
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if defined(USE_NTLM) && !defined(USE_WINDOWS_SSPI)
  26. /*
  27. * NTLM details:
  28. *
  29. * https://davenport.sourceforge.net/ntlm.html
  30. * https://www.innovation.ch/java/ntlm.html
  31. */
  32. #define DEBUG_ME 0
  33. #include "urldata.h"
  34. #include "sendf.h"
  35. #include "curl_ntlm_core.h"
  36. #include "curl_gethostname.h"
  37. #include "curl_multibyte.h"
  38. #include "curl_md5.h"
  39. #include "warnless.h"
  40. #include "rand.h"
  41. #include "vtls/vtls.h"
  42. #include "strdup.h"
  43. #define BUILDING_CURL_NTLM_MSGS_C
  44. #include "vauth/vauth.h"
  45. #include "vauth/ntlm.h"
  46. #include "curl_endian.h"
  47. #include "curl_printf.h"
  48. /* The last #include files should be: */
  49. #include "curl_memory.h"
  50. #include "memdebug.h"
  51. /* "NTLMSSP" signature is always in ASCII regardless of the platform */
  52. #define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
  53. #if DEBUG_ME
  54. # define DEBUG_OUT(x) x
/* Debug helper: print the symbolic name of every flag bit set in 'flags'
   to 'handle', each followed by a single space, in ascending bit order.
   Bits that have no known meaning are printed as NTLMFLAG_UNKNOWN_<n>.
   Only compiled when DEBUG_ME is non-zero. */
static void ntlm_print_flags(FILE *handle, unsigned long flags)
{
  /* Table kept in ascending bit order so the output order is stable. */
  static const struct {
    unsigned long bit;
    const char *name;
  } flag_names[] = {
    { NTLMFLAG_NEGOTIATE_UNICODE,              "NTLMFLAG_NEGOTIATE_UNICODE" },
    { NTLMFLAG_NEGOTIATE_OEM,                  "NTLMFLAG_NEGOTIATE_OEM" },
    { NTLMFLAG_REQUEST_TARGET,                 "NTLMFLAG_REQUEST_TARGET" },
    { (1 << 3),                                "NTLMFLAG_UNKNOWN_3" },
    { NTLMFLAG_NEGOTIATE_SIGN,                 "NTLMFLAG_NEGOTIATE_SIGN" },
    { NTLMFLAG_NEGOTIATE_SEAL,                 "NTLMFLAG_NEGOTIATE_SEAL" },
    { NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE,
      "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE" },
    { NTLMFLAG_NEGOTIATE_LM_KEY,               "NTLMFLAG_NEGOTIATE_LM_KEY" },
    { NTLMFLAG_NEGOTIATE_NTLM_KEY,             "NTLMFLAG_NEGOTIATE_NTLM_KEY" },
    { (1 << 10),                               "NTLMFLAG_UNKNOWN_10" },
    { NTLMFLAG_NEGOTIATE_ANONYMOUS,
      "NTLMFLAG_NEGOTIATE_ANONYMOUS" },
    { NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED,
      "NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED" },
    { NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED,
      "NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED" },
    { NTLMFLAG_NEGOTIATE_LOCAL_CALL,
      "NTLMFLAG_NEGOTIATE_LOCAL_CALL" },
    { NTLMFLAG_NEGOTIATE_ALWAYS_SIGN,
      "NTLMFLAG_NEGOTIATE_ALWAYS_SIGN" },
    { NTLMFLAG_TARGET_TYPE_DOMAIN,             "NTLMFLAG_TARGET_TYPE_DOMAIN" },
    { NTLMFLAG_TARGET_TYPE_SERVER,             "NTLMFLAG_TARGET_TYPE_SERVER" },
    { NTLMFLAG_TARGET_TYPE_SHARE,              "NTLMFLAG_TARGET_TYPE_SHARE" },
    { NTLMFLAG_NEGOTIATE_NTLM2_KEY,
      "NTLMFLAG_NEGOTIATE_NTLM2_KEY" },
    { NTLMFLAG_REQUEST_INIT_RESPONSE,
      "NTLMFLAG_REQUEST_INIT_RESPONSE" },
    { NTLMFLAG_REQUEST_ACCEPT_RESPONSE,
      "NTLMFLAG_REQUEST_ACCEPT_RESPONSE" },
    { NTLMFLAG_REQUEST_NONNT_SESSION_KEY,
      "NTLMFLAG_REQUEST_NONNT_SESSION_KEY" },
    { NTLMFLAG_NEGOTIATE_TARGET_INFO,
      "NTLMFLAG_NEGOTIATE_TARGET_INFO" },
    { (1 << 24),                               "NTLMFLAG_UNKNOWN_24" },
    { (1 << 25),                               "NTLMFLAG_UNKNOWN_25" },
    { (1 << 26),                               "NTLMFLAG_UNKNOWN_26" },
    { (1 << 27),                               "NTLMFLAG_UNKNOWN_27" },
    { (1 << 28),                               "NTLMFLAG_UNKNOWN_28" },
    { NTLMFLAG_NEGOTIATE_128,                  "NTLMFLAG_NEGOTIATE_128" },
    { NTLMFLAG_NEGOTIATE_KEY_EXCHANGE,
      "NTLMFLAG_NEGOTIATE_KEY_EXCHANGE" },
    { NTLMFLAG_NEGOTIATE_56,                   "NTLMFLAG_NEGOTIATE_56" }
  };
  size_t idx;

  for(idx = 0; idx < sizeof(flag_names) / sizeof(flag_names[0]); idx++) {
    if(flags & flag_names[idx].bit)
      fprintf(handle, "%s ", flag_names[idx].name);
  }
}
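/* Debug helper: write 'len' bytes from 'buf' to 'handle' as a "0x"-prefixed
   string of two-digit lowercase hex pairs, with no trailing newline.

   Fixes versus the previous version: the output now goes to the 'handle'
   the caller passed instead of unconditionally to stderr, and each byte is
   read as 'unsigned char' before widening, so values >= 0x80 print as two
   hex digits rather than a sign-extended 8-digit value on platforms where
   'char' is signed.  Only compiled when DEBUG_ME is non-zero. */
static void ntlm_print_hex(FILE *handle, const char *buf, size_t len)
{
  const unsigned char *p = (const unsigned char *)buf;
  size_t i;

  fprintf(handle, "0x");
  for(i = 0; i < len; i++)
    fprintf(handle, "%02x", (unsigned int)p[i]);
}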
  128. #else
  129. # define DEBUG_OUT(x) Curl_nop_stmt
  130. #endif
  131. /*
  132. * ntlm_decode_type2_target()
  133. *
  134. * This is used to decode the "target info" in the NTLM type-2 message
  135. * received.
  136. *
  137. * Parameters:
  138. *
  139. * data [in] - The session handle.
  140. * type2ref [in] - The type-2 message.
  141. * ntlm [in/out] - The NTLM data struct being used and modified.
  142. *
  143. * Returns CURLE_OK on success.
  144. */
/*
 * ntlm_decode_type2_target()
 *
 * Extract the "Target Information" security buffer from a type-2 message
 * into ntlm->target_info / ntlm->target_info_len.  The security buffer
 * header is read from offsets 40 (length, little-endian short) and 44
 * (offset, little-endian long) and is only present in messages of at least
 * 48 bytes; a shorter message, or a zero length, leaves no target info.
 *
 * The peer-supplied offset/length pair is validated before anything is
 * copied: the region must lie entirely inside the message and must not
 * point back into the 48-byte fixed header.
 *
 * Parameters:
 *
 * data     [in]     - The session handle (only used for logging).
 * type2ref [in]     - The type-2 message.
 * ntlm     [in/out] - The NTLM data struct being used and modified.
 *
 * Returns CURLE_OK on success, CURLE_BAD_CONTENT_ENCODING when the buffer
 * descriptor is inconsistent with the message size, CURLE_OUT_OF_MEMORY when
 * the copy could not be allocated.
 */
static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
                                         const struct bufref *type2ref,
                                         struct ntlmdata *ntlm)
{
  const unsigned char *msg = Curl_bufref_ptr(type2ref);
  const size_t msglen = Curl_bufref_len(type2ref);
  unsigned short tilen = 0;
  unsigned int tioff = 0;
#if defined(CURL_DISABLE_VERBOSE_STRINGS)
  (void) data;
#endif

  /* The security buffer descriptor itself only exists in a >= 48-byte
     message; otherwise both fields stay zero. */
  if(msglen >= 48) {
    tilen = Curl_read16_le(&msg[40]);
    tioff = Curl_read32_le(&msg[44]);
  }

  if(tilen) {
    /* Reject descriptors that point outside the message or into its fixed
       header.  The first comparison bounds tioff before the sum is formed. */
    const bool bad_descriptor = (tioff > msglen) ||
                                ((tioff + tilen) > msglen) ||
                                (tioff < 48);
    if(bad_descriptor) {
      infof(data, "NTLM handshake failure (bad type-2 message). "
            "Target Info Offset Len is set incorrect by the peer");
      return CURLE_BAD_CONTENT_ENCODING;
    }

    free(ntlm->target_info); /* replace any previous data */
    ntlm->target_info = Curl_memdup(&msg[tioff], tilen);
    if(!ntlm->target_info)
      return CURLE_OUT_OF_MEMORY;
  }

  ntlm->target_info_len = tilen;

  return CURLE_OK;
}
  177. /*
  178. NTLM message structure notes:
  179. A 'short' is a 'network short', a little-endian 16-bit unsigned value.
  180. A 'long' is a 'network long', a little-endian, 32-bit unsigned value.
  181. A 'security buffer' represents a triplet used to point to a buffer,
  182. consisting of two shorts and one long:
  183. 1. A 'short' containing the length of the buffer content in bytes.
  184. 2. A 'short' containing the allocated space for the buffer in bytes.
  185. 3. A 'long' containing the offset to the start of the buffer in bytes,
  186. from the beginning of the NTLM message.
  187. */
  188. /*
  189. * Curl_auth_is_ntlm_supported()
  190. *
  191. * This is used to evaluate if NTLM is supported.
  192. *
  193. * Parameters: None
  194. *
* Returns TRUE as NTLM is handled by libcurl.
  196. */
/* Report whether this build can do NTLM.  This translation unit is only
   compiled when USE_NTLM is set (and SSPI is not used), so the answer here
   is unconditionally TRUE. */
bool Curl_auth_is_ntlm_supported(void)
{
  const bool supported = TRUE;
  return supported;
}
  201. /*
  202. * Curl_auth_decode_ntlm_type2_message()
  203. *
* This is used to decode an NTLM type-2 message. The raw NTLM message is
* checked for validity before the appropriate data for creating a type-3
* message is written to the given NTLM data structure.
  207. *
  208. * Parameters:
  209. *
  210. * data [in] - The session handle.
  211. * type2ref [in] - The type-2 message.
  212. * ntlm [in/out] - The NTLM data struct being used and modified.
  213. *
  214. * Returns CURLE_OK on success.
  215. */
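/*
 * Curl_auth_decode_ntlm_type2_message()
 *
 * Validate a raw NTLM type-2 message and pull out what the type-3 message
 * needs: the flags the peer selected (offset 20), the 8-byte server
 * challenge (offset 24, stored in ntlm->nonce) and, when the peer set
 * NTLMFLAG_NEGOTIATE_TARGET_INFO, the target information security buffer.
 *
 * Parameters:
 *
 * data     [in]     - The session handle (only used for logging).
 * type2ref [in]     - The type-2 message.
 * ntlm     [in/out] - The NTLM data struct being used and modified.
 *
 * Returns CURLE_OK on success.  CURLE_BAD_CONTENT_ENCODING when the message
 * is shorter than 32 bytes, lacks the "NTLMSSP\0" signature or the type-2
 * marker, or carries an inconsistent target-info descriptor; other errors
 * are propagated from ntlm_decode_type2_target().
 *
 * ntlm->flags is reset to 0 before validation, so a rejected message never
 * leaves flags from an earlier message behind.
 */
CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
                                             const struct bufref *type2ref,
                                             struct ntlmdata *ntlm)
{
  static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };

  /* NTLM type-2 message structure:

          Index  Description            Content
            0    NTLMSSP Signature      Null-terminated ASCII "NTLMSSP"
                                        (0x4e544c4d53535000)
            8    NTLM Message Type      long (0x02000000)
           12    Target Name            security buffer
           20    Flags                  long
           24    Challenge              8 bytes
          (32)   Context                8 bytes (two consecutive longs) (*)
          (40)   Target Information     security buffer (*)
          (48)   OS Version Structure   8 bytes (*)
  32 (48) (56)   Start of data block    (*)
                                        (*) -> Optional
  */

  CURLcode result = CURLE_OK;
  const unsigned char *type2 = Curl_bufref_ptr(type2ref);
  size_t type2len = Curl_bufref_len(type2ref);

#if defined(CURL_DISABLE_VERBOSE_STRINGS)
  (void)data;
#endif

  ntlm->flags = 0;

  /* 32 bytes is the minimum that covers the signature, the type marker, the
     flags and the whole 8-byte challenge read below.  NTLMSSP_SIGNATURE is
     7 characters plus its terminating NUL, hence the 8-byte compare. */
  if((type2len < 32) ||
     (memcmp(type2, NTLMSSP_SIGNATURE, 8) != 0) ||
     (memcmp(type2 + 8, type2_marker, sizeof(type2_marker)) != 0)) {
    /* This was not a good enough type-2 message */
    infof(data, "NTLM handshake failure (bad type-2 message)");
    return CURLE_BAD_CONTENT_ENCODING;
  }

  ntlm->flags = Curl_read32_le(&type2[20]);
  memcpy(ntlm->nonce, &type2[24], 8);

  if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
    result = ntlm_decode_type2_target(data, type2ref, ntlm);
    if(result) {
      infof(data, "NTLM handshake failure (bad type-2 message)");
      return result;
    }
  }

  /* Fix: the previous debug block also printed an undeclared 'header'
     variable, which made a DEBUG_ME=1 build fail to compile.  The flags are
     cast to unsigned long to match the %lx conversion regardless of the
     declared type of ntlm->flags. */
  DEBUG_OUT({
    fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ",
            (unsigned long)ntlm->flags);
    ntlm_print_flags(stderr, ntlm->flags);
    fprintf(stderr, "\n                  nonce=");
    ntlm_print_hex(stderr, (char *)ntlm->nonce, 8);
    fprintf(stderr, "\n****\n");
  });

  return result;
}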
  268. /* copy the source to the destination and fill in zeroes in every
  269. other destination byte! */
/* Widen 'length' bytes from 'src' into 'dest' as little-endian 16-bit code
   units: each source byte is copied as-is and followed by a zero byte, so
   'dest' must have room for 2 * length bytes.  No character-set conversion
   happens; a byte above 0x7f is widened verbatim. */
static void unicodecpy(unsigned char *dest, const char *src, size_t length)
{
  unsigned char *out = dest;
  const char *end = src + length;

  while(src < end) {
    *out++ = (unsigned char)*src++;
    *out++ = '\0';
  }
}
  278. /*
  279. * Curl_auth_create_ntlm_type1_message()
  280. *
  281. * This is used to generate an NTLM type-1 message ready for sending to the
  282. * recipient using the appropriate compile time crypto API.
  283. *
  284. * Parameters:
  285. *
  286. * data [in] - The session handle.
  287. * userp [in] - The username in the format User or Domain\User.
  288. * passwdp [in] - The user's password.
  289. * service [in] - The service type such as http, smtp, pop or imap.
  290. * host [in] - The hostname.
  291. * ntlm [in/out] - The NTLM data struct being used and modified.
  292. * out [out] - The result storage.
  293. *
  294. * Returns CURLE_OK on success.
  295. */
/*
 * Curl_auth_create_ntlm_type1_message()
 *
 * Build the NTLM type-1 (negotiate) message.  The message carries a fixed
 * flag set and two empty security buffers: neither the domain nor the
 * workstation name is supplied, so the user, password, service and host
 * arguments are accepted for interface symmetry only and are not used.
 *
 * Parameters:
 *
 * data     [in]     - The session handle.
 * userp    [in]     - The username in the format User or Domain\User.
 * passwdp  [in]     - The user's password.
 * service  [in]     - The service type such as http, smtp, pop or imap.
 * hostname [in]     - The hostname.
 * ntlm     [in/out] - The NTLM data struct; any leftover state is cleaned
 *                     up before the message is built.
 * out      [out]    - Receives the 32-byte message; ownership of the buffer
 *                     is handed to 'out' together with curl_free.
 *
 * Returns CURLE_OK on success, CURLE_OUT_OF_MEMORY if the message could
 * not be allocated.
 */
CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
                                             const char *userp,
                                             const char *passwdp,
                                             const char *service,
                                             const char *hostname,
                                             struct ntlmdata *ntlm,
                                             struct bufref *out)
{
  /* NTLM type-1 message structure:

       Index  Description            Content
         0    NTLMSSP Signature      Null-terminated ASCII "NTLMSSP"
                                     (0x4e544c4d53535000)
         8    NTLM Message Type      long (0x01000000)
        12    Flags                  long
       (16)   Supplied Domain        security buffer (*)
       (24)   Supplied Workstation   security buffer (*)
       (32)   OS Version Structure   8 bytes (*)
  (32) (40)   Start of data block    (*)
                                     (*) -> Optional
  */

  /* The flag set advertised in every type-1 message this code emits. */
  const unsigned int type1_flags = NTLMFLAG_NEGOTIATE_OEM |
                                   NTLMFLAG_REQUEST_TARGET |
                                   NTLMFLAG_NEGOTIATE_NTLM_KEY |
                                   NTLMFLAG_NEGOTIATE_NTLM2_KEY |
                                   NTLMFLAG_NEGOTIATE_ALWAYS_SIGN;

  /* Both security buffers describe empty strings at offset 0, so the
     message is exactly the 32-byte header. */
  const char *wkst = "";
  const char *dom = "";
  const size_t wkstlen = 0;
  const size_t domlen = 0;
  const size_t wkstoff = 0;
  const size_t domoff = wkstoff + wkstlen;
  const size_t msglen = 32 + wkstlen + domlen;
  char *msg;

  (void)data;
  (void)userp;
  (void)passwdp;
  (void)service;
  (void)hostname;

  /* Clean up any former leftovers and initialise to defaults */
  Curl_auth_cleanup_ntlm(ntlm);

  msg = aprintf(NTLMSSP_SIGNATURE "%c"
                "\x01%c%c%c"  /* 32-bit type = 1 */
                "%c%c%c%c"    /* 32-bit NTLM flag field */
                "%c%c"        /* domain length */
                "%c%c"        /* domain allocated space */
                "%c%c"        /* domain name offset */
                "%c%c"        /* 2 zeroes */
                "%c%c"        /* host length */
                "%c%c"        /* host allocated space */
                "%c%c"        /* hostname offset */
                "%c%c"        /* 2 zeroes */
                "%s"          /* hostname */
                "%s",         /* domain string */
                0,            /* trailing zero */
                0, 0, 0,      /* part of type-1 long */
                LONGQUARTET(type1_flags),
                SHORTPAIR(domlen),
                SHORTPAIR(domlen),
                SHORTPAIR(domoff),
                0, 0,
                SHORTPAIR(wkstlen),
                SHORTPAIR(wkstlen),
                SHORTPAIR(wkstoff),
                0, 0,
                wkst,         /* this is empty */
                dom           /* this is empty */);
  if(!msg)
    return CURLE_OUT_OF_MEMORY;

  DEBUG_OUT({
    fprintf(stderr, "* TYPE1 header flags=0x%02.2x%02.2x%02.2x%02.2x "
            "0x%08.8x ",
            LONGQUARTET(type1_flags), type1_flags);
    ntlm_print_flags(stderr, type1_flags);
    fprintf(stderr, "\n****\n");
  });

  /* Hand the buffer (and its free function) over to the caller. */
  Curl_bufref_set(out, msg, msglen, curl_free);
  return CURLE_OK;
}
  390. /*
  391. * Curl_auth_create_ntlm_type3_message()
  392. *
  393. * This is used to generate an already encoded NTLM type-3 message ready for
  394. * sending to the recipient using the appropriate compile time crypto API.
  395. *
  396. * Parameters:
  397. *
  398. * data [in] - The session handle.
  399. * userp [in] - The username in the format User or Domain\User.
  400. * passwdp [in] - The user's password.
  401. * ntlm [in/out] - The NTLM data struct being used and modified.
  402. * out [out] - The result storage.
  403. *
  404. * Returns CURLE_OK on success.
  405. */
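/*
 * Curl_auth_create_ntlm_type3_message()
 *
 * Build the NTLM type-3 (authenticate) message from the challenge and flags
 * stored by Curl_auth_decode_ntlm_type2_message().  When the peer offered
 * NTLMFLAG_NEGOTIATE_NTLM2_KEY the LMv2/NTLMv2 responses are used (with 8
 * bytes of fresh client entropy); otherwise the NTLMv1 LM and NT responses
 * are used and the NTLM2 flag is cleared.  The workstation name sent is the
 * fixed string "WORKSTATION" rather than the real local host name.
 *
 * Fix versus the previous version: when the NTLMv2 response did not fit in
 * the message buffer, the heap buffer returned by
 * Curl_ntlm_core_mk_ntlmv2_resp() was leaked on the error return.  The
 * response length is driven by the peer-supplied target info, so that path
 * is reachable by a remote party.  It is now freed before returning.
 *
 * Parameters:
 *
 * data    [in]     - The session handle.
 * userp   [in]     - The username in the format User or Domain\User
 *                    (Domain/User is accepted as well).
 * passwdp [in]     - The user's password.
 * ntlm    [in/out] - The NTLM data struct; cleaned up before returning on
 *                    success.
 * out     [out]    - Receives a copy of the finished message.
 *
 * Returns CURLE_OK on success, CURLE_OUT_OF_MEMORY when the message would
 * not fit in NTLM_BUFSIZE or a copy cannot be allocated, or the error from
 * the random/hash helpers.
 */
CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
                                             const char *userp,
                                             const char *passwdp,
                                             struct ntlmdata *ntlm,
                                             struct bufref *out)
{
  /* NTLM type-3 message structure:

          Index  Description            Content
            0    NTLMSSP Signature      Null-terminated ASCII "NTLMSSP"
                                        (0x4e544c4d53535000)
            8    NTLM Message Type      long (0x03000000)
           12    LM/LMv2 Response       security buffer
           20    NTLM/NTLMv2 Response   security buffer
           28    Target Name            security buffer
           36    username               security buffer
           44    Workstation Name       security buffer
          (52)   Session Key            security buffer (*)
          (60)   Flags                  long (*)
          (64)   OS Version Structure   8 bytes (*)
  52 (64) (72)   Start of data block
                                        (*) -> Optional
  */

  CURLcode result = CURLE_OK;
  size_t size;

  unsigned char ntlmbuf[NTLM_BUFSIZE];
  unsigned int lmrespoff;
  unsigned char lmresp[24]; /* fixed-size */
  unsigned int ntrespoff;
  unsigned int ntresplen = 24;
  unsigned char ntresp[24]; /* fixed-size */
  unsigned char *ptr_ntresp = &ntresp[0];
  /* Heap buffer returned by Curl_ntlm_core_mk_ntlmv2_resp(); this function
     owns it and must free it on every path after it has been set. */
  unsigned char *ntlmv2resp = NULL;
  bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE);

  /* The fixed hostname we provide, in order to not leak our real local host
     name. Copy the name used by Firefox. */
  static const char host[] = "WORKSTATION";
  const char *user;
  const char *domain = "";
  size_t hostoff = 0;
  size_t useroff = 0;
  size_t domoff = 0;
  size_t hostlen = 0;
  size_t userlen = 0;
  size_t domlen = 0;

  memset(lmresp, 0, sizeof(lmresp));
  memset(ntresp, 0, sizeof(ntresp));

  /* Split "Domain\User" (or "Domain/User") into its two parts; with no
     separator the whole string is the user and the domain stays empty. */
  user = strchr(userp, '\\');
  if(!user)
    user = strchr(userp, '/');

  if(user) {
    domain = userp;
    domlen = (user - domain);
    user++;
  }
  else
    user = userp;

  userlen = strlen(user);
  hostlen = sizeof(host) - 1;

  if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
    /* NOTE(review): ntbuffer and ntlmv2hash hold password-derived key
       material on the stack and are not cleared before they go out of
       scope; a project-provided secure-clear helper would be the place to
       address that. */
    unsigned char ntbuffer[0x18];
    unsigned char entropy[8];
    unsigned char ntlmv2hash[0x18];

    /* Full NTLM version 2
       Although this cannot be negotiated, it is used here if available, as
       servers featuring extended security are likely supporting also
       NTLMv2. */
    result = Curl_rand(data, entropy, 8);
    if(result)
      return result;

    result = Curl_ntlm_core_mk_nt_hash(passwdp, ntbuffer);
    if(result)
      return result;

    result = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
                                           ntbuffer, ntlmv2hash);
    if(result)
      return result;

    /* LMv2 response */
    result = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash, entropy,
                                         &ntlm->nonce[0], lmresp);
    if(result)
      return result;

    /* NTLMv2 response: variable length, allocated by the helper and owned
       by ntlmv2resp from here on. */
    result = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash, entropy,
                                           ntlm, &ntlmv2resp, &ntresplen);
    if(result)
      return result;

    ptr_ntresp = ntlmv2resp;
  }
  else {
    unsigned char ntbuffer[0x18];
    unsigned char lmbuffer[0x18];

    /* NTLM version 1 */

    result = Curl_ntlm_core_mk_nt_hash(passwdp, ntbuffer);
    if(result)
      return result;

    Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], ntresp);

    result = Curl_ntlm_core_mk_lm_hash(passwdp, lmbuffer);
    if(result)
      return result;

    Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
    /* Tell the peer we really answered with NTLMv1. */
    ntlm->flags &= ~(unsigned int)NTLMFLAG_NEGOTIATE_NTLM2_KEY;

    /* A safer but less compatible alternative is:
     *   Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
     * See https://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */
  }

  /* In unicode mode every string is sent as 16-bit code units, so the
     lengths written into the security buffers are doubled. */
  if(unicode) {
    domlen = domlen * 2;
    userlen = userlen * 2;
    hostlen = hostlen * 2;
  }

  /* Data block layout after the 64-byte header: LM response, NT response,
     domain, user, host. */
  lmrespoff = 64; /* size of the message header */
  ntrespoff = lmrespoff + 0x18;
  domoff = ntrespoff + ntresplen;
  useroff = domoff + domlen;
  hostoff = useroff + userlen;

  /* Create the big type-3 message binary blob */
  size = msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
                   NTLMSSP_SIGNATURE "%c"
                   "\x03%c%c%c"  /* 32-bit type = 3 */

                   "%c%c"  /* LanManager length */
                   "%c%c"  /* LanManager allocated space */
                   "%c%c"  /* LanManager offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* NT-response length */
                   "%c%c"  /* NT-response allocated space */
                   "%c%c"  /* NT-response offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* domain length */
                   "%c%c"  /* domain allocated space */
                   "%c%c"  /* domain name offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* user length */
                   "%c%c"  /* user allocated space */
                   "%c%c"  /* user offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* host length */
                   "%c%c"  /* host allocated space */
                   "%c%c"  /* host offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* session key length (unknown purpose) */
                   "%c%c"  /* session key allocated space (unknown purpose) */
                   "%c%c"  /* session key offset (unknown purpose) */
                   "%c%c"  /* 2 zeroes */

                   "%c%c%c%c",  /* flags */

                   /* domain string */
                   /* user string */
                   /* host string */
                   /* LanManager response */
                   /* NT response */

                   0,                /* null-termination */
                   0, 0, 0,          /* type-3 long, the 24 upper bits */

                   SHORTPAIR(0x18),  /* LanManager response length, twice */
                   SHORTPAIR(0x18),
                   SHORTPAIR(lmrespoff),
                   0x0, 0x0,

                   SHORTPAIR(ntresplen),  /* NT-response length, twice */
                   SHORTPAIR(ntresplen),
                   SHORTPAIR(ntrespoff),
                   0x0, 0x0,

                   SHORTPAIR(domlen),
                   SHORTPAIR(domlen),
                   SHORTPAIR(domoff),
                   0x0, 0x0,

                   SHORTPAIR(userlen),
                   SHORTPAIR(userlen),
                   SHORTPAIR(useroff),
                   0x0, 0x0,

                   SHORTPAIR(hostlen),
                   SHORTPAIR(hostlen),
                   SHORTPAIR(hostoff),
                   0x0, 0x0,

                   0x0, 0x0,
                   0x0, 0x0,
                   0x0, 0x0,
                   0x0, 0x0,

                   LONGQUARTET(ntlm->flags));

  DEBUGASSERT(size == 64);
  DEBUGASSERT(size == (size_t)lmrespoff);

  /* We append the binary hashes */
  if(size < (NTLM_BUFSIZE - 0x18)) {
    memcpy(&ntlmbuf[size], lmresp, 0x18);
    size += 0x18;
  }

  DEBUG_OUT({
    fprintf(stderr, "**** TYPE3 header lmresp=");
    ntlm_print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18);
  });

  /* ntresplen + size should not be risking an integer overflow here */
  if(ntresplen + size > sizeof(ntlmbuf)) {
    failf(data, "incoming NTLM message too big");
    /* ntlmv2resp is only non-NULL on the NTLMv2 path; free() on NULL is a
       no-op, so this is safe on both paths. */
    free(ntlmv2resp);
    return CURLE_OUT_OF_MEMORY;
  }
  DEBUGASSERT(size == (size_t)ntrespoff);

  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
  size += ntresplen;

  DEBUG_OUT({
    fprintf(stderr, "\n   ntresp=");
    ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
  });

  free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
  ntlmv2resp = NULL;

  DEBUG_OUT({
    fprintf(stderr, "\n   flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
            LONGQUARTET(ntlm->flags), ntlm->flags);
    ntlm_print_flags(stderr, ntlm->flags);
    fprintf(stderr, "\n****\n");
  });

  /* Make sure that the domain, user and host strings fit in the
     buffer before we copy them there. */
  if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) {
    failf(data, "user + domain + hostname too big");
    return CURLE_OUT_OF_MEMORY;
  }

  DEBUGASSERT(size == domoff);
  if(unicode)
    unicodecpy(&ntlmbuf[size], domain, domlen / 2);
  else
    memcpy(&ntlmbuf[size], domain, domlen);

  size += domlen;

  DEBUGASSERT(size == useroff);
  if(unicode)
    unicodecpy(&ntlmbuf[size], user, userlen / 2);
  else
    memcpy(&ntlmbuf[size], user, userlen);

  size += userlen;

  DEBUGASSERT(size == hostoff);
  if(unicode)
    unicodecpy(&ntlmbuf[size], host, hostlen / 2);
  else
    memcpy(&ntlmbuf[size], host, hostlen);

  size += hostlen;

  /* Return the binary blob. */
  result = Curl_bufref_memdup(out, ntlmbuf, size);

  Curl_auth_cleanup_ntlm(ntlm);

  return result;
}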
  641. /*
  642. * Curl_auth_cleanup_ntlm()
  643. *
  644. * This is used to clean up the NTLM specific data.
  645. *
  646. * Parameters:
  647. *
  648. * ntlm [in/out] - The NTLM data struct being cleaned up.
  649. *
  650. */
/*
 * Curl_auth_cleanup_ntlm()
 *
 * Release the per-handshake state kept in the NTLM data struct: the copied
 * target info from the type-2 message is freed (and the pointer nulled) and
 * its recorded length is reset to zero.  Safe to call repeatedly.
 *
 * Parameters:
 *
 * ntlm [in/out] - The NTLM data struct being cleaned up.
 */
void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
{
  /* Forget the length first, then drop the buffer it described. */
  ntlm->target_info_len = 0;
  Curl_safefree(ntlm->target_info);
}
  658. #endif /* USE_NTLM && !USE_WINDOWS_SSPI */