From d3e7266676f3516c4d5493d11cf75099365b69dc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 30 Dec 2009 17:57:54 +0100 Subject: s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner --- source4/auth/ntlmssp/ntlmssp_sign.c | 145 ++++++++++++++++++------------------ 1 file changed, 73 insertions(+), 72 deletions(-) (limited to 'source4/auth/ntlmssp/ntlmssp_sign.c') diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c index 62b5f61766..7877439962 100644 --- a/source4/auth/ntlmssp/ntlmssp_sign.c +++ b/source4/auth/ntlmssp/ntlmssp_sign.c @@ -58,14 +58,14 @@ enum ntlmssp_direction { NTLMSSP_RECEIVE }; -static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gensec_ntlmssp_state, +static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, enum ntlmssp_direction direction, DATA_BLOB *sig, bool encrypt_sig) { - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { HMACMD5Context ctx; uint8_t digest[16]; @@ -78,29 +78,29 @@ static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gense switch (direction) { case NTLMSSP_SEND: - SIVAL(seq_num, 0, gensec_ntlmssp_state->crypt.ntlm2.send_seq_num); - gensec_ntlmssp_state->crypt.ntlm2.send_seq_num++; - hmac_md5_init_limK_to_64(gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.data, - gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.length, &ctx); + SIVAL(seq_num, 0, ntlmssp_state->crypt.ntlm2.send_seq_num); + ntlmssp_state->crypt.ntlm2.send_seq_num++; + hmac_md5_init_limK_to_64(ntlmssp_state->crypt.ntlm2.send_sign_key.data, + ntlmssp_state->crypt.ntlm2.send_sign_key.length, &ctx); break; case NTLMSSP_RECEIVE: - SIVAL(seq_num, 0, gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num); - gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num++; - hmac_md5_init_limK_to_64(gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, - gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.length, &ctx); + SIVAL(seq_num, 0, ntlmssp_state->crypt.ntlm2.recv_seq_num); + ntlmssp_state->crypt.ntlm2.recv_seq_num++; + hmac_md5_init_limK_to_64(ntlmssp_state->crypt.ntlm2.recv_sign_key.data, + ntlmssp_state->crypt.ntlm2.recv_sign_key.length, &ctx); break; } hmac_md5_update(seq_num, sizeof(seq_num), &ctx); hmac_md5_update(whole_pdu, pdu_length, &ctx); hmac_md5_final(digest, &ctx); - if (encrypt_sig && gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { + if (encrypt_sig && ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { switch (direction) { case NTLMSSP_SEND: - arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, digest, 8); + arcfour_crypt_sbox(ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, digest, 8); break; case NTLMSSP_RECEIVE: - arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, digest, 8); + arcfour_crypt_sbox(ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, digest, 8); break; } } @@ -116,12 +116,13 @@ static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gense uint32_t crc; crc = crc32_calc_buffer(data, length); if (!msrpc_gen(sig_mem_ctx, - sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->crypt.ntlm.seq_num)) { + sig, "dddd", NTLMSSP_SIGN_VERSION, 0, + crc, ntlmssp_state->crypt.ntlm.seq_num)) { return NT_STATUS_NO_MEMORY; } - gensec_ntlmssp_state->crypt.ntlm.seq_num++; + ntlmssp_state->crypt.ntlm.seq_num++; - arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, sig->data+4, sig->length-4); + arcfour_crypt_sbox(ntlmssp_state->crypt.ntlm.arcfour_state, sig->data+4, sig->length-4); DEBUG(10, ("NTLM1: created signature over %llu bytes of input:\n", (unsigned long long)length)); dump_data(11, sig->data, sig->length); @@ -129,7 +130,7 @@ static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gense return NT_STATUS_OK; } -NTSTATUS ntlmssp_sign_packet(struct gensec_ntlmssp_state *ntlmssp_state, +NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, @@ -147,7 +148,7 @@ NTSTATUS ntlmssp_sign_packet(struct gensec_ntlmssp_state *ntlmssp_state, * */ -NTSTATUS ntlmssp_check_packet(struct gensec_ntlmssp_state *ntlmssp_state, +NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, @@ -211,7 +212,7 @@ NTSTATUS ntlmssp_check_packet(struct gensec_ntlmssp_state *ntlmssp_state, * */ -NTSTATUS ntlmssp_seal_packet(struct gensec_ntlmssp_state *ntlmssp_state, +NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, @@ -271,7 +272,7 @@ NTSTATUS ntlmssp_seal_packet(struct gensec_ntlmssp_state *ntlmssp_state, * */ -NTSTATUS ntlmssp_unseal_packet(struct gensec_ntlmssp_state *ntlmssp_state, +NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, @@ -303,26 +304,26 @@ NTSTATUS ntlmssp_unseal_packet(struct gensec_ntlmssp_state *ntlmssp_state, Initialise the state for NTLMSSP signing. */ /* TODO: make this non-public */ -NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) +NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state) { - TALLOC_CTX *mem_ctx = talloc_new(gensec_ntlmssp_state); + TALLOC_CTX *mem_ctx = talloc_new(ntlmssp_state); if (!mem_ctx) { return NT_STATUS_NO_MEMORY; } DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n")); - debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags); + debug_ntlmssp_flags(ntlmssp_state->neg_flags); - if (gensec_ntlmssp_state->session_key.length < 8) { + if (ntlmssp_state->session_key.length < 8) { talloc_free(mem_ctx); DEBUG(3, ("NO session key, cannot intialise signing\n")); return NT_STATUS_NO_USER_SESSION_KEY; } - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - DATA_BLOB weak_session_key = gensec_ntlmssp_state->session_key; + DATA_BLOB weak_session_key = ntlmssp_state->session_key; const char *send_sign_const; const char *send_seal_const; const char *recv_sign_const; @@ -331,7 +332,7 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) DATA_BLOB send_seal_key; DATA_BLOB recv_seal_key; - switch (gensec_ntlmssp_state->role) { + switch (ntlmssp_state->role) { case NTLMSSP_CLIENT: send_sign_const = CLI_SIGN; send_seal_const = CLI_SEAL; @@ -349,10 +350,10 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) return NT_STATUS_INTERNAL_ERROR; } - gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state); - NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); - gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state); - NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); + ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state = talloc(ntlmssp_state, struct arcfour_state); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); + ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = talloc(ntlmssp_state, struct arcfour_state); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); /** Weaken NTLMSSP keys to cope with down-level @@ -368,9 +369,9 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) * we don't have this code for the ntlmv1 case. */ - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { - } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { + } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { weak_session_key.length = 7; } else { /* forty bits */ weak_session_key.length = 5; @@ -380,12 +381,12 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) weak_session_key.length); /* SEND: sign key */ - calc_ntlmv2_key(gensec_ntlmssp_state, - &gensec_ntlmssp_state->crypt.ntlm2.send_sign_key, - gensec_ntlmssp_state->session_key, send_sign_const); + calc_ntlmv2_key(ntlmssp_state, + &ntlmssp_state->crypt.ntlm2.send_sign_key, + ntlmssp_state->session_key, send_sign_const); dump_data_pw("NTLMSSP send sign key:\n", - gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.data, - gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.length); + ntlmssp_state->crypt.ntlm2.send_sign_key.data, + ntlmssp_state->crypt.ntlm2.send_sign_key.length); /* SEND: seal ARCFOUR pad */ calc_ntlmv2_key(mem_ctx, @@ -394,19 +395,19 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) dump_data_pw("NTLMSSP send seal key:\n", send_seal_key.data, send_seal_key.length); - arcfour_init(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, + arcfour_init(ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, &send_seal_key); dump_data_pw("NTLMSSP send sesl hash:\n", - gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox, - sizeof(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox)); + ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox, + sizeof(ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox)); /* RECV: sign key */ - calc_ntlmv2_key(gensec_ntlmssp_state, - &gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key, - gensec_ntlmssp_state->session_key, recv_sign_const); + calc_ntlmv2_key(ntlmssp_state, + &ntlmssp_state->crypt.ntlm2.recv_sign_key, + ntlmssp_state->session_key, recv_sign_const); dump_data_pw("NTLMSSP recv sign key:\n", - gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, - gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.length); + ntlmssp_state->crypt.ntlm2.recv_sign_key.data, + ntlmssp_state->crypt.ntlm2.recv_sign_key.length); /* RECV: seal ARCFOUR pad */ calc_ntlmv2_key(mem_ctx, @@ -415,28 +416,28 @@ NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key.data, recv_seal_key.length); - arcfour_init(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, + arcfour_init(ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, &recv_seal_key); dump_data_pw("NTLMSSP receive seal hash:\n", - gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox, - sizeof(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox)); + ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox, + sizeof(ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox)); - gensec_ntlmssp_state->crypt.ntlm2.send_seq_num = 0; - gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num = 0; + ntlmssp_state->crypt.ntlm2.send_seq_num = 0; + ntlmssp_state->crypt.ntlm2.recv_seq_num = 0; } else { - DATA_BLOB weak_session_key = ntlmssp_weakend_key(gensec_ntlmssp_state, mem_ctx); + DATA_BLOB weak_session_key = ntlmssp_weakend_key(ntlmssp_state, mem_ctx); DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n")); - gensec_ntlmssp_state->crypt.ntlm.arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state); - NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm.arcfour_state); + ntlmssp_state->crypt.ntlm.arcfour_state = talloc(ntlmssp_state, struct arcfour_state); + NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->crypt.ntlm.arcfour_state); - arcfour_init(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, + arcfour_init(ntlmssp_state->crypt.ntlm.arcfour_state, &weak_session_key); - dump_data_pw("NTLMSSP hash:\n", gensec_ntlmssp_state->crypt.ntlm.arcfour_state->sbox, - sizeof(gensec_ntlmssp_state->crypt.ntlm.arcfour_state->sbox)); + dump_data_pw("NTLMSSP hash:\n", ntlmssp_state->crypt.ntlm.arcfour_state->sbox, + sizeof(ntlmssp_state->crypt.ntlm.arcfour_state->sbox)); - gensec_ntlmssp_state->crypt.ntlm.seq_num = 0; + ntlmssp_state->crypt.ntlm.seq_num = 0; } talloc_free(mem_ctx); @@ -594,7 +595,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, struct gensec_ntlmssp_context *gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data, struct gensec_ntlmssp_context); - struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_ntlmssp->ntlmssp_state; + struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; DATA_BLOB sig; if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { @@ -626,15 +627,15 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, sig.length = NTLMSSP_SIG_SIZE; *out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE); - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - ntlm2_seqnum_r = gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num; - ntlm2_state_r = *gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state; + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + ntlm2_seqnum_r = ntlmssp_state->crypt.ntlm2.recv_seq_num; + ntlm2_state_r = *ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state; memcpy(ntlm2_key_r, - gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, + ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 16); } else { - ntlm_seqnum = gensec_ntlmssp_state->crypt.ntlm.seq_num; - ntlm_state = *gensec_ntlmssp_state->crypt.ntlm.arcfour_state; + ntlm_seqnum = ntlmssp_state->crypt.ntlm.seq_num; + ntlm_state = *ntlmssp_state->crypt.ntlm.arcfour_state; } status = gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, @@ -649,14 +650,14 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, * negotiated. So we need to fallback. */ - if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { - gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num = ntlm2_seqnum_r; - *gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = ntlm2_state_r; - memcpy(gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, + if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { + ntlmssp_state->crypt.ntlm2.recv_seq_num = ntlm2_seqnum_r; + *ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = ntlm2_state_r; + memcpy(ntlmssp_state->crypt.ntlm2.recv_sign_key.data, ntlm2_key_r, 16); } else { - gensec_ntlmssp_state->crypt.ntlm.seq_num = ntlm_seqnum; - *gensec_ntlmssp_state->crypt.ntlm.arcfour_state = ntlm_state; + ntlmssp_state->crypt.ntlm.seq_num = ntlm_seqnum; + *ntlmssp_state->crypt.ntlm.arcfour_state = ntlm_state; } status = gensec_ntlmssp_unseal_packet(gensec_security, @@ -667,7 +668,7 @@ NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, out->length, &sig); if (NT_STATUS_IS_OK(status)) { - gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } else { status = check_status; } -- cgit