s3:ntlmssp Use a TALLOC_CTX for ntlmssp_sign_packet() and ntlmssp_seal_packet()
[amitay/samba.git] / source3 / libsmb / ntlmssp_sign.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  Version 3.0
4  *  NTLMSSP Signing routines
5  *  Copyright (C) Andrew Bartlett 2003-2005
6  *
7  *  This program is free software; you can redistribute it and/or modify
8  *  it under the terms of the GNU General Public License as published by
9  *  the Free Software Foundation; either version 3 of the License, or
10  *  (at your option) any later version.
11  *
12  *  This program is distributed in the hope that it will be useful,
13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  *  GNU General Public License for more details.
16  *
17  *  You should have received a copy of the GNU General Public License
18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20
21 #include "includes.h"
22 #include "../libcli/auth/ntlmssp.h"
23 #include "../libcli/auth/libcli_auth.h"
24 #include "../lib/crypto/md5.h"
25 #include "../lib/crypto/arcfour.h"
26 #include "../lib/crypto/hmacmd5.h"
27 #include "../lib/crypto/crc32.h"
28
29 #define CLI_SIGN "session key to client-to-server signing key magic constant"
30 #define CLI_SEAL "session key to client-to-server sealing key magic constant"
31 #define SRV_SIGN "session key to server-to-client signing key magic constant"
32 #define SRV_SEAL "session key to server-to-client sealing key magic constant"
33
34 /**
35  * Some notes on the NTLM2 code:
36  *
37  * NTLM2 is a AEAD system.  This means that the data encrypted is not
38  * all the data that is signed.  In DCE-RPC case, the headers of the
39  * DCE-RPC packets are also signed.  This prevents some of the
40  * fun-and-games one might have by changing them.
41  *
42  */
43
44 static void dump_arc4_state(const char *description,
45                             struct arcfour_state *state)
46 {
47         dump_data_pw(description, state->sbox, sizeof(state->sbox));
48 }
49
50 static void calc_ntlmv2_key(uint8_t subkey[16],
51                             DATA_BLOB session_key,
52                             const char *constant)
53 {
54         struct MD5Context ctx3;
55         MD5Init(&ctx3);
56         MD5Update(&ctx3, session_key.data, session_key.length);
57         MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1);
58         MD5Final(subkey, &ctx3);
59 }
60
61 enum ntlmssp_direction {
62         NTLMSSP_SEND,
63         NTLMSSP_RECEIVE
64 };
65
66 struct ntlmssp_crypt_direction {
67         uint32_t seq_num;
68         uint8_t sign_key[16];
69         struct arcfour_state seal_state;
70 };
71
72 union ntlmssp_crypt_state {
73         /* NTLM */
74         struct ntlmssp_crypt_direction ntlm;
75
76         /* NTLM2 */
77         struct {
78                 struct ntlmssp_crypt_direction sending;
79                 struct ntlmssp_crypt_direction receiving;
80         } ntlm2;
81 };
82
83 static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state,
84                                               TALLOC_CTX *sig_mem_ctx,
85                                               const uint8_t *data, size_t length,
86                                               const uint8_t *whole_pdu, size_t pdu_length,
87                                               enum ntlmssp_direction direction,
88                                               DATA_BLOB *sig, bool encrypt_sig)
89 {
90         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
91                 HMACMD5Context ctx;
92                 uint8_t digest[16];
93                 uint8_t seq_num[4];
94
95                 *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
96                 if (!sig->data) {
97                         return NT_STATUS_NO_MEMORY;
98                 }
99
100                 switch (direction) {
101                 case NTLMSSP_SEND:
102                         DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
103                                 ntlmssp_state->crypt->ntlm2.sending.seq_num,
104                                 (unsigned int)length,
105                                 (unsigned int)pdu_length));
106
107                         SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num);
108                         ntlmssp_state->crypt->ntlm2.sending.seq_num++;
109                         hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.sending.sign_key, 16, &ctx);
110                         break;
111                 case NTLMSSP_RECEIVE:
112
113                         DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
114                                 ntlmssp_state->crypt->ntlm2.receiving.seq_num,
115                                 (unsigned int)length,
116                                 (unsigned int)pdu_length));
117
118                         SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num);
119                         ntlmssp_state->crypt->ntlm2.receiving.seq_num++;
120                         hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16, &ctx);
121                         break;
122                 }
123
124                 dump_data_pw("pdu data ", whole_pdu, pdu_length);
125
126                 hmac_md5_update(seq_num, sizeof(seq_num), &ctx);
127                 hmac_md5_update(whole_pdu, pdu_length, &ctx);
128                 hmac_md5_final(digest, &ctx);
129
130                 if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
131                         switch (direction) {
132                         case NTLMSSP_SEND:
133                                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
134                                                    digest, 8);
135                                 break;
136                         case NTLMSSP_RECEIVE:
137                                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
138                                                    digest, 8);
139                                 break;
140                         }
141                 }
142
143                 SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
144                 memcpy(sig->data + 4, digest, 8);
145                 memcpy(sig->data + 12, seq_num, 4);
146
147                 dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length);
148
149         } else {
150                 bool ok;
151                 uint32_t crc;
152
153                 crc = crc32_calc_buffer(data, length);
154
155                 ok = msrpc_gen(sig_mem_ctx,
156                                sig, "dddd",
157                                NTLMSSP_SIGN_VERSION, 0, crc,
158                                ntlmssp_state->crypt->ntlm.seq_num);
159                 if (!ok) {
160                         return NT_STATUS_NO_MEMORY;
161                 }
162
163                 ntlmssp_state->crypt->ntlm.seq_num++;
164
165                 dump_arc4_state("ntlmssp hash: \n",
166                                 &ntlmssp_state->crypt->ntlm.seal_state);
167                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
168                                    sig->data+4, sig->length-4);
169         }
170         return NT_STATUS_OK;
171 }
172
173 NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
174                              TALLOC_CTX *sig_mem_ctx,
175                              const uint8_t *data, size_t length,
176                              const uint8_t *whole_pdu, size_t pdu_length,
177                              DATA_BLOB *sig)
178 {
179         NTSTATUS nt_status;
180
181         if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
182                 DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
183                 return NT_STATUS_INVALID_PARAMETER;
184         }
185
186         if (!ntlmssp_state->session_key.length) {
187                 DEBUG(3, ("NO session key, cannot check sign packet\n"));
188                 return NT_STATUS_NO_USER_SESSION_KEY;
189         }
190
191         nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
192                                                   sig_mem_ctx,
193                                                   data, length,
194                                                   whole_pdu, pdu_length,
195                                                   NTLMSSP_SEND, sig, true);
196
197         return nt_status;
198 }
199
200 /**
201  * Check the signature of an incoming packet
202  * @note caller *must* check that the signature is the size it expects
203  *
204  */
205
206 NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
207                               const uint8_t *data, size_t length,
208                               const uint8_t *whole_pdu, size_t pdu_length,
209                               const DATA_BLOB *sig)
210 {
211         DATA_BLOB local_sig;
212         NTSTATUS nt_status;
213         TALLOC_CTX *tmp_ctx;
214
215         if (!ntlmssp_state->session_key.length) {
216                 DEBUG(3, ("NO session key, cannot check packet signature\n"));
217                 return NT_STATUS_NO_USER_SESSION_KEY;
218         }
219
220         if (sig->length < 8) {
221                 DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
222                           (unsigned long)sig->length));
223         }
224
225         tmp_ctx = talloc_new(ntlmssp_state);
226         if (!tmp_ctx) {
227                 return NT_STATUS_NO_MEMORY;
228         }
229
230         nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
231                                                   tmp_ctx,
232                                                   data, length,
233                                                   whole_pdu, pdu_length,
234                                                   NTLMSSP_RECEIVE,
235                                                   &local_sig, true);
236
237         if (!NT_STATUS_IS_OK(nt_status)) {
238                 DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
239                          nt_errstr(nt_status)));
240                 talloc_free(tmp_ctx);
241                 return nt_status;
242         }
243
244         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
245                 if (local_sig.length != sig->length ||
246                     memcmp(local_sig.data, sig->data, sig->length) != 0) {
247                         DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
248                         dump_data(5, local_sig.data, local_sig.length);
249
250                         DEBUG(5, ("BAD SIG: got signature of\n"));
251                         dump_data(5, sig->data, sig->length);
252
253                         DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
254                         talloc_free(tmp_ctx);
255                         return NT_STATUS_ACCESS_DENIED;
256                 }
257         } else {
258                 if (local_sig.length != sig->length ||
259                     memcmp(local_sig.data + 8, sig->data + 8, sig->length - 8) != 0) {
260                         DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
261                         dump_data(5, local_sig.data, local_sig.length);
262
263                         DEBUG(5, ("BAD SIG: got signature of\n"));
264                         dump_data(5, sig->data, sig->length);
265
266                         DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
267                         talloc_free(tmp_ctx);
268                         return NT_STATUS_ACCESS_DENIED;
269                 }
270         }
271         dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length);
272         DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
273
274         talloc_free(tmp_ctx);
275         return NT_STATUS_OK;
276 }
277
278 /**
279  * Seal data with the NTLMSSP algorithm
280  *
281  */
282
283 NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
284                              TALLOC_CTX *sig_mem_ctx,
285                              uint8_t *data, size_t length,
286                              const uint8_t *whole_pdu, size_t pdu_length,
287                              DATA_BLOB *sig)
288 {
289         if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
290                 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
291                 return NT_STATUS_INVALID_PARAMETER;
292         }
293
294         if (!ntlmssp_state->session_key.length) {
295                 DEBUG(3, ("NO session key, cannot seal packet\n"));
296                 return NT_STATUS_NO_USER_SESSION_KEY;
297         }
298
299         DEBUG(10,("ntlmssp_seal_data: seal\n"));
300         dump_data_pw("ntlmssp clear data\n", data, length);
301         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
302                 NTSTATUS nt_status;
303                 /*
304                  * The order of these two operations matters - we
305                  * must first seal the packet, then seal the
306                  * sequence number - this is because the
307                  * send_seal_hash is not constant, but is is rather
308                  * updated with each iteration
309                  */
310                 nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
311                                                           sig_mem_ctx,
312                                                           data, length,
313                                                           whole_pdu, pdu_length,
314                                                           NTLMSSP_SEND,
315                                                           sig, false);
316                 if (!NT_STATUS_IS_OK(nt_status)) {
317                         return nt_status;
318                 }
319
320                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
321                                    data, length);
322                 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
323                         arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
324                                            sig->data+4, 8);
325                 }
326         } else {
327                 bool ok;
328                 uint32_t crc;
329
330                 crc = crc32_calc_buffer(data, length);
331
332                 ok = msrpc_gen(sig_mem_ctx,
333                                sig, "dddd",
334                                NTLMSSP_SIGN_VERSION, 0, crc,
335                                ntlmssp_state->crypt->ntlm.seq_num);
336                 if (!ok) {
337                         return NT_STATUS_NO_MEMORY;
338                 }
339
340                 /*
341                  * The order of these two operations matters - we
342                  * must first seal the packet, then seal the
343                  * sequence number - this is because the ntlmv1_arc4_state
344                  * is not constant, but is is rather updated with
345                  * each iteration
346                  */
347
348                 dump_arc4_state("ntlmv1 arc4 state:\n",
349                                 &ntlmssp_state->crypt->ntlm.seal_state);
350                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
351                                    data, length);
352
353                 dump_arc4_state("ntlmv1 arc4 state:\n",
354                                 &ntlmssp_state->crypt->ntlm.seal_state);
355
356                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
357                                    sig->data+4, sig->length-4);
358
359                 ntlmssp_state->crypt->ntlm.seq_num++;
360         }
361         dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
362         dump_data_pw("ntlmssp sealed data\n", data, length);
363
364         return NT_STATUS_OK;
365 }
366
367 /**
368  * Unseal data with the NTLMSSP algorithm
369  *
370  */
371
372 NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
373                                uint8_t *data, size_t length,
374                                const uint8_t *whole_pdu, size_t pdu_length,
375                                const DATA_BLOB *sig)
376 {
377         NTSTATUS status;
378         if (!ntlmssp_state->session_key.length) {
379                 DEBUG(3, ("NO session key, cannot unseal packet\n"));
380                 return NT_STATUS_NO_USER_SESSION_KEY;
381         }
382
383         DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
384         dump_data_pw("ntlmssp sealed data\n", data, length);
385
386         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
387                 /* First unseal the data. */
388                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
389                                    data, length);
390                 dump_data_pw("ntlmv2 clear data\n", data, length);
391         } else {
392                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
393                                    data, length);
394                 dump_data_pw("ntlmv1 clear data\n", data, length);
395         }
396         status = ntlmssp_check_packet(ntlmssp_state,
397                                       data, length,
398                                       whole_pdu, pdu_length,
399                                       sig);
400
401         if (!NT_STATUS_IS_OK(status)) {
402                 DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
403                          (unsigned long long)length));
404         }
405         return status;
406 }
407
408 /**
409    Initialise the state for NTLMSSP signing.
410 */
411 NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
412 {
413         DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
414         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
415
416         if (ntlmssp_state->session_key.length < 8) {
417                 DEBUG(3, ("NO session key, cannot intialise signing\n"));
418                 return NT_STATUS_NO_USER_SESSION_KEY;
419         }
420
421         ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
422                                            union ntlmssp_crypt_state);
423         if (ntlmssp_state->crypt == NULL) {
424                 return NT_STATUS_NO_MEMORY;
425         }
426
427         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
428                 DATA_BLOB weak_session_key = ntlmssp_state->session_key;
429                 const char *send_sign_const;
430                 const char *send_seal_const;
431                 const char *recv_sign_const;
432                 const char *recv_seal_const;
433                 uint8_t send_seal_key[16];
434                 DATA_BLOB send_seal_blob = data_blob_const(send_seal_key,
435                                            sizeof(send_seal_key));
436                 uint8_t recv_seal_key[16];
437                 DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key,
438                                            sizeof(recv_seal_key));
439
440                 switch (ntlmssp_state->role) {
441                 case NTLMSSP_CLIENT:
442                         send_sign_const = CLI_SIGN;
443                         send_seal_const = CLI_SEAL;
444                         recv_sign_const = SRV_SIGN;
445                         recv_seal_const = SRV_SEAL;
446                         break;
447                 case NTLMSSP_SERVER:
448                         send_sign_const = SRV_SIGN;
449                         send_seal_const = SRV_SEAL;
450                         recv_sign_const = CLI_SIGN;
451                         recv_seal_const = CLI_SEAL;
452                         break;
453                 default:
454                         return NT_STATUS_INTERNAL_ERROR;
455                 }
456
457                 /*
458                  * Weaken NTLMSSP keys to cope with down-level
459                  * clients, servers and export restrictions.
460                  *
461                  * We probably should have some parameters to
462                  * control this, once we get NTLM2 working.
463                  *
464                  * Key weakening was not performed on the master key
465                  * for NTLM2, but must be done on the encryption subkeys only.
466                  */
467
468                 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
469                         /* nothing to do */
470                 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
471                         weak_session_key.length = 7;
472                 } else { /* forty bits */
473                         weak_session_key.length = 5;
474                 }
475
476                 dump_data_pw("NTLMSSP weakend master key:\n",
477                              weak_session_key.data,
478                              weak_session_key.length);
479
480                 /* SEND: sign key */
481                 calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key,
482                                 ntlmssp_state->session_key, send_sign_const);
483                 dump_data_pw("NTLMSSP send sign key:\n",
484                              ntlmssp_state->crypt->ntlm2.sending.sign_key, 16);
485
486                 /* SEND: seal ARCFOUR pad */
487                 calc_ntlmv2_key(send_seal_key,
488                                 weak_session_key, send_seal_const);
489                 dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16);
490
491                 arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
492                              &send_seal_blob);
493
494                 dump_arc4_state("NTLMSSP send seal arc4 state:\n",
495                                 &ntlmssp_state->crypt->ntlm2.sending.seal_state);
496
497                 /* SEND: seq num */
498                 ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
499
500                 /* RECV: sign key */
501                 calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
502                                 ntlmssp_state->session_key, recv_sign_const);
503                 dump_data_pw("NTLMSSP recv sign key:\n",
504                              ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16);
505
506                 /* RECV: seal ARCFOUR pad */
507                 calc_ntlmv2_key(recv_seal_key,
508                                 weak_session_key, recv_seal_const);
509                 dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16);
510
511                 arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
512                              &recv_seal_blob);
513
514                 dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
515                                 &ntlmssp_state->crypt->ntlm2.receiving.seal_state);
516
517                 /* RECV: seq num */
518                 ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
519         } else {
520                 uint8_t weak_session_key[8];
521                 DATA_BLOB seal_session_key = ntlmssp_state->session_key;
522                 bool do_weak = false;
523
524                 DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
525
526                 /*
527                  * Key weakening not performed on the master key for NTLM2
528                  * and does not occour for NTLM1. Therefore we only need
529                  * to do this for the LM_KEY.
530                  */
531                 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
532                         do_weak = true;
533                 }
534
535                 /*
536                  * Nothing to weaken.
537                  * We certainly don't want to 'extend' the length...
538                  */
539                 if (seal_session_key.length < 16) {
540                         /* TODO: is this really correct? */
541                         do_weak = false;
542                 }
543
544                 if (do_weak) {
545                         memcpy(weak_session_key, seal_session_key.data, 8);
546                         seal_session_key = data_blob_const(weak_session_key, 8);
547
548                         /*
549                          * LM key doesn't support 128 bit crypto, so this is
550                          * the best we can do. If you negotiate 128 bit, but
551                          * not 56, you end up with 40 bit...
552                          */
553                         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
554                                 weak_session_key[7] = 0xa0;
555                         } else { /* forty bits */
556                                 weak_session_key[5] = 0xe5;
557                                 weak_session_key[6] = 0x38;
558                                 weak_session_key[7] = 0xb0;
559                         }
560                 }
561
562                 arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state,
563                              &seal_session_key);
564
565                 dump_arc4_state("NTLMv1 arc4 state:\n",
566                                 &ntlmssp_state->crypt->ntlm.seal_state);
567
568                 ntlmssp_state->crypt->ntlm.seq_num = 0;
569         }
570
571         return NT_STATUS_OK;
572 }