libcli/samsync/decrypt.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Extract the user/system database from a remote SamSync server
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7    Copyright (C) Guenther Deschner <gd@samba.org> 2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23
  24 #include "includes.h"
  25 #include "libnet/libnet.h"
  26 #include "../lib/crypto/crypto.h"
  27 #include "../libcli/auth/libcli_auth.h"
  28 #include "../libcli/samsync/samsync.h"
  29
  30 /**
  31  * Decrypt and extract the user's passwords.
  32  *
  33  * The writes decrypted (no longer 'RID encrypted' or arcfour encrypted)
  34  * passwords back into the structure
  35  */
  36
  37 static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
  38                          struct creds_CredentialState *creds,
  39                          enum netr_SamDatabaseID database_id,
  40                          struct netr_DELTA_ENUM *delta)
  41 {
  42
  43         uint32_t rid = delta->delta_id_union.rid;
  44         struct netr_DELTA_USER *user = delta->delta_union.user;
  45         struct samr_Password lm_hash;
  46         struct samr_Password nt_hash;
  47         unsigned char zero_buf[16];
  48
  49         memset(zero_buf, '\0', sizeof(zero_buf));
  50
  51         /* Note that win2000 may send us all zeros
  52          * for the hashes if it doesn't
  53          * think this channel is secure enough. */
  54         if (user->lm_password_present) {
  55                 if (memcmp(user->lmpassword.hash, zero_buf, 16) != 0) {
  56                         sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
  57                 } else {
  58                         memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
  59                 }
  60                 user->lmpassword = lm_hash;
  61         }
  62
  63         if (user->nt_password_present) {
  64                 if (memcmp(user->ntpassword.hash, zero_buf, 16) != 0) {
  65                         sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
  66                 } else {
  67                         memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
  68                 }
  69                 user->ntpassword = nt_hash;
  70         }
  71
  72         if (user->user_private_info.SensitiveData) {
  73                 DATA_BLOB data;
  74                 struct netr_USER_KEYS keys;
  75                 enum ndr_err_code ndr_err;
  76                 data.data = user->user_private_info.SensitiveData;
  77                 data.length = user->user_private_info.DataLength;
  78                 creds_arcfour_crypt(creds, data.data, data.length);
  79                 user->user_private_info.SensitiveData = data.data;
  80                 user->user_private_info.DataLength = data.length;
  81
  82                 ndr_err = ndr_pull_struct_blob(&data, mem_ctx, NULL, &keys,
  83                         (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
  84                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  85                         dump_data(10, data.data, data.length);
  86                         return ndr_map_error2ntstatus(ndr_err);
  87                 }
  88
  89                 /* Note that win2000 may send us all zeros
  90                  * for the hashes if it doesn't
  91                  * think this channel is secure enough. */
  92                 if (keys.keys.keys2.lmpassword.length == 16) {
  93                         if (memcmp(keys.keys.keys2.lmpassword.pwd.hash,
  94                                         zero_buf, 16) != 0) {
  95                                 sam_rid_crypt(rid,
  96                                               keys.keys.keys2.lmpassword.pwd.hash,
  97                                               lm_hash.hash, 0);
  98                         } else {
  99                                 memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
 100                         }
 101                         user->lmpassword = lm_hash;
 102                         user->lm_password_present = true;
 103                 }
 104                 if (keys.keys.keys2.ntpassword.length == 16) {
 105                         if (memcmp(keys.keys.keys2.ntpassword.pwd.hash,
 106                                                 zero_buf, 16) != 0) {
 107                                 sam_rid_crypt(rid,
 108                                               keys.keys.keys2.ntpassword.pwd.hash,
 109                                               nt_hash.hash, 0);
 110                         } else {
 111                                 memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
 112                         }
 113                         user->ntpassword = nt_hash;
 114                         user->nt_password_present = true;
 115                 }
 116                 /* TODO: rid decrypt history fields */
 117         }
 118         return NT_STATUS_OK;
 119 }
 120
 121 /**
 122  * Decrypt and extract the secrets
 123  *
 124  * The writes decrypted secrets back into the structure
 125  */
 126 static NTSTATUS fix_secret(TALLOC_CTX *mem_ctx,
 127                            struct creds_CredentialState *creds,
 128                            enum netr_SamDatabaseID database,
 129                            struct netr_DELTA_ENUM *delta)
 130 {
 131         struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
 132         creds_arcfour_crypt(creds, secret->current_cipher.cipher_data,
 133                             secret->current_cipher.maxlen);
 134
 135         creds_arcfour_crypt(creds, secret->old_cipher.cipher_data,
 136                             secret->old_cipher.maxlen);
 137
 138         return NT_STATUS_OK;
 139 }
 140
 141 /**
 142  * Fix up the delta, dealing with encryption issues so that the final
 143  * callback need only do the printing or application logic
 144  */
 145
 146 NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
 147                            struct creds_CredentialState *creds,
 148                            enum netr_SamDatabaseID database_id,
 149                            struct netr_DELTA_ENUM *delta)
 150 {
 151         NTSTATUS status = NT_STATUS_OK;
 152
 153         switch (delta->delta_type) {
 154                 case NETR_DELTA_USER:
 155
 156                         status = fix_user(mem_ctx,
 157                                           creds,
 158                                           database_id,
 159                                           delta);
 160                         break;
 161                 case NETR_DELTA_SECRET:
 162
 163                         status = fix_secret(mem_ctx,
 164                                             creds,
 165                                             database_id,
 166                                             delta);
 167                         break;
 168                 default:
 169                         break;
 170         }
 171
 172         return status;
 173 }
 174