From 62708fbd1bf6a54d880011ce7d95ee43e08cf30e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 May 2010 20:58:52 +1000 Subject: s3:ntlmssp Move ntlmssp_sign.c from source3 to common code. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This needs a small re-arrangement of the supporting code. Andrew Bartlett Signed-off-by: Stefan Metzmacher Signed-off-by: Günther Deschner --- libcli/auth/ntlmssp.c | 76 ++++++ libcli/auth/ntlmssp.h | 22 ++ libcli/auth/ntlmssp_private.h | 25 ++ libcli/auth/ntlmssp_sign.c | 573 ++++++++++++++++++++++++++++++++++++++++++ source3/Makefile.in | 3 +- source3/include/proto.h | 23 -- source3/libsmb/ntlmssp.c | 52 +--- source3/libsmb/ntlmssp_sign.c | 572 ----------------------------------------- 8 files changed, 699 insertions(+), 647 deletions(-) create mode 100644 libcli/auth/ntlmssp.c create mode 100644 libcli/auth/ntlmssp_private.h create mode 100644 libcli/auth/ntlmssp_sign.c delete mode 100644 source3/libsmb/ntlmssp_sign.c diff --git a/libcli/auth/ntlmssp.c b/libcli/auth/ntlmssp.c new file mode 100644 index 0000000000..1be764ec42 --- /dev/null +++ b/libcli/auth/ntlmssp.c @@ -0,0 +1,76 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + handle NLTMSSP, server side + + Copyright (C) Andrew Tridgell 2001 + Copyright (C) Andrew Bartlett 2001-2003 + Copyright (C) Andrew Bartlett 2005 (Updated from gensec). + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" +#include "../libcli/auth/ntlmssp.h" +#include "../libcli/auth/ntlmssp_private.h" + +/** + * Print out the NTLMSSP flags for debugging + * @param neg_flags The flags from the packet + */ +void debug_ntlmssp_flags(uint32_t neg_flags) +{ + DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags)); + + if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_OEM) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n")); + if (neg_flags & NTLMSSP_REQUEST_TARGET) + DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_SIGN) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_SEAL) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_NTLM) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n")); + if (neg_flags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY) + DEBUGADD(4, (" NTLMSSP_REQUEST_NON_NT_SESSION_KEY\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_TARGET_INFO\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_VERSION) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_VERSION\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_128) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n")); + if (neg_flags & NTLMSSP_NEGOTIATE_56) + DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n")); +} diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h index 97192b8c6f..d0a282c350 100644 --- a/libcli/auth/ntlmssp.h +++ b/libcli/auth/ntlmssp.h @@ -137,3 +137,25 @@ struct ntlmssp_state union ntlmssp_crypt_state *crypt; }; + +/* The following definitions come from libcli/auth/ntlmssp_sign.c */ + +NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) ; +NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig); +NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig); +NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state); diff --git a/libcli/auth/ntlmssp_private.h b/libcli/auth/ntlmssp_private.h new file mode 100644 index 0000000000..0f0c7dbba9 --- /dev/null +++ b/libcli/auth/ntlmssp_private.h @@ -0,0 +1,25 @@ +/* + * Unix SMB/CIFS implementation. + * Version 3.0 + * NTLMSSP Signing routines + * Copyright (C) Andrew Bartlett 2003-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +/* For structures internal to the NTLMSSP implementation that should not be exposed */ + +/* The following definitions come from libcli/auth/ntlmssp.c */ + +void debug_ntlmssp_flags(uint32_t neg_flags); diff --git a/libcli/auth/ntlmssp_sign.c b/libcli/auth/ntlmssp_sign.c new file mode 100644 index 0000000000..61b52c6a61 --- /dev/null +++ b/libcli/auth/ntlmssp_sign.c @@ -0,0 +1,573 @@ +/* + * Unix SMB/CIFS implementation. + * Version 3.0 + * NTLMSSP Signing routines + * Copyright (C) Andrew Bartlett 2003-2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + */ + +#include "includes.h" +#include "../libcli/auth/ntlmssp.h" +#include "../libcli/auth/libcli_auth.h" +#include "../lib/crypto/md5.h" +#include "../lib/crypto/arcfour.h" +#include "../lib/crypto/hmacmd5.h" +#include "../lib/crypto/crc32.h" +#include "../libcli/auth/ntlmssp_private.h" + +#define CLI_SIGN "session key to client-to-server signing key magic constant" +#define CLI_SEAL "session key to client-to-server sealing key magic constant" +#define SRV_SIGN "session key to server-to-client signing key magic constant" +#define SRV_SEAL "session key to server-to-client sealing key magic constant" + +/** + * Some notes on the NTLM2 code: + * + * NTLM2 is a AEAD system. This means that the data encrypted is not + * all the data that is signed. In DCE-RPC case, the headers of the + * DCE-RPC packets are also signed. This prevents some of the + * fun-and-games one might have by changing them. + * + */ + +static void dump_arc4_state(const char *description, + struct arcfour_state *state) +{ + dump_data_pw(description, state->sbox, sizeof(state->sbox)); +} + +static void calc_ntlmv2_key(uint8_t subkey[16], + DATA_BLOB session_key, + const char *constant) +{ + struct MD5Context ctx3; + MD5Init(&ctx3); + MD5Update(&ctx3, session_key.data, session_key.length); + MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1); + MD5Final(subkey, &ctx3); +} + +enum ntlmssp_direction { + NTLMSSP_SEND, + NTLMSSP_RECEIVE +}; + +struct ntlmssp_crypt_direction { + uint32_t seq_num; + uint8_t sign_key[16]; + struct arcfour_state seal_state; +}; + +union ntlmssp_crypt_state { + /* NTLM */ + struct ntlmssp_crypt_direction ntlm; + + /* NTLM2 */ + struct { + struct ntlmssp_crypt_direction sending; + struct ntlmssp_crypt_direction receiving; + } ntlm2; +}; + +static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + enum ntlmssp_direction direction, + DATA_BLOB *sig, bool encrypt_sig) +{ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + HMACMD5Context ctx; + uint8_t digest[16]; + uint8_t seq_num[4]; + + *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE); + if (!sig->data) { + return NT_STATUS_NO_MEMORY; + } + + switch (direction) { + case NTLMSSP_SEND: + DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n", + ntlmssp_state->crypt->ntlm2.sending.seq_num, + (unsigned int)length, + (unsigned int)pdu_length)); + + SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num); + ntlmssp_state->crypt->ntlm2.sending.seq_num++; + hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.sending.sign_key, 16, &ctx); + break; + case NTLMSSP_RECEIVE: + + DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n", + ntlmssp_state->crypt->ntlm2.receiving.seq_num, + (unsigned int)length, + (unsigned int)pdu_length)); + + SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num); + ntlmssp_state->crypt->ntlm2.receiving.seq_num++; + hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16, &ctx); + break; + } + + dump_data_pw("pdu data ", whole_pdu, pdu_length); + + hmac_md5_update(seq_num, sizeof(seq_num), &ctx); + hmac_md5_update(whole_pdu, pdu_length, &ctx); + hmac_md5_final(digest, &ctx); + + if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { + switch (direction) { + case NTLMSSP_SEND: + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, + digest, 8); + break; + case NTLMSSP_RECEIVE: + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, + digest, 8); + break; + } + } + + SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION); + memcpy(sig->data + 4, digest, 8); + memcpy(sig->data + 12, seq_num, 4); + + dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length); + + } else { + bool ok; + uint32_t crc; + + crc = crc32_calc_buffer(data, length); + + ok = msrpc_gen(sig_mem_ctx, + sig, "dddd", + NTLMSSP_SIGN_VERSION, 0, crc, + ntlmssp_state->crypt->ntlm.seq_num); + if (!ok) { + return NT_STATUS_NO_MEMORY; + } + + ntlmssp_state->crypt->ntlm.seq_num++; + + dump_arc4_state("ntlmssp hash: \n", + &ntlmssp_state->crypt->ntlm.seal_state); + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, + sig->data+4, sig->length-4); + } + return NT_STATUS_OK; +} + +NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + NTSTATUS nt_status; + + if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot check sign packet\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + nt_status = ntlmssp_make_packet_signature(ntlmssp_state, + sig_mem_ctx, + data, length, + whole_pdu, pdu_length, + NTLMSSP_SEND, sig, true); + + return nt_status; +} + +/** + * Check the signature of an incoming packet + * @note caller *must* check that the signature is the size it expects + * + */ + +NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, + const uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + DATA_BLOB local_sig; + NTSTATUS nt_status; + TALLOC_CTX *tmp_ctx; + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot check packet signature\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + if (sig->length < 8) { + DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", + (unsigned long)sig->length)); + } + + tmp_ctx = talloc_new(ntlmssp_state); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + + nt_status = ntlmssp_make_packet_signature(ntlmssp_state, + tmp_ctx, + data, length, + whole_pdu, pdu_length, + NTLMSSP_RECEIVE, + &local_sig, true); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("NTLMSSP packet sig creation failed with %s\n", + nt_errstr(nt_status))); + talloc_free(tmp_ctx); + return nt_status; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + if (local_sig.length != sig->length || + memcmp(local_sig.data, sig->data, sig->length) != 0) { + DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n")); + dump_data(5, local_sig.data, local_sig.length); + + DEBUG(5, ("BAD SIG: got signature of\n")); + dump_data(5, sig->data, sig->length); + + DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n")); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + } else { + if (local_sig.length != sig->length || + memcmp(local_sig.data + 8, sig->data + 8, sig->length - 8) != 0) { + DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n")); + dump_data(5, local_sig.data, local_sig.length); + + DEBUG(5, ("BAD SIG: got signature of\n")); + dump_data(5, sig->data, sig->length); + + DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n")); + talloc_free(tmp_ctx); + return NT_STATUS_ACCESS_DENIED; + } + } + dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length); + DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n")); + + talloc_free(tmp_ctx); + return NT_STATUS_OK; +} + +/** + * Seal data with the NTLMSSP algorithm + * + */ + +NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, + TALLOC_CTX *sig_mem_ctx, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + DATA_BLOB *sig) +{ + if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { + DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot seal packet\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + DEBUG(10,("ntlmssp_seal_data: seal\n")); + dump_data_pw("ntlmssp clear data\n", data, length); + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + NTSTATUS nt_status; + /* + * The order of these two operations matters - we + * must first seal the packet, then seal the + * sequence number - this is because the + * send_seal_hash is not constant, but is is rather + * updated with each iteration + */ + nt_status = ntlmssp_make_packet_signature(ntlmssp_state, + sig_mem_ctx, + data, length, + whole_pdu, pdu_length, + NTLMSSP_SEND, + sig, false); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, + data, length); + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, + sig->data+4, 8); + } + } else { + bool ok; + uint32_t crc; + + crc = crc32_calc_buffer(data, length); + + ok = msrpc_gen(sig_mem_ctx, + sig, "dddd", + NTLMSSP_SIGN_VERSION, 0, crc, + ntlmssp_state->crypt->ntlm.seq_num); + if (!ok) { + return NT_STATUS_NO_MEMORY; + } + + /* + * The order of these two operations matters - we + * must first seal the packet, then seal the + * sequence number - this is because the ntlmv1_arc4_state + * is not constant, but is is rather updated with + * each iteration + */ + + dump_arc4_state("ntlmv1 arc4 state:\n", + &ntlmssp_state->crypt->ntlm.seal_state); + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, + data, length); + + dump_arc4_state("ntlmv1 arc4 state:\n", + &ntlmssp_state->crypt->ntlm.seal_state); + + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, + sig->data+4, sig->length-4); + + ntlmssp_state->crypt->ntlm.seq_num++; + } + dump_data_pw("ntlmssp signature\n", sig->data, sig->length); + dump_data_pw("ntlmssp sealed data\n", data, length); + + return NT_STATUS_OK; +} + +/** + * Unseal data with the NTLMSSP algorithm + * + */ + +NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, + uint8_t *data, size_t length, + const uint8_t *whole_pdu, size_t pdu_length, + const DATA_BLOB *sig) +{ + NTSTATUS status; + if (!ntlmssp_state->session_key.length) { + DEBUG(3, ("NO session key, cannot unseal packet\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + DEBUG(10,("ntlmssp_unseal_packet: seal\n")); + dump_data_pw("ntlmssp sealed data\n", data, length); + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + /* First unseal the data. */ + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, + data, length); + dump_data_pw("ntlmv2 clear data\n", data, length); + } else { + arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, + data, length); + dump_data_pw("ntlmv1 clear data\n", data, length); + } + status = ntlmssp_check_packet(ntlmssp_state, + data, length, + whole_pdu, pdu_length, + sig); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n", + (unsigned long long)length)); + } + return status; +} + +/** + Initialise the state for NTLMSSP signing. +*/ +NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state) +{ + DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n")); + debug_ntlmssp_flags(ntlmssp_state->neg_flags); + + if (ntlmssp_state->session_key.length < 8) { + DEBUG(3, ("NO session key, cannot intialise signing\n")); + return NT_STATUS_NO_USER_SESSION_KEY; + } + + ntlmssp_state->crypt = talloc_zero(ntlmssp_state, + union ntlmssp_crypt_state); + if (ntlmssp_state->crypt == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + DATA_BLOB weak_session_key = ntlmssp_state->session_key; + const char *send_sign_const; + const char *send_seal_const; + const char *recv_sign_const; + const char *recv_seal_const; + uint8_t send_seal_key[16]; + DATA_BLOB send_seal_blob = data_blob_const(send_seal_key, + sizeof(send_seal_key)); + uint8_t recv_seal_key[16]; + DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key, + sizeof(recv_seal_key)); + + switch (ntlmssp_state->role) { + case NTLMSSP_CLIENT: + send_sign_const = CLI_SIGN; + send_seal_const = CLI_SEAL; + recv_sign_const = SRV_SIGN; + recv_seal_const = SRV_SEAL; + break; + case NTLMSSP_SERVER: + send_sign_const = SRV_SIGN; + send_seal_const = SRV_SEAL; + recv_sign_const = CLI_SIGN; + recv_seal_const = CLI_SEAL; + break; + default: + return NT_STATUS_INTERNAL_ERROR; + } + + /* + * Weaken NTLMSSP keys to cope with down-level + * clients, servers and export restrictions. + * + * We probably should have some parameters to + * control this, once we get NTLM2 working. + * + * Key weakening was not performed on the master key + * for NTLM2, but must be done on the encryption subkeys only. + */ + + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { + /* nothing to do */ + } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { + weak_session_key.length = 7; + } else { /* forty bits */ + weak_session_key.length = 5; + } + + dump_data_pw("NTLMSSP weakend master key:\n", + weak_session_key.data, + weak_session_key.length); + + /* SEND: sign key */ + calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key, + ntlmssp_state->session_key, send_sign_const); + dump_data_pw("NTLMSSP send sign key:\n", + ntlmssp_state->crypt->ntlm2.sending.sign_key, 16); + + /* SEND: seal ARCFOUR pad */ + calc_ntlmv2_key(send_seal_key, + weak_session_key, send_seal_const); + dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16); + + arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state, + &send_seal_blob); + + dump_arc4_state("NTLMSSP send seal arc4 state:\n", + &ntlmssp_state->crypt->ntlm2.sending.seal_state); + + /* SEND: seq num */ + ntlmssp_state->crypt->ntlm2.sending.seq_num = 0; + + /* RECV: sign key */ + calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key, + ntlmssp_state->session_key, recv_sign_const); + dump_data_pw("NTLMSSP recv sign key:\n", + ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16); + + /* RECV: seal ARCFOUR pad */ + calc_ntlmv2_key(recv_seal_key, + weak_session_key, recv_seal_const); + dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16); + + arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, + &recv_seal_blob); + + dump_arc4_state("NTLMSSP recv seal arc4 state:\n", + &ntlmssp_state->crypt->ntlm2.receiving.seal_state); + + /* RECV: seq num */ + ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0; + } else { + uint8_t weak_session_key[8]; + DATA_BLOB seal_session_key = ntlmssp_state->session_key; + bool do_weak = false; + + DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n")); + + /* + * Key weakening not performed on the master key for NTLM2 + * and does not occour for NTLM1. Therefore we only need + * to do this for the LM_KEY. + */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) { + do_weak = true; + } + + /* + * Nothing to weaken. + * We certainly don't want to 'extend' the length... + */ + if (seal_session_key.length < 16) { + /* TODO: is this really correct? */ + do_weak = false; + } + + if (do_weak) { + memcpy(weak_session_key, seal_session_key.data, 8); + seal_session_key = data_blob_const(weak_session_key, 8); + + /* + * LM key doesn't support 128 bit crypto, so this is + * the best we can do. If you negotiate 128 bit, but + * not 56, you end up with 40 bit... + */ + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { + weak_session_key[7] = 0xa0; + } else { /* forty bits */ + weak_session_key[5] = 0xe5; + weak_session_key[6] = 0x38; + weak_session_key[7] = 0xb0; + } + } + + arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state, + &seal_session_key); + + dump_arc4_state("NTLMv1 arc4 state:\n", + &ntlmssp_state->crypt->ntlm.seal_state); + + ntlmssp_state->crypt->ntlm.seq_num = 0; + } + + return NT_STATUS_OK; +} diff --git a/source3/Makefile.in b/source3/Makefile.in index f411eeef8a..b8c13cadbe 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -485,7 +485,8 @@ LIBSMB_ERR_OBJ = $(LIBSMB_ERR_OBJ0) $(LIBSMB_ERR_OBJ1) \ LIBSMB_OBJ0 = \ ../libcli/auth/ntlm_check.o \ libsmb/ntlmssp.o \ - libsmb/ntlmssp_sign.o \ + ../libcli/auth/ntlmssp.o \ + ../libcli/auth/ntlmssp_sign.o \ $(LIBNDR_NTLMSSP_OBJ) \ ../libcli/auth/ntlmssp_ndr.o diff --git a/source3/include/proto.h b/source3/include/proto.h index 472e1793ca..cae51e5ee3 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -3135,7 +3135,6 @@ NTSTATUS nt_status_squash(NTSTATUS nt_status); /* The following definitions come from libsmb/ntlmssp.c */ -void debug_ntlmssp_flags(uint32 neg_flags); NTSTATUS ntlmssp_set_username(struct ntlmssp_state *ntlmssp_state, const char *user) ; NTSTATUS ntlmssp_set_hashes(struct ntlmssp_state *ntlmssp_state, const uint8_t lm_hash[16], @@ -3161,28 +3160,6 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, bool use_ntlmv2, struct ntlmssp_state **_ntlmssp_state); -/* The following definitions come from libsmb/ntlmssp_sign.c */ - -NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig); -NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) ; -NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig); -NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig); -NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state); - /* The following definitions come from libsmb/passchange.c */ NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c index 7095426cab..1d475172fe 100644 --- a/source3/libsmb/ntlmssp.c +++ b/source3/libsmb/ntlmssp.c @@ -23,6 +23,7 @@ #include "includes.h" #include "../libcli/auth/ntlmssp.h" +#include "../libcli/auth/ntlmssp_private.h" #include "../libcli/auth/libcli_auth.h" #include "../librpc/gen_ndr/ndr_ntlmssp.h" #include "../libcli/auth/ntlmssp_ndr.h" @@ -59,57 +60,6 @@ static const struct ntlmssp_callbacks { }; -/** - * Print out the NTLMSSP flags for debugging - * @param neg_flags The flags from the packet - */ - -void debug_ntlmssp_flags(uint32_t neg_flags) -{ - DEBUG(3,("Got NTLMSSP neg_flags=0x%08x\n", neg_flags)); - - if (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_UNICODE\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_OEM) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM\n")); - if (neg_flags & NTLMSSP_REQUEST_TARGET) - DEBUGADD(4, (" NTLMSSP_REQUEST_TARGET\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_SIGN) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SIGN\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_SEAL) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_SEAL\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_DATAGRAM) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_DATAGRAM\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_LM_KEY\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_NETWARE) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NETWARE\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_NTLM) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_ALWAYS_SIGN\n")); - if (neg_flags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY) - DEBUGADD(4, (" NTLMSSP_REQUEST_NON_NT_SESSION_KEY\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_NTLM2) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_NTLM2\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_TARGET_INFO\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_VERSION) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_VERSION\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_128) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_128\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_KEY_EXCH\n")); - if (neg_flags & NTLMSSP_NEGOTIATE_56) - DEBUGADD(4, (" NTLMSSP_NEGOTIATE_56\n")); -} - /** * Default challenge generation code. * diff --git a/source3/libsmb/ntlmssp_sign.c b/source3/libsmb/ntlmssp_sign.c deleted file mode 100644 index 8ae244b70b..0000000000 --- a/source3/libsmb/ntlmssp_sign.c +++ /dev/null @@ -1,572 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Version 3.0 - * NTLMSSP Signing routines - * Copyright (C) Andrew Bartlett 2003-2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" -#include "../libcli/auth/ntlmssp.h" -#include "../libcli/auth/libcli_auth.h" -#include "../lib/crypto/md5.h" -#include "../lib/crypto/arcfour.h" -#include "../lib/crypto/hmacmd5.h" -#include "../lib/crypto/crc32.h" - -#define CLI_SIGN "session key to client-to-server signing key magic constant" -#define CLI_SEAL "session key to client-to-server sealing key magic constant" -#define SRV_SIGN "session key to server-to-client signing key magic constant" -#define SRV_SEAL "session key to server-to-client sealing key magic constant" - -/** - * Some notes on the NTLM2 code: - * - * NTLM2 is a AEAD system. This means that the data encrypted is not - * all the data that is signed. In DCE-RPC case, the headers of the - * DCE-RPC packets are also signed. This prevents some of the - * fun-and-games one might have by changing them. - * - */ - -static void dump_arc4_state(const char *description, - struct arcfour_state *state) -{ - dump_data_pw(description, state->sbox, sizeof(state->sbox)); -} - -static void calc_ntlmv2_key(uint8_t subkey[16], - DATA_BLOB session_key, - const char *constant) -{ - struct MD5Context ctx3; - MD5Init(&ctx3); - MD5Update(&ctx3, session_key.data, session_key.length); - MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1); - MD5Final(subkey, &ctx3); -} - -enum ntlmssp_direction { - NTLMSSP_SEND, - NTLMSSP_RECEIVE -}; - -struct ntlmssp_crypt_direction { - uint32_t seq_num; - uint8_t sign_key[16]; - struct arcfour_state seal_state; -}; - -union ntlmssp_crypt_state { - /* NTLM */ - struct ntlmssp_crypt_direction ntlm; - - /* NTLM2 */ - struct { - struct ntlmssp_crypt_direction sending; - struct ntlmssp_crypt_direction receiving; - } ntlm2; -}; - -static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - enum ntlmssp_direction direction, - DATA_BLOB *sig, bool encrypt_sig) -{ - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - HMACMD5Context ctx; - uint8_t digest[16]; - uint8_t seq_num[4]; - - *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE); - if (!sig->data) { - return NT_STATUS_NO_MEMORY; - } - - switch (direction) { - case NTLMSSP_SEND: - DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n", - ntlmssp_state->crypt->ntlm2.sending.seq_num, - (unsigned int)length, - (unsigned int)pdu_length)); - - SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num); - ntlmssp_state->crypt->ntlm2.sending.seq_num++; - hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.sending.sign_key, 16, &ctx); - break; - case NTLMSSP_RECEIVE: - - DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n", - ntlmssp_state->crypt->ntlm2.receiving.seq_num, - (unsigned int)length, - (unsigned int)pdu_length)); - - SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num); - ntlmssp_state->crypt->ntlm2.receiving.seq_num++; - hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16, &ctx); - break; - } - - dump_data_pw("pdu data ", whole_pdu, pdu_length); - - hmac_md5_update(seq_num, sizeof(seq_num), &ctx); - hmac_md5_update(whole_pdu, pdu_length, &ctx); - hmac_md5_final(digest, &ctx); - - if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) { - switch (direction) { - case NTLMSSP_SEND: - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, - digest, 8); - break; - case NTLMSSP_RECEIVE: - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, - digest, 8); - break; - } - } - - SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION); - memcpy(sig->data + 4, digest, 8); - memcpy(sig->data + 12, seq_num, 4); - - dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length); - - } else { - bool ok; - uint32_t crc; - - crc = crc32_calc_buffer(data, length); - - ok = msrpc_gen(sig_mem_ctx, - sig, "dddd", - NTLMSSP_SIGN_VERSION, 0, crc, - ntlmssp_state->crypt->ntlm.seq_num); - if (!ok) { - return NT_STATUS_NO_MEMORY; - } - - ntlmssp_state->crypt->ntlm.seq_num++; - - dump_arc4_state("ntlmssp hash: \n", - &ntlmssp_state->crypt->ntlm.seal_state); - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, - sig->data+4, sig->length-4); - } - return NT_STATUS_OK; -} - -NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *sig_mem_ctx, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - NTSTATUS nt_status; - - if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { - DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - if (!ntlmssp_state->session_key.length) { - DEBUG(3, ("NO session key, cannot check sign packet\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - nt_status = ntlmssp_make_packet_signature(ntlmssp_state, - sig_mem_ctx, - data, length, - whole_pdu, pdu_length, - NTLMSSP_SEND, sig, true); - - return nt_status; -} - -/** - * Check the signature of an incoming packet - * @note caller *must* check that the signature is the size it expects - * - */ - -NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, - const uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - DATA_BLOB local_sig; - NTSTATUS nt_status; - TALLOC_CTX *tmp_ctx; - - if (!ntlmssp_state->session_key.length) { - DEBUG(3, ("NO session key, cannot check packet signature\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - if (sig->length < 8) { - DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n", - (unsigned long)sig->length)); - } - - tmp_ctx = talloc_new(ntlmssp_state); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - - nt_status = ntlmssp_make_packet_signature(ntlmssp_state, - tmp_ctx, - data, length, - whole_pdu, pdu_length, - NTLMSSP_RECEIVE, - &local_sig, true); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("NTLMSSP packet sig creation failed with %s\n", - nt_errstr(nt_status))); - talloc_free(tmp_ctx); - return nt_status; - } - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - if (local_sig.length != sig->length || - memcmp(local_sig.data, sig->data, sig->length) != 0) { - DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n")); - dump_data(5, local_sig.data, local_sig.length); - - DEBUG(5, ("BAD SIG: got signature of\n")); - dump_data(5, sig->data, sig->length); - - DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n")); - talloc_free(tmp_ctx); - return NT_STATUS_ACCESS_DENIED; - } - } else { - if (local_sig.length != sig->length || - memcmp(local_sig.data + 8, sig->data + 8, sig->length - 8) != 0) { - DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n")); - dump_data(5, local_sig.data, local_sig.length); - - DEBUG(5, ("BAD SIG: got signature of\n")); - dump_data(5, sig->data, sig->length); - - DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n")); - talloc_free(tmp_ctx); - return NT_STATUS_ACCESS_DENIED; - } - } - dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length); - DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n")); - - talloc_free(tmp_ctx); - return NT_STATUS_OK; -} - -/** - * Seal data with the NTLMSSP algorithm - * - */ - -NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, - TALLOC_CTX *sig_mem_ctx, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - DATA_BLOB *sig) -{ - if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { - DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n")); - return NT_STATUS_INVALID_PARAMETER; - } - - if (!ntlmssp_state->session_key.length) { - DEBUG(3, ("NO session key, cannot seal packet\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - DEBUG(10,("ntlmssp_seal_data: seal\n")); - dump_data_pw("ntlmssp clear data\n", data, length); - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - NTSTATUS nt_status; - /* - * The order of these two operations matters - we - * must first seal the packet, then seal the - * sequence number - this is because the - * send_seal_hash is not constant, but is is rather - * updated with each iteration - */ - nt_status = ntlmssp_make_packet_signature(ntlmssp_state, - sig_mem_ctx, - data, length, - whole_pdu, pdu_length, - NTLMSSP_SEND, - sig, false); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, - data, length); - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state, - sig->data+4, 8); - } - } else { - bool ok; - uint32_t crc; - - crc = crc32_calc_buffer(data, length); - - ok = msrpc_gen(sig_mem_ctx, - sig, "dddd", - NTLMSSP_SIGN_VERSION, 0, crc, - ntlmssp_state->crypt->ntlm.seq_num); - if (!ok) { - return NT_STATUS_NO_MEMORY; - } - - /* - * The order of these two operations matters - we - * must first seal the packet, then seal the - * sequence number - this is because the ntlmv1_arc4_state - * is not constant, but is is rather updated with - * each iteration - */ - - dump_arc4_state("ntlmv1 arc4 state:\n", - &ntlmssp_state->crypt->ntlm.seal_state); - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, - data, length); - - dump_arc4_state("ntlmv1 arc4 state:\n", - &ntlmssp_state->crypt->ntlm.seal_state); - - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, - sig->data+4, sig->length-4); - - ntlmssp_state->crypt->ntlm.seq_num++; - } - dump_data_pw("ntlmssp signature\n", sig->data, sig->length); - dump_data_pw("ntlmssp sealed data\n", data, length); - - return NT_STATUS_OK; -} - -/** - * Unseal data with the NTLMSSP algorithm - * - */ - -NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, - uint8_t *data, size_t length, - const uint8_t *whole_pdu, size_t pdu_length, - const DATA_BLOB *sig) -{ - NTSTATUS status; - if (!ntlmssp_state->session_key.length) { - DEBUG(3, ("NO session key, cannot unseal packet\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - DEBUG(10,("ntlmssp_unseal_packet: seal\n")); - dump_data_pw("ntlmssp sealed data\n", data, length); - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - /* First unseal the data. */ - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, - data, length); - dump_data_pw("ntlmv2 clear data\n", data, length); - } else { - arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state, - data, length); - dump_data_pw("ntlmv1 clear data\n", data, length); - } - status = ntlmssp_check_packet(ntlmssp_state, - data, length, - whole_pdu, pdu_length, - sig); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n", - (unsigned long long)length)); - } - return status; -} - -/** - Initialise the state for NTLMSSP signing. -*/ -NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state) -{ - DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n")); - debug_ntlmssp_flags(ntlmssp_state->neg_flags); - - if (ntlmssp_state->session_key.length < 8) { - DEBUG(3, ("NO session key, cannot intialise signing\n")); - return NT_STATUS_NO_USER_SESSION_KEY; - } - - ntlmssp_state->crypt = talloc_zero(ntlmssp_state, - union ntlmssp_crypt_state); - if (ntlmssp_state->crypt == NULL) { - return NT_STATUS_NO_MEMORY; - } - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - DATA_BLOB weak_session_key = ntlmssp_state->session_key; - const char *send_sign_const; - const char *send_seal_const; - const char *recv_sign_const; - const char *recv_seal_const; - uint8_t send_seal_key[16]; - DATA_BLOB send_seal_blob = data_blob_const(send_seal_key, - sizeof(send_seal_key)); - uint8_t recv_seal_key[16]; - DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key, - sizeof(recv_seal_key)); - - switch (ntlmssp_state->role) { - case NTLMSSP_CLIENT: - send_sign_const = CLI_SIGN; - send_seal_const = CLI_SEAL; - recv_sign_const = SRV_SIGN; - recv_seal_const = SRV_SEAL; - break; - case NTLMSSP_SERVER: - send_sign_const = SRV_SIGN; - send_seal_const = SRV_SEAL; - recv_sign_const = CLI_SIGN; - recv_seal_const = CLI_SEAL; - break; - default: - return NT_STATUS_INTERNAL_ERROR; - } - - /* - * Weaken NTLMSSP keys to cope with down-level - * clients, servers and export restrictions. - * - * We probably should have some parameters to - * control this, once we get NTLM2 working. - * - * Key weakening was not performed on the master key - * for NTLM2, but must be done on the encryption subkeys only. - */ - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { - /* nothing to do */ - } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { - weak_session_key.length = 7; - } else { /* forty bits */ - weak_session_key.length = 5; - } - - dump_data_pw("NTLMSSP weakend master key:\n", - weak_session_key.data, - weak_session_key.length); - - /* SEND: sign key */ - calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key, - ntlmssp_state->session_key, send_sign_const); - dump_data_pw("NTLMSSP send sign key:\n", - ntlmssp_state->crypt->ntlm2.sending.sign_key, 16); - - /* SEND: seal ARCFOUR pad */ - calc_ntlmv2_key(send_seal_key, - weak_session_key, send_seal_const); - dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16); - - arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state, - &send_seal_blob); - - dump_arc4_state("NTLMSSP send seal arc4 state:\n", - &ntlmssp_state->crypt->ntlm2.sending.seal_state); - - /* SEND: seq num */ - ntlmssp_state->crypt->ntlm2.sending.seq_num = 0; - - /* RECV: sign key */ - calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key, - ntlmssp_state->session_key, recv_sign_const); - dump_data_pw("NTLMSSP recv sign key:\n", - ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16); - - /* RECV: seal ARCFOUR pad */ - calc_ntlmv2_key(recv_seal_key, - weak_session_key, recv_seal_const); - dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16); - - arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state, - &recv_seal_blob); - - dump_arc4_state("NTLMSSP recv seal arc4 state:\n", - &ntlmssp_state->crypt->ntlm2.receiving.seal_state); - - /* RECV: seq num */ - ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0; - } else { - uint8_t weak_session_key[8]; - DATA_BLOB seal_session_key = ntlmssp_state->session_key; - bool do_weak = false; - - DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n")); - - /* - * Key weakening not performed on the master key for NTLM2 - * and does not occour for NTLM1. Therefore we only need - * to do this for the LM_KEY. - */ - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) { - do_weak = true; - } - - /* - * Nothing to weaken. - * We certainly don't want to 'extend' the length... - */ - if (seal_session_key.length < 16) { - /* TODO: is this really correct? */ - do_weak = false; - } - - if (do_weak) { - memcpy(weak_session_key, seal_session_key.data, 8); - seal_session_key = data_blob_const(weak_session_key, 8); - - /* - * LM key doesn't support 128 bit crypto, so this is - * the best we can do. If you negotiate 128 bit, but - * not 56, you end up with 40 bit... - */ - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { - weak_session_key[7] = 0xa0; - } else { /* forty bits */ - weak_session_key[5] = 0xe5; - weak_session_key[6] = 0x38; - weak_session_key[7] = 0xb0; - } - } - - arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state, - &seal_session_key); - - dump_arc4_state("NTLMv1 arc4 state:\n", - &ntlmssp_state->crypt->ntlm.seal_state); - - ntlmssp_state->crypt->ntlm.seq_num = 0; - } - - return NT_STATUS_OK; -} -- cgit