1 #include "lmhash.h"
2
3 #include <stddef.h>
4 #include <stdint.h>
5
6 /* ========================================================================== **
7 *
8 * LMhash.h
9 *
10 * Copyright:
11 * Copyright (C) 2004 by Christopher R. Hertel
12 *
13 * Email: crh@ubiqx.mn.org
14 *
15 * $Id: LMhash.h,v 0.1 2004/05/30 02:26:31 crh Exp $
16 *
17 * -------------------------------------------------------------------------- **
18 *
19 * Description:
20 *
21 * Implemention of the LAN Manager hash (LM hash) and LM response
22 * algorithms.
23 *
24 * -------------------------------------------------------------------------- **
25 *
26 * License:
27 *
28 * This library is free software; you can redistribute it and/or
29 * modify it under the terms of the GNU Lesser General Public
30 * License as published by the Free Software Foundation; either
31 * version 2.1 of the License, or (at your option) any later version.
32 *
33 * This library is distributed in the hope that it will be useful,
34 * but WITHOUT ANY WARRANTY; without even the implied warranty of
35 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
36 * Lesser General Public License for more details.
37 *
38 * You should have received a copy of the GNU Lesser General Public
39 * License along with this library; if not, write to the Free Software
40 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
41 *
42 * -------------------------------------------------------------------------- **
43 *
44 * Notes:
45 *
46 * This module implements the LM hash. The NT hash is simply the MD4() of
47 * the password, so we don't need a separate implementation of that. This
48 * module also implements the LM response, which can be combined with the
49 * NT hash to produce the NTLM response.
50 *
51 * This implementation was created based on the description in my own book.
52 * The book description was, in turn, written after studying many existing
53 * examples in various documentation. Jeremy Allison and Andrew Tridgell
54 * deserve lots of credit for having figured out the secrets of Lan Manager
55 * authentication many years ago.
56 *
57 * See:
58 * Implementing CIFS - the Common Internet File System
59 * by your truly. ISBN 0-13-047116-X, Prentice Hall PTR., August 2003
60 * Section 15.3, in particular.
61 * (Online at: http://ubiqx.org/cifs/SMB.html#SMB.8.3)
62 *
63 * ========================================================================== **
64 */
65
66
67 /* Initial permutation map.
68 * In the first step of DES, the bits of the initial plaintext are rearranged
69 * according to the map given below. This map and those like it are read by
70 * the Permute() function (below) which uses the maps as a guide when moving
71 * bits from one place to another.
72 *
73 * Note that the values here are all one less than those shown in Schneier.
74 * That's because C likes to start counting from 0, not 1.
75 *
76 * According to Schneier (Ch12, pg 271), the purpose of the initial
77 * permutation was to make it easier to load plaintext and ciphertext into
78 * a DES ecryption chip. I have no idea why that would be the case.
79 */
80 static const uint8_t InitialPermuteMap[64] =
81 {
82 57, 49, 41, 33, 25, 17, 9, 1,
83 59, 51, 43, 35, 27, 19, 11, 3,
84 61, 53, 45, 37, 29, 21, 13, 5,
85 63, 55, 47, 39, 31, 23, 15, 7,
86 56, 48, 40, 32, 24, 16, 8, 0,
87 58, 50, 42, 34, 26, 18, 10, 2,
88 60, 52, 44, 36, 28, 20, 12, 4,
89 62, 54, 46, 38, 30, 22, 14, 6
90 };
91
92
93 /* Key permutation map.
94 * Like the input data and encryption result, the key is permuted before
95 * the algorithm really gets going. The original algorithm called for an
96 * eight-byte key in which each byte contained a parity bit. During the
97 * key permutiation, the parity bits were discarded. The DES algorithm,
98 * as used with SMB, does not make use of the parity bits. Instead, SMB
99 * passes 7-byte keys to DES. For DES implementations that expect parity,
100 * the parity bits must be added. In this case, however, we're just going
101 * to start with a 7-byte (56 bit) key. KeyPermuteMap, below, is adjusted
102 * accordingly and, of course, each entry in the map is reduced by 1 with
103 * respect to the documented values because C likes to start counting from
104 * 0, not 1.
105 */
106 static const uint8_t KeyPermuteMap[56] =
107 {
108 49, 42, 35, 28, 21, 14, 7, 0,
109 50, 43, 36, 29, 22, 15, 8, 1,
110 51, 44, 37, 30, 23, 16, 9, 2,
111 52, 45, 38, 31, 55, 48, 41, 34,
112 27, 20, 13, 6, 54, 47, 40, 33,
113 26, 19, 12, 5, 53, 46, 39, 32,
114 25, 18, 11, 4, 24, 17, 10, 3,
115 };
116
117
118 /* Key rotation table.
119 * At the start of each round of encryption, the key is split and each
120 * 28-bit half is rotated left. The number of bits of rotation per round
121 * is given in the table below.
122 */
123 static const uint8_t KeyRotation[16] =
124 { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 };
125
126
127 /* Key compression table.
128 * This table is used to select 48 of the 56 bits of the key.
129 * The left and right halves of the source text are each 32 bits,
130 * but they are expanded to 48 bits and the results are XOR'd
131 * against the compressed (48-bit) key.
132 */
133 static const uint8_t KeyCompression[48] =
134 {
135 13, 16, 10, 23, 0, 4, 2, 27,
136 14, 5, 20, 9, 22, 18, 11, 3,
137 25, 7, 15, 6, 26, 19, 12, 1,
138 40, 51, 30, 36, 46, 54, 29, 39,
139 50, 44, 32, 47, 43, 48, 38, 55,
140 33, 52, 45, 41, 49, 35, 28, 31
141 };
142
143
144 /* Data expansion table.
145 * This table is used after the data block (64-bits) has been split
146 * into two 32-bit (4-byte) halves (generally denoted L and R).
147 * Each 32-bit half is "expanded", using this table, to a 48 bit
148 * data block, which is then XOR'd with the 48 bit subkey for the
149 * round.
150 */
151 static const uint8_t DataExpansion[48] =
152 {
153 31, 0, 1, 2, 3, 4, 3, 4,
154 5, 6, 7, 8, 7, 8, 9, 10,
155 11, 12, 11, 12, 13, 14, 15, 16,
156 15, 16, 17, 18, 19, 20, 19, 20,
157 21, 22, 23, 24, 23, 24, 25, 26,
158 27, 28, 27, 28, 29, 30, 31, 0
159 };
160
161
162 /* The (in)famous S-boxes.
163 * These are used to perform substitutions.
164 * Six bits worth of input will return four bits of output.
165 * The four bit values are stored in these tables. Each table has
166 * 64 entries...and 6 bits provides a number between 0 and 63.
167 * There are eight S-boxes, one per 6 bits of a 48-bit value.
168 * Thus, 48 bits are reduced to 32 bits. Obviously, this step
169 * follows the DataExpansion step.
170 *
171 * Note that the literature generally shows this as 8 arrays each
172 * with four rows and 16 colums. There is a complex formula for
173 * mapping the 6 bit input values to the correct row and column.
174 * I've pre-computed that mapping, and the tables below provide
175 * direct 6-bit input to 4-bit output. See pp 274-274 in Schneier.
176 */
177 static const uint8_t SBox[8][64] =
178 {
179 { /* S0 */
180 14, 0, 4, 15, 13, 7, 1, 4, 2, 14, 15, 2, 11, 13, 8, 1,
181 3, 10, 10, 6, 6, 12, 12, 11, 5, 9, 9, 5, 0, 3, 7, 8,
182 4, 15, 1, 12, 14, 8, 8, 2, 13, 4, 6, 9, 2, 1, 11, 7,
183 15, 5, 12, 11, 9, 3, 7, 14, 3, 10, 10, 0, 5, 6, 0, 13
184 },
185 { /* S1 */
186 15, 3, 1, 13, 8, 4, 14, 7, 6, 15, 11, 2, 3, 8, 4, 14,
187 9, 12, 7, 0, 2, 1, 13, 10, 12, 6, 0, 9, 5, 11, 10, 5,
188 0, 13, 14, 8, 7, 10, 11, 1, 10, 3, 4, 15, 13, 4, 1, 2,
189 5, 11, 8, 6, 12, 7, 6, 12, 9, 0, 3, 5, 2, 14, 15, 9
190 },
191 { /* S2 */
192 10, 13, 0, 7, 9, 0, 14, 9, 6, 3, 3, 4, 15, 6, 5, 10,
193 1, 2, 13, 8, 12, 5, 7, 14, 11, 12, 4, 11, 2, 15, 8, 1,
194 13, 1, 6, 10, 4, 13, 9, 0, 8, 6, 15, 9, 3, 8, 0, 7,
195 11, 4, 1, 15, 2, 14, 12, 3, 5, 11, 10, 5, 14, 2, 7, 12
196 },
197 { /* S3 */
198 7, 13, 13, 8, 14, 11, 3, 5, 0, 6, 6, 15, 9, 0, 10, 3,
199 1, 4, 2, 7, 8, 2, 5, 12, 11, 1, 12, 10, 4, 14, 15, 9,
200 10, 3, 6, 15, 9, 0, 0, 6, 12, 10, 11, 1, 7, 13, 13, 8,
201 15, 9, 1, 4, 3, 5, 14, 11, 5, 12, 2, 7, 8, 2, 4, 14
202 },
203 { /* S4 */
204 2, 14, 12, 11, 4, 2, 1, 12, 7, 4, 10, 7, 11, 13, 6, 1,
205 8, 5, 5, 0, 3, 15, 15, 10, 13, 3, 0, 9, 14, 8, 9, 6,
206 4, 11, 2, 8, 1, 12, 11, 7, 10, 1, 13, 14, 7, 2, 8, 13,
207 15, 6, 9, 15, 12, 0, 5, 9, 6, 10, 3, 4, 0, 5, 14, 3
208 },
209 { /* S5 */
210 12, 10, 1, 15, 10, 4, 15, 2, 9, 7, 2, 12, 6, 9, 8, 5,
211 0, 6, 13, 1, 3, 13, 4, 14, 14, 0, 7, 11, 5, 3, 11, 8,
212 9, 4, 14, 3, 15, 2, 5, 12, 2, 9, 8, 5, 12, 15, 3, 10,
213 7, 11, 0, 14, 4, 1, 10, 7, 1, 6, 13, 0, 11, 8, 6, 13
214 },
215 { /* S6 */
216 4, 13, 11, 0, 2, 11, 14, 7, 15, 4, 0, 9, 8, 1, 13, 10,
217 3, 14, 12, 3, 9, 5, 7, 12, 5, 2, 10, 15, 6, 8, 1, 6,
218 1, 6, 4, 11, 11, 13, 13, 8, 12, 1, 3, 4, 7, 10, 14, 7,
219 10, 9, 15, 5, 6, 0, 8, 15, 0, 14, 5, 2, 9, 3, 2, 12
220 },
221 { /* S7 */
222 13, 1, 2, 15, 8, 13, 4, 8, 6, 10, 15, 3, 11, 7, 1, 4,
223 10, 12, 9, 5, 3, 6, 14, 11, 5, 0, 0, 14, 12, 9, 7, 2,
224 7, 2, 11, 1, 4, 14, 1, 7, 9, 4, 12, 10, 14, 8, 2, 13,
225 0, 15, 6, 12, 10, 9, 13, 0, 15, 3, 3, 5, 5, 6, 8, 11
226 }
227 };
228
229
230 /* P-Box permutation.
231 * This permutation is applied to the result of the S-Box Substitutions.
232 * It's a straight-forward re-arrangement of the bits.
233 */
234 static const uint8_t PBox[32] =
235 {
236 15, 6, 19, 20, 28, 11, 27, 16,
237 0, 14, 22, 25, 4, 17, 30, 9,
238 1, 7, 23, 13, 31, 26, 2, 8,
239 18, 12, 29, 5, 21, 10, 3, 24
240 };
241
242
243 /* Final permutation map.
244 * This is supposed to be the inverse of the Initial Permutation,
245 * but there's been a bit of fiddling done.
246 * As always, the values given are one less than those in the literature
247 * (because C starts counting from 0, not 1). In addition, the penultimate
248 * step in DES is to swap the left and right hand sides of the ciphertext.
249 * The inverse of the Initial Permutation is then applied to produce the
250 * final result.
251 * To save a step, the map below does the left/right swap as well as the
252 * inverse permutation.
253 */
254 static const uint8_t FinalPermuteMap[64] =
255 {
256 7, 39, 15, 47, 23, 55, 31, 63,
257 6, 38, 14, 46, 22, 54, 30, 62,
258 5, 37, 13, 45, 21, 53, 29, 61,
259 4, 36, 12, 44, 20, 52, 28, 60,
260 3, 35, 11, 43, 19, 51, 27, 59,
261 2, 34, 10, 42, 18, 50, 26, 58,
262 1, 33, 9, 41, 17, 49, 25, 57,
263 0, 32, 8, 40, 16, 48, 24, 56
264 };
265
266
267 /* -------------------------------------------------------------------------- **
268 * Macros:
269 *
270 * CLRBIT( STR, IDX )
271 * Input: STR - (uchar *) pointer to an array of 8-bit bytes.
272 * IDX - (int) bitwise index of a bit within the STR array
273 * that is to be cleared (that is, given a value of 0).
274 * Notes: This macro clears a bit within an array of bits (which is
275 * built within an array of bytes).
276 * - The macro converts to an assignment of the form A &= B.
277 * - The string of bytes is viewed as an array of bits, read from
278 * highest order bit first. The highest order bit of a byte
279 * would, therefore, be bit 0 (within that byte).
280 *
281 * SETBIT( STR, IDX )
282 * Input: STR - (uchar *) pointer to an array of 8-bit bytes.
283 * IDX - (int) bitwise index of a bit within the STR array
284 * that is to be set (that is, given a value of 1).
285 * Notes: This macro sets a bit within an array of bits (which is
286 * built within an array of bytes).
287 * - The macro converts to an assignment of the form A |= B.
288 * - The string of bytes is viewed as an array of bits, read from
289 * highest order bit first. The highest order bit of a byte
290 * would, therefore, be bit 0 (within that byte).
291 *
292 * GETBIT( STR, IDX )
293 * Input: STR - (uchar *) pointer to an array of 8-bit bytes.
294 * IDX - (int) bit-wise index of a bit within the STR array
295 * that is to be read.
296 * Output: True (1) if the indexed bit was set, else false (0).
297 *
298 * -------------------------------------------------------------------------- **
299 */
300
301 #define CLRBIT( STR, IDX ) ( (STR)[(IDX)/8] &= ~(0x01 << (7 - ((IDX)%8))) )
302
303 #define SETBIT( STR, IDX ) ( (STR)[(IDX)/8] |= (0x01 << (7 - ((IDX)%8))) )
304
305 #define GETBIT( STR, IDX ) (( ((STR)[(IDX)/8]) >> (7 - ((IDX)%8)) ) & 0x01)
306
307
308 /* -------------------------------------------------------------------------- **
309 * Static Functions:
310 */
311
Permute(uchar * dst,const uchar * src,const uint8_t * map,const int mapsize)312 static void Permute( uchar *dst,
313 const uchar *src,
314 const uint8_t *map,
315 const int mapsize )
316 /* ------------------------------------------------------------------------ **
317 * Performs a DES permutation, which re-arranges the bits in an array of
318 * bytes.
319 *
320 * Input: dst - Destination into which to put the re-arranged bits.
321 * src - Source from which to read the bits.
322 * map - Permutation map.
323 * mapsize - Number of bytes represented by the <map>. This also
324 * represents the number of bytes to be copied to <dst>.
325 *
326 * Output: none.
327 *
328 * Notes: <src> and <dst> must not point to the same location.
329 *
330 * - No checks are done to ensure that there is enough room
331 * in <dst>, or that the bit numbers in <map> do not exceed
332 * the bits available in <src>. A good reason to make this
333 * function static (private).
334 *
335 * - The <mapsize> value is in bytes. All permutations in DES
336 * use tables that are a multiple of 8 bits, so there is no
337 * need to handle partial bytes. (Yes, I know that there
338 * are some machines out there that still use bytes of a size
339 * other than 8 bits. For our purposes we'll stick with 8-bit
340 * bytes.)
341 *
342 * ------------------------------------------------------------------------ **
343 */
344 {
345 int bitcount;
346 int i;
347
348 /* Clear all bits in the destination.
349 */
350 for( i = 0; i < mapsize; i++ )
351 dst[i] = 0;
352
353 /* Set destination bit if the mapped source bit it set. */
354 bitcount = mapsize * 8;
355 for( i = 0; i < bitcount; i++ )
356 {
357 if( GETBIT( src, map[i] ) )
358 SETBIT( dst, i );
359 }
360 } /* Permute */
361
362
KeyShift(uchar * key,const int numbits)363 static void KeyShift( uchar *key, const int numbits )
364 /* ------------------------------------------------------------------------ **
365 * Split the 56-bit key in half & left rotate each half by <numbits> bits.
366 *
367 * Input: key - The 56-bit key to be split-rotated.
368 * numbits - The number of bits by which to rotate the key.
369 *
370 * Output: none.
371 *
372 * Notes: There are probably several better ways to implement this.
373 *
374 * ------------------------------------------------------------------------ **
375 */
376 {
377 int i;
378 uchar keep = key[0]; /* Copy the highest order bits of the key. */
379
380 /* Repeat the shift process <numbits> times.
381 */
382 for( i = 0; i < numbits; i++ )
383 {
384 int j;
385
386 /* Shift the entire thing, byte by byte.
387 */
388 for( j = 0; j < 7; j++ )
389 {
390 if( j && (key[j] & 0x80) ) /* If the top bit of this byte is set. */
391 key[j-1] |= 0x01; /* ...shift it to last byte's low bit. */
392 key[j] <<= 1; /* Then left-shift the whole byte. */
393 }
394
395 /* Now move the high-order bits of each 28-bit half-key to their
396 * correct locations.
397 * Bit 27 is the lowest order bit of the first half-key.
398 * Before the shift, it was the highest order bit of the 2nd half-key.
399 */
400 if( GETBIT( key, 27 ) ) /* If bit 27 is set... */
401 {
402 CLRBIT( key, 27 ); /* ...clear bit 27. */
403 SETBIT( key, 55 ); /* ...set lowest order bit of 2nd half-key. */
404 }
405
406 /* We kept the highest order bit of the first half-key in <keep>.
407 * If it's set, copy it to bit 27.
408 */
409 if( keep & 0x80 )
410 SETBIT( key, 27 );
411
412 /* Rotate the <keep> byte too, in case <numbits> is 2 and there's
413 * a second round coming.
414 */
415 keep <<= 1;
416 }
417 } /* KeyShift */
418
419
sbox(uchar * dst,const uchar * src)420 static void sbox( uchar *dst, const uchar *src )
421 /* ------------------------------------------------------------------------ **
422 * Perform S-Box substitutions.
423 *
424 * Input: dst - Destination byte array into which the S-Box substituted
425 * bitmap will be written.
426 * src - Source byte array.
427 *
428 * Output: none.
429 *
430 * Notes: It's really not possible (for me, anyway) to understand how
431 * this works without reading one or more detailed explanations.
432 * Quick overview, though:
433 *
434 * After the DataExpansion step (in which a 32-bit bit array is
435 * expanded to a 48-bit bit array) the expanded data block is
436 * XOR'd with 48-bits worth of key. That 48 bits then needs to
437 * be condensed back into 32 bits.
438 *
439 * The S-Box substitution handles the data reduction by breaking
440 * the 48-bit value into eight 6-bit values. For each of these
441 * 6-bit values there is a table (an S-Box table). The table
442 * contains 64 possible values. Conveniently, a 6-bit integer
443 * can represent a value between 0 and 63.
444 *
445 * So, if you think of the 48-bit bit array as an array of 6-bit
446 * integers, you use S-Box table 0 with the 0th 6-bit value.
447 * Table 1 is used with the 6-bit value #1, and so on until #7.
448 * Within each table, the correct substitution is found based
449 * simply on the value of the 6-bit integer.
450 *
451 * Well, the original algorithm (and most documentation) don't
452 * make it so simple. There's a complex formula for mapping
453 * the 6-bit values to the correct substitution. Fortunately,
454 * those lookups can be precomputed (and have been for this
455 * implementation). See pp 274-274 in Schneier.
456 *
457 * Oh, and the substitute values are all 4-bit values, so each
458 * 6-bits gets reduced to 4-bits resulting in a 32-bit bit array.
459 *
460 * ------------------------------------------------------------------------ **
461 */
462 {
463 int i;
464
465 /* Clear the destination array.
466 */
467 for( i = 0; i < 4; i++ )
468 dst[i] = 0;
469
470 /* For each set of six input bits...
471 */
472 for( i = 0; i < 8; i++ )
473 {
474 int j;
475 int Snum;
476 int bitnum;
477
478 /* Extract the 6-bit integer from the source.
479 * This will be the lookup key within the SBox[i] array.
480 */
481 for( Snum = j = 0, bitnum = (i * 6); j < 6; j++, bitnum++ )
482 {
483 Snum <<= 1;
484 Snum |= GETBIT( src, bitnum );
485 }
486
487 /* Find the correct value in the correct SBox[]
488 * and copy it into the destination.
489 * Left shift the nibble four bytes for even values of <i>.
490 */
491 if( 0 == (i%2) )
492 dst[i/2] |= ((SBox[i][Snum]) << 4);
493 else
494 dst[i/2] |= SBox[i][Snum];
495 }
496 } /* sbox */
497
498
xor(uchar * dst,const uchar * a,const uchar * b,const int count)499 static void xor( uchar *dst, const uchar *a, const uchar *b, const int count )
500 /* ------------------------------------------------------------------------ **
501 * Perform an XOR operation on two byte arrays.
502 *
503 * Input: dst - Destination array to which the result will be written.
504 * a - The first string of bytes.
505 * b - The second string of bytes.
506 * count - Number of bytes to XOR against one another.
507 *
508 * Output: none.
509 *
510 * Notes: This function operates on whole byte chunks. There's no need
511 * to XOR partial bytes so no need to write code to handle it.
512 *
513 * - This function essentially implements dst = a ^ b; for byte
514 * arrays.
515 *
516 * - <dst> may safely point to the same location as <a> or <b>.
517 *
518 * ------------------------------------------------------------------------ **
519 */
520 {
521 int i;
522
523 for( i = 0; i < count; i++ )
524 dst[i] = a[i] ^ b[i];
525 } /* xor */
526
527
528 /* -------------------------------------------------------------------------- **
529 * Functions:
530 */
531
auth_DESkey8to7(uchar * dst,const uchar * key)532 uchar *auth_DESkey8to7( uchar *dst, const uchar *key )
533 /* ------------------------------------------------------------------------ **
534 * Compress an 8-byte DES key to its 7-byte form.
535 *
536 * Input: dst - Pointer to a memory location (minimum 7 bytes) to accept
537 * the compressed key.
538 * key - Pointer to an 8-byte DES key. See the notes below.
539 *
540 * Output: A pointer to the compressed key (same as <dst>) or NULL if
541 * either <src> or <dst> were NULL.
542 *
543 * Notes: There are no checks done to ensure that <dst> and <key> point
544 * to sufficient space. Please be carefull.
545 *
546 * The two pointers, <dst> and <key> may point to the same
547 * memory location. Internally, a temporary buffer is used and
548 * the results are copied back to <dst>.
549 *
550 * The DES algorithm uses 8 byte keys by definition. The first
551 * step in the algorithm, however, involves removing every eigth
552 * bit to produce a 56-bit key (seven bytes). SMB authentication
553 * skips this step and uses 7-byte keys. The <auth_DEShash()>
554 * algorithm in this module expects 7-byte keys. This function
555 * is used to convert an 8-byte DES key into a 7-byte SMB DES key.
556 *
557 * ------------------------------------------------------------------------ **
558 */
559 {
560 int i;
561 uchar tmp[7];
562 static const uint8_t map8to7[56] =
563 {
564 0, 1, 2, 3, 4, 5, 6,
565 8, 9, 10, 11, 12, 13, 14,
566 16, 17, 18, 19, 20, 21, 22,
567 24, 25, 26, 27, 28, 29, 30,
568 32, 33, 34, 35, 36, 37, 38,
569 40, 41, 42, 43, 44, 45, 46,
570 48, 49, 50, 51, 52, 53, 54,
571 56, 57, 58, 59, 60, 61, 62
572 };
573
574 if( (NULL == dst) || (NULL == key) )
575 return( NULL );
576
577 Permute( tmp, key, map8to7, 7 );
578 for( i = 0; i < 7; i++ )
579 dst[i] = tmp[i];
580
581 return( dst );
582 } /* auth_DESkey8to7 */
583
584
auth_DEShash(uchar * dst,const uchar * key,const uchar * src)585 uchar *auth_DEShash( uchar *dst, const uchar *key, const uchar *src )
586 /* ------------------------------------------------------------------------ **
587 * DES encryption of the input data using the input key.
588 *
589 * Input: dst - Destination buffer. It *must* be at least eight bytes
590 * in length, to receive the encrypted result.
591 * key - Encryption key. Exactly seven bytes will be used.
592 * If your key is shorter, ensure that you pad it to seven
593 * bytes.
594 * src - Source data to be encrypted. Exactly eight bytes will
595 * be used. If your source data is shorter, ensure that
596 * you pad it to eight bytes.
597 *
598 * Output: A pointer to the encrpyted data (same as <dst>).
599 *
600 * Notes: In SMB, the DES function is used as a hashing function rather
601 * than an encryption/decryption tool. When used for generating
602 * the LM hash the <src> input is the known value "KGS!@#$%" and
603 * the key is derived from the password entered by the user.
604 * When used to generate the LM or NTLM response, the <key> is
605 * derived from the LM or NTLM hash, and the challenge is used
606 * as the <src> input.
607 * See: http://ubiqx.org/cifs/SMB.html#SMB.8.3
608 *
609 * - This function is called "DEShash" rather than just "DES"
610 * because it is only used for creating LM hashes and the
611 * LM/NTLM responses. For all practical purposes, however, it
612 * is a full DES encryption implementation.
613 *
614 * - This DES implementation does not need to be fast, nor is a
615 * DES decryption function needed. The goal is to keep the
616 * code small, simple, and well documented.
617 *
618 * - The input values are copied and refiddled within the module
619 * and the result is not written to <dst> until the very last
620 * step, so it's okay if <dst> points to the same memory as
621 * <key> or <src>.
622 *
623 * ------------------------------------------------------------------------ **
624 */
625 {
626 int i; /* Loop counter. */
627 uchar K[7]; /* Holds the key, as we manipulate it. */
628 uchar D[8]; /* The data block, as we manipulate it. */
629
630 /* Create the permutations of the key and the source.
631 */
632 Permute( K, key, KeyPermuteMap, 7 );
633 Permute( D, src, InitialPermuteMap, 8 );
634
635 /* DES encryption proceeds in 16 rounds.
636 * The stuff inside the loop is known in the literature as "function f".
637 */
638 for( i = 0; i < 16; i++ )
639 {
640 int j;
641 uchar *L = D; /* The left 4 bytes (half) of the data block. */
642 uchar *R = &(D[4]); /* The right half of the ciphertext block. */
643 uchar Rexp[6]; /* Expanded right half. */
644 uchar Rn[4]; /* New value of R, as we manipulate it. */
645 uchar SubK[6]; /* The 48-bit subkey. */
646
647 /* Generate the subkey for this round.
648 */
649 KeyShift( K, KeyRotation[i] );
650 Permute( SubK, K, KeyCompression, 6 );
651
652 /* Expand the right half (R) of the data block to 48 bytes,
653 * then XOR the result with the Subkey for this round.
654 */
655 Permute( Rexp, R, DataExpansion, 6 );
656 xor( Rexp, Rexp, SubK, 6 );
657
658 /* S-Box substitutions, P-Box permutation, and final XOR.
659 * The S-Box substitutions return a 32-bit value, which is then
660 * run through the 32-bit to 32-bit P-Box permutation. The P-Box
661 * result is then XOR'd with the left-hand half of the key.
662 * (Rexp is used as a temporary variable between the P-Box & XOR).
663 */
664 sbox( Rn, Rexp );
665 Permute( Rexp, Rn, PBox, 4 );
666 xor( Rn, L, Rexp, 4 );
667
668 /* The previous R becomes the new L,
669 * and Rn is moved into R ready for the next round.
670 */
671 for( j = 0; j < 4; j++ )
672 {
673 L[j] = R[j];
674 R[j] = Rn[j];
675 }
676 }
677
678 /* The encryption is complete.
679 * Now reverse-permute the ciphertext to produce the final result.
680 * We actually combine two steps here. The penultimate step is to
681 * swap the positions of L and R in the result of the 16 rounds,
682 * after which the reverse of the Initial Permutation is applied.
683 * To save a step, the FinalPermuteMap applies both the L/R swap
684 * and the inverse of the Initial Permutation.
685 */
686 Permute( dst, D, FinalPermuteMap, 8 );
687 return( dst );
688 } /* auth_DEShash */
689
690
691 static const uchar SMB_LMhash_Magic[8] =
692 { 'K', 'G', 'S', '!', '@', '#', '$', '%' };
693
auth_LMhash(uchar * dst,const uchar * pwd,const int pwdlen)694 uchar *auth_LMhash( uchar *dst, const uchar *pwd, const int pwdlen )
695 /* ------------------------------------------------------------------------ **
696 * Generate an LM Hash from the input password.
697 *
698 * Input: dst - Pointer to a location to which to write the LM Hash.
699 * Requires 16 bytes minimum.
700 * pwd - Source password. Should be in OEM charset (extended
701 * ASCII) format in all upper-case, but this
702 * implementation doesn't really care. See the notes
703 * below.
704 * pwdlen - Length, in bytes, of the password. Normally, this
705 * will be strlen( pwd ).
706 *
707 * Output: Pointer to the resulting LM hash (same as <dst>).
708 *
709 * Notes: This function does not convert the input password to upper
710 * case. The upper-case conversion should be done before the
711 * password gets this far. DOS codepage handling and such
712 * should be taken into consideration. Rather than attempt to
713 * work out all those details here, the function assumes that
714 * the password is in the correct form before it reaches this
715 * point.
716 *
717 * ------------------------------------------------------------------------ **
718 */
719 {
720 int i,
721 max14;
722 uint8_t tmp_pwd[14] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
723
724 /* Copy at most 14 bytes of <pwd> into <tmp_pwd>.
725 * If the password is less than 14 bytes long
726 * the rest will be nul padded.
727 */
728 max14 = pwdlen > 14 ? 14 : pwdlen;
729 for( i = 0; i < max14; i++ )
730 tmp_pwd[i] = pwd[i];
731
732 /* The password is split into two 7-byte keys, each of which
733 * are used to DES-encrypt the magic string. The results are
734 * concatonated to produce the 16-byte LM Hash.
735 */
736 (void)auth_DEShash( dst, tmp_pwd, SMB_LMhash_Magic );
737 (void)auth_DEShash( &dst[8], &tmp_pwd[7], SMB_LMhash_Magic );
738
739 /* Return a pointer to the result.
740 */
741 return( dst );
742 } /* auth_LMhash */
743