OpenVPN
ntlm.c
Go to the documentation of this file.
1 /*
2  * ntlm proxy support for OpenVPN
3  *
4  * Copyright (C) 2004 William Preston
5  *
6  * *NTLMv2 support and domain name parsing by Miroslav Zajic, Nextsoft s.r.o.*
7  *
8  * This program is free software; you can redistribute it and/or modify
9  * it under the terms of the GNU General Public License as published by
10  * the Free Software Foundation; either version 2 of the License, or
11  * (at your option) any later version.
12  *
13  * This program is distributed in the hope that it will be useful,
14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16  * GNU General Public License for more details.
17  *
18  * You should have received a copy of the GNU General Public License along
19  * with this program; if not, write to the Free Software Foundation, Inc.,
20  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21  */
22 
23 #ifdef HAVE_CONFIG_H
24 #include "config.h"
25 #elif defined(_MSC_VER)
26 #include "config-msvc.h"
27 #endif
28 
29 #include "syshead.h"
30 
31 #if NTLM
32 
33 #include "common.h"
34 #include "buffer.h"
35 #include "misc.h"
36 #include "socket.h"
37 #include "fdmisc.h"
38 #include "proxy.h"
39 #include "ntlm.h"
40 #include "base64.h"
41 #include "crypto.h"
42 
43 #include "memdbg.h"
44 
45 
46 /* 64bit datatype macros */
47 #ifdef _MSC_VER
48 /* MS compilers */
49 #define UINTEGER64 __int64
50 #define UINT64(c) c ## Ui64
51 #else
52 /* Non MS compilers */
53 #define UINTEGER64 unsigned long long
54 #define UINT64(c) c ## LL
55 #endif
56 
57 
58 
59 static void
60 create_des_keys(const unsigned char *hash, unsigned char *key)
61 {
62  key[0] = hash[0];
63  key[1] = ((hash[0] & 1) << 7) | (hash[1] >> 1);
64  key[2] = ((hash[1] & 3) << 6) | (hash[2] >> 2);
65  key[3] = ((hash[2] & 7) << 5) | (hash[3] >> 3);
66  key[4] = ((hash[3] & 15) << 4) | (hash[4] >> 4);
67  key[5] = ((hash[4] & 31) << 3) | (hash[5] >> 5);
68  key[6] = ((hash[5] & 63) << 2) | (hash[6] >> 6);
69  key[7] = ((hash[6] & 127) << 1);
70  key_des_fixup(key, 8, 1);
71 }
72 
73 static void
74 gen_md4_hash(const uint8_t *data, int data_len, uint8_t *result)
75 {
76  /* result is 16 byte md4 hash */
77  const md_kt_t *md4_kt = md_kt_get("MD4");
79 
80  md_full(md4_kt, data, data_len, md);
81  memcpy(result, md, MD4_DIGEST_LENGTH);
82 }
83 
84 static void
85 gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len,
86  uint8_t *result)
87 {
88  const md_kt_t *md5_kt = md_kt_get("MD5");
89  hmac_ctx_t *hmac_ctx = hmac_ctx_new();
90 
91  hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
92  hmac_ctx_update(hmac_ctx, data, data_len);
93  hmac_ctx_final(hmac_ctx, result);
94  hmac_ctx_cleanup(hmac_ctx);
95  hmac_ctx_free(hmac_ctx);
96 }
97 
98 static void
100 {
101  /* Copies 8 bytes long timestamp into "timestamp" buffer.
102  * Timestamp is Little-endian, 64-bit signed value representing the
103  * number of tenths of a microsecond since January 1, 1601.
104  */
105 
106  UINTEGER64 timestamp_ull;
107 
108  timestamp_ull = openvpn_time(NULL);
109  timestamp_ull = (timestamp_ull + UINT64(11644473600)) * UINT64(10000000);
110 
111  /* store little endian value */
112  timestamp[0] = timestamp_ull & UINT64(0xFF);
113  timestamp[1] = (timestamp_ull >> 8) & UINT64(0xFF);
114  timestamp[2] = (timestamp_ull >> 16) & UINT64(0xFF);
115  timestamp[3] = (timestamp_ull >> 24) & UINT64(0xFF);
116  timestamp[4] = (timestamp_ull >> 32) & UINT64(0xFF);
117  timestamp[5] = (timestamp_ull >> 40) & UINT64(0xFF);
118  timestamp[6] = (timestamp_ull >> 48) & UINT64(0xFF);
119  timestamp[7] = (timestamp_ull >> 56) & UINT64(0xFF);
120 }
121 
122 static void
123 gen_nonce(unsigned char *nonce)
124 {
125  /* Generates 8 random bytes to be used as client nonce */
126  int i;
127 
128  for (i = 0; i<8; i++)
129  {
130  nonce[i] = (unsigned char)get_random();
131  }
132 }
133 
134 static void
135 my_strupr(char *str)
136 {
137  /* converts string to uppercase in place */
138 
139  while (*str)
140  {
141  *str = toupper(*str);
142  str++;
143  }
144 }
145 
146 static int
147 unicodize(char *dst, const char *src)
148 {
149  /* not really unicode... */
150  int i = 0;
151  do
152  {
153  dst[i++] = *src;
154  dst[i++] = 0;
155  } while (*src++);
156 
157  return i;
158 }
159 
160 static void
161 add_security_buffer(int sb_offset, void *data, int length,
162  unsigned char *msg_buf, int *msg_bufpos)
163 {
164  /* Adds security buffer data to a message and sets security buffer's
165  * offset and length */
166  msg_buf[sb_offset] = (unsigned char)length;
167  msg_buf[sb_offset + 2] = msg_buf[sb_offset];
168  msg_buf[sb_offset + 4] = (unsigned char)(*msg_bufpos & 0xff);
169  msg_buf[sb_offset + 5] = (unsigned char)((*msg_bufpos >> 8) & 0xff);
170  memcpy(&msg_buf[*msg_bufpos], data, msg_buf[sb_offset]);
171  *msg_bufpos += length;
172 }
173 
174 const char *
175 ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc)
176 {
177  struct buffer out = alloc_buf_gc(96, gc);
178  /* try a minimal NTLM handshake
179  *
180  * http://davenport.sourceforge.net/ntlm.html
181  *
182  * This message contains only the NTLMSSP signature,
183  * the NTLM message type,
184  * and the minimal set of flags (Negotiate NTLM and Negotiate OEM).
185  *
186  */
187  buf_printf(&out, "%s", "TlRMTVNTUAABAAAAAgIAAA==");
188  return (BSTR(&out));
189 }
190 
191 const char *
192 ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2,
193  struct gc_arena *gc)
194 {
195  /* NTLM handshake
196  *
197  * http://davenport.sourceforge.net/ntlm.html
198  *
199  */
200 
201  char pwbuf[sizeof(p->up.password) * 2]; /* for unicode password */
202  uint8_t buf2[128]; /* decoded reply from proxy */
203  uint8_t phase3[464];
204 
205  uint8_t md4_hash[MD4_DIGEST_LENGTH + 5];
206  uint8_t challenge[8], ntlm_response[24];
207  int i, ret_val;
208 
209  uint8_t ntlmv2_response[144];
210  char userdomain_u[256]; /* for uppercase unicode username and domain */
211  char userdomain[128]; /* the same as previous but ascii */
212  uint8_t ntlmv2_hash[MD5_DIGEST_LENGTH];
213  uint8_t ntlmv2_hmacmd5[16];
214  uint8_t *ntlmv2_blob = ntlmv2_response + 16; /* inside ntlmv2_response, length: 128 */
215  int ntlmv2_blob_size = 0;
216  int phase3_bufpos = 0x40; /* offset to next security buffer data to be added */
217  size_t len;
218 
219  char domain[128];
220  char username[128];
221  char *separator;
222 
223  bool ntlmv2_enabled = (p->auth_method == HTTP_AUTH_NTLM2);
224 
225  CLEAR(buf2);
226 
227  ASSERT(strlen(p->up.username) > 0);
228  ASSERT(strlen(p->up.password) > 0);
229 
230  /* username parsing */
231  separator = strchr(p->up.username, '\\');
232  if (separator == NULL)
233  {
234  strncpy(username, p->up.username, sizeof(username)-1);
235  username[sizeof(username)-1] = 0;
236  domain[0] = 0;
237  }
238  else
239  {
240  strncpy(username, separator+1, sizeof(username)-1);
241  username[sizeof(username)-1] = 0;
242  len = separator - p->up.username;
243  if (len > sizeof(domain) - 1)
244  {
245  len = sizeof(domain) - 1;
246  }
247  strncpy(domain, p->up.username, len);
248  domain[len] = 0;
249  }
250 
251 
252  /* fill 1st 16 bytes with md4 hash, disregard terminating null */
253  int unicode_len = unicodize(pwbuf, p->up.password) - 2;
254  gen_md4_hash((uint8_t *)pwbuf, unicode_len, md4_hash);
255 
256  /* pad to 21 bytes */
257  memset(md4_hash + MD4_DIGEST_LENGTH, 0, 5);
258 
259  ret_val = openvpn_base64_decode(phase_2, buf2, -1);
260  if (ret_val < 0)
261  {
262  return NULL;
263  }
264 
265  /* we can be sure that phase_2 is less than 128
266  * therefore buf2 needs to be (3/4 * 128) */
267 
268  /* extract the challenge from bytes 24-31 */
269  for (i = 0; i<8; i++)
270  {
271  challenge[i] = buf2[i+24];
272  }
273 
274  if (ntlmv2_enabled) /* Generate NTLMv2 response */
275  {
276  int tib_len;
277 
278  /* NTLMv2 hash */
279  strcpy(userdomain, username);
280  my_strupr(userdomain);
281  if (strlen(username) + strlen(domain) < sizeof(userdomain))
282  {
283  strcat(userdomain, domain);
284  }
285  else
286  {
287  msg(M_INFO, "Warning: Username or domain too long");
288  }
289  unicodize(userdomain_u, userdomain);
290  gen_hmac_md5((uint8_t *)userdomain_u, 2 * strlen(userdomain), md4_hash,
291  MD5_DIGEST_LENGTH, ntlmv2_hash);
292 
293  /* NTLMv2 Blob */
294  memset(ntlmv2_blob, 0, 128); /* Clear blob buffer */
295  ntlmv2_blob[0x00] = 1; /* Signature */
296  ntlmv2_blob[0x01] = 1; /* Signature */
297  ntlmv2_blob[0x04] = 0; /* Reserved */
298  gen_timestamp(&ntlmv2_blob[0x08]); /* 64-bit Timestamp */
299  gen_nonce(&ntlmv2_blob[0x10]); /* 64-bit Client Nonce */
300  ntlmv2_blob[0x18] = 0; /* Unknown, zero should work */
301 
302  /* Add target information block to the blob */
303 
304  /* Check for Target Information block */
305  /* The NTLM spec instructs to interpret these 4 consecutive bytes as a
306  * 32bit long integer. However, no endianness is specified.
307  * The code here and that found in other NTLM implementations point
308  * towards the assumption that the byte order on the wire has to
309  * match the order on the sending and receiving hosts. Probably NTLM has
310  * been thought to be always running on x86_64/i386 machine thus
311  * implying Little-Endian everywhere.
312  *
313  * This said, in case of future changes, we should keep in mind that the
314  * byte order on the wire for the NTLM header is LE.
315  */
316  const size_t hoff = 0x14;
317  unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8)
318  |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
319  if ((flags & 0x00800000) == 0x00800000)
320  {
321  tib_len = buf2[0x28]; /* Get Target Information block size */
322  if (tib_len > 96)
323  {
324  tib_len = 96;
325  }
326 
327  {
328  uint8_t *tib_ptr;
329  uint8_t tib_pos = buf2[0x2c];
330  if (tib_pos + tib_len > sizeof(buf2))
331  {
332  return NULL;
333  }
334  /* Get Target Information block pointer */
335  tib_ptr = buf2 + tib_pos;
336  /* Copy Target Information block into the blob */
337  memcpy(&ntlmv2_blob[0x1c], tib_ptr, tib_len);
338  }
339  }
340  else
341  {
342  tib_len = 0;
343  }
344 
345  /* Unknown, zero works */
346  ntlmv2_blob[0x1c + tib_len] = 0;
347 
348  /* Get blob length */
349  ntlmv2_blob_size = 0x20 + tib_len;
350 
351  /* Add challenge from message 2 */
352  memcpy(&ntlmv2_response[8], challenge, 8);
353 
354  /* hmac-md5 */
355  gen_hmac_md5(&ntlmv2_response[8], ntlmv2_blob_size + 8, ntlmv2_hash,
356  MD5_DIGEST_LENGTH, ntlmv2_hmacmd5);
357 
358  /* Add hmac-md5 result to the blob.
359  * Note: This overwrites challenge previously written at
360  * ntlmv2_response[8..15] */
361  memcpy(ntlmv2_response, ntlmv2_hmacmd5, MD5_DIGEST_LENGTH);
362  }
363  else /* Generate NTLM response */
364  {
365  unsigned char key1[DES_KEY_LENGTH], key2[DES_KEY_LENGTH];
366  unsigned char key3[DES_KEY_LENGTH];
367 
368  create_des_keys(md4_hash, key1);
369  cipher_des_encrypt_ecb(key1, challenge, ntlm_response);
370 
371  create_des_keys(&md4_hash[DES_KEY_LENGTH - 1], key2);
372  cipher_des_encrypt_ecb(key2, challenge, &ntlm_response[DES_KEY_LENGTH]);
373 
374  create_des_keys(&md4_hash[2 * (DES_KEY_LENGTH - 1)], key3);
375  cipher_des_encrypt_ecb(key3, challenge,
376  &ntlm_response[DES_KEY_LENGTH * 2]);
377  }
378 
379 
380  memset(phase3, 0, sizeof(phase3)); /* clear reply */
381 
382  strcpy((char *)phase3, "NTLMSSP\0"); /* signature */
383  phase3[8] = 3; /* type 3 */
384 
385  if (ntlmv2_enabled) /* NTLMv2 response */
386  {
387  add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16,
388  phase3, &phase3_bufpos);
389  }
390  else /* NTLM response */
391  {
392  add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos);
393  }
394 
395  /* username in ascii */
396  add_security_buffer(0x24, username, strlen(username), phase3,
397  &phase3_bufpos);
398 
399  /* Set domain. If <domain> is empty, default domain will be used
400  * (i.e. proxy's domain) */
401  add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos);
402 
403  /* other security buffers will be empty */
404  phase3[0x10] = phase3_bufpos; /* lm not used */
405  phase3[0x30] = phase3_bufpos; /* no workstation name supplied */
406  phase3[0x38] = phase3_bufpos; /* no session key */
407 
408  /* flags */
409  phase3[0x3c] = 0x02; /* negotiate oem */
410  phase3[0x3d] = 0x02; /* negotiate ntlm */
411 
412  return ((const char *)make_base64_string2((unsigned char *)phase3,
413  phase3_bufpos, gc));
414 }
415 
416 #else /* if NTLM */
417 static void
418 dummy(void)
419 {
420 }
421 #endif /* if NTLM */
int md_full(const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst)
#define M_INFO
Definition: errlevel.h:55
static void add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos)
Definition: ntlm.c:161
const char * ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc)
Definition: ntlm.c:192
static void my_strupr(char *str)
Definition: ntlm.c:135
int auth_method
Definition: proxy.h:69
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define UINTEGER64
Definition: ntlm.c:53
static void dummy(void)
Definition: comp-lz4.c:319
const char * ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc)
Definition: ntlm.c:175
#define ASSERT(x)
Definition: error.h:221
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
char username[USER_PASS_LEN]
Definition: misc.h:74
void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char src[DES_KEY_LENGTH], unsigned char dst[DES_KEY_LENGTH])
Encrypt the given block, using DES ECB mode.
#define MD5_DIGEST_LENGTH
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define CLEAR(x)
Definition: basic.h:33
#define MD4_DIGEST_LENGTH
static void gen_md4_hash(const uint8_t *data, int data_len, uint8_t *result)
Definition: ntlm.c:74
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
int openvpn_base64_decode(const char *str, void *data, int size)
Definition: base64.c:160
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
uint8_t * make_base64_string2(const uint8_t *str, int src_len, struct gc_arena *gc)
Definition: proxy.c:229
static void gen_hmac_md5(const uint8_t *data, int data_len, const uint8_t *key, int key_len, uint8_t *result)
Definition: ntlm.c:85
struct gc_arena gc
Definition: multi.h:78
void key_des_fixup(uint8_t *key, int key_len, int ndc)
static void gen_timestamp(uint8_t *timestamp)
Definition: ntlm.c:99
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
static time_t openvpn_time(time_t *t)
Definition: otime.h:123
#define msg
Definition: error.h:173
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
static void create_des_keys(const unsigned char *hash, unsigned char *key)
Definition: ntlm.c:60
unsigned __int8 uint8_t
Definition: config-msvc.h:123
#define UINT64(c)
Definition: ntlm.c:54
static void gen_nonce(unsigned char *nonce)
Definition: ntlm.c:123
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define HTTP_AUTH_NTLM2
Definition: proxy.h:35
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
static int unicodize(char *dst, const char *src)
Definition: ntlm.c:147
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, const md_kt_t *kt)
struct user_pass up
Definition: proxy.h:71
char * dst
Definition: compat-lz4.h:455
#define BSTR(buf)
Definition: buffer.h:129
hmac_ctx_t * hmac_ctx_new(void)
long int get_random(void)
Definition: crypto.c:1767
char password[USER_PASS_LEN]
Definition: misc.h:75
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
Definition: list.h:60
#define DES_KEY_LENGTH
void hmac_ctx_free(hmac_ctx_t *ctx)
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151