state);
207 2702 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
208 2699 : sig->data + 4,
209 2699 : sig->length - 4);
210 2699 : if (rc < 0) {
211 0 : DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
212 : "signature failed: %s\n",
213 : gnutls_strerror(rc));
214 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
215 : }
216 : }
217 :
218 1120077 : return NT_STATUS_OK;
219 : }
220 :
221 78690 : NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
222 : TALLOC_CTX *sig_mem_ctx,
223 : const uint8_t *data, size_t length,
224 : const uint8_t *whole_pdu, size_t pdu_length,
225 : DATA_BLOB *sig)
226 : {
227 283 : NTSTATUS nt_status;
228 :
229 78690 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
230 0 : DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
231 0 : return NT_STATUS_INVALID_PARAMETER;
232 : }
233 :
234 78690 : if (!ntlmssp_state->session_key.length) {
235 0 : DEBUG(3, ("NO session key, cannot check sign packet\n"));
236 0 : return NT_STATUS_NO_USER_SESSION_KEY;
237 : }
238 :
239 78690 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
240 : sig_mem_ctx,
241 : data, length,
242 : whole_pdu, pdu_length,
243 : NTLMSSP_SEND, sig, true);
244 :
245 78690 : return nt_status;
246 : }
247 :
248 : /**
249 : * Check the signature of an incoming packet
250 : * @note caller *must* check that the signature is the size it expects
251 : *
252 : */
253 :
254 558355 : NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
255 : const uint8_t *data, size_t length,
256 : const uint8_t *whole_pdu, size_t pdu_length,
257 : const DATA_BLOB *sig)
258 : {
259 275 : DATA_BLOB local_sig;
260 275 : NTSTATUS nt_status;
261 275 : TALLOC_CTX *tmp_ctx;
262 :
263 558355 : if (!ntlmssp_state->session_key.length) {
264 1 : DEBUG(3, ("NO session key, cannot check packet signature\n"));
265 1 : return NT_STATUS_NO_USER_SESSION_KEY;
266 : }
267 :
268 558354 : if (sig->length < 8) {
269 2 : DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
270 : (unsigned long)sig->length));
271 : }
272 :
273 558354 : tmp_ctx = talloc_new(ntlmssp_state);
274 558354 : if (!tmp_ctx) {
275 0 : return NT_STATUS_NO_MEMORY;
276 : }
277 :
278 558354 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
279 : tmp_ctx,
280 : data, length,
281 : whole_pdu, pdu_length,
282 : NTLMSSP_RECEIVE,
283 : &local_sig, true);
284 :
285 558354 : if (!NT_STATUS_IS_OK(nt_status)) {
286 0 : DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
287 : nt_errstr(nt_status)));
288 0 : talloc_free(tmp_ctx);
289 0 : return nt_status;
290 : }
291 :
292 558354 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
293 557000 : if (local_sig.length != sig->length ||
294 556726 : !mem_equal_const_time(local_sig.data, sig->data, sig->length)) {
295 6 : DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
296 6 : dump_data(5, local_sig.data, local_sig.length);
297 :
298 6 : DEBUG(5, ("BAD SIG: got signature of\n"));
299 6 : dump_data(5, sig->data, sig->length);
300 :
301 6 : DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
302 6 : talloc_free(tmp_ctx);
303 6 : return NT_STATUS_ACCESS_DENIED;
304 : }
305 : } else {
306 1627 : if (local_sig.length != sig->length ||
307 1625 : !mem_equal_const_time(local_sig.data + 8, sig->data + 8, sig->length - 8)) {
308 2 : DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
309 2 : dump_data(5, local_sig.data, local_sig.length);
310 :
311 2 : DEBUG(5, ("BAD SIG: got signature of\n"));
312 2 : dump_data(5, sig->data, sig->length);
313 :
314 2 : DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
315 2 : talloc_free(tmp_ctx);
316 2 : return NT_STATUS_ACCESS_DENIED;
317 : }
318 : }
319 558346 : dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length);
320 558346 : DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
321 :
322 558346 : talloc_free(tmp_ctx);
323 558346 : return NT_STATUS_OK;
324 : }
325 :
326 : /**
327 : * Seal data with the NTLMSSP algorithm
328 : *
329 : */
330 :
331 483633 : NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
332 : TALLOC_CTX *sig_mem_ctx,
333 : uint8_t *data, size_t length,
334 : const uint8_t *whole_pdu, size_t pdu_length,
335 : DATA_BLOB *sig)
336 : {
337 0 : int rc;
338 :
339 483633 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
340 0 : DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
341 0 : return NT_STATUS_INVALID_PARAMETER;
342 : }
343 :
344 483633 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
345 0 : DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
346 0 : return NT_STATUS_INVALID_PARAMETER;
347 : }
348 :
349 483633 : if (!ntlmssp_state->session_key.length) {
350 0 : DEBUG(3, ("NO session key, cannot seal packet\n"));
351 0 : return NT_STATUS_NO_USER_SESSION_KEY;
352 : }
353 :
354 483633 : DEBUG(10,("ntlmssp_seal_data: seal\n"));
355 483633 : dump_data_pw("ntlmssp clear data\n", data, length);
356 483633 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
357 0 : NTSTATUS nt_status;
358 : /*
359 : * The order of these two operations matters - we
360 : * must first seal the packet, then seal the
361 : * sequence number - this is because the
362 : * send_seal_hash is not constant, but is rather
363 : * updated with each iteration
364 : */
365 483033 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
366 : sig_mem_ctx,
367 : data, length,
368 : whole_pdu, pdu_length,
369 : NTLMSSP_SEND,
370 : sig, false);
371 483033 : if (!NT_STATUS_IS_OK(nt_status)) {
372 0 : return nt_status;
373 : }
374 :
375 483033 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
376 : data,
377 : length);
378 483033 : if (rc < 0) {
379 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
380 : "failed: %s\n",
381 : gnutls_strerror(rc));
382 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
383 : }
384 483033 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
385 483033 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
386 483033 : sig->data + 4,
387 : 8);
388 483033 : if (rc < 0) {
389 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
390 : "the EXCH signature data failed: %s\n",
391 : gnutls_strerror(rc));
392 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
393 : }
394 : }
395 : } else {
396 0 : NTSTATUS status;
397 0 : uint32_t crc;
398 :
399 600 : crc = crc32(0, Z_NULL, 0);
400 600 : crc = crc32(crc, data, length);
401 :
402 600 : status = msrpc_gen(sig_mem_ctx,
403 : sig, "dddd",
404 : NTLMSSP_SIGN_VERSION, 0, crc,
405 600 : ntlmssp_state->crypt->ntlm.seq_num);
406 600 : if (!NT_STATUS_IS_OK(status)) {
407 0 : return status;
408 : }
409 :
410 : /*
411 : * The order of these two operations matters - we
412 : * must first seal the packet, then seal the
413 : * sequence number - this is because the ntlmv1_arc4_state
414 : * is not constant, but is rather updated with
415 : * each iteration
416 : */
417 600 : dump_arc4_state("ntlmv1 arc4 state:\n",
418 600 : &ntlmssp_state->crypt->ntlm.seal_state);
419 600 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
420 : data,
421 : length);
422 600 : if (rc < 0) {
423 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
424 : "failed: %s\n",
425 : gnutls_strerror(rc));
426 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
427 : }
428 :
429 600 : dump_arc4_state("ntlmv1 arc4 state:\n",
430 600 : &ntlmssp_state->crypt->ntlm.seal_state);
431 :
432 600 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
433 600 : sig->data + 4,
434 600 : sig->length - 4);
435 600 : if (rc < 0) {
436 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
437 : "data failed: %s\n",
438 : gnutls_strerror(rc));
439 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
440 : }
441 :
442 600 : ntlmssp_state->crypt->ntlm.seq_num++;
443 : }
444 483633 : dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
445 483633 : dump_data_pw("ntlmssp sealed data\n", data, length);
446 :
447 483633 : return NT_STATUS_OK;
448 : }
449 :
450 : /**
451 : * Unseal data with the NTLMSSP algorithm
452 : *
453 : */
454 :
455 483620 : NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
456 : uint8_t *data, size_t length,
457 : const uint8_t *whole_pdu, size_t pdu_length,
458 : const DATA_BLOB *sig)
459 : {
460 0 : NTSTATUS status;
461 0 : int rc;
462 :
463 483620 : if (!ntlmssp_state->session_key.length) {
464 0 : DEBUG(3, ("NO session key, cannot unseal packet\n"));
465 0 : return NT_STATUS_NO_USER_SESSION_KEY;
466 : }
467 :
468 483620 : DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
469 483620 : dump_data_pw("ntlmssp sealed data\n", data, length);
470 :
471 483620 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
472 : /* First unseal the data. */
473 483020 : rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
474 : data,
475 : length);
476 483020 : if (rc < 0) {
477 0 : DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
478 : "data failed: %s\n",
479 : gnutls_strerror(rc));
480 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
481 : }
482 483020 : dump_data_pw("ntlmv2 clear data\n", data, length);
483 : } else {
484 600 : rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
485 : data,
486 : length);
487 600 : if (rc < 0) {
488 0 : DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
489 : "data failed: %s\n",
490 : gnutls_strerror(rc));
491 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
492 : }
493 600 : dump_data_pw("ntlmv1 clear data\n", data, length);
494 : }
495 :
496 483620 : status = ntlmssp_check_packet(ntlmssp_state,
497 : data, length,
498 : whole_pdu, pdu_length,
499 : sig);
500 :
501 483620 : if (!NT_STATUS_IS_OK(status)) {
502 0 : DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
503 : (unsigned long long)length));
504 : }
505 483620 : return status;
506 : }
507 :
508 456886 : NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
509 : TALLOC_CTX *out_mem_ctx,
510 : const DATA_BLOB *in,
511 : DATA_BLOB *out)
512 : {
513 0 : NTSTATUS nt_status;
514 0 : DATA_BLOB sig;
515 :
516 456886 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
517 456886 : if (in->length + NTLMSSP_SIG_SIZE < in->length) {
518 0 : return NT_STATUS_INVALID_PARAMETER;
519 : }
520 :
521 456886 : *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
522 456886 : if (!out->data) {
523 0 : return NT_STATUS_NO_MEMORY;
524 : }
525 456886 : memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
526 :
527 456886 : nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx,
528 456886 : out->data + NTLMSSP_SIG_SIZE,
529 456886 : out->length - NTLMSSP_SIG_SIZE,
530 456886 : out->data + NTLMSSP_SIG_SIZE,
531 456886 : out->length - NTLMSSP_SIG_SIZE,
532 : &sig);
533 :
534 456886 : if (NT_STATUS_IS_OK(nt_status)) {
535 456886 : memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
536 456886 : talloc_free(sig.data);
537 : }
538 456886 : return nt_status;
539 :
540 0 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
541 0 : if (in->length + NTLMSSP_SIG_SIZE < in->length) {
542 0 : return NT_STATUS_INVALID_PARAMETER;
543 : }
544 :
545 0 : *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
546 0 : if (!out->data) {
547 0 : return NT_STATUS_NO_MEMORY;
548 : }
549 0 : memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
550 :
551 0 : nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx,
552 0 : out->data + NTLMSSP_SIG_SIZE,
553 0 : out->length - NTLMSSP_SIG_SIZE,
554 0 : out->data + NTLMSSP_SIG_SIZE,
555 0 : out->length - NTLMSSP_SIG_SIZE,
556 : &sig);
557 :
558 0 : if (NT_STATUS_IS_OK(nt_status)) {
559 0 : memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
560 0 : talloc_free(sig.data);
561 : }
562 0 : return nt_status;
563 : } else {
564 0 : *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
565 0 : if (!out->data) {
566 0 : return NT_STATUS_NO_MEMORY;
567 : }
568 0 : return NT_STATUS_OK;
569 : }
570 : }
571 :
572 456882 : NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
573 : TALLOC_CTX *out_mem_ctx,
574 : const DATA_BLOB *in,
575 : DATA_BLOB *out)
576 : {
577 0 : DATA_BLOB sig;
578 :
579 456882 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
580 456882 : if (in->length < NTLMSSP_SIG_SIZE) {
581 0 : return NT_STATUS_INVALID_PARAMETER;
582 : }
583 456882 : sig.data = in->data;
584 456882 : sig.length = NTLMSSP_SIG_SIZE;
585 :
586 456882 : *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
587 :
588 456882 : return ntlmssp_unseal_packet(ntlmssp_state,
589 : out->data, out->length,
590 456882 : out->data, out->length,
591 : &sig);
592 :
593 0 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
594 0 : if (in->length < NTLMSSP_SIG_SIZE) {
595 0 : return NT_STATUS_INVALID_PARAMETER;
596 : }
597 0 : sig.data = in->data;
598 0 : sig.length = NTLMSSP_SIG_SIZE;
599 :
600 0 : *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
601 :
602 0 : return ntlmssp_check_packet(ntlmssp_state,
603 0 : out->data, out->length,
604 0 : out->data, out->length,
605 : &sig);
606 : } else {
607 0 : *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
608 0 : if (!out->data) {
609 0 : return NT_STATUS_NO_MEMORY;
610 : }
611 0 : return NT_STATUS_OK;
612 : }
613 : }
614 :
615 : /**
616 : Initialise the state for NTLMSSP signing.
617 : */
618 138736 : NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
619 : bool reset_seqnums)
620 : {
621 634 : int rc;
622 :
623 138736 : DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
624 138736 : debug_ntlmssp_flags(ntlmssp_state->neg_flags);
625 :
626 138736 : if (ntlmssp_state->crypt == NULL) {
627 0 : return NT_STATUS_INVALID_PARAMETER_MIX;
628 : }
629 :
630 138736 : if (ntlmssp_state->force_wrap_seal &&
631 35224 : (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
632 : {
633 : /*
634 : * We need to handle NTLMSSP_NEGOTIATE_SIGN as
635 : * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
636 : * is requested.
637 : *
638 : * The negotiation of flags (and authentication)
639 : * is completed when ntlmssp_sign_init() is called
640 : * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
641 : * was negotiated.
642 : */
643 35224 : ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
644 : }
645 :
646 138736 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
647 132421 : DATA_BLOB weak_session_key = ntlmssp_state->session_key;
648 553 : const char *send_sign_const;
649 553 : const char *send_seal_const;
650 553 : const char *recv_sign_const;
651 553 : const char *recv_seal_const;
652 132421 : uint8_t send_seal_key[16] = {0};
653 132421 : gnutls_datum_t send_seal_blob = {
654 : .data = send_seal_key,
655 : .size = sizeof(send_seal_key),
656 : };
657 132421 : uint8_t recv_seal_key[16] = {0};
658 132421 : gnutls_datum_t recv_seal_blob = {
659 : .data = recv_seal_key,
660 : .size = sizeof(recv_seal_key),
661 : };
662 553 : NTSTATUS status;
663 :
664 132421 : switch (ntlmssp_state->role) {
665 68053 : case NTLMSSP_CLIENT:
666 68053 : send_sign_const = CLI_SIGN;
667 68053 : send_seal_const = CLI_SEAL;
668 68053 : recv_sign_const = SRV_SIGN;
669 68053 : recv_seal_const = SRV_SEAL;
670 68053 : break;
671 64087 : case NTLMSSP_SERVER:
672 64087 : send_sign_const = SRV_SIGN;
673 64087 : send_seal_const = SRV_SEAL;
674 64087 : recv_sign_const = CLI_SIGN;
675 64087 : recv_seal_const = CLI_SEAL;
676 64087 : break;
677 0 : default:
678 0 : return NT_STATUS_INTERNAL_ERROR;
679 : }
680 :
681 : /*
682 : * Weaken NTLMSSP keys to cope with down-level
683 : * clients, servers and export restrictions.
684 : *
685 : * We probably should have some parameters to
686 : * control this, once we get NTLM2 working.
687 : *
688 : * Key weakening was not performed on the master key
689 : * for NTLM2, but must be done on the encryption subkeys only.
690 : */
691 :
692 132421 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
693 : /* nothing to do */
694 880 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
695 352 : weak_session_key.length = 7;
696 : } else { /* forty bits */
697 528 : weak_session_key.length = 5;
698 : }
699 :
700 132421 : dump_data_pw("NTLMSSP weakend master key:\n",
701 131868 : weak_session_key.data,
702 : weak_session_key.length);
703 :
704 : /* SEND: sign key */
705 132421 : status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key,
706 : ntlmssp_state->session_key, send_sign_const);
707 132421 : if (!NT_STATUS_IS_OK(status)) {
708 0 : return status;
709 : }
710 132421 : dump_data_pw("NTLMSSP send sign key:\n",
711 132421 : ntlmssp_state->crypt->ntlm2.sending.sign_key, 16);
712 :
713 : /* SEND: seal ARCFOUR pad */
714 132421 : status = calc_ntlmv2_key(send_seal_key,
715 : weak_session_key,
716 : send_seal_const);
717 132421 : if (!NT_STATUS_IS_OK(status)) {
718 0 : return status;
719 : }
720 132421 : dump_data_pw("NTLMSSP send seal key:\n",
721 : send_seal_key,
722 : sizeof(send_seal_key));
723 :
724 132421 : if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
725 63925 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
726 : }
727 132421 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
728 : GNUTLS_CIPHER_ARCFOUR_128,
729 : &send_seal_blob,
730 : NULL);
731 132421 : if (rc < 0) {
732 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
733 : gnutls_strerror(rc));
734 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
735 : }
736 :
737 132421 : dump_arc4_state("NTLMSSP send seal arc4 state:\n",
738 132421 : &ntlmssp_state->crypt->ntlm2.sending.seal_state);
739 :
740 : /* SEND: seq num */
741 132421 : if (reset_seqnums) {
742 71426 : ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
743 : }
744 :
745 : /* RECV: sign key */
746 132421 : status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
747 : ntlmssp_state->session_key, recv_sign_const);
748 132421 : if (!NT_STATUS_IS_OK(status)) {
749 0 : return status;
750 : }
751 132421 : dump_data_pw("NTLMSSP recv sign key:\n",
752 132421 : ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16);
753 :
754 : /* RECV: seal ARCFOUR pad */
755 132421 : status = calc_ntlmv2_key(recv_seal_key,
756 : weak_session_key,
757 : recv_seal_const);
758 132421 : if (!NT_STATUS_IS_OK(status)) {
759 0 : return status;
760 : }
761 132421 : dump_data_pw("NTLMSSP recv seal key:\n",
762 : recv_seal_key,
763 : sizeof(recv_seal_key));
764 :
765 132421 : if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
766 63925 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
767 : }
768 132421 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
769 : GNUTLS_CIPHER_ARCFOUR_128,
770 : &recv_seal_blob,
771 : NULL);
772 132421 : if (rc < 0) {
773 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
774 : gnutls_strerror(rc));
775 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
776 : }
777 :
778 132421 : dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
779 132421 : &ntlmssp_state->crypt->ntlm2.receiving.seal_state);
780 :
781 : /* RECV: seq num */
782 132421 : if (reset_seqnums) {
783 71426 : ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
784 : }
785 : } else {
786 6315 : gnutls_datum_t seal_session_key = {
787 6315 : .data = ntlmssp_state->session_key.data,
788 6315 : .size = ntlmssp_state->session_key.length,
789 : };
790 6315 : bool do_weak = false;
791 :
792 6315 : DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
793 :
794 : /*
795 : * Key weakening not performed on the master key for NTLM2
796 : * and does not occur for NTLM1. Therefore we only need
797 : * to do this for the LM_KEY.
798 : */
799 6315 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
800 0 : do_weak = true;
801 : }
802 :
803 : /*
804 : * Nothing to weaken.
805 : * We certainly don't want to 'extend' the length...
806 : */
807 6315 : if (ntlmssp_state->session_key.length < 16) {
808 : /* TODO: is this really correct? */
809 0 : do_weak = false;
810 : }
811 :
812 6314 : if (do_weak) {
813 0 : uint8_t weak_session_key[8];
814 :
815 0 : memcpy(weak_session_key, seal_session_key.data, 8);
816 0 : seal_session_key = (gnutls_datum_t) {
817 : .data = weak_session_key,
818 : .size = sizeof(weak_session_key),
819 : };
820 :
821 : /*
822 : * LM key doesn't support 128 bit crypto, so this is
823 : * the best we can do. If you negotiate 128 bit, but
824 : * not 56, you end up with 40 bit...
825 : */
826 0 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
827 0 : weak_session_key[7] = 0xa0;
828 : } else { /* forty bits */
829 0 : weak_session_key[5] = 0xe5;
830 0 : weak_session_key[6] = 0x38;
831 0 : weak_session_key[7] = 0xb0;
832 : }
833 : }
834 :
835 6315 : if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
836 3080 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
837 : }
838 6315 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
839 : GNUTLS_CIPHER_ARCFOUR_128,
840 : &seal_session_key,
841 : NULL);
842 6315 : if (rc < 0) {
843 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
844 : gnutls_strerror(rc));
845 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
846 : }
847 :
848 6315 : dump_arc4_state("NTLMv1 arc4 state:\n",
849 6315 : &ntlmssp_state->crypt->ntlm.seal_state);
850 :
851 6315 : if (reset_seqnums) {
852 5291 : ntlmssp_state->crypt->ntlm.seq_num = 0;
853 : }
854 : }
855 :
856 138736 : return NT_STATUS_OK;
857 : }
858 :
859 71203 : static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
860 : {
861 71203 : if (c->ntlm2.sending.seal_state != NULL) {
862 71203 : gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
863 71203 : c->ntlm2.sending.seal_state = NULL;
864 : }
865 71203 : if (c->ntlm2.receiving.seal_state != NULL) {
866 67972 : gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
867 67972 : c->ntlm2.receiving.seal_state = NULL;
868 : }
869 71203 : if (c->ntlm.seal_state != NULL) {
870 0 : gnutls_cipher_deinit(c->ntlm.seal_state);
871 0 : c->ntlm.seal_state = NULL;
872 : }
873 :
874 71203 : return 0;
875 : }
876 :
877 71731 : NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
878 : {
879 71731 : if (ntlmssp_state->session_key.length < 8) {
880 0 : DEBUG(3, ("NO session key, cannot initialise signing\n"));
881 0 : return NT_STATUS_NO_USER_SESSION_KEY;
882 : }
883 :
884 71731 : ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
885 : union ntlmssp_crypt_state);
886 71731 : if (ntlmssp_state->crypt == NULL) {
887 0 : return NT_STATUS_NO_MEMORY;
888 : }
889 71731 : talloc_set_destructor(ntlmssp_state->crypt,
890 : ntlmssp_crypt_free_gnutls_cipher_state);
891 :
892 71731 : return ntlmssp_sign_reset(ntlmssp_state, true);
893 : }
|