関数 | |
void | SMBencrypt_hash (const uchar lm_hash[16], const uchar *c8, uchar p24[24]) |
BOOL | SMBencrypt (const char *passwd, const uchar *c8, uchar p24[24]) |
void | E_md4hash (const char *passwd, uchar p16[16]) |
Creates the MD4 Hash of the users password in NT UNICODE. | |
void | E_md5hash (const uchar salt[16], const uchar nthash[16], uchar hash_out[16]) |
Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash. | |
BOOL | E_deshash (const char *passwd, uchar p16[16]) |
Creates the DES forward-only Hash of the users password in DOS ASCII charset | |
void | nt_lm_owf_gen (const char *pwd, uchar nt_p16[16], uchar p16[16]) |
Creates the MD4 and DES (LM) Hash of the users password. | |
BOOL | ntv2_owf_gen (const uchar owf[16], const char *user_in, const char *domain_in, BOOL upper_case_domain, uchar kr_buf[16]) |
void | SMBOWFencrypt (const uchar passwd[16], const uchar *c8, uchar p24[24]) |
void | NTLMSSPOWFencrypt (const uchar passwd[8], const uchar *ntlmchalresp, uchar p24[24]) |
void | SMBNTencrypt_hash (const uchar nt_hash[16], uchar *c8, uchar *p24) |
void | SMBNTencrypt (const char *passwd, uchar *c8, uchar *p24) |
void | SMBOWFencrypt_ntv2 (const uchar kr[16], const DATA_BLOB *srv_chal, const DATA_BLOB *cli_chal, uchar resp_buf[16]) |
void | SMBsesskeygen_ntv2 (const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16]) |
void | SMBsesskeygen_ntv1 (const uchar kr[16], const uchar *nt_resp, uint8 sess_key[16]) |
void | SMBsesskeygen_lm_sess_key (const uchar lm_hash[16], const uchar lm_resp[24], uint8 sess_key[16]) |
DATA_BLOB | NTLMv2_generate_names_blob (const char *hostname, const char *domain) |
static DATA_BLOB | NTLMv2_generate_client_data (const DATA_BLOB *names_blob) |
static DATA_BLOB | NTLMv2_generate_response (const uchar ntlm_v2_hash[16], const DATA_BLOB *server_chal, const DATA_BLOB *names_blob) |
static DATA_BLOB | LMv2_generate_response (const uchar ntlm_v2_hash[16], const DATA_BLOB *server_chal) |
BOOL | SMBNTLMv2encrypt_hash (const char *user, const char *domain, const uchar nt_hash[16], const DATA_BLOB *server_chal, const DATA_BLOB *names_blob, DATA_BLOB *lm_response, DATA_BLOB *nt_response, DATA_BLOB *user_session_key) |
BOOL | SMBNTLMv2encrypt (const char *user, const char *domain, const char *password, const DATA_BLOB *server_chal, const DATA_BLOB *names_blob, DATA_BLOB *lm_response, DATA_BLOB *nt_response, DATA_BLOB *user_session_key) |
BOOL | encode_pw_buffer (uint8 buffer[516], const char *password, int string_flags) |
BOOL | decode_pw_buffer (uint8 in_buffer[516], char *new_pwrd, int new_pwrd_size, uint32 *new_pw_len, int string_flags) |
void | encode_or_decode_arc4_passwd_buffer (unsigned char pw_buf[532], const DATA_BLOB *psession_key) |
void | sess_crypt_blob (DATA_BLOB *out, const DATA_BLOB *in, const DATA_BLOB *session_key, int forward) |
char * | decrypt_trustdom_secret (const char *pass, DATA_BLOB *data_in) |
void SMBencrypt_hash | ( | const uchar | lm_hash[16], | |
const uchar * | c8, | |||
uchar | p24[24] | |||
) |
smbencrypt.c の 28 行で定義されています。
参照先 dump_data()・SMBOWFencrypt().
参照元 ntlmssp_client_challenge()・SMBencrypt().
00029 { 00030 uchar p21[21]; 00031 00032 memset(p21,'\0',21); 00033 memcpy(p21, lm_hash, 16); 00034 00035 SMBOWFencrypt(p21, c8, p24); 00036 00037 #ifdef DEBUG_PASSWORD 00038 DEBUG(100,("SMBencrypt_hash: lm#, challenge, response\n")); 00039 dump_data(100, (const char *)p21, 16); 00040 dump_data(100, (const char *)c8, 8); 00041 dump_data(100, (const char *)p24, 24); 00042 #endif 00043 }
BOOL SMBencrypt | ( | const char * | passwd, | |
const uchar * | c8, | |||
uchar | p24[24] | |||
) |
smbencrypt.c の 53 行で定義されています。
参照先 E_deshash()・SMBencrypt_hash().
参照元 cli_send_tconX()・cli_session_setup_lanman2()・cli_session_setup_nt1()・make_user_info_for_reply()・py_auth_crap()・py_auth_smbd()・rpccli_netlogon_sam_logon()・test_lm_ntlm_broken()・wbinfo_auth_crap()・winbindd_dual_pam_auth_samlogon().
00054 { 00055 BOOL ret; 00056 uchar lm_hash[16]; 00057 00058 ret = E_deshash(passwd, lm_hash); 00059 SMBencrypt_hash(lm_hash, c8, p24); 00060 return ret; 00061 }
void E_md4hash | ( | const char * | passwd, | |
uchar | p16[16] | |||
) |
Creates the MD4 Hash of the users password in NT UNICODE.
passwd | password in 'unix' charset. | |
p16 | return password hashed with md4, caller allocated 16 byte buffer |
smbencrypt.c の 69 行で定義されています。
参照先 len・mdfour()・push_ucs2()・strlen_w().
参照元 check_oem_password()・check_passwd_history()・check_trustdomain_security()・cli_session_setup_nt1()・decrypt_trustdom_secret()・get_trust_pw_hash()・manage_ntlm_change_password_1_request()・net_rpc_join_newstyle()・netdom_join_domain()・nt_lm_owf_gen()・ntlmssp_set_password()・pdb_set_plaintext_passwd()・rpc_oldjoin_internals()・rpccli_samr_chgpasswd3()・rpccli_samr_chgpasswd_user()・secrets_fetch_trust_account_password()・SMBNTencrypt()・SMBNTLMv2encrypt()・store_memory_creds()・test_lm_ntlm_broken()・test_ntlm_in_both()・trust_pw_change_and_store_it()・winbindd_dual_pam_auth_cached()・winbindd_store_creds().
00070 { 00071 int len; 00072 smb_ucs2_t wpwd[129]; 00073 00074 /* Password must be converted to NT unicode - null terminated. */ 00075 push_ucs2(NULL, wpwd, (const char *)passwd, 256, STR_UNICODE|STR_NOALIGN|STR_TERMINATE); 00076 /* Calculate length in bytes */ 00077 len = strlen_w(wpwd) * sizeof(int16); 00078 00079 mdfour(p16, (unsigned char *)wpwd, len); 00080 ZERO_STRUCT(wpwd); 00081 }
void E_md5hash | ( | const uchar | salt[16], | |
const uchar | nthash[16], | |||
uchar | hash_out[16] | |||
) |
Creates the MD5 Hash of a combination of 16 byte salt and 16 byte NT hash.
16 | byte salt. | |
16 | byte NT hash. | |
16 | byte return hashed with md5, caller allocated 16 byte buffer |
smbencrypt.c の 90 行で定義されています。
参照先 MD5Final()・MD5Init()・MD5Update().
参照元 check_passwd_history()・pdb_set_plaintext_passwd()・wcache_save_creds()・winbindd_dual_pam_auth_cached().
00091 { 00092 struct MD5Context tctx; 00093 uchar array[32]; 00094 00095 memset(hash_out, '\0', 16); 00096 memcpy(array, salt, 16); 00097 memcpy(&array[16], nthash, 16); 00098 MD5Init(&tctx); 00099 MD5Update(&tctx, array, 32); 00100 MD5Final(hash_out, &tctx); 00101 }
BOOL E_deshash | ( | const char * | passwd, | |
uchar | p16[16] | |||
) |
Creates the DES forward-only Hash of the users password in DOS ASCII charset
passwd | password in 'unix' charset. | |
p16 | return password hashed with DES, caller allocated 16 byte buffer |
smbencrypt.c の 111 行で定義されています。
参照先 E_P16()・push_ascii().
参照元 check_oem_password()・cli_oem_change_password()・cli_session_setup_nt1()・manage_ntlm_change_password_1_request()・nt_lm_owf_gen()・ntlmssp_set_password()・pdb_set_plaintext_passwd()・rpccli_samr_chgpasswd3()・rpccli_samr_chgpasswd_user()・SMBencrypt()・store_memory_creds()・test_lm_ntlm_broken()・test_ntlm_in_both()・test_ntlm_in_lm().
00112 { 00113 BOOL ret = True; 00114 fstring dospwd; 00115 ZERO_STRUCT(dospwd); 00116 00117 /* Password must be converted to DOS charset - null terminated, uppercase. */ 00118 push_ascii(dospwd, passwd, sizeof(dospwd), STR_UPPER|STR_TERMINATE); 00119 00120 /* Only the fisrt 14 chars are considered, password need not be null terminated. */ 00121 E_P16((const unsigned char *)dospwd, p16); 00122 00123 if (strlen(dospwd) > 14) { 00124 ret = False; 00125 } 00126 00127 ZERO_STRUCT(dospwd); 00128 00129 return ret; 00130 }
void nt_lm_owf_gen | ( | const char * | pwd, | |
uchar | nt_p16[16], | |||
uchar | p16[16] | |||
) |
Creates the MD4 and DES (LM) Hash of the users password.
MD4 is of the NT Unicode, DES is of the DOS UPPERCASE password.
passwd | password in 'unix' charset. | |
nt_p16 | return password hashed with md4, caller allocated 16 byte buffer | |
p16 | return password hashed with des, caller allocated 16 byte buffer |
smbencrypt.c の 141 行で定義されています。
参照先 dump_data()・E_deshash()・E_md4hash().
参照元 _cleanup_failures()・check_oem_password()・init_sam_from_ldap()・local_pw_check()・rpccli_netlogon_sam_logon().
00142 { 00143 /* Calculate the MD4 hash (NT compatible) of the password */ 00144 memset(nt_p16, '\0', 16); 00145 E_md4hash(pwd, nt_p16); 00146 00147 #ifdef DEBUG_PASSWORD 00148 DEBUG(100,("nt_lm_owf_gen: pwd, nt#\n")); 00149 dump_data(120, pwd, strlen(pwd)); 00150 dump_data(100, (char *)nt_p16, 16); 00151 #endif 00152 00153 E_deshash(pwd, (uchar *)p16); 00154 00155 #ifdef DEBUG_PASSWORD 00156 DEBUG(100,("nt_lm_owf_gen: pwd, lm#\n")); 00157 dump_data(120, pwd, strlen(pwd)); 00158 dump_data(100, (char *)p16, 16); 00159 #endif 00160 }
BOOL ntv2_owf_gen | ( | const uchar | owf[16], | |
const char * | user_in, | |||
const char * | domain_in, | |||
BOOL | upper_case_domain, | |||
uchar | kr_buf[16] | |||
) |
smbencrypt.c の 163 行で定義されています。
参照先 ctx・dump_data()・hmac_md5_final()・hmac_md5_init_limK_to_64()・hmac_md5_update()・push_ucs2_allocate()・strupper_w().
参照元 smb_pwd_check_ntlmv2()・SMBNTLMv2encrypt_hash().
00167 { 00168 smb_ucs2_t *user; 00169 smb_ucs2_t *domain; 00170 00171 size_t user_byte_len; 00172 size_t domain_byte_len; 00173 00174 HMACMD5Context ctx; 00175 00176 user_byte_len = push_ucs2_allocate(&user, user_in); 00177 if (user_byte_len == (size_t)-1) { 00178 DEBUG(0, ("push_uss2_allocate() for user returned -1 (probably malloc() failure)\n")); 00179 return False; 00180 } 00181 00182 domain_byte_len = push_ucs2_allocate(&domain, domain_in); 00183 if (domain_byte_len == (size_t)-1) { 00184 DEBUG(0, ("push_uss2_allocate() for domain returned -1 (probably malloc() failure)\n")); 00185 SAFE_FREE(user); 00186 return False; 00187 } 00188 00189 strupper_w(user); 00190 00191 if (upper_case_domain) 00192 strupper_w(domain); 00193 00194 SMB_ASSERT(user_byte_len >= 2); 00195 SMB_ASSERT(domain_byte_len >= 2); 00196 00197 /* We don't want null termination */ 00198 user_byte_len = user_byte_len - 2; 00199 domain_byte_len = domain_byte_len - 2; 00200 00201 hmac_md5_init_limK_to_64(owf, 16, &ctx); 00202 hmac_md5_update((const unsigned char *)user, user_byte_len, &ctx); 00203 hmac_md5_update((const unsigned char *)domain, domain_byte_len, &ctx); 00204 hmac_md5_final(kr_buf, &ctx); 00205 00206 #ifdef DEBUG_PASSWORD 00207 DEBUG(100, ("ntv2_owf_gen: user, domain, owfkey, kr\n")); 00208 dump_data(100, (const char *)user, user_byte_len); 00209 dump_data(100, (const char *)domain, domain_byte_len); 00210 dump_data(100, (const char *)owf, 16); 00211 dump_data(100, (const char *)kr_buf, 16); 00212 #endif 00213 00214 SAFE_FREE(user); 00215 SAFE_FREE(domain); 00216 return True; 00217 }
void SMBOWFencrypt | ( | const uchar | passwd[16], | |
const uchar * | c8, | |||
uchar | p24[24] | |||
) |
smbencrypt.c の 220 行で定義されています。
参照先 E_P24().
参照元 make_user_info_netlogon_interactive()・smb_pwd_check_ntlmv1()・SMBencrypt_hash()・SMBNTencrypt_hash()・SMBsesskeygen_lm_sess_key().
00221 { 00222 uchar p21[21]; 00223 00224 ZERO_STRUCT(p21); 00225 00226 memcpy(p21, passwd, 16); 00227 E_P24(p21, c8, p24); 00228 }
void NTLMSSPOWFencrypt | ( | const uchar | passwd[8], | |
const uchar * | ntlmchalresp, | |||
uchar | p24[24] | |||
) |
smbencrypt.c の 231 行で定義されています。
参照先 dump_data()・E_P24().
00232 { 00233 uchar p21[21]; 00234 00235 memset(p21,'\0',21); 00236 memcpy(p21, passwd, 8); 00237 memset(p21 + 8, 0xbd, 8); 00238 00239 E_P24(p21, ntlmchalresp, p24); 00240 #ifdef DEBUG_PASSWORD 00241 DEBUG(100,("NTLMSSPOWFencrypt: p21, c8, p24\n")); 00242 dump_data(100, (char *)p21, 21); 00243 dump_data(100, (const char *)ntlmchalresp, 8); 00244 dump_data(100, (char *)p24, 24); 00245 #endif 00246 }
void SMBNTencrypt_hash | ( | const uchar | nt_hash[16], | |
uchar * | c8, | |||
uchar * | p24 | |||
) |
smbencrypt.c の 251 行で定義されています。
参照先 dump_data()・SMBOWFencrypt().
参照元 ntlmssp_client_challenge()・SMBNTencrypt().
00252 { 00253 uchar p21[21]; 00254 00255 memset(p21,'\0',21); 00256 memcpy(p21, nt_hash, 16); 00257 SMBOWFencrypt(p21, c8, p24); 00258 00259 #ifdef DEBUG_PASSWORD 00260 DEBUG(100,("SMBNTencrypt: nt#, challenge, response\n")); 00261 dump_data(100, (char *)p21, 16); 00262 dump_data(100, (char *)c8, 8); 00263 dump_data(100, (char *)p24, 24); 00264 #endif 00265 }
void SMBNTencrypt | ( | const char * | passwd, | |
uchar * | c8, | |||
uchar * | p24 | |||
) |
smbencrypt.c の 269 行で定義されています。
参照先 E_md4hash()・SMBNTencrypt_hash().
参照元 cli_session_setup_nt1()・py_auth_crap()・py_auth_smbd()・rpccli_netlogon_sam_logon()・test_lm_ntlm_broken()・test_ntlm_in_both()・test_ntlm_in_lm()・wbinfo_auth_crap()・winbindd_dual_pam_auth_samlogon().
00270 { 00271 uchar nt_hash[16]; 00272 E_md4hash(passwd, nt_hash); 00273 SMBNTencrypt_hash(nt_hash, c8, p24); 00274 }
void SMBOWFencrypt_ntv2 | ( | const uchar | kr[16], | |
const DATA_BLOB * | srv_chal, | |||
const DATA_BLOB * | cli_chal, | |||
uchar | resp_buf[16] | |||
) |
smbencrypt.c の 277 行で定義されています。
参照先 ctx・data_blob_::data・dump_data()・hmac_md5_final()・hmac_md5_init_limK_to_64()・hmac_md5_update()・data_blob_::length.
参照元 LMv2_generate_response()・NTLMv2_generate_response()・smb_pwd_check_ntlmv2().
00281 { 00282 HMACMD5Context ctx; 00283 00284 hmac_md5_init_limK_to_64(kr, 16, &ctx); 00285 hmac_md5_update(srv_chal->data, srv_chal->length, &ctx); 00286 hmac_md5_update(cli_chal->data, cli_chal->length, &ctx); 00287 hmac_md5_final(resp_buf, &ctx); 00288 00289 #ifdef DEBUG_PASSWORD 00290 DEBUG(100, ("SMBOWFencrypt_ntv2: srv_chal, cli_chal, resp_buf\n")); 00291 dump_data(100, (const char *)srv_chal->data, srv_chal->length); 00292 dump_data(100, (const char *)cli_chal->data, cli_chal->length); 00293 dump_data(100, (const char *)resp_buf, 16); 00294 #endif 00295 }
void SMBsesskeygen_ntv2 | ( | const uchar | kr[16], | |
const uchar * | nt_resp, | |||
uint8 | sess_key[16] | |||
) |
smbencrypt.c の 297 行で定義されています。
参照先 ctx・dump_data()・hmac_md5_final()・hmac_md5_init_limK_to_64()・hmac_md5_update().
参照元 smb_pwd_check_ntlmv2()・SMBNTLMv2encrypt_hash().
00299 { 00300 /* a very nice, 128 bit, variable session key */ 00301 00302 HMACMD5Context ctx; 00303 00304 hmac_md5_init_limK_to_64(kr, 16, &ctx); 00305 hmac_md5_update(nt_resp, 16, &ctx); 00306 hmac_md5_final((unsigned char *)sess_key, &ctx); 00307 00308 #ifdef DEBUG_PASSWORD 00309 DEBUG(100, ("SMBsesskeygen_ntv2:\n")); 00310 dump_data(100, (const char *)sess_key, 16); 00311 #endif 00312 }
void SMBsesskeygen_ntv1 | ( | const uchar | kr[16], | |
const uchar * | nt_resp, | |||
uint8 | sess_key[16] | |||
) |
smbencrypt.c の 314 行で定義されています。
参照先 dump_data()・mdfour().
参照元 cli_session_setup_nt1()・ntlm_password_check()・ntlmssp_client_challenge()・smb_pwd_check_ntlmv1()・test_lm_ntlm_broken()・test_ntlm_in_both().
00316 { 00317 /* yes, this session key does not change - yes, this 00318 is a problem - but it is 128 bits */ 00319 00320 mdfour((unsigned char *)sess_key, kr, 16); 00321 00322 #ifdef DEBUG_PASSWORD 00323 DEBUG(100, ("SMBsesskeygen_ntv1:\n")); 00324 dump_data(100, (const char *)sess_key, 16); 00325 #endif 00326 }
void SMBsesskeygen_lm_sess_key | ( | const uchar | lm_hash[16], | |
const uchar | lm_resp[24], | |||
uint8 | sess_key[16] | |||
) |
smbencrypt.c の 328 行で定義されています。
参照先 dump_data()・SMBOWFencrypt().
参照元 ntlmssp_client_challenge()・ntlmssp_server_auth().
00331 { 00332 uchar p24[24]; 00333 uchar partial_lm_hash[16]; 00334 00335 memcpy(partial_lm_hash, lm_hash, 8); 00336 memset(partial_lm_hash + 8, 0xbd, 8); 00337 00338 SMBOWFencrypt(partial_lm_hash, lm_resp, p24); 00339 00340 memcpy(sess_key, p24, 16); 00341 00342 #ifdef DEBUG_PASSWORD 00343 DEBUG(100, ("SMBsesskeygen_lmv1_jerry:\n")); 00344 dump_data(100, (const char *)sess_key, 16); 00345 #endif 00346 }
DATA_BLOB NTLMv2_generate_names_blob | ( | const char * | hostname, | |
const char * | domain | |||
) |
smbencrypt.c の 348 行で定義されています。
参照先 data_blob()・msrpc_gen().
参照元 cli_session_setup_nt1()・test_lmv2_ntlmv2_broken()・wbinfo_auth_crap()・winbindd_dual_pam_auth_samlogon().
00350 { 00351 DATA_BLOB names_blob = data_blob(NULL, 0); 00352 00353 msrpc_gen(&names_blob, "aaa", 00354 NTLMSSP_NAME_TYPE_DOMAIN, domain, 00355 NTLMSSP_NAME_TYPE_SERVER, hostname, 00356 0, ""); 00357 return names_blob; 00358 }
smbencrypt.c の 360 行で定義されています。
参照先 data_blob_::data・data_blob()・generate_random_buffer()・data_blob_::length・msrpc_gen()・put_long_date().
参照元 NTLMv2_generate_response().
00361 { 00362 uchar client_chal[8]; 00363 DATA_BLOB response = data_blob(NULL, 0); 00364 char long_date[8]; 00365 00366 generate_random_buffer(client_chal, sizeof(client_chal)); 00367 00368 put_long_date(long_date, time(NULL)); 00369 00370 /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */ 00371 00372 msrpc_gen(&response, "ddbbdb", 00373 0x00000101, /* Header */ 00374 0, /* 'Reserved' */ 00375 long_date, 8, /* Timestamp */ 00376 client_chal, 8, /* client challenge */ 00377 0, /* Unknown */ 00378 names_blob->data, names_blob->length); /* End of name list */ 00379 00380 return response; 00381 }
static DATA_BLOB NTLMv2_generate_response | ( | const uchar | ntlm_v2_hash[16], | |
const DATA_BLOB * | server_chal, | |||
const DATA_BLOB * | names_blob | |||
) | [static] |
smbencrypt.c の 383 行で定義されています。
参照先 data_blob_::data・data_blob()・data_blob_free()・data_blob_::length・NTLMv2_generate_client_data()・SMBOWFencrypt_ntv2().
00386 { 00387 uchar ntlmv2_response[16]; 00388 DATA_BLOB ntlmv2_client_data; 00389 DATA_BLOB final_response; 00390 00391 /* NTLMv2 */ 00392 /* generate some data to pass into the response function - including 00393 the hostname and domain name of the server */ 00394 ntlmv2_client_data = NTLMv2_generate_client_data(names_blob); 00395 00396 /* Given that data, and the challenge from the server, generate a response */ 00397 SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response); 00398 00399 final_response = data_blob(NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length); 00400 00401 memcpy(final_response.data, ntlmv2_response, sizeof(ntlmv2_response)); 00402 00403 memcpy(final_response.data+sizeof(ntlmv2_response), 00404 ntlmv2_client_data.data, ntlmv2_client_data.length); 00405 00406 data_blob_free(&ntlmv2_client_data); 00407 00408 return final_response; 00409 }
static DATA_BLOB LMv2_generate_response | ( | const uchar | ntlm_v2_hash[16], | |
const DATA_BLOB * | server_chal | |||
) | [static] |
smbencrypt.c の 411 行で定義されています。
参照先 data_blob_::data・data_blob()・data_blob_free()・generate_random_buffer()・data_blob_::length・SMBOWFencrypt_ntv2().
00413 { 00414 uchar lmv2_response[16]; 00415 DATA_BLOB lmv2_client_data = data_blob(NULL, 8); 00416 DATA_BLOB final_response = data_blob(NULL, 24); 00417 00418 /* LMv2 */ 00419 /* client-supplied random data */ 00420 generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length); 00421 00422 /* Given that data, and the challenge from the server, generate a response */ 00423 SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response); 00424 memcpy(final_response.data, lmv2_response, sizeof(lmv2_response)); 00425 00426 /* after the first 16 bytes is the random data we generated above, 00427 so the server can verify us with it */ 00428 memcpy(final_response.data+sizeof(lmv2_response), 00429 lmv2_client_data.data, lmv2_client_data.length); 00430 00431 data_blob_free(&lmv2_client_data); 00432 00433 return final_response; 00434 }
BOOL SMBNTLMv2encrypt_hash | ( | const char * | user, | |
const char * | domain, | |||
const uchar | nt_hash[16], | |||
const DATA_BLOB * | server_chal, | |||
const DATA_BLOB * | names_blob, | |||
DATA_BLOB * | lm_response, | |||
DATA_BLOB * | nt_response, | |||
DATA_BLOB * | user_session_key | |||
) |
smbencrypt.c の 436 行で定義されています。
参照先 data_blob_::data・data_blob()・LMv2_generate_response()・NTLMv2_generate_response()・ntv2_owf_gen()・SMBsesskeygen_ntv2().
参照元 ntlmssp_client_challenge()・SMBNTLMv2encrypt().
00441 { 00442 uchar ntlm_v2_hash[16]; 00443 00444 /* We don't use the NT# directly. Instead we use it mashed up with 00445 the username and domain. 00446 This prevents username swapping during the auth exchange 00447 */ 00448 if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) { 00449 return False; 00450 } 00451 00452 if (nt_response) { 00453 *nt_response = NTLMv2_generate_response(ntlm_v2_hash, server_chal, 00454 names_blob); 00455 if (user_session_key) { 00456 *user_session_key = data_blob(NULL, 16); 00457 00458 /* The NTLMv2 calculations also provide a session key, for signing etc later */ 00459 /* use only the first 16 bytes of nt_response for session key */ 00460 SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, user_session_key->data); 00461 } 00462 } 00463 00464 /* LMv2 */ 00465 00466 if (lm_response) { 00467 *lm_response = LMv2_generate_response(ntlm_v2_hash, server_chal); 00468 } 00469 00470 return True; 00471 }
BOOL SMBNTLMv2encrypt | ( | const char * | user, | |
const char * | domain, | |||
const char * | password, | |||
const DATA_BLOB * | server_chal, | |||
const DATA_BLOB * | names_blob, | |||
DATA_BLOB * | lm_response, | |||
DATA_BLOB * | nt_response, | |||
DATA_BLOB * | user_session_key | |||
) |
smbencrypt.c の 475 行で定義されています。
参照先 E_md4hash()・SMBNTLMv2encrypt_hash().
参照元 cli_session_setup_nt1()・test_lmv2_ntlmv2_broken()・wbinfo_auth_crap()・winbindd_dual_pam_auth_samlogon().
00480 { 00481 uchar nt_hash[16]; 00482 E_md4hash(password, nt_hash); 00483 00484 return SMBNTLMv2encrypt_hash(user, domain, nt_hash, 00485 server_chal, 00486 names_blob, 00487 lm_response, nt_response, 00488 user_session_key); 00489 }
BOOL encode_pw_buffer | ( | uint8 | buffer[516], | |
const char * | password, | |||
int | string_flags | |||
) |
smbencrypt.c の 495 行で定義されています。
参照元 cac_SamSetPassword()・cli_oem_change_password()・init_q_srv_pwset2()・manage_ntlm_change_password_1_request()・net_rpc_join_newstyle()・netdom_join_domain()・rpc_trustdom_add_internals()・rpc_user_add_internals()・rpc_user_password_internals()・rpccli_samr_chgpasswd3()・rpccli_samr_chgpasswd_user().
00496 { 00497 uchar new_pw[512]; 00498 size_t new_pw_len; 00499 00500 /* the incoming buffer can be any alignment. */ 00501 string_flags |= STR_NOALIGN; 00502 00503 new_pw_len = push_string(NULL, new_pw, 00504 password, 00505 sizeof(new_pw), string_flags); 00506 00507 memcpy(&buffer[512 - new_pw_len], new_pw, new_pw_len); 00508 00509 generate_random_buffer(buffer, 512 - new_pw_len); 00510 00511 /* 00512 * The length of the new password is in the last 4 bytes of 00513 * the data buffer. 00514 */ 00515 SIVAL(buffer, 512, new_pw_len); 00516 ZERO_STRUCT(new_pw); 00517 return True; 00518 }
BOOL decode_pw_buffer | ( | uint8 | in_buffer[516], | |
char * | new_pwrd, | |||
int | new_pwrd_size, | |||
uint32 * | new_pw_len, | |||
int | string_flags | |||
) |
smbencrypt.c の 527 行で定義されています。
参照先 dump_data().
参照元 check_oem_password()・set_user_info_23()・set_user_info_pw().
00530 { 00531 int byte_len=0; 00532 00533 /* the incoming buffer can be any alignment. */ 00534 string_flags |= STR_NOALIGN; 00535 00536 /* 00537 Warning !!! : This function is called from some rpc call. 00538 The password IN the buffer may be a UNICODE string. 00539 The password IN new_pwrd is an ASCII string 00540 If you reuse that code somewhere else check first. 00541 */ 00542 00543 /* The length of the new password is in the last 4 bytes of the data buffer. */ 00544 00545 byte_len = IVAL(in_buffer, 512); 00546 00547 #ifdef DEBUG_PASSWORD 00548 dump_data(100, (const char *)in_buffer, 516); 00549 #endif 00550 00551 /* Password cannot be longer than the size of the password buffer */ 00552 if ( (byte_len < 0) || (byte_len > 512)) { 00553 DEBUG(0, ("decode_pw_buffer: incorrect password length (%d).\n", byte_len)); 00554 DEBUG(0, ("decode_pw_buffer: check that 'encrypt passwords = yes'\n")); 00555 return False; 00556 } 00557 00558 /* decode into the return buffer. Buffer length supplied */ 00559 *new_pw_len = pull_string(NULL, new_pwrd, &in_buffer[512 - byte_len], new_pwrd_size, 00560 byte_len, string_flags); 00561 00562 #ifdef DEBUG_PASSWORD 00563 DEBUG(100,("decode_pw_buffer: new_pwrd: ")); 00564 dump_data(100, (const char *)new_pwrd, *new_pw_len); 00565 DEBUG(100,("multibyte len:%d\n", *new_pw_len)); 00566 DEBUG(100,("original char len:%d\n", byte_len/2)); 00567 #endif 00568 00569 return True; 00570 }
void encode_or_decode_arc4_passwd_buffer | ( | unsigned char | pw_buf[532], | |
const DATA_BLOB * | psession_key | |||
) |
smbencrypt.c の 576 行で定義されています。
参照先 data_blob_::data・data_blob_::length・MD5Final()・MD5Init()・MD5Update()・SamOEMhash().
参照元 _samr_set_userinfo()・_samr_set_userinfo2().
00577 { 00578 struct MD5Context tctx; 00579 unsigned char key_out[16]; 00580 00581 /* Confounder is last 16 bytes. */ 00582 00583 MD5Init(&tctx); 00584 MD5Update(&tctx, &pw_buf[516], 16); 00585 MD5Update(&tctx, psession_key->data, psession_key->length); 00586 MD5Final(key_out, &tctx); 00587 /* arc4 with key_out. */ 00588 SamOEMhash(pw_buf, key_out, 516); 00589 }
void sess_crypt_blob | ( | DATA_BLOB * | out, | |
const DATA_BLOB * | in, | |||
const DATA_BLOB * | session_key, | |||
int | forward | |||
) |
smbencrypt.c の 596 行で定義されています。
参照先 data_blob_::data・des_crypt56()・MD5Context::in・data_blob_::length.
参照元 decrypt_trustdom_secret().
00597 { 00598 int i, k; 00599 00600 for (i=0,k=0; 00601 i<in->length; 00602 i += 8, k += 7) { 00603 uint8 bin[8], bout[8], key[7]; 00604 00605 memset(bin, 0, 8); 00606 memcpy(bin, &in->data[i], MIN(8, in->length-i)); 00607 00608 if (k + 7 > session_key->length) { 00609 k = (session_key->length - k); 00610 } 00611 memcpy(key, &session_key->data[k], 7); 00612 00613 des_crypt56(bout, bin, key, forward?1:0); 00614 00615 memcpy(&out->data[i], bout, MIN(8, in->length-i)); 00616 } 00617 }
char* decrypt_trustdom_secret | ( | const char * | pass, | |
DATA_BLOB * | data_in | |||
) |
smbencrypt.c の 627 行で定義されています。
参照先 data_blob_::data・data_blob()・data_blob_free()・E_md4hash()・data_blob_::length・mdfour()・rpcstr_pull()・sess_crypt_blob().
参照元 display_trust_dom_info_4()・vampire_trusted_domain().
00628 { 00629 DATA_BLOB data_out, sess_key; 00630 uchar nt_hash[16]; 00631 uint32_t length; 00632 uint32_t version; 00633 fstring cleartextpwd; 00634 00635 if (!data_in || !pass) 00636 return NULL; 00637 00638 /* generate md4 password-hash derived from the NT UNICODE password */ 00639 E_md4hash(pass, nt_hash); 00640 00641 /* hashed twice with md4 */ 00642 mdfour(nt_hash, nt_hash, 16); 00643 00644 /* 16-Byte session-key */ 00645 sess_key = data_blob(nt_hash, 16); 00646 if (sess_key.data == NULL) 00647 return NULL; 00648 00649 data_out = data_blob(NULL, data_in->length); 00650 if (data_out.data == NULL) 00651 return NULL; 00652 00653 /* decrypt with des3 */ 00654 sess_crypt_blob(&data_out, data_in, &sess_key, 0); 00655 00656 /* 4 Byte length, 4 Byte version */ 00657 length = IVAL(data_out.data, 0); 00658 version = IVAL(data_out.data, 4); 00659 00660 if (length > data_in->length - 8) { 00661 DEBUG(0,("decrypt_trustdom_secret: invalid length (%d)\n", length)); 00662 return NULL; 00663 } 00664 00665 if (version != 1) { 00666 DEBUG(0,("decrypt_trustdom_secret: unknown version number (%d)\n", version)); 00667 return NULL; 00668 } 00669 00670 rpcstr_pull(cleartextpwd, data_out.data + 8, sizeof(fstring), length, 0 ); 00671 00672 #ifdef DEBUG_PASSWORD 00673 DEBUG(100,("decrypt_trustdom_secret: length is: %d, version is: %d, password is: %s\n", 00674 length, version, cleartextpwd)); 00675 #endif 00676 00677 data_blob_free(&data_out); 00678 data_blob_free(&sess_key); 00679 00680 return SMB_STRDUP(cleartextpwd); 00681 00682 }