ntlm.c 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if defined(USE_NTLM) && !defined(USE_WINDOWS_SSPI)
  26. /*
  27. * NTLM details:
  28. *
  29. * https://davenport.sourceforge.net/ntlm.html
  30. * https://www.innovation.ch/java/ntlm.html
  31. */
  32. #define DEBUG_ME 0
  33. #include "urldata.h"
  34. #include "sendf.h"
  35. #include "curl_ntlm_core.h"
  36. #include "curl_gethostname.h"
  37. #include "curl_multibyte.h"
  38. #include "curl_md5.h"
  39. #include "warnless.h"
  40. #include "rand.h"
  41. #include "vtls/vtls.h"
  42. #define BUILDING_CURL_NTLM_MSGS_C
  43. #include "vauth/vauth.h"
  44. #include "vauth/ntlm.h"
  45. #include "curl_endian.h"
  46. #include "curl_printf.h"
  47. /* The last #include files should be: */
  48. #include "curl_memory.h"
  49. #include "memdebug.h"
  50. /* "NTLMSSP" signature is always in ASCII regardless of the platform */
  51. #define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
  52. /* The fixed host name we provide, in order to not leak our real local host
  53. name. Copy the name used by Firefox. */
  54. #define NTLM_HOSTNAME "WORKSTATION"
  55. #if DEBUG_ME
  56. # define DEBUG_OUT(x) x
  57. static void ntlm_print_flags(FILE *handle, unsigned long flags)
  58. {
  59. if(flags & NTLMFLAG_NEGOTIATE_UNICODE)
  60. fprintf(handle, "NTLMFLAG_NEGOTIATE_UNICODE ");
  61. if(flags & NTLMFLAG_NEGOTIATE_OEM)
  62. fprintf(handle, "NTLMFLAG_NEGOTIATE_OEM ");
  63. if(flags & NTLMFLAG_REQUEST_TARGET)
  64. fprintf(handle, "NTLMFLAG_REQUEST_TARGET ");
  65. if(flags & (1<<3))
  66. fprintf(handle, "NTLMFLAG_UNKNOWN_3 ");
  67. if(flags & NTLMFLAG_NEGOTIATE_SIGN)
  68. fprintf(handle, "NTLMFLAG_NEGOTIATE_SIGN ");
  69. if(flags & NTLMFLAG_NEGOTIATE_SEAL)
  70. fprintf(handle, "NTLMFLAG_NEGOTIATE_SEAL ");
  71. if(flags & NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE)
  72. fprintf(handle, "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE ");
  73. if(flags & NTLMFLAG_NEGOTIATE_LM_KEY)
  74. fprintf(handle, "NTLMFLAG_NEGOTIATE_LM_KEY ");
  75. if(flags & NTLMFLAG_NEGOTIATE_NTLM_KEY)
  76. fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM_KEY ");
  77. if(flags & (1<<10))
  78. fprintf(handle, "NTLMFLAG_UNKNOWN_10 ");
  79. if(flags & NTLMFLAG_NEGOTIATE_ANONYMOUS)
  80. fprintf(handle, "NTLMFLAG_NEGOTIATE_ANONYMOUS ");
  81. if(flags & NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED)
  82. fprintf(handle, "NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED ");
  83. if(flags & NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED)
  84. fprintf(handle, "NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED ");
  85. if(flags & NTLMFLAG_NEGOTIATE_LOCAL_CALL)
  86. fprintf(handle, "NTLMFLAG_NEGOTIATE_LOCAL_CALL ");
  87. if(flags & NTLMFLAG_NEGOTIATE_ALWAYS_SIGN)
  88. fprintf(handle, "NTLMFLAG_NEGOTIATE_ALWAYS_SIGN ");
  89. if(flags & NTLMFLAG_TARGET_TYPE_DOMAIN)
  90. fprintf(handle, "NTLMFLAG_TARGET_TYPE_DOMAIN ");
  91. if(flags & NTLMFLAG_TARGET_TYPE_SERVER)
  92. fprintf(handle, "NTLMFLAG_TARGET_TYPE_SERVER ");
  93. if(flags & NTLMFLAG_TARGET_TYPE_SHARE)
  94. fprintf(handle, "NTLMFLAG_TARGET_TYPE_SHARE ");
  95. if(flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY)
  96. fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM2_KEY ");
  97. if(flags & NTLMFLAG_REQUEST_INIT_RESPONSE)
  98. fprintf(handle, "NTLMFLAG_REQUEST_INIT_RESPONSE ");
  99. if(flags & NTLMFLAG_REQUEST_ACCEPT_RESPONSE)
  100. fprintf(handle, "NTLMFLAG_REQUEST_ACCEPT_RESPONSE ");
  101. if(flags & NTLMFLAG_REQUEST_NONNT_SESSION_KEY)
  102. fprintf(handle, "NTLMFLAG_REQUEST_NONNT_SESSION_KEY ");
  103. if(flags & NTLMFLAG_NEGOTIATE_TARGET_INFO)
  104. fprintf(handle, "NTLMFLAG_NEGOTIATE_TARGET_INFO ");
  105. if(flags & (1<<24))
  106. fprintf(handle, "NTLMFLAG_UNKNOWN_24 ");
  107. if(flags & (1<<25))
  108. fprintf(handle, "NTLMFLAG_UNKNOWN_25 ");
  109. if(flags & (1<<26))
  110. fprintf(handle, "NTLMFLAG_UNKNOWN_26 ");
  111. if(flags & (1<<27))
  112. fprintf(handle, "NTLMFLAG_UNKNOWN_27 ");
  113. if(flags & (1<<28))
  114. fprintf(handle, "NTLMFLAG_UNKNOWN_28 ");
  115. if(flags & NTLMFLAG_NEGOTIATE_128)
  116. fprintf(handle, "NTLMFLAG_NEGOTIATE_128 ");
  117. if(flags & NTLMFLAG_NEGOTIATE_KEY_EXCHANGE)
  118. fprintf(handle, "NTLMFLAG_NEGOTIATE_KEY_EXCHANGE ");
  119. if(flags & NTLMFLAG_NEGOTIATE_56)
  120. fprintf(handle, "NTLMFLAG_NEGOTIATE_56 ");
  121. }
  122. static void ntlm_print_hex(FILE *handle, const char *buf, size_t len)
  123. {
  124. const char *p = buf;
  125. (void) handle;
  126. fprintf(stderr, "0x");
  127. while(len-- > 0)
  128. fprintf(stderr, "%02.2x", (unsigned int)*p++);
  129. }
  130. #else
  131. # define DEBUG_OUT(x) Curl_nop_stmt
  132. #endif
  133. /*
  134. * ntlm_decode_type2_target()
  135. *
  136. * This is used to decode the "target info" in the NTLM type-2 message
  137. * received.
  138. *
  139. * Parameters:
  140. *
  141. * data [in] - The session handle.
  142. * type2ref [in] - The type-2 message.
  143. * ntlm [in/out] - The NTLM data struct being used and modified.
  144. *
  145. * Returns CURLE_OK on success.
  146. */
  147. static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
  148. const struct bufref *type2ref,
  149. struct ntlmdata *ntlm)
  150. {
  151. unsigned short target_info_len = 0;
  152. unsigned int target_info_offset = 0;
  153. const unsigned char *type2 = Curl_bufref_ptr(type2ref);
  154. size_t type2len = Curl_bufref_len(type2ref);
  155. #if defined(CURL_DISABLE_VERBOSE_STRINGS)
  156. (void) data;
  157. #endif
  158. if(type2len >= 48) {
  159. target_info_len = Curl_read16_le(&type2[40]);
  160. target_info_offset = Curl_read32_le(&type2[44]);
  161. if(target_info_len > 0) {
  162. if((target_info_offset > type2len) ||
  163. (target_info_offset + target_info_len) > type2len ||
  164. target_info_offset < 48) {
  165. infof(data, "NTLM handshake failure (bad type-2 message). "
  166. "Target Info Offset Len is set incorrect by the peer");
  167. return CURLE_BAD_CONTENT_ENCODING;
  168. }
  169. free(ntlm->target_info); /* replace any previous data */
  170. ntlm->target_info = malloc(target_info_len);
  171. if(!ntlm->target_info)
  172. return CURLE_OUT_OF_MEMORY;
  173. memcpy(ntlm->target_info, &type2[target_info_offset], target_info_len);
  174. }
  175. }
  176. ntlm->target_info_len = target_info_len;
  177. return CURLE_OK;
  178. }
  179. /*
  180. NTLM message structure notes:
  181. A 'short' is a 'network short', a little-endian 16-bit unsigned value.
  182. A 'long' is a 'network long', a little-endian, 32-bit unsigned value.
  183. A 'security buffer' represents a triplet used to point to a buffer,
  184. consisting of two shorts and one long:
  185. 1. A 'short' containing the length of the buffer content in bytes.
  186. 2. A 'short' containing the allocated space for the buffer in bytes.
  187. 3. A 'long' containing the offset to the start of the buffer in bytes,
  188. from the beginning of the NTLM message.
  189. */
  190. /*
  191. * Curl_auth_is_ntlm_supported()
  192. *
  193. * This is used to evaluate if NTLM is supported.
  194. *
  195. * Parameters: None
  196. *
  197. * Returns TRUE as NTLM as handled by libcurl.
  198. */
  199. bool Curl_auth_is_ntlm_supported(void)
  200. {
  201. return TRUE;
  202. }
  203. /*
  204. * Curl_auth_decode_ntlm_type2_message()
  205. *
  206. * This is used to decode an NTLM type-2 message. The raw NTLM message is
  207. * checked * for validity before the appropriate data for creating a type-3
  208. * message is * written to the given NTLM data structure.
  209. *
  210. * Parameters:
  211. *
  212. * data [in] - The session handle.
  213. * type2ref [in] - The type-2 message.
  214. * ntlm [in/out] - The NTLM data struct being used and modified.
  215. *
  216. * Returns CURLE_OK on success.
  217. */
  218. CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
  219. const struct bufref *type2ref,
  220. struct ntlmdata *ntlm)
  221. {
  222. static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };
  223. /* NTLM type-2 message structure:
  224. Index Description Content
  225. 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
  226. (0x4e544c4d53535000)
  227. 8 NTLM Message Type long (0x02000000)
  228. 12 Target Name security buffer
  229. 20 Flags long
  230. 24 Challenge 8 bytes
  231. (32) Context 8 bytes (two consecutive longs) (*)
  232. (40) Target Information security buffer (*)
  233. (48) OS Version Structure 8 bytes (*)
  234. 32 (48) (56) Start of data block (*)
  235. (*) -> Optional
  236. */
  237. CURLcode result = CURLE_OK;
  238. const unsigned char *type2 = Curl_bufref_ptr(type2ref);
  239. size_t type2len = Curl_bufref_len(type2ref);
  240. #if defined(CURL_DISABLE_VERBOSE_STRINGS)
  241. (void)data;
  242. #endif
  243. ntlm->flags = 0;
  244. if((type2len < 32) ||
  245. (memcmp(type2, NTLMSSP_SIGNATURE, 8) != 0) ||
  246. (memcmp(type2 + 8, type2_marker, sizeof(type2_marker)) != 0)) {
  247. /* This was not a good enough type-2 message */
  248. infof(data, "NTLM handshake failure (bad type-2 message)");
  249. return CURLE_BAD_CONTENT_ENCODING;
  250. }
  251. ntlm->flags = Curl_read32_le(&type2[20]);
  252. memcpy(ntlm->nonce, &type2[24], 8);
  253. if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
  254. result = ntlm_decode_type2_target(data, type2ref, ntlm);
  255. if(result) {
  256. infof(data, "NTLM handshake failure (bad type-2 message)");
  257. return result;
  258. }
  259. }
  260. DEBUG_OUT({
  261. fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ", ntlm->flags);
  262. ntlm_print_flags(stderr, ntlm->flags);
  263. fprintf(stderr, "\n nonce=");
  264. ntlm_print_hex(stderr, (char *)ntlm->nonce, 8);
  265. fprintf(stderr, "\n****\n");
  266. fprintf(stderr, "**** Header %s\n ", header);
  267. });
  268. return result;
  269. }
  270. /* copy the source to the destination and fill in zeroes in every
  271. other destination byte! */
  272. static void unicodecpy(unsigned char *dest, const char *src, size_t length)
  273. {
  274. size_t i;
  275. for(i = 0; i < length; i++) {
  276. dest[2 * i] = (unsigned char)src[i];
  277. dest[2 * i + 1] = '\0';
  278. }
  279. }
  280. /*
  281. * Curl_auth_create_ntlm_type1_message()
  282. *
  283. * This is used to generate an NTLM type-1 message ready for sending to the
  284. * recipient using the appropriate compile time crypto API.
  285. *
  286. * Parameters:
  287. *
  288. * data [in] - The session handle.
  289. * userp [in] - The user name in the format User or Domain\User.
  290. * passwdp [in] - The user's password.
  291. * service [in] - The service type such as http, smtp, pop or imap.
  292. * host [in] - The host name.
  293. * ntlm [in/out] - The NTLM data struct being used and modified.
  294. * out [out] - The result storage.
  295. *
  296. * Returns CURLE_OK on success.
  297. */
  298. CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
  299. const char *userp,
  300. const char *passwdp,
  301. const char *service,
  302. const char *hostname,
  303. struct ntlmdata *ntlm,
  304. struct bufref *out)
  305. {
  306. /* NTLM type-1 message structure:
  307. Index Description Content
  308. 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
  309. (0x4e544c4d53535000)
  310. 8 NTLM Message Type long (0x01000000)
  311. 12 Flags long
  312. (16) Supplied Domain security buffer (*)
  313. (24) Supplied Workstation security buffer (*)
  314. (32) OS Version Structure 8 bytes (*)
  315. (32) (40) Start of data block (*)
  316. (*) -> Optional
  317. */
  318. size_t size;
  319. char *ntlmbuf;
  320. const char *host = ""; /* empty */
  321. const char *domain = ""; /* empty */
  322. size_t hostlen = 0;
  323. size_t domlen = 0;
  324. size_t hostoff = 0;
  325. size_t domoff = hostoff + hostlen; /* This is 0: remember that host and
  326. domain are empty */
  327. (void)data;
  328. (void)userp;
  329. (void)passwdp;
  330. (void)service;
  331. (void)hostname;
  332. /* Clean up any former leftovers and initialise to defaults */
  333. Curl_auth_cleanup_ntlm(ntlm);
  334. ntlmbuf = aprintf(NTLMSSP_SIGNATURE "%c"
  335. "\x01%c%c%c" /* 32-bit type = 1 */
  336. "%c%c%c%c" /* 32-bit NTLM flag field */
  337. "%c%c" /* domain length */
  338. "%c%c" /* domain allocated space */
  339. "%c%c" /* domain name offset */
  340. "%c%c" /* 2 zeroes */
  341. "%c%c" /* host length */
  342. "%c%c" /* host allocated space */
  343. "%c%c" /* host name offset */
  344. "%c%c" /* 2 zeroes */
  345. "%s" /* host name */
  346. "%s", /* domain string */
  347. 0, /* trailing zero */
  348. 0, 0, 0, /* part of type-1 long */
  349. LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM |
  350. NTLMFLAG_REQUEST_TARGET |
  351. NTLMFLAG_NEGOTIATE_NTLM_KEY |
  352. NTLMFLAG_NEGOTIATE_NTLM2_KEY |
  353. NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
  354. SHORTPAIR(domlen),
  355. SHORTPAIR(domlen),
  356. SHORTPAIR(domoff),
  357. 0, 0,
  358. SHORTPAIR(hostlen),
  359. SHORTPAIR(hostlen),
  360. SHORTPAIR(hostoff),
  361. 0, 0,
  362. host, /* this is empty */
  363. domain /* this is empty */);
  364. if(!ntlmbuf)
  365. return CURLE_OUT_OF_MEMORY;
  366. /* Initial packet length */
  367. size = 32 + hostlen + domlen;
  368. DEBUG_OUT({
  369. fprintf(stderr, "* TYPE1 header flags=0x%02.2x%02.2x%02.2x%02.2x "
  370. "0x%08.8x ",
  371. LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM |
  372. NTLMFLAG_REQUEST_TARGET |
  373. NTLMFLAG_NEGOTIATE_NTLM_KEY |
  374. NTLMFLAG_NEGOTIATE_NTLM2_KEY |
  375. NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
  376. NTLMFLAG_NEGOTIATE_OEM |
  377. NTLMFLAG_REQUEST_TARGET |
  378. NTLMFLAG_NEGOTIATE_NTLM_KEY |
  379. NTLMFLAG_NEGOTIATE_NTLM2_KEY |
  380. NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
  381. ntlm_print_flags(stderr,
  382. NTLMFLAG_NEGOTIATE_OEM |
  383. NTLMFLAG_REQUEST_TARGET |
  384. NTLMFLAG_NEGOTIATE_NTLM_KEY |
  385. NTLMFLAG_NEGOTIATE_NTLM2_KEY |
  386. NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
  387. fprintf(stderr, "\n****\n");
  388. });
  389. Curl_bufref_set(out, ntlmbuf, size, curl_free);
  390. return CURLE_OK;
  391. }
  392. /*
  393. * Curl_auth_create_ntlm_type3_message()
  394. *
  395. * This is used to generate an already encoded NTLM type-3 message ready for
  396. * sending to the recipient using the appropriate compile time crypto API.
  397. *
  398. * Parameters:
  399. *
  400. * data [in] - The session handle.
  401. * userp [in] - The user name in the format User or Domain\User.
  402. * passwdp [in] - The user's password.
  403. * ntlm [in/out] - The NTLM data struct being used and modified.
  404. * out [out] - The result storage.
  405. *
  406. * Returns CURLE_OK on success.
  407. */
  408. CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
  409. const char *userp,
  410. const char *passwdp,
  411. struct ntlmdata *ntlm,
  412. struct bufref *out)
  413. {
  414. /* NTLM type-3 message structure:
  415. Index Description Content
  416. 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
  417. (0x4e544c4d53535000)
  418. 8 NTLM Message Type long (0x03000000)
  419. 12 LM/LMv2 Response security buffer
  420. 20 NTLM/NTLMv2 Response security buffer
  421. 28 Target Name security buffer
  422. 36 User Name security buffer
  423. 44 Workstation Name security buffer
  424. (52) Session Key security buffer (*)
  425. (60) Flags long (*)
  426. (64) OS Version Structure 8 bytes (*)
  427. 52 (64) (72) Start of data block
  428. (*) -> Optional
  429. */
  430. CURLcode result = CURLE_OK;
  431. size_t size;
  432. unsigned char ntlmbuf[NTLM_BUFSIZE];
  433. int lmrespoff;
  434. unsigned char lmresp[24]; /* fixed-size */
  435. int ntrespoff;
  436. unsigned int ntresplen = 24;
  437. unsigned char ntresp[24]; /* fixed-size */
  438. unsigned char *ptr_ntresp = &ntresp[0];
  439. unsigned char *ntlmv2resp = NULL;
  440. bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
  441. char host[HOSTNAME_MAX + 1] = "";
  442. const char *user;
  443. const char *domain = "";
  444. size_t hostoff = 0;
  445. size_t useroff = 0;
  446. size_t domoff = 0;
  447. size_t hostlen = 0;
  448. size_t userlen = 0;
  449. size_t domlen = 0;
  450. memset(lmresp, 0, sizeof(lmresp));
  451. memset(ntresp, 0, sizeof(ntresp));
  452. user = strchr(userp, '\\');
  453. if(!user)
  454. user = strchr(userp, '/');
  455. if(user) {
  456. domain = userp;
  457. domlen = (user - domain);
  458. user++;
  459. }
  460. else
  461. user = userp;
  462. userlen = strlen(user);
  463. #ifndef NTLM_HOSTNAME
  464. /* Get the machine's un-qualified host name as NTLM doesn't like the fully
  465. qualified domain name */
  466. if(Curl_gethostname(host, sizeof(host))) {
  467. infof(data, "gethostname() failed, continuing without");
  468. hostlen = 0;
  469. }
  470. else {
  471. hostlen = strlen(host);
  472. }
  473. #else
  474. (void)msnprintf(host, sizeof(host), "%s", NTLM_HOSTNAME);
  475. hostlen = sizeof(NTLM_HOSTNAME)-1;
  476. #endif
  477. if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
  478. unsigned char ntbuffer[0x18];
  479. unsigned char entropy[8];
  480. unsigned char ntlmv2hash[0x18];
  481. /* Full NTLM version 2
  482. Although this cannot be negotiated, it is used here if available, as
  483. servers featuring extended security are likely supporting also
  484. NTLMv2. */
  485. result = Curl_rand(data, entropy, 8);
  486. if(result)
  487. return result;
  488. result = Curl_ntlm_core_mk_nt_hash(passwdp, ntbuffer);
  489. if(result)
  490. return result;
  491. result = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
  492. ntbuffer, ntlmv2hash);
  493. if(result)
  494. return result;
  495. /* LMv2 response */
  496. result = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash, entropy,
  497. &ntlm->nonce[0], lmresp);
  498. if(result)
  499. return result;
  500. /* NTLMv2 response */
  501. result = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash, entropy,
  502. ntlm, &ntlmv2resp, &ntresplen);
  503. if(result)
  504. return result;
  505. ptr_ntresp = ntlmv2resp;
  506. }
  507. else {
  508. unsigned char ntbuffer[0x18];
  509. unsigned char lmbuffer[0x18];
  510. /* NTLM version 1 */
  511. result = Curl_ntlm_core_mk_nt_hash(passwdp, ntbuffer);
  512. if(result)
  513. return result;
  514. Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], ntresp);
  515. result = Curl_ntlm_core_mk_lm_hash(passwdp, lmbuffer);
  516. if(result)
  517. return result;
  518. Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
  519. ntlm->flags &= ~NTLMFLAG_NEGOTIATE_NTLM2_KEY;
  520. /* A safer but less compatible alternative is:
  521. * Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
  522. * See https://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */
  523. }
  524. if(unicode) {
  525. domlen = domlen * 2;
  526. userlen = userlen * 2;
  527. hostlen = hostlen * 2;
  528. }
  529. lmrespoff = 64; /* size of the message header */
  530. ntrespoff = lmrespoff + 0x18;
  531. domoff = ntrespoff + ntresplen;
  532. useroff = domoff + domlen;
  533. hostoff = useroff + userlen;
  534. /* Create the big type-3 message binary blob */
  535. size = msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
  536. NTLMSSP_SIGNATURE "%c"
  537. "\x03%c%c%c" /* 32-bit type = 3 */
  538. "%c%c" /* LanManager length */
  539. "%c%c" /* LanManager allocated space */
  540. "%c%c" /* LanManager offset */
  541. "%c%c" /* 2 zeroes */
  542. "%c%c" /* NT-response length */
  543. "%c%c" /* NT-response allocated space */
  544. "%c%c" /* NT-response offset */
  545. "%c%c" /* 2 zeroes */
  546. "%c%c" /* domain length */
  547. "%c%c" /* domain allocated space */
  548. "%c%c" /* domain name offset */
  549. "%c%c" /* 2 zeroes */
  550. "%c%c" /* user length */
  551. "%c%c" /* user allocated space */
  552. "%c%c" /* user offset */
  553. "%c%c" /* 2 zeroes */
  554. "%c%c" /* host length */
  555. "%c%c" /* host allocated space */
  556. "%c%c" /* host offset */
  557. "%c%c" /* 2 zeroes */
  558. "%c%c" /* session key length (unknown purpose) */
  559. "%c%c" /* session key allocated space (unknown purpose) */
  560. "%c%c" /* session key offset (unknown purpose) */
  561. "%c%c" /* 2 zeroes */
  562. "%c%c%c%c", /* flags */
  563. /* domain string */
  564. /* user string */
  565. /* host string */
  566. /* LanManager response */
  567. /* NT response */
  568. 0, /* null-termination */
  569. 0, 0, 0, /* type-3 long, the 24 upper bits */
  570. SHORTPAIR(0x18), /* LanManager response length, twice */
  571. SHORTPAIR(0x18),
  572. SHORTPAIR(lmrespoff),
  573. 0x0, 0x0,
  574. SHORTPAIR(ntresplen), /* NT-response length, twice */
  575. SHORTPAIR(ntresplen),
  576. SHORTPAIR(ntrespoff),
  577. 0x0, 0x0,
  578. SHORTPAIR(domlen),
  579. SHORTPAIR(domlen),
  580. SHORTPAIR(domoff),
  581. 0x0, 0x0,
  582. SHORTPAIR(userlen),
  583. SHORTPAIR(userlen),
  584. SHORTPAIR(useroff),
  585. 0x0, 0x0,
  586. SHORTPAIR(hostlen),
  587. SHORTPAIR(hostlen),
  588. SHORTPAIR(hostoff),
  589. 0x0, 0x0,
  590. 0x0, 0x0,
  591. 0x0, 0x0,
  592. 0x0, 0x0,
  593. 0x0, 0x0,
  594. LONGQUARTET(ntlm->flags));
  595. DEBUGASSERT(size == 64);
  596. DEBUGASSERT(size == (size_t)lmrespoff);
  597. /* We append the binary hashes */
  598. if(size < (NTLM_BUFSIZE - 0x18)) {
  599. memcpy(&ntlmbuf[size], lmresp, 0x18);
  600. size += 0x18;
  601. }
  602. DEBUG_OUT({
  603. fprintf(stderr, "**** TYPE3 header lmresp=");
  604. ntlm_print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18);
  605. });
  606. /* ntresplen + size should not be risking an integer overflow here */
  607. if(ntresplen + size > sizeof(ntlmbuf)) {
  608. failf(data, "incoming NTLM message too big");
  609. return CURLE_OUT_OF_MEMORY;
  610. }
  611. DEBUGASSERT(size == (size_t)ntrespoff);
  612. memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
  613. size += ntresplen;
  614. DEBUG_OUT({
  615. fprintf(stderr, "\n ntresp=");
  616. ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
  617. });
  618. free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
  619. DEBUG_OUT({
  620. fprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
  621. LONGQUARTET(ntlm->flags), ntlm->flags);
  622. ntlm_print_flags(stderr, ntlm->flags);
  623. fprintf(stderr, "\n****\n");
  624. });
  625. /* Make sure that the domain, user and host strings fit in the
  626. buffer before we copy them there. */
  627. if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) {
  628. failf(data, "user + domain + host name too big");
  629. return CURLE_OUT_OF_MEMORY;
  630. }
  631. DEBUGASSERT(size == domoff);
  632. if(unicode)
  633. unicodecpy(&ntlmbuf[size], domain, domlen / 2);
  634. else
  635. memcpy(&ntlmbuf[size], domain, domlen);
  636. size += domlen;
  637. DEBUGASSERT(size == useroff);
  638. if(unicode)
  639. unicodecpy(&ntlmbuf[size], user, userlen / 2);
  640. else
  641. memcpy(&ntlmbuf[size], user, userlen);
  642. size += userlen;
  643. DEBUGASSERT(size == hostoff);
  644. if(unicode)
  645. unicodecpy(&ntlmbuf[size], host, hostlen / 2);
  646. else
  647. memcpy(&ntlmbuf[size], host, hostlen);
  648. size += hostlen;
  649. /* Return the binary blob. */
  650. result = Curl_bufref_memdup(out, ntlmbuf, size);
  651. Curl_auth_cleanup_ntlm(ntlm);
  652. return result;
  653. }
  654. /*
  655. * Curl_auth_cleanup_ntlm()
  656. *
  657. * This is used to clean up the NTLM specific data.
  658. *
  659. * Parameters:
  660. *
  661. * ntlm [in/out] - The NTLM data struct being cleaned up.
  662. *
  663. */
  664. void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
  665. {
  666. /* Free the target info */
  667. Curl_safefree(ntlm->target_info);
  668. /* Reset any variables */
  669. ntlm->target_info_len = 0;
  670. }
  671. #endif /* USE_NTLM && !USE_WINDOWS_SSPI */