39 #include "../misc/openvas_logging.h" 49 #define uchar unsigned char 57 #define uint32 uint32_t 62 nasl_gcrypt_hash (
lex_ctxt * lexic,
int algorithm,
void *data,
size_t datalen,
63 void *key,
size_t keylen)
68 int dlen = gcry_md_get_algo_dlen (algorithm);
73 err = gcry_md_open (&hd, algorithm, key ? GCRY_MD_FLAG_HMAC : 0);
76 nasl_perror (lexic,
"nasl_gcrypt_hash(): gcry_md_open failed: %s/%s\n",
77 gcry_strsource (
err), gcry_strerror (
err));
83 err = gcry_md_setkey (hd, key, keylen);
87 "nasl_gcrypt_hash():" " gcry_md_setkey failed: %s/%s\n",
88 gcry_strsource (
err), gcry_strerror (
err));
93 gcry_md_write (hd, data, datalen);
97 retc->
x.
str_val = g_memdup (gcry_md_read (hd, algorithm), dlen + 1);
106 nasl_hash (
lex_ctxt * lexic,
int algorithm)
111 return nasl_gcrypt_hash (lexic, algorithm, data, len, NULL, 0);
117 return nasl_hash (lexic, GCRY_MD_MD2);
123 return nasl_hash (lexic, GCRY_MD_MD4);
129 return nasl_hash (lexic, GCRY_MD_MD5);
135 return nasl_hash (lexic, GCRY_MD_SHA1);
141 return nasl_hash (lexic, GCRY_MD_SHA256);
147 return nasl_hash (lexic, GCRY_MD_RMD160);
151 nasl_cipher (
int algorithm,
void *data,
size_t dlen,
void *key,
size_t klen)
158 if ((error = gcry_cipher_open (&hd, algorithm, GCRY_CIPHER_MODE_ECB, 0)))
163 if ((error = gcry_cipher_setkey (hd, key, klen)))
168 result = g_malloc0 (dlen);
169 if ((error = gcry_cipher_encrypt (hd, result, dlen, data, dlen)))
174 gcry_cipher_close (hd);
193 return nasl_cipher (GCRY_CIPHER_DES, data, dlen, key, klen);
201 nasl_hmac (
lex_ctxt * lexic,
int algorithm)
208 return nasl_gcrypt_hash (lexic, algorithm, data, data_len, key, key_len);
214 return nasl_hmac (lexic, GCRY_MD_MD2);
220 return nasl_hmac (lexic, GCRY_MD_MD5);
226 return nasl_hmac (lexic, GCRY_MD_SHA1);
232 return nasl_hmac (lexic, GCRY_MD_SHA384);
238 return nasl_hmac (lexic, GCRY_MD_RMD160);
249 if (mac_key == NULL || buf == NULL || buflen == -1 || seq_num == -1)
252 "Syntax : get_sign(key:<k>, buf:<b>, buflen:<bl>, seq_number:<s>)\n");
255 uint8_t calc_md5_mac[16];
257 memcpy (buf + 18, calc_md5_mac, 8);
258 char *ret = g_malloc0 (buflen);
259 memcpy (ret, buf, buflen);
269 hmac_md5_for_prf (
const void *key,
int keylen,
const void *buf,
int buflen)
271 void *signature = g_malloc0 (16);
275 hmac = g_hmac_new (G_CHECKSUM_MD5, key, keylen);
276 g_hmac_update (hmac, buf, buflen);
277 g_hmac_get_digest (hmac, signature, &signlen);
283 hmac_sha1 (
const void *key,
int keylen,
const void *buf,
int buflen)
285 void *signature = g_malloc0 (20);
289 hmac = g_hmac_new (G_CHECKSUM_SHA1, key, keylen);
290 g_hmac_update (hmac, buf, buflen);
291 g_hmac_get_digest (hmac, signature, &signlen);
297 hmac_sha256 (
const void *key,
int keylen,
const void *buf,
int buflen)
299 void *signature = g_malloc0 (32);
303 hmac = g_hmac_new (G_CHECKSUM_SHA256, key, keylen);
304 g_hmac_update (hmac, buf, buflen);
305 g_hmac_get_digest (hmac, signature, &signlen);
311 hmac_sha384 (
const void *key,
int keylen,
const void *buf,
int buflen)
317 if (!buf || buflen <= 0)
320 err = gcry_md_open (&hd, GCRY_MD_SHA384, key ? GCRY_MD_FLAG_HMAC : 0);
324 gcry_strsource (
err), gcry_strerror (
err));
330 err = gcry_md_setkey (hd, key, keylen);
334 gcry_strsource (
err), gcry_strerror (
err));
339 gcry_md_write (hd, buf, buflen);
340 ret = g_memdup (gcry_md_read (hd, 0), 48);
348 void *key, *data, *signature;
356 if (!key || !data || keylen <= 0 || datalen <= 0)
359 "Syntax : hmac_sha256(data:<b>, key:<k>)\n");
362 signature = hmac_sha256 (key, keylen, data, datalen);
367 retc->
x.
str_val = (
char *) signature;
377 tls_prf (
const void *secret,
size_t secret_len,
const void *seed,
378 size_t seed_len,
const void *label,
size_t outlen,
int hmac)
381 size_t pos = 0, lslen, hmac_size;
384 void *(* hmac_func) (
const void *, int,
const void *, int);
389 hmac_func = hmac_sha256;
394 hmac_func = hmac_sha384;
399 hmac_func = hmac_md5_for_prf;
404 hmac_func = hmac_sha1;
412 lslen = strlen (label) + seed_len;
413 lseed = g_malloc0 (lslen);
414 memcpy (lseed, label, strlen (label));
415 memcpy (lseed + strlen (label), seed, seed_len);
417 Ai = hmac_func (secret, secret_len, lseed, lslen);
421 result = g_malloc0 (outlen);
428 tmp = g_malloc0 (hmac_size + lslen);
429 memcpy (tmp, Ai, hmac_size);
430 memcpy (tmp + hmac_size, lseed, lslen);
431 tmp2 = hmac_func (secret, secret_len, tmp, hmac_size + lslen);
435 if (clen > hmac_size)
437 memcpy (result + pos, tmp2, clen);
442 tmp = hmac_func (secret, secret_len, Ai, hmac_size);
460 tls1_prf (
const void *secret,
size_t secret_len,
const void *seed,
461 size_t seed_len,
const void *label,
size_t outlen)
463 void *result, *secret1 = NULL, *secret2 = NULL;
464 unsigned int half_slen, odd = 0, i;
465 char *resultmd5 = NULL, *resultsha1 = NULL, *aux_res = NULL;
467 if (secret_len % 2 == 0 )
468 half_slen = secret_len / 2;
471 half_slen = (secret_len + 1) / 2;
475 secret1 = g_malloc0 (half_slen);
476 memcpy (secret1, secret, half_slen);
477 resultmd5 = tls_prf (secret1, half_slen, seed, seed_len, label, outlen, 2);
484 secret2 = g_malloc0 (half_slen);
485 memcpy (secret2, secret + (half_slen - odd), half_slen);
486 resultsha1 = tls_prf (secret2, half_slen, seed, seed_len, label, outlen, 3);
495 aux_res = g_malloc0 (outlen);
496 for (i = 0; i < outlen; i++)
497 aux_res[i] = resultmd5[i] ^ resultsha1[i];
499 result = g_malloc (outlen);
500 memcpy (result, aux_res, outlen);
512 nasl_prf (
lex_ctxt * lexic,
int hmac)
514 void *secret, *seed, *label, *result;
515 int secret_len, seed_len, label_len, outlen;
525 if (!secret || !seed || secret_len <= 0 || seed_len <= 0 || !label
526 || label_len <= 0 || outlen <= 0)
529 "Syntax : prf(secret, seed, label, outlen)\n");
533 result = tls_prf (secret, secret_len, seed, seed_len, label, outlen, hmac);
535 result = tls1_prf (secret, secret_len, seed, seed_len, label, outlen);
550 return nasl_prf (lexic, 0);
556 return nasl_prf (lexic, 1);
562 return nasl_prf (lexic, 2);
568 return nasl_hmac (lexic, GCRY_MD_SHA512);
574 void *key, *buf, *signature, *ret;
582 if (!key || !buf || keylen <= 0)
585 "Syntax : get_smb2_sign(buf:<b>, key:<k>)");
590 nasl_perror (lexic,
"get_smb2_sign: Buffer length < 64");
595 memset(buf + 48, 0, 16);
596 signature = hmac_sha256 (key, keylen, buf, buflen);
599 ret = g_malloc0 (buflen);
600 memcpy (ret, buf, buflen);
601 memcpy (ret + 48, signature, 16);
616 unsigned char *ntlmv2_hash =
621 if (cryptkey == NULL || user == NULL || domain == NULL || ntlmv2_hash == NULL
622 || address_list == NULL || address_list_len < 0)
625 "Syntax : ntlmv2_response(cryptkey:<c>, user:<u>, domain:<d>, ntlmv2_hash:<n>, address_list:<a>, address_list_len:<len>)\n");
628 uint8_t lm_response[24];
629 uint8_t nt_response[16 + 28 + address_list_len];
630 uint8_t session_key[16];
631 bzero (lm_response,
sizeof (lm_response));
632 bzero (nt_response,
sizeof (nt_response));
633 bzero (session_key,
sizeof (session_key));
636 cryptkey, lm_response, nt_response, session_key,
639 int lm_response_len = 24;
640 int nt_response_len = 16 + 28 + address_list_len;
641 int len = lm_response_len + nt_response_len +
sizeof (session_key);
642 char *ret = g_malloc0 (len);
643 memcpy (ret, lm_response, lm_response_len);
644 memcpy (ret + lm_response_len, session_key,
sizeof (session_key));
645 memcpy (ret + lm_response_len +
sizeof (session_key), nt_response,
663 if (!cryptkey || !password || !nt_hash || hash_len < 16)
666 (lexic,
"Syntax : ntlm2_response(cryptkey:<c>, password:<p>, nt_hash:<n[16]>)\n");
670 uint8_t lm_response[24];
671 uint8_t nt_response[24];
672 uint8_t session_key[16];
677 int len =
sizeof (lm_response) +
sizeof (nt_response) +
sizeof (session_key);
678 char *ret = g_malloc0 (len);
679 memcpy (ret, lm_response,
sizeof (lm_response));
680 memcpy (ret +
sizeof (lm_response), nt_response,
sizeof (nt_response));
681 memcpy (ret +
sizeof (lm_response) +
sizeof (nt_response), session_key,
682 sizeof (session_key));
700 if (!cryptkey || !password || !nt_hash || hash_len < 16 || neg_flags < 0)
703 "Syntax : ntlm_response(cryptkey:<c>, password:<p>, nt_hash:<n[16]>, neg_flags:<nf>)\n");
707 uint8_t lm_response[24];
708 uint8_t nt_response[24];
709 uint8_t session_key[16];
714 cryptkey, nt_hash, neg_flags);
716 int len =
sizeof (lm_response) +
sizeof (nt_response) +
sizeof (session_key);
717 char *ret = g_malloc0 (len);
718 memcpy (ret, lm_response,
sizeof (lm_response));
719 memcpy (ret +
sizeof (lm_response), nt_response,
sizeof (nt_response));
720 memcpy (ret +
sizeof (lm_response) +
sizeof (nt_response), session_key,
721 sizeof (session_key));
734 unsigned char *nt_hash =
737 if (cryptkey == NULL || session_key == NULL || nt_hash == NULL)
740 "Syntax : keyexchg(cryptkey:<c>, session_key:<s>, nt_hash:<n> )\n");
743 uint8_t new_sess_key[16];
745 uint8_t *encrypted_session_key = NULL;
746 encrypted_session_key =
748 (uint8_t *) & new_sess_key);
750 char *ret = g_malloc0 (len);
751 memcpy (ret, new_sess_key, 16);
752 memcpy (ret + 16, encrypted_session_key, 16);
766 unsigned char p21[21];
770 if (cryptkey == NULL || password == NULL)
772 nasl_perror (lexic,
"Syntax : ntlmv1_hash(cryptkey:<c>, passhash:<p>)\n");
779 bzero (p21,
sizeof (p21));
780 memcpy (p21, password, pass_len);
782 ret = g_malloc0 (24);
784 E_P24 (p21, cryptkey, ret);
803 nasl_perror (lexic,
"Syntax : nt_owf_gen(password:<p>)\n");
806 upass = g_utf8_to_utf16 (pass, -1, NULL, &upass_len, NULL);
807 ret = nasl_gcrypt_hash (lexic, GCRY_MD_MD4, upass, upass_len * 2, NULL, 0);
822 if (pass_len < 0 || pass == NULL)
824 nasl_perror (lexic,
"Syntax : nt_lm_gen(password:<p>)\n");
828 bzero (pwd,
sizeof (pwd));
829 strncpy ((
char *) pwd, pass,
sizeof (pwd) - 1);
830 for (i = 0; i <
sizeof (pwd); i++)
831 pwd[i] = toupper (pwd[i]);
838 retc->
x.
str_val = g_memdup (p16, 16);
852 if (in_len < 0 || in == NULL)
854 nasl_perror (lexic,
"Syntax : insert_hexzeros(in:<i>)\n");
858 byte_len =
sizeof (
smb_ucs2_t) * (strlen ((
char *) in) + 1);
859 out = g_malloc0 (byte_len);
863 for (i = 0; i < in_len; i++)
875 byte_len = byte_len - 2;
879 retc->
size = byte_len;
894 char *src_user, *src_domain;
898 size_t user_byte_len;
899 size_t domain_byte_len;
904 if (owf_in_len < 0 || owf_in == NULL || user_in_len < 0 || user_in == NULL
905 || domain_len < 0 || domain_in == NULL)
908 "Syntax : ntv2_owf_gen(owf:<o>, login:<l>, domain:<d>)\n");
912 assert (owf_in_len == 16);
914 user_byte_len =
sizeof (
smb_ucs2_t) * (strlen (user_in) + 1);
915 user = g_malloc0 (user_byte_len);
919 for (i = 0; i < user_in_len; i++)
921 val_user = *src_user;
922 *dst_user = val_user;
929 domain_byte_len =
sizeof (
smb_ucs2_t) * (strlen (domain_in) + 1);
930 domain = g_malloc0 (domain_byte_len);
932 src_domain = domain_in;
934 for (i = 0; i < domain_len; i++)
936 val_domain = *src_domain;
937 *dst_domain = val_domain;
948 assert (user_byte_len >= 2);
949 assert (domain_byte_len >= 2);
952 user_byte_len = user_byte_len - 2;
953 domain_byte_len = domain_byte_len - 2;
955 kr_buf = g_malloc0 (16);
959 hmac_md5_update ((
const unsigned char *) domain, domain_byte_len, &ctx);
982 unsigned char ntlmv2_response[16];
983 unsigned char *ntlmv2_client_data = NULL;
984 unsigned char *final_response;
987 if (sc_len < 0 || server_chal == NULL || hash_len < 0 || ntlm_v2_hash == NULL
988 || client_chal_length < 0)
991 "Syntax : ntlmv2_hash(cryptkey:<c>, passhash:<p>, length:<l>)\n");
998 ntlmv2_client_data = g_malloc0 (client_chal_length);
999 for (i = 0; i < client_chal_length; i++)
1000 ntlmv2_client_data[i] = rand () % 256;
1004 assert (hash_len == 16);
1007 client_chal_length, ntlmv2_response);
1010 final_response = g_malloc0 (client_chal_length +
sizeof (ntlmv2_response));
1011 memcpy (final_response, ntlmv2_response,
sizeof (ntlmv2_response));
1013 memcpy (final_response +
sizeof (ntlmv2_response), ntlmv2_client_data,
1014 client_chal_length);
1016 g_free (ntlmv2_client_data);
1020 retc->
size = client_chal_length +
sizeof (ntlmv2_response);
1021 retc->
x.
str_val = (
char *) final_response;
void simple_packet_signature_ntlmssp(uint8_t *mac_key, const uchar *buf, uint32 seq_number, unsigned char *calc_md5_mac)
tree_cell * nasl_hmac_md2(lex_ctxt *lexic)
tree_cell * nasl_sha1(lex_ctxt *lexic)
int strupper_w(smb_ucs2_t *s)
tree_cell * nasl_hmac_sha512(lex_ctxt *lexic)
tree_cell * nasl_keyexchg(lex_ctxt *lexic)
tree_cell * nasl_md5(lex_ctxt *lexic)
tree_cell * nasl_ntlm2_response(lex_ctxt *lexic)
uint8_t * ntlmssp_genauth_keyexchg(uint8_t *session_key, char *challenge_data, unsigned char *nt_hash, uint8_t *new_sess_key)
tree_cell * nasl_sha256(lex_ctxt *lexic)
void E_P16(uchar *p14, uchar *p16)
tree_cell * nasl_nt_owf_gen(lex_ctxt *lexic)
tree_cell * nasl_hmac_md5(lex_ctxt *lexic)
tree_cell * nasl_ntlm_response(lex_ctxt *lexic)
void log_legacy_write(const char *format,...)
Legacy function to write a log message.
int get_local_var_size_by_name(lex_ctxt *, const char *)
char * get_str_local_var_by_name(lex_ctxt *, const char *)
tree_cell * nasl_cipher_des(lex_ctxt *lexic)
char * get_str_var_by_name(lex_ctxt *, const char *)
void hmac_md5_init_limK_to_64(const uchar *key, int key_len, HMACMD5Context *ctx)
The microsoft version of hmac_md5 initialisation.
tree_cell * nasl_prf_sha384(lex_ctxt *lexic)
tree_cell * nasl_ntv2_owf_gen(lex_ctxt *lexic)
tree_cell * nasl_get_smb2_sign(lex_ctxt *lexic)
tree_cell * nasl_hmac_ripemd160(lex_ctxt *lexic)
tree_cell * nasl_ntlmv1_hash(lex_ctxt *lexic)
tree_cell * nasl_tls1_prf(lex_ctxt *lexic)
tree_cell * nasl_md2(lex_ctxt *lexic)
tree_cell * nasl_hmac_sha1(lex_ctxt *lexic)
int get_var_size_by_num(lex_ctxt *, int)
void SMBOWFencrypt_ntv2_ntlmssp(const uchar kr[16], const uint8_t *srv_chal, int srv_chal_len, const uint8_t *cli_chal, int cli_chal_len, uchar resp_buf[16])
void hmac_md5_final(uchar *digest, HMACMD5Context *ctx)
Finish off hmac_md5 "inner" buffer and generate outer one.
tree_cell * nasl_lm_owf_gen(lex_ctxt *lexic)
tree_cell * nasl_md4(lex_ctxt *lexic)
void ntlmssp_genauth_ntlm2(char *password, uint8_t pass_len, uint8_t *lm_response, uint8_t *nt_response, uint8_t *session_key, char *challenge_data, unsigned char *nt_hash)
tree_cell * nasl_insert_hexzeros(lex_ctxt *lexic)
void nasl_perror(lex_ctxt *lexic, char *msg,...)
char * get_str_var_by_num(lex_ctxt *, int)
tree_cell * nasl_ntlmv2_response(lex_ctxt *lexic)
void hmac_md5_update(const uchar *text, int text_len, HMACMD5Context *ctx)
Update hmac_md5 "inner" buffer.
long int get_int_var_by_name(lex_ctxt *, const char *, int)
void ntlmssp_genauth_ntlm(char *password, uint8_t pass_len, uint8_t *lm_response, uint8_t *nt_response, uint8_t *session_key, char *challenge_data, unsigned char *nt_hash, int neg_flags)
tree_cell * alloc_tree_cell(int lnb, char *s)
tree_cell * nasl_get_sign(lex_ctxt *lexic)
tree_cell * nasl_ripemd160(lex_ctxt *lexic)
tree_cell * nasl_ntlmv2_hash(lex_ctxt *lexic)
void ntlmssp_genauth_ntlmv2(char *user, char *domain, char *address_list, int address_list_len, char *challenge_data, uint8_t *lm_response, uint8_t *nt_response, uint8_t *session_key, unsigned char *ntlmv2_hash)
tree_cell * nasl_hmac_sha256(lex_ctxt *lexic)
tree_cell * nasl_prf_sha256(lex_ctxt *lexic)
void E_P24(const uchar *p21, const uchar *c8, uchar *p24)
int get_var_size_by_name(lex_ctxt *, const char *)
tree_cell * nasl_hmac_sha384(lex_ctxt *lexic)