authorSimo Sorce <simo@redhat.com>2014-04-06 17:53:58 -0400
committerSimo Sorce <simo@redhat.com>2014-05-04 17:21:06 -0400
commit2fef5bb26b1141f0f42bb5cb488c0eaa06a76d78 (patch)
tree54ab0e29b675925f55b7c1ca836f8ad54f71e6d2
parentffc782afefb404e323ac30cc64e1852a3bcf83d5 (diff)
downloadgss-ntlmssp-2fef5bb26b1141f0f42bb5cb488c0eaa06a76d78.tar.gz
gss-ntlmssp-2fef5bb26b1141f0f42bb5cb488c0eaa06a76d78.tar.xz
gss-ntlmssp-2fef5bb26b1141f0f42bb5cb488c0eaa06a76d78.zip
Add function to verify Channel Binding Token
-rw-r--r--src/ntlm.h10
-rw-r--r--src/ntlm_crypto.c17
2 files changed, 27 insertions, 0 deletions
diff --git a/src/ntlm.h b/src/ntlm.h
index da734c8..7c2f70c 100644
--- a/src/ntlm.h
+++ b/src/ntlm.h
@@ -461,6 +461,16 @@ int ntlm_verify_mic(struct ntlm_key *key,
int ntlm_hash_channel_bindings(struct ntlm_buffer *unhashed,
struct ntlm_buffer *signature);
+/**
+ * @brief Verifies Channel binding signature from unhashed data.
+ *
+ * @param unhashed The unhashed channel bindings data
+ * @param signature The recieved MD5 signature to check against
+ *
+ * @return 0 on success, EACCES if the CBT fails to verify, or an error
+ */
+int ntlm_verify_channel_bindings(struct ntlm_buffer *unhashed,
+ struct ntlm_buffer *signature);
/* ############## ENCODING / DECODING ############## */
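Review bot: The @return documentation on ntlm_verify_channel_bindings omits the EINVAL case that the accompanying implementation in src/ntlm_crypto.c returns when the signature buffer is not 16 bytes long, so a caller reading only the header cannot tell a malformed buffer apart from a failed verification; `@return 0 on success, EINVAL if signature is not 16 bytes, EACCES if the CBT fails to verify, or an error` covers both outcomes. The @param line for signature also misspells "received" as "recieved".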
diff --git a/src/ntlm_crypto.c b/src/ntlm_crypto.c
index a0b7f24..bf4878a 100644
--- a/src/ntlm_crypto.c
+++ b/src/ntlm_crypto.c
@@ -866,3 +866,20 @@ int ntlm_hash_channel_bindings(struct ntlm_buffer *unhashed,
safefree(input.data);
return ret;
}
+
+int ntlm_verify_channel_bindings(struct ntlm_buffer *unhashed,
+ struct ntlm_buffer *signature)
+{
+ uint8_t cbbuf[16];
+ struct ntlm_buffer cb = { cbbuf, 16 };
+ int ret;
+
+ if (signature->length != 16) return EINVAL;
+
+ ret = ntlm_hash_channel_bindings(unhashed, &cb);
+ if (ret) return ret;
+
+ if (memcmp(cb.data, signature->data, 16) != 0) return EACCES;
+
+ return 0;
+}
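Review bot: The 16-byte digest size is written as a bare literal four times in ntlm_verify_channel_bindings (the cbbuf declaration, the cb initializer, the length check and the memcmp), so changing one of them would silently desynchronise the others; a single named constant, e.g. `enum { NTLM_CB_HASH_LEN = 16 };` used in all four places, keeps the buffer, the length check and the comparison in step. The positional initializer `{ cbbuf, 16 }` also relies on the field order of struct ntlm_buffer, which the hunk does not show; `struct ntlm_buffer cb = { .data = cbbuf, .length = 16 };` states the intent with the field names the function already reads. The received digest is compared with memcmp, which stops at the first differing byte; the value arrives inside the NTLM response and I would expect it to be covered by that response's own integrity check, so a timing leak is unlikely to be exploitable here, but a fixed-time comparison that accumulates the XOR of all 16 bytes before deciding is the conventional choice for comparing a received digest and costs nothing.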