1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_auth_handler_ntlm.h" 6 7 #include <stdlib.h> 8 // For gethostname 9 #if defined(OS_POSIX) 10 #include <unistd.h> 11 #elif defined(OS_WIN) 12 #include <winsock2.h> 13 #endif 14 15 #include "base/md5.h" 16 #include "base/rand_util.h" 17 #include "base/strings/string_util.h" 18 #include "base/strings/sys_string_conversions.h" 19 #include "base/strings/utf_string_conversions.h" 20 #include "net/base/net_errors.h" 21 #include "net/base/net_util.h" 22 #include "net/base/zap.h" 23 #include "net/http/des.h" 24 #include "net/http/md4.h" 25 26 namespace net { 27 28 // Based on mozilla/security/manager/ssl/src/nsNTLMAuthModule.cpp, 29 // CVS rev. 1.14. 30 // 31 // TODO(wtc): 32 // - The IS_BIG_ENDIAN code is not tested. 33 // - Enable the logging code or just delete it. 34 // - Delete or comment out the LM code, which hasn't been tested and isn't 35 // being used. 36 37 /* ***** BEGIN LICENSE BLOCK ***** 38 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 39 * 40 * The contents of this file are subject to the Mozilla Public License Version 41 * 1.1 (the "License"); you may not use this file except in compliance with 42 * the License. You may obtain a copy of the License at 43 * http://www.mozilla.org/MPL/ 44 * 45 * Software distributed under the License is distributed on an "AS IS" basis, 46 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 47 * for the specific language governing rights and limitations under the 48 * License. 49 * 50 * The Original Code is Mozilla. 51 * 52 * The Initial Developer of the Original Code is IBM Corporation. 53 * Portions created by IBM Corporation are Copyright (C) 2003 54 * IBM Corporation. All Rights Reserved. 55 * 56 * Contributor(s): 57 * Darin Fisher <darin (at) meer.net> 58 * 59 * Alternatively, the contents of this file may be used under the terms of 60 * either the GNU General Public License Version 2 or later (the "GPL"), or 61 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), 62 * in which case the provisions of the GPL or the LGPL are applicable instead 63 * of those above. If you wish to allow use of your version of this file only 64 * under the terms of either the GPL or the LGPL, and not to allow others to 65 * use your version of this file under the terms of the MPL, indicate your 66 * decision by deleting the provisions above and replace them with the notice 67 * and other provisions required by the GPL or the LGPL. If you do not delete 68 * the provisions above, a recipient may use your version of this file under 69 * the terms of any one of the MPL, the GPL or the LGPL. 70 * 71 * ***** END LICENSE BLOCK ***** */ 72 73 #if defined(ARCH_CPU_LITTLE_ENDIAN) 74 #define IS_LITTLE_ENDIAN 1 75 #undef IS_BIG_ENDIAN 76 #elif defined(ARCH_CPU_BIG_ENDIAN) 77 #define IS_BIG_ENDIAN 1 78 #undef IS_LITTLE_ENDIAN 79 #else 80 #error "Unknown endianness" 81 #endif 82 83 #define NTLM_LOG(x) ((void) 0) 84 85 //----------------------------------------------------------------------------- 86 // This file contains a cross-platform NTLM authentication implementation. It 87 // is based on documentation from: http://davenport.sourceforge.net/ntlm.html 88 //----------------------------------------------------------------------------- 89 90 enum { 91 NTLM_NegotiateUnicode = 0x00000001, 92 NTLM_NegotiateOEM = 0x00000002, 93 NTLM_RequestTarget = 0x00000004, 94 NTLM_Unknown1 = 0x00000008, 95 NTLM_NegotiateSign = 0x00000010, 96 NTLM_NegotiateSeal = 0x00000020, 97 NTLM_NegotiateDatagramStyle = 0x00000040, 98 NTLM_NegotiateLanManagerKey = 0x00000080, 99 NTLM_NegotiateNetware = 0x00000100, 100 NTLM_NegotiateNTLMKey = 0x00000200, 101 NTLM_Unknown2 = 0x00000400, 102 NTLM_Unknown3 = 0x00000800, 103 NTLM_NegotiateDomainSupplied = 0x00001000, 104 NTLM_NegotiateWorkstationSupplied = 0x00002000, 105 NTLM_NegotiateLocalCall = 0x00004000, 106 NTLM_NegotiateAlwaysSign = 0x00008000, 107 NTLM_TargetTypeDomain = 0x00010000, 108 NTLM_TargetTypeServer = 0x00020000, 109 NTLM_TargetTypeShare = 0x00040000, 110 NTLM_NegotiateNTLM2Key = 0x00080000, 111 NTLM_RequestInitResponse = 0x00100000, 112 NTLM_RequestAcceptResponse = 0x00200000, 113 NTLM_RequestNonNTSessionKey = 0x00400000, 114 NTLM_NegotiateTargetInfo = 0x00800000, 115 NTLM_Unknown4 = 0x01000000, 116 NTLM_Unknown5 = 0x02000000, 117 NTLM_Unknown6 = 0x04000000, 118 NTLM_Unknown7 = 0x08000000, 119 NTLM_Unknown8 = 0x10000000, 120 NTLM_Negotiate128 = 0x20000000, 121 NTLM_NegotiateKeyExchange = 0x40000000, 122 NTLM_Negotiate56 = 0x80000000 123 }; 124 125 // We send these flags with our type 1 message. 126 enum { 127 NTLM_TYPE1_FLAGS = (NTLM_NegotiateUnicode | 128 NTLM_NegotiateOEM | 129 NTLM_RequestTarget | 130 NTLM_NegotiateNTLMKey | 131 NTLM_NegotiateAlwaysSign | 132 NTLM_NegotiateNTLM2Key) 133 }; 134 135 static const char NTLM_SIGNATURE[] = "NTLMSSP"; 136 static const char NTLM_TYPE1_MARKER[] = { 0x01, 0x00, 0x00, 0x00 }; 137 static const char NTLM_TYPE2_MARKER[] = { 0x02, 0x00, 0x00, 0x00 }; 138 static const char NTLM_TYPE3_MARKER[] = { 0x03, 0x00, 0x00, 0x00 }; 139 140 enum { 141 NTLM_TYPE1_HEADER_LEN = 32, 142 NTLM_TYPE2_HEADER_LEN = 32, 143 NTLM_TYPE3_HEADER_LEN = 64, 144 145 LM_HASH_LEN = 16, 146 LM_RESP_LEN = 24, 147 148 NTLM_HASH_LEN = 16, 149 NTLM_RESP_LEN = 24 150 }; 151 152 //----------------------------------------------------------------------------- 153 154 // The return value of this function controls whether or not the LM hash will 155 // be included in response to a NTLM challenge. 156 // 157 // In Mozilla, this function returns the value of the boolean preference 158 // "network.ntlm.send-lm-response". By default, the preference is disabled 159 // since servers should almost never need the LM hash, and the LM hash is what 160 // makes NTLM authentication less secure. See 161 // https://bugzilla.mozilla.org/show_bug.cgi?id=250691 for further details. 162 // 163 // We just return a hardcoded false. 164 static bool SendLM() { 165 return false; 166 } 167 168 //----------------------------------------------------------------------------- 169 170 #define LogFlags(x) ((void) 0) 171 #define LogBuf(a, b, c) ((void) 0) 172 #define LogToken(a, b, c) ((void) 0) 173 174 //----------------------------------------------------------------------------- 175 176 // Byte order swapping. 177 #define SWAP16(x) ((((x) & 0xff) << 8) | (((x) >> 8) & 0xff)) 178 #define SWAP32(x) ((SWAP16((x) & 0xffff) << 16) | (SWAP16((x) >> 16))) 179 180 static void* WriteBytes(void* buf, const void* data, uint32 data_len) { 181 memcpy(buf, data, data_len); 182 return static_cast<char*>(buf) + data_len; 183 } 184 185 static void* WriteDWORD(void* buf, uint32 dword) { 186 #ifdef IS_BIG_ENDIAN 187 // NTLM uses little endian on the wire. 188 dword = SWAP32(dword); 189 #endif 190 return WriteBytes(buf, &dword, sizeof(dword)); 191 } 192 193 static void* WriteSecBuf(void* buf, uint16 length, uint32 offset) { 194 #ifdef IS_BIG_ENDIAN 195 length = SWAP16(length); 196 offset = SWAP32(offset); 197 #endif 198 // Len: 2 bytes. 199 buf = WriteBytes(buf, &length, sizeof(length)); 200 // MaxLen: 2 bytes. The sender should set it to the value of Len. The 201 // recipient must ignore it. 202 buf = WriteBytes(buf, &length, sizeof(length)); 203 // BufferOffset: 4 bytes. 204 buf = WriteBytes(buf, &offset, sizeof(offset)); 205 return buf; 206 } 207 208 #ifdef IS_BIG_ENDIAN 209 /** 210 * WriteUnicodeLE copies a unicode string from one buffer to another. The 211 * resulting unicode string is in little-endian format. The input string is 212 * assumed to be in the native endianness of the local machine. It is safe 213 * to pass the same buffer as both input and output, which is a handy way to 214 * convert the unicode buffer to little-endian on big-endian platforms. 215 */ 216 static void* WriteUnicodeLE( 217 void* buf, const base::char16* str, uint32 str_len) { 218 // Convert input string from BE to LE. 219 uint8* cursor = static_cast<uint8*>(buf); 220 const uint8* input = reinterpret_cast<const uint8*>(str); 221 for (uint32 i = 0; i < str_len; ++i, input += 2, cursor += 2) { 222 // Allow for the case where |buf == str|. 223 uint8 temp = input[0]; 224 cursor[0] = input[1]; 225 cursor[1] = temp; 226 } 227 return buf; 228 } 229 #endif 230 231 static uint16 ReadUint16(const uint8*& buf) { 232 uint16 x = (static_cast<uint16>(buf[0])) | 233 (static_cast<uint16>(buf[1]) << 8); 234 buf += sizeof(x); 235 return x; 236 } 237 238 static uint32 ReadUint32(const uint8*& buf) { 239 uint32 x = (static_cast<uint32>(buf[0])) | 240 (static_cast<uint32>(buf[1]) << 8) | 241 (static_cast<uint32>(buf[2]) << 16) | 242 (static_cast<uint32>(buf[3]) << 24); 243 buf += sizeof(x); 244 return x; 245 } 246 247 //----------------------------------------------------------------------------- 248 249 // LM_Hash computes the LM hash of the given password. 250 // 251 // param password 252 // unicode password. 253 // param hash 254 // 16-byte result buffer 255 // 256 // Note: This function is not being used because our SendLM() function always 257 // returns false. 258 static void LM_Hash(const base::string16& password, uint8* hash) { 259 static const uint8 LM_MAGIC[] = "KGS!@#$%"; 260 261 // Convert password to OEM character set. We'll just use the native 262 // filesystem charset. 263 std::string passbuf = base::SysWideToNativeMB(base::UTF16ToWide(password)); 264 StringToUpperASCII(&passbuf); 265 passbuf.resize(14, '\0'); 266 267 uint8 k1[8], k2[8]; 268 DESMakeKey(reinterpret_cast<const uint8*>(passbuf.data()) , k1); 269 DESMakeKey(reinterpret_cast<const uint8*>(passbuf.data()) + 7, k2); 270 ZapString(&passbuf); 271 272 // Use password keys to hash LM magic string twice. 273 DESEncrypt(k1, LM_MAGIC, hash); 274 DESEncrypt(k2, LM_MAGIC, hash + 8); 275 } 276 277 // NTLM_Hash computes the NTLM hash of the given password. 278 // 279 // param password 280 // null-terminated unicode password. 281 // param hash 282 // 16-byte result buffer 283 static void NTLM_Hash(const base::string16& password, uint8* hash) { 284 #ifdef IS_BIG_ENDIAN 285 uint32 len = password.length(); 286 uint8* passbuf; 287 288 passbuf = static_cast<uint8*>(malloc(len * 2)); 289 WriteUnicodeLE(passbuf, password.data(), len); 290 weak_crypto::MD4Sum(passbuf, len * 2, hash); 291 292 ZapBuf(passbuf, len * 2); 293 free(passbuf); 294 #else 295 weak_crypto::MD4Sum(reinterpret_cast<const uint8*>(password.data()), 296 password.length() * 2, hash); 297 #endif 298 } 299 300 //----------------------------------------------------------------------------- 301 302 // LM_Response generates the LM response given a 16-byte password hash and the 303 // challenge from the Type-2 message. 304 // 305 // param hash 306 // 16-byte password hash 307 // param challenge 308 // 8-byte challenge from Type-2 message 309 // param response 310 // 24-byte buffer to contain the LM response upon return 311 static void LM_Response(const uint8* hash, 312 const uint8* challenge, 313 uint8* response) { 314 uint8 keybytes[21], k1[8], k2[8], k3[8]; 315 316 memcpy(keybytes, hash, 16); 317 ZapBuf(keybytes + 16, 5); 318 319 DESMakeKey(keybytes , k1); 320 DESMakeKey(keybytes + 7, k2); 321 DESMakeKey(keybytes + 14, k3); 322 323 DESEncrypt(k1, challenge, response); 324 DESEncrypt(k2, challenge, response + 8); 325 DESEncrypt(k3, challenge, response + 16); 326 } 327 328 //----------------------------------------------------------------------------- 329 330 // Returns OK or a network error code. 331 static int GenerateType1Msg(void** out_buf, uint32* out_len) { 332 // 333 // Verify that buf_len is sufficient. 334 // 335 *out_len = NTLM_TYPE1_HEADER_LEN; 336 *out_buf = malloc(*out_len); 337 if (!*out_buf) 338 return ERR_OUT_OF_MEMORY; 339 340 // 341 // Write out type 1 message. 342 // 343 void* cursor = *out_buf; 344 345 // 0 : signature 346 cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)); 347 348 // 8 : marker 349 cursor = WriteBytes(cursor, NTLM_TYPE1_MARKER, sizeof(NTLM_TYPE1_MARKER)); 350 351 // 12 : flags 352 cursor = WriteDWORD(cursor, NTLM_TYPE1_FLAGS); 353 354 // 355 // NOTE: It is common for the domain and workstation fields to be empty. 356 // This is true of Win2k clients, and my guess is that there is 357 // little utility to sending these strings before the charset has 358 // been negotiated. We follow suite -- anyways, it doesn't hurt 359 // to save some bytes on the wire ;-) 360 // 361 362 // 16 : supplied domain security buffer (empty) 363 cursor = WriteSecBuf(cursor, 0, 0); 364 365 // 24 : supplied workstation security buffer (empty) 366 cursor = WriteSecBuf(cursor, 0, 0); 367 368 return OK; 369 } 370 371 struct Type2Msg { 372 uint32 flags; // NTLM_Xxx bitwise combination 373 uint8 challenge[8]; // 8 byte challenge 374 const void* target; // target string (type depends on flags) 375 uint32 target_len; // target length in bytes 376 }; 377 378 // Returns OK or a network error code. 379 // TODO(wtc): This function returns ERR_UNEXPECTED when the input message is 380 // invalid. We should return a better error code. 381 static int ParseType2Msg(const void* in_buf, uint32 in_len, Type2Msg* msg) { 382 // Make sure in_buf is long enough to contain a meaningful type2 msg. 383 // 384 // 0 NTLMSSP Signature 385 // 8 NTLM Message Type 386 // 12 Target Name 387 // 20 Flags 388 // 24 Challenge 389 // 32 end of header, start of optional data blocks 390 // 391 if (in_len < NTLM_TYPE2_HEADER_LEN) 392 return ERR_UNEXPECTED; 393 394 const uint8* cursor = (const uint8*) in_buf; 395 396 // verify NTLMSSP signature 397 if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0) 398 return ERR_UNEXPECTED; 399 cursor += sizeof(NTLM_SIGNATURE); 400 401 // verify Type-2 marker 402 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) 403 return ERR_UNEXPECTED; 404 cursor += sizeof(NTLM_TYPE2_MARKER); 405 406 // read target name security buffer 407 uint32 target_len = ReadUint16(cursor); 408 ReadUint16(cursor); // discard next 16-bit value 409 uint32 offset = ReadUint32(cursor); // get offset from in_buf 410 msg->target_len = 0; 411 msg->target = NULL; 412 // Check the offset / length combo is in range of the input buffer, including 413 // integer overflow checking. 414 if (offset + target_len > offset && offset + target_len <= in_len) { 415 msg->target_len = target_len; 416 msg->target = ((const uint8*) in_buf) + offset; 417 } 418 419 // read flags 420 msg->flags = ReadUint32(cursor); 421 422 // read challenge 423 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); 424 cursor += sizeof(msg->challenge); 425 426 NTLM_LOG(("NTLM type 2 message:\n")); 427 LogBuf("target", (const uint8*) msg->target, msg->target_len); 428 LogBuf("flags", (const uint8*) &msg->flags, 4); 429 LogFlags(msg->flags); 430 LogBuf("challenge", msg->challenge, sizeof(msg->challenge)); 431 432 // We currently do not implement LMv2/NTLMv2 or NTLM2 responses, 433 // so we can ignore target information. We may want to enable 434 // support for these alternate mechanisms in the future. 435 return OK; 436 } 437 438 static void GenerateRandom(uint8* output, size_t n) { 439 for (size_t i = 0; i < n; ++i) 440 output[i] = base::RandInt(0, 255); 441 } 442 443 // Returns OK or a network error code. 444 static int GenerateType3Msg(const base::string16& domain, 445 const base::string16& username, 446 const base::string16& password, 447 const std::string& hostname, 448 const void* rand_8_bytes, 449 const void* in_buf, 450 uint32 in_len, 451 void** out_buf, 452 uint32* out_len) { 453 // in_buf contains Type-2 msg (the challenge) from server. 454 455 int rv; 456 Type2Msg msg; 457 458 rv = ParseType2Msg(in_buf, in_len, &msg); 459 if (rv != OK) 460 return rv; 461 462 bool unicode = (msg.flags & NTLM_NegotiateUnicode) != 0; 463 464 // Temporary buffers for unicode strings 465 #ifdef IS_BIG_ENDIAN 466 base::string16 ucs_domain_buf, ucs_user_buf; 467 #endif 468 base::string16 ucs_host_buf; 469 // Temporary buffers for oem strings 470 std::string oem_domain_buf, oem_user_buf; 471 // Pointers and lengths for the string buffers; encoding is unicode if 472 // the "negotiate unicode" flag was set in the Type-2 message. 473 const void* domain_ptr; 474 const void* user_ptr; 475 const void* host_ptr; 476 uint32 domain_len, user_len, host_len; 477 478 // 479 // Get domain name. 480 // 481 if (unicode) { 482 #ifdef IS_BIG_ENDIAN 483 ucs_domain_buf = domain; 484 domain_ptr = ucs_domain_buf.data(); 485 domain_len = ucs_domain_buf.length() * 2; 486 WriteUnicodeLE(const_cast<void*>(domain_ptr), 487 (const base::char16*) domain_ptr, 488 ucs_domain_buf.length()); 489 #else 490 domain_ptr = domain.data(); 491 domain_len = domain.length() * 2; 492 #endif 493 } else { 494 oem_domain_buf = base::SysWideToNativeMB(base::UTF16ToWide(domain)); 495 domain_ptr = oem_domain_buf.data(); 496 domain_len = oem_domain_buf.length(); 497 } 498 499 // 500 // Get user name. 501 // 502 if (unicode) { 503 #ifdef IS_BIG_ENDIAN 504 ucs_user_buf = username; 505 user_ptr = ucs_user_buf.data(); 506 user_len = ucs_user_buf.length() * 2; 507 WriteUnicodeLE(const_cast<void*>(user_ptr), (const base::char16*) user_ptr, 508 ucs_user_buf.length()); 509 #else 510 user_ptr = username.data(); 511 user_len = username.length() * 2; 512 #endif 513 } else { 514 oem_user_buf = base::SysWideToNativeMB(base::UTF16ToWide(username)); 515 user_ptr = oem_user_buf.data(); 516 user_len = oem_user_buf.length(); 517 } 518 519 // 520 // Get workstation name (use local machine's hostname). 521 // 522 if (unicode) { 523 // hostname is ASCII, so we can do a simple zero-pad expansion: 524 ucs_host_buf.assign(hostname.begin(), hostname.end()); 525 host_ptr = ucs_host_buf.data(); 526 host_len = ucs_host_buf.length() * 2; 527 #ifdef IS_BIG_ENDIAN 528 WriteUnicodeLE(const_cast<void*>(host_ptr), (const base::char16*) host_ptr, 529 ucs_host_buf.length()); 530 #endif 531 } else { 532 host_ptr = hostname.data(); 533 host_len = hostname.length(); 534 } 535 536 // 537 // Now that we have generated all of the strings, we can allocate out_buf. 538 // 539 *out_len = NTLM_TYPE3_HEADER_LEN + host_len + domain_len + user_len + 540 LM_RESP_LEN + NTLM_RESP_LEN; 541 *out_buf = malloc(*out_len); 542 if (!*out_buf) 543 return ERR_OUT_OF_MEMORY; 544 545 // 546 // Next, we compute the LM and NTLM responses. 547 // 548 uint8 lm_resp[LM_RESP_LEN]; 549 uint8 ntlm_resp[NTLM_RESP_LEN]; 550 uint8 ntlm_hash[NTLM_HASH_LEN]; 551 if (msg.flags & NTLM_NegotiateNTLM2Key) { 552 // compute NTLM2 session response 553 base::MD5Digest session_hash; 554 uint8 temp[16]; 555 556 memcpy(lm_resp, rand_8_bytes, 8); 557 memset(lm_resp + 8, 0, LM_RESP_LEN - 8); 558 559 memcpy(temp, msg.challenge, 8); 560 memcpy(temp + 8, lm_resp, 8); 561 base::MD5Sum(temp, 16, &session_hash); 562 563 NTLM_Hash(password, ntlm_hash); 564 LM_Response(ntlm_hash, session_hash.a, ntlm_resp); 565 } else { 566 NTLM_Hash(password, ntlm_hash); 567 LM_Response(ntlm_hash, msg.challenge, ntlm_resp); 568 569 if (SendLM()) { 570 uint8 lm_hash[LM_HASH_LEN]; 571 LM_Hash(password, lm_hash); 572 LM_Response(lm_hash, msg.challenge, lm_resp); 573 } else { 574 // According to http://davenport.sourceforge.net/ntlm.html#ntlmVersion2, 575 // the correct way to not send the LM hash is to send the NTLM hash twice 576 // in both the LM and NTLM response fields. 577 LM_Response(ntlm_hash, msg.challenge, lm_resp); 578 } 579 } 580 581 // 582 // Finally, we assemble the Type-3 msg :-) 583 // 584 void* cursor = *out_buf; 585 uint32 offset; 586 587 // 0 : signature 588 cursor = WriteBytes(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)); 589 590 // 8 : marker 591 cursor = WriteBytes(cursor, NTLM_TYPE3_MARKER, sizeof(NTLM_TYPE3_MARKER)); 592 593 // 12 : LM response sec buf 594 offset = NTLM_TYPE3_HEADER_LEN + domain_len + user_len + host_len; 595 cursor = WriteSecBuf(cursor, LM_RESP_LEN, offset); 596 memcpy(static_cast<uint8*>(*out_buf) + offset, lm_resp, LM_RESP_LEN); 597 598 // 20 : NTLM response sec buf 599 offset += LM_RESP_LEN; 600 cursor = WriteSecBuf(cursor, NTLM_RESP_LEN, offset); 601 memcpy(static_cast<uint8*>(*out_buf) + offset, ntlm_resp, NTLM_RESP_LEN); 602 603 // 28 : domain name sec buf 604 offset = NTLM_TYPE3_HEADER_LEN; 605 cursor = WriteSecBuf(cursor, domain_len, offset); 606 memcpy(static_cast<uint8*>(*out_buf) + offset, domain_ptr, domain_len); 607 608 // 36 : user name sec buf 609 offset += domain_len; 610 cursor = WriteSecBuf(cursor, user_len, offset); 611 memcpy(static_cast<uint8*>(*out_buf) + offset, user_ptr, user_len); 612 613 // 44 : workstation (host) name sec buf 614 offset += user_len; 615 cursor = WriteSecBuf(cursor, host_len, offset); 616 memcpy(static_cast<uint8*>(*out_buf) + offset, host_ptr, host_len); 617 618 // 52 : session key sec buf (not used) 619 cursor = WriteSecBuf(cursor, 0, 0); 620 621 // 60 : negotiated flags 622 cursor = WriteDWORD(cursor, msg.flags & NTLM_TYPE1_FLAGS); 623 624 return OK; 625 } 626 627 // NTLM authentication is specified in "NTLM Over HTTP Protocol Specification" 628 // [MS-NTHT]. 629 630 // static 631 HttpAuthHandlerNTLM::GenerateRandomProc 632 HttpAuthHandlerNTLM::generate_random_proc_ = GenerateRandom; 633 634 // static 635 HttpAuthHandlerNTLM::HostNameProc 636 HttpAuthHandlerNTLM::get_host_name_proc_ = GetHostName; 637 638 HttpAuthHandlerNTLM::HttpAuthHandlerNTLM() { 639 } 640 641 bool HttpAuthHandlerNTLM::NeedsIdentity() { 642 // This gets called for each round-trip. Only require identity on 643 // the first call (when auth_data_ is empty). On subsequent calls, 644 // we use the initially established identity. 645 return auth_data_.empty(); 646 } 647 648 bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() { 649 // Default credentials are not supported in the portable implementation of 650 // NTLM, but are supported in the SSPI implementation. 651 return false; 652 } 653 654 int HttpAuthHandlerNTLM::InitializeBeforeFirstChallenge() { 655 return OK; 656 } 657 658 HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() { 659 credentials_.Zap(); 660 } 661 662 // static 663 HttpAuthHandlerNTLM::GenerateRandomProc 664 HttpAuthHandlerNTLM::SetGenerateRandomProc( 665 GenerateRandomProc proc) { 666 GenerateRandomProc old_proc = generate_random_proc_; 667 generate_random_proc_ = proc; 668 return old_proc; 669 } 670 671 // static 672 HttpAuthHandlerNTLM::HostNameProc HttpAuthHandlerNTLM::SetHostNameProc( 673 HostNameProc proc) { 674 HostNameProc old_proc = get_host_name_proc_; 675 get_host_name_proc_ = proc; 676 return old_proc; 677 } 678 679 HttpAuthHandlerNTLM::Factory::Factory() { 680 } 681 682 HttpAuthHandlerNTLM::Factory::~Factory() { 683 } 684 685 int HttpAuthHandlerNTLM::GetNextToken(const void* in_token, 686 uint32 in_token_len, 687 void** out_token, 688 uint32* out_token_len) { 689 int rv = 0; 690 691 // If in_token is non-null, then assume it contains a type 2 message... 692 if (in_token) { 693 LogToken("in-token", in_token, in_token_len); 694 std::string hostname = get_host_name_proc_(); 695 if (hostname.empty()) 696 return ERR_UNEXPECTED; 697 uint8 rand_buf[8]; 698 generate_random_proc_(rand_buf, 8); 699 rv = GenerateType3Msg(domain_, 700 credentials_.username(), credentials_.password(), 701 hostname, rand_buf, 702 in_token, in_token_len, out_token, out_token_len); 703 } else { 704 rv = GenerateType1Msg(out_token, out_token_len); 705 } 706 707 if (rv == OK) 708 LogToken("out-token", *out_token, *out_token_len); 709 710 return rv; 711 } 712 713 int HttpAuthHandlerNTLM::Factory::CreateAuthHandler( 714 HttpAuthChallengeTokenizer* challenge, 715 HttpAuth::Target target, 716 const GURL& origin, 717 CreateReason reason, 718 int digest_nonce_count, 719 const BoundNetLog& net_log, 720 scoped_ptr<HttpAuthHandler>* handler) { 721 if (reason == CREATE_PREEMPTIVE) 722 return ERR_UNSUPPORTED_AUTH_SCHEME; 723 // TODO(cbentzel): Move towards model of parsing in the factory 724 // method and only constructing when valid. 725 // NOTE: Default credentials are not supported for the portable implementation 726 // of NTLM. 727 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM); 728 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) 729 return ERR_INVALID_RESPONSE; 730 handler->swap(tmp_handler); 731 return OK; 732 } 733 734 } // namespace net 735
