1
/***************************************************************************
3
* Project ___| | | | _ \| |
5
* | (__| |_| | _ <| |___
6
* \___|\___/|_| \_\_____|
8
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
10
* This software is licensed as described in the file COPYING, which
11
* you should have received as part of this distribution. The terms
12
* are also available at http://curl.haxx.se/docs/copyright.html.
14
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15
* copies of the Software, and permit persons to whom the Software is
16
* furnished to do so, under the terms of the COPYING file.
18
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19
* KIND, either express or implied.
21
***************************************************************************/
26
http://davenport.sourceforge.net/ntlm.html
27
http://www.innovation.ch/java/ntlm.html
30
#ifndef CURL_DISABLE_HTTP
35
/* -- WIN32 approved -- */
46
#if (defined(NETWARE) && !defined(__NOVELL_LIBC__))
51
#include "non-ascii.h" /* for Curl_convert_... prototypes */
54
#include "curl_base64.h"
55
#include "http_ntlm.h"
57
#include "curl_gethostname.h"
58
#include "curl_memory.h"
60
#define _MPRINTF_REPLACE /* use our functions only */
61
#include <curl/mprintf.h>
63
/* "NTLMSSP" signature is always in ASCII regardless of the platform */
64
#define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50"
69
# include <openssl/des.h>
70
# ifndef OPENSSL_NO_MD4
71
# include <openssl/md4.h>
73
# include <openssl/md5.h>
74
# include <openssl/ssl.h>
75
# include <openssl/rand.h>
78
# ifndef OPENSSL_NO_MD4
86
#ifndef OPENSSL_VERSION_NUMBER
87
#error "OPENSSL_VERSION_NUMBER not defined"
90
#if OPENSSL_VERSION_NUMBER < 0x00907001L
91
#define DES_key_schedule des_key_schedule
92
#define DES_cblock des_cblock
93
#define DES_set_odd_parity des_set_odd_parity
94
#define DES_set_key des_set_key
95
#define DES_ecb_encrypt des_ecb_encrypt
97
/* This is how things were done in the old days */
99
#define DESKEYARG(x) x
102
#define DESKEYARG(x) *x
106
#ifdef OPENSSL_NO_MD4
107
/* This requires MD4, but OpenSSL was compiled without it */
108
#define USE_NTRESPONSES 0
109
#define USE_NTLM2SESSION 0
112
#elif defined(USE_GNUTLS)
117
#define MD5_DIGEST_LENGTH 16
118
#define MD4_DIGEST_LENGTH 16
120
#elif defined(USE_NSS)
122
#include "curl_md4.h"
127
#define MD5_DIGEST_LENGTH MD5_LENGTH
129
#elif defined(USE_WINDOWS_SSPI)
131
#include "curl_sspi.h"
134
# error "Can't compile NTLM support without a crypto library."
137
/* The last #include file should be: */
138
#include "memdebug.h"
140
#ifndef USE_NTRESPONSES
141
/* Define this to make the type-3 message include the NT response message */
142
#define USE_NTRESPONSES 1
144
/* Define this to make the type-3 message include the NTLM2Session response
145
message, requires USE_NTRESPONSES. */
146
#define USE_NTLM2SESSION 1
149
#ifndef USE_WINDOWS_SSPI
150
/* this function converts from the little endian format used in the incoming
151
package to whatever endian format we're using natively */
152
static unsigned int readint_le(unsigned char *buf) /* must point to a
155
return ((unsigned int)buf[0]) | ((unsigned int)buf[1] << 8) |
156
((unsigned int)buf[2] << 16) | ((unsigned int)buf[3] << 24);
161
# define DEBUG_OUT(x) x
162
static void print_flags(FILE *handle, unsigned long flags)
164
if(flags & NTLMFLAG_NEGOTIATE_UNICODE)
165
fprintf(handle, "NTLMFLAG_NEGOTIATE_UNICODE ");
166
if(flags & NTLMFLAG_NEGOTIATE_OEM)
167
fprintf(handle, "NTLMFLAG_NEGOTIATE_OEM ");
168
if(flags & NTLMFLAG_REQUEST_TARGET)
169
fprintf(handle, "NTLMFLAG_REQUEST_TARGET ");
171
fprintf(handle, "NTLMFLAG_UNKNOWN_3 ");
172
if(flags & NTLMFLAG_NEGOTIATE_SIGN)
173
fprintf(handle, "NTLMFLAG_NEGOTIATE_SIGN ");
174
if(flags & NTLMFLAG_NEGOTIATE_SEAL)
175
fprintf(handle, "NTLMFLAG_NEGOTIATE_SEAL ");
176
if(flags & NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE)
177
fprintf(handle, "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE ");
178
if(flags & NTLMFLAG_NEGOTIATE_LM_KEY)
179
fprintf(handle, "NTLMFLAG_NEGOTIATE_LM_KEY ");
180
if(flags & NTLMFLAG_NEGOTIATE_NETWARE)
181
fprintf(handle, "NTLMFLAG_NEGOTIATE_NETWARE ");
182
if(flags & NTLMFLAG_NEGOTIATE_NTLM_KEY)
183
fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM_KEY ");
185
fprintf(handle, "NTLMFLAG_UNKNOWN_10 ");
186
if(flags & NTLMFLAG_NEGOTIATE_ANONYMOUS)
187
fprintf(handle, "NTLMFLAG_NEGOTIATE_ANONYMOUS ");
188
if(flags & NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED)
189
fprintf(handle, "NTLMFLAG_NEGOTIATE_DOMAIN_SUPPLIED ");
190
if(flags & NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED)
191
fprintf(handle, "NTLMFLAG_NEGOTIATE_WORKSTATION_SUPPLIED ");
192
if(flags & NTLMFLAG_NEGOTIATE_LOCAL_CALL)
193
fprintf(handle, "NTLMFLAG_NEGOTIATE_LOCAL_CALL ");
194
if(flags & NTLMFLAG_NEGOTIATE_ALWAYS_SIGN)
195
fprintf(handle, "NTLMFLAG_NEGOTIATE_ALWAYS_SIGN ");
196
if(flags & NTLMFLAG_TARGET_TYPE_DOMAIN)
197
fprintf(handle, "NTLMFLAG_TARGET_TYPE_DOMAIN ");
198
if(flags & NTLMFLAG_TARGET_TYPE_SERVER)
199
fprintf(handle, "NTLMFLAG_TARGET_TYPE_SERVER ");
200
if(flags & NTLMFLAG_TARGET_TYPE_SHARE)
201
fprintf(handle, "NTLMFLAG_TARGET_TYPE_SHARE ");
202
if(flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY)
203
fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM2_KEY ");
204
if(flags & NTLMFLAG_REQUEST_INIT_RESPONSE)
205
fprintf(handle, "NTLMFLAG_REQUEST_INIT_RESPONSE ");
206
if(flags & NTLMFLAG_REQUEST_ACCEPT_RESPONSE)
207
fprintf(handle, "NTLMFLAG_REQUEST_ACCEPT_RESPONSE ");
208
if(flags & NTLMFLAG_REQUEST_NONNT_SESSION_KEY)
209
fprintf(handle, "NTLMFLAG_REQUEST_NONNT_SESSION_KEY ");
210
if(flags & NTLMFLAG_NEGOTIATE_TARGET_INFO)
211
fprintf(handle, "NTLMFLAG_NEGOTIATE_TARGET_INFO ");
213
fprintf(handle, "NTLMFLAG_UNKNOWN_24 ");
215
fprintf(handle, "NTLMFLAG_UNKNOWN_25 ");
217
fprintf(handle, "NTLMFLAG_UNKNOWN_26 ");
219
fprintf(handle, "NTLMFLAG_UNKNOWN_27 ");
221
fprintf(handle, "NTLMFLAG_UNKNOWN_28 ");
222
if(flags & NTLMFLAG_NEGOTIATE_128)
223
fprintf(handle, "NTLMFLAG_NEGOTIATE_128 ");
224
if(flags & NTLMFLAG_NEGOTIATE_KEY_EXCHANGE)
225
fprintf(handle, "NTLMFLAG_NEGOTIATE_KEY_EXCHANGE ");
226
if(flags & NTLMFLAG_NEGOTIATE_56)
227
fprintf(handle, "NTLMFLAG_NEGOTIATE_56 ");
230
static void print_hex(FILE *handle, const char *buf, size_t len)
233
fprintf(stderr, "0x");
235
fprintf(stderr, "%02.2x", (unsigned int)*p++);
238
# define DEBUG_OUT(x)
242
(*) = A "security buffer" is a triplet consisting of two shorts and one
245
1. a 'short' containing the length of the buffer in bytes
246
2. a 'short' containing the allocated space for the buffer in bytes
247
3. a 'long' containing the offset to the start of the buffer from the
248
beginning of the NTLM message, in bytes.
252
CURLntlm Curl_input_ntlm(struct connectdata *conn,
253
bool proxy, /* if proxy or not */
254
const char *header) /* rest of the www-authenticate:
257
/* point to the correct struct with this */
258
struct ntlmdata *ntlm;
259
#ifndef USE_WINDOWS_SSPI
260
static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };
264
if(CURLE_OK != Curl_nss_force_init(conn->data))
268
ntlm = proxy?&conn->proxyntlm:&conn->ntlm;
270
/* skip initial whitespaces */
271
while(*header && ISSPACE(*header))
274
if(checkprefix("NTLM", header)) {
275
header += strlen("NTLM");
277
while(*header && ISSPACE(*header))
281
/* We got a type-2 message here:
283
Index Description Content
284
0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
286
8 NTLM Message Type long (0x02000000)
287
12 Target Name security buffer(*)
290
(32) Context (optional) 8 bytes (two consecutive longs)
291
(40) Target Information (optional) security buffer(*)
292
32 (48) start of data block
295
unsigned char *buffer;
296
size = Curl_base64_decode(header, &buffer);
300
ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
302
#ifdef USE_WINDOWS_SSPI
303
ntlm->type_2 = malloc(size+1);
304
if(ntlm->type_2 == NULL) {
306
return CURLE_OUT_OF_MEMORY;
308
ntlm->n_type_2 = size;
309
memcpy(ntlm->type_2, buffer, size);
314
(memcmp(buffer, NTLMSSP_SIGNATURE, 8) != 0) ||
315
(memcmp(buffer+8, type2_marker, sizeof(type2_marker)) != 0)) {
316
/* This was not a good enough type-2 message */
321
ntlm->flags = readint_le(&buffer[20]);
322
memcpy(ntlm->nonce, &buffer[24], 8);
325
fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ", ntlm->flags);
326
print_flags(stderr, ntlm->flags);
327
fprintf(stderr, "\n nonce=");
328
print_hex(stderr, (char *)ntlm->nonce, 8);
329
fprintf(stderr, "\n****\n");
330
fprintf(stderr, "**** Header %s\n ", header);
336
if(ntlm->state >= NTLMSTATE_TYPE1)
339
ntlm->state = NTLMSTATE_TYPE1; /* we should sent away a type-1 */
342
return CURLNTLM_FINE;
345
#ifndef USE_WINDOWS_SSPI
349
* Turns a 56 bit key into the 64 bit, odd parity key and sets the key. The
350
* key schedule ks is also set.
352
static void setup_des_key(const unsigned char *key_56,
353
DES_key_schedule DESKEYARG(ks))
358
key[1] = (unsigned char)(((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1));
359
key[2] = (unsigned char)(((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2));
360
key[3] = (unsigned char)(((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3));
361
key[4] = (unsigned char)(((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4));
362
key[5] = (unsigned char)(((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5));
363
key[6] = (unsigned char)(((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6));
364
key[7] = (unsigned char) ((key_56[6] << 1) & 0xFF);
366
DES_set_odd_parity(&key);
367
DES_set_key(&key, ks);
370
#else /* defined(USE_SSLEAY) */
373
* Turns a 56 bit key into the 64 bit, odd parity key. Used by GnuTLS and NSS.
375
static void extend_key_56_to_64(const unsigned char *key_56, char *key)
378
key[1] = (unsigned char)(((key_56[0] << 7) & 0xFF) | (key_56[1] >> 1));
379
key[2] = (unsigned char)(((key_56[1] << 6) & 0xFF) | (key_56[2] >> 2));
380
key[3] = (unsigned char)(((key_56[2] << 5) & 0xFF) | (key_56[3] >> 3));
381
key[4] = (unsigned char)(((key_56[3] << 4) & 0xFF) | (key_56[4] >> 4));
382
key[5] = (unsigned char)(((key_56[4] << 3) & 0xFF) | (key_56[5] >> 5));
383
key[6] = (unsigned char)(((key_56[5] << 2) & 0xFF) | (key_56[6] >> 6));
384
key[7] = (unsigned char) ((key_56[6] << 1) & 0xFF);
387
#if defined(USE_GNUTLS)
390
* Turns a 56 bit key into the 64 bit, odd parity key and sets the key.
392
static void setup_des_key(const unsigned char *key_56,
393
gcry_cipher_hd_t *des)
396
extend_key_56_to_64(key_56, key);
397
gcry_cipher_setkey(*des, key, 8);
400
#elif defined(USE_NSS)
403
* Expands a 56 bit key KEY_56 to 64 bit and encrypts 64 bit of data, using
404
* the expanded key. The caller is responsible for giving 64 bit of valid
405
* data is IN and (at least) 64 bit large buffer as OUT.
407
static bool encrypt_des(const unsigned char *in, unsigned char *out,
408
const unsigned char *key_56)
410
const CK_MECHANISM_TYPE mech = CKM_DES_ECB; /* DES cipher in ECB mode */
411
PK11SlotInfo *slot = NULL;
412
char key[8]; /* expanded 64 bit key */
414
PK11SymKey *symkey = NULL;
415
SECItem *param = NULL;
416
PK11Context *ctx = NULL;
417
int out_len; /* not used, required by NSS */
420
/* use internal slot for DES encryption (requires NSS to be initialized) */
421
slot = PK11_GetInternalKeySlot();
425
/* expand the 56 bit key to 64 bit and wrap by NSS */
426
extend_key_56_to_64(key_56, key);
427
key_item.data = (unsigned char *)key;
428
key_item.len = /* hard-wired */ 8;
429
symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_ENCRYPT,
434
/* create DES encryption context */
435
param = PK11_ParamFromIV(mech, /* no IV in ECB mode */ NULL);
438
ctx = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symkey, param);
442
/* perform the encryption */
443
if(SECSuccess == PK11_CipherOp(ctx, out, &out_len, /* outbuflen */ 8,
444
(unsigned char *)in, /* inbuflen */ 8)
445
&& SECSuccess == PK11_Finalize(ctx))
446
rv = /* all OK */ TRUE;
451
PK11_DestroyContext(ctx, PR_TRUE);
453
PK11_FreeSymKey(symkey);
455
SECITEM_FreeItem(param, PR_TRUE);
460
#endif /* defined(USE_NSS) */
462
#endif /* defined(USE_SSLEAY) */
465
* takes a 21 byte array and treats it as 3 56-bit DES keys. The
466
* 8 byte plaintext is encrypted with each key and the resulting 24
467
* bytes are stored in the results array.
469
static void lm_resp(const unsigned char *keys,
470
const unsigned char *plaintext,
471
unsigned char *results)
476
setup_des_key(keys, DESKEY(ks));
477
DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) results,
478
DESKEY(ks), DES_ENCRYPT);
480
setup_des_key(keys+7, DESKEY(ks));
481
DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+8),
482
DESKEY(ks), DES_ENCRYPT);
484
setup_des_key(keys+14, DESKEY(ks));
485
DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+16),
486
DESKEY(ks), DES_ENCRYPT);
487
#elif defined(USE_GNUTLS)
488
gcry_cipher_hd_t des;
490
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
491
setup_des_key(keys, &des);
492
gcry_cipher_encrypt(des, results, 8, plaintext, 8);
493
gcry_cipher_close(des);
495
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
496
setup_des_key(keys+7, &des);
497
gcry_cipher_encrypt(des, results+8, 8, plaintext, 8);
498
gcry_cipher_close(des);
500
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
501
setup_des_key(keys+14, &des);
502
gcry_cipher_encrypt(des, results+16, 8, plaintext, 8);
503
gcry_cipher_close(des);
504
#elif defined(USE_NSS)
505
encrypt_des(plaintext, results, keys);
506
encrypt_des(plaintext, results+8, keys+7);
507
encrypt_des(plaintext, results+16, keys+14);
513
* Set up lanmanager hashed password
515
static void mk_lm_hash(struct SessionHandle *data,
516
const char *password,
517
unsigned char *lmbuffer /* 21 bytes */)
520
unsigned char pw[14];
521
static const unsigned char magic[] = {
522
0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 /* i.e. KGS!@#$% */
524
size_t len = CURLMIN(strlen(password), 14);
526
Curl_strntoupper((char *)pw, password, len);
527
memset(&pw[len], 0, 14-len);
530
* The LanManager hashed password needs to be created using the
531
* password in the network encoding not the host encoding.
533
res = Curl_convert_to_network(data, (char *)pw, 14);
538
/* Create LanManager hashed password. */
543
setup_des_key(pw, DESKEY(ks));
544
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)lmbuffer,
545
DESKEY(ks), DES_ENCRYPT);
547
setup_des_key(pw+7, DESKEY(ks));
548
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8),
549
DESKEY(ks), DES_ENCRYPT);
550
#elif defined(USE_GNUTLS)
551
gcry_cipher_hd_t des;
553
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
554
setup_des_key(pw, &des);
555
gcry_cipher_encrypt(des, lmbuffer, 8, magic, 8);
556
gcry_cipher_close(des);
558
gcry_cipher_open(&des, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
559
setup_des_key(pw+7, &des);
560
gcry_cipher_encrypt(des, lmbuffer+8, 8, magic, 8);
561
gcry_cipher_close(des);
562
#elif defined(USE_NSS)
563
encrypt_des(magic, lmbuffer, pw);
564
encrypt_des(magic, lmbuffer+8, pw+7);
567
memset(lmbuffer + 16, 0, 21 - 16);
572
static void ascii_to_unicode_le(unsigned char *dest, const char *src,
576
for(i=0; i<srclen; i++) {
577
dest[2*i] = (unsigned char)src[i];
583
* Set up nt hashed passwords
585
static CURLcode mk_nt_hash(struct SessionHandle *data,
586
const char *password,
587
unsigned char *ntbuffer /* 21 bytes */)
589
size_t len = strlen(password);
590
unsigned char *pw = malloc(len*2);
593
return CURLE_OUT_OF_MEMORY;
595
ascii_to_unicode_le(pw, password, len);
598
* The NT hashed password needs to be created using the password in the
599
* network encoding not the host encoding.
601
result = Curl_convert_to_network(data, (char *)pw, len*2);
606
/* Create NT hashed password. */
610
MD4_Update(&MD4pw, pw, 2*len);
611
MD4_Final(ntbuffer, &MD4pw);
612
#elif defined(USE_GNUTLS)
614
gcry_md_open(&MD4pw, GCRY_MD_MD4, 0);
615
gcry_md_write(MD4pw, pw, 2*len);
616
memcpy (ntbuffer, gcry_md_read (MD4pw, 0), MD4_DIGEST_LENGTH);
617
gcry_md_close(MD4pw);
618
#elif defined(USE_NSS)
619
Curl_md4it(ntbuffer, pw, 2*len);
622
memset(ntbuffer + 16, 0, 21 - 16);
633
#ifdef USE_WINDOWS_SSPI
636
ntlm_sspi_cleanup(struct ntlmdata *ntlm)
642
if(ntlm->has_handles) {
643
s_pSecFn->DeleteSecurityContext(&ntlm->c_handle);
644
s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
645
ntlm->has_handles = 0;
647
if(ntlm->p_identity) {
648
if(ntlm->identity.User) free(ntlm->identity.User);
649
if(ntlm->identity.Password) free(ntlm->identity.Password);
650
if(ntlm->identity.Domain) free(ntlm->identity.Domain);
651
ntlm->p_identity = NULL;
657
#define SHORTPAIR(x) ((x) & 0xff), (((x) >> 8) & 0xff)
658
#define LONGQUARTET(x) ((x) & 0xff), (((x) >> 8)&0xff), \
659
(((x) >>16)&0xff), (((x)>>24) & 0xff)
661
#define HOSTNAME_MAX 1024
663
#ifndef USE_WINDOWS_SSPI
664
/* copy the source to the destination and fill in zeroes in every
665
other destination byte! */
666
static void unicodecpy(unsigned char *dest,
667
const char *src, size_t length)
670
for(i=0; i<length; i++) {
671
dest[2*i] = (unsigned char)src[i];
677
/* this is for creating ntlm header output */
678
CURLcode Curl_output_ntlm(struct connectdata *conn,
681
const char *domain=""; /* empty */
682
char host [HOSTNAME_MAX+ 1] = ""; /* empty */
683
#ifndef USE_WINDOWS_SSPI
684
size_t domlen = strlen(domain);
685
size_t hostlen = strlen(host);
686
size_t hostoff; /* host name offset */
687
size_t domoff; /* domain name offset */
691
unsigned char ntlmbuf[1024]; /* enough, unless the user+host+domain is very
694
/* point to the address of the pointer that holds the string to sent to the
695
server, which is for a plain host or for a HTTP proxy */
698
/* point to the name and password for this */
701
/* point to the correct struct with this */
702
struct ntlmdata *ntlm;
706
DEBUGASSERT(conn->data);
709
if(CURLE_OK != Curl_nss_force_init(conn->data))
710
return CURLE_OUT_OF_MEMORY;
714
allocuserpwd = &conn->allocptr.proxyuserpwd;
715
userp = conn->proxyuser;
716
passwdp = conn->proxypasswd;
717
ntlm = &conn->proxyntlm;
718
authp = &conn->data->state.authproxy;
721
allocuserpwd = &conn->allocptr.userpwd;
723
passwdp = conn->passwd;
725
authp = &conn->data->state.authhost;
729
/* not set means empty */
736
#ifdef USE_WINDOWS_SSPI
737
if(s_hSecDll == NULL) {
738
/* not thread safe and leaks - use curl_global_init() to avoid */
739
CURLcode err = Curl_sspi_global_init();
740
if(s_hSecDll == NULL)
745
switch(ntlm->state) {
746
case NTLMSTATE_TYPE1:
747
default: /* for the weird cases we (re)start here */
748
#ifdef USE_WINDOWS_SSPI
752
SECURITY_STATUS status;
756
TimeStamp tsDummy; /* For Windows 9x compatibility of SPPI calls */
758
ntlm_sspi_cleanup(ntlm);
760
user = strchr(userp, '\\');
762
user = strchr(userp, '/');
766
domlen = user - userp;
776
/* note: initialize all of this before doing the mallocs so that
777
* it can be cleaned up later without leaking memory.
779
ntlm->p_identity = &ntlm->identity;
780
memset(ntlm->p_identity, 0, sizeof(*ntlm->p_identity));
781
if((ntlm->identity.User = (unsigned char *)strdup(user)) == NULL)
782
return CURLE_OUT_OF_MEMORY;
783
ntlm->identity.UserLength = strlen(user);
784
if((ntlm->identity.Password = (unsigned char *)strdup(passwdp)) == NULL)
785
return CURLE_OUT_OF_MEMORY;
786
ntlm->identity.PasswordLength = strlen(passwdp);
787
if((ntlm->identity.Domain = malloc(domlen+1)) == NULL)
788
return CURLE_OUT_OF_MEMORY;
789
strncpy((char *)ntlm->identity.Domain, domain, domlen);
790
ntlm->identity.Domain[domlen] = '\0';
791
ntlm->identity.DomainLength = domlen;
792
ntlm->identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
795
ntlm->p_identity = NULL;
798
if(s_pSecFn->AcquireCredentialsHandleA(
799
NULL, (char *)"NTLM", SECPKG_CRED_OUTBOUND, NULL, ntlm->p_identity,
800
NULL, NULL, &ntlm->handle, &tsDummy
802
return CURLE_OUT_OF_MEMORY;
805
desc.ulVersion = SECBUFFER_VERSION;
807
desc.pBuffers = &buf;
808
buf.cbBuffer = sizeof(ntlmbuf);
809
buf.BufferType = SECBUFFER_TOKEN;
810
buf.pvBuffer = ntlmbuf;
812
status = s_pSecFn->InitializeSecurityContextA(&ntlm->handle, NULL,
814
ISC_REQ_CONFIDENTIALITY |
815
ISC_REQ_REPLAY_DETECT |
817
0, SECURITY_NETWORK_DREP,
819
&ntlm->c_handle, &desc,
822
if(status == SEC_I_COMPLETE_AND_CONTINUE ||
823
status == SEC_I_CONTINUE_NEEDED) {
824
s_pSecFn->CompleteAuthToken(&ntlm->c_handle, &desc);
826
else if(status != SEC_E_OK) {
827
s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
828
return CURLE_RECV_ERROR;
831
ntlm->has_handles = 1;
836
domoff = hostoff + hostlen; /* This is 0: remember that host and domain
839
/* Create and send a type-1 message:
841
Index Description Content
842
0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
844
8 NTLM Message Type long (0x01000000)
846
16 Supplied Domain security buffer(*)
847
24 Supplied Workstation security buffer(*)
848
32 start of data block
852
#define NTLM2FLAG NTLMFLAG_NEGOTIATE_NTLM2_KEY
856
snprintf((char *)ntlmbuf, sizeof(ntlmbuf), NTLMSSP_SIGNATURE "%c"
857
"\x01%c%c%c" /* 32-bit type = 1 */
858
"%c%c%c%c" /* 32-bit NTLM flag field */
859
"%c%c" /* domain length */
860
"%c%c" /* domain allocated space */
861
"%c%c" /* domain name offset */
862
"%c%c" /* 2 zeroes */
863
"%c%c" /* host length */
864
"%c%c" /* host allocated space */
865
"%c%c" /* host name offset */
866
"%c%c" /* 2 zeroes */
868
"%s", /* domain string */
869
0, /* trailing zero */
870
0,0,0, /* part of type-1 long */
873
NTLMFLAG_NEGOTIATE_OEM|
874
NTLMFLAG_REQUEST_TARGET|
875
NTLMFLAG_NEGOTIATE_NTLM_KEY|
877
NTLMFLAG_NEGOTIATE_ALWAYS_SIGN
887
host /* this is empty */, domain /* this is empty */);
889
/* initial packet length */
890
size = 32 + hostlen + domlen;
894
fprintf(stderr, "* TYPE1 header flags=0x%02.2x%02.2x%02.2x%02.2x "
896
LONGQUARTET(NTLMFLAG_NEGOTIATE_OEM|
897
NTLMFLAG_REQUEST_TARGET|
898
NTLMFLAG_NEGOTIATE_NTLM_KEY|
900
NTLMFLAG_NEGOTIATE_ALWAYS_SIGN),
901
NTLMFLAG_NEGOTIATE_OEM|
902
NTLMFLAG_REQUEST_TARGET|
903
NTLMFLAG_NEGOTIATE_NTLM_KEY|
905
NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
907
NTLMFLAG_NEGOTIATE_OEM|
908
NTLMFLAG_REQUEST_TARGET|
909
NTLMFLAG_NEGOTIATE_NTLM_KEY|
911
NTLMFLAG_NEGOTIATE_ALWAYS_SIGN);
912
fprintf(stderr, "\n****\n");
915
/* now size is the size of the base64 encoded package size */
916
size = Curl_base64_encode(NULL, (char *)ntlmbuf, size, &base64);
919
Curl_safefree(*allocuserpwd);
920
*allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
923
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
927
return CURLE_OUT_OF_MEMORY; /* FIX TODO */
931
case NTLMSTATE_TYPE2:
932
/* We received the type-2 message already, create a type-3 message:
934
Index Description Content
935
0 NTLMSSP Signature Null-terminated ASCII "NTLMSSP"
937
8 NTLM Message Type long (0x03000000)
938
12 LM/LMv2 Response security buffer(*)
939
20 NTLM/NTLMv2 Response security buffer(*)
940
28 Domain Name security buffer(*)
941
36 User Name security buffer(*)
942
44 Workstation Name security buffer(*)
943
(52) Session Key (optional) security buffer(*)
944
(60) Flags (optional) long
945
52 (64) start of data block
950
#ifdef USE_WINDOWS_SSPI
951
SecBuffer type_2, type_3;
952
SecBufferDesc type_2_desc, type_3_desc;
953
SECURITY_STATUS status;
955
TimeStamp tsDummy; /* For Windows 9x compatibility of SPPI calls */
957
type_2_desc.ulVersion = type_3_desc.ulVersion = SECBUFFER_VERSION;
958
type_2_desc.cBuffers = type_3_desc.cBuffers = 1;
959
type_2_desc.pBuffers = &type_2;
960
type_3_desc.pBuffers = &type_3;
962
type_2.BufferType = SECBUFFER_TOKEN;
963
type_2.pvBuffer = ntlm->type_2;
964
type_2.cbBuffer = ntlm->n_type_2;
965
type_3.BufferType = SECBUFFER_TOKEN;
966
type_3.pvBuffer = ntlmbuf;
967
type_3.cbBuffer = sizeof(ntlmbuf);
969
status = s_pSecFn->InitializeSecurityContextA(&ntlm->handle,
972
ISC_REQ_CONFIDENTIALITY |
973
ISC_REQ_REPLAY_DETECT |
975
0, SECURITY_NETWORK_DREP,
981
if(status != SEC_E_OK)
982
return CURLE_RECV_ERROR;
984
size = type_3.cbBuffer;
986
ntlm_sspi_cleanup(ntlm);
990
unsigned char lmresp[24]; /* fixed-size */
993
unsigned char ntresp[24]; /* fixed-size */
995
bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE)?TRUE:FALSE;
1001
user = strchr(userp, '\\');
1003
user = strchr(userp, '/');
1007
domlen = (user - domain);
1012
userlen = strlen(user);
1014
if(Curl_gethostname(host, HOSTNAME_MAX)) {
1015
infof(conn->data, "gethostname() failed, continuing without!");
1019
/* If the workstation if configured with a full DNS name (i.e.
1020
* workstation.somewhere.net) gethostname() returns the fully qualified
1021
* name, which NTLM doesn't like.
1023
char *dot = strchr(host, '.');
1026
hostlen = strlen(host);
1030
domlen = domlen * 2;
1031
userlen = userlen * 2;
1032
hostlen = hostlen * 2;
1035
#if USE_NTLM2SESSION
1036
/* We don't support NTLM2 if we don't have USE_NTRESPONSES */
1037
if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) {
1038
unsigned char ntbuffer[0x18];
1039
unsigned char tmp[0x18];
1040
unsigned char md5sum[MD5_DIGEST_LENGTH];
1041
unsigned char entropy[8];
1043
/* Need to create 8 bytes random data */
1046
Curl_ossl_seed(conn->data); /* Initiate the seed if not already done */
1047
RAND_bytes(entropy,8);
1048
#elif defined(USE_GNUTLS)
1050
Curl_gtls_seed(conn->data); /* Initiate the seed if not already done */
1051
gcry_randomize(entropy, 8, GCRY_STRONG_RANDOM);
1052
#elif defined(USE_NSS)
1054
unsigned int outlen;
1055
Curl_nss_seed(conn->data); /* Initiate the seed if not already done */
1056
PK11_GenerateRandom(entropy, 8);
1059
/* 8 bytes random data as challenge in lmresp */
1060
memcpy(lmresp,entropy,8);
1061
/* Pad with zeros */
1062
memset(lmresp+8,0,0x10);
1064
/* Fill tmp with challenge(nonce?) + entropy */
1065
memcpy(tmp,&ntlm->nonce[0],8);
1066
memcpy(tmp+8,entropy,8);
1070
MD5_Update(&MD5pw, tmp, 16);
1071
MD5_Final(md5sum, &MD5pw);
1072
#elif defined(USE_GNUTLS)
1073
gcry_md_open(&MD5pw, GCRY_MD_MD5, 0);
1074
gcry_md_write(MD5pw, tmp, MD5_DIGEST_LENGTH);
1075
memcpy(md5sum, gcry_md_read (MD5pw, 0), MD5_DIGEST_LENGTH);
1076
gcry_md_close(MD5pw);
1077
#elif defined(USE_NSS)
1078
MD5pw = PK11_CreateDigestContext(SEC_OID_MD5);
1079
PK11_DigestOp(MD5pw, tmp, 16);
1080
PK11_DigestFinal(MD5pw, md5sum, &outlen, MD5_DIGEST_LENGTH);
1081
PK11_DestroyContext(MD5pw, PR_TRUE);
1084
/* We shall only use the first 8 bytes of md5sum,
1085
but the des code in lm_resp only encrypt the first 8 bytes */
1086
if(mk_nt_hash(conn->data, passwdp, ntbuffer) == CURLE_OUT_OF_MEMORY)
1087
return CURLE_OUT_OF_MEMORY;
1088
lm_resp(ntbuffer, md5sum, ntresp);
1090
/* End of NTLM2 Session code */
1097
unsigned char ntbuffer[0x18];
1099
unsigned char lmbuffer[0x18];
1102
if(mk_nt_hash(conn->data, passwdp, ntbuffer) == CURLE_OUT_OF_MEMORY)
1103
return CURLE_OUT_OF_MEMORY;
1104
lm_resp(ntbuffer, &ntlm->nonce[0], ntresp);
1107
mk_lm_hash(conn->data, passwdp, lmbuffer);
1108
lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);
1109
/* A safer but less compatible alternative is:
1110
* lm_resp(ntbuffer, &ntlm->nonce[0], lmresp);
1111
* See http://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */
1114
lmrespoff = 64; /* size of the message header */
1116
ntrespoff = lmrespoff + 0x18;
1117
domoff = ntrespoff + 0x18;
1119
domoff = lmrespoff + 0x18;
1121
useroff = domoff + domlen;
1122
hostoff = useroff + userlen;
1124
/* Create the big type-3 message binary blob */
1125
size = snprintf((char *)ntlmbuf, sizeof(ntlmbuf),
1126
NTLMSSP_SIGNATURE "%c"
1127
"\x03%c%c%c" /* type-3, 32 bits */
1129
"%c%c" /* LanManager length */
1130
"%c%c" /* LanManager allocated space */
1131
"%c%c" /* LanManager offset */
1132
"%c%c" /* 2 zeroes */
1134
"%c%c" /* NT-response length */
1135
"%c%c" /* NT-response allocated space */
1136
"%c%c" /* NT-response offset */
1137
"%c%c" /* 2 zeroes */
1139
"%c%c" /* domain length */
1140
"%c%c" /* domain allocated space */
1141
"%c%c" /* domain name offset */
1142
"%c%c" /* 2 zeroes */
1144
"%c%c" /* user length */
1145
"%c%c" /* user allocated space */
1146
"%c%c" /* user offset */
1147
"%c%c" /* 2 zeroes */
1149
"%c%c" /* host length */
1150
"%c%c" /* host allocated space */
1151
"%c%c" /* host offset */
1152
"%c%c" /* 2 zeroes */
1154
"%c%c" /* session key length (unknown purpose) */
1155
"%c%c" /* session key allocated space (unknown purpose) */
1156
"%c%c" /* session key offset (unknown purpose) */
1157
"%c%c" /* 2 zeroes */
1159
"%c%c%c%c" /* flags */
1164
/* LanManager response */
1167
0, /* zero termination */
1168
0,0,0, /* type-3 long, the 24 upper bits */
1170
SHORTPAIR(0x18), /* LanManager response length, twice */
1172
SHORTPAIR(lmrespoff),
1176
SHORTPAIR(0x18), /* NT-response length, twice */
1178
SHORTPAIR(ntrespoff),
1206
LONGQUARTET(ntlm->flags));
1207
DEBUGASSERT(size==64);
1209
DEBUGASSERT(size == (size_t)lmrespoff);
1210
/* We append the binary hashes */
1211
if(size < (sizeof(ntlmbuf) - 0x18)) {
1212
memcpy(&ntlmbuf[size], lmresp, 0x18);
1217
fprintf(stderr, "**** TYPE3 header lmresp=");
1218
print_hex(stderr, (char *)&ntlmbuf[lmrespoff], 0x18);
1222
if(size < (sizeof(ntlmbuf) - 0x18)) {
1223
DEBUGASSERT(size == (size_t)ntrespoff);
1224
memcpy(&ntlmbuf[size], ntresp, 0x18);
1229
fprintf(stderr, "\n ntresp=");
1230
print_hex(stderr, (char *)&ntlmbuf[ntrespoff], 0x18);
1236
fprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
1237
LONGQUARTET(ntlm->flags), ntlm->flags);
1238
print_flags(stderr, ntlm->flags);
1239
fprintf(stderr, "\n****\n");
1243
/* Make sure that the domain, user and host strings fit in the target
1244
buffer before we copy them there. */
1245
if(size + userlen + domlen + hostlen >= sizeof(ntlmbuf)) {
1246
failf(conn->data, "user + domain + host name too big");
1247
return CURLE_OUT_OF_MEMORY;
1250
DEBUGASSERT(size == domoff);
1252
unicodecpy(&ntlmbuf[size], domain, domlen/2);
1254
memcpy(&ntlmbuf[size], domain, domlen);
1258
DEBUGASSERT(size == useroff);
1260
unicodecpy(&ntlmbuf[size], user, userlen/2);
1262
memcpy(&ntlmbuf[size], user, userlen);
1266
DEBUGASSERT(size == hostoff);
1268
unicodecpy(&ntlmbuf[size], host, hostlen/2);
1270
memcpy(&ntlmbuf[size], host, hostlen);
1274
/* convert domain, user, and host to ASCII but leave the rest as-is */
1275
res = Curl_convert_to_network(conn->data, (char *)&ntlmbuf[domoff],
1278
return CURLE_CONV_FAILED;
1282
/* convert the binary blob into base64 */
1283
size = Curl_base64_encode(NULL, (char *)ntlmbuf, size, &base64);
1286
Curl_safefree(*allocuserpwd);
1287
*allocuserpwd = aprintf("%sAuthorization: NTLM %s\r\n",
1290
DEBUG_OUT(fprintf(stderr, "**** %s\n ", *allocuserpwd));
1294
return CURLE_OUT_OF_MEMORY; /* FIX TODO */
1296
ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
1301
case NTLMSTATE_TYPE3:
1302
/* connection is already authenticated,
1303
* don't send a header in future requests */
1305
free(*allocuserpwd);
1317
Curl_ntlm_cleanup(struct connectdata *conn)
1319
#ifdef USE_WINDOWS_SSPI
1320
ntlm_sspi_cleanup(&conn->ntlm);
1321
ntlm_sspi_cleanup(&conn->proxyntlm);
1328
#endif /* USE_NTLM */
1329
#endif /* !CURL_DISABLE_HTTP */