From d876a22732d83ddf8e37ead89e6f23bf7aa0d69c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 29 Oct 2013 12:19:01 +0100
Subject: Remove generation and handling of LM hashes

https://fedorahosted.org/freeipa/ticket/3795
---
 util/ipa_pwd.h      |  11 +--
 util/ipa_pwd_ntlm.c | 210 +++++++++++++---------------------------------------
 2 files changed, 52 insertions(+), 169 deletions(-)

(limited to 'util')

diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index a6990cac6..bc07549cc 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -74,15 +74,6 @@ int ipapwd_generate_new_history(char *password,
                                 char ***new_pwd_history,
                                 int *new_pwd_hlen);
 
-struct ntlm_keys {
-    uint8_t lm[16];
-    uint8_t nt[16];
-};
-
-int encode_ntlm_keys(char *newPasswd,
-                     char *upperPasswd,
-                     bool do_lm_hash,
-                     bool do_nt_hash,
-                     struct ntlm_keys *keys);
+int encode_nt_key(char *newPasswd, uint8_t *nt_key);
 
 #endif
diff --git a/util/ipa_pwd_ntlm.c b/util/ipa_pwd_ntlm.c
index a3399b58e..8ffa66660 100644
--- a/util/ipa_pwd_ntlm.c
+++ b/util/ipa_pwd_ntlm.c
@@ -32,178 +32,70 @@
 #define KTF_UTF8 "UTF-8"
 #define KTF_UCS2 "UCS-2LE"
 
-static const uint8_t parity_table[128] = {
-      1,  2,  4,  7,  8, 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31,
-     32, 35, 37, 38, 41, 42, 44, 47, 49, 50, 52, 55, 56, 59, 61, 62,
-     64, 67, 69, 70, 73, 74, 76, 79, 81, 82, 84, 87, 88, 91, 93, 94,
-     97, 98,100,103,104,107,109,110,112,115,117,118,121,122,124,127,
-    128,131,133,134,137,138,140,143,145,146,148,151,152,155,157,158,
-    161,162,164,167,168,171,173,174,176,179,181,182,185,186,188,191,
-    193,194,196,199,200,203,205,206,208,211,213,214,217,218,220,223,
-    224,227,229,230,233,234,236,239,241,242,244,247,248,251,253,254
-};
-
-static void lm_shuffle(uint8_t *out, uint8_t *in)
-{
-    out[0] = parity_table[in[0]>>1];
-    out[1] = parity_table[((in[0]<<6)|(in[1]>>2)) & 0x7F];
-    out[2] = parity_table[((in[1]<<5)|(in[2]>>3)) & 0x7F];
-    out[3] = parity_table[((in[2]<<4)|(in[3]>>4)) & 0x7F];
-    out[4] = parity_table[((in[3]<<3)|(in[4]>>5)) & 0x7F];
-    out[5] = parity_table[((in[4]<<2)|(in[5]>>6)) & 0x7F];
-    out[6] = parity_table[((in[5]<<1)|(in[6]>>7)) & 0x7F];
-    out[7] = parity_table[in[6] & 0x7F];
-}
-
-/* create the lm and nt hashes
+/* create the nt hash
    newPassword: the clear text utf8 password
-   upperPasswd: upper case version of clear text utf8 password
-   do_lm_hash: determine if LM hash is generated
-   do_nt_hash: determine if NT hash is generated
-   keys[out]: array with generated hashes
+   nt_key[out]: array with generated hash
 */
-int encode_ntlm_keys(char *newPasswd,
-                     char *upperPasswd,
-                     bool do_lm_hash,
-                     bool do_nt_hash,
-                     struct ntlm_keys *keys)
+int encode_nt_key(char *newPasswd, uint8_t *nt_key)
 {
     int ret = 0;
+    iconv_t cd;
+    size_t cs, il, ol, sl;
+    char *inc, *outc;
+    char *ucs2Passwd;
+    MD4_CTX md4ctx;
+
+    /* TODO: must store the dos charset somewhere in the directory */
+    cd = iconv_open(KTF_UCS2, KTF_UTF8);
+    if (cd == (iconv_t)(-1)) {
+        ret = -1;
+        goto done;
+    }
 
-    /* do lanman first */
-    if (do_lm_hash) {
-        iconv_t cd;
-        size_t cs, il, ol;
-        char *inc, *outc;
-        char *asciiPasswd;
-        DES_key_schedule schedule;
-        DES_cblock deskey;
-        DES_cblock magic = "KGS!@#$%";
-
-        if (upperPasswd == NULL) {
-            ret = -1;
-            goto done;
-        }
-        il = strlen(upperPasswd);
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_DOS_CHARSET, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        /* an ascii string can only be smaller than or equal to an utf8 one */
-        ol = il;
-        if (ol < 14) ol = 14;
-        asciiPasswd = calloc(ol+1, 1);
-        if (!asciiPasswd) {
-            iconv_close(cd);
-            ret = -1;
-            goto done;
-        }
-
-        inc = upperPasswd;
-        outc = asciiPasswd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(asciiPasswd);
-            iconv_close(cd);
-            goto done;
-        }
+    il = strlen(newPasswd);
 
-        /* done with these */
+    /* an ucs2 string can be at most double than an utf8 one */
+    sl = ol = (il+1)*2;
+    ucs2Passwd = calloc(ol, 1);
+    if (!ucs2Passwd) {
+        ret = -1;
         iconv_close(cd);
-
-        /* we are interested only in the first 14 ASCII chars for lanman */
-        if (strlen(asciiPasswd) > 14) {
-            asciiPasswd[14] = '\0';
-        }
-
-        /* first half */
-        lm_shuffle(deskey, (uint8_t *)asciiPasswd);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)keys->lm,
-                        &schedule, DES_ENCRYPT);
-
-        /* second half */
-        lm_shuffle(deskey, (uint8_t *)&asciiPasswd[7]);
-
-        DES_set_key_unchecked(&deskey, &schedule);
-        DES_ecb_encrypt(&magic, (DES_cblock *)&(keys->lm[8]),
-                        &schedule, DES_ENCRYPT);
-
-        /* done with it */
-        free(asciiPasswd);
-
-    } else {
-        memset(keys->lm, 0, 16);
+        goto done;
     }
 
-    if (do_nt_hash) {
-        iconv_t cd;
-        size_t cs, il, ol, sl;
-        char *inc, *outc;
-        char *ucs2Passwd;
-        MD4_CTX md4ctx;
-
-        /* TODO: must store the dos charset somewhere in the directory */
-        cd = iconv_open(KTF_UCS2, KTF_UTF8);
-        if (cd == (iconv_t)(-1)) {
-            ret = -1;
-            goto done;
-        }
-
-        il = strlen(newPasswd);
-
-        /* an ucs2 string can be at most double than an utf8 one */
-        sl = ol = (il+1)*2;
-        ucs2Passwd = calloc(ol, 1);
-        if (!ucs2Passwd) {
-            ret = -1;
-            iconv_close(cd);
-            goto done;
-        }
-
-        inc = newPasswd;
-        outc = ucs2Passwd;
-        cs = iconv(cd, &inc, &il, &outc, &ol);
-        if (cs == -1) {
-            ret = -1;
-            free(ucs2Passwd);
-            iconv_close(cd);
-            goto done;
-        }
-
-        /* done with it */
+    inc = newPasswd;
+    outc = ucs2Passwd;
+    cs = iconv(cd, &inc, &il, &outc, &ol);
+    if (cs == -1) {
+        ret = -1;
+        free(ucs2Passwd);
         iconv_close(cd);
+        goto done;
+    }
 
-        /* get the final ucs2 string length */
-        sl -= ol;
+    /* done with it */
+    iconv_close(cd);
 
-        ret = MD4_Init(&md4ctx);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
-        ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
-        ret = MD4_Final(keys->nt, &md4ctx);
-        if (ret == 0) {
-            ret = -1;
-            free(ucs2Passwd);
-            goto done;
-        }
+    /* get the final ucs2 string length */
+    sl -= ol;
 
-    } else {
-        memset(keys->nt, 0, 16);
+    ret = MD4_Init(&md4ctx);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
+    }
+    ret = MD4_Update(&md4ctx, ucs2Passwd, sl);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
+    }
+    ret = MD4_Final(nt_key, &md4ctx);
+    if (ret == 0) {
+        ret = -1;
+        free(ucs2Passwd);
+        goto done;
     }
 
     ret = 0;
-- 
cgit