OLD | NEW |
(Empty) | |
| 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "net/http/http_auth_handler_ntlm.h" |
| 6 |
| 7 #include <stdlib.h> |
| 8 // For gethostname |
| 9 #if defined(OS_POSIX) |
| 10 #include <unistd.h> |
| 11 #elif defined(OS_WIN) |
| 12 #include <winsock2.h> |
| 13 #endif |
| 14 |
| 15 #include "base/md5.h" |
| 16 #include "base/rand_util.h" |
| 17 #include "base/string_util.h" |
| 18 #include "base/sys_string_conversions.h" |
| 19 #include "net/base/base64.h" |
| 20 #include "net/base/net_errors.h" |
| 21 #include "net/http/des.h" |
| 22 #include "net/http/md4.h" |
| 23 |
| 24 namespace net { |
| 25 |
| 26 // Based on mozilla/security/manager/ssl/src/nsNTLMAuthModule.cpp, |
| 27 // CVS rev. 1.14. |
| 28 // |
| 29 // TODO(wtc): |
| 30 // - The IS_BIG_ENDIAN code is not tested. |
| 31 // - Enable the logging code or just delete it. |
| 32 // - Delete or comment out the LM code, which hasn't been tested and isn't |
| 33 // being used. |
| 34 |
| 35 /* ***** BEGIN LICENSE BLOCK ***** |
| 36 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
| 37 * |
| 38 * The contents of this file are subject to the Mozilla Public License Version |
| 39 * 1.1 (the "License"); you may not use this file except in compliance with |
| 40 * the License. You may obtain a copy of the License at |
| 41 * http://www.mozilla.org/MPL/ |
| 42 * |
| 43 * Software distributed under the License is distributed on an "AS IS" basis, |
| 44 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License |
| 45 * for the specific language governing rights and limitations under the |
| 46 * License. |
| 47 * |
| 48 * The Original Code is Mozilla. |
| 49 * |
| 50 * The Initial Developer of the Original Code is IBM Corporation. |
| 51 * Portions created by IBM Corporation are Copyright (C) 2003 |
| 52 * IBM Corporation. All Rights Reserved. |
| 53 * |
| 54 * Contributor(s): |
| 55 * Darin Fisher <darin@meer.net> |
| 56 * |
| 57 * Alternatively, the contents of this file may be used under the terms of |
| 58 * either the GNU General Public License Version 2 or later (the "GPL"), or |
| 59 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), |
| 60 * in which case the provisions of the GPL or the LGPL are applicable instead |
| 61 * of those above. If you wish to allow use of your version of this file only |
| 62 * under the terms of either the GPL or the LGPL, and not to allow others to |
| 63 * use your version of this file under the terms of the MPL, indicate your |
| 64 * decision by deleting the provisions above and replace them with the notice |
| 65 * and other provisions required by the GPL or the LGPL. If you do not delete |
| 66 * the provisions above, a recipient may use your version of this file under |
| 67 * the terms of any one of the MPL, the GPL or the LGPL. |
| 68 * |
| 69 * ***** END LICENSE BLOCK ***** */ |
| 70 |
| 71 // Discover the endianness by testing processor architecture. |
| 72 #if defined(ARCH_CPU_X86) || defined(ARCH_CPU_X86_64) |
| 73 #define IS_LITTLE_ENDIAN 1 |
| 74 #undef IS_BIG_ENDIAN |
| 75 #else |
| 76 #error "Unknown endianness" |
| 77 #endif |
| 78 |
| 79 #define NTLM_LOG(x) ((void) 0) |
| 80 |
| 81 //----------------------------------------------------------------------------- |
| 82 // This file contains a cross-platform NTLM authentication implementation. It |
| 83 // is based on documentation from: http://davenport.sourceforge.net/ntlm.html |
| 84 //----------------------------------------------------------------------------- |
| 85 |
| 86 enum { |
| 87 NTLM_NegotiateUnicode = 0x00000001, |
| 88 NTLM_NegotiateOEM = 0x00000002, |
| 89 NTLM_RequestTarget = 0x00000004, |
| 90 NTLM_Unknown1 = 0x00000008, |
| 91 NTLM_NegotiateSign = 0x00000010, |
| 92 NTLM_NegotiateSeal = 0x00000020, |
| 93 NTLM_NegotiateDatagramStyle = 0x00000040, |
| 94 NTLM_NegotiateLanManagerKey = 0x00000080, |
| 95 NTLM_NegotiateNetware = 0x00000100, |
| 96 NTLM_NegotiateNTLMKey = 0x00000200, |
| 97 NTLM_Unknown2 = 0x00000400, |
| 98 NTLM_Unknown3 = 0x00000800, |
| 99 NTLM_NegotiateDomainSupplied = 0x00001000, |
| 100 NTLM_NegotiateWorkstationSupplied = 0x00002000, |
| 101 NTLM_NegotiateLocalCall = 0x00004000, |
| 102 NTLM_NegotiateAlwaysSign = 0x00008000, |
| 103 NTLM_TargetTypeDomain = 0x00010000, |
| 104 NTLM_TargetTypeServer = 0x00020000, |
| 105 NTLM_TargetTypeShare = 0x00040000, |
| 106 NTLM_NegotiateNTLM2Key = 0x00080000, |
| 107 NTLM_RequestInitResponse = 0x00100000, |
| 108 NTLM_RequestAcceptResponse = 0x00200000, |
| 109 NTLM_RequestNonNTSessionKey = 0x00400000, |
| 110 NTLM_NegotiateTargetInfo = 0x00800000, |
| 111 NTLM_Unknown4 = 0x01000000, |
| 112 NTLM_Unknown5 = 0x02000000, |
| 113 NTLM_Unknown6 = 0x04000000, |
| 114 NTLM_Unknown7 = 0x08000000, |
| 115 NTLM_Unknown8 = 0x10000000, |
| 116 NTLM_Negotiate128 = 0x20000000, |
| 117 NTLM_NegotiateKeyExchange = 0x40000000, |
| 118 NTLM_Negotiate56 = 0x80000000 |
| 119 }; |
| 120 |
| 121 // We send these flags with our type 1 message. |
| 122 enum { |
| 123 NTLM_TYPE1_FLAGS = |
| 124 NTLM_NegotiateUnicode | |
| 125 NTLM_NegotiateOEM | |
| 126 NTLM_RequestTarget | |
| 127 NTLM_NegotiateNTLMKey | |
| 128 NTLM_NegotiateAlwaysSign | |
| 129 NTLM_NegotiateNTLM2Key |
| 130 }; |
| 131 |
| 132 static const char NTLM_SIGNATURE[] = "NTLMSSP"; |
| 133 static const char NTLM_TYPE1_MARKER[] = { 0x01, 0x00, 0x00, 0x00 }; |
| 134 static const char NTLM_TYPE2_MARKER[] = { 0x02, 0x00, 0x00, 0x00 }; |
| 135 static const char NTLM_TYPE3_MARKER[] = { 0x03, 0x00, 0x00, 0x00 }; |
| 136 |
| 137 enum { |
| 138 NTLM_TYPE1_HEADER_LEN = 32, |
| 139 NTLM_TYPE2_HEADER_LEN = 32, |
| 140 NTLM_TYPE3_HEADER_LEN = 64, |
| 141 |
| 142 LM_HASH_LEN = 16, |
| 143 LM_RESP_LEN = 24, |
| 144 |
| 145 NTLM_HASH_LEN = 16, |
| 146 NTLM_RESP_LEN = 24 |
| 147 }; |
| 148 |
| 149 //----------------------------------------------------------------------------- |
| 150 |
| 151 // The return value of this function controls whether or not the LM hash will |
| 152 // be included in response to a NTLM challenge. |
| 153 // |
| 154 // In Mozilla, this function returns the value of the boolean preference |
| 155 // "network.ntlm.send-lm-response". By default, the preference is disabled |
| 156 // since servers should almost never need the LM hash, and the LM hash is what |
| 157 // makes NTLM authentication less secure. See |
| 158 // https://bugzilla.mozilla.org/show_bug.cgi?id=250691 for further details. |
| 159 // |
| 160 // We just return a hardcoded false. |
| 161 static bool SendLM() { |
| 162 return false; |
| 163 } |
| 164 |
| 165 //----------------------------------------------------------------------------- |
| 166 |
| 167 #define LogFlags(x) ((void) 0) |
| 168 #define LogBuf(a, b, c) ((void) 0) |
| 169 #define LogToken(a, b, c) ((void) 0) |
| 170 |
| 171 //----------------------------------------------------------------------------- |
| 172 |
| 173 // Byte order swapping. |
| 174 #define SWAP16(x) ((((x) & 0xff) << 8) | (((x) >> 8) & 0xff)) |
| 175 #define SWAP32(x) ((SWAP16((x) & 0xffff) << 16) | (SWAP16((x) >> 16))) |
| 176 |
| 177 static void* WriteBytes(void* buf, const void* data, uint32 data_len) { |
| 178 memcpy(buf, data, data_len); |
| 179 return static_cast<char*>(buf) + data_len; |
| 180 } |
| 181 |
| 182 static void* WriteDWORD(void* buf, uint32 dword) { |
| 183 #ifdef IS_BIG_ENDIAN |
| 184 // NTLM uses little endian on the wire. |
| 185 dword = SWAP32(dword); |
| 186 #endif |
| 187 return WriteBytes(buf, &dword, sizeof(dword)); |
| 188 } |
| 189 |
| 190 static void* WriteSecBuf(void* buf, uint16 length, uint32 offset) { |
| 191 #ifdef IS_BIG_ENDIAN |
| 192 length = SWAP16(length); |
| 193 offset = SWAP32(offset); |
| 194 #endif |
| 195 buf = WriteBytes(buf, &length, sizeof(length)); |
| 196 buf = WriteBytes(buf, &length, sizeof(length)); |
| 197 buf = WriteBytes(buf, &offset, sizeof(offset)); |
| 198 return buf; |
| 199 } |
| 200 |
| 201 #ifdef IS_BIG_ENDIAN |
| 202 /** |
| 203 * WriteUnicodeLE copies a unicode string from one buffer to another. The |
| 204 * resulting unicode string is in little-endian format. The input string is |
| 205 * assumed to be in the native endianness of the local machine. It is safe |
| 206 * to pass the same buffer as both input and output, which is a handy way to |
| 207 * convert the unicode buffer to little-endian on big-endian platforms. |
| 208 */ |
| 209 static void* WriteUnicodeLE(void* buf, const char16* str, uint32 str_len) { |
| 210 // Convert input string from BE to LE. |
| 211 uint8* cursor = static_cast<uint8*>(buf); |
| 212 const uint8* input = reinterpret_cast<const uint8*>(str); |
| 213 for (uint32 i = 0; i < str_len; ++i, input += 2, cursor += 2) { |
| 214 // Allow for the case where |buf == str|. |
| 215 uint8 temp = input[0]; |
| 216 cursor[0] = input[1]; |
| 217 cursor[1] = temp; |
| 218 } |
| 219 return buf; |
| 220 } |
| 221 #endif |
| 222 |
| 223 static uint16 ReadUint16(const uint8*& buf) { |
| 224 uint16 x = (static_cast<uint16>(buf[0])) | |
| 225 (static_cast<uint16>(buf[1]) << 8); |
| 226 buf += sizeof(x); |
| 227 return x; |
| 228 } |
| 229 |
| 230 static uint32 ReadUint32(const uint8*& buf) { |
| 231 uint32 x = (static_cast<uint32>(buf[0])) | |
| 232 (static_cast<uint32>(buf[1]) << 8) | |
| 233 (static_cast<uint32>(buf[2]) << 16) | |
| 234 (static_cast<uint32>(buf[3]) << 24); |
| 235 buf += sizeof(x); |
| 236 return x; |
| 237 } |
| 238 |
| 239 //----------------------------------------------------------------------------- |
| 240 |
| 241 static void ZapBuf(void* buf, size_t buf_len) { |
| 242 memset(buf, 0, buf_len); |
| 243 } |
| 244 |
| 245 // TODO(wtc): Can we implement ZapString as |
| 246 // s.replace(0, s.size(), s.size(), '\0)? |
| 247 static void ZapString(std::string* s) { |
| 248 ZapBuf(&(*s)[0], s->length()); |
| 249 } |
| 250 |
| 251 static void ZapString(string16* s) { |
| 252 ZapBuf(&(*s)[0], s->length() * 2); |
| 253 } |
| 254 |
| 255 // LM_Hash computes the LM hash of the given password. |
| 256 // |
| 257 // param password |
| 258 // unicode password. |
| 259 // param hash |
| 260 // 16-byte result buffer |
| 261 // |
| 262 // Note: This function is not being used because our SendLM() function always |
| 263 // returns false. |
| 264 static void LM_Hash(const string16& password, uint8* hash) { |
| 265 static const uint8 LM_MAGIC[] = "KGS!@#$%"; |
| 266 |
| 267 // Convert password to OEM character set. We'll just use the native |
| 268 // filesystem charset. |
| 269 std::string passbuf = base::SysWideToNativeMB(UTF16ToWide(password)); |
| 270 StringToUpperASCII(&passbuf); |
| 271 passbuf.resize(14, '\0'); |
| 272 |
| 273 uint8 k1[8], k2[8]; |
| 274 DESMakeKey(reinterpret_cast<const uint8*>(passbuf.data()) , k1); |
| 275 DESMakeKey(reinterpret_cast<const uint8*>(passbuf.data()) + 7, k2); |
| 276 ZapString(&passbuf); |
| 277 |
| 278 // Use password keys to hash LM magic string twice. |
| 279 DESEncrypt(k1, LM_MAGIC, hash); |
| 280 DESEncrypt(k2, LM_MAGIC, hash + 8); |
| 281 } |
| 282 |
| 283 // NTLM_Hash computes the NTLM hash of the given password. |
| 284 // |
| 285 // param password |
| 286 // null-terminated unicode password. |
| 287 // param hash |
| 288 // 16-byte result buffer |
| 289 static void NTLM_Hash(const string16& password, uint8* hash) { |
| 290 #ifdef IS_BIG_ENDIAN |
| 291 uint32 len = password.length(); |
| 292 uint8* passbuf; |
| 293 |
| 294 passbuf = static_cast<uint8*>(malloc(len * 2)); |
| 295 WriteUnicodeLE(passbuf, password.data(), len); |
| 296 weak_crypto::MD4Sum(passbuf, len * 2, hash); |
| 297 |
| 298 ZapBuf(passbuf, len * 2); |
| 299 free(passbuf); |
| 300 #else |
| 301 weak_crypto::MD4Sum(reinterpret_cast<const uint8*>(password.data()), |
| 302 password.length() * 2, hash); |
| 303 #endif |
| 304 } |
| 305 |
| 306 //----------------------------------------------------------------------------- |
| 307 |
| 308 // LM_Response generates the LM response given a 16-byte password hash and the |
| 309 // challenge from the Type-2 message. |
| 310 // |
| 311 // param hash |
| 312 // 16-byte password hash |
| 313 // param challenge |
| 314 // 8-byte challenge from Type-2 message |
| 315 // param response |
| 316 // 24-byte buffer to contain the LM response upon return |
| 317 static void LM_Response(const uint8* hash, |
| 318 const uint8* challenge, |
| 319 uint8* response) { |
| 320 uint8 keybytes[21], k1[8], k2[8], k3[8]; |
| 321 |
| 322 memcpy(keybytes, hash, 16); |
| 323 ZapBuf(keybytes + 16, 5); |
| 324 |
| 325 DESMakeKey(keybytes , k1); |
| 326 DESMakeKey(keybytes + 7, k2); |
| 327 DESMakeKey(keybytes + 14, k3); |
| 328 |
| 329 DESEncrypt(k1, challenge, response); |
| 330 DESEncrypt(k2, challenge, response + 8); |
| 331 DESEncrypt(k3, challenge, response + 16); |
| 332 } |
| 333 |
| 334 //----------------------------------------------------------------------------- |
| 335 |
| 336 // Returns OK or a network error code. |
| 337 static int GenerateType1Msg(void** out_buf, uint32* out_len) { |
| 338 // |
| 339 // Verify that buf_len is sufficient. |
| 340 // |
| 341 *out_len = NTLM_TYPE1_HEADER_LEN; |
| 342 *out_buf = malloc(*out_len); |
| 343 if (!*out_buf) |
| 344 return ERR_OUT_OF_MEMORY; |
| 345 |
| 346 // |
| 347 // Write out type 1 message. |
| 348 // |
| 349 void* cursor = *out_buf; |
| 350 |
| 351 // 0 : signature |
| 352 cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)); |
| 353 |
| 354 // 8 : marker |
| 355 cursor = WriteBytes(cursor, NTLM_TYPE1_MARKER, sizeof(NTLM_TYPE1_MARKER)); |
| 356 |
| 357 // 12 : flags |
| 358 cursor = WriteDWORD(cursor, NTLM_TYPE1_FLAGS); |
| 359 |
| 360 // |
| 361 // NOTE: It is common for the domain and workstation fields to be empty. |
| 362 // This is true of Win2k clients, and my guess is that there is |
| 363 // little utility to sending these strings before the charset has |
| 364 // been negotiated. We follow suite -- anyways, it doesn't hurt |
| 365 // to save some bytes on the wire ;-) |
| 366 // |
| 367 |
| 368 // 16 : supplied domain security buffer (empty) |
| 369 cursor = WriteSecBuf(cursor, 0, 0); |
| 370 |
| 371 // 24 : supplied workstation security buffer (empty) |
| 372 cursor = WriteSecBuf(cursor, 0, 0); |
| 373 |
| 374 return OK; |
| 375 } |
| 376 |
| 377 struct Type2Msg { |
| 378 uint32 flags; // NTLM_Xxx bitwise combination |
| 379 uint8 challenge[8]; // 8 byte challenge |
| 380 const void* target; // target string (type depends on flags) |
| 381 uint32 target_len; // target length in bytes |
| 382 }; |
| 383 |
| 384 // Returns OK or a network error code. |
| 385 // TODO(wtc): This function returns ERR_UNEXPECTED when the input message is |
| 386 // invalid. We should return a better error code. |
| 387 static int ParseType2Msg(const void* in_buf, uint32 in_len, Type2Msg* msg) { |
| 388 // Make sure in_buf is long enough to contain a meaningful type2 msg. |
| 389 // |
| 390 // 0 NTLMSSP Signature |
| 391 // 8 NTLM Message Type |
| 392 // 12 Target Name |
| 393 // 20 Flags |
| 394 // 24 Challenge |
| 395 // 32 end of header, start of optional data blocks |
| 396 // |
| 397 if (in_len < NTLM_TYPE2_HEADER_LEN) |
| 398 return ERR_UNEXPECTED; |
| 399 |
| 400 const uint8* cursor = (const uint8*) in_buf; |
| 401 |
| 402 // verify NTLMSSP signature |
| 403 if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0) |
| 404 return ERR_UNEXPECTED; |
| 405 cursor += sizeof(NTLM_SIGNATURE); |
| 406 |
| 407 // verify Type-2 marker |
| 408 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) |
| 409 return ERR_UNEXPECTED; |
| 410 cursor += sizeof(NTLM_TYPE2_MARKER); |
| 411 |
| 412 // read target name security buffer |
| 413 msg->target_len = ReadUint16(cursor); |
| 414 ReadUint16(cursor); // discard next 16-bit value |
| 415 uint32 offset = ReadUint32(cursor); // get offset from in_buf |
| 416 msg->target = ((const uint8*) in_buf) + offset; |
| 417 |
| 418 // read flags |
| 419 msg->flags = ReadUint32(cursor); |
| 420 |
| 421 // read challenge |
| 422 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); |
| 423 cursor += sizeof(msg->challenge); |
| 424 |
| 425 NTLM_LOG(("NTLM type 2 message:\n")); |
| 426 LogBuf("target", (const uint8*) msg->target, msg->target_len); |
| 427 LogBuf("flags", (const uint8*) &msg->flags, 4); |
| 428 LogFlags(msg->flags); |
| 429 LogBuf("challenge", msg->challenge, sizeof(msg->challenge)); |
| 430 |
| 431 // We currently do not implement LMv2/NTLMv2 or NTLM2 responses, |
| 432 // so we can ignore target information. We may want to enable |
| 433 // support for these alternate mechanisms in the future. |
| 434 return OK; |
| 435 } |
| 436 |
| 437 // Returns OK or a network error code. |
| 438 static int GenerateType3Msg(const string16& domain, |
| 439 const string16& username, |
| 440 const string16& password, |
| 441 const void* in_buf, |
| 442 uint32 in_len, |
| 443 void** out_buf, |
| 444 uint32* out_len) { |
| 445 // in_buf contains Type-2 msg (the challenge) from server. |
| 446 |
| 447 int rv; |
| 448 Type2Msg msg; |
| 449 |
| 450 rv = ParseType2Msg(in_buf, in_len, &msg); |
| 451 if (rv != OK) |
| 452 return rv; |
| 453 |
| 454 bool unicode = (msg.flags & NTLM_NegotiateUnicode) != 0; |
| 455 |
| 456 // Temporary buffers for unicode strings |
| 457 #ifdef IS_BIG_ENDIAN |
| 458 string16 ucs_domain_buf, ucs_user_buf; |
| 459 #endif |
| 460 string16 ucs_host_buf; |
| 461 // Temporary buffers for oem strings |
| 462 std::string oem_domain_buf, oem_user_buf, oem_host_buf; |
| 463 // Pointers and lengths for the string buffers; encoding is unicode if |
| 464 // the "negotiate unicode" flag was set in the Type-2 message. |
| 465 const void* domain_ptr; |
| 466 const void* user_ptr; |
| 467 const void* host_ptr; |
| 468 uint32 domain_len, user_len, host_len; |
| 469 |
| 470 // |
| 471 // Get domain name. |
| 472 // |
| 473 if (unicode) { |
| 474 #ifdef IS_BIG_ENDIAN |
| 475 ucs_domain_buf = domain; |
| 476 domain_ptr = ucs_domain_buf.data(); |
| 477 domain_len = ucs_domain_buf.length() * 2; |
| 478 WriteUnicodeLE(const_cast<void*>(domain_ptr), (const char16*) domain_ptr, |
| 479 ucs_domain_buf.length()); |
| 480 #else |
| 481 domain_ptr = domain.data(); |
| 482 domain_len = domain.length() * 2; |
| 483 #endif |
| 484 } else { |
| 485 oem_domain_buf = base::SysWideToNativeMB(UTF16ToWide(domain)); |
| 486 domain_ptr = oem_domain_buf.data(); |
| 487 domain_len = oem_domain_buf.length(); |
| 488 } |
| 489 |
| 490 // |
| 491 // Get user name. |
| 492 // |
| 493 if (unicode) { |
| 494 #ifdef IS_BIG_ENDIAN |
| 495 ucs_user_buf = username; |
| 496 user_ptr = ucs_user_buf.data(); |
| 497 user_len = ucs_user_buf.length() * 2; |
| 498 WriteUnicodeLE(const_cast<void*>(user_ptr), (const char16*) user_ptr, |
| 499 ucs_user_buf.length()); |
| 500 #else |
| 501 user_ptr = username.data(); |
| 502 user_len = username.length() * 2; |
| 503 #endif |
| 504 } else { |
| 505 oem_user_buf = base::SysWideToNativeMB(UTF16ToWide(username)); |
| 506 user_ptr = oem_user_buf.data(); |
| 507 user_len = oem_user_buf.length(); |
| 508 } |
| 509 |
| 510 // |
| 511 // Get workstation name (use local machine's hostname). |
| 512 // |
| 513 char host_buf[256]; // Host names are limited to 255 bytes. |
| 514 if (gethostname(host_buf, sizeof(host_buf)) != 0) |
| 515 return ERR_UNEXPECTED; |
| 516 host_len = strlen(host_buf); |
| 517 if (unicode) { |
| 518 // hostname is ASCII, so we can do a simple zero-pad expansion: |
| 519 ucs_host_buf.assign(host_buf, host_buf + host_len); |
| 520 host_ptr = ucs_host_buf.data(); |
| 521 host_len = ucs_host_buf.length() * 2; |
| 522 #ifdef IS_BIG_ENDIAN |
| 523 WriteUnicodeLE(const_cast<void*>(host_ptr), (const char16*) host_ptr, |
| 524 ucs_host_buf.length()); |
| 525 #endif |
| 526 } else { |
| 527 host_ptr = host_buf; |
| 528 } |
| 529 |
| 530 // |
| 531 // Now that we have generated all of the strings, we can allocate out_buf. |
| 532 // |
| 533 *out_len = NTLM_TYPE3_HEADER_LEN + host_len + domain_len + user_len + |
| 534 LM_RESP_LEN + NTLM_RESP_LEN; |
| 535 *out_buf = malloc(*out_len); |
| 536 if (!*out_buf) |
| 537 return ERR_OUT_OF_MEMORY; |
| 538 |
| 539 // |
| 540 // Next, we compute the LM and NTLM responses. |
| 541 // |
| 542 uint8 lm_resp[LM_RESP_LEN]; |
| 543 uint8 ntlm_resp[NTLM_RESP_LEN]; |
| 544 uint8 ntlm_hash[NTLM_HASH_LEN]; |
| 545 if (msg.flags & NTLM_NegotiateNTLM2Key) { |
| 546 // compute NTLM2 session response |
| 547 MD5Digest session_hash; |
| 548 uint8 temp[16]; |
| 549 |
| 550 // TODO(wtc): Add a function that generates random bytes so we can say: |
| 551 // GenerateRandom(lm_resp, 8); |
| 552 for (int i = 0; i < 8; ++i) |
| 553 lm_resp[i] = base::RandInt(0, 255); |
| 554 memset(lm_resp + 8, 0, LM_RESP_LEN - 8); |
| 555 |
| 556 memcpy(temp, msg.challenge, 8); |
| 557 memcpy(temp + 8, lm_resp, 8); |
| 558 MD5Sum(temp, 16, &session_hash); |
| 559 |
| 560 NTLM_Hash(password, ntlm_hash); |
| 561 LM_Response(ntlm_hash, session_hash.a, ntlm_resp); |
| 562 } else { |
| 563 NTLM_Hash(password, ntlm_hash); |
| 564 LM_Response(ntlm_hash, msg.challenge, ntlm_resp); |
| 565 |
| 566 if (SendLM()) { |
| 567 uint8 lm_hash[LM_HASH_LEN]; |
| 568 LM_Hash(password, lm_hash); |
| 569 LM_Response(lm_hash, msg.challenge, lm_resp); |
| 570 } else { |
| 571 // According to http://davenport.sourceforge.net/ntlm.html#ntlmVersion2, |
| 572 // the correct way to not send the LM hash is to send the NTLM hash twice |
| 573 // in both the LM and NTLM response fields. |
| 574 LM_Response(ntlm_hash, msg.challenge, lm_resp); |
| 575 } |
| 576 } |
| 577 |
| 578 // |
| 579 // Finally, we assemble the Type-3 msg :-) |
| 580 // |
| 581 void* cursor = *out_buf; |
| 582 uint32 offset; |
| 583 |
| 584 // 0 : signature |
| 585 cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)); |
| 586 |
| 587 // 8 : marker |
| 588 cursor = WriteBytes(cursor, NTLM_TYPE3_MARKER, sizeof(NTLM_TYPE3_MARKER)); |
| 589 |
| 590 // 12 : LM response sec buf |
| 591 offset = NTLM_TYPE3_HEADER_LEN + domain_len + user_len + host_len; |
| 592 cursor = WriteSecBuf(cursor, LM_RESP_LEN, offset); |
| 593 memcpy(static_cast<uint8*>(*out_buf) + offset, lm_resp, LM_RESP_LEN); |
| 594 |
| 595 // 20 : NTLM response sec buf |
| 596 offset += LM_RESP_LEN; |
| 597 cursor = WriteSecBuf(cursor, NTLM_RESP_LEN, offset); |
| 598 memcpy(static_cast<uint8*>(*out_buf) + offset, ntlm_resp, NTLM_RESP_LEN); |
| 599 |
| 600 // 28 : domain name sec buf |
| 601 offset = NTLM_TYPE3_HEADER_LEN; |
| 602 cursor = WriteSecBuf(cursor, domain_len, offset); |
| 603 memcpy(static_cast<uint8*>(*out_buf) + offset, domain_ptr, domain_len); |
| 604 |
| 605 // 36 : user name sec buf |
| 606 offset += domain_len; |
| 607 cursor = WriteSecBuf(cursor, user_len, offset); |
| 608 memcpy(static_cast<uint8*>(*out_buf) + offset, user_ptr, user_len); |
| 609 |
| 610 // 44 : workstation (host) name sec buf |
| 611 offset += user_len; |
| 612 cursor = WriteSecBuf(cursor, host_len, offset); |
| 613 memcpy(static_cast<uint8*>(*out_buf) + offset, host_ptr, host_len); |
| 614 |
| 615 // 52 : session key sec buf (not used) |
| 616 cursor = WriteSecBuf(cursor, 0, 0); |
| 617 |
| 618 // 60 : negotiated flags |
| 619 cursor = WriteDWORD(cursor, msg.flags & NTLM_TYPE1_FLAGS); |
| 620 |
| 621 return OK; |
| 622 } |
| 623 |
| 624 //----------------------------------------------------------------------------- |
| 625 |
| 626 class NTLMAuthModule { |
| 627 public: |
| 628 NTLMAuthModule() {} |
| 629 |
| 630 ~NTLMAuthModule(); |
| 631 |
| 632 int Init(const string16& domain, |
| 633 const string16& username, |
| 634 const string16& password); |
| 635 |
| 636 int GetNextToken(const void* in_token, |
| 637 uint32 in_token_len, |
| 638 void** out_token, |
| 639 uint32* out_token_len); |
| 640 |
| 641 private: |
| 642 string16 domain_; |
| 643 string16 username_; |
| 644 string16 password_; |
| 645 }; |
| 646 |
| 647 NTLMAuthModule::~NTLMAuthModule() { |
| 648 ZapString(&password_); |
| 649 } |
| 650 |
| 651 int NTLMAuthModule::Init(const string16& domain, |
| 652 const string16& username, |
| 653 const string16& password) { |
| 654 domain_ = domain; |
| 655 username_ = username; |
| 656 password_ = password; |
| 657 return OK; |
| 658 } |
| 659 |
| 660 int NTLMAuthModule::GetNextToken(const void* in_token, |
| 661 uint32 in_token_len, |
| 662 void** out_token, |
| 663 uint32* out_token_len) { |
| 664 int rv; |
| 665 |
| 666 // If in_token is non-null, then assume it contains a type 2 message... |
| 667 if (in_token) { |
| 668 LogToken("in-token", in_token, in_token_len); |
| 669 rv = GenerateType3Msg(domain_, username_, password_, in_token, |
| 670 in_token_len, out_token, out_token_len); |
| 671 } else { |
| 672 rv = GenerateType1Msg(out_token, out_token_len); |
| 673 } |
| 674 |
| 675 if (rv == OK) |
| 676 LogToken("out-token", *out_token, *out_token_len); |
| 677 |
| 678 return rv; |
| 679 } |
| 680 |
| 681 // NTLM authentication is specified in "NTLM Over HTTP Protocol Specification" |
| 682 // [MS-NTHT]. |
| 683 |
| 684 HttpAuthHandlerNTLM::HttpAuthHandlerNTLM() |
| 685 : ntlm_module_(new NTLMAuthModule) { |
| 686 } |
| 687 |
| 688 HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() { |
| 689 } |
| 690 |
| 691 bool HttpAuthHandlerNTLM::NeedsIdentity() { |
| 692 return !auth_data_.empty(); |
| 693 } |
| 694 |
| 695 std::string HttpAuthHandlerNTLM::GenerateCredentials( |
| 696 const std::wstring& username, |
| 697 const std::wstring& password, |
| 698 const HttpRequestInfo* request, |
| 699 const ProxyInfo* proxy) { |
| 700 int rv; |
| 701 // TODO(wtc): See if we can use char* instead of void* for in_buf and |
| 702 // out_buf. This change will need to propagate to GetNextToken, |
| 703 // GenerateType1Msg, and GenerateType3Msg, and perhaps further. |
| 704 const void* in_buf; |
| 705 void* out_buf; |
| 706 uint32 in_buf_len, out_buf_len; |
| 707 std::string decoded_auth_data; |
| 708 |
| 709 // |username| may be in the form "DOMAIN\user". Parse it into the two |
| 710 // components. |
| 711 std::wstring domain; |
| 712 std::wstring user; |
| 713 size_t backslash_idx = username.find(L'\\'); |
| 714 if (backslash_idx == std::wstring::npos) { |
| 715 user = username; |
| 716 } else { |
| 717 domain = username.substr(0, backslash_idx); |
| 718 user = username.substr(backslash_idx + 1); |
| 719 } |
| 720 rv = ntlm_module_->Init(WideToUTF16(domain), WideToUTF16(user), |
| 721 WideToUTF16(password)); |
| 722 |
| 723 // Initial challenge. |
| 724 if (auth_data_.empty()) { |
| 725 in_buf_len = 0; |
| 726 in_buf = NULL; |
| 727 } else { |
| 728 // Decode |auth_data_| into the input buffer. |
| 729 int len = auth_data_.length(); |
| 730 |
| 731 // Strip off any padding. |
| 732 // (See https://bugzilla.mozilla.org/show_bug.cgi?id=230351.) |
| 733 // |
| 734 // Our base64 decoder requires that the length be a multiple of 4. |
| 735 while (len > 0 && len % 4 != 0 && auth_data_[len - 1] == '=') |
| 736 len--; |
| 737 auth_data_.erase(len); |
| 738 |
| 739 if (!Base64Decode(auth_data_, &decoded_auth_data)) |
| 740 return std::string(); // Improper base64 encoding |
| 741 in_buf_len = decoded_auth_data.length(); |
| 742 in_buf = decoded_auth_data.data(); |
| 743 } |
| 744 |
| 745 rv = ntlm_module_->GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len); |
| 746 if (rv != OK) |
| 747 return std::string(); |
| 748 |
| 749 // Base64 encode data in output buffer and prepend "NTLM ". |
| 750 std::string encode_input(static_cast<char*>(out_buf), out_buf_len); |
| 751 std::string encode_output; |
| 752 bool ok = Base64Encode(encode_input, &encode_output); |
| 753 // OK, we are done with |out_buf| |
| 754 free(out_buf); |
| 755 if (!ok) |
| 756 return std::string(); |
| 757 return std::string("NTLM ") + encode_output; |
| 758 } |
| 759 |
| 760 // The NTLM challenge header looks like: |
| 761 // WWW-Authenticate: NTLM auth-data |
| 762 bool HttpAuthHandlerNTLM::ParseChallenge( |
| 763 std::string::const_iterator challenge_begin, |
| 764 std::string::const_iterator challenge_end) { |
| 765 scheme_ = "ntlm"; |
| 766 score_ = 3; |
| 767 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; |
| 768 auth_data_.clear(); |
| 769 |
| 770 // Verify the challenge's auth-scheme. |
| 771 HttpAuth::ChallengeTokenizer challenge_tok(challenge_begin, challenge_end); |
| 772 if (!challenge_tok.valid() || |
| 773 !LowerCaseEqualsASCII(challenge_tok.scheme(), "ntlm")) |
| 774 return false; |
| 775 |
| 776 // Extract the auth-data. We can't use challenge_tok.GetNext() because |
| 777 // auth-data is base64-encoded and may contain '=' padding at the end, |
| 778 // which would be mistaken for a name=value pair. |
| 779 challenge_begin += 4; // Skip over "NTLM". |
| 780 HttpUtil::TrimLWS(&challenge_begin, &challenge_end); |
| 781 |
| 782 auth_data_.assign(challenge_begin, challenge_end); |
| 783 |
| 784 return true; |
| 785 } |
| 786 |
| 787 } // namespace net |
OLD | NEW |