From fe1c7d62f540c118d36964389e0e1b9c9190eadd Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 5 Aug 2014 11:38:30 -0400
Subject: Use a macro to define the ntlm signature size

Avoids the look of magic numbers everywhere, and give some useful context to the code reader
---
 src/gss_signseal.c | 28 ++++++++++++++++------------
 src/ntlm.h | 1 +
 src/ntlm_crypto.c | 24 ++++++++++++++----------
 3 files changed, 31 insertions(+), 22 deletions(-)
(limited to 'src')
diff --git a/src/gss_signseal.c b/src/gss_signseal.c
index 274317d..bf622ca 100644
--- a/src/gss_signseal.c
+++ b/src/gss_signseal.c
@@ -59,12 +59,12 @@ uint32_t gssntlm_get_mic(uint32_t *minor_status,
 }
 }
- message_token->value = malloc(16);
+ message_token->value = malloc(NTLM_SIGNATURE_SIZE);
 if (!message_token->value) {
 *minor_status = ENOMEM;
 return GSS_S_FAILURE;
 }
- message_token->length = 16;
+ message_token->length = NTLM_SIGNATURE_SIZE;
 message.data = message_buffer->value;
 message.length = message_buffer->length;
@@ -96,7 +96,7 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status,
 struct gssntlm_ctx *ctx;
 struct ntlm_buffer message;
 uint8_t token[16];
- struct ntlm_buffer signature = { token, 16 };
+ struct ntlm_buffer signature = { token, NTLM_SIGNATURE_SIZE };
 uint32_t retmaj, retmin;
 *minor_status = 0;
@@ -134,7 +134,8 @@ uint32_t gssntlm_verify_mic(uint32_t *minor_status,
 return GSS_S_FAILURE;
 }
- if (memcmp(signature.data, message_token->value, 16) != 0) {
+ if (memcmp(signature.data,
+ message_token->value, NTLM_SIGNATURE_SIZE) != 0) {
 return GSS_S_BAD_SIG;
 }
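Review bot: In gssntlm_verify_mic the backing array is still declared as `uint8_t token[16];` while the ntlm_buffer that wraps it now takes its length from NTLM_SIGNATURE_SIZE, so the storage and the advertised length can drift apart and any callee that trusts signature.length could then write past the array. Declare it as `uint8_t token[NTLM_SIGNATURE_SIZE];`, as this commit already does for hmac_sig and micbuf in src/ntlm_crypto.c. The same leftover literal remains in gssntlm_unwrap (`uint8_t sig[16];`) and in the guard of gssntlm_wrap_size_limit (`if (req_output_size < 16)`), where the subtraction it protects now uses the macro. All three function bodies start and end outside their hunks.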
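Review bot: The comparison in gssntlm_verify_mic reads NTLM_SIGNATURE_SIZE bytes from message_token->value, and no check of message_token->length is visible in this hunk, so a shorter token from the peer would be read out of bounds unless the length is validated earlier in the function, which starts above the hunk. If it is not, reject it first with `if (message_token->length != NTLM_SIGNATURE_SIZE) return GSS_S_BAD_SIG;`. memcmp also returns at the first differing byte, which makes the check's duration depend on the data; a constant-time comparison (OpenSSL provides `CRYPTO_memcmp`, if that library is what this project links) is the usual choice for verifying a MAC. The timing point also applies to the memcmp in gssntlm_unwrap, and both points apply to `memcmp(mic->data, check_mic.data, NTLM_SIGNATURE_SIZE)` in ntlm_verify_mic, where mic->length is not checked in the visible lines.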
@@ -192,19 +193,20 @@ uint32_t gssntlm_wrap(uint32_t *minor_status,
 }
 }
- output_message_buffer->value = malloc(input_message_buffer->length + 16);
+ output_message_buffer->length =
+ input_message_buffer->length + NTLM_SIGNATURE_SIZE;
+ output_message_buffer->value = malloc(output_message_buffer->length);
 if (!output_message_buffer->value) {
 *minor_status = ENOMEM;
 return GSS_S_FAILURE;
 }
- output_message_buffer->length = input_message_buffer->length + 16;
 message.data = input_message_buffer->value;
 message.length = input_message_buffer->length;
 output.data = output_message_buffer->value;
 output.length = input_message_buffer->length;
 signature.data = &output.data[input_message_buffer->length];
- signature.length = 16;
+ signature.length = NTLM_SIGNATURE_SIZE;
 retmin = ntlm_seal(ctx->send.seal_handle, ctx->neg_flags, &ctx->send.sign_key, ctx->send.seq_num, &message, &output, &signature);
@@ -232,7 +234,7 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
 struct ntlm_buffer message;
 struct ntlm_buffer output;
 uint8_t sig[16];
- struct ntlm_buffer signature = { sig, 16 };
+ struct ntlm_buffer signature = { sig, NTLM_SIGNATURE_SIZE };
 uint32_t retmaj, retmin;
 *minor_status = 0;
@@ -263,12 +265,13 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
 }
 }
- output_message_buffer->value = malloc(input_message_buffer->length - 16);
+ output_message_buffer->length =
+ input_message_buffer->length - NTLM_SIGNATURE_SIZE;
+ output_message_buffer->value = malloc(output_message_buffer->length);
 if (!output_message_buffer->value) {
 *minor_status = ENOMEM;
 return GSS_S_FAILURE;
 }
- output_message_buffer->length = input_message_buffer->length - 16;
 message.data = input_message_buffer->value;
 message.length = input_message_buffer->length;
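Review bot: Moving the length assignment ahead of malloc in gssntlm_wrap means the ENOMEM path now returns with output_message_buffer->length set and output_message_buffer->value NULL, where the old code left the length untouched when the allocation failed. A caller that inspects or releases the buffer after the failure sees a non-zero length with no storage behind it; adding `output_message_buffer->length = 0;` to the failure branch keeps the two fields consistent. gssntlm_unwrap gets the same reordering and needs the same line. Separately, the sum `input_message_buffer->length + NTLM_SIGNATURE_SIZE` is not checked for wrap-around in the visible lines, and the function body starts and ends outside the hunk.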
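Review bot: In gssntlm_unwrap, `input_message_buffer->length - NTLM_SIGNATURE_SIZE` wraps to a very large value when the incoming token is shorter than a signature, and no lower-bound check is visible in this hunk (the function starts above it, so one may exist there). The wrapped token comes from the peer, so the length should be validated before the subtraction, for example `if (input_message_buffer->length < NTLM_SIGNATURE_SIZE) { *minor_status = EINVAL; return GSS_S_DEFECTIVE_TOKEN; }`. ntlm_unseal in src/ntlm_crypto.c does the same unchecked `msg_buffer.length -= NTLM_SIGNATURE_SIZE;` and, unless the block closing just above that line already covers it, wants the matching guard `if (message->length < NTLM_SIGNATURE_SIZE) return EINVAL;`.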
@@ -283,7 +286,8 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
 return GSS_S_FAILURE;
 }
- if (memcmp(&message.data[output.length], signature.data, 16) != 0) {
+ if (memcmp(&message.data[output.length],
+ signature.data, NTLM_SIGNATURE_SIZE) != 0) {
 safefree(output_message_buffer->value);
 return GSS_S_BAD_SIG;
 }
@@ -320,7 +324,7 @@ uint32_t gssntlm_wrap_size_limit(uint32_t *minor_status,
 if (req_output_size < 16) {
 *max_input_size = 0;
 } else {
- *max_input_size = req_output_size - 16;
+ *max_input_size = req_output_size - NTLM_SIGNATURE_SIZE;
 }
 return GSS_S_COMPLETE;
diff --git a/src/ntlm.h b/src/ntlm.h
index 9c5da00..08d2cd1 100644
--- a/src/ntlm.h
+++ b/src/ntlm.h
@@ -79,6 +79,7 @@
 #define MSVAVFLAGS_MIC_PRESENT 0x02
 #define MSVAVFLAGS_UNVERIFIED_SPN 0x04
+#define NTLM_SIGNATURE_SIZE 16
 struct ntlm_ctx;
diff --git a/src/ntlm_crypto.c b/src/ntlm_crypto.c
index b2f42f0..401e897 100644
--- a/src/ntlm_crypto.c
+++ b/src/ntlm_crypto.c
@@ -630,14 +630,14 @@ static int ntlmv2_sign(struct ntlm_key *sign_key, uint32_t seq_num,
 struct ntlm_buffer seq = { le8seq, 4 };
 struct ntlm_buffer *data[2];
 struct ntlm_iov iov;
- uint8_t hmac_sig[16];
- struct ntlm_buffer hmac = { hmac_sig, 16 };
+ uint8_t hmac_sig[NTLM_SIGNATURE_SIZE];
+ struct ntlm_buffer hmac = { hmac_sig, NTLM_SIGNATURE_SIZE };
 struct ntlm_buffer rc4buf;
 struct ntlm_buffer rc4res;
 int ret;
 msg_sig = (union wire_msg_signature *)signature->data;
- if (signature->length != 16) {
+ if (signature->length != NTLM_SIGNATURE_SIZE) {
 return EINVAL;
 }
@@ -686,7 +686,7 @@ static int ntlmv1_sign(struct ntlm_rc4_handle *handle,
 int ret;
 msg_sig = (union wire_msg_signature *)signature->data;
- if (signature->length != 16) {
+ if (signature->length != NTLM_SIGNATURE_SIZE) {
 return EINVAL;
 }
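Review bot: NTLM_SIGNATURE_SIZE is added to src/ntlm.h without a comment, although it now sizes stack buffers and bounds memcmp and memset calls in both source files. A one-line comment such as `/* size in bytes of an NTLM message signature; also used for the MIC buffer */` would tell the reader what the value stands for and that ntlm_verify_mic relies on the MIC having the same size. If the MIC length is meant to be independent of the signature length, a separate macro for it would keep `micbuf` from silently following a later change to this one.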
@@ -764,7 +764,7 @@ int ntlm_unseal(struct ntlm_rc4_handle *handle, uint32_t flags,
 }
 msg_buffer = *message;
- msg_buffer.length -= 16;
+ msg_buffer.length -= NTLM_SIGNATURE_SIZE;
 ret = RC4_UPDATE(handle, &msg_buffer, output);
 if (ret) return ret;
@@ -809,8 +809,8 @@ int ntlm_verify_mic(struct ntlm_key *key,
 struct ntlm_buffer *authenticate_message,
 struct ntlm_buffer *mic)
 {
- uint8_t micbuf[16];
- struct ntlm_buffer check_mic = { micbuf, 16 };
+ uint8_t micbuf[NTLM_SIGNATURE_SIZE];
+ struct ntlm_buffer check_mic = { micbuf, NTLM_SIGNATURE_SIZE };
 struct wire_auth_msg *msg;
 size_t payload_offs;
 uint32_t flags;
@@ -826,17 +826,21 @@ int ntlm_verify_mic(struct ntlm_key *key,
 payload_offs += sizeof(struct wire_version);
 }
- if (payload_offs + 16 > authenticate_message->length) return EINVAL;
+ if (payload_offs + NTLM_SIGNATURE_SIZE > authenticate_message->length) {
+ return EINVAL;
+ }
 /* payload_offs now points at the MIC buffer, clear it off in order
 * to be able to calculate the original chcksum */
- memset(&authenticate_message->data[payload_offs], 0, 16);
+ memset(&authenticate_message->data[payload_offs], 0, NTLM_SIGNATURE_SIZE);
 ret = ntlm_mic(key, negotiate_message, challenge_message, authenticate_message, &check_mic);
 if (ret) return ret;
- if (memcmp(mic->data, check_mic.data, 16) != 0) return EACCES;
+ if (memcmp(mic->data, check_mic.data, NTLM_SIGNATURE_SIZE) != 0) {
+ return EACCES;
+ }
 return 0;
 }
-- cgit