diff options
| author | Simo Sorce <simo@redhat.com> | 2014-08-06 22:59:38 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2014-08-06 23:59:38 -0400 |
| commit | a3e554fbf28fbf0c67d4511dec809069feed6d3b (patch) | |
| tree | 42c18310f19d761b251142f6c9d7413c9c8bc242 | |
| parent | fe1c7d62f540c118d36964389e0e1b9c9190eadd (diff) | |
| download | gss-ntlmssp-a3e554fbf28fbf0c67d4511dec809069feed6d3b.tar.gz gss-ntlmssp-a3e554fbf28fbf0c67d4511dec809069feed6d3b.tar.xz gss-ntlmssp-a3e554fbf28fbf0c67d4511dec809069feed6d3b.zip | |
Introduce ntlm_signseal_state
This structure keeps the crypto state closer to the crypto routines.
| -rw-r--r-- | src/gss_ntlmssp.h | 10 | ||||
| -rw-r--r-- | src/gss_sec_ctx.c | 23 | ||||
| -rw-r--r-- | src/gss_serialize.c | 14 | ||||
| -rw-r--r-- | src/gss_signseal.c | 38 | ||||
| -rw-r--r-- | src/ntlm.h | 76 | ||||
| -rw-r--r-- | src/ntlm_crypto.c | 123 | ||||
| -rw-r--r-- | tests/ntlmssptest.c | 31 |
7 files changed, 151 insertions, 164 deletions
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h index 27ac6dc..0b4df0d 100644 --- a/src/gss_ntlmssp.h +++ b/src/gss_ntlmssp.h @@ -107,13 +107,6 @@ struct gssntlm_cred { } cred; }; -struct gssntlm_signseal { - struct ntlm_key sign_key; - struct ntlm_key seal_key; - struct ntlm_rc4_handle *seal_handle; - uint32_t seq_num; -}; - struct gssntlm_ctx { enum gssntlm_role { GSSNTLM_CLIENT, @@ -151,8 +144,7 @@ struct gssntlm_ctx { /* TODO: Add whitelist of servers we are allowed to communicate with */ struct ntlm_key exported_session_key; - struct gssntlm_signseal send; - struct gssntlm_signseal recv; + struct ntlm_signseal_state crypto_state; uint32_t int_flags; time_t expiration_time; diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c index 84093e5..12a15c5 100644 --- a/src/gss_sec_ctx.c +++ b/src/gss_sec_ctx.c @@ -613,12 +613,7 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status, if (protect) { retmin = ntlm_signseal_keys(in_flags, true, &ctx->exported_session_key, - &ctx->send.sign_key, - &ctx->recv.sign_key, - &ctx->send.seal_key, - &ctx->recv.seal_key, - &ctx->send.seal_handle, - &ctx->recv.seal_handle); + &ctx->crypto_state); if (retmin) { retmaj = GSS_S_FAILURE; goto done; @@ -736,8 +731,8 @@ uint32_t gssntlm_delete_sec_context(uint32_t *minor_status, gssntlm_int_release_name(&ctx->source_name); gssntlm_int_release_name(&ctx->target_name); - RC4_FREE(&ctx->send.seal_handle); - RC4_FREE(&ctx->recv.seal_handle); + RC4_FREE(&ctx->crypto_state.send.seal_handle); + RC4_FREE(&ctx->crypto_state.recv.seal_handle); safezero((uint8_t *)ctx, sizeof(struct gssntlm_ctx)); safefree(*context_handle); @@ -1320,12 +1315,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status, NTLMSSP_NEGOTIATE_SEAL)) { retmin = ntlm_signseal_keys(ctx->neg_flags, false, &ctx->exported_session_key, - &ctx->send.sign_key, - &ctx->recv.sign_key, - &ctx->send.seal_key, - &ctx->recv.seal_key, - &ctx->send.seal_handle, - &ctx->recv.seal_handle); + &ctx->crypto_state); if (retmin) { retmaj = GSS_S_FAILURE; goto done; @@ -1483,8 +1473,9 @@ uint32_t gssntlm_set_sec_context_option(uint32_t *minor_status, return GSS_S_FAILURE; } - memcpy(&ctx->recv.seq_num, value->value, value->length); - ctx->send.seq_num = ctx->recv.seq_num; + memcpy(&ctx->crypto_state.recv.seq_num, + value->value, value->length); + ctx->crypto_state.send.seq_num = ctx->crypto_state.recv.seq_num; return GSS_S_COMPLETE; } else { *minor_status = EACCES; diff --git a/src/gss_serialize.c b/src/gss_serialize.c index ef35dd4..611d8be 100644 --- a/src/gss_serialize.c +++ b/src/gss_serialize.c @@ -192,7 +192,7 @@ static int export_name(struct export_state *state, } static int export_keys(struct export_state *state, - struct gssntlm_signseal *keys, + struct ntlm_signseal_handle *keys, struct export_keys *exp_keys) { uint8_t buf[258]; @@ -372,10 +372,10 @@ uint32_t gssntlm_export_sec_context(uint32_t *minor_status, &ectx->exported_session_key); if (ret) goto done; - ret = export_keys(&state, &ctx->send, &ectx->send); + ret = export_keys(&state, &ctx->crypto_state.send, &ectx->send); if (ret) goto done; - ret = export_keys(&state, &ctx->recv, &ectx->recv); + ret = export_keys(&state, &ctx->crypto_state.recv, &ectx->recv); if (ret) goto done; ectx->int_flags = ctx->int_flags; @@ -500,7 +500,7 @@ static uint32_t import_name(uint32_t *minor_status, static uint32_t import_keys(uint32_t *minor_status, struct export_state *state, struct export_keys *keys, - struct gssntlm_signseal *imp_keys) + struct ntlm_signseal_handle *imp_keys) { struct ntlm_buffer in; uint8_t *dest; @@ -701,10 +701,12 @@ uint32_t gssntlm_import_sec_context(uint32_t *minor_status, memset(&ctx->exported_session_key, 0, sizeof(struct ntlm_key)); } - maj = import_keys(minor_status, &state, &ectx->send, &ctx->send); + maj = import_keys(minor_status, &state, + &ectx->send, &ctx->crypto_state.send); if (maj != GSS_S_COMPLETE) goto done; - maj = import_keys(minor_status, &state, &ectx->recv, &ctx->recv); + maj = import_keys(minor_status, &state, + &ectx->recv, &ctx->crypto_state.recv); if (maj != GSS_S_COMPLETE) goto done; ctx->int_flags = ectx->int_flags; diff --git a/src/gss_signseal.c b/src/gss_signseal.c index bf622ca..7513c74 100644 --- a/src/gss_signseal.c +++ b/src/gss_signseal.c @@ -50,9 +50,7 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status, if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) { /* must regenerate seal key */ - retmin = ntlm_seal_regen(&ctx->send.seal_key, - &ctx->send.seal_handle, - ctx->send.seq_num); + retmin = ntlm_seal_regen(&ctx->crypto_state, NTLM_SEND); if (retmin) { *minor_status = retmin; return GSS_S_FAILURE; @@ -70,8 +68,8 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status, message.length = message_buffer->length; signature.data = message_token->value; signature.length = message_token->length; - retmin = ntlm_sign(&ctx->send.sign_key, ctx->send.seq_num, - ctx->send.seal_handle, ctx->neg_flags, + retmin = ntlm_sign(ctx->neg_flags, NTLM_SEND, + &ctx->crypto_state, &message, &signature); if (retmin) { *minor_status = retmin; @@ -81,7 +79,7 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status, if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) { /* increment seq_num upon succesful signature */ - ctx->send.seq_num++; + ctx->crypto_state.send.seq_num++; } return GSS_S_COMPLETE; @@ -115,9 +113,7 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status, if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) { /* must regenerate seal key */ - retmin = ntlm_seal_regen(&ctx->recv.seal_key, - &ctx->recv.seal_handle, - ctx->recv.seq_num); + retmin = ntlm_seal_regen(&ctx->crypto_state, NTLM_RECV); if (retmin) { *minor_status = retmin; return GSS_S_FAILURE; @@ -126,8 +122,8 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status, message.data = message_buffer->value; message.length = message_buffer->length; - retmin = ntlm_sign(&ctx->recv.sign_key, ctx->recv.seq_num, - ctx->recv.seal_handle, ctx->neg_flags, + retmin = ntlm_sign(ctx->neg_flags, NTLM_RECV, + &ctx->crypto_state, &message, &signature); if (retmin) { *minor_status = retmin; @@ -141,7 +137,7 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status, if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) { /* increment seq_num upon succesful signature */ - ctx->recv.seq_num++; + ctx->crypto_state.recv.seq_num++; } return GSS_S_COMPLETE; @@ -184,9 +180,7 @@ uint32_t gssntlm_wrap(uint32_t *minor_status, if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) { /* must regenerate seal key */ - retmin = ntlm_seal_regen(&ctx->send.seal_key, - &ctx->send.seal_handle, - ctx->send.seq_num); + retmin = ntlm_seal_regen(&ctx->crypto_state, NTLM_SEND); if (retmin) { *minor_status = retmin; return GSS_S_FAILURE; @@ -207,8 +201,7 @@ uint32_t gssntlm_wrap(uint32_t *minor_status, output.length = input_message_buffer->length; signature.data = &output.data[input_message_buffer->length]; signature.length = NTLM_SIGNATURE_SIZE; - retmin = ntlm_seal(ctx->send.seal_handle, ctx->neg_flags, - &ctx->send.sign_key, ctx->send.seq_num, + retmin = ntlm_seal(ctx->neg_flags, &ctx->crypto_state, &message, &output, &signature); if (retmin) { *minor_status = retmin; @@ -218,7 +211,7 @@ uint32_t gssntlm_wrap(uint32_t *minor_status, if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) { /* increment seq_num upon succesful encryption */ - ctx->send.seq_num++; + ctx->crypto_state.send.seq_num++; } return GSS_S_COMPLETE; } @@ -256,9 +249,7 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status, if (ctx->gss_flags & GSS_C_DATAGRAM_FLAG) { /* must regenerate seal key */ - retmin = ntlm_seal_regen(&ctx->recv.seal_key, - &ctx->recv.seal_handle, - ctx->send.seq_num); + retmin = ntlm_seal_regen(&ctx->crypto_state, NTLM_RECV); if (retmin) { *minor_status = retmin; return GSS_S_FAILURE; @@ -277,8 +268,7 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status, message.length = input_message_buffer->length; output.data = output_message_buffer->value; output.length = output_message_buffer->length; - retmin = ntlm_unseal(ctx->recv.seal_handle, ctx->neg_flags, - &ctx->recv.sign_key, ctx->recv.seq_num, + retmin = ntlm_unseal(ctx->neg_flags, &ctx->crypto_state, &message, &output, &signature); if (retmin) { *minor_status = retmin; @@ -294,7 +284,7 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status, if (!(ctx->gss_flags & GSS_C_DATAGRAM_FLAG)) { /* increment seq_num upon succesful encryption */ - ctx->recv.seq_num++; + ctx->crypto_state.recv.seq_num++; } return GSS_S_COMPLETE; } @@ -127,6 +127,21 @@ struct ntlm_key { size_t length; }; +struct ntlm_signseal_handle { + struct ntlm_key sign_key; + struct ntlm_key seal_key; + struct ntlm_rc4_handle *seal_handle; + uint32_t seq_num; +}; + +struct ntlm_signseal_state { + struct ntlm_signseal_handle send; + struct ntlm_signseal_handle recv; +}; + +#define NTLM_SEND 1 +#define NTLM_RECV 2 + /** * @brief Turns a utf8 password into an NT Hash * @@ -303,38 +318,25 @@ int ntlm_encrypted_session_key(struct ntlm_key *key, * * @param flags Incoming challenge/authenticate flags * @param client Wheter this ia a client or a server - * @param random_session_key The session key - * @param sign_send_key Resulting Signing key for send ops - * @param sign_recv_key Resulting Signing key for recv ops - * @param seal_send_key Resulting Sealing key for send ops - * @param seal_recv_key Resulting Sealing key for recv ops - * @param seal_send_handle Handle for RC4 encryption (v1 sealing) - * @param seal_recv_handle Handle for RC4 decryption (v1 sealing) + * @param session_key The session key + * @param signseal_state Sign and seal keys and state * * @return 0 on success or error. */ int ntlm_signseal_keys(uint32_t flags, bool client, - struct ntlm_key *random_session_key, - struct ntlm_key *sign_send_key, - struct ntlm_key *sign_recv_key, - struct ntlm_key *seal_send_key, - struct ntlm_key *seal_recv_key, - struct ntlm_rc4_handle **seal_send_handle, - struct ntlm_rc4_handle **seal_recv_handle); + struct ntlm_key *session_key, + struct ntlm_signseal_state *signseal_state); /** * @brief Regens the NTLM Seal key. * Used only in connectionless mode. See MS-NLMP 3.4 * - * @param seal_key The current sealing key - * @param seal_handle The current sealing handle - * @param seq_num The current (application provided) sequence number + * @param state Sign and seal keys and state + * @param direction Direction (NTLM_SEND or NTLM_RECV) * * @return 0 on success or error. */ -int ntlm_seal_regen(struct ntlm_key *seal_key, - struct ntlm_rc4_handle **seal_handle, - uint32_t seq_num); +int ntlm_seal_regen(struct ntlm_signseal_state *state, int direction); /** * @brief Verifies a 16 bit NT Response @@ -365,53 +367,51 @@ int ntlmv2_verify_lm_response(struct ntlm_buffer *nt_response, /** * @brief Create NTLM signature for the provided message * - * @param sign_key Signing key - * @param seq_num Sequence number - * @param handle Encryption handle * @param flags Negotiated flags + * @param state Sign and seal keys and state + * @param direction Direction (true for send) * @param message Message buffer * @param signature Preallocated byffer of 16 bytes for signature * * @return 0 on success, or an error */ -int ntlm_sign(struct ntlm_key *sign_key, uint32_t seq_num, - struct ntlm_rc4_handle *handle, uint32_t flags, - struct ntlm_buffer *message, struct ntlm_buffer *signature); +int ntlm_sign(uint32_t flags, int direction, + struct ntlm_signseal_state *state, + struct ntlm_buffer *message, + struct ntlm_buffer *signature); /** * @brief NTLM seal the provided message * - * @param handle Encryption handle * @param flags Negotiated flags - * @param sign_key Signing key - * @param seq_num Sequence number + * @param state Sign and seal keys and state * @param message Message buffer * @param output Output buffer * @param signature Signature * * @return 0 on success, or an error */ -int ntlm_seal(struct ntlm_rc4_handle *handle, uint32_t flags, - struct ntlm_key *sign_key, uint32_t seq_num, - struct ntlm_buffer *message, struct ntlm_buffer *output, +int ntlm_seal(uint32_t flags, + struct ntlm_signseal_state *state, + struct ntlm_buffer *message, + struct ntlm_buffer *output, struct ntlm_buffer *signature); /** * @brief NTLM unseal the provided message * - * @param handle Encryption handle * @param flags Negotiated flags - * @param sign_key Signing key - * @param seq_num Sequence number + * @param state Sign and seal keys and state * @param message Message buffer * @param output Output buffer * @param signature Signature * * @return 0 on success, or an error */ -int ntlm_unseal(struct ntlm_rc4_handle *handle, uint32_t flags, - struct ntlm_key *sign_key, uint32_t seq_num, - struct ntlm_buffer *message, struct ntlm_buffer *output, +int ntlm_unseal(uint32_t flags, + struct ntlm_signseal_state *state, + struct ntlm_buffer *message, + struct ntlm_buffer *output, struct ntlm_buffer *signature); /** diff --git a/src/ntlm_crypto.c b/src/ntlm_crypto.c index 401e897..33f5b65 100644 --- a/src/ntlm_crypto.c +++ b/src/ntlm_crypto.c @@ -481,13 +481,8 @@ static int ntlm_sealkey(uint32_t flags, bool mode, } int ntlm_signseal_keys(uint32_t flags, bool client, - struct ntlm_key *random_session_key, - struct ntlm_key *sign_send_key, - struct ntlm_key *sign_recv_key, - struct ntlm_key *seal_send_key, - struct ntlm_key *seal_recv_key, - struct ntlm_rc4_handle **seal_send_handle, - struct ntlm_rc4_handle **seal_recv_handle) + struct ntlm_key *session_key, + struct ntlm_signseal_state *state) { struct ntlm_buffer rc4_key; bool mode; @@ -495,39 +490,38 @@ int ntlm_signseal_keys(uint32_t flags, bool client, /* send key */ mode = client ? NTLM_MODE_CLIENT : NTLM_MODE_SERVER; - ret = ntlm_signkey(flags, mode, random_session_key, sign_send_key); + ret = ntlm_signkey(flags, mode, session_key, &state->send.sign_key); if (ret) return ret; /* recv key */ mode = client ? NTLM_MODE_SERVER : NTLM_MODE_CLIENT; - ret = ntlm_signkey(flags, mode, random_session_key, sign_recv_key); + ret = ntlm_signkey(flags, mode, session_key, &state->recv.sign_key); if (ret) return ret; /* send key */ mode = client ? NTLM_MODE_CLIENT : NTLM_MODE_SERVER; - ret = ntlm_sealkey(flags, mode, random_session_key, seal_send_key); + ret = ntlm_sealkey(flags, mode, session_key, &state->send.seal_key); if (ret) return ret; /* recv key */ mode = client ? NTLM_MODE_SERVER : NTLM_MODE_CLIENT; - ret = ntlm_sealkey(flags, mode, random_session_key, seal_recv_key); + ret = ntlm_sealkey(flags, mode, session_key, &state->recv.seal_key); if (ret) return ret; - rc4_key.data = seal_send_key->data; - rc4_key.length = seal_send_key->length; - ret = RC4_INIT(&rc4_key, NTLM_CIPHER_ENCRYPT, seal_send_handle); + rc4_key.data = state->send.seal_key.data; + rc4_key.length = state->send.seal_key.length; + ret = RC4_INIT(&rc4_key, NTLM_CIPHER_ENCRYPT, &state->send.seal_handle); if (ret) return ret; - rc4_key.data = seal_recv_key->data; - rc4_key.length = seal_recv_key->length; - ret = RC4_INIT(&rc4_key, NTLM_CIPHER_DECRYPT, seal_recv_handle); + rc4_key.data = state->recv.seal_key.data; + rc4_key.length = state->recv.seal_key.length; + ret = RC4_INIT(&rc4_key, NTLM_CIPHER_DECRYPT, &state->recv.seal_handle); if (ret) return ret; return 0; } -int ntlm_seal_regen(struct ntlm_key *seal_key, - struct ntlm_rc4_handle **seal_handle, - uint32_t seq_num) +int ntlm_seal_regen(struct ntlm_signseal_state *state, int direction) { + struct ntlm_signseal_handle *h; struct ntlm_buffer payload; struct ntlm_buffer result; uint8_t inbuf[20]; @@ -535,21 +529,27 @@ int ntlm_seal_regen(struct ntlm_key *seal_key, uint32_t le; int ret; - RC4_FREE(seal_handle); + if (direction == NTLM_SEND) { + h = &state->send; + } else { + h = &state->recv; + } + + RC4_FREE(&h->seal_handle); - memcpy(inbuf, seal_key->data, seal_key->length); - le = htole32(seq_num); - memcpy(&inbuf[seal_key->length], &le, 4); + memcpy(inbuf, h->seal_key.data, h->seal_key.length); + le = htole32(h->seq_num); + memcpy(&inbuf[h->seal_key.length], &le, 4); payload.data = inbuf; - payload.length = seal_key->length + 4; + payload.length = h->seal_key.length + 4; result.data = outbuf; result.length = 16; ret = MD5_HASH(&payload, &result); if (ret) return ret; - ret = RC4_INIT(&result, NTLM_CIPHER_ENCRYPT, seal_handle); + ret = RC4_INIT(&result, NTLM_CIPHER_ENCRYPT, &h->seal_handle); return ret; } @@ -707,19 +707,28 @@ static int ntlmv1_sign(struct ntlm_rc4_handle *handle, return 0; } -int ntlm_sign(struct ntlm_key *sign_key, uint32_t seq_num, - struct ntlm_rc4_handle *handle, uint32_t flags, - struct ntlm_buffer *message, struct ntlm_buffer *signature) +int ntlm_sign(uint32_t flags, int direction, + struct ntlm_signseal_state *state, + struct ntlm_buffer *message, + struct ntlm_buffer *signature) { + struct ntlm_signseal_handle *h; + + if (direction == NTLM_SEND) { + h = &state->send; + } else { + h = &state->recv; + } + if ((flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) && (flags & NTLMSSP_NEGOTIATE_SIGN)) { - return ntlmv2_sign(sign_key, seq_num, handle, + return ntlmv2_sign(&h->sign_key, h->seq_num, h->seal_handle, (flags & NTLMSSP_NEGOTIATE_KEY_EXCH), message, signature); } else if (flags & NTLMSSP_NEGOTIATE_SIGN) { - return ntlmv1_sign(handle, 0, seq_num, message, signature); + return ntlmv1_sign(h->seal_handle, 0, h->seq_num, message, signature); } else if (flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) { - uint32_t le_seq = htole32(seq_num); + uint32_t le_seq = htole32(h->seq_num); memcpy(signature->data, &le_seq, 4); memset(&signature->data[4], 0, 12); return 0; @@ -728,34 +737,40 @@ int ntlm_sign(struct ntlm_key *sign_key, uint32_t seq_num, return ENOTSUP; } -int ntlm_seal(struct ntlm_rc4_handle *handle, uint32_t flags, - struct ntlm_key *sign_key, uint32_t seq_num, - struct ntlm_buffer *message, struct ntlm_buffer *output, +int ntlm_seal(uint32_t flags, + struct ntlm_signseal_state *state, + struct ntlm_buffer *message, + struct ntlm_buffer *output, struct ntlm_buffer *signature) { + struct ntlm_signseal_handle *h; int ret; - if (flags & NTLMSSP_NEGOTIATE_SEAL) { - ret = RC4_UPDATE(handle, message, output); - if (ret) return ret; - - if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) { - return ntlmv2_sign(sign_key, seq_num, handle, - (flags & NTLMSSP_NEGOTIATE_KEY_EXCH), - message, signature); - } else { - return ntlmv1_sign(handle, 0, seq_num, message, signature); - } + if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) { + return ENOTSUP; } - return ENOTSUP; + h = &state->send; + + ret = RC4_UPDATE(h->seal_handle, message, output); + if (ret) return ret; + + if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) { + return ntlmv2_sign(&h->sign_key, h->seq_num, h->seal_handle, + (flags & NTLMSSP_NEGOTIATE_KEY_EXCH), + message, signature); + } else { + return ntlmv1_sign(h->seal_handle, 0, h->seq_num, message, signature); + } } -int ntlm_unseal(struct ntlm_rc4_handle *handle, uint32_t flags, - struct ntlm_key *sign_key, uint32_t seq_num, - struct ntlm_buffer *message, struct ntlm_buffer *output, +int ntlm_unseal(uint32_t flags, + struct ntlm_signseal_state *state, + struct ntlm_buffer *message, + struct ntlm_buffer *output, struct ntlm_buffer *signature) { + struct ntlm_signseal_handle *h; struct ntlm_buffer msg_buffer; int ret; @@ -763,18 +778,20 @@ int ntlm_unseal(struct ntlm_rc4_handle *handle, uint32_t flags, return ENOTSUP; } + h = &state->recv; + msg_buffer = *message; msg_buffer.length -= NTLM_SIGNATURE_SIZE; - ret = RC4_UPDATE(handle, &msg_buffer, output); + ret = RC4_UPDATE(h->seal_handle, &msg_buffer, output); if (ret) return ret; if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) { - return ntlmv2_sign(sign_key, seq_num, handle, + return ntlmv2_sign(&h->sign_key, h->seq_num, h->seal_handle, (flags & NTLMSSP_NEGOTIATE_KEY_EXCH), output, signature); } else { - return ntlmv1_sign(handle, 0, seq_num, output, signature); + return ntlmv1_sign(h->seal_handle, 0, h->seq_num, output, signature); } } diff --git a/tests/ntlmssptest.c b/tests/ntlmssptest.c index ca2e61d..d1b334d 100644 --- a/tests/ntlmssptest.c +++ b/tests/ntlmssptest.c @@ -1423,12 +1423,7 @@ done: int test_GSS_Wrap_EX(struct ntlm_ctx *ctx, struct t_gsswrapex_data *data) { - struct ntlm_key sign_send_key; - struct ntlm_key sign_recv_key; - struct ntlm_key seal_send_key; - struct ntlm_key seal_recv_key; - struct ntlm_rc4_handle *seal_send_handle; - struct ntlm_rc4_handle *seal_recv_handle; + struct ntlm_signseal_state state; uint8_t outbuf[data->Ciphertext.length]; uint8_t signbuf[16]; struct ntlm_buffer output = { outbuf, data->Ciphertext.length }; @@ -1436,42 +1431,42 @@ int test_GSS_Wrap_EX(struct ntlm_ctx *ctx, struct t_gsswrapex_data *data) int ret; ret = ntlm_signseal_keys(data->flags, true, - &data->KeyExchangeKey, - &sign_send_key, &sign_recv_key, - &seal_send_key, &seal_recv_key, - &seal_send_handle, &seal_recv_handle); + &data->KeyExchangeKey, &state); if (ret) return ret; if (data->ClientSealKey.length) { - if (memcmp(seal_send_key.data, data->ClientSealKey.data, - data->ClientSealKey.length) != 0) { + if (memcmp(state.send.seal_key.data, + data->ClientSealKey.data, + data->ClientSealKey.length) != 0) { fprintf(stderr, "Client Sealing Keys differ!\n"); fprintf(stderr, "expected:\n%s", hex_to_dump(data->ClientSealKey.data, data->ClientSealKey.length)); fprintf(stderr, "obtained:\n%s", - hex_to_dump(seal_send_key.data, sign_send_key.length)); + hex_to_dump(state.send.seal_key.data, + state.send.seal_key.length)); ret = EINVAL; } } if (data->ClientSignKey.length) { - if (memcmp(sign_send_key.data, data->ClientSignKey.data, - data->ClientSignKey.length) != 0) { + if (memcmp(state.send.sign_key.data, + data->ClientSignKey.data, + data->ClientSignKey.length) != 0) { fprintf(stderr, "Client Signing Keys differ!\n"); fprintf(stderr, "expected:\n%s", hex_to_dump(data->ClientSignKey.data, data->ClientSignKey.length)); fprintf(stderr, "obtained:\n%s", - hex_to_dump(sign_send_key.data, sign_send_key.length)); + hex_to_dump(state.send.sign_key.data, + state.send.sign_key.length)); ret = EINVAL; } } if (ret) return ret; - ret = ntlm_seal(seal_send_handle, data->flags, - &sign_send_key, data->SeqNum, + ret = ntlm_seal(data->flags, &state, &data->Plaintext, &output, &signature); if (ret) { |