/*++ Copyright (c) 1993 Microsoft Corporation Module Name: encrypt.c Abstract: This module implements the routines for the NetWare redirector to mangle an objectid, challenge key and password such that a NetWare server will accept the password as valid. This program uses information published in Byte Magazine. Author: Colin Watson [ColinW] 15-Mar-1993 Revision History: --*/ #include #include #include #include // #include #include #include // #include #define SWAPWORD(w) ((WORD)((w & 0xFF) << 8)|(WORD)(w >> 8)) #define SWAPLONG(l) MAKELONG(SWAPWORD(HIWORD(l)),SWAPWORD(LOWORD(l))) #define NCP_WELL_KNOWN_SUPERVISOR_ID (ULONG) 0x00000001 #define NCP_WELL_KNOWN_SUPERVISOR_ID_SWAPPED (ULONG) 0x01000000 #define NCP_WELL_KNOWN_SUPERVISOR_ID_CHICAGO (ULONG) 0x00010000 #define NCP_WELL_KNOWN_PSERVER_ID (ULONG) 0x00000002 #define NCP_PSERVER_SIGNATURE L"PS_" #define SWAP_OBJECT_ID(id) (id == NCP_WELL_KNOWN_SUPERVISOR_ID) ? \ NCP_WELL_KNOWN_SUPERVISOR_ID_SWAPPED : \ MAKELONG(LOWORD(id),SWAPWORD(HIWORD(id))) UCHAR Table[] = {0x7,0x8,0x0,0x8,0x6,0x4,0xE,0x4,0x5,0xC,0x1,0x7,0xB,0xF,0xA,0x8, 0xF,0x8,0xC,0xC,0x9,0x4,0x1,0xE,0x4,0x6,0x2,0x4,0x0,0xA,0xB,0x9, 0x2,0xF,0xB,0x1,0xD,0x2,0x1,0x9,0x5,0xE,0x7,0x0,0x0,0x2,0x6,0x6, 0x0,0x7,0x3,0x8,0x2,0x9,0x3,0xF,0x7,0xF,0xC,0xF,0x6,0x4,0xA,0x0, 0x2,0x3,0xA,0xB,0xD,0x8,0x3,0xA,0x1,0x7,0xC,0xF,0x1,0x8,0x9,0xD, 0x9,0x1,0x9,0x4,0xE,0x4,0xC,0x5,0x5,0xC,0x8,0xB,0x2,0x3,0x9,0xE, 0x7,0x7,0x6,0x9,0xE,0xF,0xC,0x8,0xD,0x1,0xA,0x6,0xE,0xD,0x0,0x7, 0x7,0xA,0x0,0x1,0xF,0x5,0x4,0xB,0x7,0xB,0xE,0xC,0x9,0x5,0xD,0x1, 0xB,0xD,0x1,0x3,0x5,0xD,0xE,0x6,0x3,0x0,0xB,0xB,0xF,0x3,0x6,0x4, 0x9,0xD,0xA,0x3,0x1,0x4,0x9,0x4,0x8,0x3,0xB,0xE,0x5,0x0,0x5,0x2, 0xC,0xB,0xD,0x5,0xD,0x5,0xD,0x2,0xD,0x9,0xA,0xC,0xA,0x0,0xB,0x3, 0x5,0x3,0x6,0x9,0x5,0x1,0xE,0xE,0x0,0xE,0x8,0x2,0xD,0x2,0x2,0x0, 0x4,0xF,0x8,0x5,0x9,0x6,0x8,0x6,0xB,0xA,0xB,0xF,0x0,0x7,0x2,0x8, 0xC,0x7,0x3,0xA,0x1,0x4,0x2,0x5,0xF,0x7,0xA,0xC,0xE,0x5,0x9,0x3, 0xE,0x7,0x1,0x2,0xE,0x1,0xF,0x4,0xA,0x6,0xC,0x6,0xF,0x4,0x3,0x0, 0xC,0x0,0x3,0x6,0xF,0x8,0x7,0xB,0x2,0xD,0xC,0x6,0xA,0xA,0x8,0xD}; UCHAR Keys[32] = {0x48,0x93,0x46,0x67,0x98,0x3D,0xE6,0x8D, 0xB7,0x10,0x7A,0x26,0x5A,0xB9,0xB1,0x35, 0x6B,0x0F,0xD5,0x70,0xAE,0xFB,0xAD,0x11, 0xF4,0x47,0xDC,0xA7,0xEC,0xCF,0x50,0xC0}; #define XorArray( DEST, SRC ) { \ PULONG D = (PULONG)DEST; \ PULONG S = (PULONG)SRC; \ int i; \ for ( i = 0; i <= 7 ; i++ ) { \ D[i] ^= S[i]; \ } \ } int Scramble( int iSeed, UCHAR achBuffer[32] ); VOID Shuffle( UCHAR *achObjectId, UCHAR *szUpperPassword, int iPasswordLen, UCHAR *achOutputBuffer ) /*++ Routine Description: This routine shuffles around the object ID with the password Arguments: IN achObjectId - Supplies the 4 byte user's bindery object id IN szUpperPassword - Supplies the user's uppercased password on the first call to process the password. On the second and third calls this parameter contains the OutputBuffer from the first call IN iPasswordLen - length of uppercased password OUT achOutputBuffer - Returns the 8 byte sub-calculation Return Value: none. --*/ { int iTempIndex; int iOutputIndex; UCHAR achTemp[32]; // // Truncate all trailing zeros from the password. // while (iPasswordLen > 0 && szUpperPassword[iPasswordLen-1] == 0 ) { iPasswordLen--; } // // Initialize the achTemp buffer. Initialization consists of taking // the password and dividing it up into chunks of 32. Any bytes left // over are the remainder and do not go into the initialization. // // achTemp[0] = szUpperPassword[0] ^ szUpperPassword[32] ^ szUpper... // achTemp[1] = szUpperPassword[1] ^ szUpperPassword[33] ^ szUpper... // etc. // if ( iPasswordLen > 32) { // At least one chunk of 32. Set the buffer to the first chunk. RtlCopyMemory( achTemp, szUpperPassword, 32 ); szUpperPassword +=32; // Remove the first chunk iPasswordLen -=32; while ( iPasswordLen >= 32 ) { // // Xor this chunk with the characters already loaded into // achTemp. // XorArray( achTemp, szUpperPassword); szUpperPassword +=32; // Remove this chunk iPasswordLen -=32; } } else { // No chunks of 32 so set the buffer to zero's RtlZeroMemory( achTemp, sizeof(achTemp)); } // // achTemp is now initialized. Load the remainder into achTemp. // The remainder is repeated to fill achTemp. // // The corresponding character from Keys is taken to seperate // each repitition. // // As an example, take the remainder "ABCDEFG". The remainder is expanded // to "ABCDEFGwABCDEFGxABCDEFGyABCDEFGz" where w is Keys[7], // x is Keys[15], y is Keys[23] and z is Keys[31]. // // if (iPasswordLen > 0) { int iPasswordOffset = 0; for (iTempIndex = 0; iTempIndex < 32; iTempIndex++) { if (iPasswordLen == iPasswordOffset) { iPasswordOffset = 0; achTemp[iTempIndex] ^= Keys[iTempIndex]; } else { achTemp[iTempIndex] ^= szUpperPassword[iPasswordOffset++]; } } } // // achTemp has been loaded with the users password packed into 32 // bytes. Now take the objectid that came from the server and use // that to munge every byte in achTemp. // for (iTempIndex = 0; iTempIndex < 32; iTempIndex++) achTemp[iTempIndex] ^= achObjectId[ iTempIndex & 3]; Scramble( Scramble( 0, achTemp ), achTemp ); // // Finally take pairs of bytes in achTemp and return the two // nibbles obtained from Table. The pairs of bytes used // are achTemp[n] and achTemp[n+16]. // for (iOutputIndex = 0; iOutputIndex < 16; iOutputIndex++) { achOutputBuffer[iOutputIndex] = Table[achTemp[iOutputIndex << 1]] | (Table[achTemp[(iOutputIndex << 1) + 1]] << 4); } return; } int Scramble( int iSeed, UCHAR achBuffer[32] ) /*++ Routine Description: This routine scrambles around the contents of the buffer. Each buffer position is updated to include the contents of at least two character positions plus an EncryptKey value. The buffer is processed left to right and so if a character position chooses to merge with a buffer position to its left then this buffer position will include bits derived from at least 3 bytes of the original buffer contents. Arguments: IN iSeed IN OUT achBuffer[32] Return Value: none. --*/ { int iBufferIndex; for (iBufferIndex = 0; iBufferIndex < 32; iBufferIndex++) { achBuffer[iBufferIndex] = (UCHAR)( ((UCHAR)(achBuffer[iBufferIndex] + iSeed)) ^ ((UCHAR)( achBuffer[(iBufferIndex+iSeed) & 31] - Keys[iBufferIndex] ))); iSeed += achBuffer[iBufferIndex]; } return iSeed; } NTSTATUS ReturnNetwareForm( const char * pszSecretValue, DWORD dwUserId, const WCHAR * pchNWPassword, UCHAR * pchEncryptedNWPassword ) /*++ Routine Description: This routine takes the ObjectId and encrypts it with the user supplied password to develop a credential for the intermediate form. Arguments: DWORD dwUserId - Supplies the 4 byte user's object id const WCHAR * pchNWPassword - Supplies the user's password UCHAR * pchEncryptedNWPassword - 16 characters where the result goes. Return Value: none. --*/ { DWORD dwStatus; DWORD chObjectId = SWAP_OBJECT_ID (dwUserId); UNICODE_STRING uniNWPassword; OEM_STRING oemNWPassword; // // shuffle actually uses 32 bytes, not just 16. It only returns 16 though. // UCHAR pszShuffledNWPassword[NT_OWF_PASSWORD_LENGTH * 2]; uniNWPassword.Buffer = (WCHAR *) pchNWPassword; uniNWPassword.Length = (USHORT)(lstrlenW (pchNWPassword)*sizeof(WCHAR)); uniNWPassword.MaximumLength = uniNWPassword.Length; if ((dwStatus = RtlUpcaseUnicodeStringToOemString (&oemNWPassword, &uniNWPassword, TRUE)) == STATUS_SUCCESS) { Shuffle((UCHAR *) &chObjectId, oemNWPassword.Buffer, oemNWPassword.Length, pszShuffledNWPassword); // Encrypt with LSA secret. dwStatus = RtlEncryptNtOwfPwdWithUserKey( (PNT_OWF_PASSWORD) pszShuffledNWPassword, (PUSER_SESSION_KEY) pszSecretValue, (PENCRYPTED_NT_OWF_PASSWORD) pchEncryptedNWPassword); } return (dwStatus); }