/**
 * @file ntlm.c
 *
 * gaim
 *
 * Copyright (C) 2005 Thomas Butter <butter@uni-mannheim.de>
 *
 * hashing done according to description of NTLM on
 * http://www.innovation.ch/java/ntlm.html
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
#include <glib.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#include "util.h"
#include "ntlm.h"
#include "cipher.h"
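/*
 * NTLM type 1 (negotiate) message header, sent by the client.
 *
 * The struct is written straight into the outgoing buffer, so field order
 * and sizes are the wire format. The fields add up to 32 bytes when the
 * compiler inserts no padding, which is the host string offset that
 * gaim_ntlm_gen_type1() writes.
 *
 * Flag, length and offset fields are unsigned 16-bit values: constants such
 * as 0xb202 do not fit a signed short, and a length above 32767 would turn
 * negative if stored in one.
 */
struct type1_message {
	guint8  protocol[8];  /* 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0' */
	guint8  type;         /* 0x01 */
	guint8  zero1[3];
	guint16 flags;        /* commented as 0xb203 originally; gaim_ntlm_gen_type1() sets 0xb202 */
	guint8  zero2[2];

	guint16 dom_len1;     /* domain string length */
	guint16 dom_len2;     /* domain string length */
	guint16 dom_off;      /* domain string offset */
	guint8  zero3[2];

	guint16 host_len1;    /* host string length */
	guint16 host_len2;    /* host string length */
	guint16 host_off;     /* host string offset (always 0x20) */
	guint8  zero4[2];

	/* Variable-length data follows the header in the buffer:
	 *   guint8 host[*];   host string (ASCII)
	 *   guint8 dom[*];    domain string (ASCII)
	 */
};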
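/*
 * NTLM type 2 (challenge) message, received from the server.
 *
 * gaim_ntlm_parse_type2() overlays this struct on the base64-decoded server
 * data, so every field here is untrusted input. With no padding the nonce
 * occupies bytes 24..31 and the whole struct is 40 (0x28) bytes.
 *
 * The 16-bit fields are unsigned, matching the other NTLM structs in this
 * file; 0x8201 does not fit a signed short.
 */
struct type2_message {
	guint8  protocol[8];  /* 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0' */
	guint8  type;         /* 0x02 */
	guint8  zero1[7];
	guint16 msg_len;      /* 0x28 */
	guint8  zero2[2];
	guint16 flags;        /* 0x8201 */
	guint8  zero3[2];

	guint8  nonce[8];     /* server challenge (nonce) */
	guint8  zero[8];
};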
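/*
 * NTLM type 3 (authenticate) message header, sent by the client.
 *
 * Written straight into the outgoing buffer by gaim_ntlm_gen_type3(); field
 * order and sizes are the wire format. The fields add up to 64 (0x40) bytes
 * when the compiler inserts no padding, which is the domain offset that
 * function writes.
 *
 * Flag, length and offset fields are unsigned 16-bit values: 0x8200 does not
 * fit a signed short, and msg_len is later used as a buffer length, where a
 * negative value would be converted to a huge size.
 */
struct type3_message {
	guint8  protocol[8];   /* 'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0' */
	guint8  type;          /* 0x03 */
	guint8  zero1[3];

	guint16 lm_resp_len1;  /* LanManager response length (always 0x18) */
	guint16 lm_resp_len2;  /* LanManager response length (always 0x18) */
	guint16 lm_resp_off;   /* LanManager response offset */
	guint8  zero2[2];

	guint16 nt_resp_len1;  /* NT response length (always 0x18) */
	guint16 nt_resp_len2;  /* NT response length (always 0x18) */
	guint16 nt_resp_off;   /* NT response offset */
	guint8  zero3[2];

	guint16 dom_len1;      /* domain string length */
	guint16 dom_len2;      /* domain string length */
	guint16 dom_off;       /* domain string offset (always 0x40) */
	guint8  zero4[2];

	guint16 user_len1;     /* username string length */
	guint16 user_len2;     /* username string length */
	guint16 user_off;      /* username string offset */
	guint8  zero5[2];

	guint16 host_len1;     /* host string length */
	guint16 host_len2;     /* host string length */
	guint16 host_off;      /* host string offset */
	guint8  zero6[6];

	guint16 msg_len;       /* message length */
	guint8  zero7[2];

	guint16 flags;         /* commented as 0x8201 originally; gaim_ntlm_gen_type3() sets 0x8200 */
	guint8  zero8[2];

	/* Variable-length data follows the header in the buffer. The original
	 * comment describes the three strings as UTF-16LE, but
	 * gaim_ntlm_gen_type3() copies them as single-byte strings.
	 *   guint8 dom[*];      domain string
	 *   guint8 user[*];     username string
	 *   guint8 host[*];     host string
	 *   guint8 lm_resp[*];  LanManager response
	 *   guint8 nt_resp[*];  NT response
	 */
};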
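/**
 * Build the NTLM type 1 (negotiate) message and return it base64-encoded.
 *
 * The message is the fixed header (struct type1_message) followed by the
 * host name and then the domain name, both copied as raw bytes without a
 * terminator.
 *
 * @param hostname  NUL-terminated workstation name; must not be NULL.
 * @param domain    NUL-terminated domain name; must not be NULL.
 * @return The string produced by gaim_base64_encode() (ownership presumably
 *         passes to the caller; confirm against util.h), or NULL when an
 *         argument is NULL or the message would not fit the 16-bit length
 *         and offset fields.
 */
gchar *gaim_ntlm_gen_type1(gchar *hostname, gchar *domain) {
	const gsize hdr_len = sizeof(struct type1_message);
	gsize host_len, dom_len, total;
	struct type1_message *tmsg;
	char *msg;
	gchar *encoded;

	g_return_val_if_fail(hostname != NULL, NULL);
	g_return_val_if_fail(domain != NULL, NULL);

	host_len = strlen(hostname);
	dom_len = strlen(domain);

	/* Every length and offset is a 16-bit wire field; refuse input that
	 * would be silently truncated into an inconsistent message. */
	if (host_len > 0xFFFF || dom_len > 0xFFFF ||
	    hdr_len + host_len + dom_len > 0xFFFF)
		return NULL;
	total = hdr_len + host_len + dom_len;

	msg = g_malloc0(total);
	tmsg = (struct type1_message *)msg;

	memcpy(tmsg->protocol, "NTLMSSP", 8); /* 7 characters plus the NUL */
	tmsg->type = 0x01;

	/* Multi-byte fields go out little-endian regardless of host order. */
	tmsg->flags = GUINT16_TO_LE(0xb202);
	tmsg->dom_len1 = tmsg->dom_len2 = GUINT16_TO_LE(dom_len);
	tmsg->dom_off = GUINT16_TO_LE(hdr_len + host_len);
	tmsg->host_len1 = tmsg->host_len2 = GUINT16_TO_LE(host_len);
	tmsg->host_off = GUINT16_TO_LE(hdr_len);

	memcpy(msg + hdr_len, hostname, host_len);
	memcpy(msg + hdr_len + host_len, domain, dom_len);

	encoded = gaim_base64_encode(msg, total);

	/* The raw message is only an intermediate; it was leaked before. */
	g_free(msg);

	return encoded;
}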
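/**
 * Extract the 8-byte server challenge from a base64-encoded type 2 message.
 *
 * The input comes from the remote server and is untrusted: the decoded
 * buffer may be missing or shorter than the header, so its length is checked
 * before the nonce is read. On any failure the nonce is set to all zeros,
 * which keeps the "never returns NULL" behaviour existing callers rely on;
 * callers cannot tell that case apart from a server that sent a zero
 * challenge.
 *
 * NOTE(review): the "NTLMSSP" signature and the type byte (0x02) are not
 * verified here.
 *
 * @param type2  Base64 text of the server's type 2 message.
 * @return Pointer to a function-static 8-byte buffer. It is overwritten by
 *         the next call, is not NUL-terminated, and must not be freed.
 */
gchar *gaim_ntlm_parse_type2(gchar *type2) {
	static gchar nonce[8];
	/* Bytes that must be present for the nonce field to be readable. */
	const gsize need = offsetof(struct type2_message, nonce) + sizeof nonce;
	int retlen = 0;
	struct type2_message *tmsg = NULL;

	if (type2 != NULL)
		tmsg = (struct type2_message*)gaim_base64_decode(type2, &retlen);

	if (tmsg != NULL && retlen > 0 && (gsize)retlen >= need)
		memcpy(nonce, tmsg->nonce, sizeof nonce);
	else
		memset(nonce, 0, sizeof nonce); /* decode failed or message truncated */

	g_free(tmsg);
	return nonce;
}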
/*
 * Spread 7 input bytes (56 key bits) over the 8 bytes of a DES key.
 *
 * Each output byte takes 7 consecutive input bits in its upper bits; the
 * lowest bit of bytes 1..7 is left 0 and byte 0 is copied unchanged, so no
 * parity is computed here.
 *
 * key_56: 7 readable bytes.  key: 8 writable bytes.
 */
static void setup_des_key(unsigned char key_56[], char *key)
{
	int i;

	key[0] = key_56[0];

	/* byte i = low bits of input i-1 shifted up, joined with the top of input i */
	for (i = 1; i < 7; i++)
		key[i] = ((key_56[i - 1] << (8 - i)) & 0xFF) | (key_56[i] >> i);

	key[7] = (key_56[6] << 1) & 0xFF;
}
/*
 * Helper around gaim's cipher.c: encrypt one 8-byte block with the "des"
 * cipher.
 *
 * plaintext: 8 input bytes.  result: receives the cipher output.
 * key: key bytes handed to gaim_cipher_context_set_key().
 *
 * None of the cipher calls are checked for failure, and the output length
 * reported by the cipher is discarded.
 */
static void des_ecb_encrypt(char *plaintext, char *result, char *key) {
	int written;
	GaimCipherContext *des_ctx;

	des_ctx = gaim_cipher_context_new(gaim_ciphers_find_cipher("des"), NULL);
	gaim_cipher_context_set_key(des_ctx, key);
	gaim_cipher_context_encrypt(des_ctx, plaintext, 8, result, &written);
	gaim_cipher_context_destroy(des_ctx);
}
/*
 * Compute a 24-byte challenge response.
 *
 * keys is read as three consecutive 7-byte (56-bit) DES keys, 21 bytes in
 * total. The same 8-byte plaintext is encrypted under each key in turn and
 * the three 8-byte outputs are written back to back into results.
 */
static void calc_resp(unsigned char *keys, unsigned char *plaintext, unsigned char *results)
{
	gchar des_key[8];
	int part;

	for (part = 0; part < 3; part++) {
		setup_des_key(keys + 7 * part, des_key);
		des_ecb_encrypt(plaintext, results + 8 * part, des_key);
	}
}
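/*
 * Best-effort scrub of password-derived bytes. Writing through a volatile
 * pointer keeps the compiler from dropping the stores as dead writes.
 */
static void ntlm_wipe(void *buf, gsize len)
{
	volatile unsigned char *p = buf;

	while (len--)
		*p++ = 0;
}

/**
 * Build the NTLM type 3 (authenticate) message and return it base64-encoded.
 *
 * The message is the fixed header (struct type3_message) followed by the
 * domain, user name and host name as raw single-byte strings, then the
 * 24-byte LanManager response and the 24-byte NT response. Both responses
 * are always sent; they are DES-based and weak by current standards, so the
 * output should be treated as password-equivalent material on the wire.
 *
 * The NT hash input is built by widening each password byte with a zero
 * byte, which matches UTF-16LE only for ASCII passwords.
 *
 * @param username  NUL-terminated user name; must not be NULL.
 * @param passw     NUL-terminated password; must not be NULL. Any length is
 *                  accepted (the LM part uses at most the first 14 bytes).
 * @param hostname  NUL-terminated workstation name; must not be NULL.
 * @param domain    NUL-terminated domain name; must not be NULL.
 * @param nonce     8-byte server challenge; must not be NULL.
 * @return The string produced by gaim_base64_encode(), or NULL when an
 *         argument is NULL or the message would not fit the 16-bit length
 *         and offset fields.
 */
gchar *gaim_ntlm_gen_type3(gchar *username, gchar *passw, gchar *hostname, gchar *domain, gchar *nonce) {
	const gsize hdr_len = sizeof(struct type3_message);
	const gsize resp_len = 0x18;
	unsigned char lm_pw[14];
	unsigned char lm_hpw[21] = { 0 };
	unsigned char nt_hpw[21] = { 0 };
	unsigned char lm_resp[24], nt_resp[24];
	unsigned char magic[] = { 0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25 };
	gchar key[8];
	gsize dom_len, user_len, host_len, pw_len, lm_len;
	gsize strings_end, total, idx;
	struct type3_message *tmsg;
	char *nt_pw;
	GaimCipher *cipher;
	GaimCipherContext *context;
	char *tmp;
	gchar *encoded;

	g_return_val_if_fail(username != NULL, NULL);
	g_return_val_if_fail(passw != NULL, NULL);
	g_return_val_if_fail(hostname != NULL, NULL);
	g_return_val_if_fail(domain != NULL, NULL);
	g_return_val_if_fail(nonce != NULL, NULL);

	dom_len = strlen(domain);
	user_len = strlen(username);
	host_len = strlen(hostname);
	pw_len = strlen(passw);

	/* Every length and offset, including msg_len, is a 16-bit wire field;
	 * refuse input that would wrap instead of emitting a message whose
	 * declared length disagrees with the buffer. */
	if (dom_len > 0xFFFF || user_len > 0xFFFF || host_len > 0xFFFF ||
	    hdr_len + dom_len + user_len + host_len + 2 * resp_len > 0xFFFF)
		return NULL;
	strings_end = hdr_len + dom_len + user_len + host_len;
	total = strings_end + 2 * resp_len;

	/* type3 message initialization */
	tmsg = g_malloc0(total);
	memcpy(tmsg->protocol, "NTLMSSP", 8); /* 7 characters plus the NUL */
	tmsg->type = 0x03;

	/* Multi-byte fields go out little-endian regardless of host order. */
	tmsg->lm_resp_len1 = tmsg->lm_resp_len2 = GUINT16_TO_LE(resp_len);
	tmsg->lm_resp_off = GUINT16_TO_LE(strings_end);
	tmsg->nt_resp_len1 = tmsg->nt_resp_len2 = GUINT16_TO_LE(resp_len);
	tmsg->nt_resp_off = GUINT16_TO_LE(strings_end + resp_len);

	tmsg->dom_len1 = tmsg->dom_len2 = GUINT16_TO_LE(dom_len);
	tmsg->dom_off = GUINT16_TO_LE(hdr_len);

	tmsg->user_len1 = tmsg->user_len2 = GUINT16_TO_LE(user_len);
	tmsg->user_off = GUINT16_TO_LE(hdr_len + dom_len);

	tmsg->host_len1 = tmsg->host_len2 = GUINT16_TO_LE(host_len);
	tmsg->host_off = GUINT16_TO_LE(hdr_len + dom_len + user_len);

	tmsg->msg_len = GUINT16_TO_LE(total);
	tmsg->flags = GUINT16_TO_LE(0x8200);

	/* strings are stored back to back, without terminators */
	tmp = ((char *)tmsg) + hdr_len;
	memcpy(tmp, domain, dom_len);
	tmp += dom_len;
	memcpy(tmp, username, user_len);
	tmp += user_len;
	memcpy(tmp, hostname, host_len);
	tmp += host_len;

	/* LM hash: upper-cased password, zero-padded or cut to 14 bytes, used
	 * as two DES keys that each encrypt the fixed magic block. */
	lm_len = MIN(pw_len, sizeof lm_pw);
	memset(lm_pw, 0, sizeof lm_pw);
	for (idx = 0; idx < lm_len; idx++)
		lm_pw[idx] = (unsigned char)g_ascii_toupper(passw[idx]);

	setup_des_key(lm_pw, key);
	des_ecb_encrypt((char *)magic, (char *)lm_hpw, key);

	setup_des_key(lm_pw + 7, key);
	des_ecb_encrypt((char *)magic, (char *)lm_hpw + 8, key);

	memset(lm_hpw + 16, 0, 5);

	/* NT hash: MD4 over the widened password. The buffer is sized from the
	 * password instead of a fixed 128 bytes, which overflowed the stack for
	 * passwords longer than 64 characters. The extra 2 bytes keep the
	 * allocation non-empty for an empty password. */
	nt_pw = g_malloc0(2 * pw_len + 2);
	for (idx = 0; idx < pw_len; idx++) {
		nt_pw[2 * idx] = passw[idx];
		nt_pw[2 * idx + 1] = 0;
	}

	cipher = gaim_ciphers_find_cipher("md4");
	context = gaim_cipher_context_new(cipher, NULL);
	gaim_cipher_context_append(context, nt_pw, 2 * pw_len);
	gaim_cipher_context_digest(context, 21, nt_hpw, NULL);
	gaim_cipher_context_destroy(context);

	memset(nt_hpw + 16, 0, 5);

	calc_resp(lm_hpw, (unsigned char *)nonce, lm_resp);
	calc_resp(nt_hpw, (unsigned char *)nonce, nt_resp);
	memcpy(tmp, lm_resp, resp_len);
	memcpy(tmp + resp_len, nt_resp, resp_len);

	/* Password-equivalent intermediates are no longer needed. */
	ntlm_wipe(lm_pw, sizeof lm_pw);
	ntlm_wipe(lm_hpw, sizeof lm_hpw);
	ntlm_wipe(nt_hpw, sizeof nt_hpw);
	ntlm_wipe(key, sizeof key);
	ntlm_wipe(nt_pw, 2 * pw_len + 2);
	g_free(nt_pw);

	/* Encode using the locally computed size; the header copy of msg_len
	 * is in wire byte order. */
	encoded = gaim_base64_encode((guchar*) tmsg, total);
	g_free(tmsg);
	return encoded;
}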