OpenVAS Libraries  9.0.3
nasl_crypto.c
Go to the documentation of this file.
1 /* Nessus Attack Scripting Language
2  *
3  * Copyright (C) 2002 - 2004 Tenable Network Security
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2,
7  * as published by the Free Software Foundation
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
17  *
18  */
19 
24 /* MODIFICATION: added definitions for implemention NTLMSSP features */
25 
26 #include <gcrypt.h>
27 #include <glib.h>
28 
29 #include "nasl_tree.h"
30 #include "nasl_global_ctxt.h"
31 #include "nasl_func.h"
32 #include "nasl_var.h"
33 #include "nasl_lex_ctxt.h"
34 #include "exec.h"
35 #include "nasl_crypto.h"
36 #include "hmacmd5.h"
37 #include "smb_crypt.h"
38 #include "nasl_debug.h"
39 #include "../misc/openvas_logging.h"
40 
41 #include <ctype.h>
42 #include <stdlib.h>
43 #include <assert.h>
44 #include "smb.h"
45 #include "smb_signing.h"
46 #include "ntlmssp.h"
47 
48 #ifndef uchar
49 #define uchar unsigned char
50 #endif
51 
52 #ifndef uint8
53 #define uint8 uint8_t
54 #endif
55 
56 #ifndef uint32
57 #define uint32 uint32_t
58 #endif
59 
60 /*-------------------[ Std. HASH ]-------------------------------------*/
61 static tree_cell *
62 nasl_gcrypt_hash (lex_ctxt * lexic, int algorithm, void *data, size_t datalen,
63  void *key, size_t keylen)
64 {
65  gcry_md_hd_t hd;
66  gcry_error_t err;
67  tree_cell *retc;
68  int dlen = gcry_md_get_algo_dlen (algorithm);
69 
70  if (data == NULL)
71  return NULL;
72 
73  err = gcry_md_open (&hd, algorithm, key ? GCRY_MD_FLAG_HMAC : 0);
74  if (err)
75  {
76  nasl_perror (lexic, "nasl_gcrypt_hash(): gcry_md_open failed: %s/%s\n",
77  gcry_strsource (err), gcry_strerror (err));
78  return NULL;
79  }
80 
81  if (key)
82  {
83  err = gcry_md_setkey (hd, key, keylen);
84  if (err)
85  {
86  nasl_perror (lexic,
87  "nasl_gcrypt_hash():" " gcry_md_setkey failed: %s/%s\n",
88  gcry_strsource (err), gcry_strerror (err));
89  return NULL;
90  }
91  }
92 
93  gcry_md_write (hd, data, datalen);
94 
95  retc = alloc_tree_cell (0, NULL);
96  retc->type = CONST_DATA;
97  retc->x.str_val = g_memdup (gcry_md_read (hd, algorithm), dlen + 1);
98  retc->size = dlen;
99 
100  gcry_md_close (hd);
101 
102  return retc;
103 }
104 
105 static tree_cell *
106 nasl_hash (lex_ctxt * lexic, int algorithm)
107 {
108  char *data = get_str_var_by_num (lexic, 0);
109  int len = get_var_size_by_num (lexic, 0);
110 
111  return nasl_gcrypt_hash (lexic, algorithm, data, len, NULL, 0);
112 }
113 
114 tree_cell *
116 {
117  return nasl_hash (lexic, GCRY_MD_MD2);
118 }
119 
120 tree_cell *
122 {
123  return nasl_hash (lexic, GCRY_MD_MD4);
124 }
125 
126 tree_cell *
128 {
129  return nasl_hash (lexic, GCRY_MD_MD5);
130 }
131 
132 tree_cell *
134 {
135  return nasl_hash (lexic, GCRY_MD_SHA1);
136 }
137 
138 tree_cell *
140 {
141  return nasl_hash (lexic, GCRY_MD_SHA256);
142 }
143 
144 tree_cell *
146 {
147  return nasl_hash (lexic, GCRY_MD_RMD160);
148 }
149 
150 static tree_cell *
151 nasl_cipher (int algorithm, void *data, size_t dlen, void *key, size_t klen)
152 {
153  gcry_cipher_hd_t hd;
154  gcry_error_t error;
155  tree_cell *retc;
156  char *result;
157 
158  if ((error = gcry_cipher_open (&hd, algorithm, GCRY_CIPHER_MODE_ECB, 0)))
159  {
160  log_legacy_write ("gcry_cipher_open: %s", gcry_strerror (error));
161  return NULL;
162  }
163  if ((error = gcry_cipher_setkey (hd, key, klen)))
164  {
165  log_legacy_write ("gcry_cipher_setkey: %s", gcry_strerror (error));
166  return NULL;
167  }
168  result = g_malloc0 (dlen);
169  if ((error = gcry_cipher_encrypt (hd, result, dlen, data, dlen)))
170  {
171  log_legacy_write ("gcry_cipher_encrypt: %s", gcry_strerror (error));
172  return NULL;
173  }
174  gcry_cipher_close (hd);
175 
176  retc = alloc_tree_cell (0, NULL);
177  retc->type = CONST_DATA;
178  retc->x.str_val = result;
179  retc->size = dlen;
180  return retc;
181 }
182 
183 tree_cell *
185 {
186  char *data, *key;
187  size_t dlen, klen;
188 
189  data = get_str_var_by_num (lexic, 0);
190  dlen = get_var_size_by_num (lexic, 0);
191  key = get_str_var_by_num (lexic, 1);
192  klen = get_var_size_by_num (lexic, 1);
193  return nasl_cipher (GCRY_CIPHER_DES, data, dlen, key, klen);
194 }
195 
196 /*-------------------[ HMAC ]-------------------------------------*/
197 
198 
199 
200 static tree_cell *
201 nasl_hmac (lex_ctxt * lexic, int algorithm)
202 {
203  char *data = get_str_local_var_by_name (lexic, "data");
204  char *key = get_str_local_var_by_name (lexic, "key");
205  int data_len = get_local_var_size_by_name (lexic, "data");
206  int key_len = get_local_var_size_by_name (lexic, "key");
207 
208  return nasl_gcrypt_hash (lexic, algorithm, data, data_len, key, key_len);
209 }
210 
211 tree_cell *
213 {
214  return nasl_hmac (lexic, GCRY_MD_MD2);
215 }
216 
217 tree_cell *
219 {
220  return nasl_hmac (lexic, GCRY_MD_MD5);
221 }
222 
223 tree_cell *
225 {
226  return nasl_hmac (lexic, GCRY_MD_SHA1);
227 }
228 
229 tree_cell *
231 {
232  return nasl_hmac (lexic, GCRY_MD_SHA384);
233 }
234 
235 tree_cell *
237 {
238  return nasl_hmac (lexic, GCRY_MD_RMD160);
239 }
240 
241 /*-------------------[ Windows ]-------------------------------------*/
242 tree_cell *
244 {
245  char *mac_key = (char *) get_str_var_by_name (lexic, "key");
246  uint8_t *buf = (uint8_t *) get_str_var_by_name (lexic, "buf");
247  int buflen = get_int_var_by_name (lexic, "buflen", -1);
248  uint32 seq_num = get_int_var_by_name (lexic, "seq_number", -1);
249  if (mac_key == NULL || buf == NULL || buflen == -1 || seq_num == -1)
250  {
251  nasl_perror (lexic,
252  "Syntax : get_sign(key:<k>, buf:<b>, buflen:<bl>, seq_number:<s>)\n");
253  return NULL;
254  }
255  uint8_t calc_md5_mac[16];
256  simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf, seq_num, calc_md5_mac);
257  memcpy (buf + 18, calc_md5_mac, 8);
258  char *ret = g_malloc0 (buflen);
259  memcpy (ret, buf, buflen);
260  tree_cell *retc;
261  retc = alloc_tree_cell (0, NULL);
262  retc->type = CONST_DATA;
263  retc->size = buflen;
264  retc->x.str_val = (char *) ret;
265  return retc;
266 }
267 
268 static void *
269 hmac_md5_for_prf (const void *key, int keylen, const void *buf, int buflen)
270 {
271  void *signature = g_malloc0 (16);
272  gsize signlen = 16;
273  GHmac *hmac;
274 
275  hmac = g_hmac_new (G_CHECKSUM_MD5, key, keylen);
276  g_hmac_update (hmac, buf, buflen);
277  g_hmac_get_digest (hmac, signature, &signlen);
278  g_hmac_unref (hmac);
279  return signature;
280 }
281 
282 static void *
283 hmac_sha1 (const void *key, int keylen, const void *buf, int buflen)
284 {
285  void *signature = g_malloc0 (20);
286  gsize signlen = 20;
287  GHmac *hmac;
288 
289  hmac = g_hmac_new (G_CHECKSUM_SHA1, key, keylen);
290  g_hmac_update (hmac, buf, buflen);
291  g_hmac_get_digest (hmac, signature, &signlen);
292  g_hmac_unref (hmac);
293  return signature;
294 }
295 
296 static void *
297 hmac_sha256 (const void *key, int keylen, const void *buf, int buflen)
298 {
299  void *signature = g_malloc0 (32);
300  gsize signlen = 32;
301  GHmac *hmac;
302 
303  hmac = g_hmac_new (G_CHECKSUM_SHA256, key, keylen);
304  g_hmac_update (hmac, buf, buflen);
305  g_hmac_get_digest (hmac, signature, &signlen);
306  g_hmac_unref (hmac);
307  return signature;
308 }
309 
310 static void *
311 hmac_sha384 (const void *key, int keylen, const void *buf, int buflen)
312 {
313  gcry_md_hd_t hd;
314  gcry_error_t err;
315  void *ret;
316 
317  if (!buf || buflen <= 0)
318  return NULL;
319 
320  err = gcry_md_open (&hd, GCRY_MD_SHA384, key ? GCRY_MD_FLAG_HMAC : 0);
321  if (err)
322  {
323  log_legacy_write ("nasl_gcrypt_hash(): gcry_md_open failed: %s/%s\n",
324  gcry_strsource (err), gcry_strerror (err));
325  return NULL;
326  }
327 
328  if (key)
329  {
330  err = gcry_md_setkey (hd, key, keylen);
331  if (err)
332  {
333  log_legacy_write ("nasl_gcrypt_hash(): gcry_md_setkey failed: %s/%s\n",
334  gcry_strsource (err), gcry_strerror (err));
335  return NULL;
336  }
337  }
338 
339  gcry_md_write (hd, buf, buflen);
340  ret = g_memdup (gcry_md_read (hd, 0), 48);
341  gcry_md_close (hd);
342  return ret;
343 }
344 
345 tree_cell *
347 {
348  void *key, *data, *signature;
349  int keylen, datalen;
350  tree_cell *retc;
351 
352  key = get_str_var_by_name (lexic, "key");
353  data = get_str_var_by_name (lexic, "data");
354  datalen = get_local_var_size_by_name (lexic, "data");
355  keylen = get_local_var_size_by_name (lexic, "key");
356  if (!key || !data || keylen <= 0 || datalen <= 0)
357  {
358  nasl_perror (lexic,
359  "Syntax : hmac_sha256(data:<b>, key:<k>)\n");
360  return NULL;
361  }
362  signature = hmac_sha256 (key, keylen, data, datalen);
363 
364  retc = alloc_tree_cell (0, NULL);
365  retc->type = CONST_DATA;
366  retc->size = 32;
367  retc->x.str_val = (char *) signature;
368  return retc;
369 }
370 
371 /* @brief PRF function from RFC 2246 chapter 5.
372  *
373  * @param hmac 0 for SHA256, 1 for SHA384, 2 for MD5, 3 for SHA1.
374  *
375  * */
376 static void *
377 tls_prf (const void *secret, size_t secret_len, const void *seed,
378  size_t seed_len, const void *label, size_t outlen, int hmac)
379 {
380  char *result = NULL;
381  size_t pos = 0, lslen, hmac_size;
382  void *Ai;
383  void *lseed;
384  void *(* hmac_func) (const void *, int, const void *, int);
385 
386  if (hmac == 0)
387  {
388  hmac_size = 32;
389  hmac_func = hmac_sha256;
390  }
391  else if (hmac == 1)
392  {
393  hmac_size = 48;
394  hmac_func = hmac_sha384;
395  }
396  else if (hmac == 2)
397  {
398  hmac_size = 16;
399  hmac_func = hmac_md5_for_prf;
400  }
401  else
402  {
403  hmac_size = 20;
404  hmac_func = hmac_sha1;
405  }
406 
407  /*
408  * lseed = label + seed
409  * A0 = lseed (new seed)
410  * Ai = HMAC(secret, A(i - 1))
411  */
412  lslen = strlen (label) + seed_len;
413  lseed = g_malloc0 (lslen);
414  memcpy (lseed, label, strlen (label));
415  memcpy (lseed + strlen (label), seed, seed_len);
416 
417  Ai = hmac_func (secret, secret_len, lseed, lslen);
418  if (!Ai)
419  return NULL;
420 
421  result = g_malloc0 (outlen);
422  while (pos < outlen)
423  {
424  void *tmp, *tmp2;
425  size_t clen;
426 
427  /* HMAC_hash(secret, Ai + lseed) */
428  tmp = g_malloc0 (hmac_size + lslen);
429  memcpy (tmp, Ai, hmac_size);
430  memcpy (tmp + hmac_size, lseed, lslen);
431  tmp2 = hmac_func (secret, secret_len, tmp, hmac_size + lslen);
432  g_free (tmp);
433  /* concat to result */
434  clen = outlen - pos;
435  if (clen > hmac_size)
436  clen = hmac_size;
437  memcpy (result + pos, tmp2, clen);
438  pos += clen;
439  g_free (tmp2);
440 
441  /* A(i+1) */
442  tmp = hmac_func (secret, secret_len, Ai, hmac_size);
443  g_free (Ai);
444  Ai = tmp;
445  }
446 
447  g_free (Ai);
448  g_free (lseed);
449  return result;
450 }
451 
452 /* @brief PRF function from RFC 4346 chapter 5. TLS v1.1
453  *
454  * Legacy function in wich P_MD5 and PSHA1 are combined.
455  *
456  * Legacy function has been replaced with prf_sha256 and prf_sha348
457  * in TLS v1.2, as it can be read in chapter 1.2
458  * */
459 static void *
460 tls1_prf (const void *secret, size_t secret_len, const void *seed,
461  size_t seed_len, const void *label, size_t outlen)
462 {
463  void *result, *secret1 = NULL, *secret2 = NULL;
464  unsigned int half_slen, odd = 0, i;
465  char *resultmd5 = NULL, *resultsha1 = NULL, *aux_res = NULL;
466 
467  if (secret_len % 2 == 0 )
468  half_slen = secret_len / 2;
469  else
470  {
471  half_slen = (secret_len + 1) / 2;
472  odd = 1;
473  }
474 
475  secret1 = g_malloc0 (half_slen);
476  memcpy (secret1, secret, half_slen);
477  resultmd5 = tls_prf (secret1, half_slen, seed, seed_len, label, outlen, 2);
478  if (!resultmd5)
479  {
480  g_free (secret1);
481  return NULL;
482  }
483 
484  secret2 = g_malloc0 (half_slen);
485  memcpy (secret2, secret + (half_slen - odd), half_slen);
486  resultsha1 = tls_prf (secret2, half_slen, seed, seed_len, label, outlen, 3);
487  if (!resultsha1)
488  {
489  g_free (resultmd5);
490  g_free (secret1);
491  g_free (secret2);
492  return NULL;
493  }
494 
495  aux_res = g_malloc0 (outlen);
496  for (i = 0; i < outlen; i++)
497  aux_res[i] = resultmd5[i] ^ resultsha1[i];
498 
499  result = g_malloc (outlen);
500  memcpy (result, aux_res, outlen);
501 
502  g_free (resultmd5);
503  g_free (resultsha1);
504  g_free (secret1);
505  g_free (secret2);
506  g_free (aux_res);
507 
508  return result;
509 }
510 
511 static tree_cell *
512 nasl_prf (lex_ctxt * lexic, int hmac)
513 {
514  void *secret, *seed, *label, *result;
515  int secret_len, seed_len, label_len, outlen;
516  tree_cell *retc;
517 
518  secret = get_str_var_by_name (lexic, "secret");
519  seed = get_str_var_by_name (lexic, "seed");
520  label = get_str_var_by_name (lexic, "label");
521  outlen = get_int_var_by_name (lexic, "outlen", -1);
522  seed_len = get_local_var_size_by_name (lexic, "seed");
523  secret_len = get_local_var_size_by_name (lexic, "secret");
524  label_len = get_local_var_size_by_name (lexic, "label");
525  if (!secret || !seed || secret_len <= 0 || seed_len <= 0 || !label
526  || label_len <= 0 || outlen <= 0)
527  {
528  nasl_perror (lexic,
529  "Syntax : prf(secret, seed, label, outlen)\n");
530  return NULL;
531  }
532  if (hmac != 2)
533  result = tls_prf (secret, secret_len, seed, seed_len, label, outlen, hmac);
534  else
535  result = tls1_prf (secret, secret_len, seed, seed_len, label, outlen);
536 
537  if (!result)
538  return NULL;
539 
540  retc = alloc_tree_cell (0, NULL);
541  retc->type = CONST_DATA;
542  retc->size = outlen;
543  retc->x.str_val = (char *) result;
544  return retc;
545 }
546 
547 tree_cell *
549 {
550  return nasl_prf (lexic, 0);
551 }
552 
553 tree_cell *
555 {
556  return nasl_prf (lexic, 1);
557 }
558 
559 tree_cell *
561 {
562  return nasl_prf (lexic, 2);
563 }
564 
565 tree_cell *
567 {
568  return nasl_hmac (lexic, GCRY_MD_SHA512);
569 }
570 
571 tree_cell *
573 {
574  void *key, *buf, *signature, *ret;
575  int keylen, buflen;
576  tree_cell *retc;
577 
578  key = get_str_var_by_name (lexic, "key");
579  buf = get_str_var_by_name (lexic, "buf");
580  keylen = get_var_size_by_name (lexic, "key");
581  buflen = get_var_size_by_name (lexic, "buf");
582  if (!key || !buf || keylen <= 0)
583  {
584  nasl_perror (lexic,
585  "Syntax : get_smb2_sign(buf:<b>, key:<k>)");
586  return NULL;
587  }
588  if (buflen < 64)
589  {
590  nasl_perror (lexic, "get_smb2_sign: Buffer length < 64");
591  return NULL;
592  }
593 
594  /* Zero the SMB2 signature field, then calculate signature */
595  memset(buf + 48, 0, 16);
596  signature = hmac_sha256 (key, keylen, buf, buflen);
597 
598  /* Return the header with signature included. */
599  ret = g_malloc0 (buflen);
600  memcpy (ret, buf, buflen);
601  memcpy (ret + 48, signature, 16);
602  g_free (signature);
603  retc = alloc_tree_cell (0, NULL);
604  retc->type = CONST_DATA;
605  retc->size = buflen;
606  retc->x.str_val = (char *) ret;
607  return retc;
608 }
609 
610 tree_cell *
612 {
613  char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
614  char *user = (char *) get_str_var_by_name (lexic, "user");
615  char *domain = (char *) get_str_var_by_name (lexic, "domain");
616  unsigned char *ntlmv2_hash =
617  (unsigned char *) get_str_var_by_name (lexic, "ntlmv2_hash");
618  char *address_list = get_str_var_by_name (lexic, "address_list");
619  int address_list_len = get_int_var_by_name (lexic, "address_list_len", -1);
620 
621  if (cryptkey == NULL || user == NULL || domain == NULL || ntlmv2_hash == NULL
622  || address_list == NULL || address_list_len < 0)
623  {
624  nasl_perror (lexic,
625  "Syntax : ntlmv2_response(cryptkey:<c>, user:<u>, domain:<d>, ntlmv2_hash:<n>, address_list:<a>, address_list_len:<len>)\n");
626  return NULL;
627  }
628  uint8_t lm_response[24];
629  uint8_t nt_response[16 + 28 + address_list_len];
630  uint8_t session_key[16];
631  bzero (lm_response, sizeof (lm_response));
632  bzero (nt_response, sizeof (nt_response));
633  bzero (session_key, sizeof (session_key));
634 
635  ntlmssp_genauth_ntlmv2 (user, domain, address_list, address_list_len,
636  cryptkey, lm_response, nt_response, session_key,
637  ntlmv2_hash);
638  tree_cell *retc;
639  int lm_response_len = 24;
640  int nt_response_len = 16 + 28 + address_list_len;
641  int len = lm_response_len + nt_response_len + sizeof (session_key);
642  char *ret = g_malloc0 (len);
643  memcpy (ret, lm_response, lm_response_len);
644  memcpy (ret + lm_response_len, session_key, sizeof (session_key));
645  memcpy (ret + lm_response_len + sizeof (session_key), nt_response,
646  nt_response_len);
647  retc = alloc_tree_cell (0, NULL);
648  retc->type = CONST_DATA;
649  retc->size = len;
650  retc->x.str_val = ret;
651  return retc;
652 }
653 
654 tree_cell *
656 {
657  char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
658  char *password = get_str_var_by_name (lexic, "password");
659  uint8_t pass_len = get_var_size_by_name (lexic, "password");
660  void *nt_hash = get_str_var_by_name (lexic, "nt_hash");
661  int hash_len = get_var_size_by_name (lexic, "nt_hash");
662 
663  if (!cryptkey || !password || !nt_hash || hash_len < 16)
664  {
666  (lexic, "Syntax : ntlm2_response(cryptkey:<c>, password:<p>, nt_hash:<n[16]>)\n");
667  return NULL;
668  }
669 
670  uint8_t lm_response[24];
671  uint8_t nt_response[24];
672  uint8_t session_key[16];
673 
674  tree_cell *retc;
675  ntlmssp_genauth_ntlm2 (password, pass_len, lm_response, nt_response, session_key,
676  cryptkey, nt_hash);
677  int len = sizeof (lm_response) + sizeof (nt_response) + sizeof (session_key);
678  char *ret = g_malloc0 (len);
679  memcpy (ret, lm_response, sizeof (lm_response));
680  memcpy (ret + sizeof (lm_response), nt_response, sizeof (nt_response));
681  memcpy (ret + sizeof (lm_response) + sizeof (nt_response), session_key,
682  sizeof (session_key));
683  retc = alloc_tree_cell (0, NULL);
684  retc->type = CONST_DATA;
685  retc->size = len;
686  retc->x.str_val = ret;
687  return retc;
688 }
689 
690 tree_cell *
692 {
693  char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
694  char *password = get_str_var_by_name (lexic, "password");
695  uint8_t pass_len = (uint8_t) get_var_size_by_name (lexic, "password");
696  void *nt_hash = get_str_var_by_name (lexic, "nt_hash");
697  int hash_len = get_var_size_by_name (lexic, "nt_hash");
698  int neg_flags = get_int_var_by_name (lexic, "neg_flags", -1);
699 
700  if (!cryptkey || !password || !nt_hash || hash_len < 16 || neg_flags < 0)
701  {
702  nasl_perror (lexic,
703  "Syntax : ntlm_response(cryptkey:<c>, password:<p>, nt_hash:<n[16]>, neg_flags:<nf>)\n");
704  return NULL;
705  }
706 
707  uint8_t lm_response[24];
708  uint8_t nt_response[24];
709  uint8_t session_key[16];
710 
711  tree_cell *retc;
712 
713  ntlmssp_genauth_ntlm (password, pass_len, lm_response, nt_response, session_key,
714  cryptkey, nt_hash, neg_flags);
715 
716  int len = sizeof (lm_response) + sizeof (nt_response) + sizeof (session_key);
717  char *ret = g_malloc0 (len);
718  memcpy (ret, lm_response, sizeof (lm_response));
719  memcpy (ret + sizeof (lm_response), nt_response, sizeof (nt_response));
720  memcpy (ret + sizeof (lm_response) + sizeof (nt_response), session_key,
721  sizeof (session_key));
722  retc = alloc_tree_cell (0, NULL);
723  retc->type = CONST_DATA;
724  retc->size = len;
725  retc->x.str_val = ret;
726  return retc;
727 }
728 
729 tree_cell *
731 {
732  char *cryptkey = (char *) get_str_var_by_name (lexic, "cryptkey");
733  uint8_t *session_key = (uint8_t *) get_str_var_by_name (lexic, "session_key");
734  unsigned char *nt_hash =
735  (unsigned char *) get_str_var_by_name (lexic, "nt_hash");
736 
737  if (cryptkey == NULL || session_key == NULL || nt_hash == NULL)
738  {
739  nasl_perror (lexic,
740  "Syntax : keyexchg(cryptkey:<c>, session_key:<s>, nt_hash:<n> )\n");
741  return NULL;
742  }
743  uint8_t new_sess_key[16];
744  tree_cell *retc;
745  uint8_t *encrypted_session_key = NULL;
746  encrypted_session_key =
747  ntlmssp_genauth_keyexchg (session_key, cryptkey, nt_hash,
748  (uint8_t *) & new_sess_key);
749  int len = 16 + 16;
750  char *ret = g_malloc0 (len);
751  memcpy (ret, new_sess_key, 16);
752  memcpy (ret + 16, encrypted_session_key, 16);
753  retc = alloc_tree_cell (0, NULL);
754  retc->type = CONST_DATA;
755  retc->size = len;
756  retc->x.str_val = ret;
757  return retc;
758 }
759 
760 tree_cell *
762 {
763  const uchar *cryptkey = (uchar *) get_str_var_by_name (lexic, "cryptkey");
764  char *password = get_str_var_by_name (lexic, "passhash");
765  int pass_len = get_var_size_by_name (lexic, "passhash");
766  unsigned char p21[21];
767  tree_cell *retc;
768  uchar *ret;
769 
770  if (cryptkey == NULL || password == NULL)
771  {
772  nasl_perror (lexic, "Syntax : ntlmv1_hash(cryptkey:<c>, passhash:<p>)\n");
773  return NULL;
774  }
775 
776  if (pass_len < 16)
777  pass_len = 16;
778 
779  bzero (p21, sizeof (p21));
780  memcpy (p21, password, pass_len);
781 
782  ret = g_malloc0 (24);
783 
784  E_P24 (p21, cryptkey, ret);
785  retc = alloc_tree_cell (0, NULL);
786  retc->type = CONST_DATA;
787  retc->size = 24;
788  retc->x.str_val = (char *) ret;
789 
790  return retc;
791 }
792 
793 tree_cell *
795 {
796  char *pass = get_str_var_by_num (lexic, 0);
797  gunichar2 *upass;
798  glong upass_len;
799  tree_cell *ret;
800 
801  if (!pass)
802  {
803  nasl_perror (lexic, "Syntax : nt_owf_gen(password:<p>)\n");
804  return NULL;
805  }
806  upass = g_utf8_to_utf16 (pass, -1, NULL, &upass_len, NULL);
807  ret = nasl_gcrypt_hash (lexic, GCRY_MD_MD4, upass, upass_len * 2, NULL, 0);
808  g_free (upass);
809  return ret;
810 }
811 
812 tree_cell *
814 {
815  char *pass = get_str_var_by_num (lexic, 0);
816  int pass_len = get_var_size_by_num (lexic, 0);
817  tree_cell *retc;
818  uchar pwd[15];
819  uchar p16[16];
820  int i;
821 
822  if (pass_len < 0 || pass == NULL)
823  {
824  nasl_perror (lexic, "Syntax : nt_lm_gen(password:<p>)\n");
825  return NULL;
826  }
827 
828  bzero (pwd, sizeof (pwd));
829  strncpy ((char *) pwd, pass, sizeof (pwd) - 1);
830  for (i = 0; i < sizeof (pwd); i++)
831  pwd[i] = toupper (pwd[i]);
832 
833  E_P16 (pwd, p16);
834 
835  retc = alloc_tree_cell (0, NULL);
836  retc->type = CONST_DATA;
837  retc->size = 16;
838  retc->x.str_val = g_memdup (p16, 16);
839  return retc;
840 }
841 
842 tree_cell *
844 {
845  const uchar *in = (uchar *) get_str_var_by_name (lexic, "in");
846  int in_len = get_var_size_by_name (lexic, "in");
847  char *src;
848  smb_ucs2_t *out, *dst, val;
849  int i;
850  size_t byte_len;
851  tree_cell *retc;
852  if (in_len < 0 || in == NULL)
853  {
854  nasl_perror (lexic, "Syntax : insert_hexzeros(in:<i>)\n");
855  return NULL;
856  }
857 
858  byte_len = sizeof (smb_ucs2_t) * (strlen ((char *) in) + 1);
859  out = g_malloc0 (byte_len);
860  dst = out;
861  src = (char *) in;
862 
863  for (i = 0; i < in_len; i++)
864  {
865  val = *src;
866  *dst = val;
867  dst++;
868  src++;
869  if (val == 0)
870  break;
871  }
872 
873 
874  /* We don't want null termination */
875  byte_len = byte_len - 2;
876 
877  retc = alloc_tree_cell (0, NULL);
878  retc->type = CONST_DATA;
879  retc->size = byte_len;
880  retc->x.str_val = (char *) out;
881  return retc;
882 }
883 
884 /* Does both the NTLMv2 owfs of a user's password */
885 tree_cell *
887 {
888  const uchar *owf_in = (uchar *) get_str_var_by_name (lexic, "owf");
889  int owf_in_len = get_var_size_by_name (lexic, "owf");
890  char *user_in = get_str_var_by_name (lexic, "login");
891  int user_in_len = get_var_size_by_name (lexic, "login");
892  char *domain_in = get_str_var_by_name (lexic, "domain");
893  int domain_len = get_var_size_by_name (lexic, "domain");
894  char *src_user, *src_domain;
895  smb_ucs2_t *user, *dst_user, val_user;
896  smb_ucs2_t *domain, *dst_domain, val_domain;
897  int i;
898  size_t user_byte_len;
899  size_t domain_byte_len;
900  tree_cell *retc;
901  uchar *kr_buf;
902  HMACMD5Context ctx;
903 
904  if (owf_in_len < 0 || owf_in == NULL || user_in_len < 0 || user_in == NULL
905  || domain_len < 0 || domain_in == NULL)
906  {
907  nasl_perror (lexic,
908  "Syntax : ntv2_owf_gen(owf:<o>, login:<l>, domain:<d>)\n");
909  return NULL;
910  }
911 
912  assert (owf_in_len == 16);
913 
914  user_byte_len = sizeof (smb_ucs2_t) * (strlen (user_in) + 1);
915  user = g_malloc0 (user_byte_len);
916  dst_user = user;
917  src_user = user_in;
918 
919  for (i = 0; i < user_in_len; i++)
920  {
921  val_user = *src_user;
922  *dst_user = val_user;
923  dst_user++;
924  src_user++;
925  if (val_user == 0)
926  break;
927  }
928 
929  domain_byte_len = sizeof (smb_ucs2_t) * (strlen (domain_in) + 1);
930  domain = g_malloc0 (domain_byte_len);
931  dst_domain = domain;
932  src_domain = domain_in;
933 
934  for (i = 0; i < domain_len; i++)
935  {
936  val_domain = *src_domain;
937  *dst_domain = val_domain;
938 
939  dst_domain++;
940  src_domain++;
941  if (val_domain == 0)
942  break;
943  }
944 
945  strupper_w (user);
946  strupper_w (domain);
947 
948  assert (user_byte_len >= 2);
949  assert (domain_byte_len >= 2);
950 
951  /* We don't want null termination */
952  user_byte_len = user_byte_len - 2;
953  domain_byte_len = domain_byte_len - 2;
954 
955  kr_buf = g_malloc0 (16);
956 
957  hmac_md5_init_limK_to_64 (owf_in, 16, &ctx);
958  hmac_md5_update ((const unsigned char *) user, user_byte_len, &ctx);
959  hmac_md5_update ((const unsigned char *) domain, domain_byte_len, &ctx);
960  hmac_md5_final (kr_buf, &ctx);
961 
962  g_free (user);
963  g_free (domain);
964 
965  retc = alloc_tree_cell (0, NULL);
966  retc->type = CONST_DATA;
967  retc->size = 16;
968  retc->x.str_val = (char *) kr_buf;
969 
970  return retc;
971 }
972 
973 tree_cell *
975 {
976  const uchar *server_chal = (uchar *) get_str_var_by_name (lexic, "cryptkey");
977  int sc_len = get_var_size_by_name (lexic, "cryptkey");
978  const uchar *ntlm_v2_hash = (uchar *) get_str_var_by_name (lexic, "passhash");
979  int hash_len = get_var_size_by_name (lexic, "passhash");
980  int client_chal_length = get_int_var_by_name (lexic, "length", -1);
981  tree_cell *retc;
982  unsigned char ntlmv2_response[16];
983  unsigned char *ntlmv2_client_data = NULL;
984  unsigned char *final_response;
985  int i;
986 
987  if (sc_len < 0 || server_chal == NULL || hash_len < 0 || ntlm_v2_hash == NULL
988  || client_chal_length < 0)
989  {
990  nasl_perror (lexic,
991  "Syntax : ntlmv2_hash(cryptkey:<c>, passhash:<p>, length:<l>)\n");
992  return NULL;
993  }
994 
995  /* NTLMv2 */
996 
997  /* We also get to specify some random data */
998  ntlmv2_client_data = g_malloc0 (client_chal_length);
999  for (i = 0; i < client_chal_length; i++)
1000  ntlmv2_client_data[i] = rand () % 256;
1001 
1002 
1003 
1004  assert (hash_len == 16);
1005  /* Given that data, and the challenge from the server, generate a response */
1006  SMBOWFencrypt_ntv2_ntlmssp(ntlm_v2_hash, server_chal, 8, ntlmv2_client_data,
1007  client_chal_length, ntlmv2_response);
1008 
1009  /* put it into nt_response, for the code below to put into the packet */
1010  final_response = g_malloc0 (client_chal_length + sizeof (ntlmv2_response));
1011  memcpy (final_response, ntlmv2_response, sizeof (ntlmv2_response));
1012  /* after the first 16 bytes is the random data we generated above, so the server can verify us with it */
1013  memcpy (final_response + sizeof (ntlmv2_response), ntlmv2_client_data,
1014  client_chal_length);
1015 
1016  g_free (ntlmv2_client_data);
1017 
1018  retc = alloc_tree_cell (0, NULL);
1019  retc->type = CONST_DATA;
1020  retc->size = client_chal_length + sizeof (ntlmv2_response);
1021  retc->x.str_val = (char *) final_response;
1022 
1023  return retc;
1024 }
#define uchar
Definition: hmacmd5.h:28
#define uint32
Definition: genrand.c:49
void simple_packet_signature_ntlmssp(uint8_t *mac_key, const uchar *buf, uint32 seq_number, unsigned char *calc_md5_mac)
Definition: smb_signing.c:27
#define err(x)
tree_cell * nasl_hmac_md2(lex_ctxt *lexic)
Definition: nasl_crypto.c:212
tree_cell * nasl_sha1(lex_ctxt *lexic)
Definition: nasl_crypto.c:133
const char * val
Definition: nasl_init.c:525
int strupper_w(smb_ucs2_t *s)
Definition: smb_crypt2.c:42
tree_cell * nasl_hmac_sha512(lex_ctxt *lexic)
Definition: nasl_crypto.c:566
tree_cell * nasl_keyexchg(lex_ctxt *lexic)
Definition: nasl_crypto.c:730
tree_cell * nasl_md5(lex_ctxt *lexic)
Definition: nasl_crypto.c:127
short type
Definition: nasl_tree.h:107
char * str_val
Definition: nasl_tree.h:113
tree_cell * nasl_ntlm2_response(lex_ctxt *lexic)
Definition: nasl_crypto.c:655
uint8_t * ntlmssp_genauth_keyexchg(uint8_t *session_key, char *challenge_data, unsigned char *nt_hash, uint8_t *new_sess_key)
Definition: ntlmssp.c:95
tree_cell * nasl_sha256(lex_ctxt *lexic)
Definition: nasl_crypto.c:139
void E_P16(uchar *p14, uchar *p16)
Definition: smb_crypt.c:323
tree_cell * nasl_nt_owf_gen(lex_ctxt *lexic)
Definition: nasl_crypto.c:794
tree_cell * nasl_hmac_md5(lex_ctxt *lexic)
Definition: nasl_crypto.c:218
tree_cell * nasl_ntlm_response(lex_ctxt *lexic)
Definition: nasl_crypto.c:691
void log_legacy_write(const char *format,...)
Legacy function to write a log message.
int get_local_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1298
char * get_str_local_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1262
union TC::@7 x
tree_cell * nasl_cipher_des(lex_ctxt *lexic)
Definition: nasl_crypto.c:184
char * get_str_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1255
void hmac_md5_init_limK_to_64(const uchar *key, int key_len, HMACMD5Context *ctx)
The microsoft version of hmac_md5 initialisation.
Definition: hmacmd5.c:33
tree_cell * nasl_prf_sha384(lex_ctxt *lexic)
Definition: nasl_crypto.c:554
tree_cell * nasl_ntv2_owf_gen(lex_ctxt *lexic)
Definition: nasl_crypto.c:886
tree_cell * nasl_get_smb2_sign(lex_ctxt *lexic)
Definition: nasl_crypto.c:572
tree_cell * nasl_hmac_ripemd160(lex_ctxt *lexic)
Definition: nasl_crypto.c:236
tree_cell * nasl_ntlmv1_hash(lex_ctxt *lexic)
Definition: nasl_crypto.c:761
tree_cell * nasl_tls1_prf(lex_ctxt *lexic)
Definition: nasl_crypto.c:560
tree_cell * nasl_md2(lex_ctxt *lexic)
Definition: nasl_crypto.c:115
tree_cell * nasl_hmac_sha1(lex_ctxt *lexic)
Definition: nasl_crypto.c:224
Definition: nasl_tree.h:105
int get_var_size_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1305
void SMBOWFencrypt_ntv2_ntlmssp(const uchar kr[16], const uint8_t *srv_chal, int srv_chal_len, const uint8_t *cli_chal, int cli_chal_len, uchar resp_buf[16])
void hmac_md5_final(uchar *digest, HMACMD5Context *ctx)
Finish off hmac_md5 "inner" buffer and generate outer one.
Definition: hmacmd5.c:71
tree_cell * nasl_lm_owf_gen(lex_ctxt *lexic)
Definition: nasl_crypto.c:813
tree_cell * nasl_md4(lex_ctxt *lexic)
Definition: nasl_crypto.c:121
void ntlmssp_genauth_ntlm2(char *password, uint8_t pass_len, uint8_t *lm_response, uint8_t *nt_response, uint8_t *session_key, char *challenge_data, unsigned char *nt_hash)
Definition: ntlmssp.c:43
tree_cell * nasl_insert_hexzeros(lex_ctxt *lexic)
Definition: nasl_crypto.c:843
void nasl_perror(lex_ctxt *lexic, char *msg,...)
Definition: nasl_debug.c:94
char * get_str_var_by_num(lex_ctxt *, int)
Definition: nasl_var.c:1248
tree_cell * nasl_ntlmv2_response(lex_ctxt *lexic)
Definition: nasl_crypto.c:611
void hmac_md5_update(const uchar *text, int text_len, HMACMD5Context *ctx)
Update hmac_md5 "inner" buffer.
Definition: hmacmd5.c:63
long int get_int_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1233
uint16 smb_ucs2_t
Definition: hmacmd5.h:68
void ntlmssp_genauth_ntlm(char *password, uint8_t pass_len, uint8_t *lm_response, uint8_t *nt_response, uint8_t *session_key, char *challenge_data, unsigned char *nt_hash, int neg_flags)
Definition: ntlmssp.c:76
tree_cell * alloc_tree_cell(int lnb, char *s)
Definition: nasl_tree.c:37
tree_cell * nasl_get_sign(lex_ctxt *lexic)
Definition: nasl_crypto.c:243
tree_cell * nasl_ripemd160(lex_ctxt *lexic)
Definition: nasl_crypto.c:145
tree_cell * nasl_ntlmv2_hash(lex_ctxt *lexic)
Definition: nasl_crypto.c:974
void ntlmssp_genauth_ntlmv2(char *user, char *domain, char *address_list, int address_list_len, char *challenge_data, uint8_t *lm_response, uint8_t *nt_response, uint8_t *session_key, unsigned char *ntlmv2_hash)
Definition: ntlmssp.c:37
tree_cell * nasl_hmac_sha256(lex_ctxt *lexic)
Definition: nasl_crypto.c:346
tree_cell * nasl_prf_sha256(lex_ctxt *lexic)
Definition: nasl_crypto.c:548
void E_P24(const uchar *p21, const uchar *c8, uchar *p24)
Definition: smb_crypt.c:330
int get_var_size_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1291
tree_cell * nasl_hmac_sha384(lex_ctxt *lexic)
Definition: nasl_crypto.c:230
int size
Definition: nasl_tree.h:110