Add the VerifyMac method.

src/ntlm/helpers.go

@@ -36,6 +36,21 @@ func zeroPaddedBytes(bytes []byte, offset int, size int) []byte {
 	return newSlice
 }
 
+func macsEqual(slice1, slice2 []byte) bool {
+	if len(slice1) != len(slice2) {
+		return false
+	}
+	for i := 0; i < len(slice1); i++ {
+		// bytes between 4 and 7 (inclusive) contains random
+		// data that should be ignored while comparing the
+		// macs
+		if (i < 4 || i > 7) && slice1[i] != slice2[i] {
+			return false
+		}
+	}
+	return true
+}
+
 func utf16FromString(s string) []byte {
 	encoded := utf16.Encode([]rune(s))
 	// TODO: I'm sure there is an easier way to do the conversion from utf16 to bytes

src/ntlm/helpers_test.go

@@ -13,3 +13,21 @@ func TestUTf16ToString(t *testing.T) {
 		t.Errorf("UTF16ToString failed got %s expected %s", hex.EncodeToString(result), "5500730065007200")
 	}
 }
+
+func TestMacsEquals(t *testing.T) {
+	// the macsEqual should ignore the values in the second 4 bytes
+	firstSlice := []byte{0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xf0, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff}
+	secondSlice := []byte{0xf1, 0xf2, 0xf3, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xf9, 0xf0, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff}
+	if !macsEqual(firstSlice, secondSlice) {
+		t.Errorf("Expected macsEqual(%v, %v) to be true", firstSlice, secondSlice)
+	}
+}
+
+func TestMacsEqualsFail(t *testing.T) {
+	// the last bytes in the following test case should cause macsEqual to return false
+	firstSlice := []byte{0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xf0, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff}
+	secondSlice := []byte{0xf1, 0xf2, 0xf3, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xf9, 0xf0, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xfe}
+	if macsEqual(firstSlice, secondSlice) {
+		t.Errorf("Expected macsEqual(%v, %v) to be false", firstSlice, secondSlice)
+	}
+}

src/ntlm/ntlm.go

@@ -80,6 +80,7 @@ type ServerSession interface {
 	Seal(message []byte) ([]byte, error)
 	Sign(message []byte) ([]byte, error)
 	Mac(message []byte, sequenceNumber int) ([]byte, error)
+	VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error)
 }
 
 // This struct collects NTLM data structures and keys that are used across all types of NTLM requests

src/ntlm/ntlmv1.go

@@ -112,6 +112,15 @@ func (n *V1Session) Mac(message []byte, sequenceNumber int) ([]byte, error) {
 	return sig.Bytes(), nil
 }
 
+func (n *V1Session) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
+	// TODO: Need to keep track of the sequence number for connection oriented NTLM
+	if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(n.negotiateFlags) {
+		n.clientHandle, _ = reinitSealingKey(n.clientSealingKey, sequenceNumber)
+	}
+	sig := mac(n.negotiateFlags, n.clientHandle, n.clientSigningKey, uint32(sequenceNumber), message)
+	return macsEqual(sig.Bytes(), expectedMac), nil
+}
+
 /**************
  Server Session
 **************/

src/ntlm/ntlmv2.go

@@ -86,6 +86,19 @@ func (n *V2Session) Mac(message []byte, sequenceNumber int) ([]byte, error) {
 	return sig.Bytes(), nil
 }
 
+func (n *V2Session) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
+	// TODO: Need to keep track of the sequence number for connection oriented NTLM
+	if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(n.negotiateFlags) && messages.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.IsSet(n.negotiateFlags) {
+		n.clientHandle, _ = reinitSealingKey(n.clientSealingKey, sequenceNumber)
+	} else if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(n.negotiateFlags) {
+		// CONOR: Reinitializing the rc4 cipher on every requst, but not using the 
+		// algorithm as described in the MS-NTLM document. Just reinitialize it directly.
+		n.clientHandle, _ = rc4Init(n.clientSealingKey)
+	}
+	sig := mac(n.negotiateFlags, n.clientHandle, n.clientSigningKey, uint32(sequenceNumber), message)
+	return macsEqual(sig.Bytes(), expectedMac), nil
+}
+
 /**************
  Server Session
 **************/