357 lines
12 KiB
Diff
357 lines
12 KiB
Diff
diff -up libsoup-2.62.3/libsoup/soup-auth-ntlm.c.4 libsoup-2.62.3/libsoup/soup-auth-ntlm.c
|
|
--- libsoup-2.62.3/libsoup/soup-auth-ntlm.c.4 2021-03-12 07:30:03.366088932 +0100
|
|
+++ libsoup-2.62.3/libsoup/soup-auth-ntlm.c 2021-03-12 07:30:25.296043405 +0100
|
|
@@ -12,6 +12,8 @@
|
|
#include <errno.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
+#include <stdio.h>
|
|
+
|
|
#include <glib.h>
|
|
|
|
#include "soup-auth-ntlm.h"
|
|
@@ -26,14 +28,20 @@ static char *soup_ntlm_request
|
|
static gboolean soup_ntlm_parse_challenge (const char *challenge,
|
|
char **nonce,
|
|
char **default_domain,
|
|
- gboolean *ntlmv2_session);
|
|
-static char *soup_ntlm_response (const char *nonce,
|
|
+ gboolean *ntlmv2_session,
|
|
+ gboolean *negotiate_target,
|
|
+ char **target_info,
|
|
+ size_t *target_info_sz);
|
|
+static char *soup_ntlm_response (const char *nonce,
|
|
const char *user,
|
|
guchar nt_hash[21],
|
|
guchar lm_hash[21],
|
|
const char *host,
|
|
const char *domain,
|
|
- gboolean ntlmv2_session);
|
|
+ gboolean ntlmv2_session,
|
|
+ gboolean negotiate_target,
|
|
+ const char *target_info,
|
|
+ size_t target_info_sz);
|
|
|
|
typedef enum {
|
|
SOUP_NTLM_NEW,
|
|
@@ -49,6 +57,9 @@ typedef struct {
|
|
char *nonce;
|
|
char *response_header;
|
|
gboolean ntlmv2_session;
|
|
+ gboolean negotiate_target;
|
|
+ char *target_info;
|
|
+ size_t target_info_sz;
|
|
} SoupNTLMConnectionState;
|
|
|
|
typedef enum {
|
|
@@ -280,6 +291,7 @@ soup_auth_ntlm_free_connection_state (So
|
|
|
|
g_free (conn->nonce);
|
|
g_free (conn->response_header);
|
|
+ g_free (conn->target_info);
|
|
g_slice_free (SoupNTLMConnectionState, conn);
|
|
}
|
|
|
|
@@ -339,7 +351,8 @@ soup_auth_ntlm_update_connection (SoupCo
|
|
|
|
if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce,
|
|
priv->domain ? NULL : &priv->domain,
|
|
- &conn->ntlmv2_session)) {
|
|
+ &conn->ntlmv2_session, &conn->negotiate_target,
|
|
+ &conn->target_info, &conn->target_info_sz)) {
|
|
conn->state = SOUP_NTLM_FAILED;
|
|
return FALSE;
|
|
}
|
|
@@ -521,7 +534,10 @@ soup_auth_ntlm_get_connection_authorizat
|
|
priv->lm_hash,
|
|
NULL,
|
|
priv->domain,
|
|
- conn->ntlmv2_session);
|
|
+ conn->ntlmv2_session,
|
|
+ conn->negotiate_target,
|
|
+ conn->target_info,
|
|
+ conn->target_info_sz);
|
|
}
|
|
g_clear_pointer (&conn->nonce, g_free);
|
|
conn->state = SOUP_NTLM_SENT_RESPONSE;
|
|
@@ -647,14 +663,20 @@ typedef struct {
|
|
#define NTLM_CHALLENGE_NONCE_OFFSET 24
|
|
#define NTLM_CHALLENGE_NONCE_LENGTH 8
|
|
#define NTLM_CHALLENGE_DOMAIN_STRING_OFFSET 12
|
|
+#define NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET 40
|
|
|
|
#define NTLM_CHALLENGE_FLAGS_OFFSET 20
|
|
#define NTLM_FLAGS_NEGOTIATE_NTLMV2 0x00080000
|
|
+#define NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION 0x00800000
|
|
+#define NTLM_FLAGS_REQUEST_TARGET 0x00000004
|
|
|
|
#define NTLM_RESPONSE_HEADER "NTLMSSP\x00\x03\x00\x00\x00"
|
|
#define NTLM_RESPONSE_FLAGS 0x8201
|
|
+#define NTLM_RESPONSE_TARGET_INFORMATION_OFFSET 44
|
|
#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0x00080000
|
|
|
|
+#define HMAC_MD5_LENGTH 16
|
|
+
|
|
typedef struct {
|
|
guchar header[12];
|
|
|
|
@@ -686,10 +708,14 @@ static gboolean
|
|
soup_ntlm_parse_challenge (const char *challenge,
|
|
char **nonce,
|
|
char **default_domain,
|
|
- gboolean *ntlmv2_session)
|
|
+ gboolean *ntlmv2_session,
|
|
+ gboolean *negotiate_target,
|
|
+ char **target_info,
|
|
+ size_t *target_info_sz)
|
|
{
|
|
gsize clen;
|
|
NTLMString domain;
|
|
+ NTLMString target;
|
|
guchar *chall;
|
|
guint32 flags;
|
|
|
|
@@ -703,6 +729,14 @@ soup_ntlm_parse_challenge (const char *c
|
|
memcpy (&flags, chall + NTLM_CHALLENGE_FLAGS_OFFSET, sizeof(flags));
|
|
flags = GUINT_FROM_LE (flags);
|
|
*ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
|
|
+ /* To know if NTLMv2 responses should be calculated */
|
|
+ *negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
|
|
+ if (*negotiate_target) {
|
|
+ if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
|
|
+ g_free (chall);
|
|
+ return FALSE;
|
|
+ }
|
|
+ }
|
|
|
|
if (default_domain) {
|
|
memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));
|
|
@@ -723,6 +757,19 @@ soup_ntlm_parse_challenge (const char *c
|
|
*nonce = g_memdup (chall + NTLM_CHALLENGE_NONCE_OFFSET,
|
|
NTLM_CHALLENGE_NONCE_LENGTH);
|
|
}
|
|
+ /* For NTLMv2 response */
|
|
+ if (*negotiate_target && target_info) {
|
|
+ memcpy (&target, chall + NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET, sizeof (target));
|
|
+ target.length = GUINT16_FROM_LE (target.length);
|
|
+ target.offset = GUINT16_FROM_LE (target.offset);
|
|
+
|
|
+ if (clen < target.length + target.offset) {
|
|
+ g_free (chall);
|
|
+ return FALSE;
|
|
+ }
|
|
+ *target_info = g_memdup (chall + target.offset, target.length);
|
|
+ *target_info_sz = target.length;
|
|
+ }
|
|
|
|
g_free (chall);
|
|
return TRUE;
|
|
@@ -761,6 +808,115 @@ calc_ntlm2_session_response (const char
|
|
calc_response (nt_hash, ntlmv2_hash, nt_resp);
|
|
}
|
|
|
|
+/* Compute HMAC-MD5 with Glib function*/
|
|
+static void
|
|
+calc_hmac_md5 (unsigned char *hmac, const guchar *key, gsize key_sz, const guchar *data, gsize data_sz)
|
|
+{
|
|
+ char *hmac_hex, *hex_pos;
|
|
+ size_t count;
|
|
+
|
|
+ hmac_hex = g_compute_hmac_for_data(G_CHECKSUM_MD5, key, key_sz, data, data_sz);
|
|
+ hex_pos = hmac_hex;
|
|
+ for (count = 0; count < HMAC_MD5_LENGTH; count++)
|
|
+ {
|
|
+ /* The 'hh' sscanf format modifier is C99, so we enable it on
|
|
+ * non-Windows or if __USE_MINGW_ANSI_STDIO is enabled or`
|
|
+ * if we are building on Visual Studio 2015 or later
|
|
+ */
|
|
+#if !defined (G_OS_WIN32) || (__USE_MINGW_ANSI_STDIO == 1) || (_MSC_VER >= 1900)
|
|
+ sscanf(hex_pos, "%2hhx", &hmac[count]);
|
|
+#else
|
|
+ unsigned int tmp_hmac;
|
|
+ sscanf(hex_pos, "%2x", &tmp_hmac);
|
|
+ hmac[count] = (guint8)tmp_hmac;
|
|
+#endif
|
|
+
|
|
+ hex_pos += 2;
|
|
+ }
|
|
+ g_free(hmac_hex);
|
|
+}
|
|
+
|
|
+static void
|
|
+calc_ntlmv2_response (const char *user, const char *domain,
|
|
+ const guchar *nt_hash, const gsize nt_hash_sz,
|
|
+ const guchar *nonce,
|
|
+ const char *target_info, size_t target_info_sz,
|
|
+ guchar *lm_resp, size_t lm_resp_sz,
|
|
+ guchar *nt_resp, size_t nt_resp_sz)
|
|
+{
|
|
+ const unsigned char blob_signature[] = {0x01,0x01,0x00,0x00};
|
|
+ const unsigned char blob_reserved[] = {0x00,0x00,0x00,0x00};
|
|
+ gint64 blob_timestamp;
|
|
+ unsigned char client_nonce[8];
|
|
+ const unsigned char blob_unknown[] = {0x00,0x00,0x00,0x00};
|
|
+
|
|
+ unsigned char ntv2_hash[HMAC_MD5_LENGTH];
|
|
+ guchar *nonce_blob, *blob, *p_blob;
|
|
+ unsigned char nonce_blob_hash[HMAC_MD5_LENGTH];
|
|
+ unsigned char nonce_client_nonce[16], nonce_client_nonce_hash[HMAC_MD5_LENGTH];
|
|
+ gchar *user_uppercase, *user_domain, *user_domain_conv;
|
|
+ gsize user_domain_conv_sz;
|
|
+ size_t blob_sz;
|
|
+ int i;
|
|
+
|
|
+ /* create HMAC-MD5 hash of Unicode uppercase username and Unicode domain */
|
|
+ user_uppercase = g_utf8_strup (user, strlen (user));
|
|
+ user_domain = g_strconcat (user_uppercase, domain, NULL);
|
|
+ user_domain_conv = g_convert (user_domain, -1, "UCS-2LE", "UTF-8", NULL, &user_domain_conv_sz, NULL);
|
|
+ calc_hmac_md5 (ntv2_hash, nt_hash, nt_hash_sz, (const guchar *)user_domain_conv, user_domain_conv_sz);
|
|
+ g_free (user_uppercase);
|
|
+ g_free (user_domain);
|
|
+ g_free (user_domain_conv);
|
|
+
|
|
+ /* create random client nonce */
|
|
+ for (i = 0; i < sizeof (client_nonce); i++)
|
|
+ {
|
|
+ client_nonce[i] = g_random_int();
|
|
+ }
|
|
+
|
|
+ /* create timestamp for blob
|
|
+ * LE, 64-bit signed value, number of tenths of a ms since January 1, 1601.*/
|
|
+ blob_timestamp = GINT64_TO_LE(((unsigned long)time(NULL) + 11644473600) * 10000000);
|
|
+
|
|
+ /* create blob */
|
|
+ blob_sz = sizeof (blob_signature) + sizeof (blob_reserved) +
|
|
+ sizeof (blob_timestamp) + sizeof (client_nonce) +
|
|
+ sizeof (blob_unknown) + target_info_sz;
|
|
+ p_blob = blob = g_malloc (blob_sz);
|
|
+ memset (blob, 0, blob_sz);
|
|
+ memcpy (p_blob, blob_signature, sizeof (blob_signature));
|
|
+ memcpy (p_blob += sizeof (blob_signature), blob_reserved, sizeof (blob_reserved));
|
|
+ memcpy (p_blob += sizeof (blob_reserved), &blob_timestamp, sizeof (blob_timestamp));
|
|
+ memcpy (p_blob += sizeof (blob_timestamp), client_nonce, sizeof (client_nonce));
|
|
+ memcpy (p_blob += sizeof (client_nonce), blob_unknown, sizeof (blob_unknown));
|
|
+ memcpy (p_blob += sizeof (blob_unknown), target_info, target_info_sz);
|
|
+
|
|
+ /* create HMAC-MD5 hash of concatenated nonce and blob */
|
|
+ nonce_blob = g_malloc (NTLM_CHALLENGE_NONCE_LENGTH + blob_sz);
|
|
+ memcpy (nonce_blob, nonce, NTLM_CHALLENGE_NONCE_LENGTH);
|
|
+ memcpy (nonce_blob + NTLM_CHALLENGE_NONCE_LENGTH, blob, blob_sz);
|
|
+ calc_hmac_md5 (nonce_blob_hash, (const guchar *)ntv2_hash, (gsize) sizeof (ntv2_hash), (const guchar *) nonce_blob, (gsize) NTLM_CHALLENGE_NONCE_LENGTH + blob_sz);
|
|
+ g_free (nonce_blob);
|
|
+
|
|
+ /* create NTv2 response */
|
|
+ memset (nt_resp, 0, nt_resp_sz);
|
|
+ memcpy (nt_resp, nonce_blob_hash, sizeof (nonce_blob_hash));
|
|
+ memcpy (nt_resp + sizeof (nonce_blob_hash), blob, blob_sz);
|
|
+
|
|
+ g_free (blob);
|
|
+
|
|
+ /* LMv2
|
|
+ * create HMAC-MD5 hash of concatenated nonce and client nonce
|
|
+ */
|
|
+ memcpy (nonce_client_nonce, nonce, NTLM_CHALLENGE_NONCE_LENGTH);
|
|
+ memcpy (nonce_client_nonce + NTLM_CHALLENGE_NONCE_LENGTH, client_nonce, sizeof (client_nonce));
|
|
+ calc_hmac_md5 (nonce_client_nonce_hash, (const guchar *) ntv2_hash, (gsize) sizeof (ntv2_hash), (const guchar *) nonce_client_nonce, (gsize) NTLM_CHALLENGE_NONCE_LENGTH + sizeof (client_nonce));
|
|
+
|
|
+ /* create LMv2 response */
|
|
+ memset (lm_resp, 0, lm_resp_sz);
|
|
+ memcpy (lm_resp, nonce_client_nonce_hash, sizeof (nonce_client_nonce_hash));
|
|
+ memcpy (lm_resp + sizeof (nonce_client_nonce_hash), client_nonce, sizeof (client_nonce));
|
|
+}
|
|
|
|
static char *
|
|
soup_ntlm_response (const char *nonce,
|
|
@@ -769,23 +925,45 @@ soup_ntlm_response (const char *nonce,
|
|
guchar lm_hash[21],
|
|
const char *host,
|
|
const char *domain,
|
|
- gboolean ntlmv2_session)
|
|
+ gboolean ntlmv2_session,
|
|
+ gboolean negotiate_target,
|
|
+ const char *target_info,
|
|
+ size_t target_info_sz)
|
|
{
|
|
+
|
|
int offset;
|
|
- gsize hlen, dlen, ulen;
|
|
- guchar lm_resp[24], nt_resp[24];
|
|
+ gsize hlen, dlen, ulen, nt_resp_sz;
|
|
+ guchar lm_resp[24], *nt_resp;
|
|
char *user_conv, *host_conv, *domain_conv;
|
|
NTLMResponse resp;
|
|
char *out, *p;
|
|
int state, save;
|
|
|
|
- if (ntlmv2_session) {
|
|
+ if (negotiate_target)
|
|
+ {
|
|
+ /* nonce_blob_hash 16 + blob_signature 4 + blob_reserved 4 +
|
|
+ * blob_timestamp 8 + client_nonce 8 + blob_unknown 4 +
|
|
+ * target_info*/
|
|
+ nt_resp_sz = NTLM_RESPONSE_TARGET_INFORMATION_OFFSET + target_info_sz;
|
|
+ } else {
|
|
+ nt_resp_sz = 24;
|
|
+ }
|
|
+ nt_resp = g_malloc (nt_resp_sz);
|
|
+
|
|
+ if (ntlmv2_session && !negotiate_target) {
|
|
calc_ntlm2_session_response (nonce, nt_hash, lm_hash,
|
|
lm_resp, sizeof(lm_resp), nt_resp);
|
|
- } else {
|
|
- /* Compute a regular response */
|
|
+ } else if (!negotiate_target){
|
|
+ /* Compute a regular NTLMv1 response */
|
|
calc_response (nt_hash, (guchar *) nonce, nt_resp);
|
|
calc_response (lm_hash, (guchar *) nonce, lm_resp);
|
|
+ } else {
|
|
+ calc_ntlmv2_response (user, domain,
|
|
+ nt_hash, 21,
|
|
+ (guchar *) nonce,
|
|
+ target_info, target_info_sz,
|
|
+ lm_resp, sizeof (lm_resp),
|
|
+ nt_resp, (size_t) nt_resp_sz);
|
|
}
|
|
|
|
memset (&resp, 0, sizeof (resp));
|
|
@@ -793,7 +971,8 @@ soup_ntlm_response (const char *nonce,
|
|
resp.flags = GUINT32_TO_LE (NTLM_RESPONSE_FLAGS);
|
|
if (ntlmv2_session)
|
|
resp.flags |= GUINT32_TO_LE (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY);
|
|
-
|
|
+ if (negotiate_target)
|
|
+ resp.flags |= GUINT32_TO_LE (NTLM_FLAGS_REQUEST_TARGET);
|
|
offset = sizeof (resp);
|
|
|
|
if (!host)
|
|
@@ -807,10 +986,10 @@ soup_ntlm_response (const char *nonce,
|
|
ntlm_set_string (&resp.user, &offset, ulen);
|
|
ntlm_set_string (&resp.host, &offset, hlen);
|
|
ntlm_set_string (&resp.lm_resp, &offset, sizeof (lm_resp));
|
|
- ntlm_set_string (&resp.nt_resp, &offset, sizeof (nt_resp));
|
|
+ ntlm_set_string (&resp.nt_resp, &offset, nt_resp_sz);
|
|
|
|
out = g_malloc (((offset + 3) * 4) / 3 + 6);
|
|
- strncpy (out, "NTLM ", 5);
|
|
+ memcpy (out, "NTLM ", 5);
|
|
p = out + 5;
|
|
|
|
state = save = 0;
|
|
@@ -825,7 +1004,7 @@ soup_ntlm_response (const char *nonce,
|
|
FALSE, p, &state, &save);
|
|
p += g_base64_encode_step (lm_resp, sizeof (lm_resp),
|
|
FALSE, p, &state, &save);
|
|
- p += g_base64_encode_step (nt_resp, sizeof (nt_resp),
|
|
+ p += g_base64_encode_step (nt_resp, nt_resp_sz,
|
|
FALSE, p, &state, &save);
|
|
p += g_base64_encode_close (FALSE, p, &state, &save);
|
|
*p = '\0';
|
|
@@ -833,6 +1012,7 @@ soup_ntlm_response (const char *nonce,
|
|
g_free (domain_conv);
|
|
g_free (user_conv);
|
|
g_free (host_conv);
|
|
+ g_free (nt_resp);
|
|
|
|
return out;
|
|
}
|