/* * Copyright (C) 2017 Michael Brown . * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; either version 2 of the * License, or any later version. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA * 02110-1301, USA. * * You can also choose to distribute this program under the terms of * the Unmodified Binary Distribution Licence (as given in the file * COPYING.UBDL), provided that you have satisfied its requirements. */ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); /** @file * * NT LAN Manager (NTLM) authentication * */ #include #include #include #include #include #include #include #include #include /** Negotiate message * * This message content is fixed since there is no need to specify the * calling workstation name or domain name, and the set of flags is * mandated by the MS-NLMP specification. */ const struct ntlm_negotiate ntlm_negotiate = { .header = { .magic = NTLM_MAGIC, .type = cpu_to_le32 ( NTLM_NEGOTIATE ), }, .flags = cpu_to_le32 ( NTLM_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLM_NEGOTIATE_ALWAYS_SIGN | NTLM_NEGOTIATE_NTLM | NTLM_REQUEST_TARGET | NTLM_NEGOTIATE_UNICODE ), }; /** * Parse NTLM Challenge * * @v challenge Challenge message * @v len Length of Challenge message * @v info Challenge information to fill in * @ret rc Return status code */ int ntlm_challenge ( struct ntlm_challenge *challenge, size_t len, struct ntlm_challenge_info *info ) { size_t offset; DBGC ( challenge, "NTLM challenge message:\n" ); DBGC_HDA ( challenge, 0, challenge, len ); /* Sanity checks */ if ( len < sizeof ( *challenge ) ) { DBGC ( challenge, "NTLM underlength challenge (%zd bytes)\n", len ); return -EINVAL; } /* Extract nonce */ info->nonce = &challenge->nonce; DBGC ( challenge, "NTLM challenge nonce:\n" ); DBGC_HDA ( challenge, 0, info->nonce, sizeof ( *info->nonce ) ); /* Extract target information */ info->len = le16_to_cpu ( challenge->info.len ); offset = le32_to_cpu ( challenge->info.offset ); if ( ( offset > len ) || ( info->len > ( len - offset ) ) ) { DBGC ( challenge, "NTLM target information outside " "challenge\n" ); DBGC_HDA ( challenge, 0, challenge, len ); return -EINVAL; } info->target = ( ( ( void * ) challenge ) + offset ); DBGC ( challenge, "NTLM challenge target information:\n" ); DBGC_HDA ( challenge, 0, info->target, info->len ); return 0; } /** * Calculate NTLM verification key * * @v domain Domain name (or NULL) * @v username User name (or NULL) * @v password Password (or NULL) * @v key Key to fill in * * This is the NTOWFv2() function as defined in MS-NLMP. */ void ntlm_key ( const char *domain, const char *username, const char *password, struct ntlm_key *key ) { struct digest_algorithm *md4 = &md4_algorithm; struct digest_algorithm *md5 = &md5_algorithm; union { uint8_t md4[MD4_CTX_SIZE]; uint8_t md5[MD5_CTX_SIZE]; } ctx; uint8_t digest[MD4_DIGEST_SIZE]; size_t digest_len; uint8_t c; uint16_t wc; /* Use empty usernames/passwords if not specified */ if ( ! domain ) domain = ""; if ( ! username ) username = ""; if ( ! password ) password = ""; /* Construct MD4 digest of (Unicode) password */ digest_init ( md4, ctx.md4 ); while ( ( c = *(password++) ) ) { wc = cpu_to_le16 ( c ); digest_update ( md4, ctx.md4, &wc, sizeof ( wc ) ); } digest_final ( md4, ctx.md4, digest ); /* Construct HMAC-MD5 of (Unicode) upper-case username */ digest_len = sizeof ( digest ); hmac_init ( md5, ctx.md5, digest, &digest_len ); while ( ( c = *(username++) ) ) { wc = cpu_to_le16 ( toupper ( c ) ); hmac_update ( md5, ctx.md5, &wc, sizeof ( wc ) ); } while ( ( c = *(domain++) ) ) { wc = cpu_to_le16 ( c ); hmac_update ( md5, ctx.md5, &wc, sizeof ( wc ) ); } hmac_final ( md5, ctx.md5, digest, &digest_len, key->raw ); DBGC ( key, "NTLM key:\n" ); DBGC_HDA ( key, 0, key, sizeof ( *key ) ); } /** * Construct NTLM responses * * @v info Challenge information * @v key Verification key * @v nonce Nonce, or NULL to use a random nonce * @v lm LAN Manager response to fill in * @v nt NT response to fill in */ void ntlm_response ( struct ntlm_challenge_info *info, struct ntlm_key *key, struct ntlm_nonce *nonce, struct ntlm_lm_response *lm, struct ntlm_nt_response *nt ) { struct digest_algorithm *md5 = &md5_algorithm; struct ntlm_nonce tmp_nonce; uint8_t ctx[MD5_CTX_SIZE]; size_t key_len = sizeof ( *key ); unsigned int i; /* Generate random nonce, if needed */ if ( ! nonce ) { for ( i = 0 ; i < sizeof ( tmp_nonce ) ; i++ ) tmp_nonce.raw[i] = random(); nonce = &tmp_nonce; } /* Construct LAN Manager response */ memcpy ( &lm->nonce, nonce, sizeof ( lm->nonce ) ); hmac_init ( md5, ctx, key->raw, &key_len ); hmac_update ( md5, ctx, info->nonce, sizeof ( *info->nonce ) ); hmac_update ( md5, ctx, &lm->nonce, sizeof ( lm->nonce ) ); hmac_final ( md5, ctx, key->raw, &key_len, lm->digest ); DBGC ( key, "NTLM LAN Manager response:\n" ); DBGC_HDA ( key, 0, lm, sizeof ( *lm ) ); /* Construct NT response */ memset ( nt, 0, sizeof ( *nt ) ); nt->version = NTLM_VERSION_NTLMV2; nt->high = NTLM_VERSION_NTLMV2; memcpy ( &nt->nonce, nonce, sizeof ( nt->nonce ) ); hmac_init ( md5, ctx, key->raw, &key_len ); hmac_update ( md5, ctx, info->nonce, sizeof ( *info->nonce ) ); hmac_update ( md5, ctx, &nt->version, ( sizeof ( *nt ) - offsetof ( typeof ( *nt ), version ) ) ); hmac_update ( md5, ctx, info->target, info->len ); hmac_update ( md5, ctx, &nt->zero, sizeof ( nt->zero ) ); hmac_final ( md5, ctx, key->raw, &key_len, nt->digest ); DBGC ( key, "NTLM NT response prefix:\n" ); DBGC_HDA ( key, 0, nt, sizeof ( *nt ) ); } /** * Append data to NTLM message * * @v header Message header, or NULL to only calculate next payload * @v data Data descriptor * @v payload Data payload * @v len Length of data * @ret payload Next data payload */ static void * ntlm_append ( struct ntlm_header *header, struct ntlm_data *data, void *payload, size_t len ) { /* Populate data descriptor */ if ( header ) { data->offset = cpu_to_le32 ( payload - ( ( void * ) header ) ); data->len = data->max_len = cpu_to_le16 ( len ); } return ( payload + len ); } /** * Append Unicode string data to NTLM message * * @v header Message header, or NULL to only calculate next payload * @v data Data descriptor * @v payload Data payload * @v string String to append, or NULL * @ret payload Next data payload */ static void * ntlm_append_string ( struct ntlm_header *header, struct ntlm_data *data, void *payload, const char *string ) { uint16_t *tmp = payload; uint8_t c; /* Convert string to Unicode */ for ( tmp = payload ; ( string && ( c = *(string++) ) ) ; tmp++ ) { if ( header ) *tmp = cpu_to_le16 ( c ); } /* Append string data */ return ntlm_append ( header, data, payload, ( ( ( void * ) tmp ) - payload ) ); } /** * Construct NTLM Authenticate message * * @v info Challenge information * @v domain Domain name, or NULL * @v username User name, or NULL * @v workstation Workstation name, or NULL * @v lm LAN Manager response * @v nt NT response * @v auth Message to fill in, or NULL to only calculate length * @ret len Length of message */ size_t ntlm_authenticate ( struct ntlm_challenge_info *info, const char *domain, const char *username, const char *workstation, struct ntlm_lm_response *lm, struct ntlm_nt_response *nt, struct ntlm_authenticate *auth ) { void *tmp; size_t nt_len; size_t len; /* Construct response header */ if ( auth ) { memset ( auth, 0, sizeof ( *auth ) ); memcpy ( auth->header.magic, ntlm_negotiate.header.magic, sizeof ( auth->header.magic ) ); auth->header.type = cpu_to_le32 ( NTLM_AUTHENTICATE ); auth->flags = ntlm_negotiate.flags; } tmp = ( ( ( void * ) auth ) + sizeof ( *auth ) ); /* Construct LAN Manager response */ if ( auth ) memcpy ( tmp, lm, sizeof ( *lm ) ); tmp = ntlm_append ( &auth->header, &auth->lm, tmp, sizeof ( *lm ) ); /* Construct NT response */ nt_len = ( sizeof ( *nt ) + info->len + sizeof ( nt->zero ) ); if ( auth ) { memcpy ( tmp, nt, sizeof ( *nt ) ); memcpy ( ( tmp + sizeof ( *nt ) ), info->target, info->len ); memset ( ( tmp + sizeof ( *nt ) + info->len ), 0, sizeof ( nt->zero ) ); } tmp = ntlm_append ( &auth->header, &auth->nt, tmp, nt_len ); /* Populate domain, user, and workstation names */ tmp = ntlm_append_string ( &auth->header, &auth->domain, tmp, domain ); tmp = ntlm_append_string ( &auth->header, &auth->user, tmp, username ); tmp = ntlm_append_string ( &auth->header, &auth->workstation, tmp, workstation ); /* Calculate length */ len = ( tmp - ( ( void * ) auth ) ); if ( auth ) { DBGC ( auth, "NTLM authenticate message:\n" ); DBGC_HDA ( auth, 0, auth, len ); } return len; } /** * Calculate NTLM Authenticate message length * * @v info Challenge information * @v domain Domain name, or NULL * @v username User name, or NULL * @v workstation Workstation name, or NULL * @ret len Length of Authenticate message */ size_t ntlm_authenticate_len ( struct ntlm_challenge_info *info, const char *domain, const char *username, const char *workstation ) { return ntlm_authenticate ( info, domain, username, workstation, NULL, NULL, NULL ); }