From 73f0d5f5a62edbcfeb8f79fffa422416b83edf3e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 6 Dec 2018 18:11:14 +0100
Subject: [PATCH 030/187] auth:ntlmssp: Use GnuTLS RC4 for ntlmssp signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7bd502dcdb44c7d0f8a56b2ba489ae8cf2b886bd)
---
auth/ntlmssp/ntlmssp_private.h | 5 +-
auth/ntlmssp/ntlmssp_sign.c | 212 ++++++++++++++++++++++++++-------
2 files changed, 174 insertions(+), 43 deletions(-)
diff --git a/auth/ntlmssp/ntlmssp_private.h b/auth/ntlmssp/ntlmssp_private.h
index 95ec6374f51..4d84e3347b6 100644
--- a/auth/ntlmssp/ntlmssp_private.h
+++ b/auth/ntlmssp/ntlmssp_private.h
@@ -20,14 +20,15 @@
/* For structures internal to the NTLMSSP implementation that should not be exposed */
-#include "../lib/crypto/arcfour.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
struct auth_session_info;
struct ntlmssp_crypt_direction {
uint32_t seq_num;
uint8_t sign_key[16];
- struct arcfour_state seal_state;
+ gnutls_cipher_hd_t seal_state;
};
union ntlmssp_crypt_state {
diff --git a/auth/ntlmssp/ntlmssp_sign.c b/auth/ntlmssp/ntlmssp_sign.c
index 8ba2e246b34..89f1aa04f7a 100644
--- a/auth/ntlmssp/ntlmssp_sign.c
+++ b/auth/ntlmssp/ntlmssp_sign.c
@@ -47,9 +47,9 @@
*/
static void dump_arc4_state(const char *description,
- struct arcfour_state *state)
+ gnutls_cipher_hd_t *state)
{
- dump_data_pw(description, state->sbox, sizeof(state->sbox));
+ DBG_DEBUG("%s\n", description);
}
static NTSTATUS calc_ntlmv2_key(uint8_t subkey[16],
@@ -90,13 +90,13 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
enum ntlmssp_direction direction,
DATA_BLOB *sig, bool encrypt_sig)
{
- NTSTATUS status;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ int rc;
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
gnutls_hmac_hd_t hmac_hnd = NULL;
uint8_t digest[16];
uint8_t seq_num[4];
- int rc;
*sig = data_blob_talloc(sig_mem_ctx, NULL, NTLMSSP_SIG_SIZE);
if (!sig->data) {
@@ -158,14 +158,24 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
if (encrypt_sig && (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
switch (direction) {
case NTLMSSP_SEND:
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- digest, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ digest,
+ 8);
break;
case NTLMSSP_RECEIVE:
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- digest, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ digest,
+ 8);
break;
}
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLMv2 EXCH "
+ "%s packet signature failed: %s\n",
+ direction == NTLMSSP_SEND ?
+ "send" : "receive",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
SIVAL(sig->data, 0, NTLMSSP_SIGN_VERSION);
@@ -194,8 +204,15 @@ static NTSTATUS ntlmssp_make_packet_signature(struct ntlmssp_state *ntlmssp_stat
dump_arc4_state("ntlmssp hash: \n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt for NTLM packet "
+ "signature failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
return NT_STATUS_OK;
@@ -317,6 +334,8 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ int rc;
+
if (!(ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -353,11 +372,25 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
return nt_status;
}
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- data, length);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing the data "
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- sig->data+4, 8);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ sig->data + 4,
+ 8);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv2 sealing "
+ "the EXCH signature data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
}
} else {
NTSTATUS status;
@@ -381,17 +414,30 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
* is not constant, but is is rather updated with
* each iteration
*/
-
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing data"
+ "failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("ntlmv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- sig->data+4, sig->length-4);
+ rc = gnutls_cipher_encrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ sig->data + 4,
+ sig->length - 4);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_encrypt ntlmv1 sealing signing "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
ntlmssp_state->crypt->ntlm.seq_num++;
}
@@ -412,6 +458,8 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB *sig)
{
NTSTATUS status;
+ int rc;
+
if (!ntlmssp_state->session_key.length) {
DEBUG(3, ("NO session key, cannot unseal packet\n"));
return NT_STATUS_NO_USER_SESSION_KEY;
@@ -422,14 +470,29 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state *ntlmssp_state,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
/* First unseal the data. */
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- data, length);
+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv2 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv2 clear data\n", data, length);
} else {
- arcfour_crypt_sbox(&ntlmssp_state->crypt->ntlm.seal_state,
- data, length);
+ rc = gnutls_cipher_decrypt(ntlmssp_state->crypt->ntlm.seal_state,
+ data,
+ length);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_decrypt ntlmv1 unsealing the "
+ "data failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_data_pw("ntlmv1 clear data\n", data, length);
}
+
status = ntlmssp_check_packet(ntlmssp_state,
data, length,
whole_pdu, pdu_length,
@@ -555,6 +618,8 @@ NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
bool reset_seqnums)
{
+ int rc;
+
DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
@@ -584,12 +649,16 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
const char *send_seal_const;
const char *recv_sign_const;
const char *recv_seal_const;
- uint8_t send_seal_key[16];
- DATA_BLOB send_seal_blob = data_blob_const(send_seal_key,
- sizeof(send_seal_key));
- uint8_t recv_seal_key[16];
- DATA_BLOB recv_seal_blob = data_blob_const(recv_seal_key,
- sizeof(recv_seal_key));
+ uint8_t send_seal_key[16] = {0};
+ gnutls_datum_t send_seal_blob = {
+ .data = send_seal_key,
+ .size = sizeof(send_seal_key),
+ };
+ uint8_t recv_seal_key[16] = {0};
+ gnutls_datum_t recv_seal_blob = {
+ .data = recv_seal_key,
+ .size = sizeof(recv_seal_key),
+ };
NTSTATUS status;
switch (ntlmssp_state->role) {
@@ -648,10 +717,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP send seal key:\n", send_seal_key, 16);
+ dump_data_pw("NTLMSSP send seal key:\n",
+ send_seal_key,
+ sizeof(send_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
- &send_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.sending.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.sending.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &send_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP send seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.sending.seal_state);
@@ -677,10 +758,22 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- dump_data_pw("NTLMSSP recv seal key:\n", recv_seal_key, 16);
+ dump_data_pw("NTLMSSP recv seal key:\n",
+ recv_seal_key,
+ sizeof(recv_seal_key));
- arcfour_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
- &recv_seal_blob);
+ if (ntlmssp_state->crypt->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm2.receiving.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm2.receiving.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &recv_seal_blob,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMSSP recv seal arc4 state:\n",
&ntlmssp_state->crypt->ntlm2.receiving.seal_state);
@@ -690,8 +783,10 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->crypt->ntlm2.receiving.seq_num = 0;
}
} else {
- uint8_t weak_session_key[8];
- DATA_BLOB seal_session_key = ntlmssp_state->session_key;
+ gnutls_datum_t seal_session_key = {
+ .data = ntlmssp_state->session_key.data,
+ .size = ntlmssp_state->session_key.length,
+ };
bool do_weak = false;
DEBUG(5, ("NTLMSSP Sign/Seal - using NTLM1\n"));
@@ -709,14 +804,19 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
* Nothing to weaken.
* We certainly don't want to 'extend' the length...
*/
- if (seal_session_key.length < 16) {
+ if (ntlmssp_state->session_key.length < 16) {
/* TODO: is this really correct? */
do_weak = false;
}
if (do_weak) {
+ uint8_t weak_session_key[8];
+
memcpy(weak_session_key, seal_session_key.data, 8);
- seal_session_key = data_blob_const(weak_session_key, 8);
+ seal_session_key = (gnutls_datum_t) {
+ .data = weak_session_key,
+ .size = sizeof(weak_session_key),
+ };
/*
* LM key doesn't support 128 bit crypto, so this is
@@ -732,8 +832,18 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
}
}
- arcfour_init(&ntlmssp_state->crypt->ntlm.seal_state,
- &seal_session_key);
+ if (ntlmssp_state->crypt->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(ntlmssp_state->crypt->ntlm.seal_state);
+ }
+ rc = gnutls_cipher_init(&ntlmssp_state->crypt->ntlm.seal_state,
+ GNUTLS_CIPHER_ARCFOUR_128,
+ &seal_session_key,
+ NULL);
+ if (rc < 0) {
+ DBG_ERR("gnutls_cipher_init failed: %s\n",
+ gnutls_strerror(rc));
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_NTLM_BLOCKED);
+ }
dump_arc4_state("NTLMv1 arc4 state:\n",
&ntlmssp_state->crypt->ntlm.seal_state);
@@ -746,6 +856,24 @@ NTSTATUS ntlmssp_sign_reset(struct ntlmssp_state *ntlmssp_state,
return NT_STATUS_OK;
}
+static int ntlmssp_crypt_free_gnutls_cipher_state(union ntlmssp_crypt_state *c)
+{
+ if (c->ntlm2.sending.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.sending.seal_state);
+ c->ntlm2.sending.seal_state = NULL;
+ }
+ if (c->ntlm2.receiving.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm2.receiving.seal_state);
+ c->ntlm2.receiving.seal_state = NULL;
+ }
+ if (c->ntlm.seal_state != NULL) {
+ gnutls_cipher_deinit(c->ntlm.seal_state);
+ c->ntlm.seal_state = NULL;
+ }
+
+ return 0;
+}
+
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
{
if (ntlmssp_state->session_key.length < 8) {
@@ -758,6 +886,8 @@ NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state)
if (ntlmssp_state->crypt == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ talloc_set_destructor(ntlmssp_state->crypt,
+ ntlmssp_crypt_free_gnutls_cipher_state);
return ntlmssp_sign_reset(ntlmssp_state, true);
}
--
2.23.0