Line data Source code
1 : /*
2 : * Unix SMB/CIFS implementation.
3 : * Version 3.0
4 : * NTLMSSP Signing routines
5 : * Copyright (C) Andrew Bartlett 2003-2005
6 : *
7 : * This program is free software; you can redistribute it and/or modify
8 : * it under the terms of the GNU General Public License as published by
9 : * the Free Software Foundation; either version 3 of the License, or
10 : * (at your option) any later version.
11 : *
12 : * This program is distributed in the hope that it will be useful,
13 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 : * GNU General Public License for more details.
16 : *
17 : * You should have received a copy of the GNU General Public License
18 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 : */
20 :
21 : #include "includes.h"
22 : #include "../auth/ntlmssp/ntlmssp.h"
23 : #include "../libcli/auth/libcli_auth.h"
24 : #include "zlib.h"
25 : #include "../auth/ntlmssp/ntlmssp_private.h"
26 :
27 : #include "lib/crypto/gnutls_helpers.h"
28 : #include <gnutls/gnutls.h>
29 : #include <gnutls/crypto.h>
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_AUTH
33 :
34 : #define CLI_SIGN "session key to client-to-server signing key magic constant"
35 : #define CLI_SEAL "session key to client-to-server sealing key magic constant"
36 : #define SRV_SIGN "session key to server-to-client signing key magic constant"
37 : #define SRV_SEAL "session key to server-to-client sealing key magic constant"
38 :
39 : /**
40 : * Some notes on the NTLM2 code:
41 : *
42 : * NTLM2 is a AEAD system. This means that the data encrypted is not
43 : * all the data that is signed. In DCE-RPC case, the headers of the
44 : * DCE-RPC packets are also signed. This prevents some of the
45 : * fun-and-games one might have by changing them.
46 : *
47 : */
48 :
49 268332 : static void dump_arc4_state(const char *description,
50 : gnutls_cipher_hd_t *state)
51 : {
52 268332 : DBG_DEBUG("%s\n", description);
53 268332 : }
54 :
55 517508 : static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
56 : DATA_BLOB session_key,
57 : const char *constant)
58 : {
59 517508 : gnutls_hash_hd_t hash_hnd = NULL;
60 2100 : int rc;
61 :
62 517508 : rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
63 517508 : if (rc < 0) {
64 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
65 : }
66 517508 : rc = gnutls_hash(hash_hnd, session_key.data, session_key.length);
67 517508 : if (rc < 0) {
68 0 : gnutls_hash_deinit(hash_hnd, NULL);
69 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
70 : }
71 517508 : rc = gnutls_hash(hash_hnd, constant, strlen(constant) + 1);
72 517508 : if (rc < 0) {
73 0 : gnutls_hash_deinit(hash_hnd, NULL);
74 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
75 : }
76 517508 : gnutls_hash_deinit(hash_hnd, subkey);
77 :
78 517508 : return NT_STATUS_OK;
79 : }
80 :
81 : enum ntlmssp_direction {
82 : NTLMSSP_SEND,
83 : NTLMSSP_RECEIVE
84 : };
85 :
86 1115020 : static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state,
87 : TALLOC_CTX *sig_mem_ctx,
88 : const uint8_t *data, size_t length,
89 : const uint8_t *whole_pdu, size_t pdu_length,
90 : enum ntlmssp_direction direction,
91 : DATA_BLOB *sig, bool encrypt_sig)
92 : {
93 1115020 : NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
94 529 : int rc;
95 :
96 1115020 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
97 1112321 : gnutls_hmac_hd_t hmac_hnd = NULL;
98 526 : uint8_t digest[16];
99 526 : uint8_t seq_num[4];
100 :
101 1112321 : *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
102 1112321 : if (!sig->data) {
103 0 : return NT_STATUS_NO_MEMORY;
104 : }
105 :
106 1112321 : switch (direction) {
107 558284 : case NTLMSSP_SEND:
108 558284 : DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
109 : ntlmssp_state->crypt->ntlm2.sending.seq_num,
110 : (unsigned int)length,
111 : (unsigned int)pdu_length));
112 :
113 558284 : SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num);
114 558284 : ntlmssp_state->crypt->ntlm2.sending.seq_num++;
115 :
116 558552 : rc = gnutls_hmac_init(&hmac_hnd,
117 : GNUTLS_MAC_MD5,
118 558284 : ntlmssp_state->crypt->ntlm2.sending.sign_key,
119 : 16);
120 558284 : if (rc < 0) {
121 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
122 : }
123 558016 : break;
124 554037 : case NTLMSSP_RECEIVE:
125 :
126 554037 : DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
127 : ntlmssp_state->crypt->ntlm2.receiving.seq_num,
128 : (unsigned int)length,
129 : (unsigned int)pdu_length));
130 :
131 554037 : SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num);
132 554037 : ntlmssp_state->crypt->ntlm2.receiving.seq_num++;
133 :
134 554295 : rc = gnutls_hmac_init(&hmac_hnd,
135 : GNUTLS_MAC_MD5,
136 554037 : ntlmssp_state->crypt->ntlm2.receiving.sign_key,
137 : 16);
138 554037 : if (rc < 0) {
139 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
140 : }
141 553779 : break;
142 : }
143 :
144 1112321 : dump_data_pw("pdu data ", whole_pdu, pdu_length);
145 :
146 1112321 : rc = gnutls_hmac(hmac_hnd, seq_num, sizeof(seq_num));
147 1112321 : if (rc < 0) {
148 0 : gnutls_hmac_deinit(hmac_hnd, NULL);
149 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
150 : }
151 1112321 : rc = gnutls_hmac(hmac_hnd, whole_pdu, pdu_length);
152 1112321 : if (rc < 0) {
153 0 : gnutls_hmac_deinit(hmac_hnd, NULL);
154 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
155 : }
156 1112321 : gnutls_hmac_deinit(hmac_hnd, digest);
157 :
158 1112321 : if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
159 630168 : switch (direction) {
160 76131 : case NTLMSSP_SEND:
161 76131 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
162 : digest,
163 : 8);
164 76131 : break;
165 554037 : case NTLMSSP_RECEIVE:
166 554037 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
167 : digest,
168 : 8);
169 554037 : break;
170 : }
171 630168 : if (rc < 0) {
172 0 : DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
173 : "%s packet signature failed: %s\n",
174 : direction == NTLMSSP_SEND ?
175 : "send" : "receive",
176 : gnutls_strerror(rc));
177 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
178 : }
179 : }
180 :
181 1112321 : SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
182 1112321 : memcpy(sig->data + 4, digest, 8);
183 1112321 : ZERO_ARRAY(digest);
184 1112321 : memcpy(sig->data + 12, seq_num, 4);
185 1112321 : ZERO_ARRAY(seq_num);
186 :
187 1112321 : dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length);
188 :
189 : } else {
190 3 : uint32_t crc;
191 :
192 2699 : crc = crc32(0, Z_NULL, 0);
193 2699 : crc = crc32(crc, data, length);
194 :
195 2702 : status = msrpc_gen(sig_mem_ctx,
196 : sig, "dddd",
197 : NTLMSSP_SIGN_VERSION, 0, crc,
198 2699 : ntlmssp_state->crypt->ntlm.seq_num);
199 2699 : if (!NT_STATUS_IS_OK(status)) {
200 0 : return status;
201 : }
202 :
203 2699 : ntlmssp_state->crypt->ntlm.seq_num++;
204 :
205 2699 : dump_arc4_state("ntlmssp hash: \n",
206 2696 : &ntlmssp_state->crypt->ntlm.seal_state);
207 2702 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
208 2699 : sig->data + 4,
209 2699 : sig->length - 4);
210 2699 : if (rc < 0) {
211 0 : DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
212 : "signature failed: %s\n",
213 : gnutls_strerror(rc));
214 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
215 : }
216 : }
217 :
218 1115020 : return NT_STATUS_OK;
219 : }
220 :
221 77204 : NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
222 : TALLOC_CTX *sig_mem_ctx,
223 : const uint8_t *data, size_t length,
224 : const uint8_t *whole_pdu, size_t pdu_length,
225 : DATA_BLOB *sig)
226 : {
227 269 : NTSTATUS nt_status;
228 :
229 77204 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
230 0 : DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
231 0 : return NT_STATUS_INVALID_PARAMETER;
232 : }
233 :
234 77204 : if (!ntlmssp_state->session_key.length) {
235 0 : DEBUG(3, ("NO session key, cannot check sign packet\n"));
236 0 : return NT_STATUS_NO_USER_SESSION_KEY;
237 : }
238 :
239 77204 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
240 : sig_mem_ctx,
241 : data, length,
242 : whole_pdu, pdu_length,
243 : NTLMSSP_SEND, sig, true);
244 :
245 77204 : return nt_status;
246 : }
247 :
248 : /**
249 : * Check the signature of an incoming packet
250 : * @note caller *must* check that the signature is the size it expects
251 : *
252 : */
253 :
254 555664 : NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
255 : const uint8_t *data, size_t length,
256 : const uint8_t *whole_pdu, size_t pdu_length,
257 : const DATA_BLOB *sig)
258 : {
259 261 : DATA_BLOB local_sig;
260 261 : NTSTATUS nt_status;
261 261 : TALLOC_CTX *tmp_ctx;
262 :
263 555664 : if (!ntlmssp_state->session_key.length) {
264 1 : DEBUG(3, ("NO session key, cannot check packet signature\n"));
265 1 : return NT_STATUS_NO_USER_SESSION_KEY;
266 : }
267 :
268 555663 : if (sig->length < 8) {
269 2 : DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
270 : (unsigned long)sig->length));
271 : }
272 :
273 555663 : tmp_ctx = talloc_new(ntlmssp_state);
274 555663 : if (!tmp_ctx) {
275 0 : return NT_STATUS_NO_MEMORY;
276 : }
277 :
278 555663 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
279 : tmp_ctx,
280 : data, length,
281 : whole_pdu, pdu_length,
282 : NTLMSSP_RECEIVE,
283 : &local_sig, true);
284 :
285 555663 : if (!NT_STATUS_IS_OK(nt_status)) {
286 0 : DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
287 : nt_errstr(nt_status)));
288 0 : talloc_free(tmp_ctx);
289 0 : return nt_status;
290 : }
291 :
292 555663 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
293 554295 : if (local_sig.length != sig->length ||
294 554035 : !mem_equal_const_time(local_sig.data, sig->data, sig->length)) {
295 6 : DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
296 6 : dump_data(5, local_sig.data, local_sig.length);
297 :
298 6 : DEBUG(5, ("BAD SIG: got signature of\n"));
299 6 : dump_data(5, sig->data, sig->length);
300 :
301 6 : DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
302 6 : talloc_free(tmp_ctx);
303 6 : return NT_STATUS_ACCESS_DENIED;
304 : }
305 : } else {
306 1627 : if (local_sig.length != sig->length ||
307 1625 : !mem_equal_const_time(local_sig.data + 8, sig->data + 8, sig->length - 8)) {
308 2 : DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
309 2 : dump_data(5, local_sig.data, local_sig.length);
310 :
311 2 : DEBUG(5, ("BAD SIG: got signature of\n"));
312 2 : dump_data(5, sig->data, sig->length);
313 :
314 2 : DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
315 2 : talloc_free(tmp_ctx);
316 2 : return NT_STATUS_ACCESS_DENIED;
317 : }
318 : }
319 555655 : dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length);
320 555655 : DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
321 :
322 555655 : talloc_free(tmp_ctx);
323 555655 : return NT_STATUS_OK;
324 : }
325 :
326 : /**
327 : * Seal data with the NTLMSSP algorithm
328 : *
329 : */
330 :
331 482753 : NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
332 : TALLOC_CTX *sig_mem_ctx,
333 : uint8_t *data, size_t length,
334 : const uint8_t *whole_pdu, size_t pdu_length,
335 : DATA_BLOB *sig)
336 : {
337 0 : int rc;
338 :
339 482753 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
340 0 : DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
341 0 : return NT_STATUS_INVALID_PARAMETER;
342 : }
343 :
344 482753 : if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
345 0 : DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
346 0 : return NT_STATUS_INVALID_PARAMETER;
347 : }
348 :
349 482753 : if (!ntlmssp_state->session_key.length) {
350 0 : DEBUG(3, ("NO session key, cannot seal packet\n"));
351 0 : return NT_STATUS_NO_USER_SESSION_KEY;
352 : }
353 :
354 482753 : DEBUG(10,("ntlmssp_seal_data: seal\n"));
355 482753 : dump_data_pw("ntlmssp clear data\n", data, length);
356 482753 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
357 0 : NTSTATUS nt_status;
358 : /*
359 : * The order of these two operations matters - we
360 : * must first seal the packet, then seal the
361 : * sequence number - this is because the
362 : * send_seal_hash is not constant, but is rather
363 : * updated with each iteration
364 : */
365 482153 : nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
366 : sig_mem_ctx,
367 : data, length,
368 : whole_pdu, pdu_length,
369 : NTLMSSP_SEND,
370 : sig, false);
371 482153 : if (!NT_STATUS_IS_OK(nt_status)) {
372 0 : return nt_status;
373 : }
374 :
375 482153 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
376 : data,
377 : length);
378 482153 : if (rc < 0) {
379 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
380 : "failed: %s\n",
381 : gnutls_strerror(rc));
382 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
383 : }
384 482153 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
385 482153 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
386 482153 : sig->data + 4,
387 : 8);
388 482153 : if (rc < 0) {
389 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
390 : "the EXCH signature data failed: %s\n",
391 : gnutls_strerror(rc));
392 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
393 : }
394 : }
395 : } else {
396 0 : NTSTATUS status;
397 0 : uint32_t crc;
398 :
399 600 : crc = crc32(0, Z_NULL, 0);
400 600 : crc = crc32(crc, data, length);
401 :
402 600 : status = msrpc_gen(sig_mem_ctx,
403 : sig, "dddd",
404 : NTLMSSP_SIGN_VERSION, 0, crc,
405 600 : ntlmssp_state->crypt->ntlm.seq_num);
406 600 : if (!NT_STATUS_IS_OK(status)) {
407 0 : return status;
408 : }
409 :
410 : /*
411 : * The order of these two operations matters - we
412 : * must first seal the packet, then seal the
413 : * sequence number - this is because the ntlmv1_arc4_state
414 : * is not constant, but is rather updated with
415 : * each iteration
416 : */
417 600 : dump_arc4_state("ntlmv1 arc4 state:\n",
418 600 : &ntlmssp_state->crypt->ntlm.seal_state);
419 600 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
420 : data,
421 : length);
422 600 : if (rc < 0) {
423 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
424 : "failed: %s\n",
425 : gnutls_strerror(rc));
426 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
427 : }
428 :
429 600 : dump_arc4_state("ntlmv1 arc4 state:\n",
430 600 : &ntlmssp_state->crypt->ntlm.seal_state);
431 :
432 600 : rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
433 600 : sig->data + 4,
434 600 : sig->length - 4);
435 600 : if (rc < 0) {
436 0 : DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
437 : "data failed: %s\n",
438 : gnutls_strerror(rc));
439 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
440 : }
441 :
442 600 : ntlmssp_state->crypt->ntlm.seq_num++;
443 : }
444 482753 : dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
445 482753 : dump_data_pw("ntlmssp sealed data\n", data, length);
446 :
447 482753 : return NT_STATUS_OK;
448 : }
449 :
450 : /**
451 : * Unseal data with the NTLMSSP algorithm
452 : *
453 : */
454 :
455 482741 : NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
456 : uint8_t *data, size_t length,
457 : const uint8_t *whole_pdu, size_t pdu_length,
458 : const DATA_BLOB *sig)
459 : {
460 0 : NTSTATUS status;
461 0 : int rc;
462 :
463 482741 : if (!ntlmssp_state->session_key.length) {
464 0 : DEBUG(3, ("NO session key, cannot unseal packet\n"));
465 0 : return NT_STATUS_NO_USER_SESSION_KEY;
466 : }
467 :
468 482741 : DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
469 482741 : dump_data_pw("ntlmssp sealed data\n", data, length);
470 :
471 482741 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
472 : /* First unseal the data. */
473 482141 : rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
474 : data,
475 : length);
476 482141 : if (rc < 0) {
477 0 : DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
478 : "data failed: %s\n",
479 : gnutls_strerror(rc));
480 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
481 : }
482 482141 : dump_data_pw("ntlmv2 clear data\n", data, length);
483 : } else {
484 600 : rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
485 : data,
486 : length);
487 600 : if (rc < 0) {
488 0 : DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
489 : "data failed: %s\n",
490 : gnutls_strerror(rc));
491 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
492 : }
493 600 : dump_data_pw("ntlmv1 clear data\n", data, length);
494 : }
495 :
496 482741 : status = ntlmssp_check_packet(ntlmssp_state,
497 : data, length,
498 : whole_pdu, pdu_length,
499 : sig);
500 :
501 482741 : if (!NT_STATUS_IS_OK(status)) {
502 0 : DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
503 : (unsigned long long)length));
504 : }
505 482741 : return status;
506 : }
507 :
508 456123 : NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
509 : TALLOC_CTX *out_mem_ctx,
510 : const DATA_BLOB *in,
511 : DATA_BLOB *out)
512 : {
513 0 : NTSTATUS nt_status;
514 0 : DATA_BLOB sig;
515 :
516 456123 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
517 456123 : if (in->length + NTLMSSP_SIG_SIZE < in->length) {
518 0 : return NT_STATUS_INVALID_PARAMETER;
519 : }
520 :
521 456123 : *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
522 456123 : if (!out->data) {
523 0 : return NT_STATUS_NO_MEMORY;
524 : }
525 456123 : memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
526 :
527 456123 : nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx,
528 456123 : out->data + NTLMSSP_SIG_SIZE,
529 456123 : out->length - NTLMSSP_SIG_SIZE,
530 456123 : out->data + NTLMSSP_SIG_SIZE,
531 456123 : out->length - NTLMSSP_SIG_SIZE,
532 : &sig);
533 :
534 456123 : if (NT_STATUS_IS_OK(nt_status)) {
535 456123 : memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
536 456123 : talloc_free(sig.data);
537 : }
538 456123 : return nt_status;
539 :
540 0 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
541 0 : if (in->length + NTLMSSP_SIG_SIZE < in->length) {
542 0 : return NT_STATUS_INVALID_PARAMETER;
543 : }
544 :
545 0 : *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
546 0 : if (!out->data) {
547 0 : return NT_STATUS_NO_MEMORY;
548 : }
549 0 : memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
550 :
551 0 : nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx,
552 0 : out->data + NTLMSSP_SIG_SIZE,
553 0 : out->length - NTLMSSP_SIG_SIZE,
554 0 : out->data + NTLMSSP_SIG_SIZE,
555 0 : out->length - NTLMSSP_SIG_SIZE,
556 : &sig);
557 :
558 0 : if (NT_STATUS_IS_OK(nt_status)) {
559 0 : memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
560 0 : talloc_free(sig.data);
561 : }
562 0 : return nt_status;
563 : } else {
564 0 : *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
565 0 : if (!out->data) {
566 0 : return NT_STATUS_NO_MEMORY;
567 : }
568 0 : return NT_STATUS_OK;
569 : }
570 : }
571 :
572 456120 : NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
573 : TALLOC_CTX *out_mem_ctx,
574 : const DATA_BLOB *in,
575 : DATA_BLOB *out)
576 : {
577 0 : DATA_BLOB sig;
578 :
579 456120 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
580 456120 : if (in->length < NTLMSSP_SIG_SIZE) {
581 0 : return NT_STATUS_INVALID_PARAMETER;
582 : }
583 456120 : sig.data = in->data;
584 456120 : sig.length = NTLMSSP_SIG_SIZE;
585 :
586 456120 : *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
587 :
588 456120 : return ntlmssp_unseal_packet(ntlmssp_state,
589 : out->data, out->length,
590 456120 : out->data, out->length,
591 : &sig);
592 :
593 0 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
594 0 : if (in->length < NTLMSSP_SIG_SIZE) {
595 0 : return NT_STATUS_INVALID_PARAMETER;
596 : }
597 0 : sig.data = in->data;
598 0 : sig.length = NTLMSSP_SIG_SIZE;
599 :
600 0 : *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
601 :
602 0 : return ntlmssp_check_packet(ntlmssp_state,
603 0 : out->data, out->length,
604 0 : out->data, out->length,
605 : &sig);
606 : } else {
607 0 : *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
608 0 : if (!out->data) {
609 0 : return NT_STATUS_NO_MEMORY;
610 : }
611 0 : return NT_STATUS_OK;
612 : }
613 : }
614 :
615 : /**
616 : Initialise the state for NTLMSSP signing.
617 : */
618 135056 : NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
619 : bool reset_seqnums)
620 : {
621 566 : int rc;
622 :
623 135056 : DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
624 135056 : debug_ntlmssp_flags(ntlmssp_state->neg_flags);
625 :
626 135056 : if (ntlmssp_state->crypt == NULL) {
627 0 : return NT_STATUS_INVALID_PARAMETER_MIX;
628 : }
629 :
630 135056 : if (ntlmssp_state->force_wrap_seal &&
631 35038 : (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
632 : {
633 : /*
634 : * We need to handle NTLMSSP_NEGOTIATE_SIGN as
635 : * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
636 : * is requested.
637 : *
638 : * The negotiation of flags (and authentication)
639 : * is completed when ntlmssp_sign_init() is called
640 : * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
641 : * was negotiated.
642 : */
643 35038 : ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
644 : }
645 :
646 135056 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
647 129377 : DATA_BLOB weak_session_key = ntlmssp_state->session_key;
648 525 : const char *send_sign_const;
649 525 : const char *send_seal_const;
650 525 : const char *recv_sign_const;
651 525 : const char *recv_seal_const;
652 129377 : uint8_t send_seal_key[16] = {0};
653 129377 : gnutls_datum_t send_seal_blob = {
654 : .data = send_seal_key,
655 : .size = sizeof(send_seal_key),
656 : };
657 129377 : uint8_t recv_seal_key[16] = {0};
658 129377 : gnutls_datum_t recv_seal_blob = {
659 : .data = recv_seal_key,
660 : .size = sizeof(recv_seal_key),
661 : };
662 525 : NTSTATUS status;
663 :
664 129377 : switch (ntlmssp_state->role) {
665 66744 : case NTLMSSP_CLIENT:
666 66744 : send_sign_const = CLI_SIGN;
667 66744 : send_seal_const = CLI_SEAL;
668 66744 : recv_sign_const = SRV_SIGN;
669 66744 : recv_seal_const = SRV_SEAL;
670 66744 : break;
671 62366 : case NTLMSSP_SERVER:
672 62366 : send_sign_const = SRV_SIGN;
673 62366 : send_seal_const = SRV_SEAL;
674 62366 : recv_sign_const = CLI_SIGN;
675 62366 : recv_seal_const = CLI_SEAL;
676 62366 : break;
677 0 : default:
678 0 : return NT_STATUS_INTERNAL_ERROR;
679 : }
680 :
681 : /*
682 : * Weaken NTLMSSP keys to cope with down-level
683 : * clients, servers and export restrictions.
684 : *
685 : * We probably should have some parameters to
686 : * control this, once we get NTLM2 working.
687 : *
688 : * Key weakening was not performed on the master key
689 : * for NTLM2, but must be done on the encryption subkeys only.
690 : */
691 :
692 129377 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
693 : /* nothing to do */
694 880 : } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
695 352 : weak_session_key.length = 7;
696 : } else { /* forty bits */
697 528 : weak_session_key.length = 5;
698 : }
699 :
700 129377 : dump_data_pw("NTLMSSP weakend master key:\n",
701 128852 : weak_session_key.data,
702 : weak_session_key.length);
703 :
704 : /* SEND: sign key */
705 129377 : status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key,
706 : ntlmssp_state->session_key, send_sign_const);
707 129377 : if (!NT_STATUS_IS_OK(status)) {
708 0 : return status;
709 : }
710 129377 : dump_data_pw("NTLMSSP send sign key:\n",
711 129377 : ntlmssp_state->crypt->ntlm2.sending.sign_key, 16);
712 :
713 : /* SEND: seal ARCFOUR pad */
714 129377 : status = calc_ntlmv2_key(send_seal_key,
715 : weak_session_key,
716 : send_seal_const);
717 129377 : if (!NT_STATUS_IS_OK(status)) {
718 0 : return status;
719 : }
720 129377 : dump_data_pw("NTLMSSP send seal key:\n",
721 : send_seal_key,
722 : sizeof(send_seal_key));
723 :
724 129377 : if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
725 62268 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
726 : }
727 129377 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
728 : GNUTLS_CIPHER_ARCFOUR_128,
729 : &send_seal_blob,
730 : NULL);
731 129377 : if (rc < 0) {
732 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
733 : gnutls_strerror(rc));
734 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
735 : }
736 :
737 129377 : dump_arc4_state("NTLMSSP send seal arc4 state:\n",
738 129377 : &ntlmssp_state->crypt->ntlm2.sending.seal_state);
739 :
740 : /* SEND: seq num */
741 129377 : if (reset_seqnums) {
742 70041 : ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
743 : }
744 :
745 : /* RECV: sign key */
746 129377 : status = calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
747 : ntlmssp_state->session_key, recv_sign_const);
748 129377 : if (!NT_STATUS_IS_OK(status)) {
749 0 : return status;
750 : }
751 129377 : dump_data_pw("NTLMSSP recv sign key:\n",
752 129377 : ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16);
753 :
754 : /* RECV: seal ARCFOUR pad */
755 129377 : status = calc_ntlmv2_key(recv_seal_key,
756 : weak_session_key,
757 : recv_seal_const);
758 129377 : if (!NT_STATUS_IS_OK(status)) {
759 0 : return status;
760 : }
761 129377 : dump_data_pw("NTLMSSP recv seal key:\n",
762 : recv_seal_key,
763 : sizeof(recv_seal_key));
764 :
765 129377 : if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
766 62268 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
767 : }
768 129377 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
769 : GNUTLS_CIPHER_ARCFOUR_128,
770 : &recv_seal_blob,
771 : NULL);
772 129377 : if (rc < 0) {
773 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
774 : gnutls_strerror(rc));
775 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
776 : }
777 :
778 129377 : dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
779 129377 : &ntlmssp_state->crypt->ntlm2.receiving.seal_state);
780 :
781 : /* RECV: seq num */
782 129377 : if (reset_seqnums) {
783 70041 : ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
784 : }
785 : } else {
786 5679 : gnutls_datum_t seal_session_key = {
787 5679 : .data = ntlmssp_state->session_key.data,
788 5679 : .size = ntlmssp_state->session_key.length,
789 : };
790 5679 : bool do_weak = false;
791 :
792 5679 : DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
793 :
794 : /*
795 : * Key weakening not performed on the master key for NTLM2
796 : * and does not occur for NTLM1. Therefore we only need
797 : * to do this for the LM_KEY.
798 : */
799 5679 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
800 0 : do_weak = true;
801 : }
802 :
803 : /*
804 : * Nothing to weaken.
805 : * We certainly don't want to 'extend' the length...
806 : */
807 5679 : if (ntlmssp_state->session_key.length < 16) {
808 : /* TODO: is this really correct? */
809 0 : do_weak = false;
810 : }
811 :
812 5678 : if (do_weak) {
813 0 : uint8_t weak_session_key[8];
814 :
815 0 : memcpy(weak_session_key, seal_session_key.data, 8);
816 0 : seal_session_key = (gnutls_datum_t) {
817 : .data = weak_session_key,
818 : .size = sizeof(weak_session_key),
819 : };
820 :
821 : /*
822 : * LM key doesn't support 128 bit crypto, so this is
823 : * the best we can do. If you negotiate 128 bit, but
824 : * not 56, you end up with 40 bit...
825 : */
826 0 : if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
827 0 : weak_session_key[7] = 0xa0;
828 : } else { /* forty bits */
829 0 : weak_session_key[5] = 0xe5;
830 0 : weak_session_key[6] = 0x38;
831 0 : weak_session_key[7] = 0xb0;
832 : }
833 : }
834 :
835 5679 : if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
836 2762 : gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
837 : }
838 5679 : rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
839 : GNUTLS_CIPHER_ARCFOUR_128,
840 : &seal_session_key,
841 : NULL);
842 5679 : if (rc < 0) {
843 0 : DBG_ERR("gnutls_cipher_init failed: %s\n",
844 : gnutls_strerror(rc));
845 0 : return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
846 : }
847 :
848 5679 : dump_arc4_state("NTLMv1 arc4 state:\n",
849 5679 : &ntlmssp_state->crypt->ntlm.seal_state);
850 :
851 5679 : if (reset_seqnums) {
852 4655 : ntlmssp_state->crypt->ntlm.seq_num = 0;
853 : }
854 : }
855 :
856 135056 : return NT_STATUS_OK;
857 : }
858 :
859 69500 : static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
860 : {
861 69500 : if (c->ntlm2.sending.seal_state != NULL) {
862 69500 : gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
863 69500 : c->ntlm2.sending.seal_state = NULL;
864 : }
865 69500 : if (c->ntlm2.receiving.seal_state != NULL) {
866 66587 : gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
867 66587 : c->ntlm2.receiving.seal_state = NULL;
868 : }
869 69500 : if (c->ntlm.seal_state != NULL) {
870 0 : gnutls_cipher_deinit(c->ntlm.seal_state);
871 0 : c->ntlm.seal_state = NULL;
872 : }
873 :
874 69500 : return 0;
875 : }
876 :
877 70026 : NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
878 : {
879 70026 : if (ntlmssp_state->session_key.length < 8) {
880 0 : DEBUG(3, ("NO session key, cannot initialise signing\n"));
881 0 : return NT_STATUS_NO_USER_SESSION_KEY;
882 : }
883 :
884 70026 : ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
885 : union ntlmssp_crypt_state);
886 70026 : if (ntlmssp_state->crypt == NULL) {
887 0 : return NT_STATUS_NO_MEMORY;
888 : }
889 70026 : talloc_set_destructor(ntlmssp_state->crypt,
890 : ntlmssp_crypt_free_gnutls_cipher_state);
891 :
892 70026 : return ntlmssp_sign_reset(ntlmssp_state, true);
893 : }
|