2 Unix SMB/CIFS implementation.
3 code to manipulate domain credentials
4 Copyright (C) Andrew Tridgell 1997-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /****************************************************************************
24 represent a credential as a string
25 ****************************************************************************/
26 char *credstr(uchar *cred)
29 slprintf(buf, sizeof(buf) - 1, "%02X%02X%02X%02X%02X%02X%02X%02X",
30 cred[0], cred[1], cred[2], cred[3],
31 cred[4], cred[5], cred[6], cred[7]);
36 /****************************************************************************
37 setup the session key.
38 Input: 8 byte challenge block
39 8 byte server challenge block
40 16 byte md4 encrypted password
43 ****************************************************************************/
44 void cred_session_key(DOM_CHAL *clnt_chal, DOM_CHAL *srv_chal, char *pass,
48 unsigned char sum2[8];
50 sum[0] = IVAL(clnt_chal->data, 0) + IVAL(srv_chal->data, 0);
51 sum[1] = IVAL(clnt_chal->data, 4) + IVAL(srv_chal->data, 4);
56 cred_hash1(session_key, sum2,(unsigned char *)pass);
59 DEBUG(4,("cred_session_key\n"));
61 DEBUG(5,(" clnt_chal: %s\n", credstr(clnt_chal->data)));
62 DEBUG(5,(" srv_chal : %s\n", credstr(srv_chal->data)));
63 DEBUG(5,(" clnt+srv : %s\n", credstr(sum2)));
64 DEBUG(5,(" sess_key : %s\n", credstr(session_key)));
68 /****************************************************************************
73 8 byte stored credential
78 ****************************************************************************/
79 void cred_create(uchar session_key[8], DOM_CHAL *stor_cred, UTIME timestamp,
84 SIVAL(time_cred.data, 0, IVAL(stor_cred->data, 0) + timestamp.time);
85 SIVAL(time_cred.data, 4, IVAL(stor_cred->data, 4));
87 cred_hash2(cred->data, time_cred.data, session_key);
90 DEBUG(4,("cred_create\n"));
92 DEBUG(5,(" sess_key : %s\n", credstr(session_key)));
93 DEBUG(5,(" stor_cred: %s\n", credstr(stor_cred->data)));
94 DEBUG(5,(" timestamp: %x\n" , timestamp.time));
95 DEBUG(5,(" timecred : %s\n", credstr(time_cred.data)));
96 DEBUG(5,(" calc_cred: %s\n", credstr(cred->data)));
100 /****************************************************************************
101 check a supplied credential
104 8 byte received credential
106 8 byte stored credential
110 returns 1 if computed credential matches received credential
112 ****************************************************************************/
113 int cred_assert(DOM_CHAL *cred, uchar session_key[8], DOM_CHAL *stored_cred,
118 cred_create(session_key, stored_cred, timestamp, &cred2);
121 DEBUG(4,("cred_assert\n"));
123 DEBUG(5,(" challenge : %s\n", credstr(cred->data)));
124 DEBUG(5,(" calculated: %s\n", credstr(cred2.data)));
126 if (memcmp(cred->data, cred2.data, 8) == 0)
128 DEBUG(5, ("credentials check ok\n"));
133 DEBUG(5, ("credentials check wrong\n"));
139 /****************************************************************************
140 checks credentials; generates next step in the credential chain
141 ****************************************************************************/
142 BOOL clnt_deal_with_creds(uchar sess_key[8],
143 DOM_CRED *sto_clnt_cred, DOM_CRED *rcv_srv_cred)
148 DEBUG(5,("clnt_deal_with_creds: %d\n", __LINE__));
150 /* increment client time by one second */
151 new_clnt_time.time = sto_clnt_cred->timestamp.time + 1;
153 /* check that the received server credentials are valid */
154 if (!cred_assert(&rcv_srv_cred->challenge, sess_key,
155 &sto_clnt_cred->challenge, new_clnt_time))
160 /* first 4 bytes of the new seed is old client 4 bytes + clnt time + 1 */
161 new_cred = IVAL(sto_clnt_cred->challenge.data, 0);
162 new_cred += new_clnt_time.time;
164 /* store new seed in client credentials */
165 SIVAL(sto_clnt_cred->challenge.data, 0, new_cred);
167 DEBUG(5,(" new clnt cred: %s\n", credstr(sto_clnt_cred->challenge.data)));
172 /****************************************************************************
173 checks credentials; generates next step in the credential chain
174 ****************************************************************************/
175 BOOL deal_with_creds(uchar sess_key[8],
176 DOM_CRED *sto_clnt_cred,
177 DOM_CRED *rcv_clnt_cred, DOM_CRED *rtn_srv_cred)
182 DEBUG(5,("deal_with_creds: %d\n", __LINE__));
184 /* check that the received client credentials are valid */
185 if (!cred_assert(&rcv_clnt_cred->challenge, sess_key,
186 &sto_clnt_cred->challenge, rcv_clnt_cred->timestamp))
191 /* increment client time by one second */
192 new_clnt_time.time = rcv_clnt_cred->timestamp.time + 1;
194 /* first 4 bytes of the new seed is old client 4 bytes + clnt time + 1 */
195 new_cred = IVAL(sto_clnt_cred->challenge.data, 0);
196 new_cred += new_clnt_time.time;
198 DEBUG(5,("deal_with_creds: new_cred[0]=%x\n", new_cred));
200 /* doesn't matter that server time is 0 */
201 rtn_srv_cred->timestamp.time = 0;
203 DEBUG(5,("deal_with_creds: new_clnt_time=%x\n", new_clnt_time.time));
205 /* create return credentials for inclusion in the reply */
206 cred_create(sess_key, &sto_clnt_cred->challenge, new_clnt_time,
207 &rtn_srv_cred->challenge);
209 DEBUG(5,("deal_with_creds: clnt_cred=%s\n", credstr(sto_clnt_cred->challenge.data)));
211 /* store new seed in client credentials */
212 SIVAL(sto_clnt_cred->challenge.data, 0, new_cred);