1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23 #include "curl_setup.h"
24
25 #if defined(USE_NTLM) && !defined(USE_WINDOWS_SSPI)
26
27 /*
28 * NTLM details:
29 *
30 * https://davenport.sourceforge.io/ntlm.html
31 * https://www.innovation.ch/java/ntlm.html
32 */
33
34 #define DEBUG_ME 0
35
36 #include "urldata.h"
37 #include "non-ascii.h"
38 #include "sendf.h"
39 #include "curl_ntlm_core.h"
40 #include "curl_gethostname.h"
41 #include "curl_multibyte.h"
42 #include "curl_md5.h"
43 #include "warnless.h"
44 #include "rand.h"
45 #include "vtls/vtls.h"
46
47 /* SSL backend-specific #if branches in this file must be kept in the order
48 documented in curl_ntlm_core. */
49 #if defined(NTLM_NEEDS_NSS_INIT)
50 #include "vtls/nssg.h" /* for Curl_nss_force_init() */
51 #endif
52
53 #define BUILDING_CURL_NTLM_MSGS_C
54 #include "vauth/vauth.h"
55 #include "vauth/ntlm.h"
56 #include "curl_endian.h"
57 #include "curl_printf.h"
58
59 /* The last #include files should be: */
60 #include "curl_memory.h"
61 #include "memdebug.h"
62
63 /* "NTLMSSP" signature is always in ASCII regardless of the platform */
64 #define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
65
66 #if DEBUG_ME
67 # define DEBUG_OUT(x) x
ntlm_print_flags(FILE * handle,unsigned long flags)68 static void ntlm_print_flags(FILE *handle, unsigned long flags)
69 {
70 if(flags & NTLMFLAG_NEGOTIATE_UNICODE)
71 fprintf(handle, "NTLMFLAG_NEGOTIATE_UNICODE ");
72 if(flags & NTLMFLAG_NEGOTIATE_OEM)
73 fprintf(handle, "NTLMFLAG_NEGOTIATE_OEM ");
74 if(flags & NTLMFLAG_REQUEST_TARGET)
75 fprintf(handle, "NTLMFLAG_REQUEST_TARGET ");
76 if(flags & (1<<3))
77 fprintf(handle, "NTLMFLAG_UNKNOWN_3 ");
78 if(flags & NTLMFLAG_NEGOTIATE_SIGN)
79 fprintf(handle, "NTLMFLAG_NEGOTIATE_SIGN ");
80 if(flags & NTLMFLAG_NEGOTIATE_SEAL)
81 fprintf(handle, "NTLMFLAG_NEGOTIATE_SEAL ");
82 if(flags & NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE)
83 fprintf(handle, "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE ");
84 if(flags & NTLMFLAG_NEGOTIATE_LM_KEY)
85 fprintf(handle, "NTLMFLAG_NEGOTIATE_LM_KEY ");
86 if(flags & NTLMFLAG_NEGOTIATE_NETWARE)
87 fprintf(handle, "NTLMFLAG_NEGOTIATE_NETWARE ");
88 if(flags & NTLMFLAG_NEGOTIATE_NTLM_KEY)
89 fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM_KEY ");
90 if(flags & (1<<10))
91 fprintf(handle, "NTLMFLAG_UNKNOWN_10 ");
92 if(flags & NTLMFLAG_NEGOTIATE_ANONYMOUS)
93 fprintf(handle, "NTLMFLAG_NEGOTIATE_ANONYMOUS ");
94 if(flags & NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED)
95 fprintf(handle, "NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED ");
96 if(flags & NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED)
97 fprintf(handle, "NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED ");
98 if(flags & NTLMFLAG_NEGOTIATE_LOCAL_CALL)
99 fprintf(handle, "NTLMFLAG_NEGOTIATE_LOCAL_CALL ");
100 if(flags & NTLMFLAG_NEGOTIATE_ALWAYS_SIGN)
101 fprintf(handle, "NTLMFLAG_NEGOTIATE_ALWAYS_SIGN ");
102 if(flags & NTLMFLAG_TARGET_TYPE_DOMAIN)
103 fprintf(handle, "NTLMFLAG_TARGET_TYPE_DOMAIN ");
104 if(flags & NTLMFLAG_TARGET_TYPE_SERVER)
105 fprintf(handle, "NTLMFLAG_TARGET_TYPE_SERVER ");
106 if(flags & NTLMFLAG_TARGET_TYPE_SHARE)
107 fprintf(handle, "NTLMFLAG_TARGET_TYPE_SHARE ");
108 if(flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY)
109 fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM2_KEY ");
110 if(flags & NTLMFLAG_REQUEST_INIT_RESPONSE)
111 fprintf(handle, "NTLMFLAG_REQUEST_INIT_RESPONSE ");
112 if(flags & NTLMFLAG_REQUEST_ACCEPT_RESPONSE)
113 fprintf(handle, "NTLMFLAG_REQUEST_ACCEPT_RESPONSE ");
114 if(flags & NTLMFLAG_REQUEST_NONNT_SESSION_KEY)
115 fprintf(handle, "NTLMFLAG_REQUEST_NONNT_SESSION_KEY ");
116 if(flags & NTLMFLAG_NEGOTIATE_TARGET_INFO)
117 fprintf(handle, "NTLMFLAG_NEGOTIATE_TARGET_INFO ");
118 if(flags & (1<<24))
119 fprintf(handle, "NTLMFLAG_UNKNOWN_24 ");
120 if(flags & (1<<25))
121 fprintf(handle, "NTLMFLAG_UNKNOWN_25 ");
122 if(flags & (1<<26))
123 fprintf(handle, "NTLMFLAG_UNKNOWN_26 ");
124 if(flags & (1<<27))
125 fprintf(handle, "NTLMFLAG_UNKNOWN_27 ");
126 if(flags & (1<<28))
127 fprintf(handle, "NTLMFLAG_UNKNOWN_28 ");
128 if(flags & NTLMFLAG_NEGOTIATE_128)
129 fprintf(handle, "NTLMFLAG_NEGOTIATE_128 ");
130 if(flags & NTLMFLAG_NEGOTIATE_KEY_EXCHANGE)
131 fprintf(handle, "NTLMFLAG_NEGOTIATE_KEY_EXCHANGE ");
132 if(flags & NTLMFLAG_NEGOTIATE_56)
133 fprintf(handle, "NTLMFLAG_NEGOTIATE_56 ");
134 }
135
ntlm_print_hex(FILE * handle,const char * buf,size_t len)136 static void ntlm_print_hex(FILE *handle, const char *buf, size_t len)
137 {
138 const char *p = buf;
139
140 (void) handle;
141
142 fprintf(stderr, "0x");
143 while(len-- > 0)
144 fprintf(stderr, "%02.2x", (unsigned int)*p++);
145 }
146 #else
147 # define DEBUG_OUT(x) Curl_nop_stmt
148 #endif
149
150 /*
151 * ntlm_decode_type2_target()
152 *
153 * This is used to decode the "target info" in the NTLM type-2 message
154 * received.
155 *
156 * Parameters:
157 *
158 * data [in] - The session handle.
159 * type2ref [in] - The type-2 message.
160 * ntlm [in/out] - The NTLM data struct being used and modified.
161 *
162 * Returns CURLE_OK on success.
163 */
ntlm_decode_type2_target(struct Curl_easy * data,const struct bufref * type2ref,struct ntlmdata * ntlm)164 static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
165 const struct bufref *type2ref,
166 struct ntlmdata *ntlm)
167 {
168 unsigned short target_info_len = 0;
169 unsigned int target_info_offset = 0;
170 const unsigned char *type2 = Curl_bufref_ptr(type2ref);
171 size_t type2len = Curl_bufref_len(type2ref);
172
173 #if defined(CURL_DISABLE_VERBOSE_STRINGS)
174 (void) data;
175 #endif
176
177 if(type2len >= 48) {
178 target_info_len = Curl_read16_le(&type2[40]);
179 target_info_offset = Curl_read32_le(&type2[44]);
180 if(target_info_len > 0) {
181 if((target_info_offset > type2len) ||
182 (target_info_offset + target_info_len) > type2len ||
183 target_info_offset < 48) {
184 infof(data, "NTLM handshake failure (bad type-2 message). "
185 "Target Info Offset Len is set incorrect by the peer");
186 return CURLE_BAD_CONTENT_ENCODING;
187 }
188
189 free(ntlm->target_info); /* replace any previous data */
190 ntlm->target_info = malloc(target_info_len);
191 if(!ntlm->target_info)
192 return CURLE_OUT_OF_MEMORY;
193
194 memcpy(ntlm->target_info, &type2[target_info_offset], target_info_len);
195 }
196 }
197
198 ntlm->target_info_len = target_info_len;
199
200 return CURLE_OK;
201 }
202
203 /*
204 NTLM message structure notes:
205
206 A 'short' is a 'network short', a little-endian 16-bit unsigned value.
207
208 A 'long' is a 'network long', a little-endian, 32-bit unsigned value.
209
210 A 'security buffer' represents a triplet used to point to a buffer,
211 consisting of two shorts and one long:
212
213 1. A 'short' containing the length of the buffer content in bytes.
214 2. A 'short' containing the allocated space for the buffer in bytes.
215 3. A 'long' containing the offset to the start of the buffer in bytes,
216 from the beginning of the NTLM message.
217 */
218
219 /*
220 * Curl_auth_is_ntlm_supported()
221 *
222 * This is used to evaluate if NTLM is supported.
223 *
224 * Parameters: None
225 *
226 * Returns TRUE as NTLM as handled by libcurl.
227 */
Curl_auth_is_ntlm_supported(void)228 bool Curl_auth_is_ntlm_supported(void)
229 {
230 return TRUE;
231 }
232
233 /*
234 * Curl_auth_decode_ntlm_type2_message()
235 *
236 * This is used to decode an NTLM type-2 message. The raw NTLM message is
237 * checked * for validity before the appropriate data for creating a type-3
238 * message is * written to the given NTLM data structure.
239 *
240 * Parameters:
241 *
242 * data [in] - The session handle.
243 * type2ref [in] - The type-2 message.
244 * ntlm [in/out] - The NTLM data struct being used and modified.
245 *
246 * Returns CURLE_OK on success.
247 */
Curl_auth_decode_ntlm_type2_message(struct Curl_easy * data,const struct bufref * type2ref,struct ntlmdata * ntlm)248 CURLcode Curl_auth_decode_ntlm_type2_message(struct Curl_easy *data,
249 const struct bufref *type2ref,
250 struct ntlmdata *ntlm)
251 {
252 static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };
253
254 /* NTLM type-2 message structure:
255
256 Index Description Content
257 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
258 (0x4e544c4d53535000)
259 8 NTLM Message Type long (0x02000000)
260 12 Target Name security buffer
261 20 Flags long
262 24 Challenge 8 bytes
263 (32) Context 8 bytes (two consecutive longs) (*)
264 (40) Target Information security buffer (*)
265 (48) OS Version Structure 8 bytes (*)
266 32 (48) (56) Start of data block (*)
267 (*) -> Optional
268 */
269
270 CURLcode result = CURLE_OK;
271 const unsigned char *type2 = Curl_bufref_ptr(type2ref);
272 size_t type2len = Curl_bufref_len(type2ref);
273
274 #if defined(NTLM_NEEDS_NSS_INIT)
275 /* Make sure the crypto backend is initialized */
276 result = Curl_nss_force_init(data);
277 if(result)
278 return result;
279 #elif defined(CURL_DISABLE_VERBOSE_STRINGS)
280 (void)data;
281 #endif
282
283 ntlm->flags = 0;
284
285 if((type2len < 32) ||
286 (memcmp(type2, NTLMSSP_SIGNATURE, 8) != 0) ||
287 (memcmp(type2 + 8, type2_marker, sizeof(type2_marker)) != 0)) {
288 /* This was not a good enough type-2 message */
289 infof(data, "NTLM handshake failure (bad type-2 message)");
290 return CURLE_BAD_CONTENT_ENCODING;
291 }
292
293 ntlm->flags = Curl_read32_le(&type2[20]);
294 memcpy(ntlm->nonce, &type2[24], 8);
295
296 if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
297 result = ntlm_decode_type2_target(data, type2ref, ntlm);
298 if(result) {
299 infof(data, "NTLM handshake failure (bad type-2 message)");
300 return result;
301 }
302 }
303
304 DEBUG_OUT({
305 fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ", ntlm->flags);
306 ntlm_print_flags(stderr, ntlm->flags);
307 fprintf(stderr, "\n nonce=");
308 ntlm_print_hex(stderr, (char *)ntlm->nonce, 8);
309 fprintf(stderr, "\n****\n");
310 fprintf(stderr, "**** Header %s\n ", header);
311 });
312
313 return result;
314 }
315
316 /* copy the source to the destination and fill in zeroes in every
317 other destination byte! */
unicodecpy(unsigned char * dest,const char * src,size_t length)318 static void unicodecpy(unsigned char *dest, const char *src, size_t length)
319 {
320 size_t i;
321 for(i = 0; i < length; i++) {
322 dest[2 * i] = (unsigned char)src[i];
323 dest[2 * i + 1] = '\0';
324 }
325 }
326
327 /*
328 * Curl_auth_create_ntlm_type1_message()
329 *
330 * This is used to generate an NTLM type-1 message ready for sending to the
331 * recipient using the appropriate compile time crypto API.
332 *
333 * Parameters:
334 *
335 * data [in] - The session handle.
336 * userp [in] - The user name in the format User or Domain\User.
337 * passwdp [in] - The user's password.
338 * service [in] - The service type such as http, smtp, pop or imap.
339 * host [in] - The host name.
340 * ntlm [in/out] - The NTLM data struct being used and modified.
341 * out [out] - The result storage.
342 *
343 * Returns CURLE_OK on success.
344 */
Curl_auth_create_ntlm_type1_message(struct Curl_easy * data,const char * userp,const char * passwdp,const char * service,const char * hostname,struct ntlmdata * ntlm,struct bufref * out)345 CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data,
346 const char *userp,
347 const char *passwdp,
348 const char *service,
349 const char *hostname,
350 struct ntlmdata *ntlm,
351 struct bufref *out)
352 {
353 /* NTLM type-1 message structure:
354
355 Index Description Content
356 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
357 (0x4e544c4d53535000)
358 8 NTLM Message Type long (0x01000000)
359 12 Flags long
360 (16) Supplied Domain security buffer (*)
361 (24) Supplied Workstation security buffer (*)
362 (32) OS Version Structure 8 bytes (*)
363 (32) (40) Start of data block (*)
364 (*) -> Optional
365 */
366
367 size_t size;
368
369 char *ntlmbuf;
370 const char *host = ""; /* empty */
371 const char *domain = ""; /* empty */
372 size_t hostlen = 0;
373 size_t domlen = 0;
374 size_t hostoff = 0;
375 size_t domoff = hostoff + hostlen; /* This is 0: remember that host and
376 domain are empty */
377 (void)data;
378 (void)userp;
379 (void)passwdp;
380 (void)service,
381 (void)hostname,
382
383 /* Clean up any former leftovers and initialise to defaults */
384 Curl_auth_cleanup_ntlm(ntlm);
385
386 #if defined(USE_NTRESPONSES) && \
387 (defined(USE_NTLM2SESSION) || defined(USE_NTLM_V2))
388 #define NTLM2FLAG NTLMFLAG_NEGOTIATE_NTLM2_KEY
389 #else
390 #define NTLM2FLAG 0
391 #endif
392 ntlmbuf = aprintf(NTLMSSP_SIGNATURE "%c"
393 "\x01%c%c%c" /* 32-bit type = 1 */
394 "%c%c%c%c" /* 32-bit NTLM flag field */
395 "%c%c" /* domain length */
396 "%c%c" /* domain allocated space */
397 "%c%c" /* domain name offset */
398 "%c%c" /* 2 zeroes */
399 "%c%c" /* host length */
400 "%c%c" /* host allocated space */
401 "%c%c" /* host name offset */
402 "%c%c" /* 2 zeroes */
403 "%s" /* host name */
404 "%s", /* domain string */
405 0, /* trailing zero */
406 0, 0, 0, /* part of type-1 long */
407
408 LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM |
409 NTLMFLAG_REQUEST_TARGET |
410 NTLMFLAG_NEGOTIATE_NTLM_KEY |
411 NTLM2FLAG |
412 NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
413 SHORTPAIR(domlen),
414 SHORTPAIR(domlen),
415 SHORTPAIR(domoff),
416 0, 0,
417 SHORTPAIR(hostlen),
418 SHORTPAIR(hostlen),
419 SHORTPAIR(hostoff),
420 0, 0,
421 host, /* this is empty */
422 domain /* this is empty */);
423
424 if(!ntlmbuf)
425 return CURLE_OUT_OF_MEMORY;
426
427 /* Initial packet length */
428 size = 32 + hostlen + domlen;
429
430 DEBUG_OUT({
431 fprintf(stderr, "* TYPE1 header flags=0x%02.2x%02.2x%02.2x%02.2x "
432 "0x%08.8x ",
433 LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM |
434 NTLMFLAG_REQUEST_TARGET |
435 NTLMFLAG_NEGOTIATE_NTLM_KEY |
436 NTLM2FLAG |
437 NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
438 NTLMFLAG_NEGOTIATE_OEM |
439 NTLMFLAG_REQUEST_TARGET |
440 NTLMFLAG_NEGOTIATE_NTLM_KEY |
441 NTLM2FLAG |
442 NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
443 ntlm_print_flags(stderr,
444 NTLMFLAG_NEGOTIATE_OEM |
445 NTLMFLAG_REQUEST_TARGET |
446 NTLMFLAG_NEGOTIATE_NTLM_KEY |
447 NTLM2FLAG |
448 NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
449 fprintf(stderr, "\n****\n");
450 });
451
452 Curl_bufref_set(out, ntlmbuf, size, curl_free);
453 return CURLE_OK;
454 }
455
456 /*
457 * Curl_auth_create_ntlm_type3_message()
458 *
459 * This is used to generate an already encoded NTLM type-3 message ready for
460 * sending to the recipient using the appropriate compile time crypto API.
461 *
462 * Parameters:
463 *
464 * data [in] - The session handle.
465 * userp [in] - The user name in the format User or Domain\User.
466 * passwdp [in] - The user's password.
467 * ntlm [in/out] - The NTLM data struct being used and modified.
468 * out [out] - The result storage.
469 *
470 * Returns CURLE_OK on success.
471 */
Curl_auth_create_ntlm_type3_message(struct Curl_easy * data,const char * userp,const char * passwdp,struct ntlmdata * ntlm,struct bufref * out)472 CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
473 const char *userp,
474 const char *passwdp,
475 struct ntlmdata *ntlm,
476 struct bufref *out)
477 {
478 /* NTLM type-3 message structure:
479
480 Index Description Content
481 0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
482 (0x4e544c4d53535000)
483 8 NTLM Message Type long (0x03000000)
484 12 LM/LMv2 Response security buffer
485 20 NTLM/NTLMv2 Response security buffer
486 28 Target Name security buffer
487 36 User Name security buffer
488 44 Workstation Name security buffer
489 (52) Session Key security buffer (*)
490 (60) Flags long (*)
491 (64) OS Version Structure 8 bytes (*)
492 52 (64) (72) Start of data block
493 (*) -> Optional
494 */
495
496 CURLcode result = CURLE_OK;
497 size_t size;
498 unsigned char ntlmbuf[NTLM_BUFSIZE];
499 int lmrespoff;
500 unsigned char lmresp[24]; /* fixed-size */
501 #ifdef USE_NTRESPONSES
502 int ntrespoff;
503 unsigned int ntresplen = 24;
504 unsigned char ntresp[24]; /* fixed-size */
505 unsigned char *ptr_ntresp = &ntresp[0];
506 unsigned char *ntlmv2resp = NULL;
507 #endif
508 bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
509 char host[HOSTNAME_MAX + 1] = "";
510 const char *user;
511 const char *domain = "";
512 size_t hostoff = 0;
513 size_t useroff = 0;
514 size_t domoff = 0;
515 size_t hostlen = 0;
516 size_t userlen = 0;
517 size_t domlen = 0;
518
519 user = strchr(userp, '\\');
520 if(!user)
521 user = strchr(userp, '/');
522
523 if(user) {
524 domain = userp;
525 domlen = (user - domain);
526 user++;
527 }
528 else
529 user = userp;
530
531 userlen = strlen(user);
532
533 /* Get the machine's un-qualified host name as NTLM doesn't like the fully
534 qualified domain name */
535 if(Curl_gethostname(host, sizeof(host))) {
536 infof(data, "gethostname() failed, continuing without!");
537 hostlen = 0;
538 }
539 else {
540 hostlen = strlen(host);
541 }
542
543 #if defined(USE_NTRESPONSES) && \
544 (defined(USE_NTLM2SESSION) || defined(USE_NTLM_V2))
545 /* We don't support NTLM2 or extended security if we don't have
546 USE_NTRESPONSES */
547 if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
548 # if defined(USE_NTLM_V2)
549 unsigned char ntbuffer[0x18];
550 unsigned char entropy[8];
551 unsigned char ntlmv2hash[0x18];
552
553 /* Full NTLM version 2
554 Although this cannot be negotiated, it is used here if available, as
555 servers featuring extended security are likely supporting also
556 NTLMv2. */
557 result = Curl_rand(data, entropy, 8);
558 if(result)
559 return result;
560
561 result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
562 if(result)
563 return result;
564
565 result = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
566 ntbuffer, ntlmv2hash);
567 if(result)
568 return result;
569
570 /* LMv2 response */
571 result = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash, entropy,
572 &ntlm->nonce[0], lmresp);
573 if(result)
574 return result;
575
576 /* NTLMv2 response */
577 result = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash, entropy,
578 ntlm, &ntlmv2resp, &ntresplen);
579 if(result)
580 return result;
581
582 ptr_ntresp = ntlmv2resp;
583 # else /* defined(USE_NTLM_V2) */
584 unsigned char ntbuffer[0x18];
585 unsigned char tmp[0x18];
586 unsigned char md5sum[MD5_DIGEST_LEN];
587 unsigned char entropy[8];
588
589 /* NTLM version 1 with extended security. */
590
591 /* Need to create 8 bytes random data */
592 result = Curl_rand(data, entropy, 8);
593 if(result)
594 return result;
595
596 /* 8 bytes random data as challenge in lmresp */
597 memcpy(lmresp, entropy, 8);
598
599 /* Pad with zeros */
600 memset(lmresp + 8, 0, 0x10);
601
602 /* Fill tmp with challenge(nonce?) + entropy */
603 memcpy(tmp, &ntlm->nonce[0], 8);
604 memcpy(tmp + 8, entropy, 8);
605
606 Curl_md5it(md5sum, tmp, 16);
607
608 /* We shall only use the first 8 bytes of md5sum, but the des code in
609 Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
610 result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
611 if(result)
612 return result;
613
614 Curl_ntlm_core_lm_resp(ntbuffer, md5sum, ntresp);
615
616 /* End of NTLM2 Session code */
617 /* NTLM v2 session security is a misnomer because it is not NTLM v2.
618 It is NTLM v1 using the extended session security that is also
619 in NTLM v2 */
620 # endif /* defined(USE_NTLM_V2) */
621 }
622 else
623 #endif
624 {
625
626 #ifdef USE_NTRESPONSES
627 unsigned char ntbuffer[0x18];
628 #endif
629 unsigned char lmbuffer[0x18];
630
631 /* NTLM version 1 */
632
633 #ifdef USE_NTRESPONSES
634 result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
635 if(result)
636 return result;
637
638 Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], ntresp);
639 #endif
640
641 result = Curl_ntlm_core_mk_lm_hash(data, passwdp, lmbuffer);
642 if(result)
643 return result;
644
645 Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
646 ntlm->flags &= ~NTLMFLAG_NEGOTIATE_NTLM2_KEY;
647
648 /* A safer but less compatible alternative is:
649 * Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
650 * See https://davenport.sourceforge.io/ntlm.html#ntlmVersion2 */
651 }
652
653 if(unicode) {
654 domlen = domlen * 2;
655 userlen = userlen * 2;
656 hostlen = hostlen * 2;
657 }
658
659 lmrespoff = 64; /* size of the message header */
660 #ifdef USE_NTRESPONSES
661 ntrespoff = lmrespoff + 0x18;
662 domoff = ntrespoff + ntresplen;
663 #else
664 domoff = lmrespoff + 0x18;
665 #endif
666 useroff = domoff + domlen;
667 hostoff = useroff + userlen;
668
669 /* Create the big type-3 message binary blob */
670 size = msnprintf((char *)ntlmbuf, NTLM_BUFSIZE,
671 NTLMSSP_SIGNATURE "%c"
672 "\x03%c%c%c" /* 32-bit type = 3 */
673
674 "%c%c" /* LanManager length */
675 "%c%c" /* LanManager allocated space */
676 "%c%c" /* LanManager offset */
677 "%c%c" /* 2 zeroes */
678
679 "%c%c" /* NT-response length */
680 "%c%c" /* NT-response allocated space */
681 "%c%c" /* NT-response offset */
682 "%c%c" /* 2 zeroes */
683
684 "%c%c" /* domain length */
685 "%c%c" /* domain allocated space */
686 "%c%c" /* domain name offset */
687 "%c%c" /* 2 zeroes */
688
689 "%c%c" /* user length */
690 "%c%c" /* user allocated space */
691 "%c%c" /* user offset */
692 "%c%c" /* 2 zeroes */
693
694 "%c%c" /* host length */
695 "%c%c" /* host allocated space */
696 "%c%c" /* host offset */
697 "%c%c" /* 2 zeroes */
698
699 "%c%c" /* session key length (unknown purpose) */
700 "%c%c" /* session key allocated space (unknown purpose) */
701 "%c%c" /* session key offset (unknown purpose) */
702 "%c%c" /* 2 zeroes */
703
704 "%c%c%c%c", /* flags */
705
706 /* domain string */
707 /* user string */
708 /* host string */
709 /* LanManager response */
710 /* NT response */
711
712 0, /* zero termination */
713 0, 0, 0, /* type-3 long, the 24 upper bits */
714
715 SHORTPAIR(0x18), /* LanManager response length, twice */
716 SHORTPAIR(0x18),
717 SHORTPAIR(lmrespoff),
718 0x0, 0x0,
719
720 #ifdef USE_NTRESPONSES
721 SHORTPAIR(ntresplen), /* NT-response length, twice */
722 SHORTPAIR(ntresplen),
723 SHORTPAIR(ntrespoff),
724 0x0, 0x0,
725 #else
726 0x0, 0x0,
727 0x0, 0x0,
728 0x0, 0x0,
729 0x0, 0x0,
730 #endif
731 SHORTPAIR(domlen),
732 SHORTPAIR(domlen),
733 SHORTPAIR(domoff),
734 0x0, 0x0,
735
736 SHORTPAIR(userlen),
737 SHORTPAIR(userlen),
738 SHORTPAIR(useroff),
739 0x0, 0x0,
740
741 SHORTPAIR(hostlen),
742 SHORTPAIR(hostlen),
743 SHORTPAIR(hostoff),
744 0x0, 0x0,
745
746 0x0, 0x0,
747 0x0, 0x0,
748 0x0, 0x0,
749 0x0, 0x0,
750
751 LONGQUARTET(ntlm->flags));
752
753 DEBUGASSERT(size == 64);
754 DEBUGASSERT(size == (size_t)lmrespoff);
755
756 /* We append the binary hashes */
757 if(size < (NTLM_BUFSIZE - 0x18)) {
758 memcpy(&ntlmbuf[size], lmresp, 0x18);
759 size += 0x18;
760 }
761
762 DEBUG_OUT({
763 fprintf(stderr, "**** TYPE3 header lmresp=");
764 ntlm_print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18);
765 });
766
767 #ifdef USE_NTRESPONSES
768 /* ntresplen + size should not be risking an integer overflow here */
769 if(ntresplen + size > sizeof(ntlmbuf)) {
770 failf(data, "incoming NTLM message too big");
771 return CURLE_OUT_OF_MEMORY;
772 }
773 DEBUGASSERT(size == (size_t)ntrespoff);
774 memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
775 size += ntresplen;
776
777 DEBUG_OUT({
778 fprintf(stderr, "\n ntresp=");
779 ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
780 });
781
782 free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
783
784 #endif
785
786 DEBUG_OUT({
787 fprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
788 LONGQUARTET(ntlm->flags), ntlm->flags);
789 ntlm_print_flags(stderr, ntlm->flags);
790 fprintf(stderr, "\n****\n");
791 });
792
793 /* Make sure that the domain, user and host strings fit in the
794 buffer before we copy them there. */
795 if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) {
796 failf(data, "user + domain + host name too big");
797 return CURLE_OUT_OF_MEMORY;
798 }
799
800 DEBUGASSERT(size == domoff);
801 if(unicode)
802 unicodecpy(&ntlmbuf[size], domain, domlen / 2);
803 else
804 memcpy(&ntlmbuf[size], domain, domlen);
805
806 size += domlen;
807
808 DEBUGASSERT(size == useroff);
809 if(unicode)
810 unicodecpy(&ntlmbuf[size], user, userlen / 2);
811 else
812 memcpy(&ntlmbuf[size], user, userlen);
813
814 size += userlen;
815
816 DEBUGASSERT(size == hostoff);
817 if(unicode)
818 unicodecpy(&ntlmbuf[size], host, hostlen / 2);
819 else
820 memcpy(&ntlmbuf[size], host, hostlen);
821
822 size += hostlen;
823
824 /* Convert domain, user, and host to ASCII but leave the rest as-is */
825 result = Curl_convert_to_network(data, (char *)&ntlmbuf[domoff],
826 size - domoff);
827 if(result)
828 return CURLE_CONV_FAILED;
829
830 /* Return the binary blob. */
831 result = Curl_bufref_memdup(out, ntlmbuf, size);
832
833 Curl_auth_cleanup_ntlm(ntlm);
834
835 return result;
836 }
837
838 /*
839 * Curl_auth_cleanup_ntlm()
840 *
841 * This is used to clean up the NTLM specific data.
842 *
843 * Parameters:
844 *
845 * ntlm [in/out] - The NTLM data struct being cleaned up.
846 *
847 */
Curl_auth_cleanup_ntlm(struct ntlmdata * ntlm)848 void Curl_auth_cleanup_ntlm(struct ntlmdata *ntlm)
849 {
850 /* Free the target info */
851 Curl_safefree(ntlm->target_info);
852
853 /* Reset any variables */
854 ntlm->target_info_len = 0;
855 }
856
857 #endif /* USE_NTLM && !USE_WINDOWS_SSPI */
858