This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "system/time.h"
-#include "auth/auth.h"
-#include "lib/crypto/crypto.h"
-#include "pstring.h"
+#include "auth/ntlmssp/ntlmssp.h"
+#include "auth/ntlmssp/msrpc_parse.h"
+#include "../lib/crypto/crypto.h"
+#include "libcli/auth/libcli_auth.h"
/*
This implements the X/Open SMB password encryption
It takes a password ('unix' string), a 8 byte "crypt key"
and puts 24 bytes of encrypted password into p24
- Returns False if password must have been truncated to create LM hash
+ Returns false if password must have been truncated to create LM hash
*/
-BOOL SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24])
+bool SMBencrypt(const char *passwd, const uint8_t *c8, uint8_t p24[24])
{
- BOOL ret;
+ bool ret;
uint8_t p21[21];
memset(p21,'\0',21);
* @param p16 return password hashed with md4, caller allocated 16 byte buffer
*/
-void E_md4hash(const char *passwd, uint8_t p16[16])
+bool E_md4hash(const char *passwd, uint8_t p16[16])
{
int len;
void *wpwd;
len = push_ucs2_talloc(NULL, &wpwd, passwd);
- SMB_ASSERT(len >= 2);
+ if (len < 2) {
+ /* We don't want to return fixed data, as most callers
+ * don't check */
+ mdfour(p16, (const uint8_t *)passwd, strlen(passwd));
+ return false;
+ }
len -= 2;
mdfour(p16, wpwd, len);
talloc_free(wpwd);
+ return true;
}
/**
* Creates the DES forward-only Hash of the users password in DOS ASCII charset
* @param passwd password in 'unix' charset.
* @param p16 return password hashed with DES, caller allocated 16 byte buffer
- * @return False if password was > 14 characters, and therefore may be incorrect, otherwise True
+ * @return false if password was > 14 characters, and therefore may be incorrect, otherwise true
* @note p16 is filled in regardless
*/
-BOOL E_deshash(const char *passwd, uint8_t p16[16])
+bool E_deshash(const char *passwd, uint8_t p16[16])
{
- BOOL ret = True;
- fstring dospwd;
+ bool ret = true;
+ char dospwd[256];
ZERO_STRUCT(dospwd);
-
+
/* Password must be converted to DOS charset - null terminated, uppercase. */
- push_ascii(dospwd, passwd, sizeof(dospwd), STR_UPPER|STR_TERMINATE);
-
- /* Only the fisrt 14 chars are considered, password need not be null terminated. */
+ push_string(dospwd, passwd, sizeof(dospwd), STR_ASCII|STR_UPPER|STR_TERMINATE);
+
+ /* Only the first 14 chars are considered, password need not be null terminated. */
E_P16((const uint8_t *)dospwd, p16);
if (strlen(dospwd) > 14) {
- ret = False;
+ ret = false;
}
ZERO_STRUCT(dospwd);
}
/* Does both the NTLMv2 owfs of a user's password */
-BOOL ntv2_owf_gen(const uint8_t owf[16],
+bool ntv2_owf_gen(const uint8_t owf[16],
const char *user_in, const char *domain_in,
- BOOL upper_case_domain, /* Transform the domain into UPPER case */
+ bool upper_case_domain, /* Transform the domain into UPPER case */
uint8_t kr_buf[16])
{
void *user;
HMACMD5Context ctx;
TALLOC_CTX *mem_ctx = talloc_init("ntv2_owf_gen for %s\\%s", domain_in, user_in);
+
if (!mem_ctx) {
- return False;
+ return false;
}
if (!user_in) {
user_in = strupper_talloc(mem_ctx, user_in);
if (user_in == NULL) {
talloc_free(mem_ctx);
- return False;
+ return false;
}
if (upper_case_domain) {
domain_in = strupper_talloc(mem_ctx, domain_in);
if (domain_in == NULL) {
talloc_free(mem_ctx);
- return False;
+ return false;
}
}
if (user_byte_len == (ssize_t)-1) {
DEBUG(0, ("push_uss2_talloc() for user returned -1 (probably talloc() failure)\n"));
talloc_free(mem_ctx);
- return False;
+ return false;
}
domain_byte_len = push_ucs2_talloc(mem_ctx, &domain, domain_in);
if (domain_byte_len == (ssize_t)-1) {
DEBUG(0, ("push_ucs2_talloc() for domain returned -1 (probably talloc() failure)\n"));
talloc_free(mem_ctx);
- return False;
+ return false;
}
SMB_ASSERT(user_byte_len >= 2);
#endif
talloc_free(mem_ctx);
- return True;
+ return true;
}
/* Does the des encryption from the NT or LM MD4 hash. */
/* Calculate the LM session key (effective length 40 bits,
but changes with each session) */
uint8_t p24[24];
- uint8_t p21[21];
+ uint8_t partial_lm_hash[14];
- memset(p21,'\0',21);
- memcpy(p21, lm_hash, 8);
- memset(p21 + 8, 0xbd, 8);
+ memcpy(partial_lm_hash, lm_hash, 8);
+ memset(partial_lm_hash + 8, 0xbd, 6);
- E_P24(p21, lm_resp, p24);
+ des_crypt56(p24, lm_resp, partial_lm_hash, 1);
+ des_crypt56(p24+8, lm_resp, partial_lm_hash + 7, 1);
memcpy(sess_key, p24, 16);
{
DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
- msrpc_gen(mem_ctx, &names_blob, "aaa",
+ msrpc_gen(mem_ctx, &names_blob,
+ "aaa",
NTLMSSP_NAME_TYPE_DOMAIN, domain,
NTLMSSP_NAME_TYPE_SERVER, hostname,
0, "");
return response;
}
-static DATA_BLOB NTLMv2_generate_response(const uint8_t ntlm_v2_hash[16],
+static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx,
+ const uint8_t ntlm_v2_hash[16],
const DATA_BLOB *server_chal,
const DATA_BLOB *names_blob)
{
DATA_BLOB ntlmv2_client_data;
DATA_BLOB final_response;
- TALLOC_CTX *mem_ctx = talloc_init("NTLMv2_generate_response internal context");
+ TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0,
+ "NTLMv2_generate_response internal context");
if (!mem_ctx) {
return data_blob(NULL, 0);
/* Given that data, and the challenge from the server, generate a response */
SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
- final_response = data_blob(NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
+ final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
memcpy(final_response.data, ntlmv2_response, sizeof(ntlmv2_response));
return final_response;
}
-static DATA_BLOB LMv2_generate_response(const uint8_t ntlm_v2_hash[16],
+static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx,
+ const uint8_t ntlm_v2_hash[16],
const DATA_BLOB *server_chal)
{
uint8_t lmv2_response[16];
- DATA_BLOB lmv2_client_data = data_blob(NULL, 8);
- DATA_BLOB final_response = data_blob(NULL, 24);
+ DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8);
+ DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24);
/* LMv2 */
/* client-supplied random data */
return final_response;
}
-BOOL SMBNTLMv2encrypt_hash(const char *user, const char *domain, const uint8_t nt_hash[16],
+bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx,
+ const char *user, const char *domain, const uint8_t nt_hash[16],
const DATA_BLOB *server_chal,
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
the username and domain.
This prevents username swapping during the auth exchange
*/
- if (!ntv2_owf_gen(nt_hash, user, domain, True, ntlm_v2_hash)) {
- return False;
+ if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {
+ return false;
}
if (nt_response) {
- *nt_response = NTLMv2_generate_response(ntlm_v2_hash, server_chal,
+ *nt_response = NTLMv2_generate_response(mem_ctx,
+ ntlm_v2_hash, server_chal,
names_blob);
if (user_session_key) {
- *user_session_key = data_blob(NULL, 16);
+ *user_session_key = data_blob_talloc(mem_ctx, NULL, 16);
/* The NTLMv2 calculations also provide a session key, for signing etc later */
/* use only the first 16 bytes of nt_response for session key */
/* LMv2 */
if (lm_response) {
- *lm_response = LMv2_generate_response(ntlm_v2_hash, server_chal);
+ *lm_response = LMv2_generate_response(mem_ctx,
+ ntlm_v2_hash, server_chal);
if (lm_session_key) {
- *lm_session_key = data_blob(NULL, 16);
+ *lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
/* The NTLMv2 calculations also provide a session key, for signing etc later */
/* use only the first 16 bytes of lm_response for session key */
}
}
- return True;
+ return true;
}
-BOOL SMBNTLMv2encrypt(const char *user, const char *domain, const char *password,
+bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
+ const char *user, const char *domain,
+ const char *password,
const DATA_BLOB *server_chal,
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
uint8_t nt_hash[16];
E_md4hash(password, nt_hash);
- return SMBNTLMv2encrypt_hash(user, domain, nt_hash, server_chal, names_blob,
+ return SMBNTLMv2encrypt_hash(mem_ctx,
+ user, domain, nt_hash, server_chal, names_blob,
lm_response, nt_response, lm_session_key, user_session_key);
}
encode a password buffer with a unicode password. The buffer
is filled with random data to make it harder to attack.
************************************************************/
-BOOL encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags)
+bool encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags)
{
uint8_t new_pw[512];
size_t new_pw_len;
+ /* the incoming buffer can be any alignment. */
+ string_flags |= STR_NOALIGN;
+
new_pw_len = push_string(new_pw,
password,
sizeof(new_pw), string_flags);
*/
SIVAL(buffer, 512, new_pw_len);
ZERO_STRUCT(new_pw);
- return True;
+ return true;
}
*new_pw_len is the length in bytes of the possibly mulitbyte
returned password including termination.
************************************************************/
-BOOL decode_pw_buffer(uint8_t in_buffer[516], char *new_pwrd,
- int new_pwrd_size, uint32_t *new_pw_len,
- int string_flags)
+bool decode_pw_buffer(uint8_t in_buffer[516], char *new_pwrd,
+ int new_pwrd_size, int string_flags)
{
int byte_len=0;
+ ssize_t converted_pw_len;
+
+ /* the incoming buffer can be any alignment. */
+ string_flags |= STR_NOALIGN;
/*
Warning !!! : This function is called from some rpc call.
/* Password cannot be longer than the size of the password buffer */
if ( (byte_len < 0) || (byte_len > 512)) {
- return False;
+ return false;
}
/* decode into the return buffer. Buffer length supplied */
- *new_pw_len = pull_string(new_pwrd, &in_buffer[512 - byte_len], new_pwrd_size,
+ converted_pw_len = pull_string(new_pwrd, &in_buffer[512 - byte_len], new_pwrd_size,
byte_len, string_flags);
+ if (converted_pw_len == -1) {
+ return false;
+ }
+
#ifdef DEBUG_PASSWORD
DEBUG(100,("decode_pw_buffer: new_pwrd: "));
- dump_data(100, (const uint8_t *)new_pwrd, *new_pw_len);
- DEBUG(100,("multibyte len:%d\n", *new_pw_len));
+ dump_data(100, (const uint8_t *)new_pwrd, converted_pw_len);
+ DEBUG(100,("multibyte len:%d\n", (int)converted_pw_len));
DEBUG(100,("original char len:%d\n", byte_len/2));
#endif
- return True;
+ return true;
+}
+
+/***********************************************************
+ encode a password buffer with an already unicode password. The
+ rest of the buffer is filled with random data to make it harder to attack.
+************************************************************/
+bool set_pw_in_buffer(uint8_t buffer[516], DATA_BLOB *password)
+{
+ if (password->length > 512) {
+ return false;
+ }
+
+ memcpy(&buffer[512 - password->length], password->data, password->length);
+
+ generate_random_buffer(buffer, 512 - password->length);
+
+ /*
+ * The length of the new password is in the last 4 bytes of
+ * the data buffer.
+ */
+ SIVAL(buffer, 512, password->length);
+ return true;
+}
+
+/***********************************************************
+ decode a password buffer
+ *new_pw_size is the length in bytes of the extracted unicode password
+************************************************************/
+bool extract_pw_from_buffer(TALLOC_CTX *mem_ctx,
+ uint8_t in_buffer[516], DATA_BLOB *new_pass)
+{
+ int byte_len=0;
+
+ /* The length of the new password is in the last 4 bytes of the data buffer. */
+
+ byte_len = IVAL(in_buffer, 512);
+
+#ifdef DEBUG_PASSWORD
+ dump_data(100, in_buffer, 516);
+#endif
+
+ /* Password cannot be longer than the size of the password buffer */
+ if ( (byte_len < 0) || (byte_len > 512)) {
+ return false;
+ }
+
+ *new_pass = data_blob_talloc(mem_ctx, &in_buffer[512 - byte_len], byte_len);
+
+ if (!new_pass->data) {
+ return false;
+ }
+
+ return true;
}
git.samba.org / kai / samba.git / blobdiff