70
81
memcpy (result, md, 16);
85
gen_hmac_md5 (const char* data, int data_len, const char* key, int key_len,char *result)
90
HMAC_Init (&c, key, key_len, EVP_md5());
91
HMAC_Update (&c, data, data_len);
92
HMAC_Final (&c, result, &len);
97
gen_timestamp (unsigned char *timestamp)
99
/* Copies 8 bytes long timestamp into "timestamp" buffer.
100
* Timestamp is Little-endian, 64-bit signed value representing the number of tenths of a microsecond since January 1, 1601.
103
UINTEGER64 timestamp_ull;
105
timestamp_ull = openvpn_time(NULL);
106
timestamp_ull = (timestamp_ull + UINT64(11644473600)) * UINT64(10000000);
108
/* store little endian value */
109
timestamp[0]= timestamp_ull & UINT64(0xFF);
110
timestamp[1]= (timestamp_ull >> 8) & UINT64(0xFF);
111
timestamp[2]= (timestamp_ull >> 16) & UINT64(0xFF);
112
timestamp[3]= (timestamp_ull >> 24) & UINT64(0xFF);
113
timestamp[4]= (timestamp_ull >> 32) & UINT64(0xFF);
114
timestamp[5]= (timestamp_ull >> 40) & UINT64(0xFF);
115
timestamp[6]= (timestamp_ull >> 48) & UINT64(0xFF);
116
timestamp[7]= (timestamp_ull >> 56) & UINT64(0xFF);
120
gen_nonce (unsigned char *nonce)
122
/* Generates 8 random bytes to be used as client nonce */
126
nonce[i] = (unsigned char)get_random();
130
unsigned char *my_strupr(unsigned char *str)
132
/* converts string to uppercase in place */
133
unsigned char *tmp = str;;
135
do *str = toupper(*str); while (*(++str));
74
140
unicodize (char *dst, const char *src)
106
184
ntlm_phase_3 (const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc)
188
* http://davenport.sourceforge.net/ntlm.html
108
192
char pwbuf[sizeof (p->up.password) * 2]; /* for unicode password */
109
193
char buf2[128]; /* decoded reply from proxy */
194
unsigned char phase3[464];
112
196
char md4_hash[21];
113
char challenge[8], response[24];
114
int i, ret_val, buflen;
197
char challenge[8], ntlm_response[24];
115
199
des_cblock key1, key2, key3;
116
200
des_key_schedule sched1, sched2, sched3;
118
/* try a minimal NTLM handshake
120
* http://davenport.sourceforge.net/ntlm.html
202
char ntlmv2_response[144];
203
char userdomain_u[256]; /* for uppercase unicode username and domain */
204
char userdomain[128]; /* the same as previous but ascii */
205
char ntlmv2_hash[16];
206
char ntlmv2_hmacmd5[16];
207
char *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
208
int ntlmv2_blob_size=0;
209
int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */
216
bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2);
123
218
ASSERT (strlen (p->up.username) > 0);
124
219
ASSERT (strlen (p->up.password) > 0);
221
/* username parsing */
222
separator = strchr(p->up.username, '\\');
223
if (separator == NULL) {
224
strncpy(username, p->up.username, sizeof(username)-1);
225
username[sizeof(username)-1]=0;
228
strncpy(username, separator+1, sizeof(username)-1);
229
username[sizeof(username)-1]=0;
230
len = separator - p->up.username;
231
if (len > sizeof(domain) - 1) len = sizeof(domain) - 1;
232
strncpy(domain, p->up.username, len);
126
237
/* fill 1st 16 bytes with md4 hash, disregard terminating null */
127
238
gen_md4_hash (pwbuf, unicodize (pwbuf, p->up.password) - 2, md4_hash);
139
250
challenge[i] = buf2[i+24];
142
create_des_keys ((unsigned char *)md4_hash, key1);
143
des_set_key_unchecked ((des_cblock *)key1, sched1);
144
des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)response, sched1, DES_ENCRYPT);
146
create_des_keys ((unsigned char *)&(md4_hash[7]), key2);
147
des_set_key_unchecked ((des_cblock *)key2, sched2);
148
des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(response[8]), sched2, DES_ENCRYPT);
150
create_des_keys ((unsigned char *)&(md4_hash[14]), key3);
151
des_set_key_unchecked ((des_cblock *)key3, sched3);
152
des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(response[16]), sched3, DES_ENCRYPT);
155
memset (phase3, 0, sizeof (phase3));
157
strcpy (phase3, "NTLMSSP\0");
158
phase3[8] = 3; /* type 3 */
160
buflen = 0x58 + strlen (p->up.username);
161
if (buflen > (int) sizeof (phase3))
162
buflen = sizeof (phase3);
164
phase3[0x10] = buflen; /* lm not used */
165
phase3[0x20] = buflen; /* default domain (i.e. proxy's domain) */
166
phase3[0x30] = buflen; /* no workstation name supplied */
167
phase3[0x38] = buflen; /* no session key */
169
phase3[0x14] = 24; /* ntlm response is 24 bytes long */
170
phase3[0x16] = phase3[0x14];
171
phase3[0x18] = 0x40; /* ntlm offset */
172
memcpy (&(phase3[0x40]), response, 24);
175
phase3[0x24] = strlen (p->up.username); /* username in ascii */
176
phase3[0x26] = phase3[0x24];
178
strncpy (&(phase3[0x58]), p->up.username, sizeof (phase3) - 0x58);
253
if (ntlmv2_enabled){ /* Generate NTLMv2 response */
256
my_strupr(strcpy(userdomain, username));
257
if (strlen(username) + strlen(domain) < sizeof(userdomain))
258
strcat(userdomain, domain);
260
msg (M_INFO, "Warning: Username or domain too long");
261
unicodize (userdomain_u, userdomain);
262
gen_hmac_md5(userdomain_u, 2 * strlen(userdomain), md4_hash, 16, ntlmv2_hash);
265
memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */
266
ntlmv2_blob[0x00]=1; /* Signature */
267
ntlmv2_blob[0x01]=1; /* Signature */
268
ntlmv2_blob[0x04]=0; /* Reserved */
269
gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
270
gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
271
ntlmv2_blob[0x18]=0; /* Unknown, zero should work */
273
/* Add target information block to the blob */
275
if (( *((long *)&buf2[0x14]) & 0x00800000) == 0x00800000){ /* Check for Target Information block */
276
tib_len = buf2[0x28];/* Get Target Information block size */
277
if (tib_len > 96) tib_len = 96;
278
char *tib_ptr = buf2 + buf2[0x2c]; /* Get Target Information block pointer */
279
memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len); /* Copy Target Information block into the blob */
284
ntlmv2_blob[0x1c + tib_len] = 0; /* Unknown, zero works */
286
/* Get blob length */
287
ntlmv2_blob_size = 0x20 + tib_len;
289
/* Add challenge from message 2 */
290
memcpy(&ntlmv2_response[8], challenge, 8);
293
gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash, 16, ntlmv2_hmacmd5);
295
/* Add hmac-md5 result to the blob */
296
memcpy(ntlmv2_response, ntlmv2_hmacmd5, 16); /* Note: This overwrites challenge previously written at ntlmv2_response[8..15] */
298
} else { /* Generate NTLM response */
300
create_des_keys ((unsigned char *)md4_hash, key1);
301
des_set_key_unchecked ((des_cblock *)key1, sched1);
302
des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)ntlm_response, sched1, DES_ENCRYPT);
304
create_des_keys ((unsigned char *)&(md4_hash[7]), key2);
305
des_set_key_unchecked ((des_cblock *)key2, sched2);
306
des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(ntlm_response[8]), sched2, DES_ENCRYPT);
308
create_des_keys ((unsigned char *)&(md4_hash[14]), key3);
309
des_set_key_unchecked ((des_cblock *)key3, sched3);
310
des_ecb_encrypt ((des_cblock *)challenge, (des_cblock *)&(ntlm_response[16]), sched3, DES_ENCRYPT);
314
memset (phase3, 0, sizeof (phase3)); /* clear reply */
316
strcpy (phase3, "NTLMSSP\0"); /* signature */
317
phase3[8] = 3; /* type 3 */
319
if (ntlmv2_enabled){ /* NTLMv2 response */
320
add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos);
321
}else{ /* NTLM response */
322
add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos);
325
/* username in ascii */
326
add_security_buffer(0x24, username, strlen (username), phase3, &phase3_bufpos);
328
/* Set domain. If <domain> is empty, default domain will be used (i.e. proxy's domain) */
329
add_security_buffer(0x1c, domain, strlen (domain), phase3, &phase3_bufpos);
332
/* other security buffers will be empty */
333
phase3[0x10] = phase3_bufpos; /* lm not used */
334
phase3[0x30] = phase3_bufpos; /* no workstation name supplied */
335
phase3[0x38] = phase3_bufpos; /* no session key */
180
338
phase3[0x3c] = 0x02; /* negotiate oem */
181
339
phase3[0x3d] = 0x02; /* negotiate ntlm */
183
return ((const char *)make_base64_string2 ((unsigned char *)phase3, buflen, gc));
341
return ((const char *)make_base64_string2 ((unsigned char *)phase3, phase3_bufpos, gc));