lib/ntlmauth/ntlmauth.cc

   1 /*
   2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /*
  10  * Inspired by previous work by Andrew Doran <ad@interlude.eu.org>.
  11  */
  12 #include "squid.h"
  13
  14 #include <cstring>
  15 #include <random>
  16 #if HAVE_STRINGS_H
  17 #include <strings.h>
  18 #endif
  19
  20 #include "ntlmauth/ntlmauth.h"
  21 #include "util.h"       /* for base64-related stuff */
  22
  23 /* ************************************************************************* */
  24 /* DEBUG functions */
  25 /* ************************************************************************* */
  26
  27 /** Dumps NTLM flags to standard error for debugging purposes */
  28 void
  29 ntlm_dump_ntlmssp_flags(uint32_t flags)
  30 {
  31     fprintf(stderr, "flags: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
  32             (flags & NTLM_NEGOTIATE_UNICODE ? "Unicode " : ""),
  33             (flags & NTLM_NEGOTIATE_ASCII ? "ASCII " : ""),
  34             (flags & NTLM_NEGOTIATE_REQUEST_TARGET ? "ReqTgt " : ""),
  35             (flags & NTLM_NEGOTIATE_REQUEST_SIGN ? "ReqSign " : ""),
  36             (flags & NTLM_NEGOTIATE_REQUEST_SEAL ? "ReqSeal " : ""),
  37             (flags & NTLM_NEGOTIATE_DATAGRAM_STYLE ? "Dgram " : ""),
  38             (flags & NTLM_NEGOTIATE_USE_LM ? "UseLM " : ""),
  39             (flags & NTLM_NEGOTIATE_USE_NETWARE ? "UseNW " : ""),
  40             (flags & NTLM_NEGOTIATE_USE_NTLM ? "UseNTLM " : ""),
  41             (flags & NTLM_NEGOTIATE_DOMAIN_SUPPLIED ? "HaveDomain " : ""),
  42             (flags & NTLM_NEGOTIATE_WORKSTATION_SUPPLIED ? "HaveWKS " : ""),
  43             (flags & NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL ? "LocalCall " : ""),
  44             (flags & NTLM_NEGOTIATE_ALWAYS_SIGN ? "AlwaysSign " : ""),
  45             (flags & NTLM_CHALLENGE_TARGET_IS_DOMAIN ? "Tgt_is_domain" : ""),
  46             (flags & NTLM_CHALLENGE_TARGET_IS_SERVER ? "Tgt_is_server " : ""),
  47             (flags & NTLM_CHALLENGE_TARGET_IS_SHARE ? "Tgt_is_share " : ""),
  48             (flags & NTLM_REQUEST_INIT_RESPONSE ? "Req_init_response " : ""),
  49             (flags & NTLM_REQUEST_ACCEPT_RESPONSE ? "Req_accept_response " : ""),
  50             (flags & NTLM_REQUEST_NON_NT_SESSION_KEY ? "Req_nonnt_sesskey " : "")
  51            );
  52 }
  53
  54 /* ************************************************************************* */
  55 /* Packet and Payload handling functions */
  56 /* ************************************************************************* */
  57
  58 /**
  59  * Check the validity of a decoded NTLM packet.
  60  *
  61  * \retval NTLM_ERR_NONE      Packet is okay
  62  * \retval NTLM_ERR_BLOB      Packet is not even an NTLMSSP packet at all.
  63  * \retval NTLM_ERR_PROTOCOL  Packet is not the expected type.
  64  */
  65 int
  66 ntlm_validate_packet(const ntlmhdr * hdr, const int32_t type)
  67 {
  68     /*
  69      * Must be the correct security package and request type.
  70      * The 8 bytes compared includes the ASCII 'NUL'.
  71      */
  72     if (memcmp(hdr->signature, "NTLMSSP", 8) != 0) {
  73         fprintf(stderr, "ntlmCheckHeader: bad header signature\n");
  74         return NTLM_ERR_BLOB;
  75     }
  76     if (type == NTLM_ANY)
  77         return NTLM_ERR_NONE;
  78
  79     if ((int32_t)le32toh(hdr->type) != type) {
  80         /* don't report this error - it's ok as we do a if() around this function */
  81         debug("ntlm_validate_packet: type is %d, wanted %d\n", le32toh(hdr->type), type);
  82         return NTLM_ERR_PROTOCOL;
  83     }
  84     return NTLM_ERR_NONE;
  85 }
  86
  87 /**
  88  * Fetches a string from the authentication packet.
  89  * The lstring data-part may point to inside the packet itself or a temporary static buffer.
  90  * It's up to the user to memcpy() that if the value needs to
  91  * be used in any way that requires a tailing \0. (can check whether the
  92  * value is there though, in that case lstring.length == -1).
  93  *
  94  * String may be either ASCII or UNICODE depending on whether flags contains NTLM_NEGOTIATE_ASCII
  95  */
  96 lstring
  97 ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr * str, const uint32_t flags)
  98 {
  99     static char buf[NTLM_MAX_FIELD_LENGTH];
 100     lstring rv;
 101     char *d;
 102
 103     rv.str = NULL;
 104     rv.l = -1;
 105
 106     int16_t l = le16toh(str->len);
 107     int32_t o = le32toh(str->offset);
 108     // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
 109
 110     if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
 111         debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
 112         return rv;
 113     }
 114     rv.str = (char *)packet + o;
 115     rv.l = 0;
 116     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
 117         /* UNICODE string */
 118         unsigned short *s = (unsigned short *)rv.str;
 119         rv.str = d = buf;
 120
 121         for (uint32_t len = (l>>1); len; ++s, --len) {
 122             uint16_t c = le16toh(*s);
 123             if (c > 254 || c == '\0') {
 124                 fprintf(stderr, "ntlmssp: bad unicode: %04x\n", c);
 125                 return rv;
 126             }
 127             *d = static_cast<char>(c&0xFF);
 128             ++d;
 129             ++rv.l;
 130         }
 131     } else {
 132         /* ASCII/OEM string */
 133         char *sc = rv.str;
 134
 135         for (; l>=0; ++sc, --l) {
 136             if (*sc == '\0' || !xisprint(*sc)) {
 137                 fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
 138                 return rv;
 139             }
 140             ++rv.l;
 141         }
 142     }
 143
 144     return rv;
 145 }
 146
 147 /**
 148  * Adds something to the payload. The caller must guarrantee that
 149  * there is enough space in the payload string to accommodate the
 150  * added value.
 151  * payload_length and hdr will be modified as a side-effect.
 152  */
 153 void
 154 ntlm_add_to_payload(const ntlmhdr *packet_hdr,
 155                     char *payload,
 156                     int *payload_length,
 157                     strhdr * hdr,
 158                     const char *toadd,
 159                     const uint16_t toadd_length)
 160 {
 161     int l = (*payload_length);
 162     memcpy(payload + l, toadd, toadd_length);
 163
 164     hdr->len = htole16(toadd_length);
 165     hdr->maxlen = htole16(toadd_length);
 166     const off_t o = l + reinterpret_cast<const ntlmhdr *>(payload) - packet_hdr;
 167     hdr->offset = htole32(o & 0xFFFFFFFF);
 168     (*payload_length) += toadd_length;
 169 }
 170
 171 /* ************************************************************************* */
 172 /* Negotiate Packet functions */
 173 /* ************************************************************************* */
 174
 175 // ?
 176
 177 /* ************************************************************************* */
 178 /* Challenge Packet functions */
 179 /* ************************************************************************* */
 180
 181 /*
 182  * Generates a challenge request nonce.
 183  */
 184 void
 185 ntlm_make_nonce(char *nonce)
 186 {
 187     static std::mt19937 mt(time(0));
 188     static xuniform_int_distribution<uint8_t> dist;
 189
 190     for (int i = 0; i < NTLM_NONCE_LEN; ++i)
 191         nonce[i] = static_cast<char>(dist(mt) & 0xFF);
 192 }
 193
 194 /**
 195  * Prepares a challenge packet to be sent to the client
 196  * \note domain should be upper_case
 197  */
 198 void
 199 ntlm_make_challenge(ntlm_challenge *ch,
 200                     const char *domain, const char *,
 201                     const char *challenge_nonce, const int challenge_nonce_len,
 202                     const uint32_t flags)
 203 {
 204     int pl = 0;
 205     memset(ch, 0, sizeof(ntlm_challenge));  /* reset */
 206     memcpy(ch->hdr.signature, "NTLMSSP", 8);        /* set the signature */
 207     ch->hdr.type = htole32(NTLM_CHALLENGE); /* this is a challenge */
 208     if (domain != NULL) {
 209         // silently truncate the domain if it exceeds 2^16-1 bytes.
 210         // NTLM packets normally expect 2^8 bytes of domain.
 211         const uint16_t dlen = strlen(domain) & 0xFFFF;
 212         ntlm_add_to_payload(&ch->hdr, ch->payload, &pl, &ch->target, domain, dlen);
 213     }
 214     ch->flags = htole32(flags);
 215     ch->context_low = 0;        /* check this out */
 216     ch->context_high = 0;
 217     memcpy(ch->challenge, challenge_nonce, challenge_nonce_len);
 218 }
 219
 220 /* ************************************************************************* */
 221 /* Authenticate Packet functions */
 222 /* ************************************************************************* */
 223
 224 /**
 225  * Unpack the strings in an NTLM authentication response from client.
 226  * The caller is responsible for initializing the user and domain buffers
 227  * this function will only insert data if the packet contains any. Otherwise
 228  * the buffers will be left untouched.
 229  *
 230  * \retval NTLM_ERR_NONE    username present, maybe also domain.
 231  * \retval NTLM_ERR_PROTOCOL    packet type is not an authentication packet.
 232  * \retval NTLM_ERR_LOGON   no username.
 233  * \retval NTLM_ERR_BLOB    domain field is apparently larger than the packet.
 234  */
 235 int
 236 ntlm_unpack_auth(const ntlm_authenticate *auth, char *user, char *domain, const int32_t size)
 237 {
 238     lstring rv;
 239
 240     if (ntlm_validate_packet(&auth->hdr, NTLM_AUTHENTICATE)) {
 241         fprintf(stderr, "ntlm_unpack_auth: header check fails\n");
 242         return NTLM_ERR_PROTOCOL;
 243     }
 244     debug("ntlm_unpack_auth: size of %d\n", size);
 245     debug("ntlm_unpack_auth: flg %08x\n", auth->flags);
 246     debug("ntlm_unpack_auth: lmr o(%d) l(%d)\n", le32toh(auth->lmresponse.offset), auth->lmresponse.len);
 247     debug("ntlm_unpack_auth: ntr o(%d) l(%d)\n", le32toh(auth->ntresponse.offset), auth->ntresponse.len);
 248     debug("ntlm_unpack_auth: dom o(%d) l(%d)\n", le32toh(auth->domain.offset), auth->domain.len);
 249     debug("ntlm_unpack_auth: usr o(%d) l(%d)\n", le32toh(auth->user.offset), auth->user.len);
 250     debug("ntlm_unpack_auth: wst o(%d) l(%d)\n", le32toh(auth->workstation.offset), auth->workstation.len);
 251     debug("ntlm_unpack_auth: key o(%d) l(%d)\n", le32toh(auth->sessionkey.offset), auth->sessionkey.len);
 252
 253     rv = ntlm_fetch_string(&auth->hdr, size, &auth->domain, auth->flags);
 254     if (rv.l > 0) {
 255         memcpy(domain, rv.str, rv.l);
 256         domain[rv.l] = '\0';
 257         debug("ntlm_unpack_auth: Domain '%s' (len=%d).\n", domain, rv.l);
 258     }
 259     if (rv.l >= size) {
 260         debug("ntlm_unpack_auth: Domain length %d too big for %d byte packet.\n", rv.l , size);
 261         return NTLM_ERR_BLOB;
 262     }
 263
 264     rv = ntlm_fetch_string(&auth->hdr, size, &auth->user, auth->flags);
 265     if (rv.l > 0) {
 266         memcpy(user, rv.str, rv.l);
 267         user[rv.l] = '\0';
 268         debug("ntlm_unpack_auth: Username '%s' (len=%d).\n", user, rv.l);
 269     } else
 270         return NTLM_ERR_LOGON;
 271
 272     return NTLM_ERR_NONE;
 273 }
 274