smbencrypt.c
来自「samba最新软件」· C语言 代码 · 共 541 行 · 第 1/2 页
C
541 行
#endif}void SMBsesskeygen_lm_sess_key(const uint8_t lm_hash[16], const uint8_t lm_resp[24], /* only uses 8 */ uint8_t sess_key[16]){ /* Calculate the LM session key (effective length 40 bits, but changes with each session) */ uint8_t p24[24]; uint8_t partial_lm_hash[14]; memcpy(partial_lm_hash, lm_hash, 8); memset(partial_lm_hash + 8, 0xbd, 6); des_crypt56(p24, lm_resp, partial_lm_hash, 1); des_crypt56(p24+8, lm_resp, partial_lm_hash + 7, 1); memcpy(sess_key, p24, 16);#ifdef DEBUG_PASSWORD DEBUG(100, ("SMBsesskeygen_lm_sess_key: \n")); dump_data(100, sess_key, 16);#endif}DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx, struct smb_iconv_convenience *iconv_convenience, const char *hostname, const char *domain){ DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0); msrpc_gen(mem_ctx, iconv_convenience, &names_blob, "aaa", NTLMSSP_NAME_TYPE_DOMAIN, domain, NTLMSSP_NAME_TYPE_SERVER, hostname, 0, ""); return names_blob;}static DATA_BLOB NTLMv2_generate_client_data(TALLOC_CTX *mem_ctx, const DATA_BLOB *names_blob) { uint8_t client_chal[8]; DATA_BLOB response = data_blob(NULL, 0); uint8_t long_date[8]; NTTIME nttime; unix_to_nt_time(&nttime, time(NULL)); generate_random_buffer(client_chal, sizeof(client_chal)); push_nttime(long_date, 0, nttime); /* See http://www.ubiqx.org/cifs/SMB.html#SMB.8.5 */ msrpc_gen(mem_ctx, NULL, &response, "ddbbdb", 0x00000101, /* Header */ 0, /* 'Reserved' */ long_date, 8, /* Timestamp */ client_chal, 8, /* client challenge */ 0, /* Unknown */ names_blob->data, names_blob->length); /* End of name list */ return response;}static DATA_BLOB NTLMv2_generate_response(TALLOC_CTX *out_mem_ctx, const uint8_t ntlm_v2_hash[16], const DATA_BLOB *server_chal, const DATA_BLOB *names_blob){ uint8_t ntlmv2_response[16]; DATA_BLOB ntlmv2_client_data; DATA_BLOB final_response; TALLOC_CTX *mem_ctx = talloc_named(out_mem_ctx, 0, "NTLMv2_generate_response internal context"); if (!mem_ctx) { return data_blob(NULL, 0); } /* NTLMv2 */ /* generate some data to pass into the response function - including the hostname and domain name of the server */ ntlmv2_client_data = NTLMv2_generate_client_data(mem_ctx, names_blob); /* Given that data, and the challenge from the server, generate a response */ SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &ntlmv2_client_data, ntlmv2_response); final_response = data_blob_talloc(out_mem_ctx, NULL, sizeof(ntlmv2_response) + ntlmv2_client_data.length); memcpy(final_response.data, ntlmv2_response, sizeof(ntlmv2_response)); memcpy(final_response.data+sizeof(ntlmv2_response), ntlmv2_client_data.data, ntlmv2_client_data.length); talloc_free(mem_ctx); return final_response;}static DATA_BLOB LMv2_generate_response(TALLOC_CTX *mem_ctx, const uint8_t ntlm_v2_hash[16], const DATA_BLOB *server_chal){ uint8_t lmv2_response[16]; DATA_BLOB lmv2_client_data = data_blob_talloc(mem_ctx, NULL, 8); DATA_BLOB final_response = data_blob_talloc(mem_ctx, NULL,24); /* LMv2 */ /* client-supplied random data */ generate_random_buffer(lmv2_client_data.data, lmv2_client_data.length); /* Given that data, and the challenge from the server, generate a response */ SMBOWFencrypt_ntv2(ntlm_v2_hash, server_chal, &lmv2_client_data, lmv2_response); memcpy(final_response.data, lmv2_response, sizeof(lmv2_response)); /* after the first 16 bytes is the random data we generated above, so the server can verify us with it */ memcpy(final_response.data+sizeof(lmv2_response), lmv2_client_data.data, lmv2_client_data.length); data_blob_free(&lmv2_client_data); return final_response;}bool SMBNTLMv2encrypt_hash(TALLOC_CTX *mem_ctx, const char *user, const char *domain, const uint8_t nt_hash[16], const DATA_BLOB *server_chal, const DATA_BLOB *names_blob, DATA_BLOB *lm_response, DATA_BLOB *nt_response, DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) { uint8_t ntlm_v2_hash[16]; /* We don't use the NT# directly. Instead we use it mashed up with the username and domain. This prevents username swapping during the auth exchange */ if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) { return false; } if (nt_response) { *nt_response = NTLMv2_generate_response(mem_ctx, ntlm_v2_hash, server_chal, names_blob); if (user_session_key) { *user_session_key = data_blob_talloc(mem_ctx, NULL, 16); /* The NTLMv2 calculations also provide a session key, for signing etc later */ /* use only the first 16 bytes of nt_response for session key */ SMBsesskeygen_ntv2(ntlm_v2_hash, nt_response->data, user_session_key->data); } } /* LMv2 */ if (lm_response) { *lm_response = LMv2_generate_response(mem_ctx, ntlm_v2_hash, server_chal); if (lm_session_key) { *lm_session_key = data_blob_talloc(mem_ctx, NULL, 16); /* The NTLMv2 calculations also provide a session key, for signing etc later */ /* use only the first 16 bytes of lm_response for session key */ SMBsesskeygen_ntv2(ntlm_v2_hash, lm_response->data, lm_session_key->data); } } return true;}bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx, const char *user, const char *domain, const char *password, const DATA_BLOB *server_chal, const DATA_BLOB *names_blob, DATA_BLOB *lm_response, DATA_BLOB *nt_response, DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) { uint8_t nt_hash[16]; E_md4hash(password, nt_hash); return SMBNTLMv2encrypt_hash(mem_ctx, user, domain, nt_hash, server_chal, names_blob, lm_response, nt_response, lm_session_key, user_session_key);}/*********************************************************** encode a password buffer with a unicode password. The buffer is filled with random data to make it harder to attack.************************************************************/bool encode_pw_buffer(uint8_t buffer[516], const char *password, int string_flags){ uint8_t new_pw[512]; size_t new_pw_len; /* the incoming buffer can be any alignment. */ string_flags |= STR_NOALIGN; new_pw_len = push_string(lp_iconv_convenience(global_loadparm), new_pw, password, sizeof(new_pw), string_flags); memcpy(&buffer[512 - new_pw_len], new_pw, new_pw_len); generate_random_buffer(buffer, 512 - new_pw_len); /* * The length of the new password is in the last 4 bytes of * the data buffer. */ SIVAL(buffer, 512, new_pw_len); ZERO_STRUCT(new_pw); return true;}/*********************************************************** decode a password buffer *new_pw_len is the length in bytes of the possibly mulitbyte returned password including termination.************************************************************/bool decode_pw_buffer(uint8_t in_buffer[516], char *new_pwrd, int new_pwrd_size, uint32_t *new_pw_len, int string_flags){ int byte_len=0; /* the incoming buffer can be any alignment. */ string_flags |= STR_NOALIGN; /* Warning !!! : This function is called from some rpc call. The password IN the buffer may be a UNICODE string. The password IN new_pwrd is an ASCII string If you reuse that code somewhere else check first. */ /* The length of the new password is in the last 4 bytes of the data buffer. */ byte_len = IVAL(in_buffer, 512);#ifdef DEBUG_PASSWORD dump_data(100, in_buffer, 516);#endif /* Password cannot be longer than the size of the password buffer */ if ( (byte_len < 0) || (byte_len > 512)) { return false; } /* decode into the return buffer. Buffer length supplied */ *new_pw_len = pull_string(lp_iconv_convenience(global_loadparm), new_pwrd, &in_buffer[512 - byte_len], new_pwrd_size, byte_len, string_flags);#ifdef DEBUG_PASSWORD DEBUG(100,("decode_pw_buffer: new_pwrd: ")); dump_data(100, (const uint8_t *)new_pwrd, *new_pw_len); DEBUG(100,("multibyte len:%d\n", *new_pw_len)); DEBUG(100,("original char len:%d\n", byte_len/2));#endif return true;}⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?