Fix order of signature vs payload
authorSimo Sorce <simo@redhat.com>
Thu, 7 Aug 2014 14:24:38 +0000 (10:24 -0400)
committerSimo Sorce <simo@redhat.com>
Thu, 7 Aug 2014 14:58:55 +0000 (10:58 -0400)
The code was dead wrong and putting the cart before the horses.
The correct framing is to put the signature first and then the encrypted
payload. We were doing the opposite ... how embarrassing.

A million thanks to David Woodhouse for his persistence in testing and
assisting in finding out the issue.

src/gss_signseal.c
src/ntlm_crypto.c

index 7a7a6732eeac45430c9cbf5293a20262cc15c80a..aaf82183eb56fb857615fd3f6f6c203b68590421 100644 (file)
@@ -160,10 +160,10 @@ uint32_t gssntlm_wrap(uint32_t *minor_status,
 
     message.data = input_message_buffer->value;
     message.length = input_message_buffer->length;
-    output.data = output_message_buffer->value;
-    output.length = input_message_buffer->length;
-    signature.data = &output.data[input_message_buffer->length];
+    signature.data = output_message_buffer->value;
     signature.length = NTLM_SIGNATURE_SIZE;
+    output.data = (uint8_t *)output_message_buffer->value + NTLM_SIGNATURE_SIZE;
+    output.length = input_message_buffer->length;
     retmin = ntlm_seal(ctx->neg_flags, &ctx->crypto_state,
                        &message, &output, &signature);
     if (retmin) {
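Review bot: The new layout writes NTLM_SIGNATURE_SIZE bytes at `output_message_buffer->value` and then `input_message_buffer->length` bytes after it, but nothing in this hunk checks that `output_message_buffer->length` covers both; the allocation presumably happens earlier in gssntlm_wrap, outside the hunk, and should be confirmed to size the buffer as input length plus NTLM_SIGNATURE_SIZE. Since the framing is the whole point of this commit, a comment above the assignments would keep the next reader from re-deriving it, e.g. `/* wrap token layout: [NTLM_SIGNATURE_SIZE bytes signature][sealed payload of input length] */`. gssntlm_wrap starts and continues outside the hunk.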
@@ -214,8 +214,8 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
         return GSS_S_FAILURE;
     }
 
-    message.data = input_message_buffer->value;
-    message.length = input_message_buffer->length;
+    message.data = (uint8_t *)input_message_buffer->value + NTLM_SIGNATURE_SIZE;
+    message.length = input_message_buffer->length - NTLM_SIGNATURE_SIZE;
     output.data = output_message_buffer->value;
     output.length = output_message_buffer->length;
     retmin = ntlm_unseal(ctx->neg_flags, &ctx->crypto_state,
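Review bot: `message.length = input_message_buffer->length - NTLM_SIGNATURE_SIZE;` underflows when the incoming token is shorter than NTLM_SIGNATURE_SIZE, leaving an enormous length that is then handed to ntlm_unseal; the earlier `return GSS_S_FAILURE` at the top of the hunk suggests some validation above, but its condition is outside the view and I cannot tell whether it bounds the input length. Unless that check exists, a guard before the subtraction is needed, e.g. `if (input_message_buffer->length < NTLM_SIGNATURE_SIZE) return GSS_S_DEFECTIVE_TOKEN;`. The same computation also determines how many bytes ntlm_unseal will write into `output`, so the guard protects the output buffer too. gssntlm_unwrap starts before this hunk and continues after it.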
@@ -226,7 +226,7 @@ uint32_t gssntlm_unwrap(uint32_t *minor_status,
         return GSS_S_FAILURE;
     }
 
-    if (memcmp(&message.data[output.length],
+    if (memcmp(input_message_buffer->value,
                signature.data, NTLM_SIGNATURE_SIZE) != 0) {
         safefree(output_message_buffer->value);
         return GSS_S_BAD_SIG;
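Review bot: The signature check on the changed line still uses `memcmp`, whose early exit leaks how many leading bytes of the computed signature matched the received one; for a MAC comparison on peer-supplied data a constant-time comparison is the usual choice (if the OpenSSL backend implied by RC4_UPDATE is in use, `CRYPTO_memcmp` has the same signature and is a drop-in replacement). The change of the first argument to `input_message_buffer->value` is consistent with the new signature-first framing and is not the concern here. gssntlm_unwrap continues outside the hunk.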
index 00ae561ab203952e2b24ef4eb900b4dbee6b20fe..0b72084de54fab824018772316cdf285a1a28aef 100644 (file)
@@ -822,7 +822,6 @@ int ntlm_unseal(uint32_t flags,
                 struct ntlm_buffer *signature)
 {
     struct ntlm_signseal_handle *h;
-    struct ntlm_buffer msg_buffer;
     int ret;
 
     if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
@@ -835,10 +834,7 @@ int ntlm_unseal(uint32_t flags,
         h = &state->recv;
     }
 
-    msg_buffer = *message;
-    msg_buffer.length -= NTLM_SIGNATURE_SIZE;
-
-    ret = RC4_UPDATE(h->seal_handle, &msg_buffer, output);
+    ret = RC4_UPDATE(h->seal_handle, message, output);
     if (ret) return ret;
 
     if (state->ext_sec) {
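Review bot: Passing `message` straight to RC4_UPDATE changes the contract of ntlm_unseal: `message` must now contain only the sealed payload, with the signature already stripped by the caller, where the removed `msg_buffer` code used to trim NTLM_SIGNATURE_SIZE off the end itself. Nothing in the hunk records this, so a caller that still hands in the whole token would silently decrypt the signature bytes as payload. A comment on the `message` parameter of ntlm_unseal (the prototype is above this hunk, in the earlier hunk of the same file) would pin it down, e.g. `/* message: sealed payload only; the NTLM_SIGNATURE_SIZE-byte signature is passed separately and is not part of this buffer */`. ntlm_unseal starts before this hunk and continues after it.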