1 /* Copyright (C) 2010-2021 Greenbone Networks GmbH
2  *
3  * SPDX-License-Identifier: GPL-2.0-or-later
4  *
5  * This program is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU General Public License
7  * as published by the Free Software Foundation; either version 2
8  * of the License, or (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  */
19 
20 /**
21  * @file ntlmssp.c
22  * @brief Functions to support Authentication(type3 message) for NTLMSSP
23  * (NTLMv2, NTLM2, NTLM, KEY GEN)
24  */
25 
26 #include "ntlmssp.h"
27 
28 #include <glib.h>
29 
/* NTLMSSP negotiate flag (MS-NLMP NTLMSSP_NEGOTIATE_LM_KEY). When set in the
 * negotiated flags, ntlmssp_genauth_ntlm() derives the session key from the
 * LM hash / LM response instead of from the NT hash. */
#define NTLMSSP_NEGOTIATE_LM_KEY 0x00000080
31 
/**
 * @brief Build the NTLMv2 type-3 authentication material for one account.
 *
 * Thin forwarding wrapper: every output buffer is filled by
 * SMBNTLMv2encrypt_hash_ntlmssp(); nothing is computed here.
 *
 * @param[in]  user              Account name.
 * @param[in]  domain            Account domain.
 * @param[in]  address_list      Target address list taken from the type-2
 *                               message (opaque here, passed through).
 * @param[in]  address_list_len  Length of @p address_list in bytes.
 * @param[in]  challenge_data    Server challenge from the type-2 message.
 * @param[out] lm_response       Receives the LMv2 response.
 * @param[out] nt_response       Receives the NTv2 response.
 * @param[out] session_key       Receives the derived session key.
 * @param[in]  ntlmv2_hash       Pre-computed NTLMv2 hash of the account;
 *                               secret key material.
 *
 * Buffer sizes are whatever SMBNTLMv2encrypt_hash_ntlmssp() expects; they
 * are not validated here.
 */
void
ntlmssp_genauth_ntlmv2 (char *user, char *domain, char *address_list,
                        int address_list_len, char *challenge_data,
                        uint8_t *lm_response, uint8_t *nt_response,
                        uint8_t *session_key, unsigned char *ntlmv2_hash)
{
  /* Note the callee's argument order: the hash comes before the challenge
   * and the address list, unlike in this prototype. */
  SMBNTLMv2encrypt_hash_ntlmssp (user,
                                 domain,
                                 ntlmv2_hash,
                                 challenge_data,
                                 address_list,
                                 address_list_len,
                                 lm_response,
                                 nt_response,
                                 session_key);
}
42 
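/**
 * @brief Build NTLM2 session-security (type-3) responses and session key.
 *
 * Layout produced here:
 *  - lm_response: 8 random client-nonce bytes followed by 16 zero bytes
 *    (24 bytes written).
 *  - nt_response: NT response computed by SMBNTencrypt_hash_ntlmssp()
 *    against MD5 (server challenge[0..7] || client nonce).
 *  - session_key: HMAC-MD5 keyed by the NTv1 user session key (derived from
 *    @p nt_hash by SMBsesskeygen_ntv1_ntlmssp()) over the 16-byte
 *    challenge || nonce pair.
 *
 * @param[in]  password        Unused: NTLM2 session security does not involve
 *                             the LM hash. Kept for interface compatibility.
 * @param[in]  pass_len        Unused (see @p password).
 * @param[out] lm_response     Receives 24 bytes (nonce + zero padding).
 * @param[out] nt_response     Receives the NT response.
 * @param[out] session_key     Receives the HMAC-MD5 session key.
 * @param[in]  challenge_data  Server challenge; only the first 8 bytes are
 *                             read.
 * @param[in]  nt_hash         NT password hash; secret key material.
 */
void
ntlmssp_genauth_ntlm2 (char *password, uint8_t pass_len, uint8_t *lm_response,
                       uint8_t *nt_response, uint8_t *session_key,
                       char *challenge_data, unsigned char *nt_hash)
{
  struct MD5Context md5_session_nonce_ctx;
  uchar session_nonce_hash[16];
  uchar session_nonce[16];
  uchar user_session_key[16];

  /* The DES-based LM hash of the password used to be computed into a local
   * here and then never read; that dead derivation of password-equivalent
   * material is dropped, so the password is not touched at all. */
  (void) password;
  (void) pass_len;

  /* LM response: 8-byte client nonce, then 16 zero bytes. */
  generate_random_buffer_ntlmssp (lm_response, 8);
  memset (lm_response + 8, 0, 16);

  /* session_nonce = server challenge (8 bytes) || client nonce (8 bytes). */
  memcpy (session_nonce, challenge_data, 8);
  memcpy (&session_nonce[8], lm_response, 8);

  /* MD5 over the same two halves; this digest replaces the raw challenge as
   * the input to the NT response. */
  MD5Init (&md5_session_nonce_ctx);
  MD5Update (&md5_session_nonce_ctx, (unsigned char const *) challenge_data, 8);
  MD5Update (&md5_session_nonce_ctx, (unsigned char const *) lm_response, 8);
  MD5Final (session_nonce_hash, &md5_session_nonce_ctx);

  SMBNTencrypt_hash_ntlmssp (nt_hash, session_nonce_hash, nt_response);

  /* Session key: HMAC-MD5 keyed by the NTv1 user session key over the nonce
   * pair. NOTE(review): user_session_key is key material and is left on the
   * stack after return; no portable secure-wipe primitive is in scope here. */
  SMBsesskeygen_ntv1_ntlmssp (nt_hash, NULL, user_session_key);
  hmac_md5 (user_session_key, session_nonce, sizeof (session_nonce),
            session_key);
}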
73 
/**
 * @brief Build classic NTLM (v1) type-3 responses and a session key.
 *
 * @param[in]  password        Account password; DES-hashed into the LM hash
 *                             by E_deshash_ntlmssp().
 * @param[in]  pass_len        Length of @p password in bytes.
 * @param[out] lm_response     Receives the LM response
 *                             (SMBencrypt_hash_ntlmssp()).
 * @param[out] nt_response     Receives the NT response
 *                             (SMBNTencrypt_hash_ntlmssp()).
 * @param[out] session_key     Receives the session key; its derivation is
 *                             selected by @p neg_flags.
 * @param[in]  challenge_data  Server challenge.
 * @param[in]  nt_hash         NT password hash; secret key material.
 * @param[in]  neg_flags       Negotiated NTLMSSP flags; only
 *                             NTLMSSP_NEGOTIATE_LM_KEY is consulted.
 *
 * The local LM hash is password-equivalent material and is not wiped before
 * return.
 */
void
ntlmssp_genauth_ntlm (char *password, uint8_t pass_len, uint8_t *lm_response,
                      uint8_t *nt_response, uint8_t *session_key,
                      char *challenge_data, unsigned char *nt_hash,
                      int neg_flags)
{
  unsigned char lm_hash[16];
  uchar *challenge = (uchar *) challenge_data;
  int wants_lm_key = (neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) != 0;

  /* LM hash of the password: needed for the LM response, and for the
   * session key when the peer negotiated the LM key. */
  E_deshash_ntlmssp (password, pass_len, lm_hash);

  SMBencrypt_hash_ntlmssp (lm_hash, challenge, lm_response);
  SMBNTencrypt_hash_ntlmssp (nt_hash, challenge, nt_response);

  /* Session key: LM-derived if requested, NTv1-derived otherwise. */
  if (wants_lm_key)
    {
      SMBsesskeygen_lm_sess_key_ntlmssp (lm_hash, lm_response, session_key);
    }
  else
    {
      SMBsesskeygen_ntv1_ntlmssp (nt_hash, NULL, session_key);
    }
}
97 
/**
 * @brief Generate a fresh client session key for NTLMSSP key exchange.
 *
 * Draws 16 random bytes, hands the plaintext back through @p new_sess_key,
 * and returns a heap copy encrypted with SamOEMhash() under the current
 * @p session_key for transmission in the type-3 message.
 *
 * @param[in]  session_key     Current session key used to encrypt the new one.
 * @param[in]  challenge_data  Unused.
 * @param[in]  nt_hash         Unused.
 * @param[out] new_sess_key    Receives the 16 plaintext key bytes.
 *
 * @return Newly allocated 16-byte buffer holding the encrypted key. The
 *         caller owns it and must release it with g_free().
 *
 * The plaintext key also lives in a local that is not wiped before return.
 */
uint8_t *
ntlmssp_genauth_keyexchg (uint8_t *session_key, char *challenge_data,
                          unsigned char *nt_hash, uint8_t *new_sess_key)
{
  enum { KEY_LEN = 16 };
  uint8_t fresh_key[KEY_LEN];
  uint8_t *wire_key;

  (void) challenge_data;
  (void) nt_hash;

  generate_random_buffer_ntlmssp (fresh_key, sizeof fresh_key);

  /* Heap copy encrypted in place under the current session key. */
  wire_key = g_malloc0 (KEY_LEN);
  memcpy (wire_key, fresh_key, KEY_LEN);
  SamOEMhash (wire_key, session_key, KEY_LEN);

  /* Plaintext copy for the caller's own use. */
  memcpy (new_sess_key, fresh_key, KEY_LEN);

  return wire_key;
}
119