summaryrefslogtreecommitdiff
path: root/source3/libsmb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-03-16 21:27:58 +1100
committerAndrew Bartlett <abartlet@samba.org>2009-04-14 16:23:35 +1000
commitf28f113d8e76824b080359c90efd9c92de533740 (patch)
tree063c8cf44e1a26adce9128f3e24ee55274292090 /source3/libsmb
parentfd3be5c4e5e185115eec59752a22f7f354f860ca (diff)
downloadsamba-f28f113d8e76824b080359c90efd9c92de533740.tar.gz
samba-f28f113d8e76824b080359c90efd9c92de533740.tar.bz2
samba-f28f113d8e76824b080359c90efd9c92de533740.zip
Rework Samba3 to use new libcli/auth code (partial)
This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/clirap.c2
-rw-r--r--source3/libsmb/credentials.c86
-rw-r--r--source3/libsmb/ntlm_check.c470
-rw-r--r--source3/libsmb/ntlmssp.c30
-rw-r--r--source3/libsmb/ntlmssp_parse.c384
-rw-r--r--source3/libsmb/smbdes.c421
-rw-r--r--source3/libsmb/smbencrypt.c898
-rw-r--r--source3/libsmb/trusts_util.c1
8 files changed, 26 insertions, 2266 deletions
diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
index 3f95e77aee..cc8c9ba67f 100644
--- a/source3/libsmb/clirap.c
+++ b/source3/libsmb/clirap.c
@@ -468,7 +468,7 @@ bool cli_oem_change_password(struct cli_state *cli, const char *user, const char
DEBUG(100,("make_oem_passwd_hash\n"));
dump_data(100, data, 516);
#endif
- SamOEMhash( (unsigned char *)data, (unsigned char *)old_pw_hash, 516);
+ arcfour_crypt( (unsigned char *)data, (unsigned char *)old_pw_hash, 516);
/*
* Now place the old password hash in the data.
diff --git a/source3/libsmb/credentials.c b/source3/libsmb/credentials.c
index 9ba460f869..0d7bde0c09 100644
--- a/source3/libsmb/credentials.c
+++ b/source3/libsmb/credentials.c
@@ -19,6 +19,8 @@
*/
#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "libcli/auth/libcli_auth.h"
/****************************************************************************
Represent a credential as a string.
@@ -278,84 +280,12 @@ bool netlogon_creds_server_step(struct dcinfo *dc,
return true;
}
-/****************************************************************************
- Create a client credential struct.
-****************************************************************************/
-
-void creds_client_init(uint32 neg_flags,
- struct dcinfo *dc,
- struct netr_Credential *clnt_chal,
- struct netr_Credential *srv_chal,
- const unsigned char mach_pw[16],
- struct netr_Credential *init_chal_out)
-{
- dc->sequence = time(NULL);
-
- DEBUG(10,("creds_client_init: neg_flags : %x\n", (unsigned int)neg_flags));
- DEBUG(10,("creds_client_init: client chal : %s\n", credstr(clnt_chal->data) ));
- DEBUG(10,("creds_client_init: server chal : %s\n", credstr(srv_chal->data) ));
- dump_data_pw("creds_client_init: machine pass", (const unsigned char *)mach_pw, 16);
-
- /* Generate the session key and the next client and server creds. */
- if (neg_flags & NETLOGON_NEG_128BIT) {
- creds_init_128(dc,
- clnt_chal,
- srv_chal,
- mach_pw);
- } else {
- creds_init_64(dc,
- clnt_chal,
- srv_chal,
- mach_pw);
- }
-
- dump_data_pw("creds_client_init: session key", dc->sess_key, 16);
-
- DEBUG(10,("creds_client_init: clnt : %s\n", credstr(dc->clnt_chal.data) ));
- DEBUG(10,("creds_client_init: server : %s\n", credstr(dc->srv_chal.data) ));
- DEBUG(10,("creds_client_init: seed : %s\n", credstr(dc->seed_chal.data) ));
-
- memcpy(init_chal_out->data, dc->clnt_chal.data, 8);
-}
-
-/****************************************************************************
- Check a credential returned by the server.
-****************************************************************************/
-
-bool netlogon_creds_client_check(const struct dcinfo *dc,
- const struct netr_Credential *rcv_srv_chal_in)
-{
- if (memcmp(dc->srv_chal.data, rcv_srv_chal_in->data,
- sizeof(dc->srv_chal.data))) {
-
- DEBUG(0,("netlogon_creds_client_check: credentials check failed.\n"));
- DEBUGADD(5,("netlogon_creds_client_check: challenge : %s\n",
- credstr(rcv_srv_chal_in->data)));
- DEBUGADD(5,("calculated: %s\n", credstr(dc->srv_chal.data)));
- return false;
- }
-
- DEBUG(10,("netlogon_creds_client_check: credentials check OK.\n"));
-
- return true;
-}
-
-
-/****************************************************************************
- Step the client credentials to the next element in the chain, updating the
- current client and server credentials and the seed
- produce the next authenticator in the sequence ready to send to
- the server
-****************************************************************************/
-
-void netlogon_creds_client_step(struct dcinfo *dc,
- struct netr_Authenticator *next_cred_out)
+void cred_hash3(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw)
{
- dc->sequence += 2;
- creds_step(dc);
- creds_reseed(dc);
+ unsigned char key2[8];
- memcpy(&next_cred_out->cred.data, &dc->clnt_chal.data,
- sizeof(next_cred_out->cred.data));
- next_cred_out->timestamp = dc->sequence;
+ memset(key2,'\0',8);
+ des_crypt56(out, in, key, forw);
+ key2[0] = key[7];
+ des_crypt56(out + 8, in + 8, key2, forw);
}
diff --git a/source3/libsmb/ntlm_check.c b/source3/libsmb/ntlm_check.c
deleted file mode 100644
index 9380a83ea0..0000000000
--- a/source3/libsmb/ntlm_check.c
+++ /dev/null
@@ -1,470 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Password and authentication handling
- Copyright (C) Andrew Tridgell 1992-2000
- Copyright (C) Luke Kenneth Casson Leighton 1996-2000
- Copyright (C) Andrew Bartlett 2001-2003
- Copyright (C) Gerald Carter 2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_AUTH
-
-/****************************************************************************
- Core of smb password checking routine.
-****************************************************************************/
-
-static bool smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
- const uchar *part_passwd,
- const DATA_BLOB *sec_blob,
- DATA_BLOB *user_sess_key)
-{
- /* Finish the encryption of part_passwd. */
- uchar p24[24];
-
- if (part_passwd == NULL) {
- DEBUG(10,("No password set - DISALLOWING access\n"));
- /* No password set - always false ! */
- return false;
- }
-
- if (sec_blob->length != 8) {
- DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n",
- (unsigned long)sec_blob->length));
- return false;
- }
-
- if (nt_response->length != 24) {
- DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n",
- (unsigned long)nt_response->length));
- return false;
- }
-
- SMBOWFencrypt(part_passwd, sec_blob->data, p24);
- if (user_sess_key != NULL) {
- *user_sess_key = data_blob(NULL, 16);
- SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
- }
-
-
-#if DEBUG_PASSWORD
- DEBUG(100,("Part password (P16) was |\n"));
- dump_data(100, part_passwd, 16);
- DEBUGADD(100,("Password from client was |\n"));
- dump_data(100, nt_response->data, nt_response->length);
- DEBUGADD(100,("Given challenge was |\n"));
- dump_data(100, sec_blob->data, sec_blob->length);
- DEBUGADD(100,("Value from encryption was |\n"));
- dump_data(100, p24, 24);
-#endif
- return (memcmp(p24, nt_response->data, 24) == 0);
-}
-
-/****************************************************************************
- Core of smb password checking routine. (NTLMv2, LMv2)
- Note: The same code works with both NTLMv2 and LMv2.
-****************************************************************************/
-
-static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
- const DATA_BLOB *ntv2_response,
- const uint8_t *part_passwd,
- const DATA_BLOB *sec_blob,
- const char *user, const char *domain,
- bool upper_case_domain, /* should the domain be transformed into upper case? */
- DATA_BLOB *user_sess_key)
-{
- /* Finish the encryption of part_passwd. */
- uint8_t kr[16];
- uint8_t value_from_encryption[16];
- uint8_t client_response[16];
- DATA_BLOB client_key_data;
- bool res;
-
- if (part_passwd == NULL) {
- DEBUG(10,("No password set - DISALLOWING access\n"));
- /* No password set - always false */
- return false;
- }
-
- if (sec_blob->length != 8) {
- DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n",
- (unsigned long)sec_blob->length));
- return false;
- }
-
- if (ntv2_response->length < 24) {
- /* We MUST have more than 16 bytes, or the stuff below will go
- crazy. No known implementation sends less than the 24 bytes
- for LMv2, let alone NTLMv2. */
- DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n",
- (unsigned long)ntv2_response->length));
- return false;
- }
-
- client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
- /*
- todo: should we be checking this for anything? We can't for LMv2,
- but for NTLMv2 it is meant to contain the current time etc.
- */
-
- memcpy(client_response, ntv2_response->data, sizeof(client_response));
-
- if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
- return false;
- }
-
- SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
- if (user_sess_key != NULL) {
- *user_sess_key = data_blob(NULL, 16);
- SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
- }
-
-#if DEBUG_PASSWORD
- DEBUG(100,("Part password (P16) was |\n"));
- dump_data(100, part_passwd, 16);
- DEBUGADD(100,("Password from client was |\n"));
- dump_data(100, ntv2_response->data, ntv2_response->length);
- DEBUGADD(100,("Variable data from client was |\n"));
- dump_data(100, client_key_data.data, client_key_data.length);
- DEBUGADD(100,("Given challenge was |\n"));
- dump_data(100, sec_blob->data, sec_blob->length);
- DEBUGADD(100,("Value from encryption was |\n"));
- dump_data(100, value_from_encryption, 16);
-#endif
- data_blob_clear_free(&client_key_data);
- res = (memcmp(value_from_encryption, client_response, 16) == 0);
- if ((!res) && (user_sess_key != NULL))
- data_blob_clear_free(user_sess_key);
- return res;
-}
-
-/**
- * Check a challenge-response password against the value of the NT or
- * LM password hash.
- *
- * @param mem_ctx talloc context
- * @param challenge 8-byte challenge. If all zero, forces plaintext comparison
- * @param nt_response 'unicode' NT response to the challenge, or unicode password
- * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
- * @param username internal Samba username, for log messages
- * @param client_username username the client used
- * @param client_domain domain name the client used (may be mapped)
- * @param nt_pw MD4 unicode password from our passdb or similar
- * @param lm_pw LANMAN ASCII password from our passdb or similar
- * @param user_sess_key User session key
- * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
- */
-
-NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- const DATA_BLOB *challenge,
- const DATA_BLOB *lm_response,
- const DATA_BLOB *nt_response,
- const DATA_BLOB *lm_interactive_pwd,
- const DATA_BLOB *nt_interactive_pwd,
- const char *username,
- const char *client_username,
- const char *client_domain,
- const uint8_t *lm_pw, const uint8_t *nt_pw,
- DATA_BLOB *user_sess_key,
- DATA_BLOB *lm_sess_key)
-{
- unsigned char zeros[8];
-
- ZERO_STRUCT(zeros);
-
- if (nt_pw == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
- username));
- }
-
- if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) {
- if (nt_interactive_pwd->length != 16) {
- DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n", (int)nt_interactive_pwd->length,
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
- if (user_sess_key) {
- *user_sess_key = data_blob(NULL, 16);
- SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
- }
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- } else if (lm_interactive_pwd && lm_interactive_pwd->length && lm_pw) {
- if (lm_interactive_pwd->length != 16) {
- DEBUG(3,("ntlm_password_check: Interactive logon: Invalid LANMAN password length (%d) supplied for user %s\n", (int)lm_interactive_pwd->length,
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (!lp_lanman_auth()) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (memcmp(lm_interactive_pwd->data, lm_pw, 16) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- }
-
- /* Check for cleartext netlogon. Used by Exchange 5.5. */
- if (challenge->length == sizeof(zeros) &&
- (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
-
- DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
- username));
- if (nt_pw && nt_response->length) {
- unsigned char pwhash[16];
- mdfour(pwhash, nt_response->data, nt_response->length);
- if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- } else if (!lp_lanman_auth()) {
- DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
- username));
-
- } else if (lm_pw && lm_response->length) {
- uchar dospwd[14];
- uchar p16[16];
- ZERO_STRUCT(dospwd);
-
- memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
- /* Only the fisrt 14 chars are considered, password need not be null terminated. */
-
- /* we *might* need to upper-case the string here */
- E_P16((const unsigned char *)dospwd, p16);
-
- if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- } else {
- DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- }
-
- if (nt_response->length != 0 && nt_response->length < 24) {
- DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n",
- (unsigned long)nt_response->length, username));
- }
-
- if (nt_response->length >= 24 && nt_pw) {
- if (nt_response->length > 24) {
- /* We have the NT MD4 hash challenge available - see if we can
- use it
- */
- DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
- if (smb_pwd_check_ntlmv2(mem_ctx,
- nt_response,
- nt_pw, challenge,
- client_username,
- client_domain,
- False,
- user_sess_key)) {
- return NT_STATUS_OK;
- }
-
- DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
- if (smb_pwd_check_ntlmv2(mem_ctx,
- nt_response,
- nt_pw, challenge,
- client_username,
- client_domain,
- true,
- user_sess_key)) {
- return NT_STATUS_OK;
- }
-
- DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
- if (smb_pwd_check_ntlmv2(mem_ctx,
- nt_response,
- nt_pw, challenge,
- client_username,
- "",
- False,
- user_sess_key)) {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
- return NT_STATUS_WRONG_PASSWORD;
- }
- }
-
- if (lp_ntlm_auth()) {
- /* We have the NT MD4 hash challenge available - see if we can
- use it (ie. does it exist in the smbpasswd file).
- */
- DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
- if (smb_pwd_check_ntlmv1(nt_response,
- nt_pw, challenge,
- user_sess_key)) {
- /* The LM session key for this response is not very secure,
- so use it only if we otherwise allow LM authentication */
-
- if (lp_lanman_auth() && lm_pw) {
- uint8_t first_8_lm_hash[16];
- memcpy(first_8_lm_hash, lm_pw, 8);
- memset(first_8_lm_hash + 8, '\0', 8);
- if (lm_sess_key) {
- *lm_sess_key = data_blob(first_8_lm_hash, 16);
- }
- }
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
- } else {
- DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
- username));
- /* no return, becouse we might pick up LMv2 in the LM field */
- }
- }
-
- if (lm_response->length == 0) {
- DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
- username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (lm_response->length < 24) {
- DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n",
- (unsigned long)nt_response->length, username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- if (!lp_lanman_auth()) {
- DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
- username));
- } else if (!lm_pw) {
- DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
- username));
- } else {
- DEBUG(4,("ntlm_password_check: Checking LM password\n"));
- if (smb_pwd_check_ntlmv1(lm_response,
- lm_pw, challenge,
- NULL)) {
- uint8_t first_8_lm_hash[16];
- memcpy(first_8_lm_hash, lm_pw, 8);
- memset(first_8_lm_hash + 8, '\0', 8);
- if (user_sess_key) {
- *user_sess_key = data_blob(first_8_lm_hash, 16);
- }
-
- if (lm_sess_key) {
- *lm_sess_key = data_blob(first_8_lm_hash, 16);
- }
- return NT_STATUS_OK;
- }
- }
-
- if (!nt_pw) {
- DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
- - related to Win9X, legacy NAS pass-though authentication
- */
- DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
- if (smb_pwd_check_ntlmv2(mem_ctx,
- lm_response,
- nt_pw, challenge,
- client_username,
- client_domain,
- false,
- NULL)) {
- return NT_STATUS_OK;
- }
-
- DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
- if (smb_pwd_check_ntlmv2(mem_ctx,
- lm_response,
- nt_pw, challenge,
- client_username,
- client_domain,
- true,
- NULL)) {
- return NT_STATUS_OK;
- }
-
- DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
- if (smb_pwd_check_ntlmv2(mem_ctx,
- lm_response,
- nt_pw, challenge,
- client_username,
- "",
- false,
- NULL)) {
- return NT_STATUS_OK;
- }
-
- /* Apparently NT accepts NT responses in the LM field
- - I think this is related to Win9X pass-though authentication
- */
- DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (lp_ntlm_auth()) {
- if (smb_pwd_check_ntlmv1(lm_response,
- nt_pw, challenge,
- NULL)) {
- /* The session key for this response is still very odd.
- It not very secure, so use it only if we otherwise
- allow LM authentication */
-
- if (lp_lanman_auth() && lm_pw) {
- uint8_t first_8_lm_hash[16];
- memcpy(first_8_lm_hash, lm_pw, 8);
- memset(first_8_lm_hash + 8, '\0', 8);
- if (user_sess_key) {
- *user_sess_key = data_blob(first_8_lm_hash, 16);
- }
-
- if (lm_sess_key) {
- *lm_sess_key = data_blob(first_8_lm_hash, 16);
- }
- }
- return NT_STATUS_OK;
- }
- DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
- } else {
- DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
- }
- return NT_STATUS_WRONG_PASSWORD;
-}
-
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 0764f97d85..f9976902d8 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -22,6 +22,7 @@
*/
#include "includes.h"
+#include "../libcli/auth/libcli_auth.h"
static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
DATA_BLOB reply, DATA_BLOB *next_request);
@@ -873,9 +874,9 @@ static NTSTATUS ntlmssp_server_auth(struct ntlmssp_state *ntlmssp_state,
ntlmssp_state->session_key = session_key;
} else {
dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
- SamOEMhash(encrypted_session_key.data,
- session_key.data,
- encrypted_session_key.length);
+ arcfour_crypt_blob(encrypted_session_key.data,
+ encrypted_session_key.length,
+ &session_key);
ntlmssp_state->session_key = data_blob_talloc(
ntlmssp_state, encrypted_session_key.data,
encrypted_session_key.length);
@@ -1079,7 +1080,6 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
/* not doing NLTM2 without a password */
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
} else if (ntlmssp_state->use_ntlmv2) {
-
if (!struct_blob.length) {
/* be lazy, match win2k - we can't do NTLMv2 without it */
DEBUG(1, ("Server did not provide 'target information', required for NTLMv2\n"));
@@ -1089,11 +1089,13 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
/* TODO: if the remote server is standalone, then we should replace 'domain'
with the server name as supplied above */
- if (!SMBNTLMv2encrypt_hash(ntlmssp_state->user,
- ntlmssp_state->domain,
- ntlmssp_state->nt_hash, &challenge_blob,
- &struct_blob,
- &lm_response, &nt_response, &session_key)) {
+ if (!SMBNTLMv2encrypt_hash(ntlmssp_state,
+ ntlmssp_state->user,
+ ntlmssp_state->domain,
+ ntlmssp_state->nt_hash, &challenge_blob,
+ &struct_blob,
+ &lm_response, &nt_response, NULL,
+ &session_key)) {
data_blob_free(&challenge_blob);
data_blob_free(&struct_blob);
return NT_STATUS_NO_MEMORY;
@@ -1122,12 +1124,12 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
nt_response = data_blob_talloc(ntlmssp_state, NULL, 24);
SMBNTencrypt_hash(ntlmssp_state->nt_hash,
- session_nonce_hash,
- nt_response.data);
+ session_nonce_hash,
+ nt_response.data);
session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
- SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, user_session_key);
+ SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, user_session_key);
hmac_md5(user_session_key, session_nonce, sizeof(session_nonce), session_key.data);
dump_data_pw("NTLM2 session key:\n", session_key.data, session_key.length);
} else {
@@ -1150,7 +1152,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
session_key.data);
dump_data_pw("LM session key\n", session_key.data, session_key.length);
} else {
- SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, NULL, session_key.data);
+ SMBsesskeygen_ntv1(ntlmssp_state->nt_hash, session_key.data);
dump_data_pw("NT session key:\n", session_key.data, session_key.length);
}
}
@@ -1166,7 +1168,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
/* Encrypt the new session key with the old one */
encrypted_session_key = data_blob(client_session_key, sizeof(client_session_key));
dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
- SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
+ arcfour_crypt_blob(encrypted_session_key.data, encrypted_session_key.length, &session_key);
dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
/* Mark the new session key as the 'real' session key */
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
deleted file mode 100644
index 98c50596be..0000000000
--- a/source3/libsmb/ntlmssp_parse.c
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- simple kerberos5/SPNEGO routines
- Copyright (C) Andrew Tridgell 2001
- Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
- Copyright (C) Andrew Bartlett 2002-2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-
-/*
- this is a tiny msrpc packet generator. I am only using this to
- avoid tying this code to a particular varient of our rpc code. This
- generator is not general enough for all our rpc needs, its just
- enough for the spnego/ntlmssp code
-
- format specifiers are:
-
- U = unicode string (input is unix string)
- a = address (input is char *unix_string)
- (1 byte type, 1 byte length, unicode/ASCII string, all inline)
- A = ASCII string (input is unix string)
- B = data blob (pointer + length)
- b = data blob in header (pointer + length)
- D
- d = word (4 bytes)
- C = constant ascii string
- */
-bool msrpc_gen(DATA_BLOB *blob,
- const char *format, ...)
-{
- int i, n;
- va_list ap;
- char *s;
- uint8 *b;
- int head_size=0, data_size=0;
- int head_ofs, data_ofs;
-
- /* first scan the format to work out the header and body size */
- va_start(ap, format);
- for (i=0; format[i]; i++) {
- switch (format[i]) {
- case 'U':
- s = va_arg(ap, char *);
- head_size += 8;
- data_size += str_charnum(s) * 2;
- break;
- case 'A':
- s = va_arg(ap, char *);
- head_size += 8;
- data_size += str_ascii_charnum(s);
- break;
- case 'a':
- n = va_arg(ap, int);
- s = va_arg(ap, char *);
- data_size += (str_charnum(s) * 2) + 4;
- break;
- case 'B':
- b = va_arg(ap, uint8 *);
- head_size += 8;
- data_size += va_arg(ap, int);
- break;
- case 'b':
- b = va_arg(ap, uint8 *);
- head_size += va_arg(ap, int);
- break;
- case 'd':
- n = va_arg(ap, int);
- head_size += 4;
- break;
- case 'C':
- s = va_arg(ap, char *);
- head_size += str_charnum(s) + 1;
- break;
- }
- }
- va_end(ap);
-
- /* allocate the space, then scan the format
- * again to fill in the values */
-
- *blob = data_blob(NULL, head_size + data_size);
-
- head_ofs = 0;
- data_ofs = head_size;
-
- va_start(ap, format);
- for (i=0; format[i]; i++) {
- switch (format[i]) {
- case 'U':
- s = va_arg(ap, char *);
- n = str_charnum(s);
- SSVAL(blob->data, head_ofs, n*2); head_ofs += 2;
- SSVAL(blob->data, head_ofs, n*2); head_ofs += 2;
- SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4;
- push_string_check(blob->data+data_ofs,
- s, n*2, STR_UNICODE|STR_NOALIGN);
- data_ofs += n*2;
- break;
- case 'A':
- s = va_arg(ap, char *);
- n = str_ascii_charnum(s);
- SSVAL(blob->data, head_ofs, n); head_ofs += 2;
- SSVAL(blob->data, head_ofs, n); head_ofs += 2;
- SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4;
- push_string_check(blob->data+data_ofs,
- s, n, STR_ASCII|STR_NOALIGN);
- data_ofs += n;
- break;
- case 'a':
- n = va_arg(ap, int);
- SSVAL(blob->data, data_ofs, n); data_ofs += 2;
- s = va_arg(ap, char *);
- n = str_charnum(s);
- SSVAL(blob->data, data_ofs, n*2); data_ofs += 2;
- if (0 < n) {
- push_string_check(blob->data+data_ofs, s, n*2,
- STR_UNICODE|STR_NOALIGN);
- }
- data_ofs += n*2;
- break;
-
- case 'B':
- b = va_arg(ap, uint8 *);
- n = va_arg(ap, int);
- SSVAL(blob->data, head_ofs, n); head_ofs += 2;
- SSVAL(blob->data, head_ofs, n); head_ofs += 2;
- SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4;
- if (n && b) /* don't follow null pointers... */
- memcpy(blob->data+data_ofs, b, n);
- data_ofs += n;
- break;
- case 'd':
- n = va_arg(ap, int);
- SIVAL(blob->data, head_ofs, n); head_ofs += 4;
- break;
- case 'b':
- b = va_arg(ap, uint8 *);
- n = va_arg(ap, int);
- memcpy(blob->data + head_ofs, b, n);
- head_ofs += n;
- break;
- case 'C':
- s = va_arg(ap, char *);
- n = str_charnum(s) + 1;
- head_ofs += push_string_check(blob->data+head_ofs, s, n,
- STR_ASCII|STR_TERMINATE);
- break;
- }
- }
- va_end(ap);
-
- return true;
-}
-
-
-/* a helpful macro to avoid running over the end of our blob */
-#define NEED_DATA(amount) \
-if ((head_ofs + amount) > blob->length) { \
- va_end(ap); \
- return False; \
-}
-
-/*
- this is a tiny msrpc packet parser. This the the partner of msrpc_gen
-
- format specifiers are:
-
- U = unicode string (output is unix string)
- A = ascii string
- B = data blob
- b = data blob in header
- d = word (4 bytes)
- C = constant ascii string
- */
-
-bool msrpc_parse(const DATA_BLOB *blob,
- const char *format, ...)
-{
- int i;
- va_list ap;
- char **ps, *s;
- DATA_BLOB *b;
- size_t head_ofs = 0;
- uint16 len1, len2;
- uint32 ptr;
- uint32 *v;
-
- va_start(ap, format);
- for (i=0; format[i]; i++) {
- switch (format[i]) {
- case 'U':
- NEED_DATA(8);
- len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
- len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
- ptr = IVAL(blob->data, head_ofs); head_ofs += 4;
-
- ps = va_arg(ap, char **);
- if (len1 == 0 && len2 == 0) {
- *ps = smb_xstrdup("");
- } else {
- /* make sure its in the right format
- * be strict */
- if ((len1 != len2) || (ptr + len1 < ptr) ||
- (ptr + len1 < len1) ||
- (ptr + len1 > blob->length)) {
- va_end(ap);
- return false;
- }
- if (len1 & 1) {
- /* if odd length and unicode */
- va_end(ap);
- return false;
- }
- if (blob->data + ptr <
- (uint8 *)(unsigned long)ptr ||
- blob->data + ptr < blob->data) {
- va_end(ap);
- return false;
- }
-
- if (0 < len1) {
- char *p = NULL;
- pull_string_talloc(talloc_tos(),
- NULL,
- 0,
- &p,
- blob->data + ptr,
- len1,
- STR_UNICODE|STR_NOALIGN);
- if (p) {
- (*ps) = smb_xstrdup(p);
- TALLOC_FREE(p);
- } else {
- (*ps) = smb_xstrdup("");
- }
- } else {
- (*ps) = smb_xstrdup("");
- }
- }
- break;
- case 'A':
- NEED_DATA(8);
- len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
- len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
- ptr = IVAL(blob->data, head_ofs); head_ofs += 4;
-
- ps = va_arg(ap, char **);
- /* make sure its in the right format - be strict */
- if (len1 == 0 && len2 == 0) {
- *ps = smb_xstrdup("");
- } else {
- if ((len1 != len2) || (ptr + len1 < ptr) ||
- (ptr + len1 < len1) ||
- (ptr + len1 > blob->length)) {
- va_end(ap);
- return false;
- }
-
- if (blob->data + ptr <
- (uint8 *)(unsigned long)ptr ||
- blob->data + ptr < blob->data) {
- va_end(ap);
- return false;
- }
-
- if (0 < len1) {
- char *p = NULL;
- pull_string_talloc(talloc_tos(),
- NULL,
- 0,
- &p,
- blob->data + ptr,
- len1,
- STR_ASCII|STR_NOALIGN);
- if (p) {
- (*ps) = smb_xstrdup(p);
- TALLOC_FREE(p);
- } else {
- (*ps) = smb_xstrdup("");
- }
- } else {
- (*ps) = smb_xstrdup("");
- }
- }
- break;
- case 'B':
- NEED_DATA(8);
- len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
- len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
- ptr = IVAL(blob->data, head_ofs); head_ofs += 4;
-
- b = (DATA_BLOB *)va_arg(ap, void *);
- if (len1 == 0 && len2 == 0) {
- *b = data_blob_null;
- } else {
- /* make sure its in the right format
- * be strict */
- if ((len1 != len2) || (ptr + len1 < ptr) ||
- (ptr + len1 < len1) ||
- (ptr + len1 > blob->length)) {
- va_end(ap);
- return false;
- }
-
- if (blob->data + ptr <
- (uint8 *)(unsigned long)ptr ||
- blob->data + ptr < blob->data) {
- va_end(ap);
- return false;
- }
-
- *b = data_blob(blob->data + ptr, len1);
- }
- break;
- case 'b':
- b = (DATA_BLOB *)va_arg(ap, void *);
- len1 = va_arg(ap, unsigned);
- /* make sure its in the right format - be strict */
- NEED_DATA(len1);
- if (blob->data + head_ofs < (uint8 *)head_ofs ||
- blob->data + head_ofs < blob->data) {
- va_end(ap);
- return false;
- }
-
- *b = data_blob(blob->data + head_ofs, len1);
- head_ofs += len1;
- break;
- case 'd':
- v = va_arg(ap, uint32 *);
- NEED_DATA(4);
- *v = IVAL(blob->data, head_ofs); head_ofs += 4;
- break;
- case 'C':
- s = va_arg(ap, char *);
-
- if (blob->data + head_ofs < (uint8 *)head_ofs ||
- blob->data + head_ofs < blob->data) {
- va_end(ap);
- return false;
- }
-
- {
- char *p = NULL;
- size_t ret = pull_string_talloc(talloc_tos(),
- NULL,
- 0,
- &p,
- blob->data+head_ofs,
- blob->length - head_ofs,
- STR_ASCII|STR_TERMINATE);
- if (ret == (size_t)-1 || p == NULL) {
- va_end(ap);
- return false;
- }
- head_ofs += ret;
- if (strcmp(s, p) != 0) {
- TALLOC_FREE(p);
- va_end(ap);
- return false;
- }
- TALLOC_FREE(p);
- }
- break;
- }
- }
- va_end(ap);
-
- return True;
-}
diff --git a/source3/libsmb/smbdes.c b/source3/libsmb/smbdes.c
deleted file mode 100644
index 8087d66799..0000000000
--- a/source3/libsmb/smbdes.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- a partial implementation of DES designed for use in the
- SMB authentication protocol
-
- Copyright (C) Andrew Tridgell 1998
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-
-/* NOTES:
-
- This code makes no attempt to be fast! In fact, it is a very
- slow implementation
-
- This code is NOT a complete DES implementation. It implements only
- the minimum necessary for SMB authentication, as used by all SMB
- products (including every copy of Microsoft Windows95 ever sold)
-
- In particular, it can only do a unchained forward DES pass. This
- means it is not possible to use this code for encryption/decryption
- of data, instead it is only useful as a "hash" algorithm.
-
- There is no entry point into this code that allows normal DES operation.
-
- I believe this means that this code does not come under ITAR
- regulations but this is NOT a legal opinion. If you are concerned
- about the applicability of ITAR regulations to this code then you
- should confirm it for yourself (and maybe let me know if you come
- up with a different answer to the one above)
-*/
-
-
-#define uchar unsigned char
-
-static const uchar perm1[56] = {57, 49, 41, 33, 25, 17, 9,
- 1, 58, 50, 42, 34, 26, 18,
- 10, 2, 59, 51, 43, 35, 27,
- 19, 11, 3, 60, 52, 44, 36,
- 63, 55, 47, 39, 31, 23, 15,
- 7, 62, 54, 46, 38, 30, 22,
- 14, 6, 61, 53, 45, 37, 29,
- 21, 13, 5, 28, 20, 12, 4};
-
-static const uchar perm2[48] = {14, 17, 11, 24, 1, 5,
- 3, 28, 15, 6, 21, 10,
- 23, 19, 12, 4, 26, 8,
- 16, 7, 27, 20, 13, 2,
- 41, 52, 31, 37, 47, 55,
- 30, 40, 51, 45, 33, 48,
- 44, 49, 39, 56, 34, 53,
- 46, 42, 50, 36, 29, 32};
-
-static const uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
- 60, 52, 44, 36, 28, 20, 12, 4,
- 62, 54, 46, 38, 30, 22, 14, 6,
- 64, 56, 48, 40, 32, 24, 16, 8,
- 57, 49, 41, 33, 25, 17, 9, 1,
- 59, 51, 43, 35, 27, 19, 11, 3,
- 61, 53, 45, 37, 29, 21, 13, 5,
- 63, 55, 47, 39, 31, 23, 15, 7};
-
-static const uchar perm4[48] = { 32, 1, 2, 3, 4, 5,
- 4, 5, 6, 7, 8, 9,
- 8, 9, 10, 11, 12, 13,
- 12, 13, 14, 15, 16, 17,
- 16, 17, 18, 19, 20, 21,
- 20, 21, 22, 23, 24, 25,
- 24, 25, 26, 27, 28, 29,
- 28, 29, 30, 31, 32, 1};
-
-static const uchar perm5[32] = { 16, 7, 20, 21,
- 29, 12, 28, 17,
- 1, 15, 23, 26,
- 5, 18, 31, 10,
- 2, 8, 24, 14,
- 32, 27, 3, 9,
- 19, 13, 30, 6,
- 22, 11, 4, 25};
-
-
-static const uchar perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
- 39, 7, 47, 15, 55, 23, 63, 31,
- 38, 6, 46, 14, 54, 22, 62, 30,
- 37, 5, 45, 13, 53, 21, 61, 29,
- 36, 4, 44, 12, 52, 20, 60, 28,
- 35, 3, 43, 11, 51, 19, 59, 27,
- 34, 2, 42, 10, 50, 18, 58, 26,
- 33, 1, 41, 9, 49, 17, 57, 25};
-
-
-static const uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
-
-static const uchar sbox[8][4][16] = {
- {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
- {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
- {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
- {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
-
- {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
- {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
- {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
- {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
-
- {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
- {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
- {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
- {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
-
- {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
- {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
- {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
- {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
-
- {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
- {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
- {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
- {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
-
- {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
- {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
- {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
-
- {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
- {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
- {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
- {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
-
- {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
- {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
- {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
- {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
-
-static void permute(char *out, const char *in, const uchar *p, int n)
-{
- int i;
- for (i=0;i<n;i++)
- out[i] = in[p[i]-1];
-}
-
-static void lshift(char *d, int count, int n)
-{
- char out[64];
- int i;
- for (i=0;i<n;i++)
- out[i] = d[(i+count)%n];
- for (i=0;i<n;i++)
- d[i] = out[i];
-}
-
-static void concat(char *out, char *in1, char *in2, int l1, int l2)
-{
- while (l1--)
- *out++ = *in1++;
- while (l2--)
- *out++ = *in2++;
-}
-
-static void x_or(char *out, char *in1, char *in2, int n)
-{
- int i;
- for (i=0;i<n;i++)
- out[i] = in1[i] ^ in2[i];
-}
-
-static void dohash(char *out, char *in, char *key, int forw)
-{
- int i, j, k;
- char pk1[56];
- char c[28];
- char d[28];
- char cd[56];
- char ki[16][48];
- char pd1[64];
- char l[32], r[32];
- char rl[64];
-
- permute(pk1, key, perm1, 56);
-
- for (i=0;i<28;i++)
- c[i] = pk1[i];
- for (i=0;i<28;i++)
- d[i] = pk1[i+28];
-
- for (i=0;i<16;i++) {
- lshift(c, sc[i], 28);
- lshift(d, sc[i], 28);
-
- concat(cd, c, d, 28, 28);
- permute(ki[i], cd, perm2, 48);
- }
-
- permute(pd1, in, perm3, 64);
-
- for (j=0;j<32;j++) {
- l[j] = pd1[j];
- r[j] = pd1[j+32];
- }
-
- for (i=0;i<16;i++) {
- char er[48];
- char erk[48];
- char b[8][6];
- char cb[32];
- char pcb[32];
- char r2[32];
-
- permute(er, r, perm4, 48);
-
- x_or(erk, er, ki[forw ? i : 15 - i], 48);
-
- for (j=0;j<8;j++)
- for (k=0;k<6;k++)
- b[j][k] = erk[j*6 + k];
-
- for (j=0;j<8;j++) {
- int m, n;
- m = (b[j][0]<<1) | b[j][5];
-
- n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4];
-
- for (k=0;k<4;k++)
- b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0;
- }
-
- for (j=0;j<8;j++)
- for (k=0;k<4;k++)
- cb[j*4+k] = b[j][k];
- permute(pcb, cb, perm5, 32);
-
- x_or(r2, l, pcb, 32);
-
- for (j=0;j<32;j++)
- l[j] = r[j];
-
- for (j=0;j<32;j++)
- r[j] = r2[j];
- }
-
- concat(rl, r, l, 32, 32);
-
- permute(out, rl, perm6, 64);
-}
-
-/* Convert a 7 byte string to an 8 byte key. */
-static void str_to_key(const unsigned char str[7], unsigned char key[8])
-{
- int i;
-
- key[0] = str[0]>>1;
- key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
- key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
- key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
- key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
- key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
- key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
- key[7] = str[6]&0x7F;
- for (i=0;i<8;i++) {
- key[i] = (key[i]<<1);
- }
-}
-
-
-void des_crypt56(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw)
-{
- int i;
- char outb[64];
- char inb[64];
- char keyb[64];
- unsigned char key2[8];
-
- str_to_key(key, key2);
-
- for (i=0;i<64;i++) {
- inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
- keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
- outb[i] = 0;
- }
-
- dohash(outb, inb, keyb, forw);
-
- for (i=0;i<8;i++) {
- out[i] = 0;
- }
-
- for (i=0;i<64;i++) {
- if (outb[i])
- out[i/8] |= (1<<(7-(i%8)));
- }
-}
-
-void E_P16(const unsigned char *p14,unsigned char *p16)
-{
- unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
- des_crypt56(p16, sp8, p14, 1);
- des_crypt56(p16+8, sp8, p14+7, 1);
-}
-
-void E_P24(const unsigned char *p21, const unsigned char *c8, unsigned char *p24)
-{
- des_crypt56(p24, c8, p21, 1);
- des_crypt56(p24+8, c8, p21+7, 1);
- des_crypt56(p24+16, c8, p21+14, 1);
-}
-
-void D_P16(const unsigned char *p14, const unsigned char *in, unsigned char *out)
-{
- des_crypt56(out, in, p14, 0);
- des_crypt56(out+8, in+8, p14+7, 0);
-}
-
-void E_old_pw_hash( unsigned char *p14, const unsigned char *in, unsigned char *out)
-{
- des_crypt56(out, in, p14, 1);
- des_crypt56(out+8, in+8, p14+7, 1);
-}
-
-/* forward des encryption with a 128 bit key */
-void des_crypt128(unsigned char out[8], const unsigned char in[8], const unsigned char key[16])
-{
- unsigned char buf[8];
-
- des_crypt56(buf, in, key, 1);
- des_crypt56(out, buf, key+9, 1);
-}
-
-/* forward des encryption with a 64 bit key */
-void des_crypt64(unsigned char out[8], const unsigned char in[8], const unsigned char key[8])
-{
- unsigned char buf[8];
- unsigned char key2[8];
-
- memset(key2,'\0',8);
- des_crypt56(buf, in, key, 1);
- key2[0] = key[7];
- des_crypt56(out, buf, key2, 1);
-}
-
-/* des encryption with a 112 bit (14 byte) key */
-/* Note that if the forw is 1, and key is actually 8 bytes of key, followed by 6 bytes of zeros,
- this is identical to des_crypt64(). JRA. */
-
-void des_crypt112(unsigned char out[8], const unsigned char in[8], const unsigned char key[14], int forw)
-{
- unsigned char buf[8];
- des_crypt56(buf, in, key, forw);
- des_crypt56(out, buf, key+7, forw);
-}
-
-void cred_hash3(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw)
-{
- unsigned char key2[8];
-
- memset(key2,'\0',8);
- des_crypt56(out, in, key, forw);
- key2[0] = key[7];
- des_crypt56(out + 8, in + 8, key2, forw);
-}
-
-/* des encryption of a 16 byte lump of data with a 112 bit key */
-/* Note that if the key is actually 8 bytes of key, followed by 6 bytes of zeros,
- this is identical to cred_hash3(). JRA. */
-
-void des_crypt112_16(unsigned char out[16], unsigned char in[16], const unsigned char key[14], int forw)
-{
- des_crypt56(out, in, key, forw);
- des_crypt56(out + 8, in + 8, key+7, forw);
-}
-
-/*****************************************************************
- arc4 crypt/decrypt with a 16 byte key.
-*****************************************************************/
-
-void SamOEMhash( unsigned char *data, const unsigned char key[16], size_t len)
-{
- struct arcfour_state arc4_state;
- const DATA_BLOB keyblob = data_blob_const(key, 16);
-
- arcfour_init(&arc4_state, &keyblob);
- arcfour_crypt_sbox(&arc4_state, data, len);
-}
-
-void SamOEMhashBlob( unsigned char *data, size_t len, DATA_BLOB *key)
-{
- struct arcfour_state arc4_state;
-
- arcfour_init(&arc4_state, key);
- arcfour_crypt_sbox(&arc4_state, data, len);
-}
-
-/* Decode a sam password hash into a password. The password hash is the
- same method used to store passwords in the NT registry. The DES key
- used is based on the RID of the user. */
-
-void sam_pwd_hash(unsigned int rid, const uchar *in, uchar *out, int forw)
-{
- uchar s[14];
-
- s[0] = s[4] = s[8] = s[12] = (uchar)(rid & 0xFF);
- s[1] = s[5] = s[9] = s[13] = (uchar)((rid >> 8) & 0xFF);
- s[2] = s[6] = s[10] = (uchar)((rid >> 16) & 0xFF);
- s[3] = s[7] = s[11] = (uchar)((rid >> 24) & 0xFF);
-
- des_crypt56(out, in, s, forw);
- des_crypt56(out+8, in+8, s+7, forw);
-}
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
deleted file mode 100644
index 27702b9f42..0000000000
--- a/source3/libsmb/smbencrypt.c
+++ /dev/null
@@ -1,898 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- SMB parameters and setup
- Copyright (C) Andrew Tridgell 1992-1998
- Modified by Jeremy Allison 1995.
- Copyright (C) Jeremy Allison 1995-2000.
- Copyright (C) Luke Kennethc Casson Leighton 1996-2000.
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2002-2003
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "../lib/util/byteorder.h"
-
-void SMBencrypt_hash(const uchar lm_hash[16], const uchar *c8, uchar p24[24])
-{
- uchar p21[21];
-
- memset(p21,'\0',21);
- memcpy(p21, lm_hash, 16);
-
- SMBOWFencrypt(p21, c8, p24);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("SMBencrypt_hash: lm#, challenge, response\n"));
- dump_data(100, p21, 16);
- dump_data(100, c8, 8);
- dump_data(100, p24, 24);
-#endif
-}
-
-/*
- This implements the X/Open SMB password encryption
- It takes a password ('unix' string), a 8 byte "crypt key"
- and puts 24 bytes of encrypted password into p24
-
- Returns False if password must have been truncated to create LM hash
-*/
-
-bool SMBencrypt(const char *passwd, const uchar *c8, uchar p24[24])
-{
- bool ret;
- uchar lm_hash[16];
-
- ret = E_deshash(passwd, lm_hash);
- SMBencrypt_hash(lm_hash, c8, p24);
- return ret;
-}
-
-/**
- * Creates the MD4 Hash of the users password in NT UNICODE.
- * @param passwd password in 'unix' charset.
- * @param p16 return password hashed with md4, caller allocated 16 byte buffer
- */
-
-void E_md4hash(const char *passwd, uchar p16[16])
-{
- int len;
- smb_ucs2_t wpwd[129];
-
- /* Password must be converted to NT unicode - null terminated. */
- push_ucs2(NULL, wpwd, (const char *)passwd, 256, STR_UNICODE|STR_NOALIGN|STR_TERMINATE);
- /* Calculate length in bytes */
- len = strlen_w(wpwd) * sizeof(int16);
-
- mdfour(p16, (unsigned char *)wpwd, len);
- ZERO_STRUCT(wpwd);
-}
-
-/**
- * Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
- * @param 16 byte salt.
- * @param 16 byte NT hash.
- * @param 16 byte return hashed with md5, caller allocated 16 byte buffer
- */
-
-void E_md5hash(const uchar salt[16], const uchar nthash[16], uchar hash_out[16])
-{
- struct MD5Context tctx;
- uchar array[32];
-
- memset(hash_out, '\0', 16);
- memcpy(array, salt, 16);
- memcpy(&array[16], nthash, 16);
- MD5Init(&tctx);
- MD5Update(&tctx, array, 32);
- MD5Final(hash_out, &tctx);
-}
-
-/**
- * Creates the DES forward-only Hash of the users password in DOS ASCII charset
- * @param passwd password in 'unix' charset.
- * @param p16 return password hashed with DES, caller allocated 16 byte buffer
- * @return False if password was > 14 characters, and therefore may be incorrect, otherwise True
- * @note p16 is filled in regardless
- */
-
-bool E_deshash(const char *passwd, uchar p16[16])
-{
- bool ret = True;
- fstring dospwd;
- ZERO_STRUCT(dospwd);
-
- /* Password must be converted to DOS charset - null terminated, uppercase. */
- push_ascii(dospwd, passwd, sizeof(dospwd), STR_UPPER|STR_TERMINATE);
-
- /* Only the fisrt 14 chars are considered, password need not be null terminated. */
- E_P16((const unsigned char *)dospwd, p16);
-
- if (strlen(dospwd) > 14) {
- ret = False;
- }
-
- ZERO_STRUCT(dospwd);
-
- return ret;
-}
-
-/**
- * Creates the MD4 and DES (LM) Hash of the users password.
- * MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password.
- * @param passwd password in 'unix' charset.
- * @param nt_p16 return password hashed with md4, caller allocated 16 byte buffer
- * @param p16 return password hashed with des, caller allocated 16 byte buffer
- */
-
-/* Does both the NT and LM owfs of a user's password */
-void nt_lm_owf_gen(const char *pwd, uchar nt_p16[16], uchar p16[16])
-{
- /* Calculate the MD4 hash (NT compatible) of the password */
- memset(nt_p16, '\0', 16);
- E_md4hash(pwd, nt_p16);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("nt_lm_owf_gen: pwd, nt#\n"));
- dump_data(120, (uint8 *)pwd, strlen(pwd));
- dump_data(100, nt_p16, 16);
-#endif
-
- E_deshash(pwd, (uchar *)p16);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("nt_lm_owf_gen: pwd, lm#\n"));
- dump_data(120, (uint8 *)pwd, strlen(pwd));
- dump_data(100, p16, 16);
-#endif
-}
-
-/* Does both the NTLMv2 owfs of a user's password */
-bool ntv2_owf_gen(const uchar owf[16],
- const char *user_in, const char *domain_in,
- bool upper_case_domain, /* Transform the domain into UPPER case */
- uchar kr_buf[16])
-{
- smb_ucs2_t *user;
- smb_ucs2_t *domain;
-
- size_t user_byte_len;
- size_t domain_byte_len;
-
- HMACMD5Context ctx;
-
- if (!push_ucs2_talloc(NULL, &user, user_in, &user_byte_len)) {
- DEBUG(0, ("push_uss2_talloc() for user failed: %s\n",
- strerror(errno)));
- return False;
- }
-
- if (!push_ucs2_talloc(NULL, &domain, domain_in, &domain_byte_len)) {
- DEBUG(0, ("push_uss2_talloc() for domain failed: %s\n",
- strerror(errno)));
- TALLOC_FREE(user);
- return False;
- }
-
- strupper_w(user);
-
- if (upper_case_domain)
- strupper_w(domain);
-
- SMB_ASSERT(user_byte_len >= 2);
- SMB_ASSERT(domain_byte_len >= 2);
-
- /* We don't want null termination */
- user_byte_len = user_byte_len - 2;
- domain_byte_len = domain_byte_len - 2;
-
- hmac_md5_init_limK_to_64(owf, 16, &ctx);
- hmac_md5_update((const unsigned char *)user, user_byte_len, &ctx);
- hmac_md5_update((const unsigned char *)domain, domain_byte_len, &ctx);
- hmac_md5_final(kr_buf, &ctx);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("ntv2_owf_gen: user, domain, owfkey, kr\n"));
- dump_data(100, (uint8 *)user, user_byte_len);
- dump_data(100, (uint8 *)domain, domain_byte_len);
- dump_data(100, (uint8 *)owf, 16);
- dump_data(100, (uint8 *)kr_buf, 16);
-#endif
-
- TALLOC_FREE(user);
- TALLOC_FREE(domain);
- return True;
-}
-
-/* Does the des encryption from the NT or LM MD4 hash. */
-void SMBOWFencrypt(const uchar passwd[16], const uchar *c8, uchar p24[24])
-{
- uchar p21[21];
-
- ZERO_STRUCT(p21);
-
- memcpy(p21, passwd, 16);
- E_P24(p21, c8, p24);
-}
-
-/* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */
-void NTLMSSPOWFencrypt(const uchar passwd[8], const uchar *ntlmchalresp, uchar p24[24])
-{
- uchar p21[21];
-
- memset(p21,'\0',21);
- memcpy(p21, passwd, 8);
- memset(p21 + 8, 0xbd, 8);
-
- E_P24(p21, ntlmchalresp, p24);
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("NTLMSSPOWFencrypt: p21, c8, p24\n"));
- dump_data(100, p21, 21);
- dump_data(100, ntlmchalresp, 8);
- dump_data(100, p24, 24);
-#endif
-}
-
-
-/* Does the des encryption. */
-
-void SMBNTencrypt_hash(const uchar nt_hash[16], uchar *c8, uchar *p24)
-{
- uchar p21[21];
-
- memset(p21,'\0',21);
- memcpy(p21, nt_hash, 16);
- SMBOWFencrypt(p21, c8, p24);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n"));
- dump_data(100, p21, 16);
- dump_data(100, c8, 8);
- dump_data(100, p24, 24);
-#endif
-}
-
-/* Does the NT MD4 hash then des encryption. Plaintext version of the above. */
-
-void SMBNTencrypt(const char *passwd, uchar *c8, uchar *p24)
-{
- uchar nt_hash[16];
- E_md4hash(passwd, nt_hash);
- SMBNTencrypt_hash(nt_hash, c8, p24);
-}
-
-/* Does the md5 encryption from the Key Response for NTLMv2. */
-void SMBOWFencrypt_ntv2(const uchar kr[16],
- const DATA_BLOB *srv_chal,
- const DATA_BLOB *cli_chal,
- uchar resp_buf[16])
-{
- HMACMD5Context ctx;
-
- hmac_md5_init_limK_to_64(kr, 16, &ctx);
- hmac_md5_update(srv_chal->data, srv_chal->length, &ctx);
- hmac_md5_update(cli_chal->data, cli_chal->length, &ctx);
- hmac_md5_final(resp_buf, &ctx);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, cli_chal, resp_buf\n"));
- dump_data(100, srv_chal->data, srv_chal->length);
- dump_data(100, cli_chal->data, cli_chal->length);
- dump_data(100, resp_buf, 16);
-#endif
-}
-
-void SMBsesskeygen_ntv2(const uchar kr[16],
- const uchar * nt_resp, uint8 sess_key[16])
-{
- /* a very nice, 128 bit, variable session key */
-
- HMACMD5Context ctx;
-
- hmac_md5_init_limK_to_64(kr, 16, &ctx);
- hmac_md5_update(nt_resp, 16, &ctx);
- hmac_md5_final((unsigned char *)sess_key, &ctx);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("SMBsesskeygen_ntv2:\n"));
- dump_data(100, sess_key, 16);
-#endif
-}
-
-void SMBsesskeygen_ntv1(const uchar kr[16],
- const uchar * nt_resp, uint8 sess_key[16])
-{
- /* yes, this session key does not change - yes, this
- is a problem - but it is 128 bits */
-
- mdfour((unsigned char *)sess_key, kr, 16);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("SMBsesskeygen_ntv1:\n"));
- dump_data(100, sess_key, 16);
-#endif
-}
-
-void SMBsesskeygen_lm_sess_key(const uchar lm_hash[16],
- const uchar lm_resp[24], /* only uses 8 */
- uint8 sess_key[16])
-{
- uchar p24[24];
- uchar partial_lm_hash[16];
-
- memcpy(partial_lm_hash, lm_hash, 8);
- memset(partial_lm_hash + 8, 0xbd, 8);
-
- SMBOWFencrypt(partial_lm_hash, lm_resp, p24);
-
- memcpy(sess_key, p24, 16);
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("SMBsesskeygen_lmv1_jerry:\n"));
- dump_data(100, sess_key, 16);
-#endif
-}
-
-DATA_BLOB NTLMv2_generate_names_blob(const char *hostname,
- const char *domain)
-{
- DATA_BLOB names_blob = data_blob_null;
-
- msrpc_gen(&names_blob, "aaa",
- NTLMSSP_NAME_TYPE_DOMAIN, domain,
- NTLMSSP_NAME_TYPE_SERVER, hostname,
- 0, "");
- return names_blob;
-}
-
-static DATA_BLOB NTLMv2_generate_client_data(const DATA_BLOB *names_blob)
-{
- uchar client_chal[8];
- DATA_BLOB response = data_blob_null;
- char long_date[8];
-
- generate_random_buffer(client_chal, sizeof(client_chal));
-
- put_long_date(long_date, time(NULL));
-
- /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */
-
- msrpc_gen(&response, "ddbbdb",
- 0x00000101, /* Header */
- 0, /* 'Reserved' */
- long_date, 8, /* Timestamp */
- client_chal, 8, /* client challenge */
- 0, /* Unknown */
- names_blob->data, names_blob->length); /* End of name list */
-
- return response;
-}
-
-static DATA_BLOB NTLMv2_generate_response(const uchar ntlm_v2_hash[16],
- const DATA_BLOB *server_chal,
- const DATA_BLOB *names_blob)
-{
- uchar ntlmv2_response[16];
- DATA_BLOB ntlmv2_client_data;
- DATA_BLOB final_response;
-
- /* NTLMv2 */
- /* generate some data to pass into the response function - including
- the hostname and domain name of the server */
- ntlmv2_client_data = NTLMv2_generate_client_data(names_blob);
-
- /* Given that data, and the challenge from the server, generate a response */
- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response);
-
- final_response = data_blob(NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length);
-
- memcpy(final_response.data, ntlmv2_response, sizeof(ntlmv2_response));
-
- memcpy(final_response.data+sizeof(ntlmv2_response),
- ntlmv2_client_data.data, ntlmv2_client_data.length);
-
- data_blob_free(&ntlmv2_client_data);
-
- return final_response;
-}
-
-static DATA_BLOB LMv2_generate_response(const uchar ntlm_v2_hash[16],
- const DATA_BLOB *server_chal)
-{
- uchar lmv2_response[16];
- DATA_BLOB lmv2_client_data = data_blob(NULL, 8);
- DATA_BLOB final_response = data_blob(NULL, 24);
-
- /* LMv2 */
- /* client-supplied random data */
- generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length);
-
- /* Given that data, and the challenge from the server, generate a response */
- SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response);
- memcpy(final_response.data, lmv2_response, sizeof(lmv2_response));
-
- /* after the first 16 bytes is the random data we generated above,
- so the server can verify us with it */
- memcpy(final_response.data+sizeof(lmv2_response),
- lmv2_client_data.data, lmv2_client_data.length);
-
- data_blob_free(&lmv2_client_data);
-
- return final_response;
-}
-
-bool SMBNTLMv2encrypt_hash(const char *user, const char *domain, const uchar nt_hash[16],
- const DATA_BLOB *server_chal,
- const DATA_BLOB *names_blob,
- DATA_BLOB *lm_response, DATA_BLOB *nt_response,
- DATA_BLOB *user_session_key)
-{
- uchar ntlm_v2_hash[16];
-
- /* We don't use the NT# directly. Instead we use it mashed up with
- the username and domain.
- This prevents username swapping during the auth exchange
- */
- if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) {
- return False;
- }
-
- if (nt_response) {
- *nt_response = NTLMv2_generate_response(ntlm_v2_hash, server_chal,
- names_blob);
- if (user_session_key) {
- *user_session_key = data_blob(NULL, 16);
-
- /* The NTLMv2 calculations also provide a session key, for signing etc later */
- /* use only the first 16 bytes of nt_response for session key */
- SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, user_session_key->data);
- }
- }
-
- /* LMv2 */
-
- if (lm_response) {
- *lm_response = LMv2_generate_response(ntlm_v2_hash, server_chal);
- }
-
- return True;
-}
-
-/* Plaintext version of the above. */
-
-bool SMBNTLMv2encrypt(const char *user, const char *domain, const char *password,
- const DATA_BLOB *server_chal,
- const DATA_BLOB *names_blob,
- DATA_BLOB *lm_response, DATA_BLOB *nt_response,
- DATA_BLOB *user_session_key)
-{
- uchar nt_hash[16];
- E_md4hash(password, nt_hash);
-
- return SMBNTLMv2encrypt_hash(user, domain, nt_hash,
- server_chal,
- names_blob,
- lm_response, nt_response,
- user_session_key);
-}
-
-/***********************************************************
- encode a password buffer with a unicode password. The buffer
- is filled with random data to make it harder to attack.
-************************************************************/
-bool encode_pw_buffer(uint8 buffer[516], const char *password, int string_flags)
-{
- uchar new_pw[512];
- size_t new_pw_len;
-
- /* the incoming buffer can be any alignment. */
- string_flags |= STR_NOALIGN;
-
- new_pw_len = push_string_check(new_pw,
- password,
- sizeof(new_pw), string_flags);
-
- memcpy(&buffer[512 - new_pw_len], new_pw, new_pw_len);
-
- generate_random_buffer(buffer, 512 - new_pw_len);
-
- /*
- * The length of the new password is in the last 4 bytes of
- * the data buffer.
- */
- SIVAL(buffer, 512, new_pw_len);
- ZERO_STRUCT(new_pw);
- return True;
-}
-
-
-/***********************************************************
- decode a password buffer
- *new_pw_len is the length in bytes of the possibly mulitbyte
- returned password including termination.
-************************************************************/
-
-bool decode_pw_buffer(TALLOC_CTX *ctx,
- uint8 in_buffer[516],
- char **pp_new_pwrd,
- uint32 *new_pw_len,
- int string_flags)
-{
- int byte_len=0;
-
- *pp_new_pwrd = NULL;
- *new_pw_len = 0;
-
- /* the incoming buffer can be any alignment. */
- string_flags |= STR_NOALIGN;
-
- /*
- Warning !!! : This function is called from some rpc call.
- The password IN the buffer may be a UNICODE string.
- The password IN new_pwrd is an ASCII string
- If you reuse that code somewhere else check first.
- */
-
- /* The length of the new password is in the last 4 bytes of the data buffer. */
-
- byte_len = IVAL(in_buffer, 512);
-
-#ifdef DEBUG_PASSWORD
- dump_data(100, in_buffer, 516);
-#endif
-
- /* Password cannot be longer than the size of the password buffer */
- if ( (byte_len < 0) || (byte_len > 512)) {
- DEBUG(0, ("decode_pw_buffer: incorrect password length (%d).\n", byte_len));
- DEBUG(0, ("decode_pw_buffer: check that 'encrypt passwords = yes'\n"));
- return false;
- }
-
- /* decode into the return buffer. */
- *new_pw_len = pull_string_talloc(ctx,
- NULL,
- 0,
- pp_new_pwrd,
- &in_buffer[512 - byte_len],
- byte_len,
- string_flags);
-
- if (!*pp_new_pwrd || *new_pw_len == 0) {
- DEBUG(0, ("decode_pw_buffer: pull_string_talloc failed\n"));
- return false;
- }
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("decode_pw_buffer: new_pwrd: "));
- dump_data(100, (uint8 *)*pp_new_pwrd, *new_pw_len);
- DEBUG(100,("multibyte len:%d\n", *new_pw_len));
- DEBUG(100,("original char len:%d\n", byte_len/2));
-#endif
-
- return true;
-}
-
-/***********************************************************
- Decode an arc4 encrypted password change buffer.
-************************************************************/
-
-void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_BLOB *psession_key)
-{
- struct MD5Context tctx;
- unsigned char key_out[16];
-
- /* Confounder is last 16 bytes. */
-
- MD5Init(&tctx);
- MD5Update(&tctx, &pw_buf[516], 16);
- MD5Update(&tctx, psession_key->data, psession_key->length);
- MD5Final(key_out, &tctx);
- /* arc4 with key_out. */
- SamOEMhash(pw_buf, key_out, 516);
-}
-
-/***********************************************************
- Encrypt/Decrypt used for LSA secrets and trusted domain
- passwords.
-************************************************************/
-
-void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, int forward)
-{
- int i, k;
-
- for (i=0,k=0;
- i<in->length;
- i += 8, k += 7) {
- uint8 bin[8], bout[8], key[7];
-
- memset(bin, 0, 8);
- memcpy(bin, &in->data[i], MIN(8, in->length-i));
-
- if (k + 7 > session_key->length) {
- k = (session_key->length - k);
- }
- memcpy(key, &session_key->data[k], 7);
-
- des_crypt56(bout, bin, key, forward?1:0);
-
- memcpy(&out->data[i], bout, MIN(8, in->length-i));
- }
-}
-
-/* Decrypts password-blob with session-key
- * @param nt_hash NT hash for the session key
- * @param data_in DATA_BLOB encrypted password
- *
- * Returns cleartext password in CH_UNIX
- * Caller must free the returned string
- */
-
-char *decrypt_trustdom_secret(uint8_t nt_hash[16], DATA_BLOB *data_in)
-{
- DATA_BLOB data_out, sess_key;
- uint32_t length;
- uint32_t version;
- fstring cleartextpwd;
-
- if (!data_in || !nt_hash)
- return NULL;
-
- /* hashed twice with md4 */
- mdfour(nt_hash, nt_hash, 16);
-
- /* 16-Byte session-key */
- sess_key = data_blob(nt_hash, 16);
- if (sess_key.data == NULL)
- return NULL;
-
- data_out = data_blob(NULL, data_in->length);
- if (data_out.data == NULL)
- return NULL;
-
- /* decrypt with des3 */
- sess_crypt_blob(&data_out, data_in, &sess_key, 0);
-
- /* 4 Byte length, 4 Byte version */
- length = IVAL(data_out.data, 0);
- version = IVAL(data_out.data, 4);
-
- if (length > data_in->length - 8) {
- DEBUG(0,("decrypt_trustdom_secret: invalid length (%d)\n", length));
- return NULL;
- }
-
- if (version != 1) {
- DEBUG(0,("decrypt_trustdom_secret: unknown version number (%d)\n", version));
- return NULL;
- }
-
- rpcstr_pull(cleartextpwd, data_out.data + 8, sizeof(fstring), length, 0 );
-
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("decrypt_trustdom_secret: length is: %d, version is: %d, password is: %s\n",
- length, version, cleartextpwd));
-#endif
-
- data_blob_free(&data_out);
- data_blob_free(&sess_key);
-
- return SMB_STRDUP(cleartextpwd);
-
-}
-
-/* encode a wkssvc_PasswordBuffer:
- *
- * similar to samr_CryptPasswordEx. Different: 8byte confounder (instead of
- * 16byte), confounder in front of the 516 byte buffer (instead of after that
- * buffer), calling MD5Update() first with session_key and then with confounder
- * (vice versa in samr) - Guenther */
-
-void encode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- const char *pwd,
- DATA_BLOB *session_key,
- struct wkssvc_PasswordBuffer **pwd_buf)
-{
- uint8_t buffer[516];
- struct MD5Context ctx;
- struct wkssvc_PasswordBuffer *my_pwd_buf = NULL;
- DATA_BLOB confounded_session_key;
- int confounder_len = 8;
- uint8_t confounder[8];
-
- my_pwd_buf = talloc_zero(mem_ctx, struct wkssvc_PasswordBuffer);
- if (!my_pwd_buf) {
- return;
- }
-
- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-
- encode_pw_buffer(buffer, pwd, STR_UNICODE);
-
- generate_random_buffer((uint8_t *)confounder, confounder_len);
-
- MD5Init(&ctx);
- MD5Update(&ctx, session_key->data, session_key->length);
- MD5Update(&ctx, confounder, confounder_len);
- MD5Final(confounded_session_key.data, &ctx);
-
- SamOEMhashBlob(buffer, 516, &confounded_session_key);
-
- memcpy(&my_pwd_buf->data[0], confounder, confounder_len);
- memcpy(&my_pwd_buf->data[8], buffer, 516);
-
- data_blob_free(&confounded_session_key);
-
- *pwd_buf = my_pwd_buf;
-}
-
-WERROR decode_wkssvc_join_password_buffer(TALLOC_CTX *mem_ctx,
- struct wkssvc_PasswordBuffer *pwd_buf,
- DATA_BLOB *session_key,
- char **pwd)
-{
- uint8_t buffer[516];
- struct MD5Context ctx;
- uint32_t pwd_len;
-
- DATA_BLOB confounded_session_key;
-
- int confounder_len = 8;
- uint8_t confounder[8];
-
- *pwd = NULL;
-
- if (!pwd_buf) {
- return WERR_BAD_PASSWORD;
- }
-
- if (session_key->length != 16) {
- DEBUG(10,("invalid session key\n"));
- return WERR_BAD_PASSWORD;
- }
-
- confounded_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-
- memcpy(&confounder, &pwd_buf->data[0], confounder_len);
- memcpy(&buffer, &pwd_buf->data[8], 516);
-
- MD5Init(&ctx);
- MD5Update(&ctx, session_key->data, session_key->length);
- MD5Update(&ctx, confounder, confounder_len);
- MD5Final(confounded_session_key.data, &ctx);
-
- SamOEMhashBlob(buffer, 516, &confounded_session_key);
-
- if (!decode_pw_buffer(mem_ctx, buffer, pwd, &pwd_len, STR_UNICODE)) {
- data_blob_free(&confounded_session_key);
- return WERR_BAD_PASSWORD;
- }
-
- data_blob_free(&confounded_session_key);
-
- return WERR_OK;
-}
-
-DATA_BLOB decrypt_drsuapi_blob(TALLOC_CTX *mem_ctx,
- const DATA_BLOB *session_key,
- bool rcrypt,
- uint32_t rid,
- const DATA_BLOB *buffer)
-{
- DATA_BLOB confounder;
- DATA_BLOB enc_buffer;
-
- struct MD5Context md5;
- uint8_t _enc_key[16];
- DATA_BLOB enc_key;
-
- DATA_BLOB dec_buffer;
-
- uint32_t crc32_given;
- uint32_t crc32_calc;
- DATA_BLOB checked_buffer;
-
- DATA_BLOB plain_buffer;
-
- /*
- * the combination "c[3] s[1] e[1] d[0]..."
- * was successful!!!!!!!!!!!!!!!!!!!!!!!!!!
- */
-
- /*
- * the first 16 bytes at the beginning are the confounder
- * followed by the 4 byte crc32 checksum
- */
- if (buffer->length < 20) {
- return data_blob_const(NULL, 0);
- }
- confounder = data_blob_const(buffer->data, 16);
- enc_buffer = data_blob_const(buffer->data + 16, buffer->length - 16);
-
- /*
- * build the encryption key md5 over the session key followed
- * by the confounder
- *
- * here the gensec session key is used and
- * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
- */
- enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
- MD5Init(&md5);
- MD5Update(&md5, session_key->data, session_key->length);
- MD5Update(&md5, confounder.data, confounder.length);
- MD5Final(enc_key.data, &md5);
-
- /*
- * copy the encrypted buffer part and
- * decrypt it using the created encryption key using arcfour
- */
- dec_buffer = data_blob_talloc(mem_ctx, enc_buffer.data, enc_buffer.length);
- if (!dec_buffer.data) {
- return data_blob_const(NULL, 0);
- }
- SamOEMhashBlob(dec_buffer.data, dec_buffer.length, &enc_key);
-
- /*
- * the first 4 byte are the crc32 checksum
- * of the remaining bytes
- */
- crc32_given = IVAL(dec_buffer.data, 0);
- crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4);
- if (crc32_given != crc32_calc) {
- DEBUG(1,("CRC32: given[0x%08X] calc[0x%08X]\n",
- crc32_given, crc32_calc));
- return data_blob_const(NULL, 0);
- }
- checked_buffer = data_blob_talloc(mem_ctx, dec_buffer.data + 4, dec_buffer.length - 4);
- if (!checked_buffer.data) {
- return data_blob_const(NULL, 0);
- }
-
- /*
- * some attributes seem to be in a usable form after this decryption
- * (supplementalCredentials, priorValue, currentValue, trustAuthOutgoing,
- * trustAuthIncoming, initialAuthOutgoing, initialAuthIncoming)
- * At least supplementalCredentials contains plaintext
- * like "Primary:Kerberos" (in unicode form)
- *
- * some attributes seem to have some additional encryption
- * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
- *
- * it's the sam_rid_crypt() function, as the value is constant,
- * so it doesn't depend on sessionkeys.
- */
- if (rcrypt) {
- uint32_t i, num_hashes;
-
- if ((checked_buffer.length % 16) != 0) {
- return data_blob_const(NULL, 0);
- }
-
- plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
- if (!plain_buffer.data) {
- return data_blob_const(NULL, 0);
- }
-
- num_hashes = plain_buffer.length / 16;
- for (i = 0; i < num_hashes; i++) {
- uint32_t offset = i * 16;
- sam_pwd_hash(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
- }
- } else {
- plain_buffer = checked_buffer;
- }
-
- return plain_buffer;
-}
-
-
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 5b6bc00c57..929816e92d 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -19,6 +19,7 @@
*/
#include "includes.h"
+#include "../libcli/auth/libcli_auth.h"
/*********************************************************
Change the domain password on the PDC.