2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * Inspired by previous work by Andrew Doran <ad@interlude.eu.org>.
20 #include "ntlmauth/ntlmauth.h"
21 #include "util.h" /* for base64-related stuff */
23 /* ************************************************************************* */
25 /* ************************************************************************* */
27 /** Dumps NTLM flags to standard error for debugging purposes */
29 ntlm_dump_ntlmssp_flags(uint32_t flags
)
31 fprintf(stderr
, "flags: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
32 (flags
& NTLM_NEGOTIATE_UNICODE
? "Unicode " : ""),
33 (flags
& NTLM_NEGOTIATE_ASCII
? "ASCII " : ""),
34 (flags
& NTLM_NEGOTIATE_REQUEST_TARGET
? "ReqTgt " : ""),
35 (flags
& NTLM_NEGOTIATE_REQUEST_SIGN
? "ReqSign " : ""),
36 (flags
& NTLM_NEGOTIATE_REQUEST_SEAL
? "ReqSeal " : ""),
37 (flags
& NTLM_NEGOTIATE_DATAGRAM_STYLE
? "Dgram " : ""),
38 (flags
& NTLM_NEGOTIATE_USE_LM
? "UseLM " : ""),
39 (flags
& NTLM_NEGOTIATE_USE_NETWARE
? "UseNW " : ""),
40 (flags
& NTLM_NEGOTIATE_USE_NTLM
? "UseNTLM " : ""),
41 (flags
& NTLM_NEGOTIATE_DOMAIN_SUPPLIED
? "HaveDomain " : ""),
42 (flags
& NTLM_NEGOTIATE_WORKSTATION_SUPPLIED
? "HaveWKS " : ""),
43 (flags
& NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL
? "LocalCall " : ""),
44 (flags
& NTLM_NEGOTIATE_ALWAYS_SIGN
? "AlwaysSign " : ""),
45 (flags
& NTLM_CHALLENGE_TARGET_IS_DOMAIN
? "Tgt_is_domain" : ""),
46 (flags
& NTLM_CHALLENGE_TARGET_IS_SERVER
? "Tgt_is_server " : ""),
47 (flags
& NTLM_CHALLENGE_TARGET_IS_SHARE
? "Tgt_is_share " : ""),
48 (flags
& NTLM_REQUEST_INIT_RESPONSE
? "Req_init_response " : ""),
49 (flags
& NTLM_REQUEST_ACCEPT_RESPONSE
? "Req_accept_response " : ""),
50 (flags
& NTLM_REQUEST_NON_NT_SESSION_KEY
? "Req_nonnt_sesskey " : "")
54 /* ************************************************************************* */
55 /* Packet and Payload handling functions */
56 /* ************************************************************************* */
59 * Check the validity of a decoded NTLM packet.
61 * \retval NTLM_ERR_NONE Packet is okay
62 * \retval NTLM_ERR_BLOB Packet is not even an NTLMSSP packet at all.
63 * \retval NTLM_ERR_PROTOCOL Packet is not the expected type.
66 ntlm_validate_packet(const ntlmhdr
* hdr
, const int32_t type
)
69 * Must be the correct security package and request type.
70 * The 8 bytes compared includes the ASCII 'NUL'.
72 if (memcmp(hdr
->signature
, "NTLMSSP", 8) != 0) {
73 fprintf(stderr
, "ntlmCheckHeader: bad header signature\n");
79 if ((int32_t)le32toh(hdr
->type
) != type
) {
80 /* don't report this error - it's ok as we do a if() around this function */
81 debug("ntlm_validate_packet: type is %d, wanted %d\n", le32toh(hdr
->type
), type
);
82 return NTLM_ERR_PROTOCOL
;
88 * Fetches a string from the authentication packet.
89 * The lstring data-part may point to inside the packet itself or a temporary static buffer.
90 * It's up to the user to memcpy() that if the value needs to
91 * be used in any way that requires a tailing \0. (can check whether the
92 * value is there though, in that case lstring.length == -1).
94 * String may be either ASCII or UNICODE depending on whether flags contains NTLM_NEGOTIATE_ASCII
97 ntlm_fetch_string(const ntlmhdr
*packet
, const int32_t packet_size
, const strhdr
* str
, const uint32_t flags
)
99 static char buf
[NTLM_MAX_FIELD_LENGTH
];
106 int16_t l
= le16toh(str
->len
);
107 int32_t o
= le32toh(str
->offset
);
108 // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
110 if (l
< 0 || l
> NTLM_MAX_FIELD_LENGTH
|| o
+ l
> packet_size
|| o
== 0) {
111 debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size
,l
,o
);
114 rv
.str
= (char *)packet
+ o
;
116 if ((flags
& NTLM_NEGOTIATE_ASCII
) == 0) {
118 unsigned short *s
= (unsigned short *)rv
.str
;
121 for (uint32_t len
= (l
>>1); len
; ++s
, --len
) {
122 uint16_t c
= le16toh(*s
);
123 if (c
> 254 || c
== '\0') {
124 fprintf(stderr
, "ntlmssp: bad unicode: %04x\n", c
);
127 *d
= static_cast<char>(c
&0xFF);
132 /* ASCII/OEM string */
135 for (; l
>=0; ++sc
, --l
) {
136 if (*sc
== '\0' || !xisprint(*sc
)) {
137 fprintf(stderr
, "ntlmssp: bad ascii: %04x\n", *sc
);
148 * Adds something to the payload. The caller must guarrantee that
149 * there is enough space in the payload string to accommodate the
151 * payload_length and hdr will be modified as a side-effect.
154 ntlm_add_to_payload(const ntlmhdr
*packet_hdr
,
159 const uint16_t toadd_length
)
161 int l
= (*payload_length
);
162 memcpy(payload
+ l
, toadd
, toadd_length
);
164 hdr
->len
= htole16(toadd_length
);
165 hdr
->maxlen
= htole16(toadd_length
);
166 const off_t o
= l
+ reinterpret_cast<const ntlmhdr
*>(payload
) - packet_hdr
;
167 hdr
->offset
= htole32(o
& 0xFFFFFFFF);
168 (*payload_length
) += toadd_length
;
171 /* ************************************************************************* */
172 /* Negotiate Packet functions */
173 /* ************************************************************************* */
177 /* ************************************************************************* */
178 /* Challenge Packet functions */
179 /* ************************************************************************* */
182 * Generates a challenge request nonce.
185 ntlm_make_nonce(char *nonce
)
187 static std::mt19937
mt(time(0));
188 static xuniform_int_distribution
<uint8_t> dist
;
190 for (int i
= 0; i
< NTLM_NONCE_LEN
; ++i
)
191 nonce
[i
] = static_cast<char>(dist(mt
) & 0xFF);
195 * Prepares a challenge packet to be sent to the client
196 * \note domain should be upper_case
199 ntlm_make_challenge(ntlm_challenge
*ch
,
200 const char *domain
, const char *,
201 const char *challenge_nonce
, const int challenge_nonce_len
,
202 const uint32_t flags
)
205 memset(ch
, 0, sizeof(ntlm_challenge
)); /* reset */
206 memcpy(ch
->hdr
.signature
, "NTLMSSP", 8); /* set the signature */
207 ch
->hdr
.type
= htole32(NTLM_CHALLENGE
); /* this is a challenge */
208 if (domain
!= NULL
) {
209 // silently truncate the domain if it exceeds 2^16-1 bytes.
210 // NTLM packets normally expect 2^8 bytes of domain.
211 const uint16_t dlen
= strlen(domain
) & 0xFFFF;
212 ntlm_add_to_payload(&ch
->hdr
, ch
->payload
, &pl
, &ch
->target
, domain
, dlen
);
214 ch
->flags
= htole32(flags
);
215 ch
->context_low
= 0; /* check this out */
216 ch
->context_high
= 0;
217 memcpy(ch
->challenge
, challenge_nonce
, challenge_nonce_len
);
220 /* ************************************************************************* */
221 /* Authenticate Packet functions */
222 /* ************************************************************************* */
225 * Unpack the strings in an NTLM authentication response from client.
226 * The caller is responsible for initializing the user and domain buffers
227 * this function will only insert data if the packet contains any. Otherwise
228 * the buffers will be left untouched.
230 * \retval NTLM_ERR_NONE username present, maybe also domain.
231 * \retval NTLM_ERR_PROTOCOL packet type is not an authentication packet.
232 * \retval NTLM_ERR_LOGON no username.
233 * \retval NTLM_ERR_BLOB domain field is apparently larger than the packet.
236 ntlm_unpack_auth(const ntlm_authenticate
*auth
, char *user
, char *domain
, const int32_t size
)
240 if (ntlm_validate_packet(&auth
->hdr
, NTLM_AUTHENTICATE
)) {
241 fprintf(stderr
, "ntlm_unpack_auth: header check fails\n");
242 return NTLM_ERR_PROTOCOL
;
244 debug("ntlm_unpack_auth: size of %d\n", size
);
245 debug("ntlm_unpack_auth: flg %08x\n", auth
->flags
);
246 debug("ntlm_unpack_auth: lmr o(%d) l(%d)\n", le32toh(auth
->lmresponse
.offset
), auth
->lmresponse
.len
);
247 debug("ntlm_unpack_auth: ntr o(%d) l(%d)\n", le32toh(auth
->ntresponse
.offset
), auth
->ntresponse
.len
);
248 debug("ntlm_unpack_auth: dom o(%d) l(%d)\n", le32toh(auth
->domain
.offset
), auth
->domain
.len
);
249 debug("ntlm_unpack_auth: usr o(%d) l(%d)\n", le32toh(auth
->user
.offset
), auth
->user
.len
);
250 debug("ntlm_unpack_auth: wst o(%d) l(%d)\n", le32toh(auth
->workstation
.offset
), auth
->workstation
.len
);
251 debug("ntlm_unpack_auth: key o(%d) l(%d)\n", le32toh(auth
->sessionkey
.offset
), auth
->sessionkey
.len
);
253 rv
= ntlm_fetch_string(&auth
->hdr
, size
, &auth
->domain
, auth
->flags
);
255 memcpy(domain
, rv
.str
, rv
.l
);
257 debug("ntlm_unpack_auth: Domain '%s' (len=%d).\n", domain
, rv
.l
);
260 debug("ntlm_unpack_auth: Domain length %d too big for %d byte packet.\n", rv
.l
, size
);
261 return NTLM_ERR_BLOB
;
264 rv
= ntlm_fetch_string(&auth
->hdr
, size
, &auth
->user
, auth
->flags
);
266 memcpy(user
, rv
.str
, rv
.l
);
268 debug("ntlm_unpack_auth: Username '%s' (len=%d).\n", user
, rv
.l
);
270 return NTLM_ERR_LOGON
;
272 return NTLM_ERR_NONE
;