1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9: *
10: * This software is licensed as described in the file COPYING, which
11: * you should have received as part of this distribution. The terms
12: * are also available at https://curl.haxx.se/docs/copyright.html.
13: *
14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: * copies of the Software, and permit persons to whom the Software is
16: * furnished to do so, under the terms of the COPYING file.
17: *
18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: * KIND, either express or implied.
20: *
21: ***************************************************************************/
22:
23: #include "curl_setup.h"
24:
25: #if defined(USE_NTLM) && !defined(USE_WINDOWS_SSPI)
26:
27: /*
28: * NTLM details:
29: *
30: * https://davenport.sourceforge.io/ntlm.html
31: * https://www.innovation.ch/java/ntlm.html
32: */
33:
34: #define DEBUG_ME 0
35:
36: #include "urldata.h"
37: #include "non-ascii.h"
38: #include "sendf.h"
39: #include "curl_base64.h"
40: #include "curl_ntlm_core.h"
41: #include "curl_gethostname.h"
42: #include "curl_multibyte.h"
43: #include "curl_md5.h"
44: #include "warnless.h"
45: #include "rand.h"
46: #include "vtls/vtls.h"
47:
48: /* SSL backend-specific #if branches in this file must be kept in the order
49: documented in curl_ntlm_core. */
50: #if defined(NTLM_NEEDS_NSS_INIT)
51: #include "vtls/nssg.h" /* for Curl_nss_force_init() */
52: #endif
53:
54: #define BUILDING_CURL_NTLM_MSGS_C
55: #include "vauth/vauth.h"
56: #include "vauth/ntlm.h"
57: #include "curl_endian.h"
58: #include "curl_printf.h"
59:
60: /* The last #include files should be: */
61: #include "curl_memory.h"
62: #include "memdebug.h"
63:
64: /* "NTLMSSP" signature is always in ASCII regardless of the platform */
65: #define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
66:
67: #define SHORTPAIR(x) ((int)((x) & 0xff)), ((int)(((x) >> 8) & 0xff))
68: #define LONGQUARTET(x) ((int)((x) & 0xff)), ((int)(((x) >> 8) & 0xff)), \
69: ((int)(((x) >> 16) & 0xff)), ((int)(((x) >> 24) & 0xff))
70:
71: #if DEBUG_ME
72: # define DEBUG_OUT(x) x
73: static void ntlm_print_flags(FILE *handle, unsigned long flags)
74: {
75: if(flags & NTLMFLAG_NEGOTIATE_UNICODE)
76: fprintf(handle, "NTLMFLAG_NEGOTIATE_UNICODE ");
77: if(flags & NTLMFLAG_NEGOTIATE_OEM)
78: fprintf(handle, "NTLMFLAG_NEGOTIATE_OEM ");
79: if(flags & NTLMFLAG_REQUEST_TARGET)
80: fprintf(handle, "NTLMFLAG_REQUEST_TARGET ");
81: if(flags & (1<<3))
82: fprintf(handle, "NTLMFLAG_UNKNOWN_3 ");
83: if(flags & NTLMFLAG_NEGOTIATE_SIGN)
84: fprintf(handle, "NTLMFLAG_NEGOTIATE_SIGN ");
85: if(flags & NTLMFLAG_NEGOTIATE_SEAL)
86: fprintf(handle, "NTLMFLAG_NEGOTIATE_SEAL ");
87: if(flags & NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE)
88: fprintf(handle, "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE ");
89: if(flags & NTLMFLAG_NEGOTIATE_LM_KEY)
90: fprintf(handle, "NTLMFLAG_NEGOTIATE_LM_KEY ");
91: if(flags & NTLMFLAG_NEGOTIATE_NETWARE)
92: fprintf(handle, "NTLMFLAG_NEGOTIATE_NETWARE ");
93: if(flags & NTLMFLAG_NEGOTIATE_NTLM_KEY)
94: fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM_KEY ");
95: if(flags & (1<<10))
96: fprintf(handle, "NTLMFLAG_UNKNOWN_10 ");
97: if(flags & NTLMFLAG_NEGOTIATE_ANONYMOUS)
98: fprintf(handle, "NTLMFLAG_NEGOTIATE_ANONYMOUS ");
99: if(flags & NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED)
100: fprintf(handle, "NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED ");
101: if(flags & NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED)
102: fprintf(handle, "NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED ");
103: if(flags & NTLMFLAG_NEGOTIATE_LOCAL_CALL)
104: fprintf(handle, "NTLMFLAG_NEGOTIATE_LOCAL_CALL ");
105: if(flags & NTLMFLAG_NEGOTIATE_ALWAYS_SIGN)
106: fprintf(handle, "NTLMFLAG_NEGOTIATE_ALWAYS_SIGN ");
107: if(flags & NTLMFLAG_TARGET_TYPE_DOMAIN)
108: fprintf(handle, "NTLMFLAG_TARGET_TYPE_DOMAIN ");
109: if(flags & NTLMFLAG_TARGET_TYPE_SERVER)
110: fprintf(handle, "NTLMFLAG_TARGET_TYPE_SERVER ");
111: if(flags & NTLMFLAG_TARGET_TYPE_SHARE)
112: fprintf(handle, "NTLMFLAG_TARGET_TYPE_SHARE ");
113: if(flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY)
114: fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM2_KEY ");
115: if(flags & NTLMFLAG_REQUEST_INIT_RESPONSE)
116: fprintf(handle, "NTLMFLAG_REQUEST_INIT_RESPONSE ");
117: if(flags & NTLMFLAG_REQUEST_ACCEPT_RESPONSE)
118: fprintf(handle, "NTLMFLAG_REQUEST_ACCEPT_RESPONSE ");
119: if(flags & NTLMFLAG_REQUEST_NONNT_SESSION_KEY)
120: fprintf(handle, "NTLMFLAG_REQUEST_NONNT_SESSION_KEY ");
121: if(flags & NTLMFLAG_NEGOTIATE_TARGET_INFO)
122: fprintf(handle, "NTLMFLAG_NEGOTIATE_TARGET_INFO ");
123: if(flags & (1<<24))
124: fprintf(handle, "NTLMFLAG_UNKNOWN_24 ");
125: if(flags & (1<<25))
126: fprintf(handle, "NTLMFLAG_UNKNOWN_25 ");
127: if(flags & (1<<26))
128: fprintf(handle, "NTLMFLAG_UNKNOWN_26 ");
129: if(flags & (1<<27))
130: fprintf(handle, "NTLMFLAG_UNKNOWN_27 ");
131: if(flags & (1<<28))
132: fprintf(handle, "NTLMFLAG_UNKNOWN_28 ");
133: if(flags & NTLMFLAG_NEGOTIATE_128)
134: fprintf(handle, "NTLMFLAG_NEGOTIATE_128 ");
135: if(flags & NTLMFLAG_NEGOTIATE_KEY_EXCHANGE)
136: fprintf(handle, "NTLMFLAG_NEGOTIATE_KEY_EXCHANGE ");
137: if(flags & NTLMFLAG_NEGOTIATE_56)
138: fprintf(handle, "NTLMFLAG_NEGOTIATE_56 ");
139: }
140:
141: static void ntlm_print_hex(FILE *handle, const char *buf, size_t len)
142: {
143: const char *p = buf;
144:
145: (void) handle;
146:
147: fprintf(stderr, "0x");
148: while(len-- > 0)
149: fprintf(stderr, "%02.2x", (unsigned int)*p++);
150: }
151: #else
152: # define DEBUG_OUT(x) Curl_nop_stmt
153: #endif
154:
155: /*
156: * ntlm_decode_type2_target()
157: *
158: * This is used to decode the "target info" in the NTLM type-2 message
159: * received.
160: *
161: * Parameters:
162: *
163: * data [in] - The session handle.
164: * buffer [in] - The decoded type-2 message.
165: * size [in] - The input buffer size, at least 32 bytes.
166: * ntlm [in/out] - The NTLM data struct being used and modified.
167: *
168: * Returns CURLE_OK on success.
169: */
170: static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
171: unsigned char *buffer,
172: size_t size,
173: struct ntlmdata *ntlm)
174: {
175: unsigned short target_info_len = 0;
176: unsigned int target_info_offset = 0;
177:
178: #if defined(CURL_DISABLE_VERBOSE_STRINGS)
179: (void) data;
180: #endif
181:
182: if(size >= 48) {
183: target_info_len = Curl_read16_le(&buffer[40]);
184: target_info_offset = Curl_read32_le(&buffer[44]);
185: if(target_info_len > 0) {
186: if((target_info_offset >= size) ||
187: ((target_info_offset + target_info_len) > size) ||
188: (target_info_offset < 48)) {
189: infof(data, "NTLM handshake failure (bad type-2 message). "
190: "Target Info Offset Len is set incorrect by the peer\n");
191: return CURLE_BAD_CONTENT_ENCODING;
192: }
193:
194: ntlm->target_info = malloc(target_info_len);
195: if(!ntlm->target_info)
196: return CURLE_OUT_OF_MEMORY;
197:
198: memcpy(ntlm->target_info, &buffer[target_info_offset], target_info_len);
199: }
200: }
201:
202: ntlm->target_info_len = target_info_len;
203:
204: return CURLE_OK;
205: }
206:
207: /*
208: NTLM message structure notes:
209:
210: A 'short' is a 'network short', a little-endian 16-bit unsigned value.
211:
212: A 'long' is a 'network long', a little-endian, 32-bit unsigned value.
213:
214: A 'security buffer' represents a triplet used to point to a buffer,
215: consisting of two shorts and one long:
216:
217: 1. A 'short' containing the length of the buffer content in bytes.
218: 2. A 'short' containing the allocated space for the buffer in bytes.
219: 3. A 'long' containing the offset to the start of the buffer in bytes,
220: from the beginning of the NTLM message.
221: */
222:
223: /*
224: * Curl_auth_is_ntlm_supported()
225: *
226: * This is used to evaluate if NTLM is supported.
227: *
228: * Parameters: None
229: *
230: * Returns TRUE as NTLM as handled by libcurl.
231: */
232: bool Curl_auth_is_ntlm_supported(void)
233: {
234: return TRUE;
235: }
236:
237: /*
238: * Curl_auth_decode_ntlm_type2_message()
239: *
240: * This is used to decode an already encoded NTLM type-2 message. The message
241: * is first decoded from a base64 string into a raw NTLM message and checked
242: * for validity before the appropriate data for creating a type-3 message is
243: * written to the given NTLM data structure.
244: *
245: * Parameters:
246: *
247: * data [in] - The session handle.
248: * type2msg [in] - The base64 encoded type-2 message.
249: * ntlm [in/out] - The NTLM data struct being used and modified.
250: *
251: * Returns CURLE_OK on success.
252: */
253: CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
254: const char *type2msg,
255: struct ntlmdata *ntlm)
256: {
257: static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };
258:
259: /* NTLM type-2 message structure:
260:
261: Index Description Content
262: 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
263: (0x4e544c4d53535000)
264: 8 NTLM Message Type long (0x02000000)
265: 12 Target Name security buffer
266: 20 Flags long
267: 24 Challenge 8 bytes
268: (32) Context 8 bytes (two consecutive longs) (*)
269: (40) Target Information security buffer (*)
270: (48) OS Version Structure 8 bytes (*)
271: 32 (48) (56) Start of data block (*)
272: (*) -> Optional
273: */
274:
275: CURLcode result = CURLE_OK;
276: unsigned char *type2 = NULL;
277: size_t type2_len = 0;
278:
279: #if defined(NTLM_NEEDS_NSS_INIT)
280: /* Make sure the crypto backend is initialized */
281: result = Curl_nss_force_init(data);
282: if(result)
283: return result;
284: #elif defined(CURL_DISABLE_VERBOSE_STRINGS)
285: (void)data;
286: #endif
287:
288: /* Decode the base-64 encoded type-2 message */
289: if(strlen(type2msg) && *type2msg != '=') {
290: result = Curl_base64_decode(type2msg, &type2, &type2_len);
291: if(result)
292: return result;
293: }
294:
295: /* Ensure we have a valid type-2 message */
296: if(!type2) {
297: infof(data, "NTLM handshake failure (empty type-2 message)\n");
298: return CURLE_BAD_CONTENT_ENCODING;
299: }
300:
301: ntlm->flags = 0;
302:
303: if((type2_len < 32) ||
304: (memcmp(type2, NTLMSSP_SIGNATURE, 8) != 0) ||
305: (memcmp(type2 + 8, type2_marker, sizeof(type2_marker)) != 0)) {
306: /* This was not a good enough type-2 message */
307: free(type2);
308: infof(data, "NTLM handshake failure (bad type-2 message)\n");
309: return CURLE_BAD_CONTENT_ENCODING;
310: }
311:
312: ntlm->flags = Curl_read32_le(&type2[20]);
313: memcpy(ntlm->nonce, &type2[24], 8);
314:
315: if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
316: result = ntlm_decode_type2_target(data, type2, type2_len, ntlm);
317: if(result) {
318: free(type2);
319: infof(data, "NTLM handshake failure (bad type-2 message)\n");
320: return result;
321: }
322: }
323:
324: DEBUG_OUT({
325: fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ", ntlm->flags);
326: ntlm_print_flags(stderr, ntlm->flags);
327: fprintf(stderr, "\n nonce=");
328: ntlm_print_hex(stderr, (char *)ntlm->nonce, 8);
329: fprintf(stderr, "\n****\n");
330: fprintf(stderr, "**** Header %s\n ", header);
331: });
332:
333: free(type2);
334:
335: return result;
336: }
337:
338: /* copy the source to the destination and fill in zeroes in every
339: other destination byte! */
340: static void unicodecpy(unsigned char *dest, const char *src, size_t length)
341: {
342: size_t i;
343: for(i = 0; i < length; i++) {
344: dest[2 * i] = (unsigned char)src[i];
345: dest[2 * i + 1] = '\0';
346: }
347: }
348:
349: /*
350: * Curl_auth_create_ntlm_type1_message()
351: *
352: * This is used to generate an already encoded NTLM type-1 message ready for
353: * sending to the recipient using the appropriate compile time crypto API.
354: *
355: * Parameters:
356: *
357: * data [in] - The session handle.
358: * userp [in] - The user name in the format User or Domain\User.
359: * passwdp [in] - The user's password.
360: * service [in] - The service type such as http, smtp, pop or imap.
361: * host [in] - The host name.
362: * ntlm [in/out] - The NTLM data struct being used and modified.
363: * outptr [in/out] - The address where a pointer to newly allocated memory
364: * holding the result will be stored upon completion.
365: * outlen [out] - The length of the output message.
366: *
367: * Returns CURLE_OK on success.
368: */
369: CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
370: const char *userp,
371: const char *passwdp,
372: const char *service,
373: const char *hostname,
374: struct ntlmdata *ntlm,
375: char **outptr, size_t *outlen)
376: {
377: /* NTLM type-1 message structure:
378:
379: Index Description Content
380: 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
381: (0x4e544c4d53535000)
382: 8 NTLM Message Type long (0x01000000)
383: 12 Flags long
384: (16) Supplied Domain security buffer (*)
385: (24) Supplied Workstation security buffer (*)
386: (32) OS Version Structure 8 bytes (*)
387: (32) (40) Start of data block (*)
388: (*) -> Optional
389: */
390:
391: size_t size;
392:
393: unsigned char ntlmbuf[NTLM_BUFSIZE];
394: const char *host = ""; /* empty */
395: const char *domain = ""; /* empty */
396: size_t hostlen = 0;
397: size_t domlen = 0;
398: size_t hostoff = 0;
399: size_t domoff = hostoff + hostlen; /* This is 0: remember that host and
400: domain are empty */
401: (void)userp;
402: (void)passwdp;
403: (void)service,
404: (void)hostname,
405:
406: /* Clean up any former leftovers and initialise to defaults */
407: Curl_auth_cleanup_ntlm(ntlm);
408:
409: #if defined(USE_NTRESPONSES) && defined(USE_NTLM2SESSION)
410: #define NTLM2FLAG NTLMFLAG_NEGOTIATE_NTLM2_KEY
411: #else
412: #define NTLM2FLAG 0
413: #endif
414: msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
415: NTLMSSP_SIGNATURE "%c"
416: "\x01%c%c%c" /* 32-bit type = 1 */
417: "%c%c%c%c" /* 32-bit NTLM flag field */
418: "%c%c" /* domain length */
419: "%c%c" /* domain allocated space */
420: "%c%c" /* domain name offset */
421: "%c%c" /* 2 zeroes */
422: "%c%c" /* host length */
423: "%c%c" /* host allocated space */
424: "%c%c" /* host name offset */
425: "%c%c" /* 2 zeroes */
426: "%s" /* host name */
427: "%s", /* domain string */
428: 0, /* trailing zero */
429: 0, 0, 0, /* part of type-1 long */
430:
431: LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM |
432: NTLMFLAG_REQUEST_TARGET |
433: NTLMFLAG_NEGOTIATE_NTLM_KEY |
434: NTLM2FLAG |
435: NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
436: SHORTPAIR(domlen),
437: SHORTPAIR(domlen),
438: SHORTPAIR(domoff),
439: 0, 0,
440: SHORTPAIR(hostlen),
441: SHORTPAIR(hostlen),
442: SHORTPAIR(hostoff),
443: 0, 0,
444: host, /* this is empty */
445: domain /* this is empty */);
446:
447: /* Initial packet length */
448: size = 32 + hostlen + domlen;
449:
450: DEBUG_OUT({
451: fprintf(stderr, "* TYPE1 header flags=0x%02.2x%02.2x%02.2x%02.2x "
452: "0x%08.8x ",
453: LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM |
454: NTLMFLAG_REQUEST_TARGET |
455: NTLMFLAG_NEGOTIATE_NTLM_KEY |
456: NTLM2FLAG |
457: NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
458: NTLMFLAG_NEGOTIATE_OEM |
459: NTLMFLAG_REQUEST_TARGET |
460: NTLMFLAG_NEGOTIATE_NTLM_KEY |
461: NTLM2FLAG |
462: NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
463: ntlm_print_flags(stderr,
464: NTLMFLAG_NEGOTIATE_OEM |
465: NTLMFLAG_REQUEST_TARGET |
466: NTLMFLAG_NEGOTIATE_NTLM_KEY |
467: NTLM2FLAG |
468: NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
469: fprintf(stderr, "\n****\n");
470: });
471:
472: /* Return with binary blob encoded into base64 */
473: return Curl_base64_encode(data, (char *)ntlmbuf, size, outptr, outlen);
474: }
475:
476: /*
477: * Curl_auth_create_ntlm_type3_message()
478: *
479: * This is used to generate an already encoded NTLM type-3 message ready for
480: * sending to the recipient using the appropriate compile time crypto API.
481: *
482: * Parameters:
483: *
484: * data [in] - The session handle.
485: * userp [in] - The user name in the format User or Domain\User.
486: * passwdp [in] - The user's password.
487: * ntlm [in/out] - The NTLM data struct being used and modified.
488: * outptr [in/out] - The address where a pointer to newly allocated memory
489: * holding the result will be stored upon completion.
490: * outlen [out] - The length of the output message.
491: *
492: * Returns CURLE_OK on success.
493: */
494: CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
495: const char *userp,
496: const char *passwdp,
497: struct ntlmdata *ntlm,
498: char **outptr, size_t *outlen)
499:
500: {
501: /* NTLM type-3 message structure:
502:
503: Index Description Content
504: 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
505: (0x4e544c4d53535000)
506: 8 NTLM Message Type long (0x03000000)
507: 12 LM/LMv2 Response security buffer
508: 20 NTLM/NTLMv2 Response security buffer
509: 28 Target Name security buffer
510: 36 User Name security buffer
511: 44 Workstation Name security buffer
512: (52) Session Key security buffer (*)
513: (60) Flags long (*)
514: (64) OS Version Structure 8 bytes (*)
515: 52 (64) (72) Start of data block
516: (*) -> Optional
517: */
518:
519: CURLcode result = CURLE_OK;
520: size_t size;
521: unsigned char ntlmbuf[NTLM_BUFSIZE];
522: int lmrespoff;
523: unsigned char lmresp[24]; /* fixed-size */
524: #ifdef USE_NTRESPONSES
525: int ntrespoff;
526: unsigned int ntresplen = 24;
527: unsigned char ntresp[24]; /* fixed-size */
528: unsigned char *ptr_ntresp = &ntresp[0];
529: unsigned char *ntlmv2resp = NULL;
530: #endif
531: bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
532: char host[HOSTNAME_MAX + 1] = "";
533: const char *user;
534: const char *domain = "";
535: size_t hostoff = 0;
536: size_t useroff = 0;
537: size_t domoff = 0;
538: size_t hostlen = 0;
539: size_t userlen = 0;
540: size_t domlen = 0;
541:
542: user = strchr(userp, '\\');
543: if(!user)
544: user = strchr(userp, '/');
545:
546: if(user) {
547: domain = userp;
548: domlen = (user - domain);
549: user++;
550: }
551: else
552: user = userp;
553:
554: userlen = strlen(user);
555:
556: /* Get the machine's un-qualified host name as NTLM doesn't like the fully
557: qualified domain name */
558: if(Curl_gethostname(host, sizeof(host))) {
559: infof(data, "gethostname() failed, continuing without!\n");
560: hostlen = 0;
561: }
562: else {
563: hostlen = strlen(host);
564: }
565:
566: #if defined(USE_NTRESPONSES) && defined(USE_NTLM_V2)
567: if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
568: unsigned char ntbuffer[0x18];
569: unsigned char entropy[8];
570: unsigned char ntlmv2hash[0x18];
571:
572: result = Curl_rand(data, entropy, 8);
573: if(result)
574: return result;
575:
576: result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
577: if(result)
578: return result;
579:
580: result = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
581: ntbuffer, ntlmv2hash);
582: if(result)
583: return result;
584:
585: /* LMv2 response */
586: result = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash, entropy,
587: &ntlm->nonce[0], lmresp);
588: if(result)
589: return result;
590:
591: /* NTLMv2 response */
592: result = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash, entropy,
593: ntlm, &ntlmv2resp, &ntresplen);
594: if(result)
595: return result;
596:
597: ptr_ntresp = ntlmv2resp;
598: }
599: else
600: #endif
601:
602: #if defined(USE_NTRESPONSES) && defined(USE_NTLM2SESSION)
603: /* We don't support NTLM2 if we don't have USE_NTRESPONSES */
604: if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM_KEY) {
605: unsigned char ntbuffer[0x18];
606: unsigned char tmp[0x18];
607: unsigned char md5sum[MD5_DIGEST_LENGTH];
608: unsigned char entropy[8];
609:
610: /* Need to create 8 bytes random data */
611: result = Curl_rand(data, entropy, 8);
612: if(result)
613: return result;
614:
615: /* 8 bytes random data as challenge in lmresp */
616: memcpy(lmresp, entropy, 8);
617:
618: /* Pad with zeros */
619: memset(lmresp + 8, 0, 0x10);
620:
621: /* Fill tmp with challenge(nonce?) + entropy */
622: memcpy(tmp, &ntlm->nonce[0], 8);
623: memcpy(tmp + 8, entropy, 8);
624:
625: Curl_md5it(md5sum, tmp, 16);
626:
627: /* We shall only use the first 8 bytes of md5sum, but the des code in
628: Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
629: result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
630: if(result)
631: return result;
632:
633: Curl_ntlm_core_lm_resp(ntbuffer, md5sum, ntresp);
634:
635: /* End of NTLM2 Session code */
636: /* NTLM v2 session security is a misnomer because it is not NTLM v2.
637: It is NTLM v1 using the extended session security that is also
638: in NTLM v2 */
639: }
640: else
641: #endif
642: {
643:
644: #ifdef USE_NTRESPONSES
645: unsigned char ntbuffer[0x18];
646: #endif
647: unsigned char lmbuffer[0x18];
648:
649: #ifdef USE_NTRESPONSES
650: result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
651: if(result)
652: return result;
653:
654: Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], ntresp);
655: #endif
656:
657: result = Curl_ntlm_core_mk_lm_hash(data, passwdp, lmbuffer);
658: if(result)
659: return result;
660:
661: Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
662:
663: /* A safer but less compatible alternative is:
664: * Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
665: * See https://davenport.sourceforge.io/ntlm.html#ntlmVersion2 */
666: }
667:
668: if(unicode) {
669: domlen = domlen * 2;
670: userlen = userlen * 2;
671: hostlen = hostlen * 2;
672: }
673:
674: lmrespoff = 64; /* size of the message header */
675: #ifdef USE_NTRESPONSES
676: ntrespoff = lmrespoff + 0x18;
677: domoff = ntrespoff + ntresplen;
678: #else
679: domoff = lmrespoff + 0x18;
680: #endif
681: useroff = domoff + domlen;
682: hostoff = useroff + userlen;
683:
684: /* Create the big type-3 message binary blob */
685: size = msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
686: NTLMSSP_SIGNATURE "%c"
687: "\x03%c%c%c" /* 32-bit type = 3 */
688:
689: "%c%c" /* LanManager length */
690: "%c%c" /* LanManager allocated space */
691: "%c%c" /* LanManager offset */
692: "%c%c" /* 2 zeroes */
693:
694: "%c%c" /* NT-response length */
695: "%c%c" /* NT-response allocated space */
696: "%c%c" /* NT-response offset */
697: "%c%c" /* 2 zeroes */
698:
699: "%c%c" /* domain length */
700: "%c%c" /* domain allocated space */
701: "%c%c" /* domain name offset */
702: "%c%c" /* 2 zeroes */
703:
704: "%c%c" /* user length */
705: "%c%c" /* user allocated space */
706: "%c%c" /* user offset */
707: "%c%c" /* 2 zeroes */
708:
709: "%c%c" /* host length */
710: "%c%c" /* host allocated space */
711: "%c%c" /* host offset */
712: "%c%c" /* 2 zeroes */
713:
714: "%c%c" /* session key length (unknown purpose) */
715: "%c%c" /* session key allocated space (unknown purpose) */
716: "%c%c" /* session key offset (unknown purpose) */
717: "%c%c" /* 2 zeroes */
718:
719: "%c%c%c%c", /* flags */
720:
721: /* domain string */
722: /* user string */
723: /* host string */
724: /* LanManager response */
725: /* NT response */
726:
727: 0, /* zero termination */
728: 0, 0, 0, /* type-3 long, the 24 upper bits */
729:
730: SHORTPAIR(0x18), /* LanManager response length, twice */
731: SHORTPAIR(0x18),
732: SHORTPAIR(lmrespoff),
733: 0x0, 0x0,
734:
735: #ifdef USE_NTRESPONSES
736: SHORTPAIR(ntresplen), /* NT-response length, twice */
737: SHORTPAIR(ntresplen),
738: SHORTPAIR(ntrespoff),
739: 0x0, 0x0,
740: #else
741: 0x0, 0x0,
742: 0x0, 0x0,
743: 0x0, 0x0,
744: 0x0, 0x0,
745: #endif
746: SHORTPAIR(domlen),
747: SHORTPAIR(domlen),
748: SHORTPAIR(domoff),
749: 0x0, 0x0,
750:
751: SHORTPAIR(userlen),
752: SHORTPAIR(userlen),
753: SHORTPAIR(useroff),
754: 0x0, 0x0,
755:
756: SHORTPAIR(hostlen),
757: SHORTPAIR(hostlen),
758: SHORTPAIR(hostoff),
759: 0x0, 0x0,
760:
761: 0x0, 0x0,
762: 0x0, 0x0,
763: 0x0, 0x0,
764: 0x0, 0x0,
765:
766: LONGQUARTET(ntlm->flags));
767:
768: DEBUGASSERT(size == 64);
769: DEBUGASSERT(size == (size_t)lmrespoff);
770:
771: /* We append the binary hashes */
772: if(size < (NTLM_BUFSIZE - 0x18)) {
773: memcpy(&ntlmbuf[size], lmresp, 0x18);
774: size += 0x18;
775: }
776:
777: DEBUG_OUT({
778: fprintf(stderr, "**** TYPE3 header lmresp=");
779: ntlm_print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18);
780: });
781:
782: #ifdef USE_NTRESPONSES
783: /* ntresplen + size should not be risking an integer overflow here */
784: if(ntresplen + size > sizeof(ntlmbuf)) {
785: failf(data, "incoming NTLM message too big");
786: return CURLE_OUT_OF_MEMORY;
787: }
788: DEBUGASSERT(size == (size_t)ntrespoff);
789: memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
790: size += ntresplen;
791:
792: DEBUG_OUT({
793: fprintf(stderr, "\n ntresp=");
794: ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
795: });
796:
797: free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
798:
799: #endif
800:
801: DEBUG_OUT({
802: fprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
803: LONGQUARTET(ntlm->flags), ntlm->flags);
804: ntlm_print_flags(stderr, ntlm->flags);
805: fprintf(stderr, "\n****\n");
806: });
807:
808: /* Make sure that the domain, user and host strings fit in the
809: buffer before we copy them there. */
810: if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) {
811: failf(data, "user + domain + host name too big");
812: return CURLE_OUT_OF_MEMORY;
813: }
814:
815: DEBUGASSERT(size == domoff);
816: if(unicode)
817: unicodecpy(&ntlmbuf[size], domain, domlen / 2);
818: else
819: memcpy(&ntlmbuf[size], domain, domlen);
820:
821: size += domlen;
822:
823: DEBUGASSERT(size == useroff);
824: if(unicode)
825: unicodecpy(&ntlmbuf[size], user, userlen / 2);
826: else
827: memcpy(&ntlmbuf[size], user, userlen);
828:
829: size += userlen;
830:
831: DEBUGASSERT(size == hostoff);
832: if(unicode)
833: unicodecpy(&ntlmbuf[size], host, hostlen / 2);
834: else
835: memcpy(&ntlmbuf[size], host, hostlen);
836:
837: size += hostlen;
838:
839: /* Convert domain, user, and host to ASCII but leave the rest as-is */
840: result = Curl_convert_to_network(data, (char *)&ntlmbuf[domoff],
841: size - domoff);
842: if(result)
843: return CURLE_CONV_FAILED;
844:
845: /* Return with binary blob encoded into base64 */
846: result = Curl_base64_encode(data, (char *)ntlmbuf, size, outptr, outlen);
847:
848: Curl_auth_cleanup_ntlm(ntlm);
849:
850: return result;
851: }
852:
853: /*
854: * Curl_auth_cleanup_ntlm()
855: *
856: * This is used to clean up the NTLM specific data.
857: *
858: * Parameters:
859: *
860: * ntlm [in/out] - The NTLM data struct being cleaned up.
861: *
862: */
863: void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
864: {
865: /* Free the target info */
866: Curl_safefree(ntlm->target_info);
867:
868: /* Reset any variables */
869: ntlm->target_info_len = 0;
870: }
871:
872: #endif /* USE_NTLM && !USE_WINDOWS_SSPI */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ntlm.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vauth