mirror of
https://github.com/samba-team/samba.git
synced 2025-01-12 09:18:10 +03:00
Make it clear that we cannot sign if we don't have a session key.
(This used to be commit a2f6dec05b
)
This commit is contained in:
parent
e8984d6b9a
commit
d4954eff57
@ -53,7 +53,7 @@ static void NTLMSSPcalc_ap( unsigned char *hash, unsigned char *data, int len)
|
||||
hash[257] = index_j;
|
||||
}
|
||||
|
||||
static void calc_hash(unsigned char *hash, const char *k2, int k2l)
|
||||
static void calc_hash(unsigned char hash[258], const char *k2, int k2l)
|
||||
{
|
||||
unsigned char j = 0;
|
||||
int ind;
|
||||
@ -78,7 +78,7 @@ static void calc_hash(unsigned char *hash, const char *k2, int k2l)
|
||||
hash[257] = 0;
|
||||
}
|
||||
|
||||
static void calc_ntlmv2_hash(unsigned char hash[16], char digest[16],
|
||||
static void calc_ntlmv2_hash(unsigned char hash[258], unsigned char digest[16],
|
||||
DATA_BLOB session_key,
|
||||
const char *constant)
|
||||
{
|
||||
@ -91,8 +91,8 @@ static void calc_ntlmv2_hash(unsigned char hash[16], char digest[16],
|
||||
|
||||
MD5Init(&ctx3);
|
||||
MD5Update(&ctx3, session_key.data, session_key.length);
|
||||
MD5Update(&ctx3, (const unsigned char *)constant, strlen(constant));
|
||||
MD5Final((unsigned char *)digest, &ctx3);
|
||||
MD5Update(&ctx3, (const unsigned char *)constant, strlen(constant)+1);
|
||||
MD5Final(digest, &ctx3);
|
||||
|
||||
calc_hash(hash, digest, 16);
|
||||
}
|
||||
@ -109,12 +109,12 @@ static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_STATE *ntlmssp_state,
|
||||
{
|
||||
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
|
||||
HMACMD5Context ctx;
|
||||
char seq_num[4];
|
||||
uchar seq_num[4];
|
||||
uchar digest[16];
|
||||
SIVAL(seq_num, 0, ntlmssp_state->ntlmssp_seq_num);
|
||||
|
||||
hmac_md5_init_limK_to_64((const unsigned char *)(ntlmssp_state->send_sign_const), 16, &ctx);
|
||||
hmac_md5_update((const unsigned char *)seq_num, 4, &ctx);
|
||||
hmac_md5_update(seq_num, 4, &ctx);
|
||||
hmac_md5_update(data, length, &ctx);
|
||||
hmac_md5_final(digest, &ctx);
|
||||
|
||||
@ -122,13 +122,16 @@ static NTSTATUS ntlmssp_make_packet_signature(NTLMSSP_STATE *ntlmssp_state,
|
||||
, ntlmssp_state->ntlmssp_seq_num)) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
switch (direction) {
|
||||
case NTLMSSP_SEND:
|
||||
NTLMSSPcalc_ap(ntlmssp_state->send_sign_hash, sig->data+4, sig->length-4);
|
||||
break;
|
||||
case NTLMSSP_RECEIVE:
|
||||
NTLMSSPcalc_ap(ntlmssp_state->recv_sign_hash, sig->data+4, sig->length-4);
|
||||
break;
|
||||
|
||||
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
|
||||
switch (direction) {
|
||||
case NTLMSSP_SEND:
|
||||
NTLMSSPcalc_ap(ntlmssp_state->send_sign_hash, sig->data+4, sig->length-4);
|
||||
break;
|
||||
case NTLMSSP_RECEIVE:
|
||||
NTLMSSPcalc_ap(ntlmssp_state->recv_sign_hash, sig->data+4, sig->length-4);
|
||||
break;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
uint32 crc;
|
||||
@ -148,7 +151,13 @@ NTSTATUS ntlmssp_sign_packet(NTLMSSP_STATE *ntlmssp_state,
|
||||
const uchar *data, size_t length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
NTSTATUS nt_status = ntlmssp_make_packet_signature(ntlmssp_state, data, length, NTLMSSP_SEND, sig);
|
||||
NTSTATUS nt_status;
|
||||
if (!ntlmssp_state->session_key.length) {
|
||||
DEBUG(3, ("NO session key, cannot check sign packet\n"));
|
||||
return NT_STATUS_NO_USER_SESSION_KEY;
|
||||
}
|
||||
|
||||
nt_status = ntlmssp_make_packet_signature(ntlmssp_state, data, length, NTLMSSP_SEND, sig);
|
||||
|
||||
/* increment counter on send */
|
||||
ntlmssp_state->ntlmssp_seq_num++;
|
||||
@ -168,6 +177,11 @@ NTSTATUS ntlmssp_check_packet(NTLMSSP_STATE *ntlmssp_state,
|
||||
DATA_BLOB local_sig;
|
||||
NTSTATUS nt_status;
|
||||
|
||||
if (!ntlmssp_state->session_key.length) {
|
||||
DEBUG(3, ("NO session key, cannot check packet signature\n"));
|
||||
return NT_STATUS_NO_USER_SESSION_KEY;
|
||||
}
|
||||
|
||||
if (sig->length < 8) {
|
||||
DEBUG(0, ("NTLMSSP packet check failed due to short signature (%lu bytes)!\n",
|
||||
(unsigned long)sig->length));
|
||||
@ -208,6 +222,11 @@ NTSTATUS ntlmssp_seal_packet(NTLMSSP_STATE *ntlmssp_state,
|
||||
uchar *data, size_t length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
if (!ntlmssp_state->session_key.length) {
|
||||
DEBUG(3, ("NO session key, cannot seal packet\n"));
|
||||
return NT_STATUS_NO_USER_SESSION_KEY;
|
||||
}
|
||||
|
||||
DEBUG(10,("ntlmssp_seal_data: seal\n"));
|
||||
dump_data_pw("ntlmssp clear data\n", data, length);
|
||||
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
|
||||
@ -270,6 +289,11 @@ NTSTATUS ntlmssp_unseal_packet(NTLMSSP_STATE *ntlmssp_state,
|
||||
uchar *data, size_t length,
|
||||
DATA_BLOB *sig)
|
||||
{
|
||||
if (!ntlmssp_state->session_key.length) {
|
||||
DEBUG(3, ("NO session key, cannot unseal packet\n"));
|
||||
return NT_STATUS_NO_USER_SESSION_KEY;
|
||||
}
|
||||
|
||||
DEBUG(10,("ntlmssp__unseal_data: seal\n"));
|
||||
dump_data_pw("ntlmssp sealed data\n", data, length);
|
||||
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
|
||||
@ -295,6 +319,11 @@ NTSTATUS ntlmssp_sign_init(NTLMSSP_STATE *ntlmssp_state)
|
||||
DEBUG(3, ("NTLMSSP Sign/Seal - Initialising with flags:\n"));
|
||||
debug_ntlmssp_flags(ntlmssp_state->neg_flags);
|
||||
|
||||
if (!ntlmssp_state->session_key.length) {
|
||||
DEBUG(3, ("NO session key, cannot intialise signing\n"));
|
||||
return NT_STATUS_NO_USER_SESSION_KEY;
|
||||
}
|
||||
|
||||
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
|
||||
{
|
||||
const char *send_sign_const;
|
||||
|
Loading…
Reference in New Issue
Block a user