xref: /illumos-gate/usr/src/lib/libsmbfs/smb/ntlm.c (revision 3c573fcc51430b02603f62713f3f5d1b0b1aed1c)
1 /*
2  * Copyright (c) 2000-2001, Boris Popov
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *    This product includes software developed by Boris Popov.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  *
32  * $Id: smb_crypt.c,v 1.13 2005/01/26 23:50:50 lindak Exp $
33  */
34 
35 /*
36  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
37  * Use is subject to license terms.
38  */
39 
40 /*
41  * NTLM support functions
42  *
43  * Some code from the driver: smb_smb.c, smb_crypt.c
44  */
45 
46 #include <sys/errno.h>
47 #include <sys/types.h>
48 #include <sys/md4.h>
49 #include <sys/md5.h>
50 
51 #include <ctype.h>
52 #include <stdlib.h>
53 #include <strings.h>
54 
55 #include <netsmb/smb_lib.h>
56 
57 #include "private.h"
58 #include "charsets.h"
59 #include "smb_crypt.h"
60 #include "ntlm.h"
61 
62 
63 /*
64  * ntlm_compute_lm_hash
65  *
66  * Compute an LM hash given a password
67  *
68  * Output:
69  *	hash: 16-byte "LanMan" (LM) hash.
70  * Inputs:
71  *	ucpw: User's password, upper-case UTF-8 string.
72  *
73  * Source: Implementing CIFS (Chris Hertel)
74  *
75  * P14 = UCPW padded to 14-bytes, or truncated (as needed)
76  * result = Encrypt(Key=P14, Data=MagicString)
77  */
78 int
79 ntlm_compute_lm_hash(uchar_t *hash, const char *pass)
80 {
81 	static const uchar_t M8[8] = "KGS!@#$%";
82 	uchar_t P14[14 + 1];
83 	int err;
84 	char *ucpw;
85 
86 	/* First, convert the p/w to upper case. */
87 	ucpw = utf8_str_toupper(pass);
88 	if (ucpw == NULL)
89 		return (ENOMEM);
90 
91 	/* Pad or truncate the upper-case P/W as needed. */
92 	bzero(P14, sizeof (P14));
93 	(void) strncpy((char *)P14, ucpw, 14);
94 
95 	/* Compute the hash. */
96 	err = smb_encrypt_DES(hash, NTLM_HASH_SZ,
97 	    P14, 14, M8, 8);
98 
99 	free(ucpw);
100 	return (err);
101 }
102 
103 /*
104  * ntlm_compute_nt_hash
105  *
106  * Compute an NT hash given a password in UTF-8.
107  *
108  * Output:
109  *	hash: 16-byte "NT" hash.
110  * Inputs:
111  *	upw: User's password, mixed-case UCS-2LE.
112  *	pwlen: Size (in bytes) of upw
113  */
114 int
115 ntlm_compute_nt_hash(uchar_t *hash, const char *pass)
116 {
117 	MD4_CTX ctx;
118 	uint16_t *unipw = NULL;
119 	int pwsz;
120 
121 	/* First, convert the password to unicode. */
122 	unipw = convert_utf8_to_leunicode(pass);
123 	if (unipw == NULL)
124 		return (ENOMEM);
125 	pwsz = unicode_strlen(unipw) << 1;
126 
127 	/* Compute the hash. */
128 	MD4Init(&ctx);
129 	MD4Update(&ctx, unipw, pwsz);
130 	MD4Final(hash, &ctx);
131 
132 	free(unipw);
133 	return (0);
134 }
135 
136 /*
137  * ntlm_v1_response
138  *
139  * Create an LM response from the given LM hash and challenge,
140  * or an NTLM repsonse from a given NTLM hash and challenge.
141  * Both response types are 24 bytes (NTLM_V1_RESP_SZ)
142  */
143 static int
144 ntlm_v1_response(uchar_t *resp,
145     const uchar_t *hash,
146     const uchar_t *chal, int clen)
147 {
148 	uchar_t S21[21];
149 	int err;
150 
151 	/*
152 	 * 14-byte LM Hash should be padded with 5 nul bytes to create
153 	 * a 21-byte string to be used in producing LM response
154 	 */
155 	bzero(&S21, sizeof (S21));
156 	bcopy(hash, S21, NTLM_HASH_SZ);
157 
158 	/* padded LM Hash -> LM Response */
159 	err = smb_encrypt_DES(resp, NTLM_V1_RESP_SZ,
160 	    S21, 21, chal, clen);
161 	return (err);
162 }
163 
164 /*
165  * Calculate an NTLMv1 session key (16 bytes).
166  */
167 static void
168 ntlm_v1_session_key(uchar_t *ssn_key, const uchar_t *nt_hash)
169 {
170 	MD4_CTX md4;
171 
172 	MD4Init(&md4);
173 	MD4Update(&md4, nt_hash, NTLM_HASH_SZ);
174 	MD4Final(ssn_key, &md4);
175 }
176 
177 /*
178  * Compute both the LM(v1) response and the NTLM(v1) response,
179  * and put them in the mbdata chains passed.  This allocates
180  * mbuf chains in the output args, which the caller frees.
181  */
182 int
183 ntlm_put_v1_responses(struct smb_ctx *ctx,
184 	struct mbdata *lm_mbp, struct mbdata *nt_mbp)
185 {
186 	uchar_t *lmresp, *ntresp;
187 	int err;
188 
189 	/* Get mbuf chain for the LM response. */
190 	if ((err = mb_init(lm_mbp, NTLM_V1_RESP_SZ)) != 0)
191 		return (err);
192 
193 	/* Get mbuf chain for the NT response. */
194 	if ((err = mb_init(nt_mbp, NTLM_V1_RESP_SZ)) != 0)
195 		return (err);
196 
197 	/*
198 	 * Compute the LM response, derived
199 	 * from the challenge and the ASCII
200 	 * password (if authflags allow).
201 	 */
202 	mb_fit(lm_mbp, NTLM_V1_RESP_SZ, (char **)&lmresp);
203 	bzero(lmresp, NTLM_V1_RESP_SZ);
204 	if (ctx->ct_authflags & SMB_AT_LM1) {
205 		/* They asked to send the LM hash too. */
206 		err = ntlm_v1_response(lmresp, ctx->ct_lmhash,
207 		    ctx->ct_ntlm_chal, NTLM_CHAL_SZ);
208 		if (err)
209 			return (err);
210 	}
211 
212 	/*
213 	 * Compute the NTLM response, derived from
214 	 * the challenge and the NT hash.
215 	 */
216 	mb_fit(nt_mbp, NTLM_V1_RESP_SZ, (char **)&ntresp);
217 	bzero(ntresp, NTLM_V1_RESP_SZ);
218 	err = ntlm_v1_response(ntresp, ctx->ct_nthash,
219 	    ctx->ct_ntlm_chal, NTLM_CHAL_SZ);
220 
221 	/*
222 	 * Compute the session key
223 	 */
224 	ntlm_v1_session_key(ctx->ct_ssn_key, ctx->ct_nthash);
225 
226 	return (err);
227 }
228 
229 /*
230  * A variation on HMAC-MD5 known as HMACT64 is used by Windows systems.
231  * The HMACT64() function is the same as the HMAC-MD5() except that
232  * it truncates the input key to 64 bytes rather than hashing it down
233  * to 16 bytes using the MD5() function.
234  *
235  * Output: digest (16-bytes)
236  */
237 static void
238 HMACT64(uchar_t *digest,
239     const uchar_t *key, size_t key_len,
240     const uchar_t *data, size_t data_len)
241 {
242 	MD5_CTX context;
243 	uchar_t k_ipad[64];	/* inner padding - key XORd with ipad */
244 	uchar_t k_opad[64];	/* outer padding - key XORd with opad */
245 	int i;
246 
247 	/* if key is longer than 64 bytes use only the first 64 bytes */
248 	if (key_len > 64)
249 		key_len = 64;
250 
251 	/*
252 	 * The HMAC-MD5 (and HMACT64) transform looks like:
253 	 *
254 	 * MD5(K XOR opad, MD5(K XOR ipad, data))
255 	 *
256 	 * where K is an n byte key
257 	 * ipad is the byte 0x36 repeated 64 times
258 	 * opad is the byte 0x5c repeated 64 times
259 	 * and data is the data being protected.
260 	 */
261 
262 	/* start out by storing key in pads */
263 	bzero(k_ipad, sizeof (k_ipad));
264 	bzero(k_opad, sizeof (k_opad));
265 	bcopy(key, k_ipad, key_len);
266 	bcopy(key, k_opad, key_len);
267 
268 	/* XOR key with ipad and opad values */
269 	for (i = 0; i < 64; i++) {
270 		k_ipad[i] ^= 0x36;
271 		k_opad[i] ^= 0x5c;
272 	}
273 
274 	/*
275 	 * perform inner MD5
276 	 */
277 	MD5Init(&context);			/* init context for 1st pass */
278 	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
279 	MD5Update(&context, data, data_len);	/* then data of datagram */
280 	MD5Final(digest, &context);		/* finish up 1st pass */
281 
282 	/*
283 	 * perform outer MD5
284 	 */
285 	MD5Init(&context);			/* init context for 2nd pass */
286 	MD5Update(&context, k_opad, 64);	/* start with outer pad */
287 	MD5Update(&context, digest, 16);	/* then results of 1st hash */
288 	MD5Final(digest, &context);		/* finish up 2nd pass */
289 }
290 
291 
292 /*
293  * Compute an NTLMv2 hash given the NTLMv1 hash, the user name,
294  * and the destination (machine or domain name).
295  *
296  * Output:
297  *	v2hash: 16-byte NTLMv2 hash.
298  * Inputs:
299  *	v1hash: 16-byte NTLMv1 hash.
300  *	user: User name, UPPER-case UTF-8 string.
301  *	destination: Domain or server, MIXED-case UTF-8 string.
302  */
303 static int
304 ntlm_v2_hash(uchar_t *v2hash, const uchar_t *v1hash,
305     const char *user, const char *destination)
306 {
307 	int ulen, dlen;
308 	size_t ucs2len;
309 	uint16_t *ucs2data = NULL;
310 	char *utf8data = NULL;
311 	int err = ENOMEM;
312 
313 	/*
314 	 * v2hash = HMACT64(v1hash, 16, concat(upcase(user), dest))
315 	 * where "dest" is the domain or server name ("target name")
316 	 * Note: user name is converted to upper-case by the caller.
317 	 */
318 
319 	/* utf8data = concat(user, dest) */
320 	ulen = strlen(user);
321 	dlen = strlen(destination);
322 	utf8data = malloc(ulen + dlen + 1);
323 	if (utf8data == NULL)
324 		goto out;
325 	bcopy(user, utf8data, ulen);
326 	bcopy(destination, utf8data + ulen, dlen + 1);
327 
328 	/* Convert to UCS-2LE */
329 	ucs2data = convert_utf8_to_leunicode(utf8data);
330 	if (ucs2data == NULL)
331 		goto out;
332 	ucs2len = 2 * unicode_strlen(ucs2data);
333 
334 	HMACT64(v2hash, v1hash, NTLM_HASH_SZ,
335 	    (uchar_t *)ucs2data, ucs2len);
336 	err = 0;
337 out:
338 	if (ucs2data)
339 		free(ucs2data);
340 	if (utf8data)
341 		free(utf8data);
342 	return (err);
343 }
344 
345 /*
346  * Compute a partial LMv2 or NTLMv2 response (first 16-bytes).
347  * The full response is composed by the caller by
348  * appending the client_data to the returned hash.
349  *
350  * Output:
351  *	rhash: _partial_ LMv2/NTLMv2 response (first 16-bytes)
352  * Inputs:
353  *	v2hash: 16-byte NTLMv2 hash.
354  *	C8: Challenge from server (8 bytes)
355  *	client_data: client nonce (for LMv2) or the
356  *	  "blob" from ntlm_build_target_info (NTLMv2)
357  */
358 static int
359 ntlm_v2_resp_hash(uchar_t *rhash,
360     const uchar_t *v2hash, const uchar_t *C8,
361     const uchar_t *client_data, size_t cdlen)
362 {
363 	size_t dlen;
364 	uchar_t *data = NULL;
365 
366 	/* data = concat(C8, client_data) */
367 	dlen = 8 + cdlen;
368 	data = malloc(dlen);
369 	if (data == NULL)
370 		return (ENOMEM);
371 	bcopy(C8, data, 8);
372 	bcopy(client_data, data + 8, cdlen);
373 
374 	HMACT64(rhash, v2hash, NTLM_HASH_SZ, data, dlen);
375 
376 	free(data);
377 	return (0);
378 }
379 
380 /*
381  * Calculate an NTLMv2 session key (16 bytes).
382  */
383 static void
384 ntlm_v2_session_key(uchar_t *ssn_key,
385 	const uchar_t *v2hash,
386 	const uchar_t *ntresp)
387 {
388 
389 	/* session key uses only 1st 16 bytes of ntresp */
390 	HMACT64(ssn_key, v2hash, NTLM_HASH_SZ, ntresp, NTLM_HASH_SZ);
391 }
392 
393 
394 /*
395  * Compute both the LMv2 response and the NTLMv2 response,
396  * and put them in the mbdata chains passed.  This allocates
397  * mbuf chains in the output args, which the caller frees.
398  * Also computes the session key.
399  */
400 int
401 ntlm_put_v2_responses(struct smb_ctx *ctx, struct mbdata *ti_mbp,
402 	struct mbdata *lm_mbp, struct mbdata *nt_mbp)
403 {
404 	uchar_t *lmresp, *ntresp;
405 	int err;
406 	char *ucdom = NULL;	/* user's domain */
407 	char *ucuser = NULL;	/* account name */
408 	uchar_t v2hash[NTLM_HASH_SZ];
409 	struct mbuf *tim = ti_mbp->mb_top;
410 
411 	if ((err = mb_init(lm_mbp, M_MINSIZE)) != 0)
412 		return (err);
413 	if ((err = mb_init(nt_mbp, M_MINSIZE)) != 0)
414 		return (err);
415 
416 	/*
417 	 * Convert the user name to upper-case, as
418 	 * that's what's used when computing LMv2
419 	 * and NTLMv2 responses.  Also the domain.
420 	 */
421 	ucdom  = utf8_str_toupper(ctx->ct_domain);
422 	ucuser = utf8_str_toupper(ctx->ct_user);
423 	if (ucdom == NULL || ucuser == NULL) {
424 		err = ENOMEM;
425 		goto out;
426 	}
427 
428 	/*
429 	 * Compute the NTLMv2 hash (see above)
430 	 * Needs upper-case user, domain.
431 	 */
432 	err = ntlm_v2_hash(v2hash, ctx->ct_nthash, ucuser, ucdom);
433 	if (err)
434 		goto out;
435 
436 	/*
437 	 * Compute the LMv2 response, derived from
438 	 * the v2hash, the server challenge, and
439 	 * the client nonce (random bits).
440 	 *
441 	 * We compose it from two parts:
442 	 *	1: 16-byte response hash
443 	 *	2: Client nonce
444 	 */
445 	lmresp = (uchar_t *)lm_mbp->mb_pos;
446 	mb_put_mem(lm_mbp, NULL, NTLM_HASH_SZ);
447 	err = ntlm_v2_resp_hash(lmresp,
448 	    v2hash, ctx->ct_ntlm_chal,
449 	    ctx->ct_clnonce, NTLM_CHAL_SZ);
450 	if (err)
451 		goto out;
452 	mb_put_mem(lm_mbp, ctx->ct_clnonce, NTLM_CHAL_SZ);
453 
454 	/*
455 	 * Compute the NTLMv2 response, derived
456 	 * from the server challenge and the
457 	 * "target info." blob passed in.
458 	 *
459 	 * Again composed from two parts:
460 	 *	1: 16-byte response hash
461 	 *	2: "target info." blob
462 	 */
463 	ntresp = (uchar_t *)nt_mbp->mb_pos;
464 	mb_put_mem(nt_mbp, NULL, NTLM_HASH_SZ);
465 	err = ntlm_v2_resp_hash(ntresp,
466 	    v2hash, ctx->ct_ntlm_chal,
467 	    (uchar_t *)tim->m_data, tim->m_len);
468 	if (err)
469 		goto out;
470 	mb_put_mem(nt_mbp, tim->m_data, tim->m_len);
471 
472 	/*
473 	 * Compute the session key
474 	 */
475 	ntlm_v2_session_key(ctx->ct_ssn_key, v2hash, ntresp);
476 
477 out:
478 	if (err) {
479 		mb_done(lm_mbp);
480 		mb_done(nt_mbp);
481 	}
482 	free(ucdom);
483 	free(ucuser);
484 
485 	return (err);
486 }
487 
488 /*
489  * Helper for ntlm_build_target_info below.
490  * Put a name in the NTLMv2 "target info." blob.
491  */
492 static void
493 smb_put_blob_name(struct mbdata *mbp, char *name, int type)
494 {
495 	uint16_t *ucs = NULL;
496 	int nlen;
497 
498 	if (name)
499 		ucs = convert_utf8_to_leunicode(name);
500 	if (ucs)
501 		nlen = unicode_strlen(ucs);
502 	else
503 		nlen = 0;
504 
505 	nlen <<= 1;	/* length in bytes, without null. */
506 
507 	mb_put_uint16le(mbp, type);
508 	mb_put_uint16le(mbp, nlen);
509 	mb_put_mem(mbp, (char *)ucs, nlen);
510 
511 	if (ucs)
512 		free(ucs);
513 }
514 
515 /*
516  * Build an NTLMv2 "target info." blob.  When called from NTLMSSP,
517  * the list of names comes from the Type 2 message.  Otherwise,
518  * we create the name list here.
519  */
520 int
521 ntlm_build_target_info(struct smb_ctx *ctx, struct mbuf *names,
522 	struct mbdata *mbp)
523 {
524 	struct timeval now;
525 	uint64_t nt_time;
526 
527 	char *ucdom = NULL;	/* user's domain */
528 	int err;
529 
530 	/* Get mbuf chain for the "target info". */
531 	if ((err = mb_init(mbp, M_MINSIZE)) != 0)
532 		return (err);
533 
534 	/*
535 	 * Construct the client nonce by getting
536 	 * some random data from /dev/urandom
537 	 */
538 	err = smb_get_urandom(ctx->ct_clnonce, NTLM_CHAL_SZ);
539 	if (err)
540 		goto out;
541 
542 	/*
543 	 * Get the "NT time" for the target info header.
544 	 */
545 	(void) gettimeofday(&now, 0);
546 	smb_time_local2NT(&now, 0, &nt_time);
547 
548 	/*
549 	 * Build the "target info." block.
550 	 *
551 	 * Based on information at:
552 	 * http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response
553 	 *
554 	 * First the fixed-size part.
555 	 */
556 	mb_put_uint32le(mbp, 0x101);	/* Blob signature */
557 	mb_put_uint32le(mbp, 0);		/* reserved */
558 	mb_put_uint64le(mbp, nt_time);	/* NT time stamp */
559 	mb_put_mem(mbp, ctx->ct_clnonce, NTLM_CHAL_SZ);
560 	mb_put_uint32le(mbp, 0);		/* unknown */
561 
562 	/*
563 	 * Now put the list of names, either from the
564 	 * NTLMSSP Type 2 message or composed here.
565 	 */
566 	if (names) {
567 		err = mb_put_mem(mbp, names->m_data, names->m_len);
568 	} else {
569 		/* Get upper-case names. */
570 		ucdom  = utf8_str_toupper(ctx->ct_domain);
571 		if (ucdom == NULL) {
572 			err = ENOMEM;
573 			goto out;
574 		}
575 		smb_put_blob_name(mbp, ucdom, NAMETYPE_DOMAIN_NB);
576 		smb_put_blob_name(mbp, NULL, NAMETYPE_EOL);
577 		/* OK, that's the whole "target info." blob! */
578 	}
579 	err = 0;
580 
581 out:
582 	free(ucdom);
583 	return (err);
584 }
585