summaryrefslogtreecommitdiff
path: root/source4/auth/ntlmssp
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/ntlmssp')
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c49
-rw-r--r--source4/auth/ntlmssp/ntlmssp.h1
-rw-r--r--source4/auth/ntlmssp/ntlmssp_sign.c107
3 files changed, 53 insertions, 104 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 339c219f62..82d6dd0e8f 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -185,25 +185,6 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
return status;
}
- gensec_ntlmssp_state->have_features = 0;
-
- if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
- gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SIGN;
- }
-
- if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
- gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SEAL;
- }
-
- if (gensec_ntlmssp_state->session_key.data) {
- gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_SESSION_KEY;
- }
-
- /* only NTLMv2 can handle async replies */
- if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
- gensec_ntlmssp_state->have_features |= GENSEC_FEATURE_ASYNC_REPLIES;
- }
-
return status;
}
@@ -317,10 +298,35 @@ static BOOL gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
uint32_t feature)
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
- if (gensec_ntlmssp_state->have_features & feature) {
+ if (feature & GENSEC_FEATURE_SIGN) {
+ if (!gensec_ntlmssp_state->session_key.length) {
+ return False;
+ }
+ if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ return True;
+ }
+ }
+ if (feature & GENSEC_FEATURE_SEAL) {
+ if (!gensec_ntlmssp_state->session_key.length) {
+ return False;
+ }
+ if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ return True;
+ }
+ }
+ if (feature & GENSEC_FEATURE_SESSION_KEY) {
+ if (gensec_ntlmssp_state->session_key.length) {
+ return True;
+ }
+ }
+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
return True;
}
-
+ if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
+ if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ return True;
+ }
+ }
return False;
}
@@ -335,7 +341,6 @@ NTSTATUS gensec_ntlmssp_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->auth_context = NULL;
gensec_ntlmssp_state->server_info = NULL;
- gensec_ntlmssp_state->have_features = 0;
gensec_security->private_data = gensec_ntlmssp_state;
return NT_STATUS_OK;
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index 36d12a9820..2ee069bada 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -180,7 +180,6 @@ struct gensec_ntlmssp_state
struct auth_context *auth_context;
struct auth_serversupplied_info *server_info;
- uint32_t have_features;
};
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c
index 960841ecf2..75c6cf845b 100644
--- a/source4/auth/ntlmssp/ntlmssp_sign.c
+++ b/source4/auth/ntlmssp/ntlmssp_sign.c
@@ -49,7 +49,7 @@ static void calc_ntlmv2_key(TALLOC_CTX *mem_ctx,
*subkey = data_blob_talloc(mem_ctx, NULL, 16);
MD5Init(&ctx3);
MD5Update(&ctx3, session_key.data, session_key.length);
- MD5Update(&ctx3, constant, strlen(constant)+1);
+ MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1);
MD5Final(subkey->data, &ctx3);
}
@@ -131,21 +131,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
- if (!gensec_ntlmssp_state->session_key.length) {
- DEBUG(3, ("NO session key, cannot check sign packet\n"));
- return NT_STATUS_NO_USER_SESSION_KEY;
- }
-
- if (!(gensec_security->want_features & GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GENSEC Signing not requested - cannot sign packet!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
- DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
return ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx,
data, length,
whole_pdu, pdu_length,
@@ -173,11 +158,6 @@ NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
return NT_STATUS_NO_USER_SESSION_KEY;
}
- if (!(gensec_security->want_features & (GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SIGN))) {
- DEBUG(3, ("GENSEC Signing/Sealing not requested - cannot check packet!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (sig->length < 8) {
DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
(unsigned long)sig->length));
@@ -244,17 +224,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
return NT_STATUS_NO_USER_SESSION_KEY;
}
- if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GENSEC Sealing not requested - cannot seal packet!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
- DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-
DEBUG(10,("ntlmssp_seal_data: seal\n"));
dump_data_pw("ntlmssp clear data\n", data, length);
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
@@ -317,43 +286,14 @@ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
return NT_STATUS_NO_USER_SESSION_KEY;
}
- if (!(gensec_security->want_features & GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GENSEC Sealing not requested - cannot unseal packet!\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
dump_data_pw("ntlmssp sealed data\n", data, length);
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, data, length);
-
- nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx,
- data, length,
- whole_pdu, pdu_length,
- NTLMSSP_RECEIVE, &local_sig, True);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- if (local_sig.length != sig->length ||
- memcmp(local_sig.data,
- sig->data, sig->length) != 0) {
- DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
- dump_data(5, local_sig.data, local_sig.length);
-
- DEBUG(5, ("BAD SIG: got signature of\n"));
- dump_data(5, sig->data, sig->length);
-
- DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
- return NT_STATUS_ACCESS_DENIED;
- }
-
- dump_data_pw("ntlmssp clear data\n", data, length);
- return NT_STATUS_OK;
} else {
arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length);
- dump_data_pw("ntlmssp clear data\n", data, length);
- return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
+ dump_data_pw("ntlmssp clear data\n", data, length);
+ return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
}
/**
@@ -406,11 +346,18 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state)
NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state);
/**
- Weaken NTLMSSP keys to cope with down-level clients, servers and export restrictions.
+ Weaken NTLMSSP keys to cope with down-level
+ clients, servers and export restrictions.
- We probably should have some parameters to control this, once we get NTLM2 working.
+ We probably should have some parameters to control
+ this, once we get NTLM2 working.
*/
+ /* Key weakening was not performed on the master key
+ * for NTLM2 (in ntlmssp_weaken_keys()), but must be
+ * done on the encryption subkeys only. That is why
+ * we don't have this code for the ntlmv1 case.
+ */
if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
@@ -500,35 +447,34 @@ NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security,
DATA_BLOB sig;
NTSTATUS nt_status;
- if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
*out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
-
+
nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx,
out->data + NTLMSSP_SIG_SIZE,
out->length - NTLMSSP_SIG_SIZE,
out->data + NTLMSSP_SIG_SIZE,
out->length - NTLMSSP_SIG_SIZE,
&sig);
-
+
if (NT_STATUS_IS_OK(nt_status)) {
memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
}
return nt_status;
- } else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)
- || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
*out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx,
- out->data + NTLMSSP_SIG_SIZE,
- out->length - NTLMSSP_SIG_SIZE,
- out->data + NTLMSSP_SIG_SIZE,
- out->length - NTLMSSP_SIG_SIZE,
- &sig);
+ out->data + NTLMSSP_SIG_SIZE,
+ out->length - NTLMSSP_SIG_SIZE,
+ out->data + NTLMSSP_SIG_SIZE,
+ out->length - NTLMSSP_SIG_SIZE,
+ &sig);
if (NT_STATUS_IS_OK(nt_status)) {
memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
@@ -550,7 +496,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
DATA_BLOB sig;
- if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
if (in->length < NTLMSSP_SIG_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -564,8 +510,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
out->data, out->length,
&sig);
- } else if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)
- || (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
if (in->length < NTLMSSP_SIG_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -575,9 +520,9 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security,
*out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx,
- out->data, out->length,
- out->data, out->length,
- &sig);
+ out->data, out->length,
+ out->data, out->length,
+ &sig);
} else {
*out = *in;
return NT_STATUS_OK;