LCOV - code coverage report
Current view: top level - source4/heimdal/lib/ntlm - ntlm.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 0 747 0.0 %
Date: 2021-08-25 13:27:56 Functions: 0 42 0.0 %

          Line data    Source code
       1             : /*
       2             :  * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
       3             :  * (Royal Institute of Technology, Stockholm, Sweden).
       4             :  * All rights reserved.
       5             :  *
       6             :  * Portions Copyright (c) 2010 Apple Inc. All rights reserved.
       7             :  *
       8             :  * Redistribution and use in source and binary forms, with or without
       9             :  * modification, are permitted provided that the following conditions
      10             :  * are met:
      11             :  *
      12             :  * 1. Redistributions of source code must retain the above copyright
      13             :  *    notice, this list of conditions and the following disclaimer.
      14             :  *
      15             :  * 2. Redistributions in binary form must reproduce the above copyright
      16             :  *    notice, this list of conditions and the following disclaimer in the
      17             :  *    documentation and/or other materials provided with the distribution.
      18             :  *
      19             :  * 3. Neither the name of the Institute nor the names of its contributors
      20             :  *    may be used to endorse or promote products derived from this software
      21             :  *    without specific prior written permission.
      22             :  *
      23             :  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
      24             :  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
      25             :  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
      26             :  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
      27             :  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
      28             :  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
      29             :  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
      30             :  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
      31             :  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
      32             :  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
      33             :  * SUCH DAMAGE.
      34             :  */
      35             : 
      36             : #include <config.h>
      37             : 
      38             : #include <stdio.h>
      39             : #include <stdlib.h>
      40             : #include <assert.h>
      41             : #include <string.h>
      42             : #include <ctype.h>
      43             : #include <errno.h>
      44             : #include <limits.h>
      45             : 
      46             : #include <roken.h>
      47             : #include <parse_units.h>
      48             : #include <krb5.h>
      49             : 
      50             : #define HC_DEPRECATED_CRYPTO
      51             : 
      52             : #include "krb5-types.h"
      53             : #include "crypto-headers.h"
      54             : 
      55             : #include <heimntlm.h>
      56             : 
      57             : /*! \mainpage Heimdal NTLM library
      58             :  *
      59             :  * \section intro Introduction
      60             :  *
      61             :  * Heimdal libheimntlm library is a implementation of the NTLM
      62             :  * protocol, both version 1 and 2. The GSS-API mech that uses this
      63             :  * library adds support for transport encryption and integrity
      64             :  * checking.
      65             :  *
      66             :  * NTLM is a protocol for mutual authentication, its still used in
      67             :  * many protocol where Kerberos is not support, one example is
      68             :  * EAP/X802.1x mechanism LEAP from Microsoft and Cisco.
      69             :  *
      70             :  * This is a support library for the core protocol, its used in
      71             :  * Heimdal to implement and GSS-API mechanism. There is also support
      72             :  * in the KDC to do remote digest authenticiation, this to allow
      73             :  * services to authenticate users w/o direct access to the users ntlm
      74             :  * hashes (same as Kerberos arcfour enctype keys).
      75             :  *
      76             :  * More information about the NTLM protocol can found here
      77             :  * http://davenport.sourceforge.net/ntlm.html .
      78             :  *
      79             :  * The Heimdal projects web page: http://www.h5l.org/
      80             :  *
      81             :  * @section ntlm_example NTLM Example
      82             :  *
      83             :  * Example to to use @ref test_ntlm.c .
      84             :  *
      85             :  * @example test_ntlm.c
      86             :  *
      87             :  * Example how to use the NTLM primitives.
      88             :  *
      89             :  */
      90             : 
      91             : /** @defgroup ntlm_core Heimdal NTLM library
      92             :  *
      93             :  * The NTLM core functions implement the string2key generation
      94             :  * function, message encode and decode function, and the hash function
      95             :  * functions.
      96             :  */
      97             : 
      98             : struct sec_buffer {
      99             :     uint16_t length;
     100             :     uint16_t allocated;
     101             :     uint32_t offset;
     102             : };
     103             : 
     104             : static const unsigned char ntlmsigature[8] = "NTLMSSP\x00";
     105             : 
     106             : /*
     107             :  *
     108             :  */
     109             : 
     110             : #define CHECK(f, e)                                                     \
     111             :     do {                                                                \
     112             :         ret = f;                                                        \
     113             :         if (ret != (ssize_t)(e)) {                                      \
     114             :             ret = HNTLM_ERR_DECODE;                                     \
     115             :             goto out;                                                   \
     116             :         }                                                               \
     117             :     } while(/*CONSTCOND*/0)
     118             : 
     119             : static struct units ntlm_flag_units[] = {
     120             : #define ntlm_flag(x) { #x, NTLM_##x }
     121             :     ntlm_flag(ENC_56),
     122             :     ntlm_flag(NEG_KEYEX),
     123             :     ntlm_flag(ENC_128),
     124             :     ntlm_flag(MBZ1),
     125             :     ntlm_flag(MBZ2),
     126             :     ntlm_flag(MBZ3),
     127             :     ntlm_flag(NEG_VERSION),
     128             :     ntlm_flag(MBZ4),
     129             :     ntlm_flag(NEG_TARGET_INFO),
     130             :     ntlm_flag(NON_NT_SESSION_KEY),
     131             :     ntlm_flag(MBZ5),
     132             :     ntlm_flag(NEG_IDENTIFY),
     133             :     ntlm_flag(NEG_NTLM2),
     134             :     ntlm_flag(TARGET_SHARE),
     135             :     ntlm_flag(TARGET_SERVER),
     136             :     ntlm_flag(TARGET_DOMAIN),
     137             :     ntlm_flag(NEG_ALWAYS_SIGN),
     138             :     ntlm_flag(MBZ6),
     139             :     ntlm_flag(OEM_SUPPLIED_WORKSTATION),
     140             :     ntlm_flag(OEM_SUPPLIED_DOMAIN),
     141             :     ntlm_flag(NEG_ANONYMOUS),
     142             :     ntlm_flag(NEG_NT_ONLY),
     143             :     ntlm_flag(NEG_NTLM),
     144             :     ntlm_flag(MBZ8),
     145             :     ntlm_flag(NEG_LM_KEY),
     146             :     ntlm_flag(NEG_DATAGRAM),
     147             :     ntlm_flag(NEG_SEAL),
     148             :     ntlm_flag(NEG_SIGN),
     149             :     ntlm_flag(MBZ9),
     150             :     ntlm_flag(NEG_TARGET),
     151             :     ntlm_flag(NEG_OEM),
     152             :     ntlm_flag(NEG_UNICODE),
     153             : #undef ntlm_flag
     154             :     {NULL, 0}
     155             : };
     156             : 
     157             : size_t
     158           0 : heim_ntlm_unparse_flags(uint32_t flags, char *s, size_t len)
     159             : {
     160           0 :     return unparse_flags(flags, ntlm_flag_units, s, len);
     161             : }
     162             : 
     163             : 
     164             : /**
     165             :  * heim_ntlm_free_buf frees the ntlm buffer
     166             :  *
     167             :  * @param p buffer to be freed
     168             :  *
     169             :  * @ingroup ntlm_core
     170             :  */
     171             : 
     172             : void
     173           0 : heim_ntlm_free_buf(struct ntlm_buf *p)
     174             : {
     175           0 :     if (p->data)
     176           0 :         free(p->data);
     177           0 :     p->data = NULL;
     178           0 :     p->length = 0;
     179           0 : }
     180             : 
     181             : 
     182             : static int
     183           0 : ascii2ucs2le(const char *string, int up, struct ntlm_buf *buf)
     184             : {
     185             :     unsigned char *p;
     186             :     size_t len, i;
     187             : 
     188           0 :     len = strlen(string);
     189           0 :     if (len / 2 > UINT_MAX)
     190           0 :         return ERANGE;
     191             : 
     192           0 :     buf->length = len * 2;
     193           0 :     buf->data = malloc(buf->length);
     194           0 :     if (buf->data == NULL && len != 0) {
     195           0 :         heim_ntlm_free_buf(buf);
     196           0 :         return ENOMEM;
     197             :     }
     198             : 
     199           0 :     p = buf->data;
     200           0 :     for (i = 0; i < len; i++) {
     201           0 :         unsigned char t = (unsigned char)string[i];
     202           0 :         if (t & 0x80) {
     203           0 :             heim_ntlm_free_buf(buf);
     204           0 :             return EINVAL;
     205             :         }
     206           0 :         if (up)
     207           0 :             t = toupper(t);
     208           0 :         p[(i * 2) + 0] = t;
     209           0 :         p[(i * 2) + 1] = 0;
     210             :     }
     211           0 :     return 0;
     212             : }
     213             : 
     214             : /*
     215             :  *
     216             :  */
     217             : 
     218             : static krb5_error_code
     219           0 : ret_sec_buffer(krb5_storage *sp, struct sec_buffer *buf)
     220             : {
     221             :     krb5_error_code ret;
     222           0 :     CHECK(krb5_ret_uint16(sp, &buf->length), 0);
     223           0 :     CHECK(krb5_ret_uint16(sp, &buf->allocated), 0);
     224           0 :     CHECK(krb5_ret_uint32(sp, &buf->offset), 0);
     225           0 : out:
     226           0 :     return ret;
     227             : }
     228             : 
     229             : static krb5_error_code
     230           0 : store_sec_buffer(krb5_storage *sp, const struct sec_buffer *buf)
     231             : {
     232             :     krb5_error_code ret;
     233           0 :     CHECK(krb5_store_uint16(sp, buf->length), 0);
     234           0 :     CHECK(krb5_store_uint16(sp, buf->allocated), 0);
     235           0 :     CHECK(krb5_store_uint32(sp, buf->offset), 0);
     236           0 : out:
     237           0 :     return ret;
     238             : }
     239             : 
     240             : /*
     241             :  * Strings are either OEM or UNICODE. The later is encoded as ucs2 on
     242             :  * wire, but using utf8 in memory.
     243             :  */
     244             : 
     245             : static krb5_error_code
     246           0 : len_string(int ucs2, const char *s)
     247             : {
     248           0 :     size_t len = strlen(s);
     249           0 :     if (ucs2)
     250           0 :         len *= 2;
     251           0 :     return len;
     252             : }
     253             : 
     254             : /*
     255             :  *
     256             :  */
     257             : 
     258             : static krb5_error_code
     259           0 : ret_string(krb5_storage *sp, int ucs2, size_t len, char **s)
     260             : {
     261             :     krb5_error_code ret;
     262             : 
     263           0 :     *s = malloc(len + 1);
     264           0 :     if (*s == NULL)
     265           0 :         return ENOMEM;
     266           0 :     CHECK(krb5_storage_read(sp, *s, len), len);
     267             : 
     268           0 :     (*s)[len] = '\0';
     269             : 
     270           0 :     if (ucs2) {
     271             :         size_t i;
     272           0 :         for (i = 0; i < len / 2; i++) {
     273           0 :             (*s)[i] = (*s)[i * 2];
     274           0 :             if ((*s)[i * 2 + 1]) {
     275           0 :                 free(*s);
     276           0 :                 *s = NULL;
     277           0 :                 return EINVAL;
     278             :             }
     279             :         }
     280           0 :         (*s)[i] = '\0';
     281             :     }
     282           0 :     ret = 0;
     283           0 :  out:
     284           0 :     return ret;
     285             : }
     286             : 
     287             : 
     288             : 
     289             : static krb5_error_code
     290           0 : ret_sec_string(krb5_storage *sp, int ucs2, struct sec_buffer *desc, char **s)
     291             : {
     292           0 :     krb5_error_code ret = 0;
     293           0 :     CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
     294           0 :     CHECK(ret_string(sp, ucs2, desc->length, s), 0);
     295           0 :  out:
     296           0 :     return ret;
     297             : }
     298             : 
     299             : static krb5_error_code
     300           0 : put_string(krb5_storage *sp, int ucs2, const char *s)
     301             : {
     302             :     krb5_error_code ret;
     303             :     struct ntlm_buf buf;
     304             : 
     305           0 :     if (ucs2) {
     306           0 :         ret = ascii2ucs2le(s, 0, &buf);
     307           0 :         if (ret)
     308           0 :             return ret;
     309             :     } else {
     310           0 :         buf.data = rk_UNCONST(s);
     311           0 :         buf.length = strlen(s);
     312             :     }
     313             : 
     314           0 :     CHECK(krb5_storage_write(sp, buf.data, buf.length), buf.length);
     315           0 :     if (ucs2)
     316           0 :         heim_ntlm_free_buf(&buf);
     317           0 :     ret = 0;
     318           0 : out:
     319           0 :     return ret;
     320             : }
     321             : 
     322             : /*
     323             :  *
     324             :  */
     325             : 
     326             : static krb5_error_code
     327           0 : ret_buf(krb5_storage *sp, struct sec_buffer *desc, struct ntlm_buf *buf)
     328             : {
     329             :     krb5_error_code ret;
     330             : 
     331           0 :     buf->data = malloc(desc->length);
     332           0 :     buf->length = desc->length;
     333           0 :     CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
     334           0 :     CHECK(krb5_storage_read(sp, buf->data, buf->length), buf->length);
     335           0 :     ret = 0;
     336           0 : out:
     337           0 :     return ret;
     338             : }
     339             : 
     340             : static krb5_error_code
     341           0 : put_buf(krb5_storage *sp, const struct ntlm_buf *buf)
     342             : {
     343             :     krb5_error_code ret;
     344           0 :     CHECK(krb5_storage_write(sp, buf->data, buf->length), buf->length);
     345           0 :     ret = 0;
     346           0 : out:
     347           0 :     return ret;
     348             : }
     349             : 
     350             : /**
     351             :  * Frees the ntlm_targetinfo message
     352             :  *
     353             :  * @param ti targetinfo to be freed
     354             :  *
     355             :  * @ingroup ntlm_core
     356             :  */
     357             : 
     358             : void
     359           0 : heim_ntlm_free_targetinfo(struct ntlm_targetinfo *ti)
     360             : {
     361           0 :     free(ti->servername);
     362           0 :     free(ti->domainname);
     363           0 :     free(ti->dnsdomainname);
     364           0 :     free(ti->dnsservername);
     365           0 :     free(ti->dnstreename);
     366           0 :     memset(ti, 0, sizeof(*ti));
     367           0 : }
     368             : 
     369             : static int
     370           0 : encode_ti_string(krb5_storage *out, uint16_t type, int ucs2, char *s)
     371             : {
     372             :     krb5_error_code ret;
     373           0 :     CHECK(krb5_store_uint16(out, type), 0);
     374           0 :     CHECK(krb5_store_uint16(out, len_string(ucs2, s)), 0);
     375           0 :     CHECK(put_string(out, ucs2, s), 0);
     376           0 : out:
     377           0 :     return ret;
     378             : }
     379             : 
     380             : /**
     381             :  * Encodes a ntlm_targetinfo message.
     382             :  *
     383             :  * @param ti the ntlm_targetinfo message to encode.
     384             :  * @param ucs2 ignored
     385             :  * @param data is the return buffer with the encoded message, should be
     386             :  * freed with heim_ntlm_free_buf().
     387             :  *
     388             :  * @return In case of success 0 is return, an errors, a errno in what
     389             :  * went wrong.
     390             :  *
     391             :  * @ingroup ntlm_core
     392             :  */
     393             : 
     394             : int
     395           0 : heim_ntlm_encode_targetinfo(const struct ntlm_targetinfo *ti,
     396             :                             int ucs2,
     397             :                             struct ntlm_buf *data)
     398             : {
     399             :     krb5_error_code ret;
     400             :     krb5_storage *out;
     401             : 
     402           0 :     data->data = NULL;
     403           0 :     data->length = 0;
     404             : 
     405           0 :     out = krb5_storage_emem();
     406           0 :     if (out == NULL)
     407           0 :         return ENOMEM;
     408             : 
     409           0 :     krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
     410             : 
     411           0 :     if (ti->servername)
     412           0 :         CHECK(encode_ti_string(out, 1, ucs2, ti->servername), 0);
     413           0 :     if (ti->domainname)
     414           0 :         CHECK(encode_ti_string(out, 2, ucs2, ti->domainname), 0);
     415           0 :     if (ti->dnsservername)
     416           0 :         CHECK(encode_ti_string(out, 3, ucs2, ti->dnsservername), 0);
     417           0 :     if (ti->dnsdomainname)
     418           0 :         CHECK(encode_ti_string(out, 4, ucs2, ti->dnsdomainname), 0);
     419           0 :     if (ti->dnstreename)
     420           0 :         CHECK(encode_ti_string(out, 5, ucs2, ti->dnstreename), 0);
     421           0 :     if (ti->avflags) {
     422           0 :         CHECK(krb5_store_uint16(out, 6), 0);
     423           0 :         CHECK(krb5_store_uint16(out, 4), 0);
     424           0 :         CHECK(krb5_store_uint32(out, ti->avflags), 0);
     425             :     }
     426             : 
     427             :     /* end tag */
     428           0 :     CHECK(krb5_store_int16(out, 0), 0);
     429           0 :     CHECK(krb5_store_int16(out, 0), 0);
     430             : 
     431             :     {
     432             :         krb5_data d;
     433           0 :         ret = krb5_storage_to_data(out, &d);
     434           0 :         data->data = d.data;
     435           0 :         data->length = d.length;
     436             :     }
     437           0 : out:
     438           0 :     krb5_storage_free(out);
     439           0 :     return ret;
     440             : }
     441             : 
     442             : /**
     443             :  * Decodes an NTLM targetinfo message
     444             :  *
     445             :  * @param data input data buffer with the encode NTLM targetinfo message
     446             :  * @param ucs2 if the strings should be encoded with ucs2 (selected by flag in message).
     447             :  * @param ti the decoded target info, should be freed with heim_ntlm_free_targetinfo().
     448             :  *
     449             :  * @return In case of success 0 is return, an errors, a errno in what
     450             :  * went wrong.
     451             :  *
     452             :  * @ingroup ntlm_core
     453             :  */
     454             : 
     455             : int
     456           0 : heim_ntlm_decode_targetinfo(const struct ntlm_buf *data,
     457             :                             int ucs2,
     458             :                             struct ntlm_targetinfo *ti)
     459             : {
     460             :     uint16_t type, len;
     461             :     krb5_storage *in;
     462           0 :     int ret = 0, done = 0;
     463             : 
     464           0 :     memset(ti, 0, sizeof(*ti));
     465             : 
     466           0 :     if (data->length == 0)
     467           0 :         return 0;
     468             : 
     469           0 :     in = krb5_storage_from_readonly_mem(data->data, data->length);
     470           0 :     if (in == NULL)
     471           0 :         return ENOMEM;
     472           0 :     krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
     473             : 
     474           0 :     while (!done) {
     475           0 :         CHECK(krb5_ret_uint16(in, &type), 0);
     476           0 :         CHECK(krb5_ret_uint16(in, &len), 0);
     477             : 
     478           0 :         switch (type) {
     479           0 :         case 0:
     480           0 :             done = 1;
     481           0 :             break;
     482           0 :         case 1:
     483           0 :             CHECK(ret_string(in, ucs2, len, &ti->servername), 0);
     484           0 :             break;
     485           0 :         case 2:
     486           0 :             CHECK(ret_string(in, ucs2, len, &ti->domainname), 0);
     487           0 :             break;
     488           0 :         case 3:
     489           0 :             CHECK(ret_string(in, ucs2, len, &ti->dnsservername), 0);
     490           0 :             break;
     491           0 :         case 4:
     492           0 :             CHECK(ret_string(in, ucs2, len, &ti->dnsdomainname), 0);
     493           0 :             break;
     494           0 :         case 5:
     495           0 :             CHECK(ret_string(in, ucs2, len, &ti->dnstreename), 0);
     496           0 :             break;
     497           0 :         case 6:
     498           0 :             CHECK(krb5_ret_uint32(in, &ti->avflags), 0);
     499           0 :             break;
     500           0 :         default:
     501           0 :             krb5_storage_seek(in, len, SEEK_CUR);
     502           0 :             break;
     503             :         }
     504             :     }
     505           0 :  out:
     506           0 :     if (in)
     507           0 :         krb5_storage_free(in);
     508           0 :     return ret;
     509             : }
     510             : 
     511             : /**
     512             :  * Frees the ntlm_type1 message
     513             :  *
     514             :  * @param data message to be freed
     515             :  *
     516             :  * @ingroup ntlm_core
     517             :  */
     518             : 
     519             : void
     520           0 : heim_ntlm_free_type1(struct ntlm_type1 *data)
     521             : {
     522           0 :     if (data->domain)
     523           0 :         free(data->domain);
     524           0 :     if (data->hostname)
     525           0 :         free(data->hostname);
     526           0 :     memset(data, 0, sizeof(*data));
     527           0 : }
     528             : 
     529             : int
     530           0 : heim_ntlm_decode_type1(const struct ntlm_buf *buf, struct ntlm_type1 *data)
     531             : {
     532             :     krb5_error_code ret;
     533             :     unsigned char sig[8];
     534             :     uint32_t type;
     535             :     struct sec_buffer domain, hostname;
     536             :     krb5_storage *in;
     537             : 
     538           0 :     memset(data, 0, sizeof(*data));
     539             : 
     540           0 :     in = krb5_storage_from_readonly_mem(buf->data, buf->length);
     541           0 :     if (in == NULL) {
     542           0 :         ret = ENOMEM;
     543           0 :         goto out;
     544             :     }
     545           0 :     krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
     546             : 
     547           0 :     CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
     548           0 :     CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
     549           0 :     CHECK(krb5_ret_uint32(in, &type), 0);
     550           0 :     CHECK(type, 1);
     551           0 :     CHECK(krb5_ret_uint32(in, &data->flags), 0);
     552           0 :     if (data->flags & NTLM_OEM_SUPPLIED_DOMAIN)
     553           0 :         CHECK(ret_sec_buffer(in, &domain), 0);
     554           0 :     if (data->flags & NTLM_OEM_SUPPLIED_WORKSTATION)
     555           0 :         CHECK(ret_sec_buffer(in, &hostname), 0);
     556             : #if 0
     557             :     if (domain.offset > 32) {
     558             :         CHECK(krb5_ret_uint32(in, &data->os[0]), 0);
     559             :         CHECK(krb5_ret_uint32(in, &data->os[1]), 0);
     560             :     }
     561             : #endif
     562           0 :     if (data->flags & NTLM_OEM_SUPPLIED_DOMAIN)
     563           0 :         CHECK(ret_sec_string(in, 0, &domain, &data->domain), 0);
     564           0 :     if (data->flags & NTLM_OEM_SUPPLIED_WORKSTATION)
     565           0 :         CHECK(ret_sec_string(in, 0, &hostname, &data->hostname), 0);
     566             : 
     567           0 : out:
     568           0 :     if (in)
     569           0 :         krb5_storage_free(in);
     570           0 :     if (ret)
     571           0 :         heim_ntlm_free_type1(data);
     572             : 
     573           0 :     return ret;
     574             : }
     575             : 
     576             : /**
     577             :  * Encodes an ntlm_type1 message.
     578             :  *
     579             :  * @param type1 the ntlm_type1 message to encode.
     580             :  * @param data is the return buffer with the encoded message, should be
     581             :  * freed with heim_ntlm_free_buf().
     582             :  *
     583             :  * @return In case of success 0 is return, an errors, a errno in what
     584             :  * went wrong.
     585             :  *
     586             :  * @ingroup ntlm_core
     587             :  */
     588             : 
     589             : int
     590           0 : heim_ntlm_encode_type1(const struct ntlm_type1 *type1, struct ntlm_buf *data)
     591             : {
     592             :     krb5_error_code ret;
     593             :     struct sec_buffer domain, hostname;
     594             :     krb5_storage *out;
     595             :     uint32_t base, flags;
     596             : 
     597           0 :     flags = type1->flags;
     598           0 :     base = 16;
     599             : 
     600           0 :     if (type1->domain) {
     601           0 :         base += 8;
     602           0 :         flags |= NTLM_OEM_SUPPLIED_DOMAIN;
     603             :     }
     604           0 :     if (type1->hostname) {
     605           0 :         base += 8;
     606           0 :         flags |= NTLM_OEM_SUPPLIED_WORKSTATION;
     607             :     }
     608           0 :     if (type1->os[0])
     609           0 :         base += 8;
     610             : 
     611           0 :     domain.offset = base;
     612           0 :     if (type1->domain) {
     613           0 :         domain.length = len_string(0, type1->domain);
     614           0 :         domain.allocated = domain.length;
     615             :     } else {
     616           0 :         domain.length = 0;
     617           0 :         domain.allocated = 0;
     618             :     }
     619             : 
     620           0 :     hostname.offset = domain.allocated + domain.offset;
     621           0 :     if (type1->hostname) {
     622           0 :         hostname.length = len_string(0, type1->hostname);
     623           0 :         hostname.allocated = hostname.length;
     624             :     } else {
     625           0 :         hostname.length = 0;
     626           0 :         hostname.allocated = 0;
     627             :     }
     628             : 
     629           0 :     out = krb5_storage_emem();
     630           0 :     if (out == NULL)
     631           0 :         return ENOMEM;
     632             : 
     633           0 :     krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
     634           0 :     CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
     635             :           sizeof(ntlmsigature));
     636           0 :     CHECK(krb5_store_uint32(out, 1), 0);
     637           0 :     CHECK(krb5_store_uint32(out, flags), 0);
     638             : 
     639           0 :     CHECK(store_sec_buffer(out, &domain), 0);
     640           0 :     CHECK(store_sec_buffer(out, &hostname), 0);
     641             : #if 0
     642             :         CHECK(krb5_store_uint32(out, type1->os[0]), 0);
     643             :         CHECK(krb5_store_uint32(out, type1->os[1]), 0);
     644             : #endif
     645           0 :     if (type1->domain)
     646           0 :         CHECK(put_string(out, 0, type1->domain), 0);
     647           0 :     if (type1->hostname)
     648           0 :         CHECK(put_string(out, 0, type1->hostname), 0);
     649             : 
     650             :     {
     651             :         krb5_data d;
     652           0 :         ret = krb5_storage_to_data(out, &d);
     653           0 :         data->data = d.data;
     654           0 :         data->length = d.length;
     655             :     }
     656           0 : out:
     657           0 :     krb5_storage_free(out);
     658             : 
     659           0 :     return ret;
     660             : }
     661             : 
     662             : /**
     663             :  * Frees the ntlm_type2 message
     664             :  *
     665             :  * @param data message to be freed
     666             :  *
     667             :  * @ingroup ntlm_core
     668             :  */
     669             : 
     670             : void
     671           0 : heim_ntlm_free_type2(struct ntlm_type2 *data)
     672             : {
     673           0 :     if (data->targetname)
     674           0 :         free(data->targetname);
     675           0 :     heim_ntlm_free_buf(&data->targetinfo);
     676           0 :     memset(data, 0, sizeof(*data));
     677           0 : }
     678             : 
     679             : int
     680           0 : heim_ntlm_decode_type2(const struct ntlm_buf *buf, struct ntlm_type2 *type2)
     681             : {
     682             :     krb5_error_code ret;
     683             :     unsigned char sig[8];
     684             :     uint32_t type, ctx[2];
     685             :     struct sec_buffer targetname, targetinfo;
     686             :     krb5_storage *in;
     687           0 :     int ucs2 = 0;
     688             : 
     689           0 :     memset(type2, 0, sizeof(*type2));
     690             : 
     691           0 :     in = krb5_storage_from_readonly_mem(buf->data, buf->length);
     692           0 :     if (in == NULL) {
     693           0 :         ret = ENOMEM;
     694           0 :         goto out;
     695             :     }
     696           0 :     krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
     697             : 
     698           0 :     CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
     699           0 :     CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
     700           0 :     CHECK(krb5_ret_uint32(in, &type), 0);
     701           0 :     CHECK(type, 2);
     702             : 
     703           0 :     CHECK(ret_sec_buffer(in, &targetname), 0);
     704           0 :     CHECK(krb5_ret_uint32(in, &type2->flags), 0);
     705           0 :     if (type2->flags & NTLM_NEG_UNICODE)
     706           0 :         ucs2 = 1;
     707           0 :     CHECK(krb5_storage_read(in, type2->challenge, sizeof(type2->challenge)),
     708             :           sizeof(type2->challenge));
     709           0 :     CHECK(krb5_ret_uint32(in, &ctx[0]), 0); /* context */
     710           0 :     CHECK(krb5_ret_uint32(in, &ctx[1]), 0);
     711           0 :     CHECK(ret_sec_buffer(in, &targetinfo), 0);
     712             :     /* os version */
     713           0 :     if (type2->flags & NTLM_NEG_VERSION) {
     714           0 :         CHECK(krb5_ret_uint32(in, &type2->os[0]), 0);
     715           0 :         CHECK(krb5_ret_uint32(in, &type2->os[1]), 0);
     716             :     }
     717             : 
     718           0 :     CHECK(ret_sec_string(in, ucs2, &targetname, &type2->targetname), 0);
     719           0 :     CHECK(ret_buf(in, &targetinfo, &type2->targetinfo), 0);
     720           0 :     ret = 0;
     721             : 
     722           0 : out:
     723           0 :     if (in)
     724           0 :         krb5_storage_free(in);
     725           0 :     if (ret)
     726           0 :         heim_ntlm_free_type2(type2);
     727             : 
     728           0 :     return ret;
     729             : }
     730             : 
     731             : /**
     732             :  * Encodes an ntlm_type2 message.
     733             :  *
     734             :  * @param type2 the ntlm_type2 message to encode.
     735             :  * @param data is the return buffer with the encoded message, should be
     736             :  * freed with heim_ntlm_free_buf().
     737             :  *
     738             :  * @return In case of success 0 is return, an errors, a errno in what
     739             :  * went wrong.
     740             :  *
     741             :  * @ingroup ntlm_core
     742             :  */
     743             : 
     744             : int
     745           0 : heim_ntlm_encode_type2(const struct ntlm_type2 *type2, struct ntlm_buf *data)
     746             : {
     747             :     struct sec_buffer targetname, targetinfo;
     748             :     krb5_error_code ret;
     749           0 :     krb5_storage *out = NULL;
     750             :     uint32_t base;
     751           0 :     int ucs2 = 0;
     752             : 
     753           0 :     base = 48;
     754             : 
     755           0 :     if (type2->flags & NTLM_NEG_VERSION)
     756           0 :         base += 8;
     757             : 
     758           0 :     if (type2->flags & NTLM_NEG_UNICODE)
     759           0 :         ucs2 = 1;
     760             : 
     761           0 :     targetname.offset = base;
     762           0 :     targetname.length = len_string(ucs2, type2->targetname);
     763           0 :     targetname.allocated = targetname.length;
     764             : 
     765           0 :     targetinfo.offset = targetname.allocated + targetname.offset;
     766           0 :     targetinfo.length = type2->targetinfo.length;
     767           0 :     targetinfo.allocated = type2->targetinfo.length;
     768             : 
     769           0 :     out = krb5_storage_emem();
     770           0 :     if (out == NULL)
     771           0 :         return ENOMEM;
     772             : 
     773           0 :     krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
     774           0 :     CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
     775             :           sizeof(ntlmsigature));
     776           0 :     CHECK(krb5_store_uint32(out, 2), 0);
     777           0 :     CHECK(store_sec_buffer(out, &targetname), 0);
     778           0 :     CHECK(krb5_store_uint32(out, type2->flags), 0);
     779           0 :     CHECK(krb5_storage_write(out, type2->challenge, sizeof(type2->challenge)),
     780             :           sizeof(type2->challenge));
     781           0 :     CHECK(krb5_store_uint32(out, 0), 0); /* context */
     782           0 :     CHECK(krb5_store_uint32(out, 0), 0);
     783           0 :     CHECK(store_sec_buffer(out, &targetinfo), 0);
     784             :     /* os version */
     785           0 :     if (type2->flags & NTLM_NEG_VERSION) {
     786           0 :         CHECK(krb5_store_uint32(out, type2->os[0]), 0);
     787           0 :         CHECK(krb5_store_uint32(out, type2->os[1]), 0);
     788             :     }
     789           0 :     CHECK(put_string(out, ucs2, type2->targetname), 0);
     790           0 :     CHECK(krb5_storage_write(out, type2->targetinfo.data,
     791             :                              type2->targetinfo.length),
     792             :           type2->targetinfo.length);
     793             : 
     794             :     {
     795             :         krb5_data d;
     796           0 :         ret = krb5_storage_to_data(out, &d);
     797           0 :         data->data = d.data;
     798           0 :         data->length = d.length;
     799             :     }
     800             : 
     801           0 : out:
     802           0 :     krb5_storage_free(out);
     803             : 
     804           0 :     return ret;
     805             : }
     806             : 
     807             : /**
     808             :  * Frees the ntlm_type3 message
     809             :  *
     810             :  * @param data message to be freed
     811             :  *
     812             :  * @ingroup ntlm_core
     813             :  */
     814             : 
     815             : void
     816           0 : heim_ntlm_free_type3(struct ntlm_type3 *data)
     817             : {
     818           0 :     heim_ntlm_free_buf(&data->lm);
     819           0 :     heim_ntlm_free_buf(&data->ntlm);
     820           0 :     if (data->targetname)
     821           0 :         free(data->targetname);
     822           0 :     if (data->username)
     823           0 :         free(data->username);
     824           0 :     if (data->ws)
     825           0 :         free(data->ws);
     826           0 :     heim_ntlm_free_buf(&data->sessionkey);
     827           0 :     memset(data, 0, sizeof(*data));
     828           0 : }
     829             : 
     830             : /*
     831             :  *
     832             :  */
     833             : 
     834             : int
     835           0 : heim_ntlm_decode_type3(const struct ntlm_buf *buf,
     836             :                        int ucs2,
     837             :                        struct ntlm_type3 *type3)
     838             : {
     839             :     krb5_error_code ret;
     840             :     unsigned char sig[8];
     841             :     uint32_t type;
     842             :     krb5_storage *in;
     843             :     struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
     844           0 :     uint32_t min_offset = 72;
     845             : 
     846           0 :     memset(type3, 0, sizeof(*type3));
     847           0 :     memset(&sessionkey, 0, sizeof(sessionkey));
     848             : 
     849           0 :     in = krb5_storage_from_readonly_mem(buf->data, buf->length);
     850           0 :     if (in == NULL) {
     851           0 :         ret = ENOMEM;
     852           0 :         goto out;
     853             :     }
     854           0 :     krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
     855             : 
     856           0 :     CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
     857           0 :     CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
     858           0 :     CHECK(krb5_ret_uint32(in, &type), 0);
     859           0 :     CHECK(type, 3);
     860           0 :     CHECK(ret_sec_buffer(in, &lm), 0);
     861           0 :     if (lm.allocated)
     862           0 :         min_offset = min(min_offset, lm.offset);
     863           0 :     CHECK(ret_sec_buffer(in, &ntlm), 0);
     864           0 :     if (ntlm.allocated)
     865           0 :         min_offset = min(min_offset, ntlm.offset);
     866           0 :     CHECK(ret_sec_buffer(in, &target), 0);
     867           0 :     if (target.allocated)
     868           0 :         min_offset = min(min_offset, target.offset);
     869           0 :     CHECK(ret_sec_buffer(in, &username), 0);
     870           0 :     if (username.allocated)
     871           0 :         min_offset = min(min_offset, username.offset);
     872           0 :     CHECK(ret_sec_buffer(in, &ws), 0);
     873           0 :     if (ws.allocated)
     874           0 :         min_offset = min(min_offset, ws.offset);
     875             : 
     876           0 :     if (min_offset > 52) {
     877           0 :         CHECK(ret_sec_buffer(in, &sessionkey), 0);
     878           0 :         min_offset = max(min_offset, sessionkey.offset);
     879           0 :         CHECK(krb5_ret_uint32(in, &type3->flags), 0);
     880             :     }
     881           0 :     if (min_offset > 52 + 8 + 4 + 8) {
     882           0 :         CHECK(krb5_ret_uint32(in, &type3->os[0]), 0);
     883           0 :         CHECK(krb5_ret_uint32(in, &type3->os[1]), 0);
     884             :     }
     885           0 :     CHECK(ret_buf(in, &lm, &type3->lm), 0);
     886           0 :     CHECK(ret_buf(in, &ntlm, &type3->ntlm), 0);
     887           0 :     CHECK(ret_sec_string(in, ucs2, &target, &type3->targetname), 0);
     888           0 :     CHECK(ret_sec_string(in, ucs2, &username, &type3->username), 0);
     889           0 :     CHECK(ret_sec_string(in, ucs2, &ws, &type3->ws), 0);
     890           0 :     if (sessionkey.offset)
     891           0 :         CHECK(ret_buf(in, &sessionkey, &type3->sessionkey), 0);
     892             : 
     893           0 : out:
     894           0 :     if (in)
     895           0 :         krb5_storage_free(in);
     896           0 :     if (ret)
     897           0 :         heim_ntlm_free_type3(type3);
     898             : 
     899           0 :     return ret;
     900             : }
     901             : 
     902             : /**
     903             :  * Encodes an ntlm_type3 message.
     904             :  *
     905             :  * @param type3 the ntlm_type3 message to encode.
     906             :  * @param data is the return buffer with the encoded message, should be
     907             :  * freed with heim_ntlm_free_buf().
     908             :  *
     909             :  * @return In case of success 0 is return, an errors, a errno in what
     910             :  * went wrong.
     911             :  *
     912             :  * @ingroup ntlm_core
     913             :  */
     914             : 
     915             : int
     916           0 : heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
     917             : {
     918             :     struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
     919             :     krb5_error_code ret;
     920           0 :     krb5_storage *out = NULL;
     921             :     uint32_t base;
     922           0 :     int ucs2 = 0;
     923             : 
     924           0 :     memset(&lm, 0, sizeof(lm));
     925           0 :     memset(&ntlm, 0, sizeof(ntlm));
     926           0 :     memset(&target, 0, sizeof(target));
     927           0 :     memset(&username, 0, sizeof(username));
     928           0 :     memset(&ws, 0, sizeof(ws));
     929           0 :     memset(&sessionkey, 0, sizeof(sessionkey));
     930             : 
     931           0 :     base = 52;
     932             : 
     933           0 :     base += 8; /* sessionkey sec buf */
     934           0 :     base += 4; /* flags */
     935             : 
     936           0 :     if (type3->os[0]) {
     937           0 :         base += 8;
     938             :     }
     939             : 
     940           0 :     if (type3->flags & NTLM_NEG_UNICODE)
     941           0 :         ucs2 = 1;
     942             : 
     943           0 :     target.offset = base;
     944           0 :     target.length = len_string(ucs2, type3->targetname);
     945           0 :     target.allocated = target.length;
     946             : 
     947           0 :     username.offset = target.offset + target.allocated;
     948           0 :     username.length = len_string(ucs2, type3->username);
     949           0 :     username.allocated = username.length;
     950             : 
     951           0 :     ws.offset = username.offset + username.allocated;
     952           0 :     ws.length = len_string(ucs2, type3->ws);
     953           0 :     ws.allocated = ws.length;
     954             : 
     955           0 :     lm.offset = ws.offset + ws.allocated;
     956           0 :     lm.length = type3->lm.length;
     957           0 :     lm.allocated = type3->lm.length;
     958             : 
     959           0 :     ntlm.offset = lm.offset + lm.allocated;
     960           0 :     ntlm.length = type3->ntlm.length;
     961           0 :     ntlm.allocated = ntlm.length;
     962             : 
     963           0 :     sessionkey.offset = ntlm.offset + ntlm.allocated;
     964           0 :     sessionkey.length = type3->sessionkey.length;
     965           0 :     sessionkey.allocated = type3->sessionkey.length;
     966             : 
     967           0 :     out = krb5_storage_emem();
     968           0 :     if (out == NULL)
     969           0 :         return ENOMEM;
     970             : 
     971           0 :     krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
     972           0 :     CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
     973             :           sizeof(ntlmsigature));
     974           0 :     CHECK(krb5_store_uint32(out, 3), 0);
     975             : 
     976           0 :     CHECK(store_sec_buffer(out, &lm), 0);
     977           0 :     CHECK(store_sec_buffer(out, &ntlm), 0);
     978           0 :     CHECK(store_sec_buffer(out, &target), 0);
     979           0 :     CHECK(store_sec_buffer(out, &username), 0);
     980           0 :     CHECK(store_sec_buffer(out, &ws), 0);
     981           0 :     CHECK(store_sec_buffer(out, &sessionkey), 0);
     982           0 :     CHECK(krb5_store_uint32(out, type3->flags), 0);
     983             : 
     984             : #if 0
     985             :     CHECK(krb5_store_uint32(out, 0), 0); /* os0 */
     986             :     CHECK(krb5_store_uint32(out, 0), 0); /* os1 */
     987             : #endif
     988             : 
     989           0 :     CHECK(put_string(out, ucs2, type3->targetname), 0);
     990           0 :     CHECK(put_string(out, ucs2, type3->username), 0);
     991           0 :     CHECK(put_string(out, ucs2, type3->ws), 0);
     992           0 :     CHECK(put_buf(out, &type3->lm), 0);
     993           0 :     CHECK(put_buf(out, &type3->ntlm), 0);
     994           0 :     CHECK(put_buf(out, &type3->sessionkey), 0);
     995             : 
     996             :     {
     997             :         krb5_data d;
     998           0 :         ret = krb5_storage_to_data(out, &d);
     999           0 :         data->data = d.data;
    1000           0 :         data->length = d.length;
    1001             :     }
    1002             : 
    1003           0 : out:
    1004           0 :     krb5_storage_free(out);
    1005             : 
    1006           0 :     return ret;
    1007             : }
    1008             : 
    1009             : 
    1010             : /*
    1011             :  *
    1012             :  */
    1013             : 
    1014             : static void
    1015           0 : splitandenc(unsigned char *hash,
    1016             :             unsigned char *challenge,
    1017             :             unsigned char *answer)
    1018             : {
    1019             :     EVP_CIPHER_CTX ctx;
    1020             :     unsigned char key[8];
    1021             : 
    1022           0 :     key[0] =  hash[0];
    1023           0 :     key[1] = (hash[0] << 7) | (hash[1] >> 1);
    1024           0 :     key[2] = (hash[1] << 6) | (hash[2] >> 2);
    1025           0 :     key[3] = (hash[2] << 5) | (hash[3] >> 3);
    1026           0 :     key[4] = (hash[3] << 4) | (hash[4] >> 4);
    1027           0 :     key[5] = (hash[4] << 3) | (hash[5] >> 5);
    1028           0 :     key[6] = (hash[5] << 2) | (hash[6] >> 6);
    1029           0 :     key[7] = (hash[6] << 1);
    1030             : 
    1031           0 :     EVP_CIPHER_CTX_init(&ctx);
    1032             : 
    1033           0 :     EVP_CipherInit_ex(&ctx, EVP_des_cbc(), NULL, key, NULL, 1);
    1034           0 :     EVP_Cipher(&ctx, answer, challenge, 8);
    1035           0 :     EVP_CIPHER_CTX_cleanup(&ctx);
    1036           0 :     memset(key, 0, sizeof(key));
    1037           0 : }
    1038             : 
    1039             : /**
    1040             :  * Calculate the NTLM key, the password is assumed to be in UTF8.
    1041             :  *
    1042             :  * @param password password to calcute the key for.
    1043             :  * @param key calcuted key, should be freed with heim_ntlm_free_buf().
    1044             :  *
    1045             :  * @return In case of success 0 is return, an errors, a errno in what
    1046             :  * went wrong.
    1047             :  *
    1048             :  * @ingroup ntlm_core
    1049             :  */
    1050             : 
    1051             : int
    1052           0 : heim_ntlm_nt_key(const char *password, struct ntlm_buf *key)
    1053             : {
    1054             :     struct ntlm_buf buf;
    1055             :     EVP_MD_CTX *m;
    1056             :     int ret;
    1057             : 
    1058           0 :     key->data = malloc(MD5_DIGEST_LENGTH);
    1059           0 :     if (key->data == NULL)
    1060           0 :         return ENOMEM;
    1061           0 :     key->length = MD5_DIGEST_LENGTH;
    1062             : 
    1063           0 :     ret = ascii2ucs2le(password, 0, &buf);
    1064           0 :     if (ret) {
    1065           0 :         heim_ntlm_free_buf(key);
    1066           0 :         return ret;
    1067             :     }
    1068             : 
    1069           0 :     m = EVP_MD_CTX_create();
    1070           0 :     if (m == NULL) {
    1071           0 :         heim_ntlm_free_buf(key);
    1072           0 :         heim_ntlm_free_buf(&buf);
    1073           0 :         return ENOMEM;
    1074             :     }
    1075             : 
    1076           0 :     EVP_DigestInit_ex(m, EVP_md4(), NULL);
    1077           0 :     EVP_DigestUpdate(m, buf.data, buf.length);
    1078           0 :     EVP_DigestFinal_ex(m, key->data, NULL);
    1079           0 :     EVP_MD_CTX_destroy(m);
    1080             : 
    1081           0 :     heim_ntlm_free_buf(&buf);
    1082           0 :     return 0;
    1083             : }
    1084             : 
    1085             : /**
    1086             :  * Calculate NTLMv1 response hash
    1087             :  *
    1088             :  * @param key the ntlm v1 key
    1089             :  * @param len length of key
    1090             :  * @param challenge sent by the server
    1091             :  * @param answer calculated answer, should be freed with heim_ntlm_free_buf().
    1092             :  *
    1093             :  * @return In case of success 0 is return, an errors, a errno in what
    1094             :  * went wrong.
    1095             :  *
    1096             :  * @ingroup ntlm_core
    1097             :  */
    1098             : 
    1099             : int
    1100           0 : heim_ntlm_calculate_ntlm1(void *key, size_t len,
    1101             :                           unsigned char challenge[8],
    1102             :                           struct ntlm_buf *answer)
    1103             : {
    1104             :     unsigned char res[21];
    1105             : 
    1106           0 :     if (len != MD4_DIGEST_LENGTH)
    1107           0 :         return HNTLM_ERR_INVALID_LENGTH;
    1108             : 
    1109           0 :     memcpy(res, key, len);
    1110           0 :     memset(&res[MD4_DIGEST_LENGTH], 0, sizeof(res) - MD4_DIGEST_LENGTH);
    1111             : 
    1112           0 :     answer->data = malloc(24);
    1113           0 :     if (answer->data == NULL)
    1114           0 :         return ENOMEM;
    1115           0 :     answer->length = 24;
    1116             : 
    1117           0 :     splitandenc(&res[0],  challenge, ((unsigned char *)answer->data) + 0);
    1118           0 :     splitandenc(&res[7],  challenge, ((unsigned char *)answer->data) + 8);
    1119           0 :     splitandenc(&res[14], challenge, ((unsigned char *)answer->data) + 16);
    1120             : 
    1121           0 :     return 0;
    1122             : }
    1123             : 
    1124             : int
    1125           0 : heim_ntlm_v1_base_session(void *key, size_t len,
    1126             :                           struct ntlm_buf *session)
    1127             : {
    1128             :     EVP_MD_CTX *m;
    1129             : 
    1130           0 :     session->length = MD4_DIGEST_LENGTH;
    1131           0 :     session->data = malloc(session->length);
    1132           0 :     if (session->data == NULL) {
    1133           0 :         session->length = 0;
    1134           0 :         return ENOMEM;
    1135             :     }
    1136             : 
    1137           0 :     m = EVP_MD_CTX_create();
    1138           0 :     if (m == NULL) {
    1139           0 :         heim_ntlm_free_buf(session);
    1140           0 :         return ENOMEM;
    1141             :     }
    1142           0 :     EVP_DigestInit_ex(m, EVP_md4(), NULL);
    1143           0 :     EVP_DigestUpdate(m, key, len);
    1144           0 :     EVP_DigestFinal_ex(m, session->data, NULL);
    1145           0 :     EVP_MD_CTX_destroy(m);
    1146             : 
    1147           0 :     return 0;
    1148             : }
    1149             : 
    1150             : int
    1151           0 : heim_ntlm_v2_base_session(void *key, size_t len,
    1152             :                           struct ntlm_buf *ntlmResponse,
    1153             :                           struct ntlm_buf *session)
    1154             : {
    1155             :     unsigned int hmaclen;
    1156             :     HMAC_CTX c;
    1157             : 
    1158           0 :     if (ntlmResponse->length <= 16)
    1159           0 :         return HNTLM_ERR_INVALID_LENGTH;
    1160             : 
    1161           0 :     session->data = malloc(16);
    1162           0 :     if (session->data == NULL)
    1163           0 :         return ENOMEM;
    1164           0 :     session->length = 16;
    1165             : 
    1166             :     /* Note: key is the NTLMv2 key */
    1167           0 :     HMAC_CTX_init(&c);
    1168           0 :     HMAC_Init_ex(&c, key, len, EVP_md5(), NULL);
    1169           0 :     HMAC_Update(&c, ntlmResponse->data, 16);
    1170           0 :     HMAC_Final(&c, session->data, &hmaclen);
    1171           0 :     HMAC_CTX_cleanup(&c);
    1172             : 
    1173           0 :     return 0;
    1174             : }
    1175             : 
    1176             : 
    1177             : int
    1178           0 : heim_ntlm_keyex_wrap(struct ntlm_buf *base_session,
    1179             :                      struct ntlm_buf *session,
    1180             :                      struct ntlm_buf *encryptedSession)
    1181             : {
    1182             :     EVP_CIPHER_CTX c;
    1183             :     int ret;
    1184             : 
    1185           0 :     session->length = MD4_DIGEST_LENGTH;
    1186           0 :     session->data = malloc(session->length);
    1187           0 :     if (session->data == NULL) {
    1188           0 :         session->length = 0;
    1189           0 :         return ENOMEM;
    1190             :     }
    1191           0 :     encryptedSession->length = MD4_DIGEST_LENGTH;
    1192           0 :     encryptedSession->data = malloc(encryptedSession->length);
    1193           0 :     if (encryptedSession->data == NULL) {
    1194           0 :         heim_ntlm_free_buf(session);
    1195           0 :         encryptedSession->length = 0;
    1196           0 :         return ENOMEM;
    1197             :     }
    1198             : 
    1199           0 :     EVP_CIPHER_CTX_init(&c);
    1200             : 
    1201           0 :     ret = EVP_CipherInit_ex(&c, EVP_rc4(), NULL, base_session->data, NULL, 1);
    1202           0 :     if (ret != 1) {
    1203           0 :         EVP_CIPHER_CTX_cleanup(&c);
    1204           0 :         heim_ntlm_free_buf(encryptedSession);
    1205           0 :         heim_ntlm_free_buf(session);
    1206           0 :         return HNTLM_ERR_CRYPTO;
    1207             :     }
    1208             : 
    1209           0 :     if (RAND_bytes(session->data, session->length) != 1) {
    1210           0 :         EVP_CIPHER_CTX_cleanup(&c);
    1211           0 :         heim_ntlm_free_buf(encryptedSession);
    1212           0 :         heim_ntlm_free_buf(session);
    1213           0 :         return HNTLM_ERR_RAND;
    1214             :     }
    1215             : 
    1216           0 :     EVP_Cipher(&c, encryptedSession->data, session->data, encryptedSession->length);
    1217           0 :     EVP_CIPHER_CTX_cleanup(&c);
    1218             : 
    1219           0 :     return 0;
    1220             : 
    1221             : 
    1222             : 
    1223             : }
    1224             : 
    1225             : 
    1226             : 
    1227             : /**
    1228             :  * Generates an NTLMv1 session random with assosited session master key.
    1229             :  *
    1230             :  * @param key the ntlm v1 key
    1231             :  * @param len length of key
    1232             :  * @param session generated session nonce, should be freed with heim_ntlm_free_buf().
    1233             :  * @param master calculated session master key, should be freed with heim_ntlm_free_buf().
    1234             :  *
    1235             :  * @return In case of success 0 is return, an errors, a errno in what
    1236             :  * went wrong.
    1237             :  *
    1238             :  * @ingroup ntlm_core
    1239             :  */
    1240             : 
    1241             : int
    1242           0 : heim_ntlm_build_ntlm1_master(void *key, size_t len,
    1243             :                              struct ntlm_buf *session,
    1244             :                              struct ntlm_buf *master)
    1245             : {
    1246             :     struct ntlm_buf sess;
    1247             :     int ret;
    1248             : 
    1249           0 :     ret = heim_ntlm_v1_base_session(key, len, &sess);
    1250           0 :     if (ret)
    1251           0 :         return ret;
    1252             : 
    1253           0 :     ret = heim_ntlm_keyex_wrap(&sess, session, master);
    1254           0 :     heim_ntlm_free_buf(&sess);
    1255             : 
    1256           0 :     return ret;
    1257             : }
    1258             : 
    1259             : /**
    1260             :  * Generates an NTLMv2 session random with associated session master key.
    1261             :  *
    1262             :  * @param key the NTLMv2 key
    1263             :  * @param len length of key
    1264             :  * @param blob the NTLMv2 "blob"
    1265             :  * @param session generated session nonce, should be freed with heim_ntlm_free_buf().
    1266             :  * @param master calculated session master key, should be freed with heim_ntlm_free_buf().
    1267             :  *
    1268             :  * @return In case of success 0 is return, an errors, a errno in what
    1269             :  * went wrong.
    1270             :  *
    1271             :  * @ingroup ntlm_core
    1272             :  */
    1273             : 
    1274             : 
    1275             : int
    1276           0 : heim_ntlm_build_ntlm2_master(void *key, size_t len,
    1277             :                              struct ntlm_buf *blob,
    1278             :                              struct ntlm_buf *session,
    1279             :                              struct ntlm_buf *master)
    1280             : {
    1281             :     struct ntlm_buf sess;
    1282             :     int ret;
    1283             : 
    1284           0 :     ret = heim_ntlm_v2_base_session(key, len, blob, &sess);
    1285           0 :     if (ret)
    1286           0 :         return ret;
    1287             : 
    1288           0 :     ret = heim_ntlm_keyex_wrap(&sess, session, master);
    1289           0 :     heim_ntlm_free_buf(&sess);
    1290             : 
    1291           0 :     return ret;
    1292             : }
    1293             : 
    1294             : /**
    1295             :  * Given a key and encrypted session, unwrap the session key
    1296             :  *
    1297             :  * @param baseKey the sessionBaseKey
    1298             :  * @param encryptedSession encrypted session, type3.session field.
    1299             :  * @param session generated session nonce, should be freed with heim_ntlm_free_buf().
    1300             :  *
    1301             :  * @return In case of success 0 is return, an errors, a errno in what
    1302             :  * went wrong.
    1303             :  *
    1304             :  * @ingroup ntlm_core
    1305             :  */
    1306             : 
    1307             : int
    1308           0 : heim_ntlm_keyex_unwrap(struct ntlm_buf *baseKey,
    1309             :                        struct ntlm_buf *encryptedSession,
    1310             :                        struct ntlm_buf *session)
    1311             : {
    1312             :     EVP_CIPHER_CTX c;
    1313             : 
    1314           0 :     memset(session, 0, sizeof(*session));
    1315             : 
    1316           0 :     if (baseKey->length != MD4_DIGEST_LENGTH)
    1317           0 :         return HNTLM_ERR_INVALID_LENGTH;
    1318             : 
    1319           0 :     session->length = MD4_DIGEST_LENGTH;
    1320           0 :     session->data = malloc(session->length);
    1321           0 :     if (session->data == NULL) {
    1322           0 :         session->length = 0;
    1323           0 :         return ENOMEM;
    1324             :     }
    1325           0 :     EVP_CIPHER_CTX_init(&c);
    1326             : 
    1327           0 :     if (EVP_CipherInit_ex(&c, EVP_rc4(), NULL, baseKey->data, NULL, 0) != 1) {
    1328           0 :         EVP_CIPHER_CTX_cleanup(&c);
    1329           0 :         heim_ntlm_free_buf(session);
    1330           0 :         return HNTLM_ERR_CRYPTO;
    1331             :     }
    1332             : 
    1333           0 :     EVP_Cipher(&c, session->data, encryptedSession->data, session->length);
    1334           0 :     EVP_CIPHER_CTX_cleanup(&c);
    1335             : 
    1336           0 :     return 0;
    1337             : }
    1338             : 
    1339             : 
    1340             : /**
    1341             :  * Generates an NTLMv2 session key.
    1342             :  *
    1343             :  * @param key the ntlm key
    1344             :  * @param len length of key
    1345             :  * @param username name of the user, as sent in the message, assumed to be in UTF8.
    1346             :  * @param target the name of the target, assumed to be in UTF8.
    1347             :  * @param ntlmv2 the ntlmv2 session key
    1348             :  *
    1349             :  * @return 0 on success, or an error code on failure.
    1350             :  *
    1351             :  * @ingroup ntlm_core
    1352             :  */
    1353             : 
    1354             : int
    1355           0 : heim_ntlm_ntlmv2_key(const void *key, size_t len,
    1356             :                      const char *username,
    1357             :                      const char *target,
    1358             :                      unsigned char ntlmv2[16])
    1359             : {
    1360             :     int ret;
    1361             :     unsigned int hmaclen;
    1362             :     HMAC_CTX c;
    1363             : 
    1364           0 :     HMAC_CTX_init(&c);
    1365           0 :     HMAC_Init_ex(&c, key, len, EVP_md5(), NULL);
    1366             :     {
    1367             :         struct ntlm_buf buf;
    1368             :         /* uppercase username and turn it into ucs2-le */
    1369           0 :         ret = ascii2ucs2le(username, 1, &buf);
    1370           0 :         if (ret)
    1371           0 :             goto out;
    1372           0 :         HMAC_Update(&c, buf.data, buf.length);
    1373           0 :         free(buf.data);
    1374             :         /* uppercase target and turn into ucs2-le */
    1375           0 :         ret = ascii2ucs2le(target, 1, &buf);
    1376           0 :         if (ret)
    1377           0 :             goto out;
    1378           0 :         HMAC_Update(&c, buf.data, buf.length);
    1379           0 :         free(buf.data);
    1380             :     }
    1381           0 :     HMAC_Final(&c, ntlmv2, &hmaclen);
    1382           0 :  out:
    1383           0 :     HMAC_CTX_cleanup(&c);
    1384             : 
    1385           0 :     return ret;
    1386             : }
    1387             : 
    1388             : /*
    1389             :  *
    1390             :  */
    1391             : 
    1392             : #define NTTIME_EPOCH 0x019DB1DED53E8000LL
    1393             : 
    1394             : static uint64_t
    1395           0 : unix2nttime(time_t unix_time)
    1396             : {
    1397             :     long long wt;
    1398           0 :     wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
    1399           0 :     return wt;
    1400             : }
    1401             : 
    1402             : static time_t
    1403           0 : nt2unixtime(uint64_t t)
    1404             : {
    1405           0 :     t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000);
    1406           0 :     if (t > (((uint64_t)(time_t)(~(uint64_t)0)) >> 1))
    1407           0 :         return 0;
    1408           0 :     return (time_t)t;
    1409             : }
    1410             : 
    1411             : /**
    1412             :  * Calculate LMv2 response
    1413             :  *
    1414             :  * @param key the ntlm key
    1415             :  * @param len length of key
    1416             :  * @param username name of the user, as sent in the message, assumed to be in UTF8.
    1417             :  * @param target the name of the target, assumed to be in UTF8.
    1418             :  * @param serverchallenge challenge as sent by the server in the type2 message.
    1419             :  * @param ntlmv2 calculated session key
    1420             :  * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
    1421             :  *
    1422             :  * @return In case of success 0 is return, an errors, a errno in what
    1423             :  * went wrong.
    1424             :  *
    1425             :  * @ingroup ntlm_core
    1426             :  */
    1427             : 
    1428             : int
    1429           0 : heim_ntlm_calculate_lm2(const void *key, size_t len,
    1430             :                         const char *username,
    1431             :                         const char *target,
    1432             :                         const unsigned char serverchallenge[8],
    1433             :                         unsigned char ntlmv2[16],
    1434             :                         struct ntlm_buf *answer)
    1435             : {
    1436             :     unsigned char clientchallenge[8];
    1437             : 
    1438           0 :     if (RAND_bytes(clientchallenge, sizeof(clientchallenge)) != 1)
    1439           0 :         return HNTLM_ERR_RAND;
    1440             : 
    1441             :     /* calculate ntlmv2 key */
    1442             : 
    1443           0 :     heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
    1444             : 
    1445           0 :     answer->data = malloc(24);
    1446           0 :     if (answer->data == NULL)
    1447           0 :         return ENOMEM;
    1448           0 :     answer->length = 24;
    1449             : 
    1450           0 :     heim_ntlm_derive_ntlm2_sess(ntlmv2, clientchallenge, 8,
    1451           0 :                                 serverchallenge, answer->data);
    1452             : 
    1453           0 :     memcpy(((uint8_t *)answer->data) + 16, clientchallenge, 8);
    1454             : 
    1455           0 :     return 0;
    1456             : }
    1457             : 
    1458             : 
    1459             : /**
    1460             :  * Calculate NTLMv2 response
    1461             :  *
    1462             :  * @param key the ntlm key
    1463             :  * @param len length of key
    1464             :  * @param username name of the user, as sent in the message, assumed to be in UTF8.
    1465             :  * @param target the name of the target, assumed to be in UTF8.
    1466             :  * @param serverchallenge challenge as sent by the server in the type2 message.
    1467             :  * @param infotarget infotarget as sent by the server in the type2 message.
    1468             :  * @param ntlmv2 calculated session key
    1469             :  * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
    1470             :  *
    1471             :  * @return In case of success 0 is return, an errors, a errno in what
    1472             :  * went wrong.
    1473             :  *
    1474             :  * @ingroup ntlm_core
    1475             :  */
    1476             : 
    1477             : int
    1478           0 : heim_ntlm_calculate_ntlm2(const void *key, size_t len,
    1479             :                           const char *username,
    1480             :                           const char *target,
    1481             :                           const unsigned char serverchallenge[8],
    1482             :                           const struct ntlm_buf *infotarget,
    1483             :                           unsigned char ntlmv2[16],
    1484             :                           struct ntlm_buf *answer)
    1485             : {
    1486             :     krb5_error_code ret;
    1487             :     krb5_data data;
    1488             :     unsigned char ntlmv2answer[16];
    1489             :     krb5_storage *sp;
    1490             :     unsigned char clientchallenge[8];
    1491             :     uint64_t t;
    1492             : 
    1493           0 :     t = unix2nttime(time(NULL));
    1494             : 
    1495           0 :     if (RAND_bytes(clientchallenge, sizeof(clientchallenge)) != 1)
    1496           0 :         return HNTLM_ERR_RAND;
    1497             : 
    1498             :     /* calculate ntlmv2 key */
    1499             : 
    1500           0 :     heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
    1501             : 
    1502             :     /* calculate and build ntlmv2 answer */
    1503             : 
    1504           0 :     sp = krb5_storage_emem();
    1505           0 :     if (sp == NULL)
    1506           0 :         return ENOMEM;
    1507           0 :     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
    1508             : 
    1509           0 :     CHECK(krb5_store_uint32(sp, 0x00000101), 0);
    1510           0 :     CHECK(krb5_store_uint32(sp, 0), 0);
    1511             :     /* timestamp le 64 bit ts */
    1512           0 :     CHECK(krb5_store_uint32(sp, t & 0xffffffff), 0);
    1513           0 :     CHECK(krb5_store_uint32(sp, t >> 32), 0);
    1514             : 
    1515           0 :     CHECK(krb5_storage_write(sp, clientchallenge, 8), 8);
    1516             : 
    1517           0 :     CHECK(krb5_store_uint32(sp, 0), 0);  /* unknown but zero will work */
    1518           0 :     CHECK(krb5_storage_write(sp, infotarget->data, infotarget->length),
    1519             :           infotarget->length);
    1520           0 :     CHECK(krb5_store_uint32(sp, 0), 0); /* unknown but zero will work */
    1521             : 
    1522           0 :     CHECK(krb5_storage_to_data(sp, &data), 0);
    1523           0 :     krb5_storage_free(sp);
    1524           0 :     sp = NULL;
    1525             : 
    1526           0 :     heim_ntlm_derive_ntlm2_sess(ntlmv2, data.data, data.length, serverchallenge, ntlmv2answer);
    1527             : 
    1528           0 :     sp = krb5_storage_emem();
    1529           0 :     if (sp == NULL) {
    1530           0 :         krb5_data_free(&data);
    1531           0 :         return ENOMEM;
    1532             :     }
    1533             : 
    1534           0 :     CHECK(krb5_storage_write(sp, ntlmv2answer, 16), 16);
    1535           0 :     CHECK(krb5_storage_write(sp, data.data, data.length), data.length);
    1536           0 :     krb5_data_free(&data);
    1537             : 
    1538           0 :     CHECK(krb5_storage_to_data(sp, &data), 0);
    1539           0 :     krb5_storage_free(sp);
    1540           0 :     sp = NULL;
    1541             : 
    1542           0 :     answer->data = data.data;
    1543           0 :     answer->length = data.length;
    1544             : 
    1545           0 :     return 0;
    1546           0 : out:
    1547           0 :     if (sp)
    1548           0 :         krb5_storage_free(sp);
    1549           0 :     return ret;
    1550             : }
    1551             : 
    1552             : static const int authtimediff = 3600 * 2; /* 2 hours */
    1553             : 
    1554             : /**
    1555             :  * Verify NTLMv2 response.
    1556             :  *
    1557             :  * @param key the ntlm key
    1558             :  * @param len length of key
    1559             :  * @param username name of the user, as sent in the message, assumed to be in UTF8.
    1560             :  * @param target the name of the target, assumed to be in UTF8.
    1561             :  * @param now the time now (0 if the library should pick it up itself)
    1562             :  * @param serverchallenge challenge as sent by the server in the type2 message.
    1563             :  * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
    1564             :  * @param infotarget infotarget as sent by the server in the type2 message.
    1565             :  * @param ntlmv2 calculated session key
    1566             :  *
    1567             :  * @return In case of success 0 is return, an errors, a errno in what
    1568             :  * went wrong.
    1569             :  *
    1570             :  * @ingroup ntlm_core
    1571             :  */
    1572             : 
    1573             : int
    1574           0 : heim_ntlm_verify_ntlm2(const void *key, size_t len,
    1575             :                        const char *username,
    1576             :                        const char *target,
    1577             :                        time_t now,
    1578             :                        const unsigned char serverchallenge[8],
    1579             :                        const struct ntlm_buf *answer,
    1580             :                        struct ntlm_buf *infotarget,
    1581             :                        unsigned char ntlmv2[16])
    1582             : {
    1583             :     krb5_error_code ret;
    1584             :     unsigned char clientanswer[16];
    1585             :     unsigned char clientnonce[8];
    1586             :     unsigned char serveranswer[16];
    1587             :     krb5_storage *sp;
    1588             :     time_t authtime;
    1589             :     uint32_t temp;
    1590             :     uint64_t t;
    1591             : 
    1592           0 :     infotarget->length = 0;
    1593           0 :     infotarget->data = NULL;
    1594             : 
    1595           0 :     if (answer->length < 16)
    1596           0 :         return HNTLM_ERR_INVALID_LENGTH;
    1597             : 
    1598           0 :     if (now == 0)
    1599           0 :         now = time(NULL);
    1600             : 
    1601             :     /* calculate ntlmv2 key */
    1602             : 
    1603           0 :     heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
    1604             : 
    1605             :     /* calculate and build ntlmv2 answer */
    1606             : 
    1607           0 :     sp = krb5_storage_from_readonly_mem(answer->data, answer->length);
    1608           0 :     if (sp == NULL)
    1609           0 :         return ENOMEM;
    1610           0 :     krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
    1611             : 
    1612           0 :     CHECK(krb5_storage_read(sp, clientanswer, 16), 16);
    1613             : 
    1614           0 :     CHECK(krb5_ret_uint32(sp, &temp), 0);
    1615           0 :     CHECK(temp, 0x00000101);
    1616           0 :     CHECK(krb5_ret_uint32(sp, &temp), 0);
    1617           0 :     CHECK(temp, 0);
    1618             :     /* timestamp le 64 bit ts */
    1619           0 :     CHECK(krb5_ret_uint32(sp, &temp), 0);
    1620           0 :     t = temp;
    1621           0 :     CHECK(krb5_ret_uint32(sp, &temp), 0);
    1622           0 :     t |= ((uint64_t)temp)<< 32;
    1623             : 
    1624           0 :     authtime = nt2unixtime(t);
    1625             : 
    1626           0 :     if (abs((int)(authtime - now)) > authtimediff) {
    1627           0 :         ret = HNTLM_ERR_TIME_SKEW;
    1628           0 :         goto out;
    1629             :     }
    1630             : 
    1631             :     /* client challenge */
    1632           0 :     CHECK(krb5_storage_read(sp, clientnonce, 8), 8);
    1633             : 
    1634           0 :     CHECK(krb5_ret_uint32(sp, &temp), 0); /* unknown */
    1635             : 
    1636             :     /* should really unparse the infotarget, but lets pick up everything */
    1637           0 :     infotarget->length = answer->length - krb5_storage_seek(sp, 0, SEEK_CUR);
    1638           0 :     infotarget->data = malloc(infotarget->length);
    1639           0 :     if (infotarget->data == NULL) {
    1640           0 :         ret = ENOMEM;
    1641           0 :         goto out;
    1642             :     }
    1643           0 :     CHECK(krb5_storage_read(sp, infotarget->data, infotarget->length),
    1644             :           infotarget->length);
    1645             :     /* XXX remove the unknown ?? */
    1646           0 :     krb5_storage_free(sp);
    1647           0 :     sp = NULL;
    1648             : 
    1649           0 :     if (answer->length < 16) {
    1650           0 :         ret = HNTLM_ERR_INVALID_LENGTH;
    1651           0 :         goto out;
    1652             :     }
    1653             : 
    1654           0 :     heim_ntlm_derive_ntlm2_sess(ntlmv2,
    1655           0 :                                 ((unsigned char *)answer->data) + 16, answer->length - 16,
    1656             :                                 serverchallenge,
    1657             :                                 serveranswer);
    1658             : 
    1659           0 :     if (memcmp(serveranswer, clientanswer, 16) != 0) {
    1660           0 :         heim_ntlm_free_buf(infotarget);
    1661           0 :         return HNTLM_ERR_AUTH;
    1662             :     }
    1663             : 
    1664           0 :     return 0;
    1665           0 : out:
    1666           0 :     heim_ntlm_free_buf(infotarget);
    1667           0 :     if (sp)
    1668           0 :         krb5_storage_free(sp);
    1669           0 :     return ret;
    1670             : }
    1671             : 
    1672             : 
    1673             : /*
    1674             :  * Calculate the NTLM2 Session Response
    1675             :  *
    1676             :  * @param clnt_nonce client nonce
    1677             :  * @param svr_chal server challage
    1678             :  * @param ntlm2_hash ntlm hash
    1679             :  * @param lm The LM response, should be freed with heim_ntlm_free_buf().
    1680             :  * @param ntlm The NTLM response, should be freed with heim_ntlm_free_buf().
    1681             :  *
    1682             :  * @return In case of success 0 is return, an errors, a errno in what
    1683             :  * went wrong.
    1684             :  *
    1685             :  * @ingroup ntlm_core
    1686             :  */
    1687             : 
    1688             : int
    1689           0 : heim_ntlm_calculate_ntlm2_sess(const unsigned char clnt_nonce[8],
    1690             :                                const unsigned char svr_chal[8],
    1691             :                                const unsigned char ntlm_hash[16],
    1692             :                                struct ntlm_buf *lm,
    1693             :                                struct ntlm_buf *ntlm)
    1694             : {
    1695             :     unsigned char ntlm2_sess_hash[8];
    1696             :     unsigned char res[21], *resp;
    1697             :     int code;
    1698             : 
    1699           0 :     code = heim_ntlm_calculate_ntlm2_sess_hash(clnt_nonce, svr_chal,
    1700             :                                                ntlm2_sess_hash);
    1701           0 :     if (code) {
    1702           0 :         return code;
    1703             :     }
    1704             : 
    1705           0 :     lm->data = malloc(24);
    1706           0 :     if (lm->data == NULL) {
    1707           0 :         return ENOMEM;
    1708             :     }
    1709           0 :     lm->length = 24;
    1710             : 
    1711           0 :     ntlm->data = malloc(24);
    1712           0 :     if (ntlm->data == NULL) {
    1713           0 :         free(lm->data);
    1714           0 :         lm->data = NULL;
    1715           0 :         return ENOMEM;
    1716             :     }
    1717           0 :     ntlm->length = 24;
    1718             : 
    1719             :     /* first setup the lm resp */
    1720           0 :     memset(lm->data, 0, 24);
    1721           0 :     memcpy(lm->data, clnt_nonce, 8);
    1722             : 
    1723           0 :     memset(res, 0, sizeof(res));
    1724           0 :     memcpy(res, ntlm_hash, 16);
    1725             : 
    1726           0 :     resp = ntlm->data;
    1727           0 :     splitandenc(&res[0], ntlm2_sess_hash, resp + 0);
    1728           0 :     splitandenc(&res[7], ntlm2_sess_hash, resp + 8);
    1729           0 :     splitandenc(&res[14], ntlm2_sess_hash, resp + 16);
    1730             : 
    1731           0 :     return 0;
    1732             : }
    1733             : 
    1734             : 
    1735             : /*
    1736             :  * Calculate the NTLM2 Session "Verifier"
    1737             :  *
    1738             :  * @param clnt_nonce client nonce
    1739             :  * @param svr_chal server challage
    1740             :  * @param hash The NTLM session verifier
    1741             :  *
    1742             :  * @return In case of success 0 is return, an errors, a errno in what
    1743             :  * went wrong.
    1744             :  *
    1745             :  * @ingroup ntlm_core
    1746             :  */
    1747             : 
    1748             : int
    1749           0 : heim_ntlm_calculate_ntlm2_sess_hash(const unsigned char clnt_nonce[8],
    1750             :                                     const unsigned char svr_chal[8],
    1751             :                                     unsigned char verifier[8])
    1752             : {
    1753             :     unsigned char ntlm2_sess_hash[MD5_DIGEST_LENGTH];
    1754             :     EVP_MD_CTX *m;
    1755             : 
    1756           0 :     m = EVP_MD_CTX_create();
    1757           0 :     if (m == NULL)
    1758           0 :         return ENOMEM;
    1759             : 
    1760           0 :     EVP_DigestInit_ex(m, EVP_md5(), NULL);
    1761           0 :     EVP_DigestUpdate(m, svr_chal, 8); /* session nonce part 1 */
    1762           0 :     EVP_DigestUpdate(m, clnt_nonce, 8); /* session nonce part 2 */
    1763           0 :     EVP_DigestFinal_ex(m, ntlm2_sess_hash, NULL); /* will only use first 8 bytes */
    1764           0 :     EVP_MD_CTX_destroy(m);
    1765             : 
    1766           0 :     memcpy(verifier, ntlm2_sess_hash, 8);
    1767             : 
    1768           0 :     return 0;
    1769             : }
    1770             : 
    1771             : 
    1772             : /*
    1773             :  * Derive a NTLM2 session key
    1774             :  *
    1775             :  * @param sessionkey session key from domain controller
    1776             :  * @param clnt_nonce client nonce
    1777             :  * @param svr_chal server challenge
    1778             :  * @param derivedkey salted session key
    1779             :  *
    1780             :  * @return In case of success 0 is return, an errors, a errno in what
    1781             :  * went wrong.
    1782             :  *
    1783             :  * @ingroup ntlm_core
    1784             :  */
    1785             : 
    1786             : void
    1787           0 : heim_ntlm_derive_ntlm2_sess(const unsigned char sessionkey[16],
    1788             :                             const unsigned char *clnt_nonce, size_t clnt_nonce_length,
    1789             :                             const unsigned char svr_chal[8],
    1790             :                             unsigned char derivedkey[16])
    1791             : {
    1792             :     unsigned int hmaclen;
    1793             :     HMAC_CTX c;
    1794             : 
    1795             :     /* HMAC(Ksession, serverchallenge || clientchallenge) */
    1796           0 :     HMAC_CTX_init(&c);
    1797           0 :     HMAC_Init_ex(&c, sessionkey, 16, EVP_md5(), NULL);
    1798           0 :     HMAC_Update(&c, svr_chal, 8);
    1799           0 :     HMAC_Update(&c, clnt_nonce, clnt_nonce_length);
    1800           0 :     HMAC_Final(&c, derivedkey, &hmaclen);
    1801           0 :     HMAC_CTX_cleanup(&c);
    1802           0 : }
    1803             : 

Generated by: LCOV version 1.13