45 #include <gvm/base/logging.h>
49 #define uchar unsigned char
57 #define uint32 uint32_t
64 #define G_LOG_DOMAIN "lib nasl"
69 void *key,
size_t keylen)
74 int dlen = gcry_md_get_algo_dlen (algorithm);
79 err = gcry_md_open (&hd, algorithm, key ? GCRY_MD_FLAG_HMAC : 0);
82 nasl_perror (lexic,
"nasl_gcrypt_hash(): gcry_md_open failed: %s/%s\n",
83 gcry_strsource (err), gcry_strerror (err));
89 err = gcry_md_setkey (hd, key, keylen);
94 " gcry_md_setkey failed: %s/%s\n",
95 gcry_strsource (err), gcry_strerror (err));
100 gcry_md_write (hd, data, datalen);
103 retc->
x.
str_val = g_memdup (gcry_md_read (hd, algorithm), dlen + 1);
147 return nasl_hash (lexic, GCRY_MD_SHA256);
153 return nasl_hash (lexic, GCRY_MD_RMD160);
157 nasl_cipher (
int algorithm,
void *data,
size_t dlen,
void *key,
size_t klen)
164 if ((error = gcry_cipher_open (&hd, algorithm, GCRY_CIPHER_MODE_ECB, 0)))
166 g_message (
"gcry_cipher_open: %s", gcry_strerror (error));
169 if ((error = gcry_cipher_setkey (hd, key, klen)))
171 g_message (
"gcry_cipher_setkey: %s", gcry_strerror (error));
174 result = g_malloc0 (dlen);
175 if ((error = gcry_cipher_encrypt (hd, result, dlen, data, dlen)))
177 g_message (
"gcry_cipher_encrypt: %s", gcry_strerror (error));
180 gcry_cipher_close (hd);
198 return nasl_cipher (GCRY_CIPHER_DES, data, dlen, key, klen);
235 return nasl_hmac (lexic, GCRY_MD_SHA384);
241 return nasl_hmac (lexic, GCRY_MD_RMD160);
252 if (mac_key == NULL || buf == NULL || buflen == -1 || seq_num <= -1)
254 nasl_perror (lexic,
"Syntax : get_signature(key:<k>, buf:<b>, "
255 "buflen:<bl>, seq_number:<s>)\n");
258 uint8_t calc_md5_mac[16];
261 memcpy (buf + 18, calc_md5_mac, 8);
262 char *ret = g_malloc0 (buflen);
263 memcpy (ret, buf, buflen);
274 void *signature = g_malloc0 (16);
278 hmac = g_hmac_new (G_CHECKSUM_MD5, key, keylen);
279 g_hmac_update (hmac, buf, buflen);
280 g_hmac_get_digest (hmac, signature, &signlen);
286 hmac_sha1 (
const void *key,
int keylen,
const void *buf,
int buflen)
288 void *signature = g_malloc0 (20);
292 hmac = g_hmac_new (G_CHECKSUM_SHA1, key, keylen);
293 g_hmac_update (hmac, buf, buflen);
294 g_hmac_get_digest (hmac, signature, &signlen);
300 hmac_sha256 (
const void *key,
int keylen,
const void *buf,
int buflen)
302 void *signature = g_malloc0 (32);
306 hmac = g_hmac_new (G_CHECKSUM_SHA256, key, keylen);
307 g_hmac_update (hmac, buf, buflen);
308 g_hmac_get_digest (hmac, signature, &signlen);
314 hmac_sha384 (
const void *key,
int keylen,
const void *buf,
int buflen)
320 if (!buf || buflen <= 0)
323 err = gcry_md_open (&hd, GCRY_MD_SHA384, key ? GCRY_MD_FLAG_HMAC : 0);
326 g_message (
"nasl_gcrypt_hash(): gcry_md_open failed: %s/%s",
327 gcry_strsource (err), gcry_strerror (err));
333 err = gcry_md_setkey (hd, key, keylen);
336 g_message (
"nasl_gcrypt_hash(): gcry_md_setkey failed: %s/%s",
337 gcry_strsource (err), gcry_strerror (err));
342 gcry_md_write (hd, buf, buflen);
343 ret = g_memdup (gcry_md_read (hd, 0), 48);
351 void *key, *data, *signature;
359 if (!key || !data || keylen <= 0 || datalen <= 0)
361 nasl_perror (lexic,
"Syntax : hmac_sha256(data:<b>, key:<k>)\n");
364 signature =
hmac_sha256 (key, keylen, data, datalen);
368 retc->
x.
str_val = (
char *) signature;
378 tls_prf (
const void *secret,
size_t secret_len,
const void *seed,
379 size_t seed_len,
const void *label,
size_t outlen,
int hmac)
382 size_t pos = 0, lslen, hmac_size;
385 void *(*hmac_func) (
const void *, int,
const void *, int);
413 lslen = strlen (label) + seed_len;
414 lseed = g_malloc0 (lslen);
415 memcpy (lseed, label, strlen (label));
416 memcpy ((
char *) lseed + strlen (label), seed, seed_len);
418 Ai = hmac_func (secret, secret_len, lseed, lslen);
422 result = g_malloc0 (outlen);
429 tmp = g_malloc0 (hmac_size + lslen);
430 memcpy (tmp, Ai, hmac_size);
431 memcpy ((
char *) tmp + hmac_size, lseed, lslen);
432 tmp2 = hmac_func (secret, secret_len, tmp, hmac_size + lslen);
436 if (clen > hmac_size)
438 memcpy (result + pos, tmp2, clen);
443 tmp = hmac_func (secret, secret_len, Ai, hmac_size);
461 tls1_prf (
const void *secret,
size_t secret_len,
const void *seed,
462 size_t seed_len,
const void *label,
size_t outlen)
464 void *result, *secret1 = NULL, *secret2 = NULL;
465 unsigned int half_slen, odd = 0, i;
466 char *resultmd5 = NULL, *resultsha1 = NULL, *aux_res = NULL;
468 if (secret_len % 2 == 0)
469 half_slen = secret_len / 2;
472 half_slen = (secret_len + 1) / 2;
476 secret1 = g_malloc0 (half_slen);
477 memcpy (secret1, secret, half_slen);
478 resultmd5 =
tls_prf (secret1, half_slen, seed, seed_len, label, outlen, 2);
485 secret2 = g_malloc0 (half_slen);
486 memcpy (secret2, (
char *) secret + (half_slen - odd), half_slen);
487 resultsha1 =
tls_prf (secret2, half_slen, seed, seed_len, label, outlen, 3);
496 aux_res = g_malloc0 (outlen);
497 for (i = 0; i < outlen; i++)
498 aux_res[i] = resultmd5[i] ^ resultsha1[i];
500 result = g_malloc (outlen);
501 memcpy (result, aux_res, outlen);
515 void *secret, *seed, *label, *result;
516 int secret_len, seed_len, label_len, outlen;
526 if (!secret || !seed || secret_len <= 0 || seed_len <= 0 || !label
527 || label_len <= 0 || outlen <= 0)
529 nasl_perror (lexic,
"Syntax : prf(secret, seed, label, outlen)\n");
533 result =
tls_prf (secret, secret_len, seed, seed_len, label, outlen, hmac);
535 result =
tls1_prf (secret, secret_len, seed, seed_len, label, outlen);
567 return nasl_hmac (lexic, GCRY_MD_SHA512);
573 void *key, *buf, *signature, *ret;
581 if (!key || !buf || keylen <= 0)
583 nasl_perror (lexic,
"Syntax : get_smb2_signature(buf:<b>, key:<k>)");
588 nasl_perror (lexic,
"get_smb2_sign: Buffer length < 64");
593 memset ((
char *) buf + 48, 0, 16);
594 signature =
hmac_sha256 (key, keylen, buf, buflen);
597 ret = g_malloc0 (buflen);
598 memcpy (ret, buf, buflen);
599 memcpy ((
char *) ret + 48, signature, 16);
613 unsigned char *ntlmv2_hash =
618 if (cryptkey == NULL || user == NULL || domain == NULL || ntlmv2_hash == NULL
619 || address_list == NULL || address_list_len < 0)
622 lexic,
"Syntax : ntlmv2_response(cryptkey:<c>, user:<u>, domain:<d>, "
623 "ntlmv2_hash:<n>, address_list:<a>, address_list_len:<len>)\n");
626 uint8_t lm_response[24];
627 uint8_t nt_response[16 + 28 + address_list_len];
628 uint8_t session_key[16];
629 bzero (lm_response,
sizeof (lm_response));
630 bzero (nt_response,
sizeof (nt_response));
631 bzero (session_key,
sizeof (session_key));
634 cryptkey, lm_response, nt_response, session_key,
637 int lm_response_len = 24;
638 int nt_response_len = 16 + 28 + address_list_len;
639 int len = lm_response_len + nt_response_len +
sizeof (session_key);
640 char *ret = g_malloc0 (len);
641 memcpy (ret, lm_response, lm_response_len);
642 memcpy (ret + lm_response_len, session_key,
sizeof (session_key));
643 memcpy (ret + lm_response_len +
sizeof (session_key), nt_response,
660 if (!cryptkey || !password || !nt_hash || hash_len < 16)
662 nasl_perror (lexic,
"Syntax : ntlm2_response(cryptkey:<c>, password:<p>, "
663 "nt_hash:<n[16]>)\n");
667 uint8_t lm_response[24];
668 uint8_t nt_response[24];
669 uint8_t session_key[16];
673 session_key, cryptkey, nt_hash);
674 int len =
sizeof (lm_response) +
sizeof (nt_response) +
sizeof (session_key);
675 char *ret = g_malloc0 (len);
676 memcpy (ret, lm_response,
sizeof (lm_response));
677 memcpy (ret +
sizeof (lm_response), nt_response,
sizeof (nt_response));
678 memcpy (ret +
sizeof (lm_response) +
sizeof (nt_response), session_key,
679 sizeof (session_key));
696 if (!cryptkey || !password || !nt_hash || hash_len < 16 || neg_flags < 0)
698 nasl_perror (lexic,
"Syntax : ntlm_response(cryptkey:<c>, password:<p>, "
699 "nt_hash:<n[16]>, neg_flags:<nf>)\n");
703 uint8_t lm_response[24];
704 uint8_t nt_response[24];
705 uint8_t session_key[16];
710 session_key, cryptkey, nt_hash, neg_flags);
712 int len =
sizeof (lm_response) +
sizeof (nt_response) +
sizeof (session_key);
713 char *ret = g_malloc0 (len);
714 memcpy (ret, lm_response,
sizeof (lm_response));
715 memcpy (ret +
sizeof (lm_response), nt_response,
sizeof (nt_response));
716 memcpy (ret +
sizeof (lm_response) +
sizeof (nt_response), session_key,
717 sizeof (session_key));
729 unsigned char *nt_hash =
732 if (cryptkey == NULL || session_key == NULL || nt_hash == NULL)
736 "Syntax : key_exchange(cryptkey:<c>, session_key:<s>, nt_hash:<n> )\n");
739 uint8_t new_sess_key[16];
741 uint8_t *encrypted_session_key = NULL;
743 session_key, cryptkey, nt_hash, (uint8_t *) &new_sess_key);
745 char *ret = g_malloc0 (len);
746 memcpy (ret, new_sess_key, 16);
747 memcpy (ret + 16, encrypted_session_key, 16);
760 unsigned char p21[21];
764 if (cryptkey == NULL || password == NULL)
766 nasl_perror (lexic,
"Syntax : ntlmv1_hash(cryptkey:<c>, passhash:<p>)\n");
773 bzero (p21,
sizeof (p21));
774 memcpy (p21, password, pass_len);
776 ret = g_malloc0 (24);
778 E_P24 (p21, cryptkey, ret);
796 nasl_perror (lexic,
"Syntax : nt_owf_gen(<password>)\n");
799 upass = g_utf8_to_utf16 (pass, -1, NULL, &upass_len, NULL);
815 if (pass_len < 0 || pass == NULL)
817 nasl_perror (lexic,
"Syntax : nt_lm_gen(password:<p>)\n");
821 bzero (pwd,
sizeof (pwd));
822 strncpy ((
char *) pwd, pass,
sizeof (pwd) - 1);
823 for (i = 0; i <
sizeof (pwd); i++)
824 pwd[i] = toupper (pwd[i]);
830 retc->
x.
str_val = g_memdup (p16, 16);
844 if (in_len < 0 || in == NULL)
846 nasl_perror (lexic,
"Syntax : insert_hexzeros(in:<i>)\n");
850 byte_len =
sizeof (
smb_ucs2_t) * (strlen ((
char *) in) + 1);
851 out = g_malloc0 (byte_len);
855 for (i = 0; i < in_len; i++)
866 byte_len = byte_len - 2;
869 retc->
size = byte_len;
884 char *src_user, *src_domain;
888 size_t user_byte_len;
889 size_t domain_byte_len;
894 if (owf_in_len < 0 || owf_in == NULL || user_in_len < 0 || user_in == NULL
895 || domain_len < 0 || domain_in == NULL)
898 "Syntax : ntv2_owf_gen(owf:<o>, login:<l>, domain:<d>)\n");
902 assert (owf_in_len == 16);
904 user_byte_len =
sizeof (
smb_ucs2_t) * (strlen (user_in) + 1);
905 user = g_malloc0 (user_byte_len);
909 for (i = 0; i < user_in_len; i++)
911 val_user = *src_user;
912 *dst_user = val_user;
919 domain_byte_len =
sizeof (
smb_ucs2_t) * (strlen (domain_in) + 1);
920 domain = g_malloc0 (domain_byte_len);
922 src_domain = domain_in;
924 for (i = 0; i < domain_len; i++)
926 val_domain = *src_domain;
927 *dst_domain = val_domain;
938 assert (user_byte_len >= 2);
939 assert (domain_byte_len >= 2);
942 user_byte_len = user_byte_len - 2;
943 domain_byte_len = domain_byte_len - 2;
945 kr_buf = g_malloc0 (16);
949 hmac_md5_update ((
const unsigned char *) domain, domain_byte_len, &ctx);
971 unsigned char ntlmv2_response[16];
972 unsigned char *ntlmv2_client_data = NULL;
973 unsigned char *final_response;
976 if (sc_len < 0 || server_chal == NULL || hash_len < 0 || ntlm_v2_hash == NULL
977 || client_chal_length < 0)
981 "Syntax : ntlmv2_hash(cryptkey:<c>, passhash:<p>, length:<l>)\n");
988 ntlmv2_client_data = g_malloc0 (client_chal_length);
989 for (i = 0; i < client_chal_length; i++)
990 ntlmv2_client_data[i] = rand () % 256;
992 assert (hash_len == 16);
995 client_chal_length, ntlmv2_response);
998 final_response = g_malloc0 (client_chal_length +
sizeof (ntlmv2_response));
999 memcpy (final_response, ntlmv2_response,
sizeof (ntlmv2_response));
1002 memcpy (final_response +
sizeof (ntlmv2_response), ntlmv2_client_data,
1003 client_chal_length);
1005 g_free (ntlmv2_client_data);
1008 retc->
size = client_chal_length +
sizeof (ntlmv2_response);
1009 retc->
x.
str_val = (
char *) final_response;