def __init__(self, negotiate_flags, exported_session_key, source="client"):
"""
Initialises a security session context that can be used by libraries
that call ntlm-auth to sign and seal messages send to the server as
well as verify and unseal messages that have been received from the
server. This is similar to the GSS_Wrap functions specified in the
MS-NLMP document which does the same task.
:param negotiate_flags: The negotiate flag structure that has been
negotiated with the server
:param exported_session_key: A 128-bit session key used to derive
signing and sealing keys
:param source: The source of the message, only used in test scenarios
when testing out a server sealing and unsealing
"""
self.negotiate_flags = negotiate_flags
self.exported_session_key = exported_session_key
self.outgoing_seq_num = 0
self.incoming_seq_num = 0
client_sealing_key = \
compkeys.get_seal_key(self.negotiate_flags, exported_session_key,
SignSealConstants.CLIENT_SEALING)
server_sealing_key = \
compkeys.get_seal_key(self.negotiate_flags, exported_session_key,
SignSealConstants.SERVER_SEALING)
if source == "client":
self.outgoing_signing_key = \
compkeys.get_sign_key(exported_session_key,
SignSealConstants.CLIENT_SIGNING)
self.incoming_signing_key = \
compkeys.get_sign_key(exported_session_key,
SignSealConstants.SERVER_SIGNING)
self.outgoing_handle = ARC4(client_sealing_key)
self.incoming_handle = ARC4(server_sealing_key)
elif source == "server":
self.outgoing_signing_key = \
compkeys.get_sign_key(exported_session_key,
SignSealConstants.SERVER_SIGNING)
self.incoming_signing_key = \
compkeys.get_sign_key(exported_session_key,
SignSealConstants.CLIENT_SIGNING)
self.outgoing_handle = ARC4(server_sealing_key)
self.incoming_handle = ARC4(client_sealing_key)
else:
raise ValueError("Invalid source parameter %s, must be client "
"or server" % source)
def test_get_seal_key_ntlm2_128(self):
test_flags = 3800728115
expected = b"\x59\xf6\x00\x97\x3c\xc4\x96\x0a" \
b"\x25\x48\x0a\x7c\x19\x6e\x4c\x58"
exported_session_key = b"\x55" * 16
actual = compute_keys.get_seal_key(test_flags, exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_no_flag(self):
test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \
NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL
expected = b"\x55" * 16
exported_session_key = expected
actual = compute_keys.get_seal_key(test_flags, exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_ntlm2_128(self):
test_flags = ntlmv2_negotiate_flags
test_exported_session_key = session_base_key
expected = ntlmv2_seal_key
actual = compkeys.get_seal_key(test_flags, test_exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def __init__(self, negotiate_flags, exported_session_key, source="client"):
self.negotiate_flags = negotiate_flags
self.outgoing_seq_num = 0
self.incoming_seq_num = 0
client_sealing_key = compkeys.get_seal_key(self.negotiate_flags, exported_session_key, SignSealConstants.CLIENT_SEALING)
server_sealing_key = compkeys.get_seal_key(self.negotiate_flags, exported_session_key, SignSealConstants.SERVER_SEALING)
if source == "client":
self.outgoing_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.CLIENT_SIGNING)
self.incoming_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.SERVER_SIGNING)
self.outgoing_handle = ARC4(client_sealing_key)
self.incoming_handle = ARC4(server_sealing_key)
elif source == "server":
self.outgoing_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.SERVER_SIGNING)
self.incoming_signing_key = compkeys.get_sign_key(exported_session_key, SignSealConstants.CLIENT_SIGNING)
self.outgoing_handle = ARC4(server_sealing_key)
self.incoming_handle = ARC4(client_sealing_key)
else:
raise Exception("Invalid source parameter %s, must be client or server" % source)
def test_get_seal_key_ntlm1_40(self):
test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \
NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \
NegotiateFlags.NTLMSSP_NEGOTIATE_LM_KEY
# Not in document, custom test
expected = b"\x55\x55\x55\x55\x55\xe5\x38\xb0"
exported_session_key = b"\x55" * 16
actual = compute_keys.get_seal_key(test_flags, exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_no_flag(self):
test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \
NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL
test_exported_session_key = session_base_key
expected = session_base_key
actual = compkeys.get_seal_key(test_flags, test_exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_ntlm2_56(self):
test_flags = ntlmv1_with_ess_negotiate_flags
test_session_base_key = ntlmv1_with_ess_session_base_key
test_exported_session_key = compkeys._get_exchange_key_ntlm_v1(
test_flags, test_session_base_key, server_challenge,
ntlmv1_with_ess_lmv1_response, ntlmv1_with_ess_lmowfv1)
expected = ntlmv1_with_ess_seal_key
actual = compkeys.get_seal_key(test_flags, test_exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_ntlm1_40(self):
test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \
NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \
NegotiateFlags.NTLMSSP_NEGOTIATE_LM_KEY
test_exported_session_key = session_base_key
# Not in document, custom test
expected = HexToByte('55 55 55 55 55 e5 38 b0')
actual = compkeys.get_seal_key(test_flags, test_exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_ntlm2_40(self):
test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \
NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \
NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
test_session_base_key = ntlmv1_with_ess_session_base_key
test_exported_session_key = compkeys._get_exchange_key_ntlm_v1(
test_flags, test_session_base_key, server_challenge,
ntlmv1_with_ess_lmv1_response, ntlmv1_with_ess_lmowfv1)
# Not in document, custom test
expected = HexToByte('26 b2 c1 e7 7b e4 53 3d 55 5a 22 0a 0f de b9 6c')
actual = compkeys.get_seal_key(test_flags, test_exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_ntlm2_56(self):
test_flags = 2181726771
expected = b"\x04\xdd\x7f\x01\x4d\x85\x04\xd2" \
b"\x65\xa2\x5c\xc8\x6a\x3a\x7c\x06"
session_base_key = b"\xd8\x72\x62\xb0\xcd\xe4\xb1\xcb" \
b"\x74\x99\xbe\xcc\xcd\xf1\x07\x84"
server_challenge = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
lm_challenge_response = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
b"\x00\x00\x00\x00\x00\x00\x00\x00" \
b"\x00\x00\x00\x00\x00\x00\x00\x00"
lm_hash = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
b"\x00\x00\x00\x00\x00\x00\x00\x00"
exported_session_key = compute_keys._get_exchange_key_ntlm_v1(
test_flags, session_base_key, server_challenge,
lm_challenge_response, lm_hash)
actual = compute_keys.get_seal_key(test_flags, exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
def test_get_seal_key_ntlm2_40(self):
test_flags = NegotiateFlags.NTLMSSP_NEGOTIATE_SIGN | \
NegotiateFlags.NTLMSSP_NEGOTIATE_SEAL | \
NegotiateFlags.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
# Not in document, custom test
expected = b"\x26\xb2\xc1\xe7\x7b\xe4\x53\x3d" \
b"\x55\x5a\x22\x0a\x0f\xde\xb9\x6c"
session_base_key = b"\xd8\x72\x62\xb0\xcd\xe4\xb1\xcb" \
b"\x74\x99\xbe\xcc\xcd\xf1\x07\x84"
server_challenge = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
lm_challenge_response = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
b"\x00\x00\x00\x00\x00\x00\x00\x00" \
b"\x00\x00\x00\x00\x00\x00\x00\x00"
lm_hash = b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" \
b"\x00\x00\x00\x00\x00\x00\x00\x00"
exported_session_key = compute_keys._get_exchange_key_ntlm_v1(
test_flags, session_base_key, server_challenge,
lm_challenge_response, lm_hash)
actual = compute_keys.get_seal_key(test_flags, exported_session_key,
SignSealConstants.CLIENT_SEALING)
assert actual == expected
