2 Unix SMB/Netbios implementation.
4 code to manipulate domain credentials
5 Copyright (C) Andrew Tridgell 1997
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 extern int DEBUGLEVEL;
25 /****************************************************************************
26 setup the session key.
27 Input: 8 byte challenge block
28 8 byte server challenge block
29 16 byte md4 encrypted password
32 ****************************************************************************/
33 void cred_session_key(DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal, char *pass,
34 uint32 session_key[2])
37 unsigned char sum2[8];
38 unsigned char netsesskey[8];
40 sum[0] = IVAL(clnt_chal->data, 0) + IVAL(srv_chal->data, 0);
41 sum[1] = IVAL(clnt_chal->data, 4) + IVAL(srv_chal->data, 4);
46 cred_hash1(netsesskey, sum2,(unsigned char *)pass);
48 session_key[0] = IVAL(netsesskey, 0);
49 session_key[1] = IVAL(netsesskey, 4);
52 DEBUG(4,("cred_session_key\n"));
54 DEBUG(5,(" clnt_chal: %lx %lx\n", clnt_chal->data[0], clnt_chal->data[1]));
55 DEBUG(5,(" srv_chal : %lx %lx\n", srv_chal ->data[0], srv_chal ->data[1]));
56 DEBUG(5,(" clnt+srv : %lx %lx\n", sum [0], sum [1]));
57 DEBUG(5,(" sess_key : %lx %lx\n", session_key [0], session_key [1]));
61 /****************************************************************************
66 8 byte stored credential
71 ****************************************************************************/
72 void cred_create(uint32 session_key[2], DOM_CHAL *stor_cred, UTIME timestamp,
76 unsigned char calc_cred[8];
77 unsigned char timecred[8];
78 unsigned char netsesskey[8];
80 SIVAL(netsesskey, 0, session_key[0]);
81 SIVAL(netsesskey, 4, session_key[1]);
83 SIVAL(timecred, 0, IVAL(stor_cred, 0) + timestamp.time);
84 SIVAL(timecred, 4, IVAL(stor_cred, 4));
86 cred_hash2(calc_cred, timecred, netsesskey);
88 cred->data[0] = IVAL(calc_cred, 0);
89 cred->data[1] = IVAL(calc_cred, 4);
91 time_cred.data[0] = IVAL(timecred, 0);
92 time_cred.data[1] = IVAL(timecred, 4);
95 DEBUG(4,("cred_create\n"));
97 DEBUG(5,(" sess_key : %lx %lx\n", session_key [0], session_key [1]));
98 DEBUG(5,(" stor_cred: %lx %lx\n", stor_cred->data[0], stor_cred->data[1]));
99 DEBUG(5,(" timestamp: %lx\n" , timestamp.time));
100 DEBUG(5,(" timecred : %lx %lx\n", time_cred .data[0], time_cred .data[1]));
101 DEBUG(5,(" calc_cred: %lx %lx\n", cred ->data[0], cred ->data[1]));
105 /****************************************************************************
106 check a supplied credential
109 8 byte received credential
111 8 byte stored credential
115 returns 1 if computed credential matches received credential
117 ****************************************************************************/
118 int cred_assert(DOM_CHAL *cred, uint32 session_key[2], DOM_CHAL *stored_cred,
123 cred_create(session_key, stored_cred, timestamp, &cred2);
126 DEBUG(4,("cred_assert\n"));
128 DEBUG(5,(" challenge : %lx %lx\n", cred->data[0], cred->data[1]));
129 DEBUG(5,(" calculated: %lx %lx\n", cred2.data[0], cred2.data[1]));
131 if (memcmp(cred->data, cred2.data, 8) == 0)
133 DEBUG(5, ("credentials check ok\n"));
138 DEBUG(5, ("credentials check wrong\n"));
144 /****************************************************************************
145 checks credentials; generates next step in the credential chain
146 ****************************************************************************/
147 BOOL clnt_deal_with_creds(uint32 sess_key[2],
148 DOM_CRED *sto_clnt_cred, DOM_CRED *rcv_srv_cred)
153 DEBUG(5,("clnt_deal_with_creds: %d\n", __LINE__));
155 /* increment client time by one second */
156 new_clnt_time.time = sto_clnt_cred->timestamp.time + 1;
158 /* check that the received server credentials are valid */
159 if (!cred_assert(&(rcv_srv_cred->challenge), sess_key,
160 &(sto_clnt_cred->challenge), new_clnt_time))
165 /* first 4 bytes of the new seed is old client 4 bytes + clnt time + 1 */
166 new_cred = IVAL(sto_clnt_cred->challenge.data, 0);
167 new_cred += new_clnt_time.time;
169 /* store new seed in client credentials */
170 SIVAL(sto_clnt_cred->challenge.data, 0, new_cred);
172 DEBUG(5,(" new clnt cred: %lx %lx\n", sto_clnt_cred->challenge.data[0],
173 sto_clnt_cred->challenge.data[1]));
178 /****************************************************************************
179 checks credentials; generates next step in the credential chain
180 ****************************************************************************/
181 BOOL deal_with_creds(uint32 sess_key[2],
182 DOM_CRED *sto_clnt_cred,
183 DOM_CRED *rcv_clnt_cred, DOM_CRED *rtn_srv_cred)
188 DEBUG(5,("deal_with_creds: %d\n", __LINE__));
190 /* check that the received client credentials are valid */
191 if (!cred_assert(&(rcv_clnt_cred->challenge), sess_key,
192 &(sto_clnt_cred->challenge), rcv_clnt_cred->timestamp))
197 /* increment client time by one second */
198 new_clnt_time.time = rcv_clnt_cred->timestamp.time + 1;
200 /* first 4 bytes of the new seed is old client 4 bytes + clnt time + 1 */
201 new_cred = IVAL(sto_clnt_cred->challenge.data, 0);
202 new_cred += new_clnt_time.time;
204 DEBUG(5,("deal_with_creds: new_cred[0]=%lx\n", new_cred));
206 /* doesn't matter that server time is 0 */
207 rtn_srv_cred->timestamp.time = 0;
209 DEBUG(5,("deal_with_creds: new_clnt_time=%lx\n", new_clnt_time.time));
211 /* create return credentials for inclusion in the reply */
212 cred_create(sess_key, &(sto_clnt_cred->challenge), new_clnt_time,
213 &(rtn_srv_cred->challenge));
215 DEBUG(5,("deal_with_creds: clnt_cred[0]=%lx\n",
216 sto_clnt_cred->challenge.data[0]));
218 /* store new seed in client credentials */
219 SIVAL(sto_clnt_cred->challenge.data, 0, new_cred);