r995: - renamed many of our crypto routines to use the industry standard

  names rather than our crazy naming scheme. So DES is now called
  des_crypt() rather than smbhash()

- added the code from the solution of the ADS crypto challenge that
  allows Samba to correctly handle a 128 bit session key in all of the
  netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard
  from PADL for solving this one!

- restructured the server side rpc authentication to allow for other
  than NTLMSSP sign and seal. This commit just adds the structure, the
  next commit will add schannel server side support.

- added 128 bit session key support to our client side code, and
  testing against w2k3 with smbtorture. Works well.
(This used to be commit 729b2f41c924a0b435d44a14209e6dacc2304cee)

6 files changed, 131 insertions, 70 deletions

diff --git a/source4/libcli/auth/credentials.c b/source4/libcli/auth/credentials.c
index cf6d0cca62..27a3e32cf3 100644
--- a/source4/libcli/auth/credentials.c
+++ b/source4/libcli/auth/credentials.c
@@ -24,38 +24,66 @@
 #include "includes.h"
 
 /*
-  initialise the credentials state 
+  initialise the credentials state for old-style 64 bit session keys
 
   this call is made after the netr_ServerReqChallenge call
 */
-static void creds_init(struct creds_CredentialState *creds,
-		       const struct netr_Credential *client_challenge,
-		       const struct netr_Credential *server_challenge,
-		       const uint8_t machine_password[16])
+static void creds_init_64bit(struct creds_CredentialState *creds,
+			     const struct netr_Credential *client_challenge,
+			     const struct netr_Credential *server_challenge,
+			     const uint8_t machine_password[16])
 {
-	struct netr_Credential time_cred;
 	uint32_t sum[2];
 	uint8_t sum2[8];
 
-	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
-	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
-	dump_data_pw("Machine Pass", machine_password, 16);
-
 	sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
 	sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
 
 	SIVAL(sum2,0,sum[0]);
 	SIVAL(sum2,4,sum[1]);
 
-	cred_hash1(creds->session_key, sum2, machine_password);
+	ZERO_STRUCT(creds->session_key);
 
-	SIVAL(time_cred.data, 0, IVAL(client_challenge->data, 0));
-	SIVAL(time_cred.data, 4, IVAL(client_challenge->data, 4));
-	cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1);
+	des_crypt128(creds->session_key, sum2, machine_password);
 
-	SIVAL(time_cred.data, 0, IVAL(server_challenge->data, 0));
-	SIVAL(time_cred.data, 4, IVAL(server_challenge->data, 4));
-	cred_hash2(creds->server.data, time_cred.data, creds->session_key, 1);
+	des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
+	des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
+
+	creds->seed = creds->client;
+}
+
+/*
+  initialise the credentials state for ADS-style 128 bit session keys
+
+  this call is made after the netr_ServerReqChallenge call
+*/
+static void creds_init_128bit(struct creds_CredentialState *creds,
+			      const struct netr_Credential *client_challenge,
+			      const struct netr_Credential *server_challenge,
+			      const uint8_t machine_password[16])
+{
+	unsigned char zero[4], tmp[16];
+	HMACMD5Context ctx;
+	struct MD5Context md5;
+
+	ZERO_STRUCT(creds->session_key);
+
+	memset(zero, 0, sizeof(zero));
+
+	hmac_md5_init_rfc2104(machine_password, 16, &ctx);	
+	MD5Init(&md5);
+	MD5Update(&md5, zero, sizeof(zero));
+	MD5Update(&md5, client_challenge->data, 8);
+	MD5Update(&md5, server_challenge->data, 8);
+	MD5Final(tmp, &md5);
+	hmac_md5_update(tmp, 16, &ctx);
+	hmac_md5_final(creds->session_key, &ctx);
+
+	creds->client = *client_challenge;
+	creds->server = *server_challenge;
+
+	des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
+	des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
 
 	creds->seed = creds->client;
 }
@@ -77,7 +105,7 @@ static void creds_step(struct creds_CredentialState *creds)
 
 	DEBUG(5,("\tseed+time   %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
 
-	cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1);
+	des_crypt112(creds->client.data, time_cred.data, creds->session_key, 1);
 
 	DEBUG(5,("\tCLIENT      %08x:%08x\n", 
 		 IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
@@ -88,7 +116,7 @@ static void creds_step(struct creds_CredentialState *creds)
 	DEBUG(5,("\tseed+time+1 %08x:%08x\n", 
 		 IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
 
-	cred_hash2(creds->server.data, time_cred.data, creds->session_key, 1);
+	des_crypt112(creds->server.data, time_cred.data, creds->session_key, 1);
 
 	DEBUG(5,("\tSERVER      %08x:%08x\n", 
 		 IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
@@ -103,7 +131,7 @@ static void creds_step(struct creds_CredentialState *creds)
 void creds_des_encrypt(struct creds_CredentialState *creds, struct netr_Password *pass)
 {
 	struct netr_Password tmp;
-	cred_hash3(tmp.data, pass->data, creds->session_key, 1);
+	des_crypt112_16(tmp.data, pass->data, creds->session_key, 1);
 	*pass = tmp;
 }
 
@@ -113,7 +141,7 @@ void creds_des_encrypt(struct creds_CredentialState *creds, struct netr_Password
 void creds_des_decrypt(struct creds_CredentialState *creds, struct netr_Password *pass)
 {
 	struct netr_Password tmp;
-	cred_hash3(tmp.data, pass->data, creds->session_key, 0);
+	des_crypt112_16(tmp.data, pass->data, creds->session_key, 0);
 	*pass = tmp;
 }
 
@@ -122,12 +150,9 @@ void creds_des_decrypt(struct creds_CredentialState *creds, struct netr_Password
 */
 void creds_arcfour_crypt(struct creds_CredentialState *creds, char *data, size_t len)
 {
-	DATA_BLOB session_key = data_blob(NULL, 16);
-	
-	memcpy(&session_key.data[0], creds->session_key, 8);
-	memset(&session_key.data[8], '\0', 8);
+	DATA_BLOB session_key = data_blob(creds->session_key, 16);
 
-	SamOEMhashBlob(data, len, &session_key);
+	arcfour_crypt_blob(data, len, &session_key);
 
 	data_blob_free(&session_key);
 }
@@ -145,10 +170,24 @@ void creds_client_init(struct creds_CredentialState *creds,
 		       const struct netr_Credential *client_challenge,
 		       const struct netr_Credential *server_challenge,
 		       const uint8_t machine_password[16],
-		       struct netr_Credential *initial_credential)
+		       struct netr_Credential *initial_credential,
+		       uint32_t negotiate_flags)
 {
 	creds->sequence = time(NULL);
-	creds_init(creds, client_challenge, server_challenge, machine_password);
+	creds->negotiate_flags = negotiate_flags;
+
+	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
+	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
+	dump_data_pw("Machine Pass", machine_password, 16);
+
+	if (negotiate_flags & NETLOGON_NEG_128BIT) {
+		creds_init_128bit(creds, client_challenge, server_challenge, machine_password);
+	} else {
+		creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
+	}
+
+	dump_data_pw("Session key", creds->session_key, 16);
+	dump_data_pw("Credential ", creds->client.data, 8);
 
 	*initial_credential = creds->client;
 }
@@ -198,9 +237,16 @@ void creds_server_init(struct creds_CredentialState *creds,
 		       const struct netr_Credential *client_challenge,
 		       const struct netr_Credential *server_challenge,
 		       const uint8_t machine_password[16],
-		       struct netr_Credential *initial_credential)
+		       struct netr_Credential *initial_credential,
+		       uint32_t negotiate_flags)
 {
-	creds_init(creds, client_challenge, server_challenge, machine_password);
+	if (negotiate_flags & NETLOGON_NEG_128BIT) {
+		creds_init_128bit(creds, client_challenge, server_challenge, 
+				  machine_password);
+	} else {
+		creds_init_64bit(creds, client_challenge, server_challenge, 
+				 machine_password);
+	}
 
 	*initial_credential = creds->server;
 }
diff --git a/source4/libcli/auth/credentials.h b/source4/libcli/auth/credentials.h
index 20eed73cc0..de0e086278 100644
--- a/source4/libcli/auth/credentials.h
+++ b/source4/libcli/auth/credentials.h
@@ -21,7 +21,8 @@
 */
 
 struct creds_CredentialState {
-	uint8_t session_key[8];
+	uint32_t negotiate_flags;
+	uint8_t session_key[16];
 	uint32_t sequence;
 	struct netr_Credential seed;
 	struct netr_Credential client;
@@ -29,6 +30,9 @@ struct creds_CredentialState {
 };
 
 
+#define NETLOGON_NEG_128BIT 0x4000
+
+
 /* for the timebeing, use the same neg flags as Samba3. */
 /* The 7 here seems to be required to get Win2k not to downgrade us
    to NT4.  Actually, anything other than 1ff would seem to do... */
diff --git a/source4/libcli/auth/ntlmssp.c b/source4/libcli/auth/ntlmssp.c
index 49935f0acb..5916faf513 100644
--- a/source4/libcli/auth/ntlmssp.c
+++ b/source4/libcli/auth/ntlmssp.c
@@ -792,9 +792,9 @@ static NTSTATUS ntlmssp_server_postauth(struct ntlmssp_state *ntlmssp_state,
 			dump_data_pw("KEY_EXCH session key (enc):\n", 
 				     ntlmssp_state->encrypted_session_key.data, 
 				     ntlmssp_state->encrypted_session_key.length);
-			SamOEMhash(ntlmssp_state->encrypted_session_key.data, 
-				   session_key.data, 
-				   ntlmssp_state->encrypted_session_key.length);
+			arcfour_crypt(ntlmssp_state->encrypted_session_key.data, 
+				      session_key.data, 
+				      ntlmssp_state->encrypted_session_key.length);
 			ntlmssp_state->session_key = data_blob_talloc(ntlmssp_state->mem_ctx, 
 								      ntlmssp_state->encrypted_session_key.data, 
 								      ntlmssp_state->encrypted_session_key.length);
@@ -1191,7 +1191,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
 		encrypted_session_key = data_blob_talloc(ntlmssp_state->mem_ctx, 
 							 client_session_key, sizeof(client_session_key));
 		dump_data_pw("KEY_EXCH session key:\n", encrypted_session_key.data, encrypted_session_key.length);
-		SamOEMhash(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
+		arcfour_crypt(encrypted_session_key.data, session_key.data, encrypted_session_key.length);
 		dump_data_pw("KEY_EXCH session key (enc):\n", encrypted_session_key.data, encrypted_session_key.length);
 
 		/* Mark the new session key as the 'real' session key */
diff --git a/source4/libcli/auth/schannel.c b/source4/libcli/auth/schannel.c
index 666eb811ae..294873feff 100644
--- a/source4/libcli/auth/schannel.c
+++ b/source4/libcli/auth/schannel.c
@@ -35,7 +35,7 @@ static void netsec_deal_with_seq_num(struct schannel_state *state,
 
 	hmac_md5(state->session_key, zeros, sizeof(zeros), digest1);
 	hmac_md5(digest1, packet_digest, 8, sequence_key);
-	SamOEMhash(seq_num, sequence_key, 8);
+	arcfour_crypt(seq_num, sequence_key, 8);
 
 	state->seq_num++;
 }
@@ -113,8 +113,8 @@ NTSTATUS schannel_unseal_packet(struct schannel_state *state,
 	SIVAL(seq_num, 4, state->initiator?0:0x80);
 
 	netsec_get_sealing_key(state->session_key, seq_num, sealing_key);
-	SamOEMhash(confounder, sealing_key, 8);
-	SamOEMhash(data, sealing_key, length);
+	arcfour_crypt(confounder, sealing_key, 8);
+	arcfour_crypt(data, sealing_key, length);
 
 	schannel_digest(state->session_key, 
 			netsec_sig, confounder, 
@@ -204,8 +204,8 @@ NTSTATUS schannel_seal_packet(struct schannel_state *state,
 			data, length, digest_final);
 
 	netsec_get_sealing_key(state->session_key, seq_num, sealing_key);
-	SamOEMhash(confounder, sealing_key, 8);
-	SamOEMhash(data, sealing_key, length);
+	arcfour_crypt(confounder, sealing_key, 8);
+	arcfour_crypt(data, sealing_key, length);
 
 	netsec_deal_with_seq_num(state, digest_final, seq_num);
 
diff --git a/source4/libcli/auth/session.c b/source4/libcli/auth/session.c
index 1176d7fd0d..598f2d4f28 100644
--- a/source4/libcli/auth/session.c
+++ b/source4/libcli/auth/session.c
@@ -47,7 +47,7 @@ void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *sessi
 		}
 		memcpy(key, &session_key->data[k], 7);
 
-		smbhash(bout, bin, key, forward?1:0);
+		des_crypt56(bout, bin, key, forward?1:0);
 
 		memcpy(&out->data[i], bout, MIN(8, in->length-i));
 	}
diff --git a/source4/libcli/util/smbdes.c b/source4/libcli/util/smbdes.c
index 967d0ffb82..2492f9a1ba 100644
--- a/source4/libcli/util/smbdes.c
+++ b/source4/libcli/util/smbdes.c
@@ -273,8 +273,10 @@ static void str_to_key(const uint8_t *str,uint8_t *key)
 	}
 }
 
-
-void smbhash(uint8_t *out, const uint8_t *in, const uint8_t *key, int forw)
+/*
+  basic des crypt using a 56 bit (7 byte) key
+*/
+void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw)
 {
 	int i;
 	char outb[64];
@@ -305,58 +307,67 @@ void smbhash(uint8_t *out, const uint8_t *in, const uint8_t *key, int forw)
 void E_P16(const uint8_t *p14,uint8_t *p16)
 {
 	const uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
-	smbhash(p16, sp8, p14, 1);
-	smbhash(p16+8, sp8, p14+7, 1);
+	des_crypt56(p16, sp8, p14, 1);
+	des_crypt56(p16+8, sp8, p14+7, 1);
 }
 
 void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
 {
-	smbhash(p24, c8, p21, 1);
-	smbhash(p24+8, c8, p21+7, 1);
-	smbhash(p24+16, c8, p21+14, 1);
+	des_crypt56(p24, c8, p21, 1);
+	des_crypt56(p24+8, c8, p21+7, 1);
+	des_crypt56(p24+16, c8, p21+14, 1);
 }
 
 void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out)
 {
-	smbhash(out, in, p14, 0);
-        smbhash(out+8, in+8, p14+7, 0);
+	des_crypt56(out, in, p14, 0);
+        des_crypt56(out+8, in+8, p14+7, 0);
 }
 
 void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
 {
-        smbhash(out, in, p14, 1);
-        smbhash(out+8, in+8, p14+7, 1);
+        des_crypt56(out, in, p14, 1);
+        des_crypt56(out+8, in+8, p14+7, 1);
 }
 
-void cred_hash1(uint8_t *out, const uint8_t *in, const uint8_t *key)
+/* des encryption with a 128 bit key */
+void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16])
 {
 	uint8_t buf[8];
-
-	smbhash(buf, in, key, 1);
-	smbhash(out, buf, key+9, 1);
+	des_crypt56(buf, in, key, 1);
+	des_crypt56(out, buf, key+9, 1);
 }
 
-void cred_hash2(uint8_t *out, const uint8_t *in, const uint8_t *key, int forw)
+/* des encryption with a 64 bit key */
+void des_crypt64(uint8_t out[8], const uint8_t in[8], const uint8_t key[8], int forw)
 {
 	uint8_t buf[8];
 	uint8_t key2[8];
 	ZERO_STRUCT(key2);
-	smbhash(buf, in, key, forw);
+	des_crypt56(buf, in, key, forw);
 	key2[0] = key[7];
-	smbhash(out, buf, key2, forw);
+	des_crypt56(out, buf, key2, forw);
 }
 
-void cred_hash3(uint8_t *out, uint8_t *in, const uint8_t *key, int forw)
+/* des encryption with a 112 bit (14 byte) key */
+void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw)
 {
-        uint8_t key2[8];
-	ZERO_STRUCT(key2);
-        smbhash(out, in, key, forw);
-        key2[0] = key[7];
-        smbhash(out + 8, in + 8, key2, forw);
+	uint8_t buf[8];
+	des_crypt56(buf, in, key, forw);
+	des_crypt56(out, buf, key+7, forw);
 }
 
+/* des encryption of a 16 byte lump of data with a 112 bit key */
+void des_crypt112_16(uint8_t out[16], uint8_t in[16], const uint8_t key[14], int forw)
+{
+        des_crypt56(out, in, key, forw);
+        des_crypt56(out + 8, in + 8, key+7, forw);
+}
 
-void SamOEMhashBlob(uint8_t *data, int len, const DATA_BLOB *key)
+/*
+  arcfour encryption with a blob key
+*/
+void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key)
 {
 	uint8_t s_box[256];
 	uint8_t index_i = 0;
@@ -397,11 +408,11 @@ void SamOEMhashBlob(uint8_t *data, int len, const DATA_BLOB *key)
   a varient that assumes a 16 byte key. This should be removed
   when the last user is gone
 */
-void SamOEMhash(uint8_t *data, const uint8_t keystr[16], int len)
+void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len)
 {
 	DATA_BLOB key = data_blob(keystr, 16);
 	
-	SamOEMhashBlob(data, len, &key);
+	arcfour_crypt_blob(data, len, &key);
 
 	data_blob_free(&key);
 }
@@ -419,6 +430,6 @@ void sam_pwd_hash(uint_t rid, const uint8_t *in, uint8_t *out, int forw)
 	s[2] = s[6] = s[10]        = (uint8_t)((rid >> 16) & 0xFF);
 	s[3] = s[7] = s[11]        = (uint8_t)((rid >> 24) & 0xFF);
 
-	smbhash(out, in, s, forw);
-	smbhash(out+8, in+8, s+7, forw);
+	des_crypt56(out, in, s, forw);
+	des_crypt56(out+8, in+8, s+7, forw);
 }