94439e4e | 1 | /* |
b8ae064d | 2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
94439e4e | 3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
94439e4e | 7 | */ |
8 | ||
9 | #ifndef SQUID_LIB_NTLMAUTH_NTLMAUTH_H |
10 | #define SQUID_LIB_NTLMAUTH_NTLMAUTH_H | |
94439e4e | 11 | |
dac46b89 | 12 | /* NP: All of this cruft is little endian */ |
2f8abb64 | 13 | /* Endian functions are usually handled by the OS but not always. */ |
5fc112ea | 14 | #include "ntlmauth/support_endian.h" |
77d6bd88 | 15 | |
/* Used internally. Microsoft seems to think this is right, I believe them.
 * Right. */
/* Upper bound on the length of a single NTLMSSP string field (domain, user,
 * workstation, target, ...). NOTE(review): how a received strhdr whose len
 * exceeds this bound is treated is not visible in this header; confirm the
 * check in ntlm_fetch_string / ntlm_unpack_auth. */
#define NTLM_MAX_FIELD_LENGTH 300 /* max length of an NTLMSSP field */
94439e4e | 19 | |
/* max length of the BLOB data. (and helper input/output buffer) */
/* NOTE(review): the base64 BLOB exchanged with the helper and the helper's
 * line buffers are presumably sized from this constant; the raw NTLM packet
 * it decodes to is bounded separately by the struct sizes below. */
#define NTLM_BLOB_BUFFER_SIZE 10240
94439e4e | 22 | |
f53969cc | 23 | /* Here start the NTLMSSP definitions */ |
94439e4e | 24 | |
/* these are marked as "extra" fields */
/* Flag bits carried in the 32-bit flags word of the packets below, in the
 * same bit space as the NTLM_NEGOTIATE_* and NTLM_CHALLENGE_* bits. */
#define NTLM_REQUEST_INIT_RESPONSE 0x100000
#define NTLM_REQUEST_ACCEPT_RESPONSE 0x200000
#define NTLM_REQUEST_NON_NT_SESSION_KEY 0x400000
29 | ||
/* NTLM error codes */
/** Result codes returned by ntlm_validate_packet() and ntlm_unpack_auth().
 * None (0) is the no-error value; every other member reports a failure.
 * The enumerator names are part of the public API, including the existing
 * spelling of LoginEror.
 */
enum class NtlmError
{
    None = 0,
    ServerError,
    ProtocolError,
    LoginEror,       /**< (sic) spelling is part of the API */
    UntrustedDomain,
    NotConnected,
    SspiError,
    BadNtGroup,
    BadRequest,
    InternalError,
    BlobError,       /**< problem with the base64 BLOB or its buffer */
    BadProtocol
};
46 | |
/** String header. String data resides at the end of the request.
 *
 * All three fields are signed and arrive from the peer unchanged (the packet
 * is little-endian, see the note at the top of this file). Any bounds check
 * performed on a received header must therefore reject negative len, maxlen
 * and offset values as well as values that run past the packet length;
 * NOTE(review): confirm ntlm_fetch_string() does both.
 */
typedef struct _strhdr {
    int16_t len;    /**< Length in bytes */
    int16_t maxlen; /**< Allocated space in bytes */
    int32_t offset; /**< Offset from start of request */
} strhdr;
53 | ||
/** We use this to keep data/length couples.
 *
 * NOTE(review): as returned by ntlm_fetch_string(), str presumably points
 * into the source packet rather than owning a copy, so it must not be freed
 * and must not outlive the packet — confirm against the implementation.
 */
typedef struct _lstring {
    int32_t l;  /**< length, -1 if empty */
    char *str;  /**< the string. NULL if not initialized */
} lstring;
59 | ||
/** Debug dump the given flags field to stderr.
 * \param flags  the 32-bit flags word of a negotiate/challenge/authenticate packet
 */
void ntlm_dump_ntlmssp_flags(const uint32_t flags);
62 | ||
63 | /* ************************************************************************* */ | |
64 | /* Packet and Payload structures and handling functions */ | |
65 | /* ************************************************************************* */ | |
66 | ||
/* NTLM request types that we know about */
/* Values of ntlmhdr.type. NTLM_ANY is a wildcard used when matching the type
 * (see ntlm_validate_packet), not a value that appears on the wire. */
#define NTLM_ANY 0
#define NTLM_NEGOTIATE 1
#define NTLM_CHALLENGE 2
#define NTLM_AUTHENTICATE 3
72 | ||
/** This is an header common to all packets, it's used to discriminate
 * among the different packet signature types.
 *
 * Every NTLMSSP packet starts with this header; the type field is stored
 * little-endian on the wire (see the LSWAP(...) notes on the structs below).
 */
typedef struct _ntlmhdr {
    char signature[8]; /**< "NTLMSSP" followed by a terminating NUL */
    int32_t type;      /**< One of the NTLM_* types above. */
} ntlmhdr;
80 | ||
/** Validate the packet type matches one we want.
 * \param packet  header of the received packet
 * \param type    expected NTLM_* type; NOTE(review): NTLM_ANY presumably
 *                accepts any known type — confirm in the implementation
 * \return NtlmError::None when the packet is acceptable, another NtlmError
 *         otherwise (the signature is presumably checked too — confirm)
 */
NtlmError ntlm_validate_packet(const ntlmhdr *packet, const int32_t type);
83 | |
/** Retrieve a string from the NTLM packet payload.
 * \param packet         start of the packet; str->offset is relative to it
 * \param packet_length  number of bytes actually received for packet; the
 *                       untrusted len/offset in str must be checked against
 *                       this, not against sizeof the struct
 * \param str            string header taken from the packet
 * \param flags          packet flags; presumably selects the unicode/ascii
 *                       encoding (NTLM_NEGOTIATE_UNICODE) — confirm
 * \return an lstring with l == -1 / str == NULL when the field is empty or
 *         fails validation (see the lstring comments); the returned str is
 *         expected to point into packet, not into a new allocation
 */
lstring ntlm_fetch_string(const ntlmhdr *packet,
                          const int32_t packet_length,
                          const strhdr *str,
                          const uint32_t flags);
89 | ||
/** Append a string to the NTLM packet payload.
 * \param packet_hdr      start of the packet being built; hdr->offset is
 *                        computed relative to it
 * \param payload         payload buffer the bytes are appended to
 * \param payload_length  bytes already used in payload; presumably advanced
 *                        by toadd_length on return — confirm
 * \param hdr             string header filled in to describe the appended data
 * \param toadd           bytes to append
 * \param toadd_length    number of bytes to append
 *
 * NOTE(review): no capacity for payload is passed in, so this function cannot
 * bound the write itself; callers must guarantee *payload_length +
 * toadd_length fits the payload array of the packet struct in use.
 */
void ntlm_add_to_payload(const ntlmhdr *packet_hdr,
                         char *payload,
                         int *payload_length,
                         strhdr * hdr,
                         const char *toadd,
                         const uint16_t toadd_length);
97 | ||
98 | /* ************************************************************************* */ | |
99 | /* Negotiate Packet structures and functions */ | |
100 | /* ************************************************************************* */ | |
101 | ||
/* negotiate request flags */
/* Bits of ntlm_negotiate.flags sent by the client. UNICODE/ASCII select the
 * encoding of the string fields; *_SUPPLIED say whether the domain and
 * workstation headers carry data. */
#define NTLM_NEGOTIATE_UNICODE 0x0001
#define NTLM_NEGOTIATE_ASCII 0x0002
#define NTLM_NEGOTIATE_REQUEST_TARGET 0x0004
#define NTLM_NEGOTIATE_REQUEST_SIGN 0x0010
#define NTLM_NEGOTIATE_REQUEST_SEAL 0x0020
#define NTLM_NEGOTIATE_DATAGRAM_STYLE 0x0040
#define NTLM_NEGOTIATE_USE_LM 0x0080
#define NTLM_NEGOTIATE_USE_NETWARE 0x0100
#define NTLM_NEGOTIATE_USE_NTLM 0x0200
#define NTLM_NEGOTIATE_DOMAIN_SUPPLIED 0x1000
#define NTLM_NEGOTIATE_WORKSTATION_SUPPLIED 0x2000
#define NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL 0x4000
#define NTLM_NEGOTIATE_ALWAYS_SIGN 0x8000
75aa769b | 116 | |
/** Negotiation request sent by client (NTLM type 1).
 *
 * Wire layout, little-endian. The struct is larger than most real packets:
 * code that reads a received negotiate packet must bound every strhdr by
 * the number of bytes actually received, not by sizeof(ntlm_negotiate).
 */
typedef struct _ntlm_negotiate {
    ntlmhdr hdr;        /**< "NTLMSSP" , LSWAP(0x1) */
    uint32_t flags;     /**< Request flags */
    strhdr domain;      /**< Domain we wish to authenticate in */
    strhdr workstation; /**< Client workstation name */
    char payload[256];  /**< String data */
} ntlm_negotiate;
94439e4e | 125 | |
126 | /* ************************************************************************* */ |
127 | /* Challenge Packet structures and functions */ | |
128 | /* ************************************************************************* */ | |
129 | |
/* Size in bytes of the server challenge (ntlm_challenge.challenge). */
#define NTLM_NONCE_LEN 8
131 | ||
/* challenge request flags */
/* Bits of ntlm_challenge.flags describing what the target field names. */
#define NTLM_CHALLENGE_TARGET_IS_DOMAIN 0x10000
#define NTLM_CHALLENGE_TARGET_IS_SERVER 0x20000
#define NTLM_CHALLENGE_TARGET_IS_SHARE 0x40000
75aa769b | 136 | |
/** Challenge request sent by server (NTLM type 2).
 *
 * Wire layout, little-endian. The fixed part (everything before payload) is
 * what NTLM_CHALLENGE_HEADER_OFFSET measures. The challenge bytes are the
 * nonce the client must sign; see ntlm_make_nonce() for how they are produced.
 */
typedef struct _ntlm_challenge {
    ntlmhdr hdr;                      /**< "NTLMSSP" , LSWAP(0x2) */
    strhdr target;                    /**< Authentication target (domain/server ...) */
    uint32_t flags;                   /**< Request flags */
    u_char challenge[NTLM_NONCE_LEN]; /**< Challenge string (u_char is the BSD/POSIX typedef, presumably via support_endian.h) */
    uint32_t context_low;             /**< LS part of the server context handle */
    uint32_t context_high;            /**< MS part of the server context handle */
    char payload[256];                /**< String data */
} ntlm_challenge;
147 | ||
/* Size of the ntlm_challenge structures formatted fields (excluding payload) */
/* NOTE(review): the 256 here duplicates the size of ntlm_challenge.payload
 * rather than deriving it; the two must be changed together. It also assumes
 * no trailing padding after payload, which holds for the current 4-byte
 * aligned layout. */
#define NTLM_CHALLENGE_HEADER_OFFSET (sizeof(ntlm_challenge)-256)
150 | ||
/** Generate a challenge request nonce.
 * \param nonce  output buffer; no length is passed, so it presumably must
 *               hold NTLM_NONCE_LEN bytes — confirm in the implementation
 *
 * NOTE(review): the randomness source is not visible from this header. A
 * challenge that an observer can predict weakens the challenge/response
 * exchange, so the implementation should draw from a cryptographic RNG.
 */
void ntlm_make_nonce(char *nonce);
153 | ||
/** Generate a challenge request Blob to be sent to the client.
 * Will silently truncate the domain value at 2^16-1 bytes if larger.
 * \param ch                   packet to fill in
 * \param domain               domain name placed in the target field
 * \param domain_controller    name of the domain controller
 * \param challenge_nonce      nonce bytes, presumably copied into ch->challenge
 * \param challenge_nonce_len  number of bytes in challenge_nonce; how a value
 *                             other than NTLM_NONCE_LEN is handled is not
 *                             visible here — confirm
 * \param flags                flags word to place in ch->flags
 */
void ntlm_make_challenge(ntlm_challenge *ch,
                         const char *domain,
                         const char *domain_controller,
                         const char *challenge_nonce,
                         const int challenge_nonce_len,
                         const uint32_t flags);
163 | ||
164 | /* ************************************************************************* */ | |
165 | /* Authenticate Packet structures and functions */ | |
166 | /* ************************************************************************* */ | |
167 | ||
/** Authentication request sent by client in response to challenge (NTLM type 3).
 *
 * Wire layout, little-endian. Six string headers index into payload, which is
 * sized for 256 bytes per field. Every strhdr here comes from the client and
 * must be bounded by the received length before being dereferenced.
 */
typedef struct _ntlm_authenticate {
    ntlmhdr hdr;            /**< "NTLMSSP" , LSWAP(0x3) */
    strhdr lmresponse;      /**< LANMAN challenge response */
    strhdr ntresponse;      /**< NT challenge response */
    strhdr domain;          /**< Domain to authenticate against */
    strhdr user;            /**< Username */
    strhdr workstation;     /**< Workstation name */
    strhdr sessionkey;      /**< Session key for server's use */
    uint32_t flags;         /**< Request flags */
    char payload[256 * 6];  /**< String data */
} ntlm_authenticate;
180 | ||
/** Unpack username and domain out of a packet payload.
 * \param auth    received authenticate packet
 * \param user    output buffer for the username
 * \param domain  output buffer for the domain
 * \param size    NOTE(review): presumably the capacity of each output buffer
 *                (not the received packet length) — confirm, since the two
 *                bounds guard different things
 * \return NtlmError::None on success, another NtlmError on failure
 */
NtlmError ntlm_unpack_auth(const ntlm_authenticate *auth,
                           char *user,
                           char *domain,
                           const int32_t size);
94439e4e | 186 | |
ff9d9458 | 187 | #endif /* SQUID_LIB_NTLMAUTH_NTLMAUTH_H */ |
f53969cc | 188 |