The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netsmb/smb_crypt.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2000-2001, Boris Popov
    3  * All rights reserved.
    4  *
    5  * Copyright (c) 2003, 2004 Tim J. Robbins.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. All advertising materials mentioning features or use of this software
   17  *    must display the following acknowledgement:
   18  *    This product includes software developed by Boris Popov.
   19  * 4. Neither the name of the author nor the names of any co-contributors
   20  *    may be used to endorse or promote products derived from this software
   21  *    without specific prior written permission.
   22  *
   23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   33  * SUCH DAMAGE.
   34  */
   35 
   36 #include <sys/cdefs.h>
   37 __FBSDID("$FreeBSD: releng/11.2/sys/netsmb/smb_crypt.c 331722 2018-03-29 02:50:57Z eadler $");
   38 
   39 #include <sys/param.h>
   40 #include <sys/malloc.h>
   41 #include <sys/kernel.h>
   42 #include <sys/systm.h>
   43 #include <sys/conf.h>
   44 #include <sys/proc.h>
   45 #include <sys/fcntl.h>
   46 #include <sys/socket.h>
   47 #include <sys/socketvar.h>
   48 #include <sys/sysctl.h>
   49 #include <sys/endian.h>
   50 #include <sys/mbuf.h>
   51 #include <sys/mchain.h>
   52 #include <sys/md4.h>
   53 #include <sys/md5.h>
   54 #include <sys/iconv.h>
   55 
   56 #include <netsmb/smb.h>
   57 #include <netsmb/smb_conn.h>
   58 #include <netsmb/smb_subr.h>
   59 #include <netsmb/smb_rq.h>
   60 #include <netsmb/smb_dev.h>
   61 
   62 #include <crypto/des/des.h>
   63 
   64 #include "opt_netsmb.h"
   65 
   66 static u_char N8[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
   67 
   68 
   69 static void
   70 smb_E(const u_char *key, u_char *data, u_char *dest)
   71 {
   72         des_key_schedule *ksp;
   73         u_char kk[8];
   74 
   75         kk[0] = key[0] & 0xfe;
   76         kk[1] = key[0] << 7 | (key[1] >> 1 & 0xfe);
   77         kk[2] = key[1] << 6 | (key[2] >> 2 & 0xfe);
   78         kk[3] = key[2] << 5 | (key[3] >> 3 & 0xfe);
   79         kk[4] = key[3] << 4 | (key[4] >> 4 & 0xfe);
   80         kk[5] = key[4] << 3 | (key[5] >> 5 & 0xfe);
   81         kk[6] = key[5] << 2 | (key[6] >> 6 & 0xfe);
   82         kk[7] = key[6] << 1;
   83         ksp = malloc(sizeof(des_key_schedule), M_SMBTEMP, M_WAITOK);
   84         des_set_key((des_cblock *)kk, *ksp);
   85         des_ecb_encrypt((des_cblock *)data, (des_cblock *)dest, *ksp, 1);
   86         free(ksp, M_SMBTEMP);
   87 }
   88 
   89 
   90 int
   91 smb_encrypt(const u_char *apwd, u_char *C8, u_char *RN)
   92 {
   93         u_char *p, *P14, *S21;
   94 
   95         p = malloc(14 + 21, M_SMBTEMP, M_WAITOK);
   96         bzero(p, 14 + 21);
   97         P14 = p;
   98         S21 = p + 14;
   99         bcopy(apwd, P14, min(14, strlen(apwd)));
  100         /*
  101          * S21 = concat(Ex(P14, N8), zeros(5));
  102          */
  103         smb_E(P14, N8, S21);
  104         smb_E(P14 + 7, N8, S21 + 8);
  105 
  106         smb_E(S21, C8, RN);
  107         smb_E(S21 + 7, C8, RN + 8);
  108         smb_E(S21 + 14, C8, RN + 16);
  109         free(p, M_SMBTEMP);
  110         return 0;
  111 }
  112 
  113 int
  114 smb_ntencrypt(const u_char *apwd, u_char *C8, u_char *RN)
  115 {
  116         u_char S21[21];
  117         u_int16_t *unipwd;
  118         MD4_CTX *ctxp;
  119         int len;
  120 
  121         len = strlen(apwd);
  122         unipwd = malloc((len + 1) * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK);
  123         /*
  124          * S21 = concat(MD4(U(apwd)), zeros(5));
  125          */
  126         smb_strtouni(unipwd, apwd);
  127         ctxp = malloc(sizeof(MD4_CTX), M_SMBTEMP, M_WAITOK);
  128         MD4Init(ctxp);
  129         MD4Update(ctxp, (u_char*)unipwd, len * sizeof(u_int16_t));
  130         free(unipwd, M_SMBTEMP);
  131         bzero(S21, 21);
  132         MD4Final(S21, ctxp);
  133         free(ctxp, M_SMBTEMP);
  134 
  135         smb_E(S21, C8, RN);
  136         smb_E(S21 + 7, C8, RN + 8);
  137         smb_E(S21 + 14, C8, RN + 16);
  138         return 0;
  139 }
  140 
  141 /*
  142  * Calculate message authentication code (MAC) key for virtual circuit.
  143  */
  144 int
  145 smb_calcmackey(struct smb_vc *vcp)
  146 {
  147         const char *pwd;
  148         u_int16_t *unipwd;
  149         int len;
  150         MD4_CTX md4;
  151         u_char S16[16], S21[21];
  152 
  153         KASSERT(vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE,
  154             ("signatures not enabled"));
  155 
  156         if (vcp->vc_mackey != NULL) {
  157                 free(vcp->vc_mackey, M_SMBTEMP);
  158                 vcp->vc_mackey = NULL;
  159                 vcp->vc_mackeylen = 0;
  160                 vcp->vc_seqno = 0;
  161         }
  162 
  163         /*
  164          * The partial MAC key is the concatenation of the 16 byte session
  165          * key and the 24 byte challenge response.
  166          */
  167         vcp->vc_mackeylen = 16 + 24;
  168         vcp->vc_mackey = malloc(vcp->vc_mackeylen, M_SMBTEMP, M_WAITOK);
  169 
  170         /*
  171          * Calculate session key:
  172          *      MD4(MD4(U(PN)))
  173          */
  174         pwd = smb_vc_getpass(vcp);
  175         len = strlen(pwd);
  176         unipwd = malloc((len + 1) * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK);
  177         smb_strtouni(unipwd, pwd);
  178         MD4Init(&md4);
  179         MD4Update(&md4, (u_char *)unipwd, len * sizeof(u_int16_t));
  180         MD4Final(S16, &md4);
  181         MD4Init(&md4);
  182         MD4Update(&md4, S16, 16);
  183         MD4Final(vcp->vc_mackey, &md4);
  184         free(unipwd, M_SMBTEMP);
  185 
  186         /*
  187          * Calculate response to challenge:
  188          *      Ex(concat(MD4(U(pass)), zeros(5)), C8)
  189          */
  190         bzero(S21, 21);
  191         bcopy(S16, S21, 16);
  192         smb_E(S21, vcp->vc_ch, vcp->vc_mackey + 16);
  193         smb_E(S21 + 7, vcp->vc_ch, vcp->vc_mackey + 24);
  194         smb_E(S21 + 14, vcp->vc_ch, vcp->vc_mackey + 32);
  195 
  196         return (0);
  197 }
  198 
  199 /*
  200  * Sign request with MAC.
  201  */
  202 int
  203 smb_rq_sign(struct smb_rq *rqp)
  204 {
  205         struct smb_vc *vcp = rqp->sr_vc;
  206         struct mbchain *mbp;
  207         struct mbuf *mb;
  208         MD5_CTX md5;
  209         u_char digest[16];
  210 
  211         KASSERT(vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE,
  212             ("signatures not enabled"));
  213 
  214         if (vcp->vc_mackey == NULL)
  215                 /* XXX Should assert that cmd == SMB_COM_NEGOTIATE. */
  216                 return (0);
  217 
  218         /*
  219          * This is a bit of a kludge. If the request is non-TRANSACTION,
  220          * or it is the first request of a transaction, give it the next
  221          * sequence number, and expect the reply to have the sequence number
  222          * following that one. Otherwise, it is a secondary request in
  223          * a transaction, and it gets the same sequence numbers as the
  224          * primary request.
  225          */
  226         if (rqp->sr_t2 == NULL ||
  227             (rqp->sr_t2->t2_flags & SMBT2_SECONDARY) == 0) {
  228                 rqp->sr_seqno = vcp->vc_seqno++;
  229                 rqp->sr_rseqno = vcp->vc_seqno++;
  230         } else {
  231                 /*
  232                  * Sequence numbers are already in the struct because
  233                  * smb_t2_request_int() uses the same one for all the
  234                  * requests in the transaction.
  235                  * (At least we hope so.)
  236                  */
  237                 KASSERT(rqp->sr_t2 == NULL ||
  238                     (rqp->sr_t2->t2_flags & SMBT2_SECONDARY) == 0 ||
  239                     rqp->sr_t2->t2_rq == rqp,
  240                     ("sec t2 rq not using same smb_rq"));
  241         }
  242 
  243         /* Initialize sec. signature field to sequence number + zeros. */
  244         le32enc(rqp->sr_rqsig, rqp->sr_seqno);
  245         le32enc(rqp->sr_rqsig + 4, 0);
  246 
  247         /*
  248          * Compute HMAC-MD5 of packet data, keyed by MAC key.
  249          * Store the first 8 bytes in the sec. signature field.
  250          */
  251         smb_rq_getrequest(rqp, &mbp);
  252         MD5Init(&md5);
  253         MD5Update(&md5, vcp->vc_mackey, vcp->vc_mackeylen);
  254         for (mb = mbp->mb_top; mb != NULL; mb = mb->m_next)
  255                 MD5Update(&md5, mtod(mb, void *), mb->m_len);
  256         MD5Final(digest, &md5);
  257         bcopy(digest, rqp->sr_rqsig, 8);
  258 
  259         return (0);
  260 }
  261 
  262 /*
  263  * Verify reply signature.
  264  */
  265 int
  266 smb_rq_verify(struct smb_rq *rqp)
  267 {
  268         struct smb_vc *vcp = rqp->sr_vc;
  269         struct mdchain *mdp;
  270         u_char sigbuf[8];
  271         MD5_CTX md5;
  272         u_char digest[16];
  273         struct mbuf *mb;
  274 
  275         KASSERT(vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE,
  276             ("signatures not enabled"));
  277 
  278         if (vcp->vc_mackey == NULL)
  279                 /* XXX Should check that this is a SMB_COM_NEGOTIATE reply. */
  280                 return (0);
  281 
  282         /*
  283          * Compute HMAC-MD5 of packet data, keyed by MAC key.
  284          * We play games to pretend the security signature field
  285          * contains their sequence number, to avoid modifying
  286          * the packet itself.
  287          */
  288         smb_rq_getreply(rqp, &mdp);
  289         mb = mdp->md_top;
  290         KASSERT(mb->m_len >= SMB_HDRLEN, ("forgot to m_pullup"));
  291         MD5Init(&md5);
  292         MD5Update(&md5, vcp->vc_mackey, vcp->vc_mackeylen);
  293         MD5Update(&md5, mtod(mb, void *), 14);
  294         *(u_int32_t *)sigbuf = htole32(rqp->sr_rseqno);
  295         *(u_int32_t *)(sigbuf + 4) = 0;
  296         MD5Update(&md5, sigbuf, 8);
  297         MD5Update(&md5, mtod(mb, u_char *) + 22, mb->m_len - 22);
  298         for (mb = mb->m_next; mb != NULL; mb = mb->m_next)
  299                 MD5Update(&md5, mtod(mb, void *), mb->m_len);
  300         MD5Final(digest, &md5);
  301 
  302         /*
  303          * Now verify the signature.
  304          */
  305         if (bcmp(mtod(mdp->md_top, u_char *) + 14, digest, 8) != 0)
  306                 return (EAUTH);
  307 
  308         return (0);
  309 }

Cache object: c0fc85ee57303c5aa6d6f27c31b8097b


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.