[thirdparty/squid.git] / lib / ntlmauth / ntlmauth.h

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_LIB_NTLMAUTH_NTLMAUTH_H
#define SQUID_LIB_NTLMAUTH_NTLMAUTH_H

/* NP: All of this cruft is little endian */
/* Endian functions are usually handled by the OS but not always. */
#include "ntlmauth/support_endian.h"

/* Used internally. Microsoft seems to think this is right, I believe them.
 * Right. */
#define NTLM_MAX_FIELD_LENGTH 300   /* max length of an NTLMSSP field */

/* max length of the BLOB data. (and helper input/output buffer) */
#define NTLM_BLOB_BUFFER_SIZE 10240

/* Here start the NTLMSSP definitions */

/* these are marked as "extra" fields */
#define NTLM_REQUEST_INIT_RESPONSE          0x100000
#define NTLM_REQUEST_ACCEPT_RESPONSE        0x200000
#define NTLM_REQUEST_NON_NT_SESSION_KEY     0x400000

/* NTLM error codes */
enum class NtlmError
{
    None = 0,
    ServerError,
    ProtocolError,
    LoginEror,
    UntrustedDomain,
    NotConnected,
    SspiError,
    BadNtGroup,
    BadRequest,
    InternalError,
    BlobError,
    BadProtocol
};

/** String header. String data resides at the end of the request */
typedef struct _strhdr {
    int16_t len;        /**< Length in bytes */
    int16_t maxlen;     /**< Allocated space in bytes */
    int32_t offset;     /**< Offset from start of request */
} strhdr;

/** We use this to keep data/length couples. */
typedef struct _lstring {
    int32_t l;          /**< length, -1 if empty */
    char *str;          /**< the string. NULL if not initialized */
} lstring;

/** Debug dump the given flags field to stderr */
void ntlm_dump_ntlmssp_flags(const uint32_t flags);

/* ************************************************************************* */
/* Packet and Payload structures and handling functions */
/* ************************************************************************* */

/* NTLM request types that we know about */
#define NTLM_ANY            0
#define NTLM_NEGOTIATE          1
#define NTLM_CHALLENGE          2
#define NTLM_AUTHENTICATE       3

/** This is an header common to all packets, it's used to discriminate
 * among the different packet signature types.
 */
typedef struct _ntlmhdr {
    char signature[8];      /**< "NTLMSSP" */
    int32_t type;       /**< One of the NTLM_* types above. */
} ntlmhdr;

/** Validate the packet type matches one we want. */
NtlmError ntlm_validate_packet(const ntlmhdr *packet, const int32_t type);

/** Retrieve a string from the NTLM packet payload. */
lstring ntlm_fetch_string(const ntlmhdr *packet,
                          const int32_t packet_length,
                          const strhdr *str,
                          const uint32_t flags);

/** Append a string to the NTLM packet payload. */
void ntlm_add_to_payload(const ntlmhdr *packet_hdr,
                         char *payload,
                         int *payload_length,
                         strhdr * hdr,
                         const char *toadd,
                         const uint16_t toadd_length);

/* ************************************************************************* */
/* Negotiate Packet structures and functions */
/* ************************************************************************* */

/* negotiate request flags */
#define NTLM_NEGOTIATE_UNICODE              0x0001
#define NTLM_NEGOTIATE_ASCII                0x0002
#define NTLM_NEGOTIATE_REQUEST_TARGET       0x0004
#define NTLM_NEGOTIATE_REQUEST_SIGN         0x0010
#define NTLM_NEGOTIATE_REQUEST_SEAL         0x0020
#define NTLM_NEGOTIATE_DATAGRAM_STYLE       0x0040
#define NTLM_NEGOTIATE_USE_LM               0x0080
#define NTLM_NEGOTIATE_USE_NETWARE          0x0100
#define NTLM_NEGOTIATE_USE_NTLM             0x0200
#define NTLM_NEGOTIATE_DOMAIN_SUPPLIED      0x1000
#define NTLM_NEGOTIATE_WORKSTATION_SUPPLIED 0x2000
#define NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL   0x4000
#define NTLM_NEGOTIATE_ALWAYS_SIGN          0x8000

/** Negotiation request sent by client */
typedef struct _ntlm_negotiate {
    ntlmhdr hdr;        /**< "NTLMSSP" , LSWAP(0x1) */
    uint32_t flags; /**< Request flags */
    strhdr domain;      /**< Domain we wish to authenticate in */
    strhdr workstation; /**< Client workstation name */
    char payload[256];  /**< String data */
} ntlm_negotiate;

/* ************************************************************************* */
/* Challenge Packet structures and functions */
/* ************************************************************************* */

#define NTLM_NONCE_LEN 8

/* challenge request flags */
#define NTLM_CHALLENGE_TARGET_IS_DOMAIN     0x10000
#define NTLM_CHALLENGE_TARGET_IS_SERVER     0x20000
#define NTLM_CHALLENGE_TARGET_IS_SHARE      0x40000

/** Challenge request sent by server. */
typedef struct _ntlm_challenge {
    ntlmhdr hdr;        /**< "NTLMSSP" , LSWAP(0x2) */
    strhdr target;      /**< Authentication target (domain/server ...) */
    uint32_t flags;     /**< Request flags */
    u_char challenge[NTLM_NONCE_LEN];   /**< Challenge string */
    uint32_t context_low;   /**< LS part of the server context handle */
    uint32_t context_high;  /**< MS part of the server context handle */
    char payload[256];      /**< String data */
} ntlm_challenge;

/* Size of the ntlm_challenge structures formatted fields (excluding payload) */
#define NTLM_CHALLENGE_HEADER_OFFSET    (sizeof(ntlm_challenge)-256)

/** Generate a challenge request nonce. */
void ntlm_make_nonce(char *nonce);

/** Generate a challenge request Blob to be sent to the client.
 * Will silently truncate the domain value at 2^16-1 bytes if larger.
 */
void ntlm_make_challenge(ntlm_challenge *ch,
                         const char *domain,
                         const char *domain_controller,
                         const char *challenge_nonce,
                         const int challenge_nonce_len,
                         const uint32_t flags);

/* ************************************************************************* */
/* Authenticate Packet structures and functions */
/* ************************************************************************* */

/** Authentication request sent by client in response to challenge */
typedef struct _ntlm_authenticate {
    ntlmhdr hdr;        /**< "NTLMSSP" , LSWAP(0x3) */
    strhdr lmresponse;      /**< LANMAN challenge response */
    strhdr ntresponse;      /**< NT challenge response */
    strhdr domain;      /**< Domain to authenticate against */
    strhdr user;        /**< Username */
    strhdr workstation;     /**< Workstation name */
    strhdr sessionkey;      /**< Session key for server's use */
    uint32_t flags;     /**< Request flags */
    char payload[256 * 6];  /**< String data */
} ntlm_authenticate;

/** Unpack username and domain out of a packet payload. */
NtlmError ntlm_unpack_auth(const ntlm_authenticate *auth,
                           char *user,
                           char *domain,
                           const int32_t size);

#endif /* SQUID_LIB_NTLMAUTH_NTLMAUTH_H */
Commit	Line	Data
94439e4e	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
94439e4e	3	*
9c89cd13 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
94439e4e	7	*/
94439e4e	8
ff9d9458 FC	9	#ifndef SQUID_LIB_NTLMAUTH_NTLMAUTH_H
ff9d9458 FC	10	#define SQUID_LIB_NTLMAUTH_NTLMAUTH_H
94439e4e	11
dac46b89	12	/* NP: All of this cruft is little endian */
2f8abb64	13	/* Endian functions are usually handled by the OS but not always. */
5fc112ea	14	#include "ntlmauth/support_endian.h"
77d6bd88	15
f53969cc SM	16	/* Used internally. Microsoft seems to think this is right, I believe them.
	17	* Right. */
	18	#define NTLM_MAX_FIELD_LENGTH 300 /* max length of an NTLMSSP field */
94439e4e	19
f53969cc	20	/* max length of the BLOB data. (and helper input/output buffer) */
1dcf61eb	21	#define NTLM_BLOB_BUFFER_SIZE 10240
94439e4e	22
f53969cc	23	/* Here start the NTLMSSP definitions */
94439e4e	24
f53969cc	25	/* these are marked as "extra" fields */
1dcf61eb AJ	26	#define NTLM_REQUEST_INIT_RESPONSE 0x100000
	27	#define NTLM_REQUEST_ACCEPT_RESPONSE 0x200000
	28	#define NTLM_REQUEST_NON_NT_SESSION_KEY 0x400000
	29
f53969cc	30	/* NTLM error codes */
1e37143c FC	31	enum class NtlmError
	32	{
	33	None = 0,
	34	ServerError,
	35	ProtocolError,
	36	LoginEror,
	37	UntrustedDomain,
	38	NotConnected,
	39	SspiError,
	40	BadNtGroup,
	41	BadRequest,
	42	InternalError,
	43	BlobError,
	44	BadProtocol
	45	};
f53969cc SM	46
	47	/** String header. String data resides at the end of the request */
	48	typedef struct _strhdr {
	49	int16_t len; /*< Length in bytes /
	50	int16_t maxlen; /*< Allocated space in bytes /
	51	int32_t offset; /*< Offset from start of request /
	52	} strhdr;
	53
	54	/** We use this to keep data/length couples. */
	55	typedef struct _lstring {
	56	int32_t l; /*< length, -1 if empty /
	57	char str; /< the string. NULL if not initialized /
	58	} lstring;
	59
	60	/** Debug dump the given flags field to stderr */
	61	void ntlm_dump_ntlmssp_flags(const uint32_t flags);
	62
	63	/* ************************************************************************* */
	64	/* Packet and Payload structures and handling functions */
	65	/* ************************************************************************* */
	66
	67	/* NTLM request types that we know about */
	68	#define NTLM_ANY 0
	69	#define NTLM_NEGOTIATE 1
	70	#define NTLM_CHALLENGE 2
	71	#define NTLM_AUTHENTICATE 3
	72
	73	/** This is an header common to all packets, it's used to discriminate
	74	* among the different packet signature types.
	75	*/
	76	typedef struct _ntlmhdr {
	77	char signature[8]; /*< "NTLMSSP" /
	78	int32_t type; /*< One of the NTLM_ types above. */
	79	} ntlmhdr;
	80
	81	/** Validate the packet type matches one we want. */
1e37143c	82	NtlmError ntlm_validate_packet(const ntlmhdr *packet, const int32_t type);
f53969cc SM	83
	84	/** Retrieve a string from the NTLM packet payload. */
	85	lstring ntlm_fetch_string(const ntlmhdr *packet,
	86	const int32_t packet_length,
	87	const strhdr *str,
	88	const uint32_t flags);
	89
	90	/** Append a string to the NTLM packet payload. */
	91	void ntlm_add_to_payload(const ntlmhdr *packet_hdr,
	92	char *payload,
	93	int *payload_length,
	94	strhdr * hdr,
	95	const char *toadd,
	96	const uint16_t toadd_length);
	97
	98	/* ************************************************************************* */
	99	/* Negotiate Packet structures and functions */
	100	/* ************************************************************************* */
	101
	102	/* negotiate request flags */
1dcf61eb AJ	103	#define NTLM_NEGOTIATE_UNICODE 0x0001
	104	#define NTLM_NEGOTIATE_ASCII 0x0002
	105	#define NTLM_NEGOTIATE_REQUEST_TARGET 0x0004
	106	#define NTLM_NEGOTIATE_REQUEST_SIGN 0x0010
	107	#define NTLM_NEGOTIATE_REQUEST_SEAL 0x0020
	108	#define NTLM_NEGOTIATE_DATAGRAM_STYLE 0x0040
	109	#define NTLM_NEGOTIATE_USE_LM 0x0080
	110	#define NTLM_NEGOTIATE_USE_NETWARE 0x0100
	111	#define NTLM_NEGOTIATE_USE_NTLM 0x0200
	112	#define NTLM_NEGOTIATE_DOMAIN_SUPPLIED 0x1000
	113	#define NTLM_NEGOTIATE_WORKSTATION_SUPPLIED 0x2000
	114	#define NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL 0x4000
	115	#define NTLM_NEGOTIATE_ALWAYS_SIGN 0x8000
75aa769b	116
f53969cc SM	117	/** Negotiation request sent by client */
	118	typedef struct _ntlm_negotiate {
	119	ntlmhdr hdr; /*< "NTLMSSP" , LSWAP(0x1) /
	120	uint32_t flags; /*< Request flags /
	121	strhdr domain; /*< Domain we wish to authenticate in /
	122	strhdr workstation; /*< Client workstation name /
	123	char payload[256]; /*< String data /
	124	} ntlm_negotiate;
94439e4e	125
f53969cc SM	126	/* ************************************************************************* */
	127	/* Challenge Packet structures and functions */
	128	/* ************************************************************************* */
75aa769b AJ	129
	130	#define NTLM_NONCE_LEN 8
	131
f53969cc	132	/* challenge request flags */
1dcf61eb AJ	133	#define NTLM_CHALLENGE_TARGET_IS_DOMAIN 0x10000
	134	#define NTLM_CHALLENGE_TARGET_IS_SERVER 0x20000
	135	#define NTLM_CHALLENGE_TARGET_IS_SHARE 0x40000
75aa769b	136
f53969cc SM	137	/** Challenge request sent by server. */
	138	typedef struct _ntlm_challenge {
	139	ntlmhdr hdr; /*< "NTLMSSP" , LSWAP(0x2) /
	140	strhdr target; /*< Authentication target (domain/server ...) /
	141	uint32_t flags; /*< Request flags /
	142	u_char challenge[NTLM_NONCE_LEN]; /*< Challenge string /
	143	uint32_t context_low; /*< LS part of the server context handle /
	144	uint32_t context_high; /*< MS part of the server context handle /
	145	char payload[256]; /*< String data /
	146	} ntlm_challenge;
	147
	148	/* Size of the ntlm_challenge structures formatted fields (excluding payload) */
	149	#define NTLM_CHALLENGE_HEADER_OFFSET (sizeof(ntlm_challenge)-256)
	150
	151	/** Generate a challenge request nonce. */
	152	void ntlm_make_nonce(char *nonce);
	153
	154	/** Generate a challenge request Blob to be sent to the client.
	155	* Will silently truncate the domain value at 2^16-1 bytes if larger.
	156	*/
	157	void ntlm_make_challenge(ntlm_challenge *ch,
	158	const char *domain,
	159	const char *domain_controller,
	160	const char *challenge_nonce,
	161	const int challenge_nonce_len,
	162	const uint32_t flags);
	163
	164	/* ************************************************************************* */
	165	/* Authenticate Packet structures and functions */
	166	/* ************************************************************************* */
	167
	168	/** Authentication request sent by client in response to challenge */
	169	typedef struct _ntlm_authenticate {
	170	ntlmhdr hdr; /*< "NTLMSSP" , LSWAP(0x3) /
	171	strhdr lmresponse; /*< LANMAN challenge response /
	172	strhdr ntresponse; /*< NT challenge response /
	173	strhdr domain; /*< Domain to authenticate against /
	174	strhdr user; /*< Username /
	175	strhdr workstation; /*< Workstation name /
	176	strhdr sessionkey; /*< Session key for server's use /
	177	uint32_t flags; /*< Request flags /
	178	char payload[256 * 6]; /*< String data /
	179	} ntlm_authenticate;
	180
	181	/** Unpack username and domain out of a packet payload. */
1e37143c FC	182	NtlmError ntlm_unpack_auth(const ntlm_authenticate *auth,
	183	char *user,
	184	char *domain,
	185	const int32_t size);
94439e4e	186
ff9d9458	187	#endif /* SQUID_LIB_NTLMAUTH_NTLMAUTH_H */
f53969cc	188