Plan 9 from Bell Labs’s /usr/web/sources/patch/sorry/cifs-big/auth.c

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.
Download the Plan 9 distribution.


/*
 * Beware the LM hash is easy to crack (google for l0phtCrack)
 * and though NTLM is more secure it is still breakable.
 * Ntlmv2 is better and seen as good enough by the windows community.
 * For real security use kerberos.
 */
#include <u.h>
#include <libc.h>
#include <mp.h>
#include <auth.h>
#include <libsec.h>
#include <ctype.h>
#include <fcall.h>
#include <thread.h>
#include <9p.h>
#include "cifs.h"

#define DEF_AUTH 	"ntlmv2"

static enum {
	MACkeylen	= 40,	/* MAC key len */
	MAClen		= 8,	/* signature length */
	MACoff		= 14,	/* sign. offset from start of SMB (not netbios) pkt */
	Bliplen		= 8,	/* size of LMv2 client nonce */
};

static void
dmp(char *s, int seq, void *buf, int n)
{
	int i;
	char *p = buf;

	print("%s %3d      ", s, seq);
	while(n > 0){
		for(i = 0; i < 16 && n > 0; i++, n--)
			print("%02x ", *p++ & 0xff);
		if(n > 0)
			print("\n");
	}
	print("\n");
}

static Auth *
auth_plain(char *windom, char *keyp, uchar *chal, int len)
{
	UserPasswd *up;
	static Auth *ap;

	USED(chal, len);

	up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass service=cifs %s",
		windom, keyp);
	if(! up)
		sysfatal("cannot get key - %r");

	ap = emalloc9p(sizeof(Auth));
	memset(ap, 0, sizeof(ap));
	ap->user = estrdup9p(up->user);
	ap->windom = estrdup9p(windom);

	ap->resp[0] = estrdup9p(up->passwd);
	ap->len[0] = strlen(up->passwd);
	memset(up->passwd, 0, strlen(up->passwd));
	free(up);

	return ap;
}

static Auth *
auth_lm_and_ntlm(char *windom, char *keyp, uchar *chal, int len)
{
	int err;
	char user[64];
	Auth *ap;
	MSchapreply mcr;

	err = auth_respond(chal, len, user, sizeof user, &mcr, sizeof mcr,
		auth_getkey, "windom=%s proto=mschap role=client service=cifs %s",
		windom, keyp);
	if(err == -1)
		sysfatal("cannot get key - %r");

	ap = emalloc9p(sizeof(Auth));
	memset(ap, 0, sizeof(ap));
	ap->user = estrdup9p(user);
	ap->windom = estrdup9p(windom);

	/* LM response */
	ap->len[0] = sizeof(mcr.LMresp);
	ap->resp[0] = emalloc9p(ap->len[0]);
	memcpy(ap->resp[0], mcr.LMresp, ap->len[0]);

	/* NTLM response */
	ap->len[1] = sizeof(mcr.NTresp);
	ap->resp[1] = emalloc9p(ap->len[1]);
	memcpy(ap->resp[1], mcr.NTresp, ap->len[1]);

	return ap;
}

/*
 * NTLM response only, the LM response is a just
 * copy of the NTLM one. we do this because the lm
 * response is easily reversed - Google for l0pht
 * for more info.
 */
static Auth *
auth_ntlm(char *windom, char *keyp, uchar *chal, int len)
{
	Auth *ap;

	if((ap = auth_lm_and_ntlm(windom, keyp, chal, len)) == nil)
		return nil;

	free(ap->resp[0]);
	ap->len[0] = ap->len[1];
	ap->resp[0] = emalloc9p(ap->len[0]);
	memcpy(ap->resp[0], ap->resp[1], ap->len[0]);
	return ap;
}

/*
 * This is not really nescessary as all fields hmac_md5'ed
 * in the ntlmv2 protocol are less than 64 bytes long, however
 * I still do this for completeness
 */
static DigestState *
hmac_t64(uchar *data, ulong dlen, uchar *key, ulong klen, uchar *digest,
	DigestState *state)
{
	if(klen > 64)
		klen = 64;
	return hmac_md5(data, dlen, key, klen, digest, state);
}


static int
putname(uchar *buf, int len, char *name, int type)
{
	int n;
	Rune r;
	char *d;
	uchar *p = buf;

	*p++ = type;
	*p++ = 0;		/* 16bit: name type */

	n = utflen(name) * 2;
	*p++ = n;
	*p++ = n >> 8;		/* 16bit: name length */

	d = name;
	while(*d != 0 && p-buf < len-8){
		d += chartorune(&r, d);
		r = toupperrune(r);
		*p++ = r;
			*p++ = r >> 8;
	}			/* var: actual name */

	return p - buf;
}

static int
ntv2_blob(uchar *blob, int len, char *windom)
{
	uvlong t;
	uchar *p;
	enum {			/* name types */
		Beof,		/* end of name list */
		Bhost,		/* Netbios host name */
		Bdomain,	/* Windows Domain name (NT) */
		Bdnshost,	/* DNS host name */
		Bdnsdomain,	/* DNS domain name */
	};

	p = blob;
	*p++ = 1;		/* 8bit: response type */
	*p++ = 1;		/* 8bit: max response type understood by client */

	*p++ = 0;		/* 16bit: reserved */
	*p++ = 0;

	*p++ = 0;		/* 32bit: unknown */
	*p++ = 0;
	*p++ = 0;
	*p++ = 0;

	t = time(nil);
	t += 11644473600LL;
	t *= 10000000LL;

	*p++ = t;		/* 64bit: time in NT format */
	*p++ = t >> 8;
	*p++ = t >> 16;
	*p++ = t >> 24;
	*p++ = t >> 32;
	*p++ = t >> 40;
	*p++ = t >> 48;
	*p++ = t >> 56;

	genrandom(p, 8);
	p += 8;			/* 64bit: client nonce */

	*p++ = 0;		/* 32bit: unknown data */
	*p++ = 0;
	*p++ = 0;
	*p++ = 0;

	p += putname(p, len - (p-blob), windom, Bdomain);
	p += putname(p, len - (p-blob), "", Beof);

	return p - blob;
}

static Auth *
auth_ntlmv2(char *windom, char *keyp, uchar *chal, int len)
{
	int i, n;
	Rune r;
	char *p, *u;
	uchar v1hash[MD5dlen], blip[Bliplen], blob[1024], v2hash[MD5dlen];
	uchar c, lm_hmac[MD5dlen], nt_hmac[MD5dlen], nt_sesskey[MD5dlen],
		lm_sesskey[MD5dlen];
	DigestState *ds;
	UserPasswd *up;
	static Auth *ap;

	up = auth_getuserpasswd(auth_getkey, "windom=%s proto=pass  service=cifs-ntlmv2 %s",
		windom, keyp);
	if(!up)
		sysfatal("cannot get key - %r");

	ap = emalloc9p(sizeof(Auth));
	memset(ap, 0, sizeof(ap));

	/* Standard says unlimited length, experience says 128 max */
	if((n = strlen(up->passwd)) > 128)
		n = 128;

	ds = md4(nil, 0, nil, nil);
	for(i=0, p=up->passwd; i < n; i++) {
		p += chartorune(&r, p);
		c = r;
		md4(&c, 1, nil, ds);
		c = r >> 8;
		md4(&c, 1, nil, ds);
	}
	md4(nil, 0, v1hash, ds);

	/*
	 * Some documentation insists that the username must be forced to
	 * uppercase, but the domain name should not be. Other shows both
	 * being forced to uppercase. I am pretty sure this is irrevevant as the
	 * domain name passed from the remote server always seems to be in
	 * uppercase already.
	 */
        ds = hmac_t64(nil, 0, v1hash, MD5dlen, nil, nil);
	u = up->user;
	while(*u){
		u += chartorune(&r, u);
		r = toupperrune(r);
		c = r;
        	hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
		c = r >> 8;
        	hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
	}
	u = windom;

	while(*u){
		u += chartorune(&r, u);
		c = r;
        	hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
		c = r >> 8;
        	hmac_t64(&c, 1, v1hash, MD5dlen, nil, ds);
	}
        hmac_t64(nil, 0, v1hash, MD5dlen, v2hash, ds);
	ap->user = estrdup9p(up->user);
	ap->windom = estrdup9p(windom);

	/* LM v2 */

	genrandom(blip, Bliplen);
        ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil);
	hmac_t64(blip, Bliplen, v2hash, MD5dlen, lm_hmac, ds);
	ap->len[0] = MD5dlen+Bliplen;
	ap->resp[0] = emalloc9p(ap->len[0]);
	memcpy(ap->resp[0], lm_hmac, MD5dlen);
	memcpy(ap->resp[0]+MD5dlen, blip, Bliplen);

	/* LM v2 session key */
	hmac_t64(lm_hmac, MD5dlen, v2hash, MD5dlen, lm_sesskey, nil);

	/* LM v2 MAC key */
	ap->mackey[0] = emalloc9p(MACkeylen);
	memcpy(ap->mackey[0], lm_sesskey, MD5dlen);
	memcpy(ap->mackey[0]+MD5dlen, ap->resp[0], MACkeylen-MD5dlen);

	/* NTLM v2 */
	n = ntv2_blob(blob, sizeof blob, windom);
        ds = hmac_t64(chal, len, v2hash, MD5dlen, nil, nil);
	hmac_t64(blob, n, v2hash, MD5dlen, nt_hmac, ds);
	ap->len[1] = MD5dlen+n;
	ap->resp[1] = emalloc9p(ap->len[1]);
	memcpy(ap->resp[1], nt_hmac, MD5dlen);
	memcpy(ap->resp[1]+MD5dlen, blob, n);

	/*
	 * v2hash definitely OK by
	 * the time we get here.
	 */
	/* NTLM v2 session key */
	hmac_t64(nt_hmac, MD5dlen, v2hash, MD5dlen, nt_sesskey, nil);

	/* NTLM v2 MAC key */
	ap->mackey[1] = emalloc9p(MACkeylen);
	memcpy(ap->mackey[1], nt_sesskey, MD5dlen);
	memcpy(ap->mackey[1]+MD5dlen, ap->resp[1], MACkeylen-MD5dlen);
	free(up);

	return ap;
}

struct {
	char	*name;
	Auth	*(*func)(char *, char *, uchar *, int);
} methods[] = {
	{ "plain",	auth_plain },
	{ "lm+ntlm",	auth_lm_and_ntlm },
	{ "ntlm",	auth_ntlm },
	{ "ntlmv2",	auth_ntlmv2 },
//	{ "kerberos",	auth_kerberos },
};

void
autherr(void)
{
	int i;

	fprint(2, "supported auth methods:\t");
	for(i = 0; i < nelem(methods); i++)
		fprint(2, "%s ", methods[i].name);
	fprint(2, "\n");
	exits("usage");
}

Auth *
getauth(char *name, char *windom, char *keyp, int secmode, uchar *chal, int len)
{
	int i;
	Auth *ap;

	if(name == nil){
		name = DEF_AUTH;
		if((secmode & SECMODE_PW_ENCRYPT) == 0)
			sysfatal("plaintext authentication required, use '-a plain'");
	}

	ap = nil;
	for(i = 0; i < nelem(methods); i++)
		if(strcmp(methods[i].name, name) == 0){
			ap = methods[i].func(windom, keyp, chal, len);
			break;
		}

	if(! ap){
		fprint(2, "%s: %s - unknown auth method\n", argv0, name);
		autherr();	/* never returns */
	}
	return ap;
}

static int
genmac(uchar *buf, int len, int seq, uchar key[MACkeylen], uchar ours[MAClen])
{
	DigestState *ds;
	uchar *sig, digest[MD5dlen], theirs[MAClen];

	sig = buf+MACoff;
	memcpy(theirs, sig, MAClen);

	memset(sig, 0, MAClen);
	sig[0] = seq;
	sig[1] = seq >> 8;
	sig[2] = seq >> 16;
	sig[3] = seq >> 24;

	ds = md5(key, MACkeylen, nil, nil);
	md5(buf, len, digest, ds);
	memcpy(ours, digest, MAClen);

	return memcmp(theirs, ours, MAClen);
}

int
macsign(Pkt *p, int seq)
{
	int rc, len;
	uchar *sig, *buf, mac[MAClen];

	sig = p->buf + NBHDRLEN + MACoff;
	buf = p->buf + NBHDRLEN;
	len = (p->pos - p->buf) - NBHDRLEN;

#ifdef DEBUG_MAC
	if(seq & 1)
		dmp("rx", seq, sig, MAClen);
#endif
	rc = 0;
	if(! p->s->seqrun)
		memcpy(mac, "BSRSPYL ", 8);	/* no idea, ask MS */
	else
		rc = genmac(buf, len, seq, p->s->auth->mackey[0], mac);
#ifdef DEBUG_MAC
	if(!(seq & 1))
		dmp("tx", seq, mac, MAClen);
#endif
	memcpy(sig, mac, MAClen);
	return rc;
}

Bell Labs OSI certified Powered by Plan 9

(Return to Plan 9 Home Page)

Copyright © 2021 Plan 9 Foundation. All Rights Reserved.
Comments to [email protected].