oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

bump libheimntlm to the version from OSX 10.9 Mavericks

Browse Source
This commit is contained in:
Love Hörnquist Åstrand
2013-11-17 13:15:55 +01:00
parent 22a5077835
commit cde59c543d
8 changed files with 1436 additions and 348 deletions
Download Patch File Download Diff File Expand all files Collapse all files

546
lib/ntlm/ntlm.c
View File

@@ -44,9 +44,12 @@
#include <limits.h>
#include <roken.h>
#include <wind.h>
#include <parse_units.h>
#include <krb5.h>
#define HC_DEPRECATED_CRYPTO
#include "krb5-types.h"
@@ -103,6 +106,8 @@ struct sec_buffer {
static const unsigned char ntlmsigature[8] = "NTLMSSP\x00";
time_t heim_ntlm_time_skew = 300;
/*
*
*/
@@ -116,6 +121,25 @@ static const unsigned char ntlmsigature[8] = "NTLMSSP\x00";
} \
} while(/*CONSTCOND*/0)
#define CHECK_SIZE(f, e) \
do { \
ssize_t sret = f; \
if (sret != (ssize_t)(e)) { \
ret = HNTLM_ERR_DECODE; \
goto out; \
} \
} while(/*CONSTCOND*/0)
#define CHECK_OFFSET(f, e) \
do { \
off_t sret = f; \
if (sret != (e)) { \
ret = HNTLM_ERR_DECODE; \
goto out; \
} \
} while(/*CONSTCOND*/0)
static struct units ntlm_flag_units[] = {
#define ntlm_flag(x) { #x, NTLM_##x }
ntlm_flag(ENC_56),
@@ -182,32 +206,57 @@ heim_ntlm_free_buf(struct ntlm_buf *p)
static int
ascii2ucs2le(const char *string, int up, struct ntlm_buf *buf)
{
unsigned char *p;
size_t len, i;
uint16_t *data;
size_t len, n;
uint8_t *p;
int ret;
len = strlen(string);
if (len / 2 > UINT_MAX)
ret = wind_utf8ucs2_length(string, &len);
if (ret)
return ret;
if (len > UINT_MAX / sizeof(data[0]))
return ERANGE;
data = malloc(len * sizeof(data[0]));
if (data == NULL)
return ENOMEM;
ret = wind_utf8ucs2(string, data, &len);
if (ret) {
free(data);
return ret;
}
if (len == 0) {
free(data);
buf->data = NULL;
buf->length = 0;
return 0;
}
/* uppercase string, only handle ascii right now */
if (up) {
for (n = 0; n < len ; n++) {
if (data[n] < 128)
data[n] = toupper((int)data[n]);
}
}
buf->length = len * 2;
buf->data = malloc(buf->length);
p = buf->data = malloc(buf->length);
if (buf->data == NULL && len != 0) {
free(data);
heim_ntlm_free_buf(buf);
return ENOMEM;
}
p = buf->data;
for (i = 0; i < len; i++) {
unsigned char t = (unsigned char)string[i];
if (t & 0x80) {
heim_ntlm_free_buf(buf);
return EINVAL;
}
if (up)
t = toupper(t);
p[(i * 2) + 0] = t;
p[(i * 2) + 1] = 0;
for (n = 0; n < len ; n++) {
p[(n * 2) + 0] = (data[n] ) & 0xff;
p[(n * 2) + 1] = (data[n] >> 8) & 0xff;
}
memset(data, 0, sizeof(data[0]) * len);
free(data);
return 0;
}
@@ -242,13 +291,20 @@ out:
* wire, but using utf8 in memory.
*/
static krb5_error_code
static size_t
len_string(int ucs2, const char *s)
{
size_t len = strlen(s);
if (ucs2)
len *= 2;
return len;
if (ucs2) {
size_t len;
int ret;
ret = wind_utf8ucs2_length(s, &len);
if (ret == 0)
return len * 2;
return strlen(s) * 5 * 2;
} else {
return strlen(s);
}
}
/*
@@ -259,28 +315,50 @@ static krb5_error_code
ret_string(krb5_storage *sp, int ucs2, size_t len, char **s)
{
krb5_error_code ret;
uint16_t *data = NULL;
*s = malloc(len + 1);
if (*s == NULL)
return ENOMEM;
CHECK(krb5_storage_read(sp, *s, len), len);
CHECK_SIZE(krb5_storage_read(sp, *s, len), len);
(*s)[len] = '\0';
if (ucs2) {
size_t i;
for (i = 0; i < len / 2; i++) {
(*s)[i] = (*s)[i * 2];
if ((*s)[i * 2 + 1]) {
free(*s);
*s = NULL;
return EINVAL;
}
unsigned int flags = WIND_RW_LE;
size_t utf16len = len / 2;
size_t utf8len;
data = malloc(utf16len * sizeof(data[0]));
if (data == NULL) {
free(*s); *s = NULL;
ret = ENOMEM;
goto out;
}
(*s)[i] = '\0';
ret = wind_ucs2read(*s, len, &flags, data, &utf16len);
free(*s); *s = NULL;
if (ret) {
goto out;
}
CHECK(wind_ucs2utf8_length(data, utf16len, &utf8len), 0);
utf8len += 1;
*s = malloc(utf8len);
if (s == NULL) {
ret = ENOMEM;
goto out;
}
CHECK(wind_ucs2utf8(data, utf16len, *s, &utf8len), 0);
}
ret = 0;
out:
if (data)
free(data);
return ret;
}
@@ -290,10 +368,10 @@ static krb5_error_code
ret_sec_string(krb5_storage *sp, int ucs2, struct sec_buffer *desc, char **s)
{
krb5_error_code ret = 0;
CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
CHECK_OFFSET(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
CHECK(ret_string(sp, ucs2, desc->length, s), 0);
out:
return ret;
return ret;
}
static krb5_error_code
@@ -311,7 +389,7 @@ put_string(krb5_storage *sp, int ucs2, const char *s)
buf.length = strlen(s);
}
CHECK(krb5_storage_write(sp, buf.data, buf.length), buf.length);
CHECK_SIZE(krb5_storage_write(sp, buf.data, buf.length), buf.length);
if (ucs2)
heim_ntlm_free_buf(&buf);
ret = 0;
@@ -330,8 +408,8 @@ ret_buf(krb5_storage *sp, struct sec_buffer *desc, struct ntlm_buf *buf)
buf->data = malloc(desc->length);
buf->length = desc->length;
CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
CHECK(krb5_storage_read(sp, buf->data, buf->length), buf->length);
CHECK_OFFSET(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
CHECK_SIZE(krb5_storage_read(sp, buf->data, buf->length), buf->length);
ret = 0;
out:
return ret;
@@ -341,7 +419,7 @@ static krb5_error_code
put_buf(krb5_storage *sp, const struct ntlm_buf *buf)
{
krb5_error_code ret;
CHECK(krb5_storage_write(sp, buf->data, buf->length), buf->length);
CHECK_SIZE(krb5_storage_write(sp, buf->data, buf->length), buf->length);
ret = 0;
out:
return ret;
@@ -363,6 +441,8 @@ heim_ntlm_free_targetinfo(struct ntlm_targetinfo *ti)
free(ti->dnsdomainname);
free(ti->dnsservername);
free(ti->dnstreename);
free(ti->targetname);
heim_ntlm_free_buf(&ti->channel_bindings);
memset(ti, 0, sizeof(*ti));
}
@@ -423,6 +503,20 @@ heim_ntlm_encode_targetinfo(const struct ntlm_targetinfo *ti,
CHECK(krb5_store_uint16(out, 4), 0);
CHECK(krb5_store_uint32(out, ti->avflags), 0);
}
if (ti->timestamp) {
CHECK(krb5_store_uint16(out, 7), 0);
CHECK(krb5_store_uint16(out, 8), 0);
CHECK(krb5_store_uint32(out, ti->timestamp & 0xffffffff), 0);
CHECK(krb5_store_uint32(out, (ti->timestamp >> 32) & 0xffffffff), 0);
}
if (ti->targetname) {
CHECK(encode_ti_string(out, 9, ucs2, ti->targetname), 0);
}
if (ti->channel_bindings.length) {
CHECK(krb5_store_uint16(out, 10), 0);
CHECK(krb5_store_uint16(out, ti->channel_bindings.length), 0);
CHECK_SIZE(krb5_storage_write(out, ti->channel_bindings.data, ti->channel_bindings.length), ti->channel_bindings.length);
}
/* end tag */
CHECK(krb5_store_int16(out, 0), 0);
@@ -497,6 +591,26 @@ heim_ntlm_decode_targetinfo(const struct ntlm_buf *data,
case 6:
CHECK(krb5_ret_uint32(in, &ti->avflags), 0);
break;
case 7: {
uint32_t tmp;
CHECK(krb5_ret_uint32(in, &tmp), 0);
ti->timestamp = tmp;
CHECK(krb5_ret_uint32(in, &tmp), 0);
ti->timestamp |= ((uint64_t)tmp) << 32;
break;
}
case 9:
CHECK(ret_string(in, 1, len, &ti->targetname), 0);
break;
case 10:
ti->channel_bindings.data = malloc(len);
if (ti->channel_bindings.data == NULL) {
ret = ENOMEM;
goto out;
}
ti->channel_bindings.length = len;
CHECK_SIZE(krb5_storage_read(in, ti->channel_bindings.data, len), len);
break;
default:
krb5_storage_seek(in, len, SEEK_CUR);
break;
@@ -508,6 +622,21 @@ heim_ntlm_decode_targetinfo(const struct ntlm_buf *data,
return ret;
}
static krb5_error_code
encode_os_version(krb5_storage *out)
{
krb5_error_code ret;
CHECK(krb5_store_uint8(out, 0x06), 0);
CHECK(krb5_store_uint8(out, 0x01), 0);
CHECK(krb5_store_uint16(out, 0x1db0), 0);
CHECK(krb5_store_uint8(out, 0x0f), 0); /* ntlm version 15 */
CHECK(krb5_store_uint8(out, 0x00), 0);
CHECK(krb5_store_uint8(out, 0x00), 0);
CHECK(krb5_store_uint8(out, 0x00), 0);
out:
return ret;
}
/**
* Frees the ntlm_type1 message
*
@@ -544,7 +673,7 @@ heim_ntlm_decode_type1(const struct ntlm_buf *buf, struct ntlm_type1 *data)
}
krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
CHECK_SIZE(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
CHECK(krb5_ret_uint32(in, &type), 0);
CHECK(type, 1);
@@ -605,8 +734,8 @@ heim_ntlm_encode_type1(const struct ntlm_type1 *type1, struct ntlm_buf *data)
base += 8;
flags |= NTLM_OEM_SUPPLIED_WORKSTATION;
}
if (type1->os[0])
base += 8;
if (flags & NTLM_NEG_VERSION)
base += 8; /* os */
domain.offset = base;
if (type1->domain) {
@@ -631,17 +760,16 @@ heim_ntlm_encode_type1(const struct ntlm_type1 *type1, struct ntlm_buf *data)
return ENOMEM;
krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
CHECK_SIZE(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
sizeof(ntlmsigature));
CHECK(krb5_store_uint32(out, 1), 0);
CHECK(krb5_store_uint32(out, flags), 0);
CHECK(store_sec_buffer(out, &domain), 0);
CHECK(store_sec_buffer(out, &hostname), 0);
#if 0
CHECK(krb5_store_uint32(out, type1->os[0]), 0);
CHECK(krb5_store_uint32(out, type1->os[1]), 0);
#endif
if (flags & NTLM_NEG_VERSION) {
CHECK(encode_os_version(out), 0);
}
if (type1->domain)
CHECK(put_string(out, 0, type1->domain), 0);
if (type1->hostname)
@@ -695,7 +823,7 @@ heim_ntlm_decode_type2(const struct ntlm_buf *buf, struct ntlm_type2 *type2)
}
krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
CHECK_SIZE(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
CHECK(krb5_ret_uint32(in, &type), 0);
CHECK(type, 2);
@@ -704,7 +832,7 @@ heim_ntlm_decode_type2(const struct ntlm_buf *buf, struct ntlm_type2 *type2)
CHECK(krb5_ret_uint32(in, &type2->flags), 0);
if (type2->flags & NTLM_NEG_UNICODE)
ucs2 = 1;
CHECK(krb5_storage_read(in, type2->challenge, sizeof(type2->challenge)),
CHECK_SIZE(krb5_storage_read(in, type2->challenge, sizeof(type2->challenge)),
sizeof(type2->challenge));
CHECK(krb5_ret_uint32(in, &ctx[0]), 0); /* context */
CHECK(krb5_ret_uint32(in, &ctx[1]), 0);
@@ -771,23 +899,22 @@ heim_ntlm_encode_type2(const struct ntlm_type2 *type2, struct ntlm_buf *data)
return ENOMEM;
krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
CHECK_SIZE(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
sizeof(ntlmsigature));
CHECK(krb5_store_uint32(out, 2), 0);
CHECK(store_sec_buffer(out, &targetname), 0);
CHECK(krb5_store_uint32(out, type2->flags), 0);
CHECK(krb5_storage_write(out, type2->challenge, sizeof(type2->challenge)),
CHECK_SIZE(krb5_storage_write(out, type2->challenge, sizeof(type2->challenge)),
sizeof(type2->challenge));
CHECK(krb5_store_uint32(out, 0), 0); /* context */
CHECK(krb5_store_uint32(out, 0), 0);
CHECK(store_sec_buffer(out, &targetinfo), 0);
/* os version */
if (type2->flags & NTLM_NEG_VERSION) {
CHECK(krb5_store_uint32(out, type2->os[0]), 0);
CHECK(krb5_store_uint32(out, type2->os[1]), 0);
CHECK(encode_os_version(out), 0);
}
CHECK(put_string(out, ucs2, type2->targetname), 0);
CHECK(krb5_storage_write(out, type2->targetinfo.data,
CHECK_SIZE(krb5_storage_write(out, type2->targetinfo.data,
type2->targetinfo.length),
type2->targetinfo.length);
@@ -841,7 +968,7 @@ heim_ntlm_decode_type3(const struct ntlm_buf *buf,
uint32_t type;
krb5_storage *in;
struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
uint32_t min_offset = 72;
uint32_t min_offset = 0xffffffff;
memset(type3, 0, sizeof(*type3));
memset(&sessionkey, 0, sizeof(sessionkey));
@@ -853,35 +980,38 @@ heim_ntlm_decode_type3(const struct ntlm_buf *buf,
}
krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
CHECK_SIZE(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
CHECK(krb5_ret_uint32(in, &type), 0);
CHECK(type, 3);
CHECK(ret_sec_buffer(in, &lm), 0);
if (lm.allocated)
min_offset = min(min_offset, lm.offset);
min_offset = MIN(min_offset, lm.offset);
CHECK(ret_sec_buffer(in, &ntlm), 0);
if (ntlm.allocated)
min_offset = min(min_offset, ntlm.offset);
min_offset = MIN(min_offset, ntlm.offset);
CHECK(ret_sec_buffer(in, &target), 0);
if (target.allocated)
min_offset = min(min_offset, target.offset);
min_offset = MIN(min_offset, target.offset);
CHECK(ret_sec_buffer(in, &username), 0);
if (username.allocated)
min_offset = min(min_offset, username.offset);
min_offset = MIN(min_offset, username.offset);
CHECK(ret_sec_buffer(in, &ws), 0);
if (ws.allocated)
min_offset = min(min_offset, ws.offset);
min_offset = MIN(min_offset, ws.offset);
if (min_offset > 52) {
if (min_offset >= 52) {
CHECK(ret_sec_buffer(in, &sessionkey), 0);
min_offset = max(min_offset, sessionkey.offset);
min_offset = MIN(min_offset, sessionkey.offset);
CHECK(krb5_ret_uint32(in, &type3->flags), 0);
}
if (min_offset > 52 + 8 + 4 + 8) {
if (min_offset >= 52 + 8 + 4 + 8) {
CHECK(krb5_ret_uint32(in, &type3->os[0]), 0);
CHECK(krb5_ret_uint32(in, &type3->os[1]), 0);
}
if (min_offset >= 52 + 8 + 4 + 8 + 16) {
type3->mic_offset = 52 + 8 + 4 + 8;
CHECK_SIZE(krb5_storage_read(in, type3->mic, sizeof(type3->mic)), sizeof(type3->mic));
} else
type3->mic_offset = 0;
CHECK(ret_buf(in, &lm, &type3->lm), 0);
CHECK(ret_buf(in, &ntlm, &type3->ntlm), 0);
CHECK(ret_sec_string(in, ucs2, &target, &type3->targetname), 0);
@@ -913,7 +1043,7 @@ out:
*/
int
heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data, size_t *mic_offset)
{
struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
krb5_error_code ret;
@@ -932,9 +1062,12 @@ heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
base += 8; /* sessionkey sec buf */
base += 4; /* flags */
if (type3->flags & NTLM_NEG_VERSION)
base += 8; /* os flags */
if (type3->os[0]) {
base += 8;
if (mic_offset) {
*mic_offset = base;
base += 16;
}
if (type3->flags & NTLM_NEG_UNICODE)
@@ -969,7 +1102,7 @@ heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
return ENOMEM;
krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
CHECK_SIZE(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
sizeof(ntlmsigature));
CHECK(krb5_store_uint32(out, 3), 0);
@@ -981,10 +1114,15 @@ heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
CHECK(store_sec_buffer(out, &sessionkey), 0);
CHECK(krb5_store_uint32(out, type3->flags), 0);
#if 0
CHECK(krb5_store_uint32(out, 0), 0); /* os0 */
CHECK(krb5_store_uint32(out, 0), 0); /* os1 */
#endif
/* os version */
if (type3->flags & NTLM_NEG_VERSION) {
CHECK(encode_os_version(out), 0);
}
if (mic_offset) {
static const uint8_t buf[16] = { 0 };
CHECK_SIZE(krb5_storage_write(out, buf, sizeof(buf)), sizeof(buf));
}
CHECK(put_string(out, ucs2, type3->targetname), 0);
CHECK(put_string(out, ucs2, type3->username), 0);
@@ -1055,10 +1193,10 @@ heim_ntlm_nt_key(const char *password, struct ntlm_buf *key)
EVP_MD_CTX *m;
int ret;
key->data = malloc(MD5_DIGEST_LENGTH);
key->data = malloc(MD4_DIGEST_LENGTH);
if (key->data == NULL)
return ENOMEM;
key->length = MD5_DIGEST_LENGTH;
key->length = MD4_DIGEST_LENGTH;
ret = ascii2ucs2le(password, 0, &buf);
if (ret) {
@@ -1133,7 +1271,7 @@ heim_ntlm_v1_base_session(void *key, size_t len,
session->length = 0;
return ENOMEM;
}
m = EVP_MD_CTX_create();
if (m == NULL) {
heim_ntlm_free_buf(session);
@@ -1182,6 +1320,9 @@ heim_ntlm_keyex_wrap(struct ntlm_buf *base_session,
EVP_CIPHER_CTX c;
int ret;
if (base_session->length != MD4_DIGEST_LENGTH)
return HNTLM_ERR_INVALID_LENGTH;
session->length = MD4_DIGEST_LENGTH;
session->data = malloc(session->length);
if (session->data == NULL) {
@@ -1222,8 +1363,6 @@ heim_ntlm_keyex_wrap(struct ntlm_buf *base_session,
}
/**
* Generates an NTLMv1 session random with assosited session master key.
*
@@ -1313,6 +1452,8 @@ heim_ntlm_keyex_unwrap(struct ntlm_buf *baseKey,
memset(session, 0, sizeof(*session));
if (encryptedSession->length != MD4_DIGEST_LENGTH)
return HNTLM_ERR_INVALID_LENGTH;
if (baseKey->length != MD4_DIGEST_LENGTH)
return HNTLM_ERR_INVALID_LENGTH;
@@ -1344,6 +1485,7 @@ heim_ntlm_keyex_unwrap(struct ntlm_buf *baseKey,
* @param len length of key
* @param username name of the user, as sent in the message, assumed to be in UTF8.
* @param target the name of the target, assumed to be in UTF8.
* @param upper_case_target upper case the target, should not be used only for legacy systems
* @param ntlmv2 the ntlmv2 session key
*
* @return 0 on success, or an error code on failure.
@@ -1355,6 +1497,7 @@ int
heim_ntlm_ntlmv2_key(const void *key, size_t len,
const char *username,
const char *target,
int upper_case_target,
unsigned char ntlmv2[16])
{
int ret;
@@ -1371,8 +1514,8 @@ heim_ntlm_ntlmv2_key(const void *key, size_t len,
goto out;
HMAC_Update(&c, buf.data, buf.length);
free(buf.data);
/* uppercase target and turn into ucs2-le */
ret = ascii2ucs2le(target, 1, &buf);
/* turn target into ucs2-le */
ret = ascii2ucs2le(target, upper_case_target, &buf);
if (ret)
goto out;
HMAC_Update(&c, buf.data, buf.length);
@@ -1381,6 +1524,7 @@ heim_ntlm_ntlmv2_key(const void *key, size_t len,
HMAC_Final(&c, ntlmv2, &hmaclen);
out:
HMAC_CTX_cleanup(&c);
memset(&c, 0, sizeof(c));
return ret;
}
@@ -1391,16 +1535,16 @@ heim_ntlm_ntlmv2_key(const void *key, size_t len,
#define NTTIME_EPOCH 0x019DB1DED53E8000LL
static uint64_t
unix2nttime(time_t unix_time)
uint64_t
heim_ntlm_unix2ts_time(time_t unix_time)
{
long long wt;
wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
return wt;
}
static time_t
nt2unixtime(uint64_t t)
time_t
heim_ntlm_ts2unixtime(uint64_t t)
{
t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000);
if (t > (((uint64_t)(time_t)(~(uint64_t)0)) >> 1))
@@ -1416,6 +1560,7 @@ nt2unixtime(uint64_t t)
* @param username name of the user, as sent in the message, assumed to be in UTF8.
* @param target the name of the target, assumed to be in UTF8.
* @param serverchallenge challenge as sent by the server in the type2 message.
* @param infotarget infotarget as sent by the server in the type2 message.
* @param ntlmv2 calculated session key
* @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
*
@@ -1440,7 +1585,7 @@ heim_ntlm_calculate_lm2(const void *key, size_t len,
/* calculate ntlmv2 key */
heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
heim_ntlm_ntlmv2_key(key, len, username, target, 0, ntlmv2);
answer->data = malloc(24);
if (answer->data == NULL)
@@ -1450,7 +1595,7 @@ heim_ntlm_calculate_lm2(const void *key, size_t len,
heim_ntlm_derive_ntlm2_sess(ntlmv2, clientchallenge, 8,
serverchallenge, answer->data);
memcpy(((uint8_t *)answer->data) + 16, clientchallenge, 8);
memcpy(((unsigned char *)answer->data) + 16, clientchallenge, 8);
return 0;
}
@@ -1490,14 +1635,14 @@ heim_ntlm_calculate_ntlm2(const void *key, size_t len,
unsigned char clientchallenge[8];
uint64_t t;
t = unix2nttime(time(NULL));
t = heim_ntlm_unix2ts_time(time(NULL));
if (RAND_bytes(clientchallenge, sizeof(clientchallenge)) != 1)
return HNTLM_ERR_RAND;
/* calculate ntlmv2 key */
heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
heim_ntlm_ntlmv2_key(key, len, username, target, 0, ntlmv2);
/* calculate and build ntlmv2 answer */
@@ -1512,12 +1657,19 @@ heim_ntlm_calculate_ntlm2(const void *key, size_t len,
CHECK(krb5_store_uint32(sp, t & 0xffffffff), 0);
CHECK(krb5_store_uint32(sp, t >> 32), 0);
CHECK(krb5_storage_write(sp, clientchallenge, 8), 8);
CHECK_SIZE(krb5_storage_write(sp, clientchallenge, 8), 8);
CHECK(krb5_store_uint32(sp, 0), 0); /* unknown but zero will work */
CHECK(krb5_storage_write(sp, infotarget->data, infotarget->length),
CHECK(krb5_store_uint32(sp, 0), 0); /* Z(4) */
CHECK_SIZE(krb5_storage_write(sp, infotarget->data, infotarget->length),
infotarget->length);
CHECK(krb5_store_uint32(sp, 0), 0); /* unknown but zero will work */
/*
* These last 4 bytes(Z(4)) are not documented by MicroSoft and
* SnowLeopard doesn't send them, Lion expected them to be there,
* so we have to continue to send them. That is ok, since everyone
* else (except Snow) seems to do that too.
*/
CHECK(krb5_store_uint32(sp, 0), 0); /* Z(4) */
CHECK(krb5_storage_to_data(sp, &data), 0);
krb5_storage_free(sp);
@@ -1531,8 +1683,8 @@ heim_ntlm_calculate_ntlm2(const void *key, size_t len,
return ENOMEM;
}
CHECK(krb5_storage_write(sp, ntlmv2answer, 16), 16);
CHECK(krb5_storage_write(sp, data.data, data.length), data.length);
CHECK_SIZE(krb5_storage_write(sp, ntlmv2answer, 16), 16);
CHECK_SIZE(krb5_storage_write(sp, data.data, data.length), data.length);
krb5_data_free(&data);
CHECK(krb5_storage_to_data(sp, &data), 0);
@@ -1551,6 +1703,110 @@ out:
static const int authtimediff = 3600 * 2; /* 2 hours */
static int
verify_ntlm2(const void *key, size_t len,
const char *username,
const char *target,
int upper_case_target,
time_t now,
const unsigned char serverchallenge[8],
const struct ntlm_buf *answer,
struct ntlm_buf *infotarget,
unsigned char ntlmv2[16])
{
krb5_error_code ret;
unsigned char clientanswer[16];
unsigned char clientnonce[8];
unsigned char serveranswer[16];
krb5_storage *sp;
uint64_t t;
time_t authtime;
uint32_t temp;
infotarget->length = 0;
infotarget->data = NULL;
if (answer->length < 16)
return HNTLM_ERR_INVALID_LENGTH;
if (now == 0)
now = time(NULL);
/* calculate ntlmv2 key */
heim_ntlm_ntlmv2_key(key, len, username, target, upper_case_target, ntlmv2);
/* calculate and build ntlmv2 answer */
sp = krb5_storage_from_readonly_mem(answer->data, answer->length);
if (sp == NULL)
return ENOMEM;
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
CHECK_SIZE(krb5_storage_read(sp, clientanswer, 16), 16);
CHECK(krb5_ret_uint32(sp, &temp), 0);
CHECK(temp, 0x00000101);
CHECK(krb5_ret_uint32(sp, &temp), 0);
CHECK(temp, 0);
/* timestamp le 64 bit ts */
CHECK(krb5_ret_uint32(sp, &temp), 0);
t = temp;
CHECK(krb5_ret_uint32(sp, &temp), 0);
t |= ((uint64_t)temp)<< 32;
authtime = heim_ntlm_ts2unixtime(t);
if (abs((int)(authtime - now)) > authtimediff) {
ret = HNTLM_ERR_TIME_SKEW;
goto out;
}
/* client challenge */
CHECK_SIZE(krb5_storage_read(sp, clientnonce, 8), 8);
CHECK(krb5_ret_uint32(sp, &temp), 0); /* Z(4) */
/* let pick up targetinfo */
infotarget->length = answer->length - (size_t)krb5_storage_seek(sp, 0, SEEK_CUR);
if (infotarget->length < 4) {
ret = HNTLM_ERR_INVALID_LENGTH;
goto out;
}
infotarget->data = malloc(infotarget->length);
if (infotarget->data == NULL) {
ret = ENOMEM;
goto out;
}
CHECK_SIZE(krb5_storage_read(sp, infotarget->data, infotarget->length),
infotarget->length);
krb5_storage_free(sp);
sp = NULL;
if (answer->length < 16) {
ret = HNTLM_ERR_INVALID_LENGTH;
goto out;
}
heim_ntlm_derive_ntlm2_sess(ntlmv2,
((unsigned char *)answer->data) + 16, answer->length - 16,
serverchallenge,
serveranswer);
if (memcmp(serveranswer, clientanswer, 16) != 0) {
heim_ntlm_free_buf(infotarget);
return HNTLM_ERR_AUTH;
}
return 0;
out:
heim_ntlm_free_buf(infotarget);
if (sp)
krb5_storage_free(sp);
return ret;
}
/**
* Verify NTLMv2 response.
*
@@ -1580,96 +1836,32 @@ heim_ntlm_verify_ntlm2(const void *key, size_t len,
struct ntlm_buf *infotarget,
unsigned char ntlmv2[16])
{
krb5_error_code ret;
unsigned char clientanswer[16];
unsigned char clientnonce[8];
unsigned char serveranswer[16];
krb5_storage *sp;
time_t authtime;
uint32_t temp;
uint64_t t;
int ret;
/**
* First check with the domain as the client passed it to the function.
*/
infotarget->length = 0;
infotarget->data = NULL;
ret = verify_ntlm2(key, len, username, target, 0, now,
serverchallenge, answer, infotarget, ntlmv2);
if (answer->length < 16)
return HNTLM_ERR_INVALID_LENGTH;
/**
* Second check with domain uppercased.
*/
if (now == 0)
now = time(NULL);
if (ret)
ret = verify_ntlm2(key, len, username, target, 1, now,
serverchallenge, answer, infotarget, ntlmv2);
/* calculate ntlmv2 key */
heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
/* calculate and build ntlmv2 answer */
sp = krb5_storage_from_readonly_mem(answer->data, answer->length);
if (sp == NULL)
return ENOMEM;
krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
CHECK(krb5_storage_read(sp, clientanswer, 16), 16);
CHECK(krb5_ret_uint32(sp, &temp), 0);
CHECK(temp, 0x00000101);
CHECK(krb5_ret_uint32(sp, &temp), 0);
CHECK(temp, 0);
/* timestamp le 64 bit ts */
CHECK(krb5_ret_uint32(sp, &temp), 0);
t = temp;
CHECK(krb5_ret_uint32(sp, &temp), 0);
t |= ((uint64_t)temp)<< 32;
authtime = nt2unixtime(t);
if (abs((int)(authtime - now)) > authtimediff) {
ret = HNTLM_ERR_TIME_SKEW;
goto out;
}
/* client challenge */
CHECK(krb5_storage_read(sp, clientnonce, 8), 8);
CHECK(krb5_ret_uint32(sp, &temp), 0); /* unknown */
/* should really unparse the infotarget, but lets pick up everything */
infotarget->length = answer->length - krb5_storage_seek(sp, 0, SEEK_CUR);
infotarget->data = malloc(infotarget->length);
if (infotarget->data == NULL) {
ret = ENOMEM;
goto out;
}
CHECK(krb5_storage_read(sp, infotarget->data, infotarget->length),
infotarget->length);
/* XXX remove the unknown ?? */
krb5_storage_free(sp);
sp = NULL;
if (answer->length < 16) {
ret = HNTLM_ERR_INVALID_LENGTH;
goto out;
}
heim_ntlm_derive_ntlm2_sess(ntlmv2,
((unsigned char *)answer->data) + 16, answer->length - 16,
serverchallenge,
serveranswer);
if (memcmp(serveranswer, clientanswer, 16) != 0) {
heim_ntlm_free_buf(infotarget);
return HNTLM_ERR_AUTH;
}
return 0;
out:
heim_ntlm_free_buf(infotarget);
if (sp)
krb5_storage_free(sp);
/**
* Third check with empty domain.
*/
if (ret)
ret = verify_ntlm2(key, len, username, "", 0, now,
serverchallenge, answer, infotarget, ntlmv2);
return ret;
}
/*
* Calculate the NTLM2 Session Response
*
@@ -1799,5 +1991,5 @@ heim_ntlm_derive_ntlm2_sess(const unsigned char sessionkey[16],
HMAC_Update(&c, clnt_nonce, clnt_nonce_length);
HMAC_Final(&c, derivedkey, &hmaclen);
HMAC_CTX_cleanup(&c);
memset(&c, 0, sizeof(c));
}