diff options
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/ntlm.c | 334 |
1 files changed, 334 insertions, 0 deletions
diff --git a/src/crypto/ntlm.c b/src/crypto/ntlm.c new file mode 100644 index 00000000..870af213 --- /dev/null +++ b/src/crypto/ntlm.c @@ -0,0 +1,334 @@ +/* + * Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +/** @file + * + * NT LAN Manager (NTLM) authentication + * + */ + +#include <stdlib.h> +#include <string.h> +#include <ctype.h> +#include <errno.h> +#include <byteswap.h> +#include <ipxe/md4.h> +#include <ipxe/md5.h> +#include <ipxe/hmac.h> +#include <ipxe/ntlm.h> + +/** Negotiate message + * + * This message content is fixed since there is no need to specify the + * calling workstation name or domain name, and the set of flags is + * mandated by the MS-NLMP specification. + */ +const struct ntlm_negotiate ntlm_negotiate = { + .header = { + .magic = NTLM_MAGIC, + .type = cpu_to_le32 ( NTLM_NEGOTIATE ), + }, + .flags = cpu_to_le32 ( NTLM_NEGOTIATE_EXTENDED_SESSIONSECURITY | + NTLM_NEGOTIATE_ALWAYS_SIGN | + NTLM_NEGOTIATE_NTLM | + NTLM_REQUEST_TARGET | + NTLM_NEGOTIATE_UNICODE ), +}; + +/** + * Parse NTLM Challenge + * + * @v challenge Challenge message + * @v len Length of Challenge message + * @v info Challenge information to fill in + * @ret rc Return status code + */ +int ntlm_challenge ( struct ntlm_challenge *challenge, size_t len, + struct ntlm_challenge_info *info ) { + size_t offset; + + DBGC ( challenge, "NTLM challenge message:\n" ); + DBGC_HDA ( challenge, 0, challenge, len ); + + /* Sanity checks */ + if ( len < sizeof ( *challenge ) ) { + DBGC ( challenge, "NTLM underlength challenge (%zd bytes)\n", + len ); + return -EINVAL; + } + + /* Extract nonce */ + info->nonce = &challenge->nonce; + DBGC ( challenge, "NTLM challenge nonce:\n" ); + DBGC_HDA ( challenge, 0, info->nonce, sizeof ( *info->nonce ) ); + + /* Extract target information */ + info->len = le16_to_cpu ( challenge->info.len ); + offset = le32_to_cpu ( challenge->info.offset ); + if ( ( offset > len ) || + ( info->len > ( len - offset ) ) ) { + DBGC ( challenge, "NTLM target information outside " + "challenge\n" ); + DBGC_HDA ( challenge, 0, challenge, len ); + return -EINVAL; + } + info->target = ( ( ( void * ) challenge ) + offset ); + DBGC ( challenge, "NTLM challenge target information:\n" ); + DBGC_HDA ( challenge, 0, info->target, info->len ); + + return 0; +} + +/** + * Calculate NTLM verification key + * + * @v domain Domain name (or NULL) + * @v username User name (or NULL) + * @v password Password (or NULL) + * @v key Key to fill in + * + * This is the NTOWFv2() function as defined in MS-NLMP. + */ +void ntlm_key ( const char *domain, const char *username, + const char *password, struct ntlm_key *key ) { + struct digest_algorithm *md4 = &md4_algorithm; + struct digest_algorithm *md5 = &md5_algorithm; + union { + uint8_t md4[MD4_CTX_SIZE]; + uint8_t md5[MD5_CTX_SIZE]; + } ctx; + uint8_t digest[MD4_DIGEST_SIZE]; + size_t digest_len; + uint8_t c; + uint16_t wc; + + /* Use empty usernames/passwords if not specified */ + if ( ! domain ) + domain = ""; + if ( ! username ) + username = ""; + if ( ! password ) + password = ""; + + /* Construct MD4 digest of (Unicode) password */ + digest_init ( md4, ctx.md4 ); + while ( ( c = *(password++) ) ) { + wc = cpu_to_le16 ( c ); + digest_update ( md4, ctx.md4, &wc, sizeof ( wc ) ); + } + digest_final ( md4, ctx.md4, digest ); + + /* Construct HMAC-MD5 of (Unicode) upper-case username */ + digest_len = sizeof ( digest ); + hmac_init ( md5, ctx.md5, digest, &digest_len ); + while ( ( c = *(username++) ) ) { + wc = cpu_to_le16 ( toupper ( c ) ); + hmac_update ( md5, ctx.md5, &wc, sizeof ( wc ) ); + } + while ( ( c = *(domain++) ) ) { + wc = cpu_to_le16 ( c ); + hmac_update ( md5, ctx.md5, &wc, sizeof ( wc ) ); + } + hmac_final ( md5, ctx.md5, digest, &digest_len, key->raw ); + DBGC ( key, "NTLM key:\n" ); + DBGC_HDA ( key, 0, key, sizeof ( *key ) ); +} + +/** + * Construct NTLM responses + * + * @v info Challenge information + * @v key Verification key + * @v nonce Nonce, or NULL to use a random nonce + * @v lm LAN Manager response to fill in + * @v nt NT response to fill in + */ +void ntlm_response ( struct ntlm_challenge_info *info, struct ntlm_key *key, + struct ntlm_nonce *nonce, struct ntlm_lm_response *lm, + struct ntlm_nt_response *nt ) { + struct digest_algorithm *md5 = &md5_algorithm; + struct ntlm_nonce tmp_nonce; + uint8_t ctx[MD5_CTX_SIZE]; + size_t key_len = sizeof ( *key ); + unsigned int i; + + /* Generate random nonce, if needed */ + if ( ! nonce ) { + for ( i = 0 ; i < sizeof ( tmp_nonce ) ; i++ ) + tmp_nonce.raw[i] = random(); + nonce = &tmp_nonce; + } + + /* Construct LAN Manager response */ + memcpy ( &lm->nonce, nonce, sizeof ( lm->nonce ) ); + hmac_init ( md5, ctx, key->raw, &key_len ); + hmac_update ( md5, ctx, info->nonce, sizeof ( *info->nonce ) ); + hmac_update ( md5, ctx, &lm->nonce, sizeof ( lm->nonce ) ); + hmac_final ( md5, ctx, key->raw, &key_len, lm->digest ); + DBGC ( key, "NTLM LAN Manager response:\n" ); + DBGC_HDA ( key, 0, lm, sizeof ( *lm ) ); + + /* Construct NT response */ + memset ( nt, 0, sizeof ( *nt ) ); + nt->version = NTLM_VERSION_NTLMV2; + nt->high = NTLM_VERSION_NTLMV2; + memcpy ( &nt->nonce, nonce, sizeof ( nt->nonce ) ); + hmac_init ( md5, ctx, key->raw, &key_len ); + hmac_update ( md5, ctx, info->nonce, sizeof ( *info->nonce ) ); + hmac_update ( md5, ctx, &nt->version, + ( sizeof ( *nt ) - + offsetof ( typeof ( *nt ), version ) ) ); + hmac_update ( md5, ctx, info->target, info->len ); + hmac_update ( md5, ctx, &nt->zero, sizeof ( nt->zero ) ); + hmac_final ( md5, ctx, key->raw, &key_len, nt->digest ); + DBGC ( key, "NTLM NT response prefix:\n" ); + DBGC_HDA ( key, 0, nt, sizeof ( *nt ) ); +} + +/** + * Append data to NTLM message + * + * @v header Message header, or NULL to only calculate next payload + * @v data Data descriptor + * @v payload Data payload + * @v len Length of data + * @ret payload Next data payload + */ +static void * ntlm_append ( struct ntlm_header *header, struct ntlm_data *data, + void *payload, size_t len ) { + + /* Populate data descriptor */ + if ( header ) { + data->offset = cpu_to_le32 ( payload - ( ( void * ) header ) ); + data->len = data->max_len = cpu_to_le16 ( len ); + } + + return ( payload + len ); +} + +/** + * Append Unicode string data to NTLM message + * + * @v header Message header, or NULL to only calculate next payload + * @v data Data descriptor + * @v payload Data payload + * @v string String to append, or NULL + * @ret payload Next data payload + */ +static void * ntlm_append_string ( struct ntlm_header *header, + struct ntlm_data *data, void *payload, + const char *string ) { + uint16_t *tmp = payload; + uint8_t c; + + /* Convert string to Unicode */ + for ( tmp = payload ; ( string && ( c = *(string++) ) ) ; tmp++ ) { + if ( header ) + *tmp = cpu_to_le16 ( c ); + } + + /* Append string data */ + return ntlm_append ( header, data, payload, + ( ( ( void * ) tmp ) - payload ) ); +} + +/** + * Construct NTLM Authenticate message + * + * @v info Challenge information + * @v domain Domain name, or NULL + * @v username User name, or NULL + * @v workstation Workstation name, or NULL + * @v lm LAN Manager response + * @v nt NT response + * @v auth Message to fill in, or NULL to only calculate length + * @ret len Length of message + */ +size_t ntlm_authenticate ( struct ntlm_challenge_info *info, const char *domain, + const char *username, const char *workstation, + struct ntlm_lm_response *lm, + struct ntlm_nt_response *nt, + struct ntlm_authenticate *auth ) { + void *tmp; + size_t nt_len; + size_t len; + + /* Construct response header */ + if ( auth ) { + memset ( auth, 0, sizeof ( *auth ) ); + memcpy ( auth->header.magic, ntlm_negotiate.header.magic, + sizeof ( auth->header.magic ) ); + auth->header.type = cpu_to_le32 ( NTLM_AUTHENTICATE ); + auth->flags = ntlm_negotiate.flags; + } + tmp = ( ( ( void * ) auth ) + sizeof ( *auth ) ); + + /* Construct LAN Manager response */ + if ( auth ) + memcpy ( tmp, lm, sizeof ( *lm ) ); + tmp = ntlm_append ( &auth->header, &auth->lm, tmp, sizeof ( *lm ) ); + + /* Construct NT response */ + nt_len = ( sizeof ( *nt ) + info->len + sizeof ( nt->zero ) ); + if ( auth ) { + memcpy ( tmp, nt, sizeof ( *nt ) ); + memcpy ( ( tmp + sizeof ( *nt ) ), info->target, info->len ); + memset ( ( tmp + sizeof ( *nt ) + info->len ), 0, + sizeof ( nt->zero ) ); + } + tmp = ntlm_append ( &auth->header, &auth->nt, tmp, nt_len ); + + /* Populate domain, user, and workstation names */ + tmp = ntlm_append_string ( &auth->header, &auth->domain, tmp, domain ); + tmp = ntlm_append_string ( &auth->header, &auth->user, tmp, username ); + tmp = ntlm_append_string ( &auth->header, &auth->workstation, tmp, + workstation ); + + /* Calculate length */ + len = ( tmp - ( ( void * ) auth ) ); + if ( auth ) { + DBGC ( auth, "NTLM authenticate message:\n" ); + DBGC_HDA ( auth, 0, auth, len ); + } + + return len; +} + +/** + * Calculate NTLM Authenticate message length + * + * @v info Challenge information + * @v domain Domain name, or NULL + * @v username User name, or NULL + * @v workstation Workstation name, or NULL + * @ret len Length of Authenticate message + */ +size_t ntlm_authenticate_len ( struct ntlm_challenge_info *info, + const char *domain, const char *username, + const char *workstation ) { + + return ntlm_authenticate ( info, domain, username, workstation, + NULL, NULL, NULL ); +} |