exporting fields so they can be serialized
This commit is contained in:
parent
e9221087f7
commit
d960dfe90e
@ -80,6 +80,8 @@ type ServerSession interface {
|
|||||||
GenerateChallengeMessage() (*messages.Challenge, error)
|
GenerateChallengeMessage() (*messages.Challenge, error)
|
||||||
ProcessAuthenticateMessage(*messages.Authenticate) error
|
ProcessAuthenticateMessage(*messages.Authenticate) error
|
||||||
|
|
||||||
|
GetSessionData() *SessionData
|
||||||
|
|
||||||
Version() int
|
Version() int
|
||||||
Seal(message []byte) ([]byte, error)
|
Seal(message []byte) ([]byte, error)
|
||||||
Sign(message []byte) ([]byte, error)
|
Sign(message []byte) ([]byte, error)
|
||||||
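Review bot: The new `GetSessionData() *SessionData` interface method has no doc comment, and nothing tells an implementer or caller that the returned struct now carries the session's live signing and sealing keys. Both implementations added in this commit return `&n.SessionData`, so the pointer aliases the session's internal state rather than a copy, and whatever the caller serializes is key material that needs the same protection as the session key. I would add above the method: `// GetSessionData returns a pointer to the session's live SessionData, including its signing and sealing keys; callers must not mutate it and must store any serialized copy as securely as the session key itself.` The ServerSession interface body continues outside the hunk.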
@ -114,10 +116,10 @@ type SessionData struct {
|
|||||||
sessionBaseKey []byte
|
sessionBaseKey []byte
|
||||||
mic []byte
|
mic []byte
|
||||||
|
|
||||||
clientSigningKey []byte
|
ClientSigningKey []byte
|
||||||
serverSigningKey []byte
|
ServerSigningKey []byte
|
||||||
clientSealingKey []byte
|
ClientSealingKey []byte
|
||||||
serverSealingKey []byte
|
ServerSealingKey []byte
|
||||||
|
|
||||||
clientHandle *rc4P.Cipher
|
clientHandle *rc4P.Cipher
|
||||||
serverHandle *rc4P.Cipher
|
serverHandle *rc4P.Cipher
|
||||||
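Review bot: Exporting ClientSigningKey, ServerSigningKey, ClientSealingKey and ServerSealingKey makes them visible to reflection-based encoders such as encoding/json and encoding/gob, so any serialization of SessionData now emits key material, yet the field group carries no comment saying so. The RC4 state in clientHandle and serverHandle stays unexported, and the later hunks show those handles being created by `rc4Init` from the sealing keys, so a SessionData restored from a serialized form would presumably need the handles re-derived before Mac or VerifyMac can be used — a comment at the field group would prevent a surprise, e.g. `// Exported so the keys can be serialized. These are secrets: treat any serialized SessionData as key material. clientHandle/serverHandle are not serialized and must be re-created with rc4Init.` The SessionData struct continues outside the hunk.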
|
@ -98,10 +98,10 @@ func (n *V1Session) calculateKeys(ntlmRevisionCurrent uint8) (err error) {
|
|||||||
n.negotiateFlags = messages.NTLMSSP_NEGOTIATE_LM_KEY.Set(n.negotiateFlags)
|
n.negotiateFlags = messages.NTLMSSP_NEGOTIATE_LM_KEY.Set(n.negotiateFlags)
|
||||||
}
|
}
|
||||||
|
|
||||||
n.clientSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
n.ClientSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
||||||
n.serverSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
n.ServerSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
||||||
n.clientSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
n.ClientSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
||||||
n.serverSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
n.ServerSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -118,7 +118,7 @@ func ntlmV1Mac(message []byte, sequenceNumber int, handle *rc4P.Cipher, sealingK
|
|||||||
if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) && messages.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.IsSet(negotiateFlags) {
|
if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) && messages.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.IsSet(negotiateFlags) {
|
||||||
handle, _ = reinitSealingKey(sealingKey, sequenceNumber)
|
handle, _ = reinitSealingKey(sealingKey, sequenceNumber)
|
||||||
} else if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) {
|
} else if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) {
|
||||||
// CONOR: Reinitializing the rc4 cipher on every requst, but not using the
|
// CONOR: Reinitializing the rc4 cipher on every requst, but not using the
|
||||||
// algorithm as described in the MS-NTLM document. Just reinitialize it directly.
|
// algorithm as described in the MS-NTLM document. Just reinitialize it directly.
|
||||||
handle, _ = rc4Init(sealingKey)
|
handle, _ = rc4Init(sealingKey)
|
||||||
}
|
}
|
||||||
@ -127,22 +127,22 @@ func ntlmV1Mac(message []byte, sequenceNumber int, handle *rc4P.Cipher, sealingK
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (n *V1ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
func (n *V1ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
||||||
mac := ntlmV1Mac(message, sequenceNumber, n.serverHandle, n.serverSealingKey, n.serverSigningKey, n.negotiateFlags)
|
mac := ntlmV1Mac(message, sequenceNumber, n.serverHandle, n.ServerSealingKey, n.ServerSigningKey, n.negotiateFlags)
|
||||||
return mac, nil
|
return mac, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *V1ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
func (n *V1ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
||||||
mac := ntlmV1Mac(message, sequenceNumber, n.clientHandle, n.clientSealingKey, n.clientSigningKey, n.negotiateFlags)
|
mac := ntlmV1Mac(message, sequenceNumber, n.clientHandle, n.ClientSealingKey, n.ClientSigningKey, n.negotiateFlags)
|
||||||
return mac, nil
|
return mac, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *V1ServerSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
func (n *V1ServerSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
||||||
mac := ntlmV1Mac(message, sequenceNumber, n.clientHandle, n.clientSealingKey, n.clientSigningKey, n.negotiateFlags)
|
mac := ntlmV1Mac(message, sequenceNumber, n.clientHandle, n.ClientSealingKey, n.ClientSigningKey, n.negotiateFlags)
|
||||||
return macsEqual(mac, expectedMac), nil
|
return macsEqual(mac, expectedMac), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *V1ClientSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
func (n *V1ClientSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
||||||
mac := ntlmV1Mac(message, sequenceNumber, n.serverHandle, n.serverSealingKey, n.serverSigningKey, n.negotiateFlags)
|
mac := ntlmV1Mac(message, sequenceNumber, n.serverHandle, n.ServerSealingKey, n.ServerSigningKey, n.negotiateFlags)
|
||||||
return macsEqual(mac, expectedMac), nil
|
return macsEqual(mac, expectedMac), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -168,6 +168,10 @@ func (n *V1ServerSession) SetServerChallenge(challenge []byte) {
|
|||||||
n.serverChallenge = challenge
|
n.serverChallenge = challenge
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (n *V1ServerSession) GetSessionData() *SessionData {
|
||||||
|
return &n.SessionData
|
||||||
|
}
|
||||||
|
|
||||||
func (n *V1ServerSession) ProcessAuthenticateMessage(am *messages.Authenticate) (err error) {
|
func (n *V1ServerSession) ProcessAuthenticateMessage(am *messages.Authenticate) (err error) {
|
||||||
n.authenticateMessage = am
|
n.authenticateMessage = am
|
||||||
n.negotiateFlags = am.NegotiateFlags
|
n.negotiateFlags = am.NegotiateFlags
|
||||||
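Review bot: `GetSessionData` returns `&n.SessionData`, the address of the embedded struct, so callers receive an alias of the session's own key fields rather than a snapshot: a caller that writes through the pointer changes what Mac and VerifyMac use, and a caller that retains it would see later key assignments from calculateKeys. The same applies to the V2ServerSession version added in a later hunk. The method is exported but has no doc comment, which Go convention expects; I would add `// GetSessionData returns a pointer to the live session state, including its signing and sealing keys; the caller must not modify it.` above both definitions. Note that the name keeps the Get prefix because a method named SessionData would collide with the embedded field of that name, which is worth a short remark in the comment.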
@ -218,11 +222,11 @@ func (n *V1ServerSession) ProcessAuthenticateMessage(am *messages.Authenticate)
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
n.clientHandle, err = rc4Init(n.clientSealingKey)
|
n.clientHandle, err = rc4Init(n.ClientSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
n.serverHandle, err = rc4Init(n.serverSealingKey)
|
n.serverHandle, err = rc4Init(n.ServerSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -311,11 +315,11 @@ func (n *V1ClientSession) ProcessChallengeMessage(cm *messages.Challenge) (err e
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
n.clientHandle, err = rc4Init(n.clientSealingKey)
|
n.clientHandle, err = rc4Init(n.ClientSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
n.serverHandle, err = rc4Init(n.serverSealingKey)
|
n.serverHandle, err = rc4Init(n.ServerSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -203,6 +203,6 @@ func TestNTLMv1WithClientChallenge(t *testing.T) {
|
|||||||
t.Errorf("Could not process authenticate message: %s", err)
|
t.Errorf("Could not process authenticate message: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
checkV1Value(t, "SealKey", server.clientSealingKey, "04dd7f014d8504d265a25cc86a3a7c06", nil)
|
checkV1Value(t, "SealKey", server.ClientSealingKey, "04dd7f014d8504d265a25cc86a3a7c06", nil)
|
||||||
checkV1Value(t, "SignKey", server.clientSigningKey, "60e799be5c72fc92922ae8ebe961fb8d", nil)
|
checkV1Value(t, "SignKey", server.ClientSigningKey, "60e799be5c72fc92922ae8ebe961fb8d", nil)
|
||||||
}
|
}
|
||||||
|
@ -46,6 +46,10 @@ func (n *V2Session) fetchResponseKeys() (err error) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (n *V2ServerSession) GetSessionData() *SessionData {
|
||||||
|
return &n.SessionData
|
||||||
|
}
|
||||||
|
|
||||||
// Define ComputeResponse(NegFlg, ResponseKeyNT, ResponseKeyLM, CHALLENGE_MESSAGE.ServerChallenge, ClientChallenge, Time, ServerName)
|
// Define ComputeResponse(NegFlg, ResponseKeyNT, ResponseKeyLM, CHALLENGE_MESSAGE.ServerChallenge, ClientChallenge, Time, ServerName)
|
||||||
// ServerNameBytes - The NtChallengeResponseFields.NTLMv2_RESPONSE.NTLMv2_CLIENT_CHALLENGE.AvPairs field structure of the AUTHENTICATE_MESSAGE payload.
|
// ServerNameBytes - The NtChallengeResponseFields.NTLMv2_RESPONSE.NTLMv2_CLIENT_CHALLENGE.AvPairs field structure of the AUTHENTICATE_MESSAGE payload.
|
||||||
func (n *V2Session) computeExpectedResponses(timestamp []byte, avPairBytes []byte) (err error) {
|
func (n *V2Session) computeExpectedResponses(timestamp []byte, avPairBytes []byte) (err error) {
|
||||||
@ -71,10 +75,10 @@ func (n *V2Session) calculateKeys(ntlmRevisionCurrent uint8) (err error) {
|
|||||||
n.negotiateFlags = messages.NTLMSSP_NEGOTIATE_LM_KEY.Set(n.negotiateFlags)
|
n.negotiateFlags = messages.NTLMSSP_NEGOTIATE_LM_KEY.Set(n.negotiateFlags)
|
||||||
}
|
}
|
||||||
|
|
||||||
n.clientSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
n.ClientSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
||||||
n.serverSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
n.ServerSigningKey = signKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
||||||
n.clientSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
n.ClientSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Client")
|
||||||
n.serverSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
n.ServerSealingKey = sealKey(n.negotiateFlags, n.exportedSessionKey, "Server")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -90,7 +94,7 @@ func ntlmV2Mac(message []byte, sequenceNumber int, handle *rc4P.Cipher, sealingK
|
|||||||
if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) && messages.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.IsSet(negotiateFlags) {
|
if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) && messages.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.IsSet(negotiateFlags) {
|
||||||
handle, _ = reinitSealingKey(sealingKey, sequenceNumber)
|
handle, _ = reinitSealingKey(sealingKey, sequenceNumber)
|
||||||
} else if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) {
|
} else if messages.NTLMSSP_NEGOTIATE_DATAGRAM.IsSet(negotiateFlags) {
|
||||||
// CONOR: Reinitializing the rc4 cipher on every requst, but not using the
|
// CONOR: Reinitializing the rc4 cipher on every requst, but not using the
|
||||||
// algorithm as described in the MS-NTLM document. Just reinitialize it directly.
|
// algorithm as described in the MS-NTLM document. Just reinitialize it directly.
|
||||||
handle, _ = rc4Init(sealingKey)
|
handle, _ = rc4Init(sealingKey)
|
||||||
}
|
}
|
||||||
@ -99,22 +103,22 @@ func ntlmV2Mac(message []byte, sequenceNumber int, handle *rc4P.Cipher, sealingK
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (n *V2ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
func (n *V2ServerSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
||||||
mac := ntlmV2Mac(message, sequenceNumber, n.serverHandle, n.serverSealingKey, n.serverSigningKey, n.negotiateFlags)
|
mac := ntlmV2Mac(message, sequenceNumber, n.serverHandle, n.ServerSealingKey, n.ServerSigningKey, n.negotiateFlags)
|
||||||
return mac, nil
|
return mac, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *V2ServerSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
func (n *V2ServerSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
||||||
mac := ntlmV2Mac(message, sequenceNumber, n.clientHandle, n.clientSealingKey, n.clientSigningKey, n.negotiateFlags)
|
mac := ntlmV2Mac(message, sequenceNumber, n.clientHandle, n.ClientSealingKey, n.ClientSigningKey, n.negotiateFlags)
|
||||||
return macsEqual(mac, expectedMac), nil
|
return macsEqual(mac, expectedMac), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *V2ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
func (n *V2ClientSession) Mac(message []byte, sequenceNumber int) ([]byte, error) {
|
||||||
mac := ntlmV2Mac(message, sequenceNumber, n.clientHandle, n.clientSealingKey, n.clientSigningKey, n.negotiateFlags)
|
mac := ntlmV2Mac(message, sequenceNumber, n.clientHandle, n.ClientSealingKey, n.ClientSigningKey, n.negotiateFlags)
|
||||||
return mac, nil
|
return mac, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (n *V2ClientSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
func (n *V2ClientSession) VerifyMac(message, expectedMac []byte, sequenceNumber int) (bool, error) {
|
||||||
mac := ntlmV2Mac(message, sequenceNumber, n.serverHandle, n.serverSealingKey, n.serverSigningKey, n.negotiateFlags)
|
mac := ntlmV2Mac(message, sequenceNumber, n.serverHandle, n.ServerSealingKey, n.ServerSigningKey, n.negotiateFlags)
|
||||||
return macsEqual(mac, expectedMac), nil
|
return macsEqual(mac, expectedMac), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -224,11 +228,11 @@ func (n *V2ServerSession) ProcessAuthenticateMessage(am *messages.Authenticate)
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
n.clientHandle, err = rc4Init(n.clientSealingKey)
|
n.clientHandle, err = rc4Init(n.ClientSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
n.serverHandle, err = rc4Init(n.serverSealingKey)
|
n.serverHandle, err = rc4Init(n.ServerSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -313,11 +317,11 @@ func (n *V2ClientSession) ProcessChallengeMessage(cm *messages.Challenge) (err e
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
n.clientHandle, err = rc4Init(n.clientSealingKey)
|
n.clientHandle, err = rc4Init(n.ClientSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
n.serverHandle, err = rc4Init(n.serverSealingKey)
|
n.serverHandle, err = rc4Init(n.ServerSealingKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -113,8 +113,8 @@ func TestNTLMv2(t *testing.T) {
|
|||||||
checkV2Value(t, "NTChallengeResponse", server.ntChallengeResponse[0:16], "68cd0ab851e51c96aabc927bebef6a1c", nil)
|
checkV2Value(t, "NTChallengeResponse", server.ntChallengeResponse[0:16], "68cd0ab851e51c96aabc927bebef6a1c", nil)
|
||||||
checkV2Value(t, "LMChallengeResponse", server.lmChallengeResponse, "86c35097ac9cec102554764a57cccc19aaaaaaaaaaaaaaaa", nil)
|
checkV2Value(t, "LMChallengeResponse", server.lmChallengeResponse, "86c35097ac9cec102554764a57cccc19aaaaaaaaaaaaaaaa", nil)
|
||||||
|
|
||||||
checkV2Value(t, "client seal key", server.clientSealingKey, "59f600973cc4960a25480a7c196e4c58", nil)
|
checkV2Value(t, "client seal key", server.ClientSealingKey, "59f600973cc4960a25480a7c196e4c58", nil)
|
||||||
checkV2Value(t, "client signing key", server.clientSigningKey, "4788dc861b4782f35d43fd98fe1a2d39", nil)
|
checkV2Value(t, "client signing key", server.ClientSigningKey, "4788dc861b4782f35d43fd98fe1a2d39", nil)
|
||||||
|
|
||||||
// Have the server generate an initial challenge message
|
// Have the server generate an initial challenge message
|
||||||
challenge, err := server.GenerateChallengeMessage()
|
challenge, err := server.GenerateChallengeMessage()
|
||||||
|