diff options
Diffstat (limited to 'source/libsmb/smbencrypt.c')
| -rw-r--r-- | source/libsmb/smbencrypt.c | 369 |
1 files changed, 140 insertions, 229 deletions
diff --git a/source/libsmb/smbencrypt.c b/source/libsmb/smbencrypt.c index db265c4bf7c..9d862444e0e 100644 --- a/source/libsmb/smbencrypt.c +++ b/source/libsmb/smbencrypt.c @@ -1,10 +1,9 @@ /* - Unix SMB/CIFS implementation. + Unix SMB/Netbios implementation. + Version 1.9. SMB parameters and setup Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995. - Copyright (C) Jeremy Allison 1995-2000. - Copyright (C) Luke Kennethc Casson Leighton 1996-2000. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,164 +21,104 @@ */ #include "includes.h" + #include "byteorder.h" /* This implements the X/Open SMB password encryption - It takes a password ('unix' string), a 8 byte "crypt key" - and puts 24 bytes of encrypted password into p24 */ -void SMBencrypt(const char *passwd, const uchar *c8, uchar p24[24]) + It takes a password, a 8 byte "crypt key" and puts 24 bytes of + encrypted password into p24 */ +void SMBencrypt(const uchar *passwd, uchar *c8, uchar *p24) { - uchar p21[21]; + uchar p14[15], p21[21]; memset(p21,'\0',21); - E_deshash(passwd, p21); + memset(p14,'\0',14); + StrnCpy((char *)p14,(const char *)passwd,14); + + strupper((char *)p14); + E_P16(p14, p21); SMBOWFencrypt(p21, c8, p24); #ifdef DEBUG_PASSWORD DEBUG(100,("SMBencrypt: lm#, challenge, response\n")); dump_data(100, (char *)p21, 16); - dump_data(100, (const char *)c8, 8); + dump_data(100, (char *)c8, 8); dump_data(100, (char *)p24, 24); #endif } -/** +/* * Creates the MD4 Hash of the users password in NT UNICODE. - * @param passwd password in 'unix' charset. - * @param p16 return password hashed with md4, caller allocated 16 byte buffer */ -void E_md4hash(const char *passwd, uchar p16[16]) +void E_md4hash(const uchar *passwd, uchar *p16) { int len; - smb_ucs2_t wpwd[129]; + int16 wpwd[129]; + /* Password cannot be longer than 128 characters */ + len = strlen((const char *)passwd); + if(len > 128) + len = 128; /* Password must be converted to NT unicode - null terminated. */ - push_ucs2(NULL, wpwd, (const char *)passwd, 256, STR_UNICODE|STR_NOALIGN|STR_TERMINATE); + dos_struni2((char *)wpwd, (const char *)passwd, 256); /* Calculate length in bytes */ - len = strlen_w(wpwd) * sizeof(int16); + len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16); mdfour(p16, (unsigned char *)wpwd, len); - ZERO_STRUCT(wpwd); } -/** - * Creates the DES forward-only Hash of the users password in DOS ASCII charset - * @param passwd password in 'unix' charset. - * @param p16 return password hashed with DES, caller allocated 16 byte buffer - */ - -void E_deshash(const char *passwd, uchar p16[16]) +/* Does both the NT and LM owfs of a user's password */ +void nt_lm_owf_gen(char *pwd, uchar nt_p16[16], uchar p16[16]) { - uchar dospwd[15]; /* Password must not be > 14 chars long. */ - ZERO_STRUCT(dospwd); - ZERO_STRUCTP(p16); - - /* Password must be converted to DOS charset - null terminated, uppercase. */ - push_ascii(dospwd, (const char *)passwd, sizeof(dospwd), STR_UPPER|STR_TERMINATE); + char passwd[514]; - E_P16(dospwd, p16); + memset(passwd,'\0',514); + safe_strcpy( passwd, pwd, sizeof(passwd)-1); - ZERO_STRUCT(dospwd); -} - -/** - * Creates the MD4 and DES (LM) Hash of the users password. - * MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password. - * @param passwd password in 'unix' charset. - * @param nt_p16 return password hashed with md4, caller allocated 16 byte buffer - * @param p16 return password hashed with des, caller allocated 16 byte buffer - */ - -/* Does both the NT and LM owfs of a user's password */ -void nt_lm_owf_gen(const char *pwd, uchar nt_p16[16], uchar p16[16]) -{ /* Calculate the MD4 hash (NT compatible) of the password */ memset(nt_p16, '\0', 16); - E_md4hash(pwd, nt_p16); + E_md4hash((uchar *)passwd, nt_p16); #ifdef DEBUG_PASSWORD DEBUG(100,("nt_lm_owf_gen: pwd, nt#\n")); - dump_data(120, pwd, strlen(pwd)); + dump_data(120, passwd, strlen(passwd)); dump_data(100, (char *)nt_p16, 16); #endif - E_deshash(pwd, (uchar *)p16); - -#ifdef DEBUG_PASSWORD - DEBUG(100,("nt_lm_owf_gen: pwd, lm#\n")); - dump_data(120, pwd, strlen(pwd)); - dump_data(100, (char *)p16, 16); -#endif -} - -/* Does both the NTLMv2 owfs of a user's password */ -BOOL ntv2_owf_gen(const uchar owf[16], - const char *user_in, const char *domain_in, uchar kr_buf[16]) -{ - smb_ucs2_t *user; - smb_ucs2_t *domain; - - int user_byte_len; - int domain_byte_len; - - HMACMD5Context ctx; - - user_byte_len = push_ucs2_allocate(&user, user_in); - if (user_byte_len < 0) { - DEBUG(0, ("push_uss2_allocate() for user returned %d (probably malloc() failure)\n", user_byte_len)); - return False; - } + /* Mangle the passwords into Lanman format */ + passwd[14] = '\0'; + strupper(passwd); - domain_byte_len = push_ucs2_allocate(&domain, domain_in); - if (domain_byte_len < 0) { - DEBUG(0, ("push_uss2_allocate() for domain returned %d (probably malloc() failure)\n", user_byte_len)); - return False; - } - - strupper_w(user); - strupper_w(domain); - - /* We don't want null termination */ - user_byte_len = user_byte_len - 2; - domain_byte_len = domain_byte_len - 2; - - SMB_ASSERT(user_byte_len >= 0); - SMB_ASSERT(domain_byte_len >= 0); + /* Calculate the SMB (lanman) hash functions of the password */ - hmac_md5_init_limK_to_64(owf, 16, &ctx); - hmac_md5_update((const unsigned char *)user, user_byte_len, &ctx); - hmac_md5_update((const unsigned char *)domain, domain_byte_len, &ctx); - hmac_md5_final(kr_buf, &ctx); + memset(p16, '\0', 16); + E_P16((uchar *) passwd, (uchar *)p16); #ifdef DEBUG_PASSWORD - DEBUG(100, ("ntv2_owf_gen: user, domain, owfkey, kr\n")); - dump_data(100, (const char *)user, user_byte_len); - dump_data(100, (const char *)domain, domain_byte_len); - dump_data(100, owf, 16); - dump_data(100, kr_buf, 16); + DEBUG(100,("nt_lm_owf_gen: pwd, lm#\n")); + dump_data(120, passwd, strlen(passwd)); + dump_data(100, (char *)p16, 16); #endif - - SAFE_FREE(user); - SAFE_FREE(domain); - return True; + /* clear out local copy of user's password (just being paranoid). */ + memset(passwd, '\0', sizeof(passwd)); } /* Does the des encryption from the NT or LM MD4 hash. */ -void SMBOWFencrypt(const uchar passwd[16], const uchar *c8, uchar p24[24]) +void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]) { uchar p21[21]; - - ZERO_STRUCT(p21); + + memset(p21,'\0',21); memcpy(p21, passwd, 16); E_P24(p21, c8, p24); } /* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */ -void NTLMSSPOWFencrypt(const uchar passwd[8], const uchar *ntlmchalresp, uchar p24[24]) +void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]) { uchar p21[21]; @@ -191,7 +130,7 @@ void NTLMSSPOWFencrypt(const uchar passwd[8], const uchar *ntlmchalresp, uchar p #ifdef DEBUG_PASSWORD DEBUG(100,("NTLMSSPOWFencrypt: p21, c8, p24\n")); dump_data(100, (char *)p21, 21); - dump_data(100, (const char *)ntlmchalresp, 8); + dump_data(100, (char *)ntlmchalresp, 8); dump_data(100, (char *)p24, 24); #endif } @@ -199,7 +138,7 @@ void NTLMSSPOWFencrypt(const uchar passwd[8], const uchar *ntlmchalresp, uchar p /* Does the NT MD4 hash then des encryption. */ -void SMBNTencrypt(const char *passwd, uchar *c8, uchar *p24) +void SMBNTencrypt(const uchar *passwd, uchar *c8, uchar *p24) { uchar p21[21]; @@ -233,8 +172,16 @@ BOOL make_oem_passwd_hash(char data[516], const char *passwd, uchar old_pw_hash[ * decrypt. JRA. */ generate_random_buffer((unsigned char *)data, 516, False); - push_string(NULL, &data[512 - new_pw_len], passwd, new_pw_len, - STR_NOALIGN | (unicode?STR_UNICODE:STR_ASCII)); + if (unicode) + { + /* Note that passwd should be in DOS oem character set. */ + dos_struni2( &data[512 - new_pw_len], passwd, 512); + } + else + { + /* Note that passwd should be in DOS oem character set. */ + fstrcpy( &data[512 - new_pw_len], passwd); + } SIVAL(data, 512, new_pw_len); #ifdef DEBUG_PASSWORD @@ -246,81 +193,48 @@ BOOL make_oem_passwd_hash(char data[516], const char *passwd, uchar old_pw_hash[ return True; } -/* Does the md5 encryption from the NT hash for NTLMv2. */ -void SMBOWFencrypt_ntv2(const uchar kr[16], - const DATA_BLOB srv_chal, - const DATA_BLOB cli_chal, - uchar resp_buf[16]) -{ - HMACMD5Context ctx; - - hmac_md5_init_limK_to_64(kr, 16, &ctx); - hmac_md5_update(srv_chal.data, srv_chal.length, &ctx); - hmac_md5_update(cli_chal.data, cli_chal.length, &ctx); - hmac_md5_final(resp_buf, &ctx); - -#ifdef DEBUG_PASSWORD - DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, cli_chal, resp_buf\n")); - dump_data(100, srv_chal.data, srv_chal.length); - dump_data(100, cli_chal.data, cli_chal.length); - dump_data(100, resp_buf, 16); -#endif -} - -void SMBsesskeygen_ntv2(const uchar kr[16], - const uchar * nt_resp, uint8 sess_key[16]) -{ - HMACMD5Context ctx; - - hmac_md5_init_limK_to_64(kr, 16, &ctx); - hmac_md5_update(nt_resp, 16, &ctx); - hmac_md5_final((unsigned char *)sess_key, &ctx); - -#ifdef DEBUG_PASSWORD - DEBUG(100, ("SMBsesskeygen_ntv2:\n")); - dump_data(100, sess_key, 16); -#endif -} - -void SMBsesskeygen_ntv1(const uchar kr[16], - const uchar * nt_resp, uint8 sess_key[16]) -{ - mdfour((unsigned char *)sess_key, kr, 16); - -#ifdef DEBUG_PASSWORD - DEBUG(100, ("SMBsesskeygen_ntv1:\n")); - dump_data(100, sess_key, 16); -#endif -} - /*********************************************************** - encode a password buffer. The caller gets to figure out - what to put in it. + Encode a password buffer. ************************************************************/ -BOOL encode_pw_buffer(char buffer[516], char *new_pw, int new_pw_length) + +BOOL encode_pw_buffer(char buffer[516], const char *new_pass, + int new_pw_len, BOOL nt_pass_set) { generate_random_buffer((unsigned char *)buffer, 516, True); - memcpy(&buffer[512 - new_pw_length], new_pw, new_pw_length); - - /* + if (new_pw_len < 0 || new_pw_len > 512) + return False; + + if (nt_pass_set) { + new_pw_len *= 2; + dos_struni2(&buffer[512 - new_pw_len], new_pass, 256); + } else { + memcpy(&buffer[512 - new_pw_len], new_pass, new_pw_len); + } + + /* * The length of the new password is in the last 4 bytes of * the data buffer. */ - SIVAL(buffer, 512, new_pw_length); - + SIVAL(buffer, 512, new_pw_len); + return True; } /*********************************************************** decode a password buffer - *new_pw_len is the length in bytes of the possibly mulitbyte - returned password including termination. ************************************************************/ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd, - int new_pwrd_size, uint32 *new_pw_len) + int new_pwrd_size, uint32 *new_pw_len, + uchar nt_p16[16], uchar p16[16]) { + char *pw; + + int uni_pw_len=0; int byte_len=0; + char unicode_passwd[514]; + char lm_ascii_passwd[514]; + char passwd[514]; /* Warning !!! : This function is called from some rpc call. @@ -329,6 +243,13 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd, If you reuse that code somewhere else check first. */ + ZERO_STRUCT(unicode_passwd); + ZERO_STRUCT(lm_ascii_passwd); + ZERO_STRUCT(passwd); + + memset(nt_p16, '\0', 16); + memset(p16, '\0', 16); + /* The length of the new password is in the last 4 bytes of the data buffer. */ byte_len = IVAL(in_buffer, 512); @@ -340,79 +261,69 @@ BOOL decode_pw_buffer(char in_buffer[516], char *new_pwrd, /* Password cannot be longer than 128 characters */ if ( (byte_len < 0) || (byte_len > new_pwrd_size - 1)) { DEBUG(0, ("decode_pw_buffer: incorrect password length (%d).\n", byte_len)); - DEBUG(0, ("decode_pw_buffer: check that 'encrypt passwords = yes'\n")); return False; } + + uni_pw_len = byte_len/2; + pw = dos_unistrn2((uint16 *)(&in_buffer[512 - byte_len]), byte_len); + memcpy(passwd, pw, uni_pw_len); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("nt_lm_owf_gen: passwd: ")); + dump_data(100, (char *)passwd, uni_pw_len); + DEBUG(100,("len:%d\n", uni_pw_len)); +#endif + memcpy(unicode_passwd, &in_buffer[512 - byte_len], byte_len); + + mdfour(nt_p16, (unsigned char *)unicode_passwd, byte_len); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("nt_lm_owf_gen: nt#:")); + dump_data(100, (char *)nt_p16, 16); + DEBUG(100,("\n")); +#endif + + /* Mangle the passwords into Lanman format */ + memcpy(lm_ascii_passwd, passwd, uni_pw_len); + lm_ascii_passwd[14] = '\0'; + strupper(lm_ascii_passwd); - /* decode into the return buffer. Buffer must be a pstring */ - *new_pw_len = pull_string(NULL, new_pwrd, &in_buffer[512 - byte_len], new_pwrd_size, byte_len, STR_UNICODE); + /* Calculate the SMB (lanman) hash functions of the password */ + E_P16((uchar *) lm_ascii_passwd, (uchar *)p16); #ifdef DEBUG_PASSWORD - DEBUG(100,("decode_pw_buffer: new_pwrd: ")); - dump_data(100, (char *)new_pwrd, *new_pw_len); - DEBUG(100,("multibyte len:%d\n", *new_pw_len)); - DEBUG(100,("original char len:%d\n", byte_len/2)); + DEBUG(100,("nt_lm_owf_gen: lm#:")); + dump_data(100, (char *)p16, 16); + DEBUG(100,("\n")); #endif + + /* copy the password and it's length to the return buffer */ + *new_pw_len=uni_pw_len; + memcpy(new_pwrd, passwd, uni_pw_len); + new_pwrd[uni_pw_len]='\0'; + + + /* clear out local copy of user's password (just being paranoid). */ + ZERO_STRUCT(unicode_passwd); + ZERO_STRUCT(lm_ascii_passwd); + ZERO_STRUCT(passwd); return True; -} - -/*********************************************************** - SMB signing - setup the MAC key. -************************************************************/ -void cli_calculate_mac_key(struct cli_state *cli, const char *ntpasswd, const uchar resp[24]) -{ - /* Get first 16 bytes. */ - E_md4hash(ntpasswd,&cli->sign_info.mac_key[0]); - memcpy(&cli->sign_info.mac_key[16],resp,24); - cli->sign_info.mac_key_len = 40; - cli->sign_info.use_smb_signing = True; - - /* These calls are INCONPATIBLE with SMB signing */ - cli->readbraw_supported = False; - cli->writebraw_supported = False; - - /* Reset the sequence number in case we had a previous (aborted) attempt */ - cli->sign_info.send_seq_num = 0; } -/*********************************************************** - SMB signing - calculate a MAC to send. -************************************************************/ - -void cli_caclulate_sign_mac(struct cli_state *cli) +/* Calculate the NT owfs of a user's password */ +void nt_owf_genW(const UNISTR2 *pwd, uchar nt_p16[16]) { - unsigned char calc_md5_mac[16]; - struct MD5Context md5_ctx; - - if (cli->sign_info.temp_smb_signing) { - memcpy(&cli->outbuf[smb_ss_field], "SignRequest", 8); - cli->sign_info.temp_smb_signing = False; - return; - } - - if (!cli->sign_info.use_smb_signing) { - return; - } + char buf[512]; + int i; + + for (i = 0; i < MIN(pwd->uni_str_len, sizeof(buf) / 2); i++) + SIVAL(buf, i * 2, pwd->buffer[i]); - /* - * Firstly put the sequence number into the first 4 bytes. - * and zero out the next 4 bytes. - */ - SIVAL(cli->outbuf, smb_ss_field, cli->sign_info.send_seq_num); - SIVAL(cli->outbuf, smb_ss_field + 4, 0); - - /* Calculate the 16 byte MAC and place first 8 bytes into the field. */ - MD5Init(&md5_ctx); - MD5Update(&md5_ctx, cli->sign_info.mac_key, cli->sign_info.mac_key_len); - MD5Update(&md5_ctx, cli->outbuf + 4, smb_len(cli->outbuf)); - MD5Final(calc_md5_mac, &md5_ctx); - - memcpy(&cli->outbuf[smb_ss_field], calc_md5_mac, 8); -/* cli->outbuf[smb_ss_field+2]=0; - Uncomment this to test if the remote server actually verifies signitures...*/ - cli->sign_info.send_seq_num++; - cli->sign_info.reply_seq_num = cli->sign_info.send_seq_num; - cli->sign_info.send_seq_num++; + /* Calculate the MD4 hash (NT compatible) of the password */ + mdfour(nt_p16, (unsigned char *)buf, pwd->uni_str_len * 2); + + /* clear out local copy of user's password (just being paranoid). */ + ZERO_STRUCT(buf); } |