1/* 2 * Unix SMB/CIFS implementation. 3 * Version 3.0 4 * NTLMSSP Signing routines 5 * Copyright (C) Luke Kenneth Casson Leighton 1996-2001 6 * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2005 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 3 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, see <http://www.gnu.org/licenses/>. 20 */ 21 22#include "includes.h" 23#include "auth/ntlmssp/ntlmssp.h" 24#include "../librpc/gen_ndr/ntlmssp.h" 25#include "../libcli/auth/libcli_auth.h" 26#include "../lib/crypto/crypto.h" 27#include "auth/gensec/gensec.h" 28 29#define CLI_SIGN "session key to client-to-server signing key magic constant" 30#define CLI_SEAL "session key to client-to-server sealing key magic constant" 31#define SRV_SIGN "session key to server-to-client signing key magic constant" 32#define SRV_SEAL "session key to server-to-client sealing key magic constant" 33 34/** 35 * Some notes on the NTLM2 code: 36 * 37 * NTLM2 is a AEAD system. This means that the data encrypted is not 38 * all the data that is signed. In DCE-RPC case, the headers of the 39 * DCE-RPC packets are also signed. This prevents some of the 40 * fun-and-games one might have by changing them. 41 * 42 */ 43 44static void calc_ntlmv2_key(TALLOC_CTX *mem_ctx, 45 DATA_BLOB *subkey, 46 DATA_BLOB session_key, 47 const char *constant) 48{ 49 struct MD5Context ctx3; 50 *subkey = data_blob_talloc(mem_ctx, NULL, 16); 51 MD5Init(&ctx3); 52 MD5Update(&ctx3, session_key.data, session_key.length); 53 MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1); 54 MD5Final(subkey->data, &ctx3); 55} 56 57enum ntlmssp_direction { 58 NTLMSSP_SEND, 59 NTLMSSP_RECEIVE 60}; 61 62static NTSTATUS ntlmssp_make_packet_signature(struct gensec_ntlmssp_state *gensec_ntlmssp_state, 63 TALLOC_CTX *sig_mem_ctx, 64 const uint8_t *data, size_t length, 65 const uint8_t *whole_pdu, size_t pdu_length, 66 enum ntlmssp_direction direction, 67 DATA_BLOB *sig, bool encrypt_sig) 68{ 69 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 70 71 HMACMD5Context ctx; 72 uint8_t digest[16]; 73 uint8_t seq_num[4]; 74 75 *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE); 76 if (!sig->data) { 77 return NT_STATUS_NO_MEMORY; 78 } 79 80 switch (direction) { 81 case NTLMSSP_SEND: 82 SIVAL(seq_num, 0, gensec_ntlmssp_state->crypt.ntlm2.send_seq_num); 83 gensec_ntlmssp_state->crypt.ntlm2.send_seq_num++; 84 hmac_md5_init_limK_to_64(gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.data, 85 gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.length, &ctx); 86 break; 87 case NTLMSSP_RECEIVE: 88 SIVAL(seq_num, 0, gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num); 89 gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num++; 90 hmac_md5_init_limK_to_64(gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 91 gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.length, &ctx); 92 break; 93 } 94 hmac_md5_update(seq_num, sizeof(seq_num), &ctx); 95 hmac_md5_update(whole_pdu, pdu_length, &ctx); 96 hmac_md5_final(digest, &ctx); 97 98 if (encrypt_sig && gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { 99 switch (direction) { 100 case NTLMSSP_SEND: 101 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, digest, 8); 102 break; 103 case NTLMSSP_RECEIVE: 104 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, digest, 8); 105 break; 106 } 107 } 108 109 SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION); 110 memcpy(sig->data + 4, digest, 8); 111 memcpy(sig->data + 12, seq_num, 4); 112 113 DEBUG(10, ("NTLM2: created signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); 114 dump_data(11, sig->data, sig->length); 115 116 } else { 117 uint32_t crc; 118 crc = crc32_calc_buffer(data, length); 119 if (!msrpc_gen(sig_mem_ctx, 120 sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->crypt.ntlm.seq_num)) { 121 return NT_STATUS_NO_MEMORY; 122 } 123 gensec_ntlmssp_state->crypt.ntlm.seq_num++; 124 125 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, sig->data+4, sig->length-4); 126 127 DEBUG(10, ("NTLM1: created signature over %llu bytes of input:\n", (unsigned long long)length)); 128 dump_data(11, sig->data, sig->length); 129 } 130 return NT_STATUS_OK; 131} 132 133/* TODO: make this non-public */ 134NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security, 135 TALLOC_CTX *sig_mem_ctx, 136 const uint8_t *data, size_t length, 137 const uint8_t *whole_pdu, size_t pdu_length, 138 DATA_BLOB *sig) 139{ 140 struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; 141 142 return ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 143 data, length, 144 whole_pdu, pdu_length, 145 NTLMSSP_SEND, sig, true); 146} 147 148/** 149 * Check the signature of an incoming packet 150 * 151 */ 152 153NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, 154 TALLOC_CTX *sig_mem_ctx, 155 const uint8_t *data, size_t length, 156 const uint8_t *whole_pdu, size_t pdu_length, 157 const DATA_BLOB *sig) 158{ 159 struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; 160 161 DATA_BLOB local_sig; 162 NTSTATUS nt_status; 163 164 if (!gensec_ntlmssp_state->session_key.length) { 165 DEBUG(3, ("NO session key, cannot check packet signature\n")); 166 return NT_STATUS_NO_USER_SESSION_KEY; 167 } 168 169 nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 170 data, length, 171 whole_pdu, pdu_length, 172 NTLMSSP_RECEIVE, &local_sig, true); 173 174 if (!NT_STATUS_IS_OK(nt_status)) { 175 DEBUG(0, ("NTLMSSP packet check failed with %s\n", nt_errstr(nt_status))); 176 return nt_status; 177 } 178 179 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 180 if (local_sig.length != sig->length || 181 memcmp(local_sig.data, 182 sig->data, sig->length) != 0) { 183 DEBUG(5, ("BAD SIG NTLM2: wanted signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); 184 dump_data(5, local_sig.data, local_sig.length); 185 186 DEBUG(5, ("BAD SIG: got signature over %llu bytes of input:\n", (unsigned long long)pdu_length)); 187 dump_data(5, sig->data, sig->length); 188 189 DEBUG(1, ("NTLMSSP NTLM2 packet check failed due to invalid signature on %llu bytes of input!\n", (unsigned long long)pdu_length)); 190 return NT_STATUS_ACCESS_DENIED; 191 } 192 } else { 193 if (local_sig.length != sig->length || 194 memcmp(local_sig.data + 8, 195 sig->data + 8, sig->length - 8) != 0) { 196 DEBUG(5, ("BAD SIG NTLM1: wanted signature of %llu bytes of input:\n", (unsigned long long)length)); 197 dump_data(5, local_sig.data, local_sig.length); 198 199 DEBUG(5, ("BAD SIG: got signature of %llu bytes of input:\n", (unsigned long long)length)); 200 dump_data(5, sig->data, sig->length); 201 202 DEBUG(1, ("NTLMSSP NTLM1 packet check failed due to invalid signature on %llu bytes of input:\n", (unsigned long long)length)); 203 return NT_STATUS_ACCESS_DENIED; 204 } 205 } 206 dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length); 207 208 return NT_STATUS_OK; 209} 210 211 212/** 213 * Seal data with the NTLMSSP algorithm 214 * 215 */ 216 217NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security, 218 TALLOC_CTX *sig_mem_ctx, 219 uint8_t *data, size_t length, 220 const uint8_t *whole_pdu, size_t pdu_length, 221 DATA_BLOB *sig) 222{ 223 struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; 224 NTSTATUS nt_status; 225 if (!gensec_ntlmssp_state->session_key.length) { 226 DEBUG(3, ("NO session key, cannot seal packet\n")); 227 return NT_STATUS_NO_USER_SESSION_KEY; 228 } 229 230 DEBUG(10,("ntlmssp_seal_data: seal\n")); 231 dump_data_pw("ntlmssp clear data\n", data, length); 232 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 233 /* The order of these two operations matters - we must first seal the packet, 234 then seal the sequence number - this is becouse the send_seal_hash is not 235 constant, but is is rather updated with each iteration */ 236 nt_status = ntlmssp_make_packet_signature(gensec_ntlmssp_state, sig_mem_ctx, 237 data, length, 238 whole_pdu, pdu_length, 239 NTLMSSP_SEND, sig, false); 240 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, data, length); 241 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) { 242 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, sig->data+4, 8); 243 } 244 } else { 245 uint32_t crc; 246 crc = crc32_calc_buffer(data, length); 247 if (!msrpc_gen(sig_mem_ctx, 248 sig, "dddd", NTLMSSP_SIGN_VERSION, 0, crc, gensec_ntlmssp_state->crypt.ntlm.seq_num)) { 249 return NT_STATUS_NO_MEMORY; 250 } 251 252 /* The order of these two operations matters - we must 253 first seal the packet, then seal the sequence 254 number - this is becouse the ntlmssp_hash is not 255 constant, but is is rather updated with each 256 iteration */ 257 258 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length); 259 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, sig->data+4, sig->length-4); 260 /* increment counter on send */ 261 gensec_ntlmssp_state->crypt.ntlm.seq_num++; 262 nt_status = NT_STATUS_OK; 263 } 264 dump_data_pw("ntlmssp signature\n", sig->data, sig->length); 265 dump_data_pw("ntlmssp sealed data\n", data, length); 266 267 268 return nt_status; 269} 270 271/** 272 * Unseal data with the NTLMSSP algorithm 273 * 274 */ 275 276/* 277 wrappers for the ntlmssp_*() functions 278*/ 279NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, 280 TALLOC_CTX *sig_mem_ctx, 281 uint8_t *data, size_t length, 282 const uint8_t *whole_pdu, size_t pdu_length, 283 const DATA_BLOB *sig) 284{ 285 struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; 286 if (!gensec_ntlmssp_state->session_key.length) { 287 DEBUG(3, ("NO session key, cannot unseal packet\n")); 288 return NT_STATUS_NO_USER_SESSION_KEY; 289 } 290 291 dump_data_pw("ntlmssp sealed data\n", data, length); 292 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 293 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, data, length); 294 } else { 295 arcfour_crypt_sbox(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, data, length); 296 } 297 dump_data_pw("ntlmssp clear data\n", data, length); 298 return gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig); 299} 300 301/** 302 Initialise the state for NTLMSSP signing. 303*/ 304/* TODO: make this non-public */ 305NTSTATUS ntlmssp_sign_init(struct gensec_ntlmssp_state *gensec_ntlmssp_state) 306{ 307 TALLOC_CTX *mem_ctx = talloc_new(gensec_ntlmssp_state); 308 309 if (!mem_ctx) { 310 return NT_STATUS_NO_MEMORY; 311 } 312 313 DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n")); 314 debug_ntlmssp_flags(gensec_ntlmssp_state->neg_flags); 315 316 if (gensec_ntlmssp_state->session_key.length < 8) { 317 talloc_free(mem_ctx); 318 DEBUG(3, ("NO session key, cannot intialise signing\n")); 319 return NT_STATUS_NO_USER_SESSION_KEY; 320 } 321 322 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) 323 { 324 DATA_BLOB weak_session_key = gensec_ntlmssp_state->session_key; 325 const char *send_sign_const; 326 const char *send_seal_const; 327 const char *recv_sign_const; 328 const char *recv_seal_const; 329 330 DATA_BLOB send_seal_key; 331 DATA_BLOB recv_seal_key; 332 333 switch (gensec_ntlmssp_state->role) { 334 case NTLMSSP_CLIENT: 335 send_sign_const = CLI_SIGN; 336 send_seal_const = CLI_SEAL; 337 recv_sign_const = SRV_SIGN; 338 recv_seal_const = SRV_SEAL; 339 break; 340 case NTLMSSP_SERVER: 341 send_sign_const = SRV_SIGN; 342 send_seal_const = SRV_SEAL; 343 recv_sign_const = CLI_SIGN; 344 recv_seal_const = CLI_SEAL; 345 break; 346 default: 347 talloc_free(mem_ctx); 348 return NT_STATUS_INTERNAL_ERROR; 349 } 350 351 gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state); 352 NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); 353 gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state); 354 NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state); 355 356 /** 357 Weaken NTLMSSP keys to cope with down-level 358 clients, servers and export restrictions. 359 360 We probably should have some parameters to control 361 this, once we get NTLM2 working. 362 */ 363 364 /* Key weakening was not performed on the master key 365 * for NTLM2 (in ntlmssp_weaken_keys()), but must be 366 * done on the encryption subkeys only. That is why 367 * we don't have this code for the ntlmv1 case. 368 */ 369 370 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) { 371 372 } else if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) { 373 weak_session_key.length = 7; 374 } else { /* forty bits */ 375 weak_session_key.length = 5; 376 } 377 dump_data_pw("NTLMSSP weakend master key:\n", 378 weak_session_key.data, 379 weak_session_key.length); 380 381 /* SEND: sign key */ 382 calc_ntlmv2_key(gensec_ntlmssp_state, 383 &gensec_ntlmssp_state->crypt.ntlm2.send_sign_key, 384 gensec_ntlmssp_state->session_key, send_sign_const); 385 dump_data_pw("NTLMSSP send sign key:\n", 386 gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.data, 387 gensec_ntlmssp_state->crypt.ntlm2.send_sign_key.length); 388 389 /* SEND: seal ARCFOUR pad */ 390 calc_ntlmv2_key(mem_ctx, 391 &send_seal_key, 392 weak_session_key, send_seal_const); 393 dump_data_pw("NTLMSSP send seal key:\n", 394 send_seal_key.data, 395 send_seal_key.length); 396 arcfour_init(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state, 397 &send_seal_key); 398 dump_data_pw("NTLMSSP send sesl hash:\n", 399 gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox, 400 sizeof(gensec_ntlmssp_state->crypt.ntlm2.send_seal_arcfour_state->sbox)); 401 402 /* RECV: sign key */ 403 calc_ntlmv2_key(gensec_ntlmssp_state, 404 &gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key, 405 gensec_ntlmssp_state->session_key, recv_sign_const); 406 dump_data_pw("NTLMSSP recv sign key:\n", 407 gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 408 gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.length); 409 410 /* RECV: seal ARCFOUR pad */ 411 calc_ntlmv2_key(mem_ctx, 412 &recv_seal_key, 413 weak_session_key, recv_seal_const); 414 dump_data_pw("NTLMSSP recv seal key:\n", 415 recv_seal_key.data, 416 recv_seal_key.length); 417 arcfour_init(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state, 418 &recv_seal_key); 419 dump_data_pw("NTLMSSP receive seal hash:\n", 420 gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox, 421 sizeof(gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state->sbox)); 422 423 gensec_ntlmssp_state->crypt.ntlm2.send_seq_num = 0; 424 gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num = 0; 425 426 } else { 427 DATA_BLOB weak_session_key = ntlmssp_weakend_key(gensec_ntlmssp_state, mem_ctx); 428 DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n")); 429 430 gensec_ntlmssp_state->crypt.ntlm.arcfour_state = talloc(gensec_ntlmssp_state, struct arcfour_state); 431 NT_STATUS_HAVE_NO_MEMORY(gensec_ntlmssp_state->crypt.ntlm.arcfour_state); 432 433 arcfour_init(gensec_ntlmssp_state->crypt.ntlm.arcfour_state, 434 &weak_session_key); 435 dump_data_pw("NTLMSSP hash:\n", gensec_ntlmssp_state->crypt.ntlm.arcfour_state->sbox, 436 sizeof(gensec_ntlmssp_state->crypt.ntlm.arcfour_state->sbox)); 437 438 gensec_ntlmssp_state->crypt.ntlm.seq_num = 0; 439 } 440 441 talloc_free(mem_ctx); 442 return NT_STATUS_OK; 443} 444 445size_t gensec_ntlmssp_sig_size(struct gensec_security *gensec_security, size_t data_size) 446{ 447 return NTLMSSP_SIG_SIZE; 448} 449 450NTSTATUS gensec_ntlmssp_wrap(struct gensec_security *gensec_security, 451 TALLOC_CTX *sig_mem_ctx, 452 const DATA_BLOB *in, 453 DATA_BLOB *out) 454{ 455 DATA_BLOB sig; 456 NTSTATUS nt_status; 457 458 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { 459 460 *out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE); 461 if (!out->data) { 462 return NT_STATUS_NO_MEMORY; 463 } 464 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length); 465 466 nt_status = gensec_ntlmssp_seal_packet(gensec_security, sig_mem_ctx, 467 out->data + NTLMSSP_SIG_SIZE, 468 out->length - NTLMSSP_SIG_SIZE, 469 out->data + NTLMSSP_SIG_SIZE, 470 out->length - NTLMSSP_SIG_SIZE, 471 &sig); 472 473 if (NT_STATUS_IS_OK(nt_status)) { 474 memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE); 475 } 476 return nt_status; 477 478 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { 479 480 *out = data_blob_talloc(sig_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE); 481 if (!out->data) { 482 return NT_STATUS_NO_MEMORY; 483 } 484 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length); 485 486 nt_status = gensec_ntlmssp_sign_packet(gensec_security, sig_mem_ctx, 487 out->data + NTLMSSP_SIG_SIZE, 488 out->length - NTLMSSP_SIG_SIZE, 489 out->data + NTLMSSP_SIG_SIZE, 490 out->length - NTLMSSP_SIG_SIZE, 491 &sig); 492 493 if (NT_STATUS_IS_OK(nt_status)) { 494 memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE); 495 } 496 return nt_status; 497 498 } else { 499 *out = *in; 500 return NT_STATUS_OK; 501 } 502} 503 504 505NTSTATUS gensec_ntlmssp_unwrap(struct gensec_security *gensec_security, 506 TALLOC_CTX *sig_mem_ctx, 507 const DATA_BLOB *in, 508 DATA_BLOB *out) 509{ 510 DATA_BLOB sig; 511 512 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { 513 if (in->length < NTLMSSP_SIG_SIZE) { 514 return NT_STATUS_INVALID_PARAMETER; 515 } 516 sig.data = in->data; 517 sig.length = NTLMSSP_SIG_SIZE; 518 519 *out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE); 520 521 return gensec_ntlmssp_unseal_packet(gensec_security, sig_mem_ctx, 522 out->data, out->length, 523 out->data, out->length, 524 &sig); 525 526 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { 527 struct gensec_ntlmssp_state *gensec_ntlmssp_state = 528 (struct gensec_ntlmssp_state *)gensec_security->private_data; 529 NTSTATUS status; 530 uint32_t ntlm_seqnum; 531 struct arcfour_state ntlm_state; 532 uint32_t ntlm2_seqnum_r; 533 uint8_t ntlm2_key_r[16]; 534 struct arcfour_state ntlm2_state_r; 535 536 if (in->length < NTLMSSP_SIG_SIZE) { 537 return NT_STATUS_INVALID_PARAMETER; 538 } 539 sig.data = in->data; 540 sig.length = NTLMSSP_SIG_SIZE; 541 *out = data_blob_talloc(sig_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE); 542 543 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 544 ntlm2_seqnum_r = gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num; 545 ntlm2_state_r = *gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state; 546 memcpy(ntlm2_key_r, 547 gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 548 16); 549 } else { 550 ntlm_seqnum = gensec_ntlmssp_state->crypt.ntlm.seq_num; 551 ntlm_state = *gensec_ntlmssp_state->crypt.ntlm.arcfour_state; 552 } 553 554 status = gensec_ntlmssp_check_packet(gensec_security, sig_mem_ctx, 555 out->data, out->length, 556 out->data, out->length, 557 &sig); 558 if (!NT_STATUS_IS_OK(status)) { 559 NTSTATUS check_status = status; 560 /* 561 * The Windows LDAP libraries seems to have a bug 562 * and always use sealing even if only signing was 563 * negotiated. So we need to fallback. 564 */ 565 566 if (gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) { 567 gensec_ntlmssp_state->crypt.ntlm2.recv_seq_num = ntlm2_seqnum_r; 568 *gensec_ntlmssp_state->crypt.ntlm2.recv_seal_arcfour_state = ntlm2_state_r; 569 memcpy(gensec_ntlmssp_state->crypt.ntlm2.recv_sign_key.data, 570 ntlm2_key_r, 16); 571 } else { 572 gensec_ntlmssp_state->crypt.ntlm.seq_num = ntlm_seqnum; 573 *gensec_ntlmssp_state->crypt.ntlm.arcfour_state = ntlm_state; 574 } 575 576 status = gensec_ntlmssp_unseal_packet(gensec_security, 577 sig_mem_ctx, 578 out->data, 579 out->length, 580 out->data, 581 out->length, 582 &sig); 583 if (NT_STATUS_IS_OK(status)) { 584 gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; 585 } else { 586 status = check_status; 587 } 588 } 589 return status; 590 } else { 591 *out = *in; 592 return NT_STATUS_OK; 593 } 594} 595 596