lib/ntlmauth/ntlmauth.cc

   1 /*
   2  * $Id$
   3  *
   4  * AUTHOR: Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it>
   5  * AUTHOR: Guido Serassio: <guido.serassio@acmeconsulting.it>
   6  * AUTHOR: Amos Jeffries <squid3@treenet.co.nz>
   7  *
   8  * * * * * * * * Legal stuff * * * * * * *
   9  *
  10  * (C) 2000 Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it>,
  11  *   inspired by previous work by Andrew Doran <ad@interlude.eu.org>.
  12  * This program is free software; you can redistribute it and/or modify
  13  * it under the terms of the GNU General Public License as published by
  14  * the Free Software Foundation; either version 2 of the License, or
  15  * (at your option) any later version.
  16  *
  17  * This program is distributed in the hope that it will be useful,
  18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  20  * GNU General Public License for more details.
  21  *
  22  * You should have received a copy of the GNU General Public License
  23  * along with this program; if not, write to the Free Software
  24  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  25  *
  26  */
  27
  28 #include "config.h"
  29
  30 #if HAVE_STRING_H
  31 #include <string.h>
  32 #endif
  33 #if HAVE_STRINGS_H
  34 #include <strings.h>
  35 #endif
  36
  37 #include "ntlmauth/ntlmauth.h"
  38 #include "util.h"               /* for base64-related stuff */
  39
  40 /* ************************************************************************* */
  41 /* DEBUG functions */
  42 /* ************************************************************************* */
  43
  44 /** Dumps NTLM flags to standard error for debugging purposes */
  45 void
  46 ntlm_dump_ntlmssp_flags(uint32_t flags)
  47 {
  48     fprintf(stderr, "flags: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
  49             (flags & NTLM_NEGOTIATE_UNICODE ? "Unicode " : ""),
  50             (flags & NTLM_NEGOTIATE_ASCII ? "ASCII " : ""),
  51             (flags & NTLM_NEGOTIATE_REQUEST_TARGET ? "ReqTgt " : ""),
  52             (flags & NTLM_NEGOTIATE_REQUEST_SIGN ? "ReqSign " : ""),
  53             (flags & NTLM_NEGOTIATE_REQUEST_SEAL ? "ReqSeal " : ""),
  54             (flags & NTLM_NEGOTIATE_DATAGRAM_STYLE ? "Dgram " : ""),
  55             (flags & NTLM_NEGOTIATE_USE_LM ? "UseLM " : ""),
  56             (flags & NTLM_NEGOTIATE_USE_NETWARE ? "UseNW " : ""),
  57             (flags & NTLM_NEGOTIATE_USE_NTLM ? "UseNTLM " : ""),
  58             (flags & NTLM_NEGOTIATE_DOMAIN_SUPPLIED ? "HaveDomain " : ""),
  59             (flags & NTLM_NEGOTIATE_WORKSTATION_SUPPLIED ? "HaveWKS " : ""),
  60             (flags & NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL ? "LocalCall " : ""),
  61             (flags & NTLM_NEGOTIATE_ALWAYS_SIGN ? "AlwaysSign " : ""),
  62             (flags & NTLM_CHALLENGE_TARGET_IS_DOMAIN ? "Tgt_is_domain" : ""),
  63             (flags & NTLM_CHALLENGE_TARGET_IS_SERVER ? "Tgt_is_server " : ""),
  64             (flags & NTLM_CHALLENGE_TARGET_IS_SHARE ? "Tgt_is_share " : ""),
  65             (flags & NTLM_REQUEST_INIT_RESPONSE ? "Req_init_response " : ""),
  66             (flags & NTLM_REQUEST_ACCEPT_RESPONSE ? "Req_accept_response " : ""),
  67             (flags & NTLM_REQUEST_NON_NT_SESSION_KEY ? "Req_nonnt_sesskey " : "")
  68            );
  69 }
  70
  71 /* ************************************************************************* */
  72 /* Packet and Payload handling functions */
  73 /* ************************************************************************* */
  74
  75 /**
  76  * Check the validity of a decoded NTLM packet.
  77  *
  78  * \retval NTLM_ERR_NONE      Packet is okay
  79  * \retval NTLM_ERR_BLOB      Packet is not even an NTLMSSP packet at all.
  80  * \retval NTLM_ERR_PROTOCOL  Packet is not the expected type.
  81  */
  82 int
  83 ntlm_validate_packet(const ntlmhdr * hdr, const int32_t type)
  84 {
  85     /*
  86      * Must be the correct security package and request type.
  87      * The 8 bytes compared includes the ASCII 'NUL'.
  88      */
  89     if (memcmp(hdr->signature, "NTLMSSP", 8) != 0) {
  90         fprintf(stderr, "ntlmCheckHeader: bad header signature\n");
  91         return NTLM_ERR_BLOB;
  92     }
  93     if (type == NTLM_ANY)
  94         return NTLM_ERR_NONE;
  95
  96     if ((int32_t)le32toh(hdr->type) != type) {
  97         /* don't report this error - it's ok as we do a if() around this function */
  98 //      fprintf(stderr, "ntlmCheckHeader: type is %d, wanted %d\n", le32toh(hdr->type), type);
  99         return NTLM_ERR_PROTOCOL;
 100     }
 101     return NTLM_ERR_NONE;
 102 }
 103
 104 #define lstring_zero(s) s.str=NULL; s.l=-1;
 105
 106 /**
 107  * Fetches a string from the authentication packet.
 108  * The lstring data-part may point to inside the packet itself or a temporary static buffer.
 109  * It's up to the user to memcpy() that if the value needs to
 110  * be used in any way that requires a tailing \0. (can check whether the
 111  * value is there though, in that case lstring.length == -1).
 112  *
 113  * String may be either ASCII or UNICODE depending on whether flags contains NTLM_NEGOTIATE_ASCII
 114  */
 115 lstring
 116 ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr * str, const uint32_t flags)
 117 {
 118     int16_t l;                  /* length */
 119     int32_t o;                  /* offset */
 120     static char buf[NTLM_MAX_FIELD_LENGTH];
 121     lstring rv;
 122     unsigned short *s, c;
 123     char *d, *sc;
 124
 125     lstring_zero(rv);
 126
 127     l = le16toh(str->len);
 128     o = le32toh(str->offset);
 129     /* debug("fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); */
 130
 131     if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
 132         /* debug("ntlmssp: insane data (l: %d, o: %d)\n", l,o); */
 133         return rv;
 134     }
 135     rv.str = (char *)packet + o;
 136     if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
 137         /* UNICODE string */
 138         s = (unsigned short *) ((char *) packet + o);
 139         rv.str = d = buf;
 140
 141         for (l >>= 1; l; s++, l--) {
 142             c = le16toh(*s);
 143             if (c > 254 || c == '\0') {
 144                 fprintf(stderr, "ntlmssp: bad unicode: %04x\n", c);
 145                 return rv;
 146             }
 147             *d++ = c;
 148             rv.l++;
 149         }
 150     } else {
 151         /* ASCII/OEM string */
 152         sc = (char *) packet + o;
 153
 154         for (; l; l--) {
 155             if (*sc == '\0' || !xisprint(*sc)) {
 156                 fprintf(stderr, "ntlmssp: bad ascii: %04x\n", *sc);
 157                 return rv;
 158             }
 159             rv.l++;
 160         }
 161     }
 162
 163     return rv;
 164 }
 165
 166 /**
 167  * Adds something to the payload. The caller must guarrantee that
 168  * there is enough space in the payload string to accommodate the
 169  * added value.
 170  * payload_length and hdr will be modified as a side-effect.
 171  */
 172 void
 173 ntlm_add_to_payload(const ntlmhdr *packet_hdr,
 174                     char *payload,
 175                     int *payload_length,
 176                     strhdr * hdr,
 177                     const char *toadd,
 178                     const int toadd_length)
 179 {
 180     int l = (*payload_length);
 181     memcpy(payload + l, toadd, toadd_length);
 182
 183     hdr->len = htole16(toadd_length);
 184     hdr->maxlen = htole16(toadd_length);
 185     hdr->offset = htole32(l + payload - (char*)packet_hdr);
 186     (*payload_length) += toadd_length;
 187 }
 188
 189
 190 /* ************************************************************************* */
 191 /* Negotiate Packet functions */
 192 /* ************************************************************************* */
 193
 194 // ?
 195
 196
 197 /* ************************************************************************* */
 198 /* Challenge Packet functions */
 199 /* ************************************************************************* */
 200
 201 /*
 202  * Generates a challenge request nonce. The randomness of the 8 byte
 203  * challenge strings can be guarenteed to be poor at best.
 204  */
 205 void
 206 ntlm_make_nonce(char *nonce)
 207 {
 208     static unsigned hash;
 209     int i;
 210     int r = (int) rand();
 211     r = (hash ^ r) + r;
 212
 213     for (i = 0; i < NTLM_NONCE_LEN; i++) {
 214         nonce[i] = r;
 215         r = (r >> 2) ^ r;
 216     }
 217     hash = r;
 218 }
 219
 220 /**
 221  * Prepares a challenge packet to be sent to the client
 222  * \note domain should be upper_case
 223  */
 224 void
 225 ntlm_make_challenge(ntlm_challenge *ch,
 226                     const char *domain, const char *domain_controller_UNUSED,
 227                     const char *challenge_nonce, const int challenge_nonce_len,
 228                     const uint32_t flags)
 229 {
 230     int pl = 0;
 231     memset(ch, 0, sizeof(ntlm_challenge));      /* reset */
 232     memcpy(ch->hdr.signature, "NTLMSSP", 8);            /* set the signature */
 233     ch->hdr.type = htole32(NTLM_CHALLENGE);     /* this is a challenge */
 234     if (domain != NULL) {
 235         ntlm_add_to_payload(&ch->hdr, ch->payload, &pl, &ch->target, domain, strlen(domain));
 236     }
 237     ch->flags = htole32(flags);
 238     ch->context_low = 0;                /* check this out */
 239     ch->context_high = 0;
 240     memcpy(ch->challenge, challenge_nonce, challenge_nonce_len);
 241 }
 242
 243 /* ************************************************************************* */
 244 /* Authenticate Packet functions */
 245 /* ************************************************************************* */
 246
 247 /**
 248  * Unpack the strings in an NTLM authentication response from client.
 249  * The caller is responsible for initializing the user and domain buffers
 250  * this function will only insert data if the packet contains any. Otherwise
 251  * the buffers will be left untouched.
 252  *
 253  * \retval NTLM_ERR_NONE        username present, maybe also domain.
 254  * \retval NTLM_ERR_PROTOCOL    packet type is not an authentication packet.
 255  * \retval NTLM_ERR_LOGON       no username.
 256  * \retval NTLM_ERR_BLOB        domain field is apparently larger than the packet.
 257  */
 258 int
 259 ntlm_unpack_auth(const ntlm_authenticate *auth, char *user, char *domain, const int32_t size)
 260 {
 261     lstring rv;
 262
 263     if (ntlm_validate_packet(&auth->hdr, NTLM_AUTHENTICATE)) {
 264         fprintf(stderr, "ntlmDecodeAuth: header check fails\n");
 265         return NTLM_ERR_PROTOCOL;
 266     }
 267     debug("ntlmDecodeAuth: size of %d\n", size);
 268     debug("ntlmDecodeAuth: flg %08x\n", auth->flags);
 269     debug("ntlmDecodeAuth: usr o(%d) l(%d)\n", auth->user.offset, auth->user.len);
 270
 271     rv = ntlm_fetch_string(&auth->hdr, size, &auth->domain, auth->flags);
 272     if (rv.l > 0) {
 273         memcpy(rv.str, domain, rv.l);
 274         domain[rv.l] = '\0';
 275         debug("ntlm_unpack_auth: Domain '%s'.\n", domain);
 276     }
 277     if (rv.l >= size)
 278         return NTLM_ERR_BLOB;
 279
 280     rv = ntlm_fetch_string(&auth->hdr, size, &auth->user, auth->flags);
 281     if (rv.l > 0) {
 282         memcpy(rv.str, user, rv.l);
 283         user[rv.l] = '\0';
 284         debug("ntlm_unpack_auth: Username '%s'.\n", user);
 285     } else
 286         return NTLM_ERR_LOGON;
 287
 288     return NTLM_ERR_NONE;
 289 }