libsmbfs/smb/ntlm.c

10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Copyright (c) 2000-2001, Boris Popov
10023SGordon.Ross@Sun.COM * All rights reserved.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Redistribution and use in source and binary forms, with or without
10023SGordon.Ross@Sun.COM * modification, are permitted provided that the following conditions
10023SGordon.Ross@Sun.COM * are met:
10023SGordon.Ross@Sun.COM * 1. Redistributions of source code must retain the above copyright
10023SGordon.Ross@Sun.COM *    notice, this list of conditions and the following disclaimer.
10023SGordon.Ross@Sun.COM * 2. Redistributions in binary form must reproduce the above copyright
10023SGordon.Ross@Sun.COM *    notice, this list of conditions and the following disclaimer in the
10023SGordon.Ross@Sun.COM *    documentation and/or other materials provided with the distribution.
10023SGordon.Ross@Sun.COM * 3. All advertising materials mentioning features or use of this software
10023SGordon.Ross@Sun.COM *    must display the following acknowledgement:
10023SGordon.Ross@Sun.COM *    This product includes software developed by Boris Popov.
10023SGordon.Ross@Sun.COM * 4. Neither the name of the author nor the names of any co-contributors
10023SGordon.Ross@Sun.COM *    may be used to endorse or promote products derived from this software
10023SGordon.Ross@Sun.COM *    without specific prior written permission.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
10023SGordon.Ross@Sun.COM * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
10023SGordon.Ross@Sun.COM * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
10023SGordon.Ross@Sun.COM * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
10023SGordon.Ross@Sun.COM * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
10023SGordon.Ross@Sun.COM * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
10023SGordon.Ross@Sun.COM * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
10023SGordon.Ross@Sun.COM * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
10023SGordon.Ross@Sun.COM * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
10023SGordon.Ross@Sun.COM * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
10023SGordon.Ross@Sun.COM * SUCH DAMAGE.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * $Id: smb_crypt.c,v 1.13 2005/01/26 23:50:50 lindak Exp $
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
*12140SGordon.Ross@Sun.COM * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * NTLM support functions
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Some code from the driver: smb_smb.c, smb_crypt.c
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM#include <sys/errno.h>
10023SGordon.Ross@Sun.COM#include <sys/types.h>
10023SGordon.Ross@Sun.COM#include <sys/md4.h>
10023SGordon.Ross@Sun.COM#include <sys/md5.h>
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM#include <ctype.h>
10023SGordon.Ross@Sun.COM#include <stdlib.h>
10023SGordon.Ross@Sun.COM#include <strings.h>
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM#include <netsmb/smb_lib.h>
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM#include "private.h"
10023SGordon.Ross@Sun.COM#include "charsets.h"
10023SGordon.Ross@Sun.COM#include "smb_crypt.h"
10023SGordon.Ross@Sun.COM#include "ntlm.h"
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * ntlm_compute_lm_hash
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Compute an LM hash given a password
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Output:
10023SGordon.Ross@Sun.COM *	hash: 16-byte "LanMan" (LM) hash.
10023SGordon.Ross@Sun.COM * Inputs:
10023SGordon.Ross@Sun.COM *	ucpw: User's password, upper-case UTF-8 string.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Source: Implementing CIFS (Chris Hertel)
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * P14 = UCPW padded to 14-bytes, or truncated (as needed)
10023SGordon.Ross@Sun.COM * result = Encrypt(Key=P14, Data=MagicString)
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMint
10023SGordon.Ross@Sun.COMntlm_compute_lm_hash(uchar_t *hash, const char *pass)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	static const uchar_t M8[8] = "KGS!@#$%";
10023SGordon.Ross@Sun.COM	uchar_t P14[14 + 1];
10023SGordon.Ross@Sun.COM	int err;
10023SGordon.Ross@Sun.COM	char *ucpw;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* First, convert the p/w to upper case. */
10023SGordon.Ross@Sun.COM	ucpw = utf8_str_toupper(pass);
10023SGordon.Ross@Sun.COM	if (ucpw == NULL)
10023SGordon.Ross@Sun.COM		return (ENOMEM);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Pad or truncate the upper-case P/W as needed. */
10023SGordon.Ross@Sun.COM	bzero(P14, sizeof (P14));
10023SGordon.Ross@Sun.COM	(void) strncpy((char *)P14, ucpw, 14);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Compute the hash. */
10023SGordon.Ross@Sun.COM	err = smb_encrypt_DES(hash, NTLM_HASH_SZ,
10023SGordon.Ross@Sun.COM	    P14, 14, M8, 8);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	free(ucpw);
10023SGordon.Ross@Sun.COM	return (err);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * ntlm_compute_nt_hash
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Compute an NT hash given a password in UTF-8.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Output:
10023SGordon.Ross@Sun.COM *	hash: 16-byte "NT" hash.
10023SGordon.Ross@Sun.COM * Inputs:
10023SGordon.Ross@Sun.COM *	upw: User's password, mixed-case UCS-2LE.
10023SGordon.Ross@Sun.COM *	pwlen: Size (in bytes) of upw
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMint
10023SGordon.Ross@Sun.COMntlm_compute_nt_hash(uchar_t *hash, const char *pass)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	MD4_CTX ctx;
10023SGordon.Ross@Sun.COM	uint16_t *unipw = NULL;
10023SGordon.Ross@Sun.COM	int pwsz;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* First, convert the password to unicode. */
10023SGordon.Ross@Sun.COM	unipw = convert_utf8_to_leunicode(pass);
10023SGordon.Ross@Sun.COM	if (unipw == NULL)
10023SGordon.Ross@Sun.COM		return (ENOMEM);
10023SGordon.Ross@Sun.COM	pwsz = unicode_strlen(unipw) << 1;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Compute the hash. */
10023SGordon.Ross@Sun.COM	MD4Init(&ctx);
10023SGordon.Ross@Sun.COM	MD4Update(&ctx, unipw, pwsz);
10023SGordon.Ross@Sun.COM	MD4Final(hash, &ctx);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	free(unipw);
10023SGordon.Ross@Sun.COM	return (0);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * ntlm_v1_response
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Create an LM response from the given LM hash and challenge,
10023SGordon.Ross@Sun.COM * or an NTLM repsonse from a given NTLM hash and challenge.
10023SGordon.Ross@Sun.COM * Both response types are 24 bytes (NTLM_V1_RESP_SZ)
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic int
10023SGordon.Ross@Sun.COMntlm_v1_response(uchar_t *resp,
10023SGordon.Ross@Sun.COM    const uchar_t *hash,
10023SGordon.Ross@Sun.COM    const uchar_t *chal, int clen)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	uchar_t S21[21];
10023SGordon.Ross@Sun.COM	int err;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * 14-byte LM Hash should be padded with 5 nul bytes to create
10023SGordon.Ross@Sun.COM	 * a 21-byte string to be used in producing LM response
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	bzero(&S21, sizeof (S21));
10023SGordon.Ross@Sun.COM	bcopy(hash, S21, NTLM_HASH_SZ);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* padded LM Hash -> LM Response */
10023SGordon.Ross@Sun.COM	err = smb_encrypt_DES(resp, NTLM_V1_RESP_SZ,
10023SGordon.Ross@Sun.COM	    S21, 21, chal, clen);
10023SGordon.Ross@Sun.COM	return (err);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Calculate an NTLMv1 session key (16 bytes).
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic void
10023SGordon.Ross@Sun.COMntlm_v1_session_key(uchar_t *ssn_key, const uchar_t *nt_hash)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	MD4_CTX md4;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	MD4Init(&md4);
10023SGordon.Ross@Sun.COM	MD4Update(&md4, nt_hash, NTLM_HASH_SZ);
10023SGordon.Ross@Sun.COM	MD4Final(ssn_key, &md4);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Compute both the LM(v1) response and the NTLM(v1) response,
10023SGordon.Ross@Sun.COM * and put them in the mbdata chains passed.  This allocates
10023SGordon.Ross@Sun.COM * mbuf chains in the output args, which the caller frees.
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMint
10023SGordon.Ross@Sun.COMntlm_put_v1_responses(struct smb_ctx *ctx,
10023SGordon.Ross@Sun.COM	struct mbdata *lm_mbp, struct mbdata *nt_mbp)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	uchar_t *lmresp, *ntresp;
10023SGordon.Ross@Sun.COM	int err;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Get mbuf chain for the LM response. */
11332SGordon.Ross@Sun.COM	if ((err = mb_init_sz(lm_mbp, NTLM_V1_RESP_SZ)) != 0)
10023SGordon.Ross@Sun.COM		return (err);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Get mbuf chain for the NT response. */
11332SGordon.Ross@Sun.COM	if ((err = mb_init_sz(nt_mbp, NTLM_V1_RESP_SZ)) != 0)
10023SGordon.Ross@Sun.COM		return (err);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Compute the LM response, derived
10023SGordon.Ross@Sun.COM	 * from the challenge and the ASCII
10023SGordon.Ross@Sun.COM	 * password (if authflags allow).
10023SGordon.Ross@Sun.COM	 */
11332SGordon.Ross@Sun.COM	err = mb_fit(lm_mbp, NTLM_V1_RESP_SZ, (char **)&lmresp);
11332SGordon.Ross@Sun.COM	if (err)
11332SGordon.Ross@Sun.COM		return (err);
10023SGordon.Ross@Sun.COM	bzero(lmresp, NTLM_V1_RESP_SZ);
10023SGordon.Ross@Sun.COM	if (ctx->ct_authflags & SMB_AT_LM1) {
10023SGordon.Ross@Sun.COM		/* They asked to send the LM hash too. */
10023SGordon.Ross@Sun.COM		err = ntlm_v1_response(lmresp, ctx->ct_lmhash,
10023SGordon.Ross@Sun.COM		    ctx->ct_ntlm_chal, NTLM_CHAL_SZ);
10023SGordon.Ross@Sun.COM		if (err)
10023SGordon.Ross@Sun.COM			return (err);
10023SGordon.Ross@Sun.COM	}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Compute the NTLM response, derived from
10023SGordon.Ross@Sun.COM	 * the challenge and the NT hash.
10023SGordon.Ross@Sun.COM	 */
11332SGordon.Ross@Sun.COM	err = mb_fit(nt_mbp, NTLM_V1_RESP_SZ, (char **)&ntresp);
11332SGordon.Ross@Sun.COM	if (err)
11332SGordon.Ross@Sun.COM		return (err);
10023SGordon.Ross@Sun.COM	bzero(ntresp, NTLM_V1_RESP_SZ);
10023SGordon.Ross@Sun.COM	err = ntlm_v1_response(ntresp, ctx->ct_nthash,
10023SGordon.Ross@Sun.COM	    ctx->ct_ntlm_chal, NTLM_CHAL_SZ);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Compute the session key
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	ntlm_v1_session_key(ctx->ct_ssn_key, ctx->ct_nthash);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	return (err);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * A variation on HMAC-MD5 known as HMACT64 is used by Windows systems.
10023SGordon.Ross@Sun.COM * The HMACT64() function is the same as the HMAC-MD5() except that
10023SGordon.Ross@Sun.COM * it truncates the input key to 64 bytes rather than hashing it down
10023SGordon.Ross@Sun.COM * to 16 bytes using the MD5() function.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Output: digest (16-bytes)
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic void
10023SGordon.Ross@Sun.COMHMACT64(uchar_t *digest,
10023SGordon.Ross@Sun.COM    const uchar_t *key, size_t key_len,
10023SGordon.Ross@Sun.COM    const uchar_t *data, size_t data_len)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	MD5_CTX context;
10023SGordon.Ross@Sun.COM	uchar_t k_ipad[64];	/* inner padding - key XORd with ipad */
10023SGordon.Ross@Sun.COM	uchar_t k_opad[64];	/* outer padding - key XORd with opad */
10023SGordon.Ross@Sun.COM	int i;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* if key is longer than 64 bytes use only the first 64 bytes */
10023SGordon.Ross@Sun.COM	if (key_len > 64)
10023SGordon.Ross@Sun.COM		key_len = 64;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * The HMAC-MD5 (and HMACT64) transform looks like:
10023SGordon.Ross@Sun.COM	 *
10023SGordon.Ross@Sun.COM	 * MD5(K XOR opad, MD5(K XOR ipad, data))
10023SGordon.Ross@Sun.COM	 *
10023SGordon.Ross@Sun.COM	 * where K is an n byte key
10023SGordon.Ross@Sun.COM	 * ipad is the byte 0x36 repeated 64 times
10023SGordon.Ross@Sun.COM	 * opad is the byte 0x5c repeated 64 times
10023SGordon.Ross@Sun.COM	 * and data is the data being protected.
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* start out by storing key in pads */
10023SGordon.Ross@Sun.COM	bzero(k_ipad, sizeof (k_ipad));
10023SGordon.Ross@Sun.COM	bzero(k_opad, sizeof (k_opad));
10023SGordon.Ross@Sun.COM	bcopy(key, k_ipad, key_len);
10023SGordon.Ross@Sun.COM	bcopy(key, k_opad, key_len);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* XOR key with ipad and opad values */
10023SGordon.Ross@Sun.COM	for (i = 0; i < 64; i++) {
10023SGordon.Ross@Sun.COM		k_ipad[i] ^= 0x36;
10023SGordon.Ross@Sun.COM		k_opad[i] ^= 0x5c;
10023SGordon.Ross@Sun.COM	}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * perform inner MD5
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	MD5Init(&context);			/* init context for 1st pass */
10023SGordon.Ross@Sun.COM	MD5Update(&context, k_ipad, 64);	/* start with inner pad */
10023SGordon.Ross@Sun.COM	MD5Update(&context, data, data_len);	/* then data of datagram */
10023SGordon.Ross@Sun.COM	MD5Final(digest, &context);		/* finish up 1st pass */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * perform outer MD5
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	MD5Init(&context);			/* init context for 2nd pass */
10023SGordon.Ross@Sun.COM	MD5Update(&context, k_opad, 64);	/* start with outer pad */
10023SGordon.Ross@Sun.COM	MD5Update(&context, digest, 16);	/* then results of 1st hash */
10023SGordon.Ross@Sun.COM	MD5Final(digest, &context);		/* finish up 2nd pass */
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Compute an NTLMv2 hash given the NTLMv1 hash, the user name,
10023SGordon.Ross@Sun.COM * and the destination (machine or domain name).
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Output:
10023SGordon.Ross@Sun.COM *	v2hash: 16-byte NTLMv2 hash.
10023SGordon.Ross@Sun.COM * Inputs:
10023SGordon.Ross@Sun.COM *	v1hash: 16-byte NTLMv1 hash.
10023SGordon.Ross@Sun.COM *	user: User name, UPPER-case UTF-8 string.
10023SGordon.Ross@Sun.COM *	destination: Domain or server, MIXED-case UTF-8 string.
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic int
10023SGordon.Ross@Sun.COMntlm_v2_hash(uchar_t *v2hash, const uchar_t *v1hash,
10023SGordon.Ross@Sun.COM    const char *user, const char *destination)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	int ulen, dlen;
10023SGordon.Ross@Sun.COM	size_t ucs2len;
10023SGordon.Ross@Sun.COM	uint16_t *ucs2data = NULL;
10023SGordon.Ross@Sun.COM	char *utf8data = NULL;
10023SGordon.Ross@Sun.COM	int err = ENOMEM;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * v2hash = HMACT64(v1hash, 16, concat(upcase(user), dest))
10023SGordon.Ross@Sun.COM	 * where "dest" is the domain or server name ("target name")
10023SGordon.Ross@Sun.COM	 * Note: user name is converted to upper-case by the caller.
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* utf8data = concat(user, dest) */
10023SGordon.Ross@Sun.COM	ulen = strlen(user);
10023SGordon.Ross@Sun.COM	dlen = strlen(destination);
10023SGordon.Ross@Sun.COM	utf8data = malloc(ulen + dlen + 1);
10023SGordon.Ross@Sun.COM	if (utf8data == NULL)
10023SGordon.Ross@Sun.COM		goto out;
10023SGordon.Ross@Sun.COM	bcopy(user, utf8data, ulen);
10023SGordon.Ross@Sun.COM	bcopy(destination, utf8data + ulen, dlen + 1);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Convert to UCS-2LE */
10023SGordon.Ross@Sun.COM	ucs2data = convert_utf8_to_leunicode(utf8data);
10023SGordon.Ross@Sun.COM	if (ucs2data == NULL)
10023SGordon.Ross@Sun.COM		goto out;
10023SGordon.Ross@Sun.COM	ucs2len = 2 * unicode_strlen(ucs2data);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	HMACT64(v2hash, v1hash, NTLM_HASH_SZ,
10023SGordon.Ross@Sun.COM	    (uchar_t *)ucs2data, ucs2len);
10023SGordon.Ross@Sun.COM	err = 0;
10023SGordon.Ross@Sun.COMout:
10023SGordon.Ross@Sun.COM	if (ucs2data)
10023SGordon.Ross@Sun.COM		free(ucs2data);
10023SGordon.Ross@Sun.COM	if (utf8data)
10023SGordon.Ross@Sun.COM		free(utf8data);
10023SGordon.Ross@Sun.COM	return (err);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Compute a partial LMv2 or NTLMv2 response (first 16-bytes).
10023SGordon.Ross@Sun.COM * The full response is composed by the caller by
10023SGordon.Ross@Sun.COM * appending the client_data to the returned hash.
10023SGordon.Ross@Sun.COM *
10023SGordon.Ross@Sun.COM * Output:
10023SGordon.Ross@Sun.COM *	rhash: _partial_ LMv2/NTLMv2 response (first 16-bytes)
10023SGordon.Ross@Sun.COM * Inputs:
10023SGordon.Ross@Sun.COM *	v2hash: 16-byte NTLMv2 hash.
10023SGordon.Ross@Sun.COM *	C8: Challenge from server (8 bytes)
10023SGordon.Ross@Sun.COM *	client_data: client nonce (for LMv2) or the
10023SGordon.Ross@Sun.COM *	  "blob" from ntlm_build_target_info (NTLMv2)
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic int
10023SGordon.Ross@Sun.COMntlm_v2_resp_hash(uchar_t *rhash,
10023SGordon.Ross@Sun.COM    const uchar_t *v2hash, const uchar_t *C8,
10023SGordon.Ross@Sun.COM    const uchar_t *client_data, size_t cdlen)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	size_t dlen;
10023SGordon.Ross@Sun.COM	uchar_t *data = NULL;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* data = concat(C8, client_data) */
10023SGordon.Ross@Sun.COM	dlen = 8 + cdlen;
10023SGordon.Ross@Sun.COM	data = malloc(dlen);
10023SGordon.Ross@Sun.COM	if (data == NULL)
10023SGordon.Ross@Sun.COM		return (ENOMEM);
10023SGordon.Ross@Sun.COM	bcopy(C8, data, 8);
10023SGordon.Ross@Sun.COM	bcopy(client_data, data + 8, cdlen);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	HMACT64(rhash, v2hash, NTLM_HASH_SZ, data, dlen);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	free(data);
10023SGordon.Ross@Sun.COM	return (0);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Calculate an NTLMv2 session key (16 bytes).
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic void
10023SGordon.Ross@Sun.COMntlm_v2_session_key(uchar_t *ssn_key,
10023SGordon.Ross@Sun.COM	const uchar_t *v2hash,
10023SGordon.Ross@Sun.COM	const uchar_t *ntresp)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* session key uses only 1st 16 bytes of ntresp */
10023SGordon.Ross@Sun.COM	HMACT64(ssn_key, v2hash, NTLM_HASH_SZ, ntresp, NTLM_HASH_SZ);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Compute both the LMv2 response and the NTLMv2 response,
10023SGordon.Ross@Sun.COM * and put them in the mbdata chains passed.  This allocates
10023SGordon.Ross@Sun.COM * mbuf chains in the output args, which the caller frees.
10023SGordon.Ross@Sun.COM * Also computes the session key.
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMint
10023SGordon.Ross@Sun.COMntlm_put_v2_responses(struct smb_ctx *ctx, struct mbdata *ti_mbp,
10023SGordon.Ross@Sun.COM	struct mbdata *lm_mbp, struct mbdata *nt_mbp)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	uchar_t *lmresp, *ntresp;
10023SGordon.Ross@Sun.COM	int err;
*12140SGordon.Ross@Sun.COM	char *ucuser = NULL;	/* upper-case user name */
10023SGordon.Ross@Sun.COM	uchar_t v2hash[NTLM_HASH_SZ];
10023SGordon.Ross@Sun.COM	struct mbuf *tim = ti_mbp->mb_top;
10023SGordon.Ross@Sun.COM
11332SGordon.Ross@Sun.COM	if ((err = mb_init(lm_mbp)) != 0)
10023SGordon.Ross@Sun.COM		return (err);
11332SGordon.Ross@Sun.COM	if ((err = mb_init(nt_mbp)) != 0)
10023SGordon.Ross@Sun.COM		return (err);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Convert the user name to upper-case, as
10023SGordon.Ross@Sun.COM	 * that's what's used when computing LMv2
*12140SGordon.Ross@Sun.COM	 * and NTLMv2 responses.  Note that the
*12140SGordon.Ross@Sun.COM	 * domain name is NOT upper-cased!
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	ucuser = utf8_str_toupper(ctx->ct_user);
*12140SGordon.Ross@Sun.COM	if (ucuser == NULL) {
10023SGordon.Ross@Sun.COM		err = ENOMEM;
10023SGordon.Ross@Sun.COM		goto out;
10023SGordon.Ross@Sun.COM	}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
*12140SGordon.Ross@Sun.COM	 * Compute the NTLMv2 hash
10023SGordon.Ross@Sun.COM	 */
*12140SGordon.Ross@Sun.COM	err = ntlm_v2_hash(v2hash, ctx->ct_nthash,
*12140SGordon.Ross@Sun.COM	    ucuser, ctx->ct_domain);
10023SGordon.Ross@Sun.COM	if (err)
10023SGordon.Ross@Sun.COM		goto out;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Compute the LMv2 response, derived from
10023SGordon.Ross@Sun.COM	 * the v2hash, the server challenge, and
10023SGordon.Ross@Sun.COM	 * the client nonce (random bits).
10023SGordon.Ross@Sun.COM	 *
10023SGordon.Ross@Sun.COM	 * We compose it from two parts:
10023SGordon.Ross@Sun.COM	 *	1: 16-byte response hash
10023SGordon.Ross@Sun.COM	 *	2: Client nonce
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	lmresp = (uchar_t *)lm_mbp->mb_pos;
11332SGordon.Ross@Sun.COM	mb_put_mem(lm_mbp, NULL, NTLM_HASH_SZ, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM	err = ntlm_v2_resp_hash(lmresp,
10023SGordon.Ross@Sun.COM	    v2hash, ctx->ct_ntlm_chal,
10023SGordon.Ross@Sun.COM	    ctx->ct_clnonce, NTLM_CHAL_SZ);
10023SGordon.Ross@Sun.COM	if (err)
10023SGordon.Ross@Sun.COM		goto out;
11332SGordon.Ross@Sun.COM	mb_put_mem(lm_mbp, ctx->ct_clnonce, NTLM_CHAL_SZ, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Compute the NTLMv2 response, derived
10023SGordon.Ross@Sun.COM	 * from the server challenge and the
10023SGordon.Ross@Sun.COM	 * "target info." blob passed in.
10023SGordon.Ross@Sun.COM	 *
10023SGordon.Ross@Sun.COM	 * Again composed from two parts:
10023SGordon.Ross@Sun.COM	 *	1: 16-byte response hash
10023SGordon.Ross@Sun.COM	 *	2: "target info." blob
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	ntresp = (uchar_t *)nt_mbp->mb_pos;
11332SGordon.Ross@Sun.COM	mb_put_mem(nt_mbp, NULL, NTLM_HASH_SZ, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM	err = ntlm_v2_resp_hash(ntresp,
10023SGordon.Ross@Sun.COM	    v2hash, ctx->ct_ntlm_chal,
10023SGordon.Ross@Sun.COM	    (uchar_t *)tim->m_data, tim->m_len);
10023SGordon.Ross@Sun.COM	if (err)
10023SGordon.Ross@Sun.COM		goto out;
11332SGordon.Ross@Sun.COM	mb_put_mem(nt_mbp, tim->m_data, tim->m_len, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Compute the session key
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	ntlm_v2_session_key(ctx->ct_ssn_key, v2hash, ntresp);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COMout:
10023SGordon.Ross@Sun.COM	if (err) {
10023SGordon.Ross@Sun.COM		mb_done(lm_mbp);
10023SGordon.Ross@Sun.COM		mb_done(nt_mbp);
10023SGordon.Ross@Sun.COM	}
10023SGordon.Ross@Sun.COM	free(ucuser);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	return (err);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Helper for ntlm_build_target_info below.
10023SGordon.Ross@Sun.COM * Put a name in the NTLMv2 "target info." blob.
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMstatic void
10023SGordon.Ross@Sun.COMsmb_put_blob_name(struct mbdata *mbp, char *name, int type)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	uint16_t *ucs = NULL;
10023SGordon.Ross@Sun.COM	int nlen;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	if (name)
10023SGordon.Ross@Sun.COM		ucs = convert_utf8_to_leunicode(name);
10023SGordon.Ross@Sun.COM	if (ucs)
10023SGordon.Ross@Sun.COM		nlen = unicode_strlen(ucs);
10023SGordon.Ross@Sun.COM	else
10023SGordon.Ross@Sun.COM		nlen = 0;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	nlen <<= 1;	/* length in bytes, without null. */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	mb_put_uint16le(mbp, type);
10023SGordon.Ross@Sun.COM	mb_put_uint16le(mbp, nlen);
11332SGordon.Ross@Sun.COM	mb_put_mem(mbp, (char *)ucs, nlen, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	if (ucs)
10023SGordon.Ross@Sun.COM		free(ucs);
10023SGordon.Ross@Sun.COM}
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM/*
10023SGordon.Ross@Sun.COM * Build an NTLMv2 "target info." blob.  When called from NTLMSSP,
10023SGordon.Ross@Sun.COM * the list of names comes from the Type 2 message.  Otherwise,
10023SGordon.Ross@Sun.COM * we create the name list here.
10023SGordon.Ross@Sun.COM */
10023SGordon.Ross@Sun.COMint
10023SGordon.Ross@Sun.COMntlm_build_target_info(struct smb_ctx *ctx, struct mbuf *names,
10023SGordon.Ross@Sun.COM	struct mbdata *mbp)
10023SGordon.Ross@Sun.COM{
10023SGordon.Ross@Sun.COM	struct timeval now;
10023SGordon.Ross@Sun.COM	uint64_t nt_time;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	char *ucdom = NULL;	/* user's domain */
10023SGordon.Ross@Sun.COM	int err;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/* Get mbuf chain for the "target info". */
11332SGordon.Ross@Sun.COM	if ((err = mb_init(mbp)) != 0)
10023SGordon.Ross@Sun.COM		return (err);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Construct the client nonce by getting
10023SGordon.Ross@Sun.COM	 * some random data from /dev/urandom
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	err = smb_get_urandom(ctx->ct_clnonce, NTLM_CHAL_SZ);
10023SGordon.Ross@Sun.COM	if (err)
10023SGordon.Ross@Sun.COM		goto out;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Get the "NT time" for the target info header.
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	(void) gettimeofday(&now, 0);
10023SGordon.Ross@Sun.COM	smb_time_local2NT(&now, 0, &nt_time);
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Build the "target info." block.
10023SGordon.Ross@Sun.COM	 *
10023SGordon.Ross@Sun.COM	 * Based on information at:
10023SGordon.Ross@Sun.COM	 * http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response
10023SGordon.Ross@Sun.COM	 *
10023SGordon.Ross@Sun.COM	 * First the fixed-size part.
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	mb_put_uint32le(mbp, 0x101);	/* Blob signature */
10023SGordon.Ross@Sun.COM	mb_put_uint32le(mbp, 0);		/* reserved */
10023SGordon.Ross@Sun.COM	mb_put_uint64le(mbp, nt_time);	/* NT time stamp */
11332SGordon.Ross@Sun.COM	mb_put_mem(mbp, ctx->ct_clnonce, NTLM_CHAL_SZ, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM	mb_put_uint32le(mbp, 0);		/* unknown */
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COM	/*
10023SGordon.Ross@Sun.COM	 * Now put the list of names, either from the
10023SGordon.Ross@Sun.COM	 * NTLMSSP Type 2 message or composed here.
10023SGordon.Ross@Sun.COM	 */
10023SGordon.Ross@Sun.COM	if (names) {
11332SGordon.Ross@Sun.COM		err = mb_put_mem(mbp, names->m_data, names->m_len, MB_MSYSTEM);
10023SGordon.Ross@Sun.COM	} else {
10023SGordon.Ross@Sun.COM		/* Get upper-case names. */
10023SGordon.Ross@Sun.COM		ucdom  = utf8_str_toupper(ctx->ct_domain);
10023SGordon.Ross@Sun.COM		if (ucdom == NULL) {
10023SGordon.Ross@Sun.COM			err = ENOMEM;
10023SGordon.Ross@Sun.COM			goto out;
10023SGordon.Ross@Sun.COM		}
10023SGordon.Ross@Sun.COM		smb_put_blob_name(mbp, ucdom, NAMETYPE_DOMAIN_NB);
10023SGordon.Ross@Sun.COM		smb_put_blob_name(mbp, NULL, NAMETYPE_EOL);
10023SGordon.Ross@Sun.COM		/* OK, that's the whole "target info." blob! */
10023SGordon.Ross@Sun.COM	}
10023SGordon.Ross@Sun.COM	err = 0;
10023SGordon.Ross@Sun.COM
10023SGordon.Ross@Sun.COMout:
10023SGordon.Ross@Sun.COM	free(ucdom);
10023SGordon.Ross@Sun.COM	return (err);
10023SGordon.Ross@Sun.COM}