source: branches/samba-3.2.x/source/libsmb/credentials.c@ 612

Last change on this file since 612 was 272, checked in by Herwig Bauernfeind, 17 years ago

Update 3.2 to 3.2.12
File size: 12.1 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 code to manipulate domain credentials
4 Copyright (C) Andrew Tridgell 1997-1998
5 Largely rewritten by Jeremy Allison 2005.
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19*/
20
21#include "includes.h"
22
23/****************************************************************************
24 Represent a credential as a string.
25****************************************************************************/
26
27char *credstr(const unsigned char *cred)
28{
29 char *result;
30 result = talloc_asprintf(talloc_tos(),
31 "%02X%02X%02X%02X%02X%02X%02X%02X",
32 cred[0], cred[1], cred[2], cred[3],
33 cred[4], cred[5], cred[6], cred[7]);
34 SMB_ASSERT(result != NULL);
35 return result;
36}
37
38/****************************************************************************
39 Setup the session key and the client and server creds in dc.
40 ADS-style 128 bit session keys.
41 Used by both client and server creds setup.
42****************************************************************************/
43
44static void creds_init_128(struct dcinfo *dc,
45 const struct netr_Credential *clnt_chal_in,
46 const struct netr_Credential *srv_chal_in,
47 const unsigned char mach_pw[16])
48{
49 unsigned char zero[4], tmp[16];
50 HMACMD5Context ctx;
51 struct MD5Context md5;
52
53 /* Just in case this isn't already there */
54 memcpy(dc->mach_pw, mach_pw, 16);
55
56 ZERO_STRUCT(dc->sess_key);
57
58 memset(zero, 0, sizeof(zero));
59
60 hmac_md5_init_rfc2104(mach_pw, 16, &ctx);
61 MD5Init(&md5);
62 MD5Update(&md5, zero, sizeof(zero));
63 MD5Update(&md5, clnt_chal_in->data, 8);
64 MD5Update(&md5, srv_chal_in->data, 8);
65 MD5Final(tmp, &md5);
66 hmac_md5_update(tmp, sizeof(tmp), &ctx);
67 hmac_md5_final(dc->sess_key, &ctx);
68
69 /* debug output */
70 DEBUG(5,("creds_init_128\n"));
71 DEBUG(5,("\tclnt_chal_in: %s\n", credstr(clnt_chal_in->data)));
72 DEBUG(5,("\tsrv_chal_in : %s\n", credstr(srv_chal_in->data)));
73 dump_data_pw("\tsession_key ", (const unsigned char *)dc->sess_key, 16);
74
75 /* Generate the next client and server creds. */
76
77 des_crypt112(dc->clnt_chal.data, /* output */
78 clnt_chal_in->data, /* input */
79 dc->sess_key, /* input */
80 1);
81
82 des_crypt112(dc->srv_chal.data, /* output */
83 srv_chal_in->data, /* input */
84 dc->sess_key, /* input */
85 1);
86
87 /* Seed is the client chal. */
88 memcpy(dc->seed_chal.data, dc->clnt_chal.data, 8);
89}
90
91/****************************************************************************
92 Setup the session key and the client and server creds in dc.
93 Used by both client and server creds setup.
94****************************************************************************/
95
96static void creds_init_64(struct dcinfo *dc,
97 const struct netr_Credential *clnt_chal_in,
98 const struct netr_Credential *srv_chal_in,
99 const unsigned char mach_pw[16])
100{
101 uint32 sum[2];
102 unsigned char sum2[8];
103
104 /* Just in case this isn't already there */
105 if (dc->mach_pw != mach_pw) {
106 memcpy(dc->mach_pw, mach_pw, 16);
107 }
108
109 sum[0] = IVAL(clnt_chal_in->data, 0) + IVAL(srv_chal_in->data, 0);
110 sum[1] = IVAL(clnt_chal_in->data, 4) + IVAL(srv_chal_in->data, 4);
111
112 SIVAL(sum2,0,sum[0]);
113 SIVAL(sum2,4,sum[1]);
114
115 ZERO_STRUCT(dc->sess_key);
116
117 des_crypt128(dc->sess_key, sum2, dc->mach_pw);
118
119 /* debug output */
120 DEBUG(5,("creds_init_64\n"));
121 DEBUG(5,("\tclnt_chal_in: %s\n", credstr(clnt_chal_in->data)));
122 DEBUG(5,("\tsrv_chal_in : %s\n", credstr(srv_chal_in->data)));
123 DEBUG(5,("\tclnt+srv : %s\n", credstr(sum2)));
124 DEBUG(5,("\tsess_key_out : %s\n", credstr(dc->sess_key)));
125
126 /* Generate the next client and server creds. */
127
128 des_crypt112(dc->clnt_chal.data, /* output */
129 clnt_chal_in->data, /* input */
130 dc->sess_key, /* input */
131 1);
132
133 des_crypt112(dc->srv_chal.data, /* output */
134 srv_chal_in->data, /* input */
135 dc->sess_key, /* input */
136 1);
137
138 /* Seed is the client chal. */
139 memcpy(dc->seed_chal.data, dc->clnt_chal.data, 8);
140}
141
142/****************************************************************************
143 Utility function to step credential chain one forward.
144 Deliberately doesn't update the seed. See reseed comment below.
145****************************************************************************/
146
147static void creds_step(struct dcinfo *dc)
148{
149 DOM_CHAL time_chal;
150
151 DEBUG(5,("\tsequence = 0x%x\n", (unsigned int)dc->sequence ));
152
153 DEBUG(5,("\tseed: %s\n", credstr(dc->seed_chal.data) ));
154
155 SIVAL(time_chal.data, 0, IVAL(dc->seed_chal.data, 0) + dc->sequence);
156 SIVAL(time_chal.data, 4, IVAL(dc->seed_chal.data, 4));
157
158 DEBUG(5,("\tseed+seq %s\n", credstr(time_chal.data) ));
159
160 des_crypt112(dc->clnt_chal.data, time_chal.data, dc->sess_key, 1);
161
162 DEBUG(5,("\tCLIENT %s\n", credstr(dc->clnt_chal.data) ));
163
164 SIVAL(time_chal.data, 0, IVAL(dc->seed_chal.data, 0) + dc->sequence + 1);
165 SIVAL(time_chal.data, 4, IVAL(dc->seed_chal.data, 4));
166
167 DEBUG(5,("\tseed+seq+1 %s\n", credstr(time_chal.data) ));
168
169 des_crypt112(dc->srv_chal.data, time_chal.data, dc->sess_key, 1);
170
171 DEBUG(5,("\tSERVER %s\n", credstr(dc->srv_chal.data) ));
172}
173
174/****************************************************************************