The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netsmb/smb_crypt.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * SPDX-License-Identifier: BSD-4-Clause
    3  *
    4  * Copyright (c) 2000-2001, Boris Popov
    5  * All rights reserved.
    6  *
    7  * Copyright (c) 2003, 2004 Tim J. Robbins.
    8  * All rights reserved.
    9  *
   10  * Redistribution and use in source and binary forms, with or without
   11  * modification, are permitted provided that the following conditions
   12  * are met:
   13  * 1. Redistributions of source code must retain the above copyright
   14  *    notice, this list of conditions and the following disclaimer.
   15  * 2. Redistributions in binary form must reproduce the above copyright
   16  *    notice, this list of conditions and the following disclaimer in the
   17  *    documentation and/or other materials provided with the distribution.
   18  * 3. All advertising materials mentioning features or use of this software
   19  *    must display the following acknowledgement:
   20  *    This product includes software developed by Boris Popov.
   21  * 4. Neither the name of the author nor the names of any co-contributors
   22  *    may be used to endorse or promote products derived from this software
   23  *    without specific prior written permission.
   24  *
   25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   35  * SUCH DAMAGE.
   36  */
   37 
   38 #include <sys/cdefs.h>
   39 __FBSDID("$FreeBSD: stable/12/sys/netsmb/smb_crypt.c 328238 2018-01-22 02:08:10Z pfg $");
   40 
   41 #include <sys/param.h>
   42 #include <sys/malloc.h>
   43 #include <sys/kernel.h>
   44 #include <sys/systm.h>
   45 #include <sys/conf.h>
   46 #include <sys/proc.h>
   47 #include <sys/fcntl.h>
   48 #include <sys/socket.h>
   49 #include <sys/socketvar.h>
   50 #include <sys/sysctl.h>
   51 #include <sys/endian.h>
   52 #include <sys/mbuf.h>
   53 #include <sys/mchain.h>
   54 #include <sys/md4.h>
   55 #include <sys/md5.h>
   56 #include <sys/iconv.h>
   57 
   58 #include <netsmb/smb.h>
   59 #include <netsmb/smb_conn.h>
   60 #include <netsmb/smb_subr.h>
   61 #include <netsmb/smb_rq.h>
   62 #include <netsmb/smb_dev.h>
   63 
   64 #include <crypto/des/des.h>
   65 
   66 #include "opt_netsmb.h"
   67 
   68 static u_char N8[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
   69 
   70 
   71 static void
   72 smb_E(const u_char *key, u_char *data, u_char *dest)
   73 {
   74         des_key_schedule *ksp;
   75         u_char kk[8];
   76 
   77         kk[0] = key[0] & 0xfe;
   78         kk[1] = key[0] << 7 | (key[1] >> 1 & 0xfe);
   79         kk[2] = key[1] << 6 | (key[2] >> 2 & 0xfe);
   80         kk[3] = key[2] << 5 | (key[3] >> 3 & 0xfe);
   81         kk[4] = key[3] << 4 | (key[4] >> 4 & 0xfe);
   82         kk[5] = key[4] << 3 | (key[5] >> 5 & 0xfe);
   83         kk[6] = key[5] << 2 | (key[6] >> 6 & 0xfe);
   84         kk[7] = key[6] << 1;
   85         ksp = malloc(sizeof(des_key_schedule), M_SMBTEMP, M_WAITOK);
   86         des_set_key((des_cblock *)kk, *ksp);
   87         des_ecb_encrypt((des_cblock *)data, (des_cblock *)dest, *ksp, 1);
   88         free(ksp, M_SMBTEMP);
   89 }
   90 
   91 
   92 int
   93 smb_encrypt(const u_char *apwd, u_char *C8, u_char *RN)
   94 {
   95         u_char *p, *P14, *S21;
   96 
   97         p = malloc(14 + 21, M_SMBTEMP, M_WAITOK);
   98         bzero(p, 14 + 21);
   99         P14 = p;
  100         S21 = p + 14;
  101         bcopy(apwd, P14, min(14, strlen(apwd)));
  102         /*
  103          * S21 = concat(Ex(P14, N8), zeros(5));
  104          */
  105         smb_E(P14, N8, S21);
  106         smb_E(P14 + 7, N8, S21 + 8);
  107 
  108         smb_E(S21, C8, RN);
  109         smb_E(S21 + 7, C8, RN + 8);
  110         smb_E(S21 + 14, C8, RN + 16);
  111         free(p, M_SMBTEMP);
  112         return 0;
  113 }
  114 
  115 int
  116 smb_ntencrypt(const u_char *apwd, u_char *C8, u_char *RN)
  117 {
  118         u_char S21[21];
  119         u_int16_t *unipwd;
  120         MD4_CTX *ctxp;
  121         u_int len;
  122 
  123         len = strlen(apwd);
  124         unipwd = malloc((len + 1) * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK);
  125         /*
  126          * S21 = concat(MD4(U(apwd)), zeros(5));
  127          */
  128         smb_strtouni(unipwd, apwd);
  129         ctxp = malloc(sizeof(MD4_CTX), M_SMBTEMP, M_WAITOK);
  130         MD4Init(ctxp);
  131         MD4Update(ctxp, (u_char*)unipwd, len * sizeof(u_int16_t));
  132         free(unipwd, M_SMBTEMP);
  133         bzero(S21, 21);
  134         MD4Final(S21, ctxp);
  135         free(ctxp, M_SMBTEMP);
  136 
  137         smb_E(S21, C8, RN);
  138         smb_E(S21 + 7, C8, RN + 8);
  139         smb_E(S21 + 14, C8, RN + 16);
  140         return 0;
  141 }
  142 
  143 /*
  144  * Calculate message authentication code (MAC) key for virtual circuit.
  145  */
  146 int
  147 smb_calcmackey(struct smb_vc *vcp)
  148 {
  149         const char *pwd;
  150         u_int16_t *unipwd;
  151         u_int len;
  152         MD4_CTX md4;
  153         u_char S16[16], S21[21];
  154 
  155         KASSERT(vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE,
  156             ("signatures not enabled"));
  157 
  158         if (vcp->vc_mackey != NULL) {
  159                 free(vcp->vc_mackey, M_SMBTEMP);
  160                 vcp->vc_mackey = NULL;
  161                 vcp->vc_mackeylen = 0;
  162                 vcp->vc_seqno = 0;
  163         }
  164 
  165         /*
  166          * The partial MAC key is the concatenation of the 16 byte session
  167          * key and the 24 byte challenge response.
  168          */
  169         vcp->vc_mackeylen = 16 + 24;
  170         vcp->vc_mackey = malloc(vcp->vc_mackeylen, M_SMBTEMP, M_WAITOK);
  171 
  172         /*
  173          * Calculate session key:
  174          *      MD4(MD4(U(PN)))
  175          */
  176         pwd = smb_vc_getpass(vcp);
  177         len = strlen(pwd);
  178         unipwd = malloc((len + 1) * sizeof(u_int16_t), M_SMBTEMP, M_WAITOK);
  179         smb_strtouni(unipwd, pwd);
  180         MD4Init(&md4);
  181         MD4Update(&md4, (u_char *)unipwd, len * sizeof(u_int16_t));
  182         MD4Final(S16, &md4);
  183         MD4Init(&md4);
  184         MD4Update(&md4, S16, 16);
  185         MD4Final(vcp->vc_mackey, &md4);
  186         free(unipwd, M_SMBTEMP);
  187 
  188         /*
  189          * Calculate response to challenge:
  190          *      Ex(concat(MD4(U(pass)), zeros(5)), C8)
  191          */
  192         bzero(S21, 21);
  193         bcopy(S16, S21, 16);
  194         smb_E(S21, vcp->vc_ch, vcp->vc_mackey + 16);
  195         smb_E(S21 + 7, vcp->vc_ch, vcp->vc_mackey + 24);
  196         smb_E(S21 + 14, vcp->vc_ch, vcp->vc_mackey + 32);
  197 
  198         return (0);
  199 }
  200 
  201 /*
  202  * Sign request with MAC.
  203  */
  204 int
  205 smb_rq_sign(struct smb_rq *rqp)
  206 {
  207         struct smb_vc *vcp = rqp->sr_vc;
  208         struct mbchain *mbp;
  209         struct mbuf *mb;
  210         MD5_CTX md5;
  211         u_char digest[16];
  212 
  213         KASSERT(vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE,
  214             ("signatures not enabled"));
  215 
  216         if (vcp->vc_mackey == NULL)
  217                 /* XXX Should assert that cmd == SMB_COM_NEGOTIATE. */
  218                 return (0);
  219 
  220         /*
  221          * This is a bit of a kludge. If the request is non-TRANSACTION,
  222          * or it is the first request of a transaction, give it the next
  223          * sequence number, and expect the reply to have the sequence number
  224          * following that one. Otherwise, it is a secondary request in
  225          * a transaction, and it gets the same sequence numbers as the
  226          * primary request.
  227          */
  228         if (rqp->sr_t2 == NULL ||
  229             (rqp->sr_t2->t2_flags & SMBT2_SECONDARY) == 0) {
  230                 rqp->sr_seqno = vcp->vc_seqno++;
  231                 rqp->sr_rseqno = vcp->vc_seqno++;
  232         } else {
  233                 /*
  234                  * Sequence numbers are already in the struct because
  235                  * smb_t2_request_int() uses the same one for all the
  236                  * requests in the transaction.
  237                  * (At least we hope so.)
  238                  */
  239                 KASSERT(rqp->sr_t2 == NULL ||
  240                     (rqp->sr_t2->t2_flags & SMBT2_SECONDARY) == 0 ||
  241                     rqp->sr_t2->t2_rq == rqp,
  242                     ("sec t2 rq not using same smb_rq"));
  243         }
  244 
  245         /* Initialize sec. signature field to sequence number + zeros. */
  246         le32enc(rqp->sr_rqsig, rqp->sr_seqno);
  247         le32enc(rqp->sr_rqsig + 4, 0);
  248 
  249         /*
  250          * Compute HMAC-MD5 of packet data, keyed by MAC key.
  251          * Store the first 8 bytes in the sec. signature field.
  252          */
  253         smb_rq_getrequest(rqp, &mbp);
  254         MD5Init(&md5);
  255         MD5Update(&md5, vcp->vc_mackey, vcp->vc_mackeylen);
  256         for (mb = mbp->mb_top; mb != NULL; mb = mb->m_next)
  257                 MD5Update(&md5, mtod(mb, void *), mb->m_len);
  258         MD5Final(digest, &md5);
  259         bcopy(digest, rqp->sr_rqsig, 8);
  260 
  261         return (0);
  262 }
  263 
  264 /*
  265  * Verify reply signature.
  266  */
  267 int
  268 smb_rq_verify(struct smb_rq *rqp)
  269 {
  270         struct smb_vc *vcp = rqp->sr_vc;
  271         struct mdchain *mdp;
  272         u_char sigbuf[8];
  273         MD5_CTX md5;
  274         u_char digest[16];
  275         struct mbuf *mb;
  276 
  277         KASSERT(vcp->vc_hflags2 & SMB_FLAGS2_SECURITY_SIGNATURE,
  278             ("signatures not enabled"));
  279 
  280         if (vcp->vc_mackey == NULL)
  281                 /* XXX Should check that this is a SMB_COM_NEGOTIATE reply. */
  282                 return (0);
  283 
  284         /*
  285          * Compute HMAC-MD5 of packet data, keyed by MAC key.
  286          * We play games to pretend the security signature field
  287          * contains their sequence number, to avoid modifying
  288          * the packet itself.
  289          */
  290         smb_rq_getreply(rqp, &mdp);
  291         mb = mdp->md_top;
  292         KASSERT(mb->m_len >= SMB_HDRLEN, ("forgot to m_pullup"));
  293         MD5Init(&md5);
  294         MD5Update(&md5, vcp->vc_mackey, vcp->vc_mackeylen);
  295         MD5Update(&md5, mtod(mb, void *), 14);
  296         *(u_int32_t *)sigbuf = htole32(rqp->sr_rseqno);
  297         *(u_int32_t *)(sigbuf + 4) = 0;
  298         MD5Update(&md5, sigbuf, 8);
  299         MD5Update(&md5, mtod(mb, u_char *) + 22, mb->m_len - 22);
  300         for (mb = mb->m_next; mb != NULL; mb = mb->m_next)
  301                 MD5Update(&md5, mtod(mb, void *), mb->m_len);
  302         MD5Final(digest, &md5);
  303 
  304         /*
  305          * Now verify the signature.
  306          */
  307         if (bcmp(mtod(mdp->md_top, u_char *) + 14, digest, 8) != 0)
  308                 return (EAUTH);
  309 
  310         return (0);
  311 }

Cache object: e93e9fde6d5cdb1a9fedc2f71ed57194


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.