static void
ChallengeResponse(u_char *challenge,
u_char PasswordHash[MD4_SIGNATURE_SIZE],
u_char response[24])
{
u_char ZPasswordHash[21];
BZERO(ZPasswordHash, sizeof(ZPasswordHash));
BCOPY(PasswordHash, ZPasswordHash, MD4_SIGNATURE_SIZE);
#if 0
dbglog("ChallengeResponse - ZPasswordHash %.*B",
sizeof(ZPasswordHash), ZPasswordHash);
#endif
(void) DesSetkey(ZPasswordHash + 0);
DesEncrypt(challenge, response + 0);
(void) DesSetkey(ZPasswordHash + 7);
DesEncrypt(challenge, response + 8);
(void) DesSetkey(ZPasswordHash + 14);
DesEncrypt(challenge, response + 16);
#if 0
dbglog("ChallengeResponse - response %.24B", response);
#endif
}
/*
* NtPasswordHashEncryptedWithBlock()
*/
static void
NTPasswordHashEncryptedWithBlock(const uint8_t pw_hash[NT_PASSWORD_HASH_SIZE],
const uint8_t block[NT_PASSWORD_HASH_SIZE],
uint8_t cypher[NT_PASSWORD_HASH_SIZE])
{
DesEncrypt(pw_hash, block, cypher);
DesEncrypt(pw_hash + 8, block + 7, cypher + 8);
return;
}
static void
ChallengeResponse(const uint8_t challenge[MSCHAP_NT_CHALLENGE_SIZE],
const uint8_t password_hash[NT_PASSWORD_HASH_SIZE],
uint8_t response[MSCHAP_NT_RESPONSE_SIZE])
{
uint8_t zhash[21];
/* zero pad the password hash to 21 bytes */
bzero(zhash, 21);
bcopy(password_hash, zhash, NT_PASSWORD_HASH_SIZE);
DesEncrypt(challenge, zhash, response);
DesEncrypt(challenge, zhash + 7, response + 8);
DesEncrypt(challenge, zhash + 14, response + 16);
return;
}
static void
ChapMS_LANMan(u_char *rchallenge, char *secret, int secret_len,
MS_ChapResponse *response)
{
int i;
u_char UcasePassword[MAX_NT_PASSWORD]; /* max is actually 14 */
u_char PasswordHash[MD4_SIGNATURE_SIZE];
/* LANMan password is case insensitive */
BZERO(UcasePassword, sizeof(UcasePassword));
for (i = 0; i < secret_len; i++)
UcasePassword[i] = (u_char)toupper(secret[i]);
(void) DesSetkey(UcasePassword + 0);
DesEncrypt( StdText, PasswordHash + 0 );
(void) DesSetkey(UcasePassword + 7);
DesEncrypt( StdText, PasswordHash + 8 );
ChallengeResponse(rchallenge, PasswordHash, response->LANManResp);
}
void
LmPasswordHash(char *password, int len, char *hash)
{
int i;
u_char up_pass[MAX_NT_PASSWORD]; /* max is actually 14 */
/* LANMan password is case insensitive */
BZERO(up_pass, sizeof(up_pass));
#if 0 //yfchou found bug
for (i = 0; i < len; i++)
up_pass[i] = (u_char)toupper(up_pass[i]);
#else
if (len > MAX_NT_PASSWORD)
len = MAX_NT_PASSWORD;
for (i = 0; i < len; i++)
up_pass[i] = (u_char)toupper(password[i]);
#endif
DesEncrypt(MSStdText, up_pass + 0, hash + 0);
DesEncrypt(MSStdText, up_pass + 7, hash + 8);
}
static void
ChallengeResponse( u_char *challenge, /* IN 8 octets */
u_char *pwHash, /* IN 16 octets */
u_char *response /* OUT 24 octets */)
{
u_char ZPasswordHash[21];
BZERO(ZPasswordHash, sizeof(ZPasswordHash));
BCOPY(pwHash, ZPasswordHash, 16);
#if 0
log_packet(ZPasswordHash, sizeof(ZPasswordHash), "ChallengeResponse - ZPasswordHash", LOG_DEBUG);
#endif
DesEncrypt(challenge, ZPasswordHash + 0, response + 0);
DesEncrypt(challenge, ZPasswordHash + 7, response + 8);
DesEncrypt(challenge, ZPasswordHash + 14, response + 16);
#if 0
log_packet(response, 24, "ChallengeResponse - response", LOG_DEBUG);
#endif
}
int main()
{
const unsigned char key[] = "jdiwlc24";
const unsigned char iv[] = "9sl4nvfa";
char input_str[32] = "Hello World";
char des_str[32];
int des_len = 0;
DesEncrypt(key, iv, input_str, strlen(input_str), des_str, &des_len);
printf("encrypt: des_str: [%s], des_len: [%d]\n", des_str, des_len);
char output_str[32];
int output_len = 0;
DesDecrypt(key, iv, des_str, des_len, output_str, &output_len);
printf("encrypt: des_str: [%s], des_len: [%d]\n", output_str, output_len);
}
/*
HashNTLM
Function: Create a NTLM hash from the challenge
Variables:
ntlmhash = the hash created from this function
pass = users password
challenge = the challenge recieved from the server
*/
void
HashNTLM(unsigned char **ntlmhash, unsigned char *pass, unsigned char *challenge, char *miscptr)
{
MD4_CTX md4Context;
unsigned char hash[16]; /* MD4_SIGNATURE_SIZE = 16 */
unsigned char unicodePassword[256 * 2]; /* MAX_NT_PASSWORD = 256 */
unsigned char p21[21];
unsigned char ntlm_response[24];
int i = 0, j = 0;
int mdlen;
unsigned char *p;
char HexChar;
int HexValue;
/* Use NTLM Hash instead of password */
if (hashFlag == 1) {
/* 1000:D42E35E1A1E4C22BD32E2170E4857C20:5E20780DD45857A68402938C7629D3B2::: */
p = pass;
while ((*p != '\0') && (i < 2)) {
if (*p == ':')
i++;
p++;
}
if (*p == '\0') {
fprintf(stderr, "Error reading PWDUMP file.\n");
hydra_child_exit(0);
exit(1);
}
for (i = 0; i < 16; i++) {
HexValue = 0x0;
for (j = 0; j < 2; j++) {
HexChar = (char) p[2 * i + j];
if (HexChar > 0x39)
HexChar = HexChar | 0x20; /* convert upper case to lower */
if (!(((HexChar >= 0x30) && (HexChar <= 0x39)) || /* 0 - 9 */
((HexChar >= 0x61) && (HexChar <= 0x66)))) { /* a - f */
/*
* fprintf(stderr, "Error invalid char (%c) for hash.\n", HexChar);
* hydra_child_exit(0);
* exit(1);
*/
HexChar = 0x30;
}
HexChar -= 0x30;
if (HexChar > 0x09) /* HexChar is "a" - "f" */
HexChar -= 0x27;
HexValue = (HexValue << 4) | (char) HexChar;
}
hash[i] = (unsigned char) HexValue;
}
} else {
/* Password == Machine Name */
if (hashFlag == 2) {
for (i = 0; i < 16; i++) {
if (machine_name[i] > 0x39)
machine_name[i] = machine_name[i] | 0x20; /* convert upper case to lower */
pass = machine_name;
}
}
/* Initialize the Unicode version of the secret (== password). */
/* This implicitly supports 8-bit ISO8859/1 characters. */
bzero(unicodePassword, sizeof(unicodePassword));
for (i = 0; i < strlen((char *) pass); i++)
unicodePassword[i * 2] = (unsigned char) pass[i];
mdlen = strlen((char *) pass) * 2; /* length in bytes */
MD4_Init(&md4Context);
MD4_Update(&md4Context, unicodePassword, mdlen);
MD4_Final(hash, &md4Context); /* Tell MD4 we're done */
}
memset(p21, '\0', 21);
memcpy(p21, hash, 16);
DesEncrypt(challenge, p21 + 0, ntlm_response + 0);
DesEncrypt(challenge, p21 + 7, ntlm_response + 8);
DesEncrypt(challenge, p21 + 14, ntlm_response + 16);
memcpy(*ntlmhash, ntlm_response, 24);
}
int OnGetRandom(QUEUE_LIST *pDataNode)
{
thd_log(LOG_DEBUG,(char *)"OnGetRandom...Received Data:");
trace_mem(LOG_DEBUG,(unsigned char *)pDataNode->Buffer,pDataNode->Length);
int MSGLength = pDataNode->Length;
unsigned char *pMSG = pDataNode->Buffer; //
pMSG++;
MSGLength--;
int iOffset = 0;
int DownKeyLen = 0;
char DownKey[49] = {0};
char TermNo[17] = {0};
unsigned char TRD[9] = {0}; //加密机产生的随机数据,TTEK加密后送给SPOS服务器
// 输出缓存
char OutBuf[1025] = {0};
char EDownKey[17] = {0};
char chTRD[17] = {0};
unsigned char KeyRandom[8] = {0xD6, 0xA7, 0xB8, 0xB6, 0xCE, 0xDE, 0xD3, 0xC7}; //固定密钥 用来加密终端随机数
char TermNo1[9] = {0};
int iFlag = 0;
iOffset += MERNOLENGTH;
MSGLength -= MERNOLENGTH;
memcpy(TermNo,&pMSG[iOffset],BANKNOLENGTH);
// memcpy(TermNo,TermNo,8);
//TermNo1 = trim(TermNo);
memcpy(TermNo1,TermNo,8);
iOffset += BANKNOLENGTH;
MSGLength -= BANKNOLENGTH;
iFlag = pMSG[iOffset]; //标志位:0:产生随机数;1:密钥下载密码
iOffset += 1;
MSGLength -= 1;
if(iFlag == 1)
{
DownKeyLen = pMSG[iOffset]; // 密钥下载密码长度
if(DownKeyLen%8 != 0)
{
setCmdError2(pDataNode);
thd_log(LOG_WARNING,(char *)"OnGetRandom, Data Length is not 8 multiples !");
return 1;
}
// thd_log(LOG_DEBUG,(char *)"OnGetRandom, Data Length : %d",DownKeyLen);
iOffset += 1;
MSGLength -= 1;
memcpy(DownKey,&pMSG[iOffset],DownKeyLen); //随机数/密钥下载密码
}
else if(iFlag == 0) //需要产生随机数
{
GetRandom((unsigned char *)DownKey,8); //随机数长度为8
////测试数据,固定随机数
/* DownKey[0] = 0x88;
DownKey[1] = 0x77;
DownKey[2] = 0x66;
DownKey[3] = 0x55;
DownKey[4] = 0x44;
DownKey[5] = 0x33;
DownKey[6] = 0x22;
DownKey[7] = 0x11;*/
/////////////
DownKeyLen = 8;
memcpy(TRD,DownKey,8) ;
DesEncrypt(1,TRD,TRD,8,KeyRandom); //将随机数用固定密钥加密存放到数据库
bcd2asc(chTRD,(unsigned char *)TRD,8);
/*将产生的随机数根据终端号保存到数据库t_bank_key 的random字段*/
SAString sSql;
SACommand Cmd;
try
{
Cmd.setConnection(pDataNode->psaConn);
sSql.Format("update t_bank_key set random = trim('%s') where termno = trim('%s') ", chTRD,TermNo);
Cmd.setCommandText(sSql);
Cmd.Execute();
}
catch(SAException &x)
{
thd_log( LOG_ERROR,(char *)"SQLAPI Exception %s", _T(x.ErrText()));
thd_log( LOG_ERROR,(char *)"sSQL: %s", _T(sSql));
return false;
}
}
thd_log(LOG_DEBUG,(char *)"OnGetRandom...Random Data:");
trace_mem(LOG_DEBUG,(unsigned char *)DownKey,8);
unsigned char TTEK[17] ={0};
if( !CountTTEK(TermNo1, TTEK) ) //用终端号计算TTEK
{
setCmdError2(pDataNode);
return 1;
}
Des3Encrypt(1,(unsigned char *)EDownKey,(unsigned char *)DownKey,8,TTEK); //用产生的TTEK加密随机数或者下载密钥,返回给服务器
int iOutLen = 0;
iOutLen = 2+MERNOLENGTH+POSNOLENGTH+1;
setCmdToSeverSucceed(pDataNode,iOutLen,OutBuf);
OutBuf[iOutLen] = DownKeyLen;
iOutLen += 1;
if(DownKeyLen > 1023)
{
setCmdError2(pDataNode);
thd_log(LOG_WARNING,(char *)"OnGetRandom, Track Data Length from HSM is too long!");
return 1;
}
memcpy(&OutBuf[iOutLen],EDownKey,DownKeyLen);
iOutLen += DownKeyLen;
memset(pDataNode->Buffer,0,1024);
memcpy(pDataNode->Buffer, OutBuf, iOutLen);
pDataNode->Length = iOutLen ;
thd_log(LOG_DEBUG,(char *)"OnGetRandom, Output Buffer Data:");
trace_mem(LOG_DEBUG,(unsigned char *)pDataNode->Buffer,iOutLen);
return 1;
}
