
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. #include "curl_setup.h"
  25. #if defined(USE_NTLM) && !defined(USE_WINDOWS_SSPI)
  26. /*
  27. * NTLM details:
  28. *
  29. * https://davenport.sourceforge.net/ntlm.html
  30. * https://www.innovation.ch/java/ntlm.html
  31. */
  32. #define DEBUG_ME 0
  33. #include "urldata.h"
  34. #include "sendf.h"
  35. #include "curl_ntlm_core.h"
  36. #include "curl_gethostname.h"
  37. #include "curl_multibyte.h"
  38. #include "curl_md5.h"
  39. #include "warnless.h"
  40. #include "rand.h"
  41. #include "vtls/vtls.h"
  42. #include "strdup.h"
  43. #define BUILDING_CURL_NTLM_MSGS_C
  44. #include "vauth/vauth.h"
  45. #include "vauth/ntlm.h"
  46. #include "curl_endian.h"
  47. #include "curl_printf.h"
  48. /* The last #include files should be: */
  49. #include "curl_memory.h"
  50. #include "memdebug.h"
  51. /* "NTLMSSP" signature is always in ASCII regardless of the platform */
  52. #define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
  53. /* The fixed host name we provide, in order to not leak our real local host
  54. name. Copy the name used by Firefox. */
  55. #define NTLM_HOSTNAME "WORKSTATION"
  56. #if DEBUG_ME
  57. # define DEBUG_OUT(x) x
/* Debug helper: print the symbolic name of every NTLM negotiate flag set in
   'flags' to 'handle', each followed by a space, in ascending bit order.
   Bits without a known NTLMFLAG_* name are reported as NTLMFLAG_UNKNOWN_<n>. */
static void ntlm_print_flags(FILE *handle, unsigned long flags)
{
  /* Table kept in bit order so the output is the same as the historical
     hand-written if-chain. */
  static const struct {
    unsigned long bit;
    const char *name;
  } flag_names[] = {
    { NTLMFLAG_NEGOTIATE_UNICODE, "NTLMFLAG_NEGOTIATE_UNICODE " },
    { NTLMFLAG_NEGOTIATE_OEM, "NTLMFLAG_NEGOTIATE_OEM " },
    { NTLMFLAG_REQUEST_TARGET, "NTLMFLAG_REQUEST_TARGET " },
    { (1<<3), "NTLMFLAG_UNKNOWN_3 " },
    { NTLMFLAG_NEGOTIATE_SIGN, "NTLMFLAG_NEGOTIATE_SIGN " },
    { NTLMFLAG_NEGOTIATE_SEAL, "NTLMFLAG_NEGOTIATE_SEAL " },
    { NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE, "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE " },
    { NTLMFLAG_NEGOTIATE_LM_KEY, "NTLMFLAG_NEGOTIATE_LM_KEY " },
    { NTLMFLAG_NEGOTIATE_NTLM_KEY, "NTLMFLAG_NEGOTIATE_NTLM_KEY " },
    { (1<<10), "NTLMFLAG_UNKNOWN_10 " },
    { NTLMFLAG_NEGOTIATE_ANONYMOUS, "NTLMFLAG_NEGOTIATE_ANONYMOUS " },
    { NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED, "NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED " },
    { NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED,
      "NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED " },
    { NTLMFLAG_NEGOTIATE_LOCAL_CALL, "NTLMFLAG_NEGOTIATE_LOCAL_CALL " },
    { NTLMFLAG_NEGOTIATE_ALWAYS_SIGN, "NTLMFLAG_NEGOTIATE_ALWAYS_SIGN " },
    { NTLMFLAG_TARGET_TYPE_DOMAIN, "NTLMFLAG_TARGET_TYPE_DOMAIN " },
    { NTLMFLAG_TARGET_TYPE_SERVER, "NTLMFLAG_TARGET_TYPE_SERVER " },
    { NTLMFLAG_TARGET_TYPE_SHARE, "NTLMFLAG_TARGET_TYPE_SHARE " },
    { NTLMFLAG_NEGOTIATE_NTLM2_KEY, "NTLMFLAG_NEGOTIATE_NTLM2_KEY " },
    { NTLMFLAG_REQUEST_INIT_RESPONSE, "NTLMFLAG_REQUEST_INIT_RESPONSE " },
    { NTLMFLAG_REQUEST_ACCEPT_RESPONSE, "NTLMFLAG_REQUEST_ACCEPT_RESPONSE " },
    { NTLMFLAG_REQUEST_NONNT_SESSION_KEY, "NTLMFLAG_REQUEST_NONNT_SESSION_KEY " },
    { NTLMFLAG_NEGOTIATE_TARGET_INFO, "NTLMFLAG_NEGOTIATE_TARGET_INFO " },
    { (1<<24), "NTLMFLAG_UNKNOWN_24 " },
    { (1<<25), "NTLMFLAG_UNKNOWN_25 " },
    { (1<<26), "NTLMFLAG_UNKNOWN_26 " },
    { (1<<27), "NTLMFLAG_UNKNOWN_27 " },
    { (1<<28), "NTLMFLAG_UNKNOWN_28 " },
    { NTLMFLAG_NEGOTIATE_128, "NTLMFLAG_NEGOTIATE_128 " },
    { NTLMFLAG_NEGOTIATE_KEY_EXCHANGE, "NTLMFLAG_NEGOTIATE_KEY_EXCHANGE " },
    { NTLMFLAG_NEGOTIATE_56, "NTLMFLAG_NEGOTIATE_56 " }
  };
  size_t idx;

  for(idx = 0; idx < sizeof(flag_names) / sizeof(flag_names[0]); idx++) {
    if(flags & flag_names[idx].bit)
      fputs(flag_names[idx].name, handle);
  }
}
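/* Debug helper: write 'len' bytes of 'buf' to 'handle' as "0x" followed by
   two lowercase hex digits per byte.

   Each byte is read through unsigned char before widening: a plain (signed)
   char holding a value >= 0x80 would sign-extend on promotion and print as
   eight digits ("ffffff80") instead of two. The stream argument is honoured
   rather than hard-wiring stderr, so callers can redirect the dump. */
static void ntlm_print_hex(FILE *handle, const char *buf, size_t len)
{
  const unsigned char *p = (const unsigned char *)buf;

  fprintf(handle, "0x");
  while(len-- > 0)
    fprintf(handle, "%02.2x", (unsigned int)*p++);
}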
  131. #else
  132. # define DEBUG_OUT(x) Curl_nop_stmt
  133. #endif
  134. /*
  135. * ntlm_decode_type2_target()
  136. *
  137. * This is used to decode the "target info" in the NTLM type-2 message
  138. * received.
  139. *
  140. * Parameters:
  141. *
  142. * data [in] - The session handle.
  143. * type2ref [in] - The type-2 message.
  144. * ntlm [in/out] - The NTLM data struct being used and modified.
  145. *
  146. * Returns CURLE_OK on success.
  147. */
/*
 * ntlm_decode_type2_target()
 *
 * Extract the optional "target info" block from a type-2 message into
 * ntlm->target_info / ntlm->target_info_len, replacing any earlier copy.
 * The block is described by a security buffer at offset 40 (length) and
 * 44 (offset); both are peer-supplied and are bounds-checked against the
 * message before anything is read.
 *
 * Parameters:
 *
 * data     [in]     - The session handle.
 * type2ref [in]     - The type-2 message.
 * ntlm     [in/out] - The NTLM data struct being used and modified.
 *
 * Returns CURLE_OK on success, CURLE_BAD_CONTENT_ENCODING when the security
 * buffer points outside the message, CURLE_OUT_OF_MEMORY on allocation
 * failure.
 */
static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
                                         const struct bufref *type2ref,
                                         struct ntlmdata *ntlm)
{
  const unsigned char *msg = Curl_bufref_ptr(type2ref);
  const size_t msglen = Curl_bufref_len(type2ref);
  unsigned short info_len = 0;

#if defined(CURL_DISABLE_VERBOSE_STRINGS)
  (void) data;
#endif

  /* A message shorter than 48 bytes cannot carry the target info security
     buffer at all; treat it as "no target info". */
  if(msglen >= 48) {
    unsigned int info_off;

    info_len = Curl_read16_le(&msg[40]);
    info_off = Curl_read32_le(&msg[44]);

    if(info_len) {
      /* The block must start after the fixed header and end inside the
         message; the first comparison also keeps the addition below from
         wrapping. */
      const int in_bounds = (info_off <= msglen) &&
                            ((info_off + info_len) <= msglen) &&
                            (info_off >= 48);

      if(!in_bounds) {
        infof(data, "NTLM handshake failure (bad type-2 message). "
              "Target Info Offset Len is set incorrect by the peer");
        return CURLE_BAD_CONTENT_ENCODING;
      }

      free(ntlm->target_info); /* replace any previous data */
      ntlm->target_info = Curl_memdup(&msg[info_off], info_len);
      if(!ntlm->target_info)
        return CURLE_OUT_OF_MEMORY;
    }
  }

  ntlm->target_info_len = info_len;

  return CURLE_OK;
}
  180. /*
  181. NTLM message structure notes:
  182. A 'short' is a 'network short', a little-endian 16-bit unsigned value.
  183. A 'long' is a 'network long', a little-endian, 32-bit unsigned value.
  184. A 'security buffer' represents a triplet used to point to a buffer,
  185. consisting of two shorts and one long:
  186. 1. A 'short' containing the length of the buffer content in bytes.
  187. 2. A 'short' containing the allocated space for the buffer in bytes.
  188. 3. A 'long' containing the offset to the start of the buffer in bytes,
  189. from the beginning of the NTLM message.
  190. */
  191. /*
  192. * Curl_auth_is_ntlm_supported()
  193. *
  194. * This is used to evaluate if NTLM is supported.
  195. *
  196. * Parameters: None
  197. *
  198. * Returns TRUE as NTLM is handled by libcurl.
  199. */
/* NTLM is implemented natively in this translation unit, so support does not
   depend on any runtime lookup and is reported unconditionally. */
bool Curl_auth_is_ntlm_supported(void)
{
  const bool supported = TRUE;
  return supported;
}
  204. /*
  205. * Curl_auth_decode_ntlm_type2_message()
  206. *
  207. * This is used to decode an NTLM type-2 message. The raw NTLM message is
  208. * checked for validity before the appropriate data for creating a type-3
  209. * message is written to the given NTLM data structure.
  210. *
  211. * Parameters:
  212. *
  213. * data [in] - The session handle.
  214. * type2ref [in] - The type-2 message.
  215. * ntlm [in/out] - The NTLM data struct being used and modified.
  216. *
  217. * Returns CURLE_OK on success.
  218. */
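CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
                                             const struct bufref *type2ref,
                                             struct ntlmdata *ntlm)
{
  static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };

  /* NTLM type-2 message structure:
     Index  Description            Content
     0      NTLMSSP Signature      Null-terminated ASCII "NTLMSSP"
                                   (0x4e544c4d53535000)
     8      NTLM Message Type      long (0x02000000)
     12     Target Name            security buffer
     20     Flags                  long
     24     Challenge              8 bytes
     (32)   Context                8 bytes (two consecutive longs) (*)
     (40)   Target Information     security buffer (*)
     (48)   OS Version Structure   8 bytes (*)
     32 (48) (56)                  Start of data block (*)
     (*) -> Optional
  */
  CURLcode result = CURLE_OK;
  const unsigned char *type2 = Curl_bufref_ptr(type2ref);
  size_t type2len = Curl_bufref_len(type2ref);

#if defined(CURL_DISABLE_VERBOSE_STRINGS)
  (void)data;
#endif

  ntlm->flags = 0;

  /* Validate before reading anything beyond the signature: the 32-byte
     minimum is what makes the flags (offset 20) and challenge (offsets
     24..31) reads below in-bounds. NTLMSSP_SIGNATURE is 7 characters plus its
     terminating NUL, which is the 8th byte of the on-the-wire signature. */
  if((type2len < 32) ||
     (memcmp(type2, NTLMSSP_SIGNATURE, 8) != 0) ||
     (memcmp(type2 + 8, type2_marker, sizeof(type2_marker)) != 0)) {
    /* This was not a good enough type-2 message */
    infof(data, "NTLM handshake failure (bad type-2 message)");
    return CURLE_BAD_CONTENT_ENCODING;
  }

  ntlm->flags = Curl_read32_le(&type2[20]);
  memcpy(ntlm->nonce, &type2[24], 8);

  /* Only fetch the target info when the peer says it is present; its
     security buffer is bounds-checked by ntlm_decode_type2_target(). */
  if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
    result = ntlm_decode_type2_target(data, type2ref, ntlm);
    if(result) {
      infof(data, "NTLM handshake failure (bad type-2 message)");
      return result;
    }
  }

  /* The debug dump no longer references a 'header' variable, which this
     function never had: with DEBUG_ME enabled that line did not compile.
     ntlm->flags is printed with %x to match the type-3 debug output (it is
     the unsigned int read by Curl_read32_le(), not a long). */
  DEBUG_OUT({
    fprintf(stderr, "**** TYPE2 header flags=0x%08.8x ", ntlm->flags);
    ntlm_print_flags(stderr, ntlm->flags);
    fprintf(stderr, "\n nonce=");
    ntlm_print_hex(stderr, (char *)ntlm->nonce, 8);
    fprintf(stderr, "\n****\n");
  });

  return result;
}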
  271. /* copy the source to the destination and fill in zeroes in every
  272. other destination byte! */
/* Widen 'length' bytes from src into dest as 16-bit little-endian code
   units: each source byte is followed by a zero high byte. Writes exactly
   2 * length bytes; the caller guarantees dest has room for them. */
static void unicodecpy(unsigned char *dest, const char *src, size_t length)
{
  unsigned char *out = dest;
  const char *end = src + length;

  while(src < end) {
    *out++ = (unsigned char)*src++;
    *out++ = '\0';
  }
}
  281. /*
  282. * Curl_auth_create_ntlm_type1_message()
  283. *
  284. * This is used to generate an NTLM type-1 message ready for sending to the
  285. * recipient using the appropriate compile time crypto API.
  286. *
  287. * Parameters:
  288. *
  289. * data [in] - The session handle.
  290. * userp [in] - The user name in the format User or Domain\User.
  291. * passwdp [in] - The user's password.
  292. * service [in] - The service type such as http, smtp, pop or imap.
  293. * host [in] - The host name.
  294. * ntlm [in/out] - The NTLM data struct being used and modified.
  295. * out [out] - The result storage.
  296. *
  297. * Returns CURLE_OK on success.
  298. */
CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
                                             const char *userp,
                                             const char *passwdp,
                                             const char *service,
                                             const char *hostname,
                                             struct ntlmdata *ntlm,
                                             struct bufref *out)
{
  /* NTLM type-1 message structure:
     Index  Description            Content
     0      NTLMSSP Signature      Null-terminated ASCII "NTLMSSP"
                                   (0x4e544c4d53535000)
     8      NTLM Message Type      long (0x01000000)
     12     Flags                  long
     (16)   Supplied Domain        security buffer (*)
     (24)   Supplied Workstation   security buffer (*)
     (32)   OS Version Structure   8 bytes (*)
     (32) (40)                     Start of data block (*)
     (*) -> Optional
  */
  /* The flags we advertise to the peer; the same value is emitted into the
     message and, when DEBUG_ME is set, into the debug dump. */
  const unsigned int type1_flags = NTLMFLAG_NEGOTIATE_OEM |
                                   NTLMFLAG_REQUEST_TARGET |
                                   NTLMFLAG_NEGOTIATE_NTLM_KEY |
                                   NTLMFLAG_NEGOTIATE_NTLM2_KEY |
                                   NTLMFLAG_NEGOTIATE_ALWAYS_SIGN;
  /* Neither a domain nor a workstation is supplied, so both security
     buffers have zero length and zero offset. */
  const char *domain_str = "";
  const char *host_str = "";
  const size_t domain_len = 0;
  const size_t host_len = 0;
  const size_t host_off = 0;
  const size_t domain_off = host_off + host_len; /* still 0 */
  char *msg;

  /* Unused in this implementation */
  (void)data;
  (void)userp;
  (void)passwdp;
  (void)service;
  (void)hostname;

  /* Clean up any former leftovers and initialise to defaults */
  Curl_auth_cleanup_ntlm(ntlm);

  msg = aprintf(NTLMSSP_SIGNATURE "%c"
                "\x01%c%c%c"  /* 32-bit type = 1 */
                "%c%c%c%c"    /* 32-bit NTLM flag field */
                "%c%c"        /* domain length */
                "%c%c"        /* domain allocated space */
                "%c%c"        /* domain name offset */
                "%c%c"        /* 2 zeroes */
                "%c%c"        /* host length */
                "%c%c"        /* host allocated space */
                "%c%c"        /* host name offset */
                "%c%c"        /* 2 zeroes */
                "%s"          /* host name */
                "%s",         /* domain string */
                0,            /* trailing zero */
                0, 0, 0,      /* part of type-1 long */
                LONGQUARTET(type1_flags),
                SHORTPAIR(domain_len),
                SHORTPAIR(domain_len),
                SHORTPAIR(domain_off),
                0, 0,
                SHORTPAIR(host_len),
                SHORTPAIR(host_len),
                SHORTPAIR(host_off),
                0, 0,
                host_str,     /* this is empty */
                domain_str    /* this is empty */);
  if(!msg)
    return CURLE_OUT_OF_MEMORY;

  DEBUG_OUT({
    fprintf(stderr, "* TYPE1 header flags=0x%02.2x%02.2x%02.2x%02.2x "
            "0x%08.8x ",
            LONGQUARTET(type1_flags), type1_flags);
    ntlm_print_flags(stderr, type1_flags);
    fprintf(stderr, "\n****\n");
  });

  /* Initial packet length: the 32-byte header plus the (empty) strings.
     Ownership of msg moves to the bufref, which frees it with curl_free. */
  Curl_bufref_set(out, msg, 32 + host_len + domain_len, curl_free);

  return CURLE_OK;
}
  393. /*
  394. * Curl_auth_create_ntlm_type3_message()
  395. *
  396. * This is used to generate an already encoded NTLM type-3 message ready for
  397. * sending to the recipient using the appropriate compile time crypto API.
  398. *
  399. * Parameters:
  400. *
  401. * data [in] - The session handle.
  402. * userp [in] - The user name in the format User or Domain\User.
  403. * passwdp [in] - The user's password.
  404. * ntlm [in/out] - The NTLM data struct being used and modified.
  405. * out [out] - The result storage.
  406. *
  407. * Returns CURLE_OK on success.
  408. */
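CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
                                             const char *userp,
                                             const char *passwdp,
                                             struct ntlmdata *ntlm,
                                             struct bufref *out)
{
  /* NTLM type-3 message structure:
     Index  Description            Content
     0      NTLMSSP Signature      Null-terminated ASCII "NTLMSSP"
                                   (0x4e544c4d53535000)
     8      NTLM Message Type      long (0x03000000)
     12     LM/LMv2 Response       security buffer
     20     NTLM/NTLMv2 Response   security buffer
     28     Target Name            security buffer
     36     User Name              security buffer
     44     Workstation Name       security buffer
     (52)   Session Key            security buffer (*)
     (60)   Flags                  long (*)
     (64)   OS Version Structure   8 bytes (*)
     52 (64) (72)                  Start of data block
     (*) -> Optional
  */
  CURLcode result = CURLE_OK;
  size_t size;
  unsigned char ntlmbuf[NTLM_BUFSIZE];
  unsigned int lmrespoff;
  unsigned char lmresp[24]; /* fixed-size */
  unsigned int ntrespoff;
  unsigned int ntresplen = 24;
  unsigned char ntresp[24]; /* fixed-size */
  unsigned char *ptr_ntresp = &ntresp[0];
  /* Heap buffer produced by Curl_ntlm_core_mk_ntlmv2_resp() on the NTLMv2
     path only; this function owns it and must free it on every exit after
     that call. */
  unsigned char *ntlmv2resp = NULL;
  bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
  char host[HOSTNAME_MAX + 1] = "";
  const char *user;
  const char *domain = "";
  size_t hostoff = 0;
  size_t useroff = 0;
  size_t domoff = 0;
  size_t hostlen = 0;
  size_t userlen = 0;
  size_t domlen = 0;

  memset(lmresp, 0, sizeof(lmresp));
  memset(ntresp, 0, sizeof(ntresp));

  /* Split "Domain\User" (or "Domain/User") into its parts; a bare user name
     gets the empty domain. */
  user = strchr(userp, '\\');
  if(!user)
    user = strchr(userp, '/');

  if(user) {
    domain = userp;
    domlen = (user - domain);
    user++;
  }
  else
    user = userp;

  userlen = strlen(user);

#ifndef NTLM_HOSTNAME
  /* Get the machine's un-qualified host name as NTLM doesn't like the fully
     qualified domain name */
  if(Curl_gethostname(host, sizeof(host))) {
    infof(data, "gethostname() failed, continuing without");
    hostlen = 0;
  }
  else {
    hostlen = strlen(host);
  }
#else
  /* Send the fixed workstation name rather than the real one (see the
     NTLM_HOSTNAME definition above). */
  (void)msnprintf(host, sizeof(host), "%s", NTLM_HOSTNAME);
  hostlen = sizeof(NTLM_HOSTNAME)-1;
#endif

  /* NOTE(review): ntbuffer, lmbuffer and ntlmv2hash below hold
     password-derived key material and are not explicitly wiped before they
     go out of scope. */
  if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
    unsigned char ntbuffer[0x18];
    unsigned char entropy[8];
    unsigned char ntlmv2hash[0x18];

    /* Full NTLM version 2
       Although this cannot be negotiated, it is used here if available, as
       servers featuring extended security are likely supporting also
       NTLMv2. */
    result = Curl_rand(data, entropy, 8);
    if(result)
      return result;

    result = Curl_ntlm_core_mk_nt_hash(passwdp, ntbuffer);
    if(result)
      return result;

    result = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
                                           ntbuffer, ntlmv2hash);
    if(result)
      return result;

    /* LMv2 response */
    result = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash, entropy,
                                         &ntlm->nonce[0], lmresp);
    if(result)
      return result;

    /* NTLMv2 response: allocates ntlmv2resp and sets ntresplen. The response
       embeds the server-supplied target info, so its length is
       peer-controlled. */
    result = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash, entropy,
                                           ntlm, &ntlmv2resp, &ntresplen);
    if(result)
      return result;

    ptr_ntresp = ntlmv2resp;
  }
  else {
    unsigned char ntbuffer[0x18];
    unsigned char lmbuffer[0x18];

    /* NTLM version 1 */

    result = Curl_ntlm_core_mk_nt_hash(passwdp, ntbuffer);
    if(result)
      return result;

    Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], ntresp);

    result = Curl_ntlm_core_mk_lm_hash(passwdp, lmbuffer);
    if(result)
      return result;

    Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
    ntlm->flags &= ~(unsigned int)NTLMFLAG_NEGOTIATE_NTLM2_KEY;

    /* A safer but less compatible alternative is:
     *   Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
     * See https://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */
  }

  /* In unicode mode every string byte becomes a 16-bit code unit. */
  if(unicode) {
    domlen = domlen * 2;
    userlen = userlen * 2;
    hostlen = hostlen * 2;
  }

  /* Layout of the data block that follows the 64-byte header, in the order
     the pieces are appended below. */
  lmrespoff = 64; /* size of the message header */
  ntrespoff = lmrespoff + 0x18;
  domoff = ntrespoff + ntresplen;
  useroff = domoff + domlen;
  hostoff = useroff + userlen;

  /* Create the big type-3 message binary blob */
  size = msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
                   NTLMSSP_SIGNATURE "%c"
                   "\x03%c%c%c"  /* 32-bit type = 3 */

                   "%c%c"  /* LanManager length */
                   "%c%c"  /* LanManager allocated space */
                   "%c%c"  /* LanManager offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* NT-response length */
                   "%c%c"  /* NT-response allocated space */
                   "%c%c"  /* NT-response offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* domain length */
                   "%c%c"  /* domain allocated space */
                   "%c%c"  /* domain name offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* user length */
                   "%c%c"  /* user allocated space */
                   "%c%c"  /* user offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* host length */
                   "%c%c"  /* host allocated space */
                   "%c%c"  /* host offset */
                   "%c%c"  /* 2 zeroes */

                   "%c%c"  /* session key length (unknown purpose) */
                   "%c%c"  /* session key allocated space (unknown purpose) */
                   "%c%c"  /* session key offset (unknown purpose) */
                   "%c%c"  /* 2 zeroes */

                   "%c%c%c%c",  /* flags */

                   /* domain string */
                   /* user string */
                   /* host string */
                   /* LanManager response */
                   /* NT response */

                   0,                /* null-termination */
                   0, 0, 0,          /* type-3 long, the 24 upper bits */

                   SHORTPAIR(0x18),  /* LanManager response length, twice */
                   SHORTPAIR(0x18),
                   SHORTPAIR(lmrespoff),
                   0x0, 0x0,

                   SHORTPAIR(ntresplen),  /* NT-response length, twice */
                   SHORTPAIR(ntresplen),
                   SHORTPAIR(ntrespoff),
                   0x0, 0x0,

                   SHORTPAIR(domlen),
                   SHORTPAIR(domlen),
                   SHORTPAIR(domoff),
                   0x0, 0x0,

                   SHORTPAIR(userlen),
                   SHORTPAIR(userlen),
                   SHORTPAIR(useroff),
                   0x0, 0x0,

                   SHORTPAIR(hostlen),
                   SHORTPAIR(hostlen),
                   SHORTPAIR(hostoff),
                   0x0, 0x0,

                   0x0, 0x0,
                   0x0, 0x0,
                   0x0, 0x0,
                   0x0, 0x0,

                   LONGQUARTET(ntlm->flags));

  DEBUGASSERT(size == 64);
  DEBUGASSERT(size == (size_t)lmrespoff);

  /* We append the binary hashes. size is the 64-byte header here, so this
     guard only bites if NTLM_BUFSIZE were made smaller than 64 + 0x18. */
  if(size < (NTLM_BUFSIZE - 0x18)) {
    memcpy(&ntlmbuf[size], lmresp, 0x18);
    size += 0x18;
  }

  DEBUG_OUT({
    fprintf(stderr, "**** TYPE3 header lmresp=");
    ntlm_print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18);
  });

  /* ntresplen + size should not be risking an integer overflow here. The
     NTLMv2 response carries the peer's target info, so an oversized one must
     be rejected before the copy; the heap response is released on this exit
     as well, it is not reached by the free() further down. */
  if(ntresplen + size > sizeof(ntlmbuf)) {
    failf(data, "incoming NTLM message too big");
    free(ntlmv2resp);
    return CURLE_OUT_OF_MEMORY;
  }

  DEBUGASSERT(size == (size_t)ntrespoff);

  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
  size += ntresplen;

  DEBUG_OUT({
    fprintf(stderr, "\n ntresp=");
    ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
  });

  free(ntlmv2resp); /* Free the dynamic buffer allocated for NTLMv2 */
  ntlmv2resp = NULL;

  DEBUG_OUT({
    fprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
            LONGQUARTET(ntlm->flags), ntlm->flags);
    ntlm_print_flags(stderr, ntlm->flags);
    fprintf(stderr, "\n****\n");
  });

  /* Make sure that the domain, user and host strings fit in the
     buffer before we copy them there. */
  if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) {
    failf(data, "user + domain + host name too big");
    return CURLE_OUT_OF_MEMORY;
  }

  DEBUGASSERT(size == domoff);
  if(unicode)
    unicodecpy(&ntlmbuf[size], domain, domlen / 2);
  else
    memcpy(&ntlmbuf[size], domain, domlen);

  size += domlen;

  DEBUGASSERT(size == useroff);
  if(unicode)
    unicodecpy(&ntlmbuf[size], user, userlen / 2);
  else
    memcpy(&ntlmbuf[size], user, userlen);

  size += userlen;

  DEBUGASSERT(size == hostoff);
  if(unicode)
    unicodecpy(&ntlmbuf[size], host, hostlen / 2);
  else
    memcpy(&ntlmbuf[size], host, hostlen);

  size += hostlen;

  /* Return the binary blob; the type-2 state (target info) is no longer
     needed once the type-3 message exists. */
  result = Curl_bufref_memdup(out, ntlmbuf, size);

  Curl_auth_cleanup_ntlm(ntlm);

  return result;
}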
  655. /*
  656. * Curl_auth_cleanup_ntlm()
  657. *
  658. * This is used to clean up the NTLM specific data.
  659. *
  660. * Parameters:
  661. *
  662. * ntlm [in/out] - The NTLM data struct being cleaned up.
  663. *
  664. */
/*
 * Curl_auth_cleanup_ntlm()
 *
 * Release the copied type-2 target info and reset its length so the struct
 * is back to its pristine state and may be reused for a new handshake.
 * free() accepts NULL, so it is safe to call this on a struct that never
 * received a type-2 message, or to call it twice.
 *
 * Parameters:
 *
 * ntlm [in/out] - The NTLM data struct being cleaned up.
 */
void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
{
  free(ntlm->target_info);
  ntlm->target_info = NULL;
  ntlm->target_info_len = 0;
}
  672. #endif /* USE_NTLM && !USE_WINDOWS_SSPI */