Check "auth event notification" param in log_json
[nivanova/samba-autobuild/.git] / auth / ntlmssp / ntlmssp_sign.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  Version 3.0
4  *  NTLMSSP Signing routines
5  *  Copyright (C) Andrew Bartlett 2003-2005
6  *
7  *  This program is free software; you can redistribute it and/or modify
8  *  it under the terms of the GNU General Public License as published by
9  *  the Free Software Foundation; either version 3 of the License, or
10  *  (at your option) any later version.
11  *
12  *  This program is distributed in the hope that it will be useful,
13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  *  GNU General Public License for more details.
16  *
17  *  You should have received a copy of the GNU General Public License
18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20
21 #include "includes.h"
22 #include "../auth/ntlmssp/ntlmssp.h"
23 #include "../libcli/auth/libcli_auth.h"
24 #include "../lib/crypto/md5.h"
25 #include "../lib/crypto/hmacmd5.h"
26 #include "../lib/crypto/crc32.h"
27 #include "../auth/ntlmssp/ntlmssp_private.h"
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_AUTH
31
32 #define CLI_SIGN "session key to client-to-server signing key magic constant"
33 #define CLI_SEAL "session key to client-to-server sealing key magic constant"
34 #define SRV_SIGN "session key to server-to-client signing key magic constant"
35 #define SRV_SEAL "session key to server-to-client sealing key magic constant"
36
37 /**
38  * Some notes on the NTLM2 code:
39  *
40  * NTLM2 is a AEAD system.  This means that the data encrypted is not
41  * all the data that is signed.  In DCE-RPC case, the headers of the
42  * DCE-RPC packets are also signed.  This prevents some of the
43  * fun-and-games one might have by changing them.
44  *
45  */
46
47 static void dump_arc4_state(const char *description,
48                             struct arcfour_state *state)
49 {
50         dump_data_pw(description, state->sbox, sizeof(state->sbox));
51 }
52
53 static void calc_ntlmv2_key(uint8_t subkey[16],
54                             DATA_BLOB session_key,
55                             const char *constant)
56 {
57         MD5_CTX ctx3;
58         MD5Init(&ctx3);
59         MD5Update(&ctx3, session_key.data, session_key.length);
60         MD5Update(&ctx3, (const uint8_t *)constant, strlen(constant)+1);
61         MD5Final(subkey, &ctx3);
62 }
63
64 enum ntlmssp_direction {
65         NTLMSSP_SEND,
66         NTLMSSP_RECEIVE
67 };
68
69 static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_state,
70                                               TALLOC_CTX *sig_mem_ctx,
71                                               const uint8_t *data, size_t length,
72                                               const uint8_t *whole_pdu, size_t pdu_length,
73                                               enum ntlmssp_direction direction,
74                                               DATA_BLOB *sig, bool encrypt_sig)
75 {
76         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
77                 HMACMD5Context ctx;
78                 uint8_t digest[16];
79                 uint8_t seq_num[4];
80
81                 *sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
82                 if (!sig->data) {
83                         return NT_STATUS_NO_MEMORY;
84                 }
85
86                 switch (direction) {
87                 case NTLMSSP_SEND:
88                         DEBUG(100,("ntlmssp_make_packet_signature: SEND seq = %u, len = %u, pdu_len = %u\n",
89                                 ntlmssp_state->crypt->ntlm2.sending.seq_num,
90                                 (unsigned int)length,
91                                 (unsigned int)pdu_length));
92
93                         SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.sending.seq_num);
94                         ntlmssp_state->crypt->ntlm2.sending.seq_num++;
95                         hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.sending.sign_key, 16, &ctx);
96                         break;
97                 case NTLMSSP_RECEIVE:
98
99                         DEBUG(100,("ntlmssp_make_packet_signature: RECV seq = %u, len = %u, pdu_len = %u\n",
100                                 ntlmssp_state->crypt->ntlm2.receiving.seq_num,
101                                 (unsigned int)length,
102                                 (unsigned int)pdu_length));
103
104                         SIVAL(seq_num, 0, ntlmssp_state->crypt->ntlm2.receiving.seq_num);
105                         ntlmssp_state->crypt->ntlm2.receiving.seq_num++;
106                         hmac_md5_init_limK_to_64(ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16, &ctx);
107                         break;
108                 }
109
110                 dump_data_pw("pdu data ", whole_pdu, pdu_length);
111
112                 hmac_md5_update(seq_num, sizeof(seq_num), &ctx);
113                 hmac_md5_update(whole_pdu, pdu_length, &ctx);
114                 hmac_md5_final(digest, &ctx);
115
116                 if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
117                         switch (direction) {
118                         case NTLMSSP_SEND:
119                                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
120                                                    digest, 8);
121                                 break;
122                         case NTLMSSP_RECEIVE:
123                                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
124                                                    digest, 8);
125                                 break;
126                         }
127                 }
128
129                 SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
130                 memcpy(sig->data + 4, digest, 8);
131                 memcpy(sig->data + 12, seq_num, 4);
132
133                 dump_data_pw("ntlmssp v2 sig ", sig->data, sig->length);
134
135         } else {
136                 NTSTATUS status;
137                 uint32_t crc;
138
139                 crc = crc32_calc_buffer(data, length);
140
141                 status = msrpc_gen(sig_mem_ctx,
142                                sig, "dddd",
143                                NTLMSSP_SIGN_VERSION, 0, crc,
144                                ntlmssp_state->crypt->ntlm.seq_num);
145                 if (!NT_STATUS_IS_OK(status)) {
146                         return status;
147                 }
148
149                 ntlmssp_state->crypt->ntlm.seq_num++;
150
151                 dump_arc4_state("ntlmssp hash: \n",
152                                 &ntlmssp_state->crypt->ntlm.seal_state);
153                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
154                                    sig->data+4, sig->length-4);
155         }
156         return NT_STATUS_OK;
157 }
158
159 NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
160                              TALLOC_CTX *sig_mem_ctx,
161                              const uint8_t *data, size_t length,
162                              const uint8_t *whole_pdu, size_t pdu_length,
163                              DATA_BLOB *sig)
164 {
165         NTSTATUS nt_status;
166
167         if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
168                 DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
169                 return NT_STATUS_INVALID_PARAMETER;
170         }
171
172         if (!ntlmssp_state->session_key.length) {
173                 DEBUG(3, ("NO session key, cannot check sign packet\n"));
174                 return NT_STATUS_NO_USER_SESSION_KEY;
175         }
176
177         nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
178                                                   sig_mem_ctx,
179                                                   data, length,
180                                                   whole_pdu, pdu_length,
181                                                   NTLMSSP_SEND, sig, true);
182
183         return nt_status;
184 }
185
186 /**
187  * Check the signature of an incoming packet
188  * @note caller *must* check that the signature is the size it expects
189  *
190  */
191
192 NTSTATUS ntlmssp_check_packet(struct ntlmssp_state *ntlmssp_state,
193                               const uint8_t *data, size_t length,
194                               const uint8_t *whole_pdu, size_t pdu_length,
195                               const DATA_BLOB *sig)
196 {
197         DATA_BLOB local_sig;
198         NTSTATUS nt_status;
199         TALLOC_CTX *tmp_ctx;
200
201         if (!ntlmssp_state->session_key.length) {
202                 DEBUG(3, ("NO session key, cannot check packet signature\n"));
203                 return NT_STATUS_NO_USER_SESSION_KEY;
204         }
205
206         if (sig->length < 8) {
207                 DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
208                           (unsigned long)sig->length));
209         }
210
211         tmp_ctx = talloc_new(ntlmssp_state);
212         if (!tmp_ctx) {
213                 return NT_STATUS_NO_MEMORY;
214         }
215
216         nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
217                                                   tmp_ctx,
218                                                   data, length,
219                                                   whole_pdu, pdu_length,
220                                                   NTLMSSP_RECEIVE,
221                                                   &local_sig, true);
222
223         if (!NT_STATUS_IS_OK(nt_status)) {
224                 DEBUG(0,("NTLMSSP packet sig creation failed with %s\n",
225                          nt_errstr(nt_status)));
226                 talloc_free(tmp_ctx);
227                 return nt_status;
228         }
229
230         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
231                 if (local_sig.length != sig->length ||
232                     memcmp(local_sig.data, sig->data, sig->length) != 0) {
233                         DEBUG(5, ("BAD SIG NTLM2: wanted signature of\n"));
234                         dump_data(5, local_sig.data, local_sig.length);
235
236                         DEBUG(5, ("BAD SIG: got signature of\n"));
237                         dump_data(5, sig->data, sig->length);
238
239                         DEBUG(0, ("NTLMSSP NTLM2 packet check failed due to invalid signature!\n"));
240                         talloc_free(tmp_ctx);
241                         return NT_STATUS_ACCESS_DENIED;
242                 }
243         } else {
244                 if (local_sig.length != sig->length ||
245                     memcmp(local_sig.data + 8, sig->data + 8, sig->length - 8) != 0) {
246                         DEBUG(5, ("BAD SIG NTLM1: wanted signature of\n"));
247                         dump_data(5, local_sig.data, local_sig.length);
248
249                         DEBUG(5, ("BAD SIG: got signature of\n"));
250                         dump_data(5, sig->data, sig->length);
251
252                         DEBUG(0, ("NTLMSSP NTLM1 packet check failed due to invalid signature!\n"));
253                         talloc_free(tmp_ctx);
254                         return NT_STATUS_ACCESS_DENIED;
255                 }
256         }
257         dump_data_pw("checked ntlmssp signature\n", sig->data, sig->length);
258         DEBUG(10,("ntlmssp_check_packet: NTLMSSP signature OK !\n"));
259
260         talloc_free(tmp_ctx);
261         return NT_STATUS_OK;
262 }
263
264 /**
265  * Seal data with the NTLMSSP algorithm
266  *
267  */
268
269 NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
270                              TALLOC_CTX *sig_mem_ctx,
271                              uint8_t *data, size_t length,
272                              const uint8_t *whole_pdu, size_t pdu_length,
273                              DATA_BLOB *sig)
274 {
275         if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
276                 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
277                 return NT_STATUS_INVALID_PARAMETER;
278         }
279
280         if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
281                 DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
282                 return NT_STATUS_INVALID_PARAMETER;
283         }
284
285         if (!ntlmssp_state->session_key.length) {
286                 DEBUG(3, ("NO session key, cannot seal packet\n"));
287                 return NT_STATUS_NO_USER_SESSION_KEY;
288         }
289
290         DEBUG(10,("ntlmssp_seal_data: seal\n"));
291         dump_data_pw("ntlmssp clear data\n", data, length);
292         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
293                 NTSTATUS nt_status;
294                 /*
295                  * The order of these two operations matters - we
296                  * must first seal the packet, then seal the
297                  * sequence number - this is because the
298                  * send_seal_hash is not constant, but is is rather
299                  * updated with each iteration
300                  */
301                 nt_status = ntlmssp_make_packet_signature(ntlmssp_state,
302                                                           sig_mem_ctx,
303                                                           data, length,
304                                                           whole_pdu, pdu_length,
305                                                           NTLMSSP_SEND,
306                                                           sig, false);
307                 if (!NT_STATUS_IS_OK(nt_status)) {
308                         return nt_status;
309                 }
310
311                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
312                                    data, length);
313                 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
314                         arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
315                                            sig->data+4, 8);
316                 }
317         } else {
318                 NTSTATUS status;
319                 uint32_t crc;
320
321                 crc = crc32_calc_buffer(data, length);
322
323                 status = msrpc_gen(sig_mem_ctx,
324                                sig, "dddd",
325                                NTLMSSP_SIGN_VERSION, 0, crc,
326                                ntlmssp_state->crypt->ntlm.seq_num);
327                 if (!NT_STATUS_IS_OK(status)) {
328                         return status;
329                 }
330
331                 /*
332                  * The order of these two operations matters - we
333                  * must first seal the packet, then seal the
334                  * sequence number - this is because the ntlmv1_arc4_state
335                  * is not constant, but is is rather updated with
336                  * each iteration
337                  */
338
339                 dump_arc4_state("ntlmv1 arc4 state:\n",
340                                 &ntlmssp_state->crypt->ntlm.seal_state);
341                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
342                                    data, length);
343
344                 dump_arc4_state("ntlmv1 arc4 state:\n",
345                                 &ntlmssp_state->crypt->ntlm.seal_state);
346
347                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
348                                    sig->data+4, sig->length-4);
349
350                 ntlmssp_state->crypt->ntlm.seq_num++;
351         }
352         dump_data_pw("ntlmssp signature\n", sig->data, sig->length);
353         dump_data_pw("ntlmssp sealed data\n", data, length);
354
355         return NT_STATUS_OK;
356 }
357
358 /**
359  * Unseal data with the NTLMSSP algorithm
360  *
361  */
362
363 NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
364                                uint8_t *data, size_t length,
365                                const uint8_t *whole_pdu, size_t pdu_length,
366                                const DATA_BLOB *sig)
367 {
368         NTSTATUS status;
369         if (!ntlmssp_state->session_key.length) {
370                 DEBUG(3, ("NO session key, cannot unseal packet\n"));
371                 return NT_STATUS_NO_USER_SESSION_KEY;
372         }
373
374         DEBUG(10,("ntlmssp_unseal_packet: seal\n"));
375         dump_data_pw("ntlmssp sealed data\n", data, length);
376
377         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
378                 /* First unseal the data. */
379                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
380                                    data, length);
381                 dump_data_pw("ntlmv2 clear data\n", data, length);
382         } else {
383                 arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
384                                    data, length);
385                 dump_data_pw("ntlmv1 clear data\n", data, length);
386         }
387         status = ntlmssp_check_packet(ntlmssp_state,
388                                       data, length,
389                                       whole_pdu, pdu_length,
390                                       sig);
391
392         if (!NT_STATUS_IS_OK(status)) {
393                 DEBUG(1,("NTLMSSP packet check for unseal failed due to invalid signature on %llu bytes of input:\n",
394                          (unsigned long long)length));
395         }
396         return status;
397 }
398
399 NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
400                       TALLOC_CTX *out_mem_ctx,
401                       const DATA_BLOB *in,
402                       DATA_BLOB *out)
403 {
404         NTSTATUS nt_status;
405         DATA_BLOB sig;
406
407         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
408                 if (in->length + NTLMSSP_SIG_SIZE < in->length) {
409                         return NT_STATUS_INVALID_PARAMETER;
410                 }
411
412                 *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
413                 if (!out->data) {
414                         return NT_STATUS_NO_MEMORY;
415                 }
416                 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
417
418                 nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx,
419                                                 out->data + NTLMSSP_SIG_SIZE,
420                                                 out->length - NTLMSSP_SIG_SIZE,
421                                                 out->data + NTLMSSP_SIG_SIZE,
422                                                 out->length - NTLMSSP_SIG_SIZE,
423                                                 &sig);
424
425                 if (NT_STATUS_IS_OK(nt_status)) {
426                         memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
427                         talloc_free(sig.data);
428                 }
429                 return nt_status;
430
431         } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
432                 if (in->length + NTLMSSP_SIG_SIZE < in->length) {
433                         return NT_STATUS_INVALID_PARAMETER;
434                 }
435
436                 *out = data_blob_talloc(out_mem_ctx, NULL, in->length + NTLMSSP_SIG_SIZE);
437                 if (!out->data) {
438                         return NT_STATUS_NO_MEMORY;
439                 }
440                 memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
441
442                 nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx,
443                                                 out->data + NTLMSSP_SIG_SIZE,
444                                                 out->length - NTLMSSP_SIG_SIZE,
445                                                 out->data + NTLMSSP_SIG_SIZE,
446                                                 out->length - NTLMSSP_SIG_SIZE,
447                                                 &sig);
448
449                 if (NT_STATUS_IS_OK(nt_status)) {
450                         memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
451                         talloc_free(sig.data);
452                 }
453                 return nt_status;
454         } else {
455                 *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
456                 if (!out->data) {
457                         return NT_STATUS_NO_MEMORY;
458                 }
459                 return NT_STATUS_OK;
460         }
461 }
462
463 NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
464                         TALLOC_CTX *out_mem_ctx,
465                         const DATA_BLOB *in,
466                         DATA_BLOB *out)
467 {
468         DATA_BLOB sig;
469
470         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
471                 if (in->length < NTLMSSP_SIG_SIZE) {
472                         return NT_STATUS_INVALID_PARAMETER;
473                 }
474                 sig.data = in->data;
475                 sig.length = NTLMSSP_SIG_SIZE;
476
477                 *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
478
479                 return ntlmssp_unseal_packet(ntlmssp_state,
480                                              out->data, out->length,
481                                              out->data, out->length,
482                                              &sig);
483
484         } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
485                 if (in->length < NTLMSSP_SIG_SIZE) {
486                         return NT_STATUS_INVALID_PARAMETER;
487                 }
488                 sig.data = in->data;
489                 sig.length = NTLMSSP_SIG_SIZE;
490
491                 *out = data_blob_talloc(out_mem_ctx, in->data + NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
492
493                 return ntlmssp_check_packet(ntlmssp_state,
494                                             out->data, out->length,
495                                             out->data, out->length,
496                                             &sig);
497         } else {
498                 *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
499                 if (!out->data) {
500                         return NT_STATUS_NO_MEMORY;
501                 }
502                 return NT_STATUS_OK;
503         }
504 }
505
506 /**
507    Initialise the state for NTLMSSP signing.
508 */
509 NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
510                             bool reset_seqnums)
511 {
512         DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
513         debug_ntlmssp_flags(ntlmssp_state->neg_flags);
514
515         if (ntlmssp_state->crypt == NULL) {
516                 return NT_STATUS_INVALID_PARAMETER_MIX;
517         }
518
519         if (ntlmssp_state->force_wrap_seal &&
520             (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN))
521         {
522                 /*
523                  * We need to handle NTLMSSP_NEGOTIATE_SIGN as
524                  * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
525                  * is requested.
526                  *
527                  * The negotiation of flags (and authentication)
528                  * is completed when ntlmssp_sign_init() is called
529                  * so we can safely pretent NTLMSSP_NEGOTIATE_SEAL
530                  * was negotiated.
531                  */
532                 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
533         }
534
535         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
536                 DATA_BLOB weak_session_key = ntlmssp_state->session_key;
537                 const char *send_sign_const;
538                 const char *send_seal_const;
539                 const char *recv_sign_const;
540                 const char *recv_seal_const;
541                 uint8_t send_seal_key[16];
542                 DATA_BLOB send_seal_blob = data_blob_const(send_seal_key,
543                                            sizeof(send_seal_key));
544                 uint8_t recv_seal_key[16];
545                 DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key,
546                                            sizeof(recv_seal_key));
547
548                 switch (ntlmssp_state->role) {
549                 case NTLMSSP_CLIENT:
550                         send_sign_const = CLI_SIGN;
551                         send_seal_const = CLI_SEAL;
552                         recv_sign_const = SRV_SIGN;
553                         recv_seal_const = SRV_SEAL;
554                         break;
555                 case NTLMSSP_SERVER:
556                         send_sign_const = SRV_SIGN;
557                         send_seal_const = SRV_SEAL;
558                         recv_sign_const = CLI_SIGN;
559                         recv_seal_const = CLI_SEAL;
560                         break;
561                 default:
562                         return NT_STATUS_INTERNAL_ERROR;
563                 }
564
565                 /*
566                  * Weaken NTLMSSP keys to cope with down-level
567                  * clients, servers and export restrictions.
568                  *
569                  * We probably should have some parameters to
570                  * control this, once we get NTLM2 working.
571                  *
572                  * Key weakening was not performed on the master key
573                  * for NTLM2, but must be done on the encryption subkeys only.
574                  */
575
576                 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_128) {
577                         /* nothing to do */
578                 } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
579                         weak_session_key.length = 7;
580                 } else { /* forty bits */
581                         weak_session_key.length = 5;
582                 }
583
584                 dump_data_pw("NTLMSSP weakend master key:\n",
585                              weak_session_key.data,
586                              weak_session_key.length);
587
588                 /* SEND: sign key */
589                 calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.sending.sign_key,
590                                 ntlmssp_state->session_key, send_sign_const);
591                 dump_data_pw("NTLMSSP send sign key:\n",
592                              ntlmssp_state->crypt->ntlm2.sending.sign_key, 16);
593
594                 /* SEND: seal ARCFOUR pad */
595                 calc_ntlmv2_key(send_seal_key,
596                                 weak_session_key, send_seal_const);
597                 dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16);
598
599                 arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
600                              &send_seal_blob);
601
602                 dump_arc4_state("NTLMSSP send seal arc4 state:\n",
603                                 &ntlmssp_state->crypt->ntlm2.sending.seal_state);
604
605                 /* SEND: seq num */
606                 if (reset_seqnums) {
607                         ntlmssp_state->crypt->ntlm2.sending.seq_num = 0;
608                 }
609
610                 /* RECV: sign key */
611                 calc_ntlmv2_key(ntlmssp_state->crypt->ntlm2.receiving.sign_key,
612                                 ntlmssp_state->session_key, recv_sign_const);
613                 dump_data_pw("NTLMSSP recv sign key:\n",
614                              ntlmssp_state->crypt->ntlm2.receiving.sign_key, 16);
615
616                 /* RECV: seal ARCFOUR pad */
617                 calc_ntlmv2_key(recv_seal_key,
618                                 weak_session_key, recv_seal_const);
619                 dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16);
620
621                 arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
622                              &recv_seal_blob);
623
624                 dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
625                                 &ntlmssp_state->crypt->ntlm2.receiving.seal_state);
626
627                 /* RECV: seq num */
628                 if (reset_seqnums) {
629                         ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
630                 }
631         } else {
632                 uint8_t weak_session_key[8];
633                 DATA_BLOB seal_session_key = ntlmssp_state->session_key;
634                 bool do_weak = false;
635
636                 DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
637
638                 /*
639                  * Key weakening not performed on the master key for NTLM2
640                  * and does not occour for NTLM1. Therefore we only need
641                  * to do this for the LM_KEY.
642                  */
643                 if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) {
644                         do_weak = true;
645                 }
646
647                 /*
648                  * Nothing to weaken.
649                  * We certainly don't want to 'extend' the length...
650                  */
651                 if (seal_session_key.length < 16) {
652                         /* TODO: is this really correct? */
653                         do_weak = false;
654                 }
655
656                 if (do_weak) {
657                         memcpy(weak_session_key, seal_session_key.data, 8);
658                         seal_session_key = data_blob_const(weak_session_key, 8);
659
660                         /*
661                          * LM key doesn't support 128 bit crypto, so this is
662                          * the best we can do. If you negotiate 128 bit, but
663                          * not 56, you end up with 40 bit...
664                          */
665                         if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_56) {
666                                 weak_session_key[7] = 0xa0;
667                         } else { /* forty bits */
668                                 weak_session_key[5] = 0xe5;
669                                 weak_session_key[6] = 0x38;
670                                 weak_session_key[7] = 0xb0;
671                         }
672                 }
673
674                 arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state,
675                              &seal_session_key);
676
677                 dump_arc4_state("NTLMv1 arc4 state:\n",
678                                 &ntlmssp_state->crypt->ntlm.seal_state);
679
680                 if (reset_seqnums) {
681                         ntlmssp_state->crypt->ntlm.seq_num = 0;
682                 }
683         }
684
685         return NT_STATUS_OK;
686 }
687
688 NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
689 {
690         if (ntlmssp_state->session_key.length < 8) {
691                 DEBUG(3, ("NO session key, cannot initialise signing\n"));
692                 return NT_STATUS_NO_USER_SESSION_KEY;
693         }
694
695         ntlmssp_state->crypt = talloc_zero(ntlmssp_state,
696                                            union ntlmssp_crypt_state);
697         if (ntlmssp_state->crypt == NULL) {
698                 return NT_STATUS_NO_MEMORY;
699         }
700
701         return ntlmssp_sign_reset(ntlmssp_state, true);
702 }