1 /* 2 * Copyright (c) 2000-2001, Boris Popov 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Boris Popov. 16 * 4. Neither the name of the author nor the names of any co-contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 * 32 * $Id: smb_crypt.c,v 1.13 2005/01/26 23:50:50 lindak Exp $ 33 */ 34 35 /* 36 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 37 * Use is subject to license terms. 38 */ 39 40 /* 41 * NTLM support functions 42 * 43 * Some code from the driver: smb_smb.c, smb_crypt.c 44 */ 45 46 #include <sys/errno.h> 47 #include <sys/types.h> 48 #include <sys/md4.h> 49 #include <sys/md5.h> 50 51 #include <ctype.h> 52 #include <stdlib.h> 53 #include <strings.h> 54 55 #include <netsmb/smb_lib.h> 56 57 #include "private.h" 58 #include "charsets.h" 59 #include "smb_crypt.h" 60 #include "ntlm.h" 61 62 63 /* 64 * ntlm_compute_lm_hash 65 * 66 * Compute an LM hash given a password 67 * 68 * Output: 69 * hash: 16-byte "LanMan" (LM) hash. 70 * Inputs: 71 * ucpw: User's password, upper-case UTF-8 string. 72 * 73 * Source: Implementing CIFS (Chris Hertel) 74 * 75 * P14 = UCPW padded to 14-bytes, or truncated (as needed) 76 * result = Encrypt(Key=P14, Data=MagicString) 77 */ 78 int 79 ntlm_compute_lm_hash(uchar_t *hash, const char *pass) 80 { 81 static const uchar_t M8[8] = "KGS!@#$%"; 82 uchar_t P14[14 + 1]; 83 int err; 84 char *ucpw; 85 86 /* First, convert the p/w to upper case. */ 87 ucpw = utf8_str_toupper(pass); 88 if (ucpw == NULL) 89 return (ENOMEM); 90 91 /* Pad or truncate the upper-case P/W as needed. */ 92 bzero(P14, sizeof (P14)); 93 (void) strncpy((char *)P14, ucpw, 14); 94 95 /* Compute the hash. */ 96 err = smb_encrypt_DES(hash, NTLM_HASH_SZ, 97 P14, 14, M8, 8); 98 99 free(ucpw); 100 return (err); 101 } 102 103 /* 104 * ntlm_compute_nt_hash 105 * 106 * Compute an NT hash given a password in UTF-8. 107 * 108 * Output: 109 * hash: 16-byte "NT" hash. 110 * Inputs: 111 * upw: User's password, mixed-case UCS-2LE. 112 * pwlen: Size (in bytes) of upw 113 */ 114 int 115 ntlm_compute_nt_hash(uchar_t *hash, const char *pass) 116 { 117 MD4_CTX ctx; 118 uint16_t *unipw = NULL; 119 int pwsz; 120 121 /* First, convert the password to unicode. */ 122 unipw = convert_utf8_to_leunicode(pass); 123 if (unipw == NULL) 124 return (ENOMEM); 125 pwsz = unicode_strlen(unipw) << 1; 126 127 /* Compute the hash. */ 128 MD4Init(&ctx); 129 MD4Update(&ctx, unipw, pwsz); 130 MD4Final(hash, &ctx); 131 132 free(unipw); 133 return (0); 134 } 135 136 /* 137 * ntlm_v1_response 138 * 139 * Create an LM response from the given LM hash and challenge, 140 * or an NTLM repsonse from a given NTLM hash and challenge. 141 * Both response types are 24 bytes (NTLM_V1_RESP_SZ) 142 */ 143 static int 144 ntlm_v1_response(uchar_t *resp, 145 const uchar_t *hash, 146 const uchar_t *chal, int clen) 147 { 148 uchar_t S21[21]; 149 int err; 150 151 /* 152 * 14-byte LM Hash should be padded with 5 nul bytes to create 153 * a 21-byte string to be used in producing LM response 154 */ 155 bzero(&S21, sizeof (S21)); 156 bcopy(hash, S21, NTLM_HASH_SZ); 157 158 /* padded LM Hash -> LM Response */ 159 err = smb_encrypt_DES(resp, NTLM_V1_RESP_SZ, 160 S21, 21, chal, clen); 161 return (err); 162 } 163 164 /* 165 * Calculate an NTLMv1 session key (16 bytes). 166 */ 167 static void 168 ntlm_v1_session_key(uchar_t *ssn_key, const uchar_t *nt_hash) 169 { 170 MD4_CTX md4; 171 172 MD4Init(&md4); 173 MD4Update(&md4, nt_hash, NTLM_HASH_SZ); 174 MD4Final(ssn_key, &md4); 175 } 176 177 /* 178 * Compute both the LM(v1) response and the NTLM(v1) response, 179 * and put them in the mbdata chains passed. This allocates 180 * mbuf chains in the output args, which the caller frees. 181 */ 182 int 183 ntlm_put_v1_responses(struct smb_ctx *ctx, 184 struct mbdata *lm_mbp, struct mbdata *nt_mbp) 185 { 186 uchar_t *lmresp, *ntresp; 187 int err; 188 189 /* Get mbuf chain for the LM response. */ 190 if ((err = mb_init(lm_mbp, NTLM_V1_RESP_SZ)) != 0) 191 return (err); 192 193 /* Get mbuf chain for the NT response. */ 194 if ((err = mb_init(nt_mbp, NTLM_V1_RESP_SZ)) != 0) 195 return (err); 196 197 /* 198 * Compute the LM response, derived 199 * from the challenge and the ASCII 200 * password (if authflags allow). 201 */ 202 mb_fit(lm_mbp, NTLM_V1_RESP_SZ, (char **)&lmresp); 203 bzero(lmresp, NTLM_V1_RESP_SZ); 204 if (ctx->ct_authflags & SMB_AT_LM1) { 205 /* They asked to send the LM hash too. */ 206 err = ntlm_v1_response(lmresp, ctx->ct_lmhash, 207 ctx->ct_ntlm_chal, NTLM_CHAL_SZ); 208 if (err) 209 return (err); 210 } 211 212 /* 213 * Compute the NTLM response, derived from 214 * the challenge and the NT hash. 215 */ 216 mb_fit(nt_mbp, NTLM_V1_RESP_SZ, (char **)&ntresp); 217 bzero(ntresp, NTLM_V1_RESP_SZ); 218 err = ntlm_v1_response(ntresp, ctx->ct_nthash, 219 ctx->ct_ntlm_chal, NTLM_CHAL_SZ); 220 221 /* 222 * Compute the session key 223 */ 224 ntlm_v1_session_key(ctx->ct_ssn_key, ctx->ct_nthash); 225 226 return (err); 227 } 228 229 /* 230 * A variation on HMAC-MD5 known as HMACT64 is used by Windows systems. 231 * The HMACT64() function is the same as the HMAC-MD5() except that 232 * it truncates the input key to 64 bytes rather than hashing it down 233 * to 16 bytes using the MD5() function. 234 * 235 * Output: digest (16-bytes) 236 */ 237 static void 238 HMACT64(uchar_t *digest, 239 const uchar_t *key, size_t key_len, 240 const uchar_t *data, size_t data_len) 241 { 242 MD5_CTX context; 243 uchar_t k_ipad[64]; /* inner padding - key XORd with ipad */ 244 uchar_t k_opad[64]; /* outer padding - key XORd with opad */ 245 int i; 246 247 /* if key is longer than 64 bytes use only the first 64 bytes */ 248 if (key_len > 64) 249 key_len = 64; 250 251 /* 252 * The HMAC-MD5 (and HMACT64) transform looks like: 253 * 254 * MD5(K XOR opad, MD5(K XOR ipad, data)) 255 * 256 * where K is an n byte key 257 * ipad is the byte 0x36 repeated 64 times 258 * opad is the byte 0x5c repeated 64 times 259 * and data is the data being protected. 260 */ 261 262 /* start out by storing key in pads */ 263 bzero(k_ipad, sizeof (k_ipad)); 264 bzero(k_opad, sizeof (k_opad)); 265 bcopy(key, k_ipad, key_len); 266 bcopy(key, k_opad, key_len); 267 268 /* XOR key with ipad and opad values */ 269 for (i = 0; i < 64; i++) { 270 k_ipad[i] ^= 0x36; 271 k_opad[i] ^= 0x5c; 272 } 273 274 /* 275 * perform inner MD5 276 */ 277 MD5Init(&context); /* init context for 1st pass */ 278 MD5Update(&context, k_ipad, 64); /* start with inner pad */ 279 MD5Update(&context, data, data_len); /* then data of datagram */ 280 MD5Final(digest, &context); /* finish up 1st pass */ 281 282 /* 283 * perform outer MD5 284 */ 285 MD5Init(&context); /* init context for 2nd pass */ 286 MD5Update(&context, k_opad, 64); /* start with outer pad */ 287 MD5Update(&context, digest, 16); /* then results of 1st hash */ 288 MD5Final(digest, &context); /* finish up 2nd pass */ 289 } 290 291 292 /* 293 * Compute an NTLMv2 hash given the NTLMv1 hash, the user name, 294 * and the destination (machine or domain name). 295 * 296 * Output: 297 * v2hash: 16-byte NTLMv2 hash. 298 * Inputs: 299 * v1hash: 16-byte NTLMv1 hash. 300 * user: User name, UPPER-case UTF-8 string. 301 * destination: Domain or server, MIXED-case UTF-8 string. 302 */ 303 static int 304 ntlm_v2_hash(uchar_t *v2hash, const uchar_t *v1hash, 305 const char *user, const char *destination) 306 { 307 int ulen, dlen; 308 size_t ucs2len; 309 uint16_t *ucs2data = NULL; 310 char *utf8data = NULL; 311 int err = ENOMEM; 312 313 /* 314 * v2hash = HMACT64(v1hash, 16, concat(upcase(user), dest)) 315 * where "dest" is the domain or server name ("target name") 316 * Note: user name is converted to upper-case by the caller. 317 */ 318 319 /* utf8data = concat(user, dest) */ 320 ulen = strlen(user); 321 dlen = strlen(destination); 322 utf8data = malloc(ulen + dlen + 1); 323 if (utf8data == NULL) 324 goto out; 325 bcopy(user, utf8data, ulen); 326 bcopy(destination, utf8data + ulen, dlen + 1); 327 328 /* Convert to UCS-2LE */ 329 ucs2data = convert_utf8_to_leunicode(utf8data); 330 if (ucs2data == NULL) 331 goto out; 332 ucs2len = 2 * unicode_strlen(ucs2data); 333 334 HMACT64(v2hash, v1hash, NTLM_HASH_SZ, 335 (uchar_t *)ucs2data, ucs2len); 336 err = 0; 337 out: 338 if (ucs2data) 339 free(ucs2data); 340 if (utf8data) 341 free(utf8data); 342 return (err); 343 } 344 345 /* 346 * Compute a partial LMv2 or NTLMv2 response (first 16-bytes). 347 * The full response is composed by the caller by 348 * appending the client_data to the returned hash. 349 * 350 * Output: 351 * rhash: _partial_ LMv2/NTLMv2 response (first 16-bytes) 352 * Inputs: 353 * v2hash: 16-byte NTLMv2 hash. 354 * C8: Challenge from server (8 bytes) 355 * client_data: client nonce (for LMv2) or the 356 * "blob" from ntlm_build_target_info (NTLMv2) 357 */ 358 static int 359 ntlm_v2_resp_hash(uchar_t *rhash, 360 const uchar_t *v2hash, const uchar_t *C8, 361 const uchar_t *client_data, size_t cdlen) 362 { 363 size_t dlen; 364 uchar_t *data = NULL; 365 366 /* data = concat(C8, client_data) */ 367 dlen = 8 + cdlen; 368 data = malloc(dlen); 369 if (data == NULL) 370 return (ENOMEM); 371 bcopy(C8, data, 8); 372 bcopy(client_data, data + 8, cdlen); 373 374 HMACT64(rhash, v2hash, NTLM_HASH_SZ, data, dlen); 375 376 free(data); 377 return (0); 378 } 379 380 /* 381 * Calculate an NTLMv2 session key (16 bytes). 382 */ 383 static void 384 ntlm_v2_session_key(uchar_t *ssn_key, 385 const uchar_t *v2hash, 386 const uchar_t *ntresp) 387 { 388 389 /* session key uses only 1st 16 bytes of ntresp */ 390 HMACT64(ssn_key, v2hash, NTLM_HASH_SZ, ntresp, NTLM_HASH_SZ); 391 } 392 393 394 /* 395 * Compute both the LMv2 response and the NTLMv2 response, 396 * and put them in the mbdata chains passed. This allocates 397 * mbuf chains in the output args, which the caller frees. 398 * Also computes the session key. 399 */ 400 int 401 ntlm_put_v2_responses(struct smb_ctx *ctx, struct mbdata *ti_mbp, 402 struct mbdata *lm_mbp, struct mbdata *nt_mbp) 403 { 404 uchar_t *lmresp, *ntresp; 405 int err; 406 char *ucdom = NULL; /* user's domain */ 407 char *ucuser = NULL; /* account name */ 408 uchar_t v2hash[NTLM_HASH_SZ]; 409 struct mbuf *tim = ti_mbp->mb_top; 410 411 if ((err = mb_init(lm_mbp, M_MINSIZE)) != 0) 412 return (err); 413 if ((err = mb_init(nt_mbp, M_MINSIZE)) != 0) 414 return (err); 415 416 /* 417 * Convert the user name to upper-case, as 418 * that's what's used when computing LMv2 419 * and NTLMv2 responses. Also the domain. 420 */ 421 ucdom = utf8_str_toupper(ctx->ct_domain); 422 ucuser = utf8_str_toupper(ctx->ct_user); 423 if (ucdom == NULL || ucuser == NULL) { 424 err = ENOMEM; 425 goto out; 426 } 427 428 /* 429 * Compute the NTLMv2 hash (see above) 430 * Needs upper-case user, domain. 431 */ 432 err = ntlm_v2_hash(v2hash, ctx->ct_nthash, ucuser, ucdom); 433 if (err) 434 goto out; 435 436 /* 437 * Compute the LMv2 response, derived from 438 * the v2hash, the server challenge, and 439 * the client nonce (random bits). 440 * 441 * We compose it from two parts: 442 * 1: 16-byte response hash 443 * 2: Client nonce 444 */ 445 lmresp = (uchar_t *)lm_mbp->mb_pos; 446 mb_put_mem(lm_mbp, NULL, NTLM_HASH_SZ); 447 err = ntlm_v2_resp_hash(lmresp, 448 v2hash, ctx->ct_ntlm_chal, 449 ctx->ct_clnonce, NTLM_CHAL_SZ); 450 if (err) 451 goto out; 452 mb_put_mem(lm_mbp, ctx->ct_clnonce, NTLM_CHAL_SZ); 453 454 /* 455 * Compute the NTLMv2 response, derived 456 * from the server challenge and the 457 * "target info." blob passed in. 458 * 459 * Again composed from two parts: 460 * 1: 16-byte response hash 461 * 2: "target info." blob 462 */ 463 ntresp = (uchar_t *)nt_mbp->mb_pos; 464 mb_put_mem(nt_mbp, NULL, NTLM_HASH_SZ); 465 err = ntlm_v2_resp_hash(ntresp, 466 v2hash, ctx->ct_ntlm_chal, 467 (uchar_t *)tim->m_data, tim->m_len); 468 if (err) 469 goto out; 470 mb_put_mem(nt_mbp, tim->m_data, tim->m_len); 471 472 /* 473 * Compute the session key 474 */ 475 ntlm_v2_session_key(ctx->ct_ssn_key, v2hash, ntresp); 476 477 out: 478 if (err) { 479 mb_done(lm_mbp); 480 mb_done(nt_mbp); 481 } 482 free(ucdom); 483 free(ucuser); 484 485 return (err); 486 } 487 488 /* 489 * Helper for ntlm_build_target_info below. 490 * Put a name in the NTLMv2 "target info." blob. 491 */ 492 static void 493 smb_put_blob_name(struct mbdata *mbp, char *name, int type) 494 { 495 uint16_t *ucs = NULL; 496 int nlen; 497 498 if (name) 499 ucs = convert_utf8_to_leunicode(name); 500 if (ucs) 501 nlen = unicode_strlen(ucs); 502 else 503 nlen = 0; 504 505 nlen <<= 1; /* length in bytes, without null. */ 506 507 mb_put_uint16le(mbp, type); 508 mb_put_uint16le(mbp, nlen); 509 mb_put_mem(mbp, (char *)ucs, nlen); 510 511 if (ucs) 512 free(ucs); 513 } 514 515 /* 516 * Build an NTLMv2 "target info." blob. When called from NTLMSSP, 517 * the list of names comes from the Type 2 message. Otherwise, 518 * we create the name list here. 519 */ 520 int 521 ntlm_build_target_info(struct smb_ctx *ctx, struct mbuf *names, 522 struct mbdata *mbp) 523 { 524 struct timeval now; 525 uint64_t nt_time; 526 527 char *ucdom = NULL; /* user's domain */ 528 int err; 529 530 /* Get mbuf chain for the "target info". */ 531 if ((err = mb_init(mbp, M_MINSIZE)) != 0) 532 return (err); 533 534 /* 535 * Construct the client nonce by getting 536 * some random data from /dev/urandom 537 */ 538 err = smb_get_urandom(ctx->ct_clnonce, NTLM_CHAL_SZ); 539 if (err) 540 goto out; 541 542 /* 543 * Get the "NT time" for the target info header. 544 */ 545 (void) gettimeofday(&now, 0); 546 smb_time_local2NT(&now, 0, &nt_time); 547 548 /* 549 * Build the "target info." block. 550 * 551 * Based on information at: 552 * http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response 553 * 554 * First the fixed-size part. 555 */ 556 mb_put_uint32le(mbp, 0x101); /* Blob signature */ 557 mb_put_uint32le(mbp, 0); /* reserved */ 558 mb_put_uint64le(mbp, nt_time); /* NT time stamp */ 559 mb_put_mem(mbp, ctx->ct_clnonce, NTLM_CHAL_SZ); 560 mb_put_uint32le(mbp, 0); /* unknown */ 561 562 /* 563 * Now put the list of names, either from the 564 * NTLMSSP Type 2 message or composed here. 565 */ 566 if (names) { 567 err = mb_put_mem(mbp, names->m_data, names->m_len); 568 } else { 569 /* Get upper-case names. */ 570 ucdom = utf8_str_toupper(ctx->ct_domain); 571 if (ucdom == NULL) { 572 err = ENOMEM; 573 goto out; 574 } 575 smb_put_blob_name(mbp, ucdom, NAMETYPE_DOMAIN_NB); 576 smb_put_blob_name(mbp, NULL, NAMETYPE_EOL); 577 /* OK, that's the whole "target info." blob! */ 578 } 579 err = 0; 580 581 out: 582 free(ucdom); 583 return (err); 584 } 585