diff options
author | Andrew Tridgell <tridge@samba.org> | 2004-04-07 07:20:53 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:51:06 -0500 |
commit | 984bfce2d9de9eb73e09887b720d219566242398 (patch) | |
tree | 1b0e8dcec7a5fdc7986c64994d7e8deaa2829f08 /source4/libcli | |
parent | a8a42e7f53c67b09954ea2232830c07c6e011aa0 (diff) | |
download | samba-984bfce2d9de9eb73e09887b720d219566242398.tar.gz samba-984bfce2d9de9eb73e09887b720d219566242398.tar.bz2 samba-984bfce2d9de9eb73e09887b720d219566242398.zip |
r101: added lsa_SetSecret() and lsa_QuerySecret()
this required some crypto infrastructure and some sid utilities
(This used to be commit 37d0efa9c2af8532536bea88412f0dd3ed39ecfc)
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/auth/session.c | 133 | ||||
-rw-r--r-- | source4/libcli/config.m4 | 5 | ||||
-rw-r--r-- | source4/libcli/util/dom_sid.c | 90 | ||||
-rw-r--r-- | source4/libcli/util/smbdes.c | 2 |
4 files changed, 227 insertions, 3 deletions
diff --git a/source4/libcli/auth/session.c b/source4/libcli/auth/session.c new file mode 100644 index 0000000000..946b0fe62f --- /dev/null +++ b/source4/libcli/auth/session.c @@ -0,0 +1,133 @@ +/* + Unix SMB/CIFS implementation. + + code to encrypt/decrypt data using the user session key + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + encrypt or decrypt a blob of data using the user session key + as used in lsa_SetSecret + + before calling, the out blob must be initialised to be the same size + as the in blob +*/ +void sess_crypt_blob(DATA_BLOB *out, const DATA_BLOB *in, const uint8 session_key[16], + BOOL forward) +{ + int i, k; + + for (i=0,k=0; + i<in->length; + i += 8, k += 7) { + uint8 bin[8], bout[8], key[7]; + + memset(bin, 0, 8); + memcpy(bin, &in->data[i], MIN(8, in->length-i)); + + if (k + 7 > 16) { + k = (16 - k); + } + memcpy(key, &session_key[k], 7); + + smbhash(bout, bin, key, forward?1:0); + + memcpy(&out->data[i], bout, MIN(8, in->length-i)); + } +} + + +/* + a convenient wrapper around sess_crypt_blob() for strings, using the LSA convention + + note that we round the length to a multiple of 8. This seems to be needed for + compatibility with windows + + caller should free using data_blob_free() +*/ +DATA_BLOB sess_encrypt_string(const char *str, const uint8 session_key[16]) +{ + DATA_BLOB ret, src; + int slen = strlen(str); + int dlen = (slen+7) & ~7; + + src = data_blob(NULL, 8+dlen); + if (!src.data) { + return data_blob(NULL, 0); + } + + ret = data_blob(NULL, 8+dlen); + if (!ret.data) { + data_blob_free(&src); + return data_blob(NULL, 0); + } + + SIVAL(src.data, 0, slen); + SIVAL(src.data, 4, 1); + memset(src.data+8, 0, dlen); + memcpy(src.data+8, str, slen); + + sess_crypt_blob(&ret, &src, session_key, True); + + data_blob_free(&src); + + return ret; +} + +/* + a convenient wrapper around sess_crypt_blob() for strings, using the LSA convention + + caller should free the returned string +*/ +char *sess_decrypt_string(DATA_BLOB *blob, const uint8 session_key[16]) +{ + DATA_BLOB out; + int slen; + char *ret; + + if (blob->length < 8) { + return NULL; + } + + out = data_blob(NULL, blob->length); + if (!out.data) { + return NULL; + } + + sess_crypt_blob(&out, blob, session_key, False); + + slen = IVAL(out.data, 0); + if (slen > blob->length - 8) { + DEBUG(0,("Invalid crypt length %d\n", slen)); + return NULL; + } + + if (IVAL(out.data, 4) != 1) { + DEBUG(0,("Unexpected revision number %d in session crypted string\n", + IVAL(out.data, 4))); + return NULL; + } + + ret = strndup(out.data+8, slen); + + data_blob_free(&out); + + return ret; +} diff --git a/source4/libcli/config.m4 b/source4/libcli/config.m4 index 7176f83ebc..ac8e7cbabb 100644 --- a/source4/libcli/config.m4 +++ b/source4/libcli/config.m4 @@ -18,13 +18,14 @@ SMB_SUBSYSTEM(LIBCLI_UTILS,[], libcli/util/smberr.o \ libcli/util/doserr.o libcli/util/errormap.o \ libcli/util/pwd_cache.o libcli/util/clierror.o libcli/util/cliutil.o \ - libcli/util/nterr.o libcli/util/smbdes.o libcli/util/smbencrypt.o], + libcli/util/nterr.o libcli/util/smbdes.o libcli/util/smbencrypt.o \ + libcli/util/dom_sid.o], libcli/util/libcli_utils_public_proto.h) SMB_SUBSYSTEM(LIBCLI_AUTH,[], [libcli/auth/ntlmssp.o libcli/auth/ntlmssp_parse.o \ libcli/auth/ntlmssp_sign.o libcli/auth/schannel.o \ - libcli/auth/credentials.o], + libcli/auth/credentials.o libcli/auth/session.o], libcli/auth/libcli_auth_public_proto.h) SMB_SUBSYSTEM(LIBCLI_NMB,[], diff --git a/source4/libcli/util/dom_sid.c b/source4/libcli/util/dom_sid.c new file mode 100644 index 0000000000..652f17a6b6 --- /dev/null +++ b/source4/libcli/util/dom_sid.c @@ -0,0 +1,90 @@ +/* + Unix SMB/CIFS implementation. + + routines to manipulate a "struct dom_sid" + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* + convert a string to a dom_sid, returning a talloc'd dom_sid +*/ +struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) +{ + struct dom_sid *ret; + unsigned int rev, ia, num_sub_auths, i; + char *p; + + if (strncasecmp(sidstr, "S-", 2)) { + return NULL; + } + + sidstr += 2; + + rev = strtol(sidstr, &p, 10); + if (*p != '-') { + return NULL; + } + sidstr = p+1; + + ia = strtol(sidstr, &p, 10); + if (*p != '-') { + return NULL; + } + sidstr = p+1; + + num_sub_auths = 0; + for (i=0;sidstr[i];i++) { + if (sidstr[i] == '-') num_sub_auths++; + } + + ret = talloc_p(mem_ctx, struct dom_sid); + if (!ret) { + return NULL; + } + + ret->sub_auths = talloc_array_p(mem_ctx, uint32, num_sub_auths); + if (!ret->sub_auths) { + return NULL; + } + + ret->sid_rev_num = rev; + ret->id_auth[0] = 0; + ret->id_auth[0] = 0; + ret->id_auth[1] = 0; + ret->id_auth[2] = ia >> 24; + ret->id_auth[3] = ia >> 16; + ret->id_auth[4] = ia >> 8; + ret->id_auth[5] = ia; + ret->num_auths = num_sub_auths; + + for (i=0;i<num_sub_auths;i++) { + ret->sub_auths[i] = strtol(sidstr, &p, 10); + if (p == sidstr) { + return NULL; + } + if (*p != '-' && i < num_sub_auths-1) { + return NULL; + } + sidstr = p+1; + } + + return ret; +} + diff --git a/source4/libcli/util/smbdes.c b/source4/libcli/util/smbdes.c index e5c4c6f3f1..d282b0135a 100644 --- a/source4/libcli/util/smbdes.c +++ b/source4/libcli/util/smbdes.c @@ -276,7 +276,7 @@ static void str_to_key(const unsigned char *str,unsigned char *key) } -static void smbhash(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw) +void smbhash(unsigned char *out, const unsigned char *in, const unsigned char *key, int forw) { int i; char outb[64]; |