* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
*
***************************************************************************/
-#include "setup.h"
+#include "curl_setup.h"
#ifdef USE_NTLM
#define DEBUG_ME 0
-#ifdef USE_SSLEAY
-
-# ifdef USE_OPENSSL
-# include <openssl/des.h>
-# ifndef OPENSSL_NO_MD4
-# include <openssl/md4.h>
-# endif
-# include <openssl/md5.h>
-# include <openssl/ssl.h>
-# include <openssl/rand.h>
-# else
-# include <des.h>
-# ifndef OPENSSL_NO_MD4
-# include <md4.h>
-# endif
-# include <md5.h>
-# include <ssl.h>
-# include <rand.h>
-# endif
-# include "ssluse.h"
-
-#elif defined(USE_GNUTLS)
-
-# include <gcrypt.h>
-# include "gtls.h"
-# define MD5_DIGEST_LENGTH 16
-# define MD4_DIGEST_LENGTH 16
-
-#elif defined(USE_NSS)
-
-# include <nss.h>
-# include <pk11pub.h>
-# include <hasht.h>
-# include "nssg.h"
-# include "curl_md4.h"
-# define MD5_DIGEST_LENGTH MD5_LENGTH
-
-#elif defined(USE_WINDOWS_SSPI)
-# include "curl_sspi.h"
-#else
-# error "Can't compile NTLM support without a crypto library."
-#endif
-
#include "urldata.h"
#include "non-ascii.h"
#include "sendf.h"
#include "curl_base64.h"
#include "curl_ntlm_core.h"
#include "curl_gethostname.h"
+#include "curl_multibyte.h"
+#include "warnless.h"
#include "curl_memory.h"
+#ifdef USE_WINDOWS_SSPI
+# include "curl_sspi.h"
+#endif
+
+#include "vtls/vtls.h"
+
#define BUILDING_CURL_NTLM_MSGS_C
#include "curl_ntlm_msgs.h"
return ((unsigned int)buf[0]) | ((unsigned int)buf[1] << 8) |
((unsigned int)buf[2] << 16) | ((unsigned int)buf[3] << 24);
}
+
+/*
+ * This function converts from the little endian format used in the incoming
+ * package to whatever endian format we're using natively. Argument is a
+ * pointer to a 2 byte buffer.
+ */
+static unsigned int readshort_le(unsigned char *buf)
+{
+ return ((unsigned int)buf[0]) | ((unsigned int)buf[1] << 8);
+}
+
+/*
+ * Curl_ntlm_decode_type2_target()
+ *
+ * This is used to decode the "target info" in the ntlm type-2 message
+ * received.
+ *
+ * Parameters:
+ *
+ * data [in] - Pointer to the session handle
+ * buffer [in] - The decoded base64 ntlm header of Type 2
+ * size [in] - The input buffer size, atleast 32 bytes
+ * ntlm [in] - Pointer to ntlm data struct being used and modified.
+ *
+ * Returns CURLE_OK on success.
+ */
+CURLcode Curl_ntlm_decode_type2_target(struct SessionHandle *data,
+ unsigned char *buffer,
+ size_t size,
+ struct ntlmdata *ntlm)
+{
+ unsigned int target_info_len = 0;
+ unsigned int target_info_offset = 0;
+
+ Curl_safefree(ntlm->target_info);
+ ntlm->target_info_len = 0;
+
+ if(size >= 48) {
+ target_info_len = readshort_le(&buffer[40]);
+ target_info_offset = readint_le(&buffer[44]);
+ if(target_info_len > 0) {
+ if(((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_REMOTE_ACCESS_DENIED;
+ }
+
+ ntlm->target_info = malloc(target_info_len);
+ if(!ntlm->target_info)
+ return CURLE_OUT_OF_MEMORY;
+
+ memcpy(ntlm->target_info, &buffer[target_info_offset], target_info_len);
+ ntlm->target_info_len = target_info_len;
+
+ }
+
+ }
+
+ return CURLE_OK;
+}
+
#endif
/*
/*
* Curl_ntlm_decode_type2_message()
*
- * This is used to decode a ntlm type-2 message received from a: HTTP, SMTP
- * or POP3 server. The message is first decoded from a base64 string into a
- * raw ntlm message and checked for validity before the appropriate data for
- * creating a type-3 message is written to the given ntlm data structure.
+ * This is used to decode a ntlm type-2 message received from a HTTP or SASL
+ * based (such as SMTP, POP3 or IMAP) server. The message is first decoded
+ * from a base64 string into a raw ntlm message and checked for validity
+ * before the appropriate data for creating a type-3 message is written to
+ * the given ntlm data structure.
*
* Parameters:
*
* Returns CURLE_OK on success.
*/
CURLcode Curl_ntlm_decode_type2_message(struct SessionHandle *data,
- const char* header,
- struct ntlmdata* ntlm)
+ const char *header,
+ struct ntlmdata *ntlm)
{
#ifndef USE_WINDOWS_SSPI
static const char type2_marker[] = { 0x02, 0x00, 0x00, 0x00 };
free(buffer);
return CURLE_OUT_OF_MEMORY;
}
- ntlm->n_type_2 = (unsigned long)size;
+ ntlm->n_type_2 = curlx_uztoul(size);
memcpy(ntlm->type_2, buffer, size);
#else
ntlm->flags = 0;
ntlm->flags = readint_le(&buffer[20]);
memcpy(ntlm->nonce, &buffer[24], 8);
+ if(ntlm->flags & NTLMFLAG_NEGOTIATE_TARGET_INFO) {
+ error = Curl_ntlm_decode_type2_target(data, buffer, size, ntlm);
+ if(error) {
+ free(buffer);
+ infof(data, "NTLM handshake failure (bad type-2 message)\n");
+ return error;
+ }
+ }
+
DEBUG_OUT({
fprintf(stderr, "**** TYPE2 header flags=0x%08.8lx ", ntlm->flags);
ntlm_print_flags(stderr, ntlm->flags);
#ifdef USE_WINDOWS_SSPI
void Curl_ntlm_sspi_cleanup(struct ntlmdata *ntlm)
{
- if(ntlm->type_2) {
- free(ntlm->type_2);
- ntlm->type_2 = NULL;
- }
+ Curl_safefree(ntlm->type_2);
+
if(ntlm->has_handles) {
s_pSecFn->DeleteSecurityContext(&ntlm->c_handle);
s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
ntlm->has_handles = 0;
}
- if(ntlm->p_identity) {
- if(ntlm->identity.User) free(ntlm->identity.User);
- if(ntlm->identity.Password) free(ntlm->identity.Password);
- if(ntlm->identity.Domain) free(ntlm->identity.Domain);
- ntlm->p_identity = NULL;
- }
+
+ Curl_sspi_free_identity(ntlm->p_identity);
+ ntlm->p_identity = NULL;
}
#endif
#ifndef USE_WINDOWS_SSPI
/* copy the source to the destination and fill in zeroes in every
other destination byte! */
-static void unicodecpy(unsigned char *dest,
- const char *src, size_t length)
+static void unicodecpy(unsigned char *dest, const char *src, size_t length)
{
size_t i;
for(i = 0; i < length; i++) {
/*
* Curl_ntlm_create_type1_message()
*
- * This is used to generate an already encoded NTLM type-1 message ready
- * for sending to the recipient, be it a: HTTP, SMTP or POP3 server,
- * using the appropriate compile time crypo API.
+ * This is used to generate an already encoded NTLM type-1 message ready for
+ * sending to the recipient, be it a HTTP or SASL based (such as SMTP, POP3
+ * or IMAP) server, using the appropriate compile time crypo API.
*
* Parameters:
*
* userp [in] - The user name in the format User or Domain\User.
* passdwp [in] - The user's password.
* ntlm [in/out] - The ntlm data struct being used and modified.
- * outptr [in/out] - The adress where a pointer to newly allocated memory
+ * outptr [in/out] - The address where a pointer to newly allocated memory
* holding the result will be stored upon completion.
* outlen [out] - The length of the output message.
*
#ifdef USE_WINDOWS_SSPI
- SecBuffer buf;
- SecBufferDesc desc;
+ SecBuffer type_1_buf;
+ SecBufferDesc type_1_desc;
SECURITY_STATUS status;
- ULONG attrs;
- const char *dest = "";
- const char *user;
- const char *domain = "";
- size_t userlen = 0;
- size_t domlen = 0;
- size_t passwdlen = 0;
+ unsigned long attrs;
TimeStamp tsDummy; /* For Windows 9x compatibility of SSPI calls */
Curl_ntlm_sspi_cleanup(ntlm);
- user = strchr(userp, '\\');
- if(!user)
- user = strchr(userp, '/');
-
- if(user) {
- domain = userp;
- domlen = user - userp;
- user++;
- }
- else {
- user = userp;
- domain = "";
- domlen = 0;
- }
-
- if(user)
- userlen = strlen(user);
+ if(userp && *userp) {
+ CURLcode result;
- if(passwdp)
- passwdlen = strlen(passwdp);
+ /* Populate our identity structure */
+ result = Curl_create_sspi_identity(userp, passwdp, &ntlm->identity);
+ if(result)
+ return result;
- if(userlen > 0) {
- /* note: initialize all of this before doing the mallocs so that
- * it can be cleaned up later without leaking memory.
- */
+ /* Allow proper cleanup of the identity structure */
ntlm->p_identity = &ntlm->identity;
- memset(ntlm->p_identity, 0, sizeof(*ntlm->p_identity));
- if((ntlm->identity.User = (unsigned char *)strdup(user)) == NULL)
- return CURLE_OUT_OF_MEMORY;
-
- ntlm->identity.UserLength = (unsigned long)userlen;
- if((ntlm->identity.Password = (unsigned char *)strdup(passwdp)) == NULL)
- return CURLE_OUT_OF_MEMORY;
-
- ntlm->identity.PasswordLength = (unsigned long)strlen(passwdp);
- if((ntlm->identity.Domain = malloc(domlen + 1)) == NULL)
- return CURLE_OUT_OF_MEMORY;
-
- strncpy((char *)ntlm->identity.Domain, domain, domlen);
- ntlm->identity.Domain[domlen] = '\0';
- ntlm->identity.DomainLength = (unsigned long)domlen;
- ntlm->identity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
}
else
+ /* Use the current Windows user */
ntlm->p_identity = NULL;
- status = s_pSecFn->AcquireCredentialsHandleA(NULL, (void *)"NTLM",
- SECPKG_CRED_OUTBOUND, NULL,
- ntlm->p_identity, NULL, NULL,
- &ntlm->handle, &tsDummy);
+ /* Acquire our credientials handle */
+ status = s_pSecFn->AcquireCredentialsHandle(NULL,
+ (TCHAR *) TEXT("NTLM"),
+ SECPKG_CRED_OUTBOUND, NULL,
+ ntlm->p_identity, NULL, NULL,
+ &ntlm->handle, &tsDummy);
if(status != SEC_E_OK)
return CURLE_OUT_OF_MEMORY;
- desc.ulVersion = SECBUFFER_VERSION;
- desc.cBuffers = 1;
- desc.pBuffers = &buf;
- buf.cbBuffer = NTLM_BUFSIZE;
- buf.BufferType = SECBUFFER_TOKEN;
- buf.pvBuffer = ntlmbuf;
-
- status = s_pSecFn->InitializeSecurityContextA(&ntlm->handle, NULL,
- (void *)dest,
- ISC_REQ_CONFIDENTIALITY |
- ISC_REQ_REPLAY_DETECT |
- ISC_REQ_CONNECTION,
- 0, SECURITY_NETWORK_DREP,
- NULL, 0,
- &ntlm->c_handle, &desc,
- &attrs, &tsDummy);
+ /* Setup the type-1 "output" security buffer */
+ type_1_desc.ulVersion = SECBUFFER_VERSION;
+ type_1_desc.cBuffers = 1;
+ type_1_desc.pBuffers = &type_1_buf;
+ type_1_buf.cbBuffer = NTLM_BUFSIZE;
+ type_1_buf.BufferType = SECBUFFER_TOKEN;
+ type_1_buf.pvBuffer = ntlmbuf;
+
+ /* Generate our type-1 message */
+ status = s_pSecFn->InitializeSecurityContext(&ntlm->handle, NULL,
+ (TCHAR *) TEXT(""),
+ ISC_REQ_CONFIDENTIALITY |
+ ISC_REQ_REPLAY_DETECT |
+ ISC_REQ_CONNECTION,
+ 0, SECURITY_NETWORK_DREP,
+ NULL, 0,
+ &ntlm->c_handle, &type_1_desc,
+ &attrs, &tsDummy);
if(status == SEC_I_COMPLETE_AND_CONTINUE ||
status == SEC_I_CONTINUE_NEEDED)
- s_pSecFn->CompleteAuthToken(&ntlm->c_handle, &desc);
+ s_pSecFn->CompleteAuthToken(&ntlm->c_handle, &type_1_desc);
else if(status != SEC_E_OK) {
s_pSecFn->FreeCredentialsHandle(&ntlm->handle);
return CURLE_RECV_ERROR;
}
ntlm->has_handles = 1;
- size = buf.cbBuffer;
+ size = type_1_buf.cbBuffer;
#else
/*
* Curl_ntlm_create_type3_message()
*
- * This is used to generate an already encoded NTLM type-3 message ready
- * for sending to the recipient, be it a: HTTP, SMTP or POP3 server,
- * using the appropriate compile time crypo API.
+ * This is used to generate an already encoded NTLM type-3 message ready for
+ * sending to the recipient, be it a HTTP or SASL based (such as SMTP, POP3
+ * or IMAP) server, using the appropriate compile time crypo API.
*
* Parameters:
*
* userp [in] - The user name in the format User or Domain\User.
* passdwp [in] - The user's password.
* ntlm [in/out] - The ntlm data struct being used and modified.
- * outptr [in/out] - The adress where a pointer to newly allocated memory
+ * outptr [in/out] - The address where a pointer to newly allocated memory
* holding the result will be stored upon completion.
* outlen [out] - The length of the output message.
*
size_t size;
#ifdef USE_WINDOWS_SSPI
- const char *dest = "";
- SecBuffer type_2;
- SecBuffer type_3;
+ SecBuffer type_2_buf;
+ SecBuffer type_3_buf;
SecBufferDesc type_2_desc;
SecBufferDesc type_3_desc;
SECURITY_STATUS status;
- ULONG attrs;
+ unsigned long attrs;
TimeStamp tsDummy; /* For Windows 9x compatibility of SSPI calls */
(void)passwdp;
(void)userp;
(void)data;
- type_2_desc.ulVersion = type_3_desc.ulVersion = SECBUFFER_VERSION;
- type_2_desc.cBuffers = type_3_desc.cBuffers = 1;
- type_2_desc.pBuffers = &type_2;
- type_3_desc.pBuffers = &type_3;
-
- type_2.BufferType = SECBUFFER_TOKEN;
- type_2.pvBuffer = ntlm->type_2;
- type_2.cbBuffer = ntlm->n_type_2;
- type_3.BufferType = SECBUFFER_TOKEN;
- type_3.pvBuffer = ntlmbuf;
- type_3.cbBuffer = NTLM_BUFSIZE;
-
- status = s_pSecFn->InitializeSecurityContextA(&ntlm->handle,
- &ntlm->c_handle,
- (void *)dest,
- ISC_REQ_CONFIDENTIALITY |
- ISC_REQ_REPLAY_DETECT |
- ISC_REQ_CONNECTION,
- 0, SECURITY_NETWORK_DREP,
- &type_2_desc,
- 0, &ntlm->c_handle,
- &type_3_desc,
- &attrs, &tsDummy);
+ /* Setup the type-2 "input" security buffer */
+ type_2_desc.ulVersion = SECBUFFER_VERSION;
+ type_2_desc.cBuffers = 1;
+ type_2_desc.pBuffers = &type_2_buf;
+ type_2_buf.BufferType = SECBUFFER_TOKEN;
+ type_2_buf.pvBuffer = ntlm->type_2;
+ type_2_buf.cbBuffer = ntlm->n_type_2;
+
+ /* Setup the type-3 "output" security buffer */
+ type_3_desc.ulVersion = SECBUFFER_VERSION;
+ type_3_desc.cBuffers = 1;
+ type_3_desc.pBuffers = &type_3_buf;
+ type_3_buf.BufferType = SECBUFFER_TOKEN;
+ type_3_buf.pvBuffer = ntlmbuf;
+ type_3_buf.cbBuffer = NTLM_BUFSIZE;
+
+ /* Generate our type-3 message */
+ status = s_pSecFn->InitializeSecurityContext(&ntlm->handle,
+ &ntlm->c_handle,
+ (TCHAR *) TEXT(""),
+ ISC_REQ_CONFIDENTIALITY |
+ ISC_REQ_REPLAY_DETECT |
+ ISC_REQ_CONNECTION,
+ 0, SECURITY_NETWORK_DREP,
+ &type_2_desc,
+ 0, &ntlm->c_handle,
+ &type_3_desc,
+ &attrs, &tsDummy);
if(status != SEC_E_OK)
return CURLE_RECV_ERROR;
- size = type_3.cbBuffer;
+ size = type_3_buf.cbBuffer;
Curl_ntlm_sspi_cleanup(ntlm);
unsigned char lmresp[24]; /* fixed-size */
#if USE_NTRESPONSES
int ntrespoff;
+ unsigned int ntresplen = 24;
unsigned char ntresp[24]; /* fixed-size */
+ unsigned char *ptr_ntresp = &ntresp[0];
+ unsigned char *ntlmv2resp = NULL;
#endif
bool unicode = (ntlm->flags & NTLMFLAG_NEGOTIATE_UNICODE) ? TRUE : FALSE;
char host[HOSTNAME_MAX + 1] = "";
size_t hostlen = 0;
size_t userlen = 0;
size_t domlen = 0;
- CURLcode res;
+ CURLcode res = CURLE_OK;
user = strchr(userp, '\\');
if(!user)
/* Get the machine's un-qualified host name as NTLM doesn't like the fully
qualified domain name */
if(Curl_gethostname(host, sizeof(host))) {
- infof(data, "gethostname() failed, continuing without!");
+ infof(data, "gethostname() failed, continuing without!\n");
hostlen = 0;
}
else {
hostlen = strlen(host);
}
- if(unicode) {
- domlen = domlen * 2;
- userlen = userlen * 2;
- hostlen = hostlen * 2;
+#if USE_NTRESPONSES
+ if(ntlm->target_info_len) {
+ unsigned char ntbuffer[0x18];
+ unsigned int entropy[2];
+ unsigned char ntlmv2hash[0x18];
+
+ entropy[0] = Curl_rand(data);
+ entropy[1] = Curl_rand(data);
+
+ res = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
+ if(res)
+ return res;
+
+ res = Curl_ntlm_core_mk_ntlmv2_hash(user, userlen, domain, domlen,
+ ntbuffer, ntlmv2hash);
+ if(res)
+ return res;
+
+ /* LMv2 response */
+ res = Curl_ntlm_core_mk_lmv2_resp(ntlmv2hash,
+ (unsigned char *)&entropy[0],
+ &ntlm->nonce[0], lmresp);
+ if(res)
+ return res;
+
+ /* NTLMv2 response */
+ res = Curl_ntlm_core_mk_ntlmv2_resp(ntlmv2hash,
+ (unsigned char *)&entropy[0],
+ ntlm, &ntlmv2resp, &ntresplen);
+ if(res)
+ return res;
+
+ ptr_ntresp = ntlmv2resp;
}
+ else
+#endif
#if USE_NTLM2SESSION
/* We don't support NTLM2 if we don't have USE_NTRESPONSES */
unsigned char ntbuffer[0x18];
unsigned char tmp[0x18];
unsigned char md5sum[MD5_DIGEST_LENGTH];
- unsigned char entropy[8];
+ unsigned int entropy[2];
/* Need to create 8 bytes random data */
-#ifdef USE_SSLEAY
- MD5_CTX MD5pw;
- Curl_ossl_seed(data); /* Initiate the seed if not already done */
- RAND_bytes(entropy, 8);
-#elif defined(USE_GNUTLS)
- gcry_md_hd_t MD5pw;
- Curl_gtls_seed(data); /* Initiate the seed if not already done */
- gcry_randomize(entropy, 8, GCRY_STRONG_RANDOM);
-#elif defined(USE_NSS)
- PK11Context *MD5pw;
- unsigned int outlen;
- Curl_nss_seed(data); /* Initiate the seed if not already done */
- PK11_GenerateRandom(entropy, 8);
-#endif
+ entropy[0] = Curl_rand(data);
+ entropy[1] = Curl_rand(data);
/* 8 bytes random data as challenge in lmresp */
memcpy(lmresp, entropy, 8);
memcpy(tmp, &ntlm->nonce[0], 8);
memcpy(tmp + 8, entropy, 8);
-#ifdef USE_SSLEAY
- MD5_Init(&MD5pw);
- MD5_Update(&MD5pw, tmp, 16);
- MD5_Final(md5sum, &MD5pw);
-#elif defined(USE_GNUTLS)
- gcry_md_open(&MD5pw, GCRY_MD_MD5, 0);
- gcry_md_write(MD5pw, tmp, MD5_DIGEST_LENGTH);
- memcpy(md5sum, gcry_md_read (MD5pw, 0), MD5_DIGEST_LENGTH);
- gcry_md_close(MD5pw);
-#elif defined(USE_NSS)
- MD5pw = PK11_CreateDigestContext(SEC_OID_MD5);
- PK11_DigestOp(MD5pw, tmp, 16);
- PK11_DigestFinal(MD5pw, md5sum, &outlen, MD5_DIGEST_LENGTH);
- PK11_DestroyContext(MD5pw, PR_TRUE);
-#endif
+ Curl_ssl_md5sum(tmp, 16, md5sum, MD5_DIGEST_LENGTH);
/* We shall only use the first 8 bytes of md5sum, but the des
code in Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
if(CURLE_OUT_OF_MEMORY ==
Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer))
return CURLE_OUT_OF_MEMORY;
+
Curl_ntlm_core_lm_resp(ntbuffer, md5sum, ntresp);
/* End of NTLM2 Session code */
+
}
else
#endif
* See http://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */
}
+ if(unicode) {
+ domlen = domlen * 2;
+ userlen = userlen * 2;
+ hostlen = hostlen * 2;
+ }
+
lmrespoff = 64; /* size of the message header */
#if USE_NTRESPONSES
ntrespoff = lmrespoff + 0x18;
- domoff = ntrespoff + 0x18;
+ domoff = ntrespoff + ntresplen;
#else
domoff = lmrespoff + 0x18;
#endif
0x0, 0x0,
#if USE_NTRESPONSES
- SHORTPAIR(0x18), /* NT-response length, twice */
- SHORTPAIR(0x18),
+ SHORTPAIR(ntresplen), /* NT-response length, twice */
+ SHORTPAIR(ntresplen),
SHORTPAIR(ntrespoff),
0x0, 0x0,
#else
});
#if USE_NTRESPONSES
- if(size < (NTLM_BUFSIZE - 0x18)) {
+ if(size < (NTLM_BUFSIZE - ntresplen)) {
DEBUGASSERT(size == (size_t)ntrespoff);
- memcpy(&ntlmbuf[size], ntresp, 0x18);
- size += 0x18;
+ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+ size += ntresplen;
}
DEBUG_OUT({
fprintf(stderr, "\n ntresp=");
- ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], 0x18);
+ ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
});
+ Curl_safefree(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
+
#endif
DEBUG_OUT({
projects / platform / upstream / curl.git / blobdiff