16 #include "../misc/support.h"
35 #include <gvm/base/logging.h>
40 #define uchar unsigned char
48 #define uint32 uint32_t
55 #define G_LOG_DOMAIN "lib nasl"
60 void *key,
size_t keylen)
65 unsigned int dlen = gcry_md_get_algo_dlen (algorithm);
70 err = gcry_md_open (&hd, algorithm, key ? GCRY_MD_FLAG_HMAC : 0);
73 nasl_perror (lexic,
"nasl_gcrypt_hash(): gcry_md_open failed: %s/%s\n",
74 gcry_strsource (err), gcry_strerror (err));
80 err = gcry_md_setkey (hd, key, keylen);
85 " gcry_md_setkey failed: %s/%s\n",
86 gcry_strsource (err), gcry_strerror (err));
91 gcry_md_write (hd, data, datalen);
94 retc->
x.
str_val = g_malloc0 (dlen + 1);
95 memcpy (retc->
x.
str_val, gcry_md_read (hd, algorithm), dlen + 1);
139 return nasl_hash (lexic, GCRY_MD_SHA256);
145 return nasl_hash (lexic, GCRY_MD_SHA512);
151 return nasl_hash (lexic, GCRY_MD_RMD160);
155 nasl_cipher (
int algorithm,
void *data,
size_t dlen,
void *key,
size_t klen)
162 if ((error = gcry_cipher_open (&hd, algorithm, GCRY_CIPHER_MODE_ECB, 0)))
164 g_message (
"gcry_cipher_open: %s", gcry_strerror (error));
167 if ((error = gcry_cipher_setkey (hd, key, klen)))
169 g_message (
"gcry_cipher_setkey: %s", gcry_strerror (error));
172 result = g_malloc0 (dlen);
173 if ((error = gcry_cipher_encrypt (hd, result, dlen, data, dlen)))
175 g_message (
"gcry_cipher_encrypt: %s", gcry_strerror (error));
178 gcry_cipher_close (hd);
196 return nasl_cipher (GCRY_CIPHER_DES, data, dlen, key, klen);
233 return nasl_hmac (lexic, GCRY_MD_SHA384);
239 return nasl_hmac (lexic, GCRY_MD_RMD160);
250 if (mac_key == NULL || buf == NULL || buflen == -1 || seq_num <= -1)
252 nasl_perror (lexic,
"Syntax : get_signature(key:<k>, buf:<b>, "
253 "buflen:<bl>, seq_number:<s>)\n");
256 uint8_t calc_md5_mac[16];
259 memcpy (buf + 18, calc_md5_mac, 8);
260 char *ret = g_malloc0 (buflen);
261 memcpy (ret, buf, buflen);
272 void *key, *data, *signature;
280 if (!key || !data || keylen <= 0 || datalen <= 0)
282 nasl_perror (lexic,
"Syntax : hmac_sha256(data:<b>, key:<k>)\n");
285 signature =
hmac_sha256 (key, keylen, data, datalen);
289 retc->
x.
str_val = (
char *) signature;
299 tls_prf (
const void *secret,
size_t secret_len,
const void *seed,
300 size_t seed_len,
const void *label,
size_t outlen,
int hmac)
303 size_t pos = 0, lslen, hmac_size;
306 void *(*hmac_func) (
const void *, int,
const void *, int);
334 lslen = strlen (label) + seed_len;
335 lseed = g_malloc0 (lslen);
336 memcpy (lseed, label, strlen (label));
337 memcpy ((
char *) lseed + strlen (label), seed, seed_len);
339 Ai = hmac_func (secret, secret_len, lseed, lslen);
346 result = g_malloc0 (outlen);
353 tmp = g_malloc0 (hmac_size + lslen);
354 memcpy (tmp, Ai, hmac_size);
355 memcpy ((
char *) tmp + hmac_size, lseed, lslen);
356 tmp2 = hmac_func (secret, secret_len, tmp, hmac_size + lslen);
360 if (clen > hmac_size)
362 memcpy (result + pos, tmp2, clen);
367 tmp = hmac_func (secret, secret_len, Ai, hmac_size);
385 tls1_prf (
const void *secret,
size_t secret_len,
const void *seed,
386 size_t seed_len,
const void *label,
size_t outlen)
388 void *result, *secret1 = NULL, *secret2 = NULL;
389 unsigned int half_slen, odd = 0, i;
390 char *resultmd5 = NULL, *resultsha1 = NULL, *aux_res = NULL;
392 if (secret_len % 2 == 0)
393 half_slen = secret_len / 2;
396 half_slen = (secret_len + 1) / 2;
400 secret1 = g_malloc0 (half_slen);
401 memcpy (secret1, secret, half_slen);
402 resultmd5 =
tls_prf (secret1, half_slen, seed, seed_len, label, outlen, 2);
409 secret2 = g_malloc0 (half_slen);
410 memcpy (secret2, (
char *) secret + (half_slen - odd), half_slen);
411 resultsha1 =
tls_prf (secret2, half_slen, seed, seed_len, label, outlen, 3);
420 aux_res = g_malloc0 (outlen);
421 for (i = 0; i < outlen; i++)
422 aux_res[i] = resultmd5[i] ^ resultsha1[i];
424 result = g_malloc (outlen);
425 memcpy (result, aux_res, outlen);
439 void *secret, *seed, *label, *result;
440 int secret_len, seed_len, label_len, outlen;
450 if (!secret || !seed || secret_len <= 0 || seed_len <= 0 || !label
451 || label_len <= 0 || outlen <= 0)
453 nasl_perror (lexic,
"Syntax : prf(secret, seed, label, outlen)\n");
457 result =
tls_prf (secret, secret_len, seed, seed_len, label, outlen, hmac);
459 result =
tls1_prf (secret, secret_len, seed, seed_len, label, outlen);
491 return nasl_hmac (lexic, GCRY_MD_SHA512);
518 unsigned char *ntlmv2_hash =
523 if (cryptkey == NULL || user == NULL || domain == NULL || ntlmv2_hash == NULL
524 || address_list == NULL || address_list_len < 0)
527 lexic,
"Syntax : ntlmv2_response(cryptkey:<c>, user:<u>, domain:<d>, "
528 "ntlmv2_hash:<n>, address_list:<a>, address_list_len:<len>)\n");
531 uint8_t lm_response[24];
532 uint8_t nt_response[16 + 28 + address_list_len];
533 uint8_t session_key[16];
534 bzero (lm_response,
sizeof (lm_response));
535 bzero (nt_response,
sizeof (nt_response));
536 bzero (session_key,
sizeof (session_key));
539 cryptkey, lm_response, nt_response, session_key,
542 int lm_response_len = 24;
543 int nt_response_len = 16 + 28 + address_list_len;
544 int len = lm_response_len + nt_response_len +
sizeof (session_key);
545 char *ret = g_malloc0 (
len);
546 memcpy (ret, lm_response, lm_response_len);
547 memcpy (ret + lm_response_len, session_key,
sizeof (session_key));
548 memcpy (ret + lm_response_len +
sizeof (session_key), nt_response,
565 if (!cryptkey || !password || !nt_hash || hash_len < 16)
567 nasl_perror (lexic,
"Syntax : ntlm2_response(cryptkey:<c>, password:<p>, "
568 "nt_hash:<n[16]>)\n");
572 uint8_t lm_response[24];
573 uint8_t nt_response[24];
574 uint8_t session_key[16];
578 session_key, cryptkey, nt_hash);
579 int len =
sizeof (lm_response) +
sizeof (nt_response) +
sizeof (session_key);
580 char *ret = g_malloc0 (
len);
581 memcpy (ret, lm_response,
sizeof (lm_response));
582 memcpy (ret +
sizeof (lm_response), nt_response,
sizeof (nt_response));
583 memcpy (ret +
sizeof (lm_response) +
sizeof (nt_response), session_key,
584 sizeof (session_key));
601 if (!cryptkey || !password || !nt_hash || hash_len < 16 || neg_flags < 0)
603 nasl_perror (lexic,
"Syntax : ntlm_response(cryptkey:<c>, password:<p>, "
604 "nt_hash:<n[16]>, neg_flags:<nf>)\n");
608 uint8_t lm_response[24];
609 uint8_t nt_response[24];
610 uint8_t session_key[16];
615 session_key, cryptkey, nt_hash, neg_flags);
617 int len =
sizeof (lm_response) +
sizeof (nt_response) +
sizeof (session_key);
618 char *ret = g_malloc0 (
len);
619 memcpy (ret, lm_response,
sizeof (lm_response));
620 memcpy (ret +
sizeof (lm_response), nt_response,
sizeof (nt_response));
621 memcpy (ret +
sizeof (lm_response) +
sizeof (nt_response), session_key,
622 sizeof (session_key));
634 unsigned char *nt_hash =
637 if (cryptkey == NULL || session_key == NULL || nt_hash == NULL)
641 "Syntax : key_exchange(cryptkey:<c>, session_key:<s>, nt_hash:<n> )\n");
644 uint8_t new_sess_key[16];
646 uint8_t *encrypted_session_key = NULL;
648 session_key, cryptkey, nt_hash, (uint8_t *) &new_sess_key);
650 char *ret = g_malloc0 (
len);
651 memcpy (ret, new_sess_key, 16);
652 memcpy (ret + 16, encrypted_session_key, 16);
665 unsigned char p21[21];
669 if (cryptkey == NULL || password == NULL)
671 nasl_perror (lexic,
"Syntax : ntlmv1_hash(cryptkey:<c>, passhash:<p>)\n");
678 bzero (p21,
sizeof (p21));
679 memcpy (p21, password, pass_len);
681 ret = g_malloc0 (24);
683 E_P24 (p21, cryptkey, ret);
701 nasl_perror (lexic,
"Syntax : nt_owf_gen(<password>)\n");
704 upass = g_utf8_to_utf16 (pass, -1, NULL, &upass_len, NULL);
720 if (pass_len < 0 || pass == NULL)
722 nasl_perror (lexic,
"Syntax : nt_lm_gen(password:<p>)\n");
726 bzero (pwd,
sizeof (pwd));
727 strncpy ((
char *) pwd, pass,
sizeof (pwd) - 1);
728 for (i = 0; i <
sizeof (pwd); i++)
729 pwd[i] = toupper (pwd[i]);
735 retc->
x.
str_val = g_memdup2 (p16, 16);
749 if (in_len < 0 || in == NULL)
751 nasl_perror (lexic,
"Syntax : insert_hexzeros(in:<i>)\n");
755 byte_len =
sizeof (
smb_ucs2_t) * (strlen ((
char *) in) + 1);
756 out = g_malloc0 (byte_len);
760 for (i = 0; i < in_len; i++)
771 byte_len = byte_len - 2;
774 retc->
size = byte_len;
789 char *src_user, *src_domain;
793 size_t user_byte_len;
794 size_t domain_byte_len;
799 if (owf_in_len < 0 || owf_in == NULL || user_in_len < 0 || user_in == NULL
800 || domain_len < 0 || domain_in == NULL)
803 "Syntax : ntv2_owf_gen(owf:<o>, login:<l>, domain:<d>)\n");
807 assert (owf_in_len == 16);
809 user_byte_len =
sizeof (
smb_ucs2_t) * (strlen (user_in) + 1);
810 user = g_malloc0 (user_byte_len);
814 for (i = 0; i < user_in_len; i++)
816 val_user = *src_user;
817 *dst_user = val_user;
824 domain_byte_len =
sizeof (
smb_ucs2_t) * (strlen (domain_in) + 1);
825 domain = g_malloc0 (domain_byte_len);
827 src_domain = domain_in;
829 for (i = 0; i < domain_len; i++)
831 val_domain = *src_domain;
832 *dst_domain = val_domain;
843 assert (user_byte_len >= 2);
844 assert (domain_byte_len >= 2);
847 user_byte_len = user_byte_len - 2;
848 domain_byte_len = domain_byte_len - 2;
850 kr_buf = g_malloc0 (16);
854 hmac_md5_update ((
const unsigned char *) domain, domain_byte_len, &ctx);
876 unsigned char ntlmv2_response[16];
877 unsigned char *ntlmv2_client_data = NULL;
878 unsigned char *final_response;
881 if (sc_len < 0 || server_chal == NULL || hash_len < 0 || ntlm_v2_hash == NULL
882 || client_chal_length < 0)
886 "Syntax : ntlmv2_hash(cryptkey:<c>, passhash:<p>, length:<l>)\n");
893 ntlmv2_client_data = g_malloc0 (client_chal_length);
894 for (i = 0; i < client_chal_length; i++)
895 ntlmv2_client_data[i] = rand () % 256;
897 assert (hash_len == 16);
900 client_chal_length, ntlmv2_response);
903 final_response = g_malloc0 (client_chal_length +
sizeof (ntlmv2_response));
904 memcpy (final_response, ntlmv2_response,
sizeof (ntlmv2_response));
907 memcpy (final_response +
sizeof (ntlmv2_response), ntlmv2_client_data,
910 g_free (ntlmv2_client_data);
913 retc->
size = client_chal_length +
sizeof (ntlmv2_response);
914 retc->
x.
str_val = (
char *) final_response;