2 Unix SMB/Netbios implementation.
4 code to manipulate domain credentials
5 Copyright (C) Andrew Tridgell 1997
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 extern int DEBUGLEVEL
;
28 /****************************************************************************
29 represent a credential as a string
30 ****************************************************************************/
31 char *credstr(uchar
*cred
)
34 sprintf(buf
,"%02X%02X%02X%02X%02X%02X%02X%02X",
35 cred
[0], cred
[1], cred
[2], cred
[3],
36 cred
[4], cred
[5], cred
[6], cred
[7]);
41 /****************************************************************************
42 setup the session key.
43 Input: 8 byte challenge block
44 8 byte server challenge block
45 16 byte md4 encrypted password
48 ****************************************************************************/
49 void cred_session_key(DOM_CHAL
*clnt_chal
, DOM_CHAL
*srv_chal
, char *pass
,
53 unsigned char sum2
[8];
55 sum
[0] = IVAL(clnt_chal
->data
, 0) + IVAL(srv_chal
->data
, 0);
56 sum
[1] = IVAL(clnt_chal
->data
, 4) + IVAL(srv_chal
->data
, 4);
61 cred_hash1(session_key
, sum2
,(unsigned char *)pass
);
64 DEBUG(4,("cred_session_key\n"));
66 DEBUG(5,(" clnt_chal: %s\n", credstr(clnt_chal
->data
)));
67 DEBUG(5,(" srv_chal : %s\n", credstr(srv_chal
->data
)));
68 DEBUG(5,(" clnt+srv : %s\n", credstr(sum2
)));
69 DEBUG(5,(" sess_key : %s\n", credstr(session_key
)));
73 /****************************************************************************
78 8 byte stored credential
83 ****************************************************************************/
84 void cred_create(uchar session_key
[8], DOM_CHAL
*stor_cred
, UTIME timestamp
,
89 SIVAL(time_cred
.data
, 0, IVAL(stor_cred
->data
, 0) + timestamp
.time
);
90 SIVAL(time_cred
.data
, 4, IVAL(stor_cred
->data
, 4));
92 cred_hash2(cred
->data
, time_cred
.data
, session_key
);
95 DEBUG(4,("cred_create\n"));
97 DEBUG(5,(" sess_key : %s\n", credstr(session_key
)));
98 DEBUG(5,(" stor_cred: %s\n", credstr(stor_cred
->data
)));
99 DEBUG(5,(" timestamp: %lx\n" , timestamp
.time
));
100 DEBUG(5,(" timecred : %s\n", credstr(time_cred
.data
)));
101 DEBUG(5,(" calc_cred: %s\n", credstr(cred
->data
)));
105 /****************************************************************************
106 check a supplied credential
109 8 byte received credential
111 8 byte stored credential
115 returns 1 if computed credential matches received credential
117 ****************************************************************************/
118 int cred_assert(DOM_CHAL
*cred
, char session_key
[8], DOM_CHAL
*stored_cred
,
123 cred_create(session_key
, stored_cred
, timestamp
, &cred2
);
126 DEBUG(4,("cred_assert\n"));
128 DEBUG(5,(" challenge : %s\n", credstr(cred
->data
)));
129 DEBUG(5,(" calculated: %s\n", credstr(cred2
.data
)));
131 if (memcmp(cred
->data
, cred2
.data
, 8) == 0)
133 DEBUG(5, ("credentials check ok\n"));
138 DEBUG(5, ("credentials check wrong\n"));
144 /****************************************************************************
145 checks credentials; generates next step in the credential chain
146 ****************************************************************************/
147 BOOL
clnt_deal_with_creds(char sess_key
[8],
148 DOM_CRED
*sto_clnt_cred
, DOM_CRED
*rcv_srv_cred
)
153 DEBUG(5,("clnt_deal_with_creds: %d\n", __LINE__
));
155 /* increment client time by one second */
156 new_clnt_time
.time
= sto_clnt_cred
->timestamp
.time
+ 1;
158 /* check that the received server credentials are valid */
159 if (!cred_assert(&(rcv_srv_cred
->challenge
), sess_key
,
160 &(sto_clnt_cred
->challenge
), new_clnt_time
))
165 /* first 4 bytes of the new seed is old client 4 bytes + clnt time + 1 */
166 new_cred
= IVAL(sto_clnt_cred
->challenge
.data
, 0);
167 new_cred
+= new_clnt_time
.time
;
169 /* store new seed in client credentials */
170 SIVAL(sto_clnt_cred
->challenge
.data
, 0, new_cred
);
172 DEBUG(5,(" new clnt cred: %s\n", credstr(sto_clnt_cred
->challenge
.data
)));
177 /****************************************************************************
178 checks credentials; generates next step in the credential chain
179 ****************************************************************************/
180 BOOL
deal_with_creds(uchar sess_key
[8],
181 DOM_CRED
*sto_clnt_cred
,
182 DOM_CRED
*rcv_clnt_cred
, DOM_CRED
*rtn_srv_cred
)
187 DEBUG(5,("deal_with_creds: %d\n", __LINE__
));
189 /* check that the received client credentials are valid */
190 if (!cred_assert(&(rcv_clnt_cred
->challenge
), sess_key
,
191 &(sto_clnt_cred
->challenge
), rcv_clnt_cred
->timestamp
))
196 /* increment client time by one second */
197 new_clnt_time
.time
= rcv_clnt_cred
->timestamp
.time
+ 1;
199 /* first 4 bytes of the new seed is old client 4 bytes + clnt time + 1 */
200 new_cred
= IVAL(sto_clnt_cred
->challenge
.data
, 0);
201 new_cred
+= new_clnt_time
.time
;
203 DEBUG(5,("deal_with_creds: new_cred[0]=%lx\n", new_cred
));
205 /* doesn't matter that server time is 0 */
206 rtn_srv_cred
->timestamp
.time
= 0;
208 DEBUG(5,("deal_with_creds: new_clnt_time=%lx\n", new_clnt_time
.time
));
210 /* create return credentials for inclusion in the reply */
211 cred_create(sess_key
, &(sto_clnt_cred
->challenge
), new_clnt_time
,
212 &(rtn_srv_cred
->challenge
));
214 DEBUG(5,("deal_with_creds: clnt_cred=%s\n", credstr(sto_clnt_cred
->challenge
.data
)));
216 /* store new seed in client credentials */
217 SIVAL(sto_clnt_cred
->challenge
.data
, 0, new_cred
);