OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 2c93a0a029
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2c93a0a029'
${ noResults }
aiforge/vendor/github.com/denisenkom/go-mssqldb/ntlm.go

405 lines
13 kB
Raw Blame History 

  1. // +build !windows

  2. 

  3. package mssql

  4. 

  5. import (

  6. 	"crypto/des"

  7. 	"crypto/hmac"

  8. 	"crypto/md5"

  9. 	"crypto/rand"

  10. 	"encoding/binary"

  11. 	"errors"

  12. 	"fmt"

  13. 	"strings"

  14. 	"time"

  15. 	"unicode/utf16"

  16. 

  17. 	"golang.org/x/crypto/md4"

  18. )

  19. 

  20. const (

  21. 	_NEGOTIATE_MESSAGE    = 1

  22. 	_CHALLENGE_MESSAGE    = 2

  23. 	_AUTHENTICATE_MESSAGE = 3

  24. )

  25. 

  26. const (

  27. 	_NEGOTIATE_UNICODE                  = 0x00000001

  28. 	_NEGOTIATE_OEM                      = 0x00000002

  29. 	_NEGOTIATE_TARGET                   = 0x00000004

  30. 	_NEGOTIATE_SIGN                     = 0x00000010

  31. 	_NEGOTIATE_SEAL                     = 0x00000020

  32. 	_NEGOTIATE_DATAGRAM                 = 0x00000040

  33. 	_NEGOTIATE_LMKEY                    = 0x00000080

  34. 	_NEGOTIATE_NTLM                     = 0x00000200

  35. 	_NEGOTIATE_ANONYMOUS                = 0x00000800

  36. 	_NEGOTIATE_OEM_DOMAIN_SUPPLIED      = 0x00001000

  37. 	_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000

  38. 	_NEGOTIATE_ALWAYS_SIGN              = 0x00008000

  39. 	_NEGOTIATE_TARGET_TYPE_DOMAIN       = 0x00010000

  40. 	_NEGOTIATE_TARGET_TYPE_SERVER       = 0x00020000

  41. 	_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

  42. 	_NEGOTIATE_IDENTIFY                 = 0x00100000

  43. 	_REQUEST_NON_NT_SESSION_KEY         = 0x00400000

  44. 	_NEGOTIATE_TARGET_INFO              = 0x00800000

  45. 	_NEGOTIATE_VERSION                  = 0x02000000

  46. 	_NEGOTIATE_128                      = 0x20000000

  47. 	_NEGOTIATE_KEY_EXCH                 = 0x40000000

  48. 	_NEGOTIATE_56                       = 0x80000000

  49. )

  50. 

  51. const _NEGOTIATE_FLAGS = _NEGOTIATE_UNICODE |

  52. 	_NEGOTIATE_NTLM |

  53. 	_NEGOTIATE_OEM_DOMAIN_SUPPLIED |

  54. 	_NEGOTIATE_OEM_WORKSTATION_SUPPLIED |

  55. 	_NEGOTIATE_ALWAYS_SIGN |

  56. 	_NEGOTIATE_EXTENDED_SESSIONSECURITY

  57. 

  58. type ntlmAuth struct {

  59. 	Domain      string

  60. 	UserName    string

  61. 	Password    string

  62. 	Workstation string

  63. }

  64. 

  65. func getAuth(user, password, service, workstation string) (auth, bool) {

  66. 	if !strings.ContainsRune(user, '\\') {

  67. 		return nil, false

  68. 	}

  69. 	domain_user := strings.SplitN(user, "\\", 2)

  70. 	return &ntlmAuth{

  71. 		Domain:      domain_user[0],

  72. 		UserName:    domain_user[1],

  73. 		Password:    password,

  74. 		Workstation: workstation,

  75. 	}, true

  76. }

  77. 

  78. func utf16le(val string) []byte {

  79. 	var v []byte

  80. 	for _, r := range val {

  81. 		if utf16.IsSurrogate(r) {

  82. 			r1, r2 := utf16.EncodeRune(r)

  83. 			v = append(v, byte(r1), byte(r1>>8))

  84. 			v = append(v, byte(r2), byte(r2>>8))

  85. 		} else {

  86. 			v = append(v, byte(r), byte(r>>8))

  87. 		}

  88. 	}

  89. 	return v

  90. }

  91. 

  92. func (auth *ntlmAuth) InitialBytes() ([]byte, error) {

  93. 	domain_len := len(auth.Domain)

  94. 	workstation_len := len(auth.Workstation)

  95. 	msg := make([]byte, 40+domain_len+workstation_len)

  96. 	copy(msg, []byte("NTLMSSP\x00"))

  97. 	binary.LittleEndian.PutUint32(msg[8:], _NEGOTIATE_MESSAGE)

  98. 	binary.LittleEndian.PutUint32(msg[12:], _NEGOTIATE_FLAGS)

  99. 	// Domain Name Fields

  100. 	binary.LittleEndian.PutUint16(msg[16:], uint16(domain_len))

  101. 	binary.LittleEndian.PutUint16(msg[18:], uint16(domain_len))

  102. 	binary.LittleEndian.PutUint32(msg[20:], 40)

  103. 	// Workstation Fields

  104. 	binary.LittleEndian.PutUint16(msg[24:], uint16(workstation_len))

  105. 	binary.LittleEndian.PutUint16(msg[26:], uint16(workstation_len))

  106. 	binary.LittleEndian.PutUint32(msg[28:], uint32(40+domain_len))

  107. 	// Version

  108. 	binary.LittleEndian.PutUint32(msg[32:], 0)

  109. 	binary.LittleEndian.PutUint32(msg[36:], 0)

  110. 	// Payload

  111. 	copy(msg[40:], auth.Domain)

  112. 	copy(msg[40+domain_len:], auth.Workstation)

  113. 	return msg, nil

  114. }

  115. 

  116. var errorNTLM = errors.New("NTLM protocol error")

  117. 

  118. func createDesKey(bytes, material []byte) {

  119. 	material[0] = bytes[0]

  120. 	material[1] = (byte)(bytes[0]<<7 | (bytes[1]&0xff)>>1)

  121. 	material[2] = (byte)(bytes[1]<<6 | (bytes[2]&0xff)>>2)

  122. 	material[3] = (byte)(bytes[2]<<5 | (bytes[3]&0xff)>>3)

  123. 	material[4] = (byte)(bytes[3]<<4 | (bytes[4]&0xff)>>4)

  124. 	material[5] = (byte)(bytes[4]<<3 | (bytes[5]&0xff)>>5)

  125. 	material[6] = (byte)(bytes[5]<<2 | (bytes[6]&0xff)>>6)

  126. 	material[7] = (byte)(bytes[6] << 1)

  127. }

  128. 

  129. func oddParity(bytes []byte) {

  130. 	for i := 0; i < len(bytes); i++ {

  131. 		b := bytes[i]

  132. 		needsParity := (((b >> 7) ^ (b >> 6) ^ (b >> 5) ^ (b >> 4) ^ (b >> 3) ^ (b >> 2) ^ (b >> 1)) & 0x01) == 0

  133. 		if needsParity {

  134. 			bytes[i] = bytes[i] | byte(0x01)

  135. 		} else {

  136. 			bytes[i] = bytes[i] & byte(0xfe)

  137. 		}

  138. 	}

  139. }

  140. 

  141. func encryptDes(key []byte, cleartext []byte, ciphertext []byte) {

  142. 	var desKey [8]byte

  143. 	createDesKey(key, desKey[:])

  144. 	cipher, err := des.NewCipher(desKey[:])

  145. 	if err != nil {

  146. 		panic(err)

  147. 	}

  148. 	cipher.Encrypt(ciphertext, cleartext)

  149. }

  150. 

  151. func response(challenge [8]byte, hash [21]byte) (ret [24]byte) {

  152. 	encryptDes(hash[:7], challenge[:], ret[:8])

  153. 	encryptDes(hash[7:14], challenge[:], ret[8:16])

  154. 	encryptDes(hash[14:], challenge[:], ret[16:])

  155. 	return

  156. }

  157. 

  158. func lmHash(password string) (hash [21]byte) {

  159. 	var lmpass [14]byte

  160. 	copy(lmpass[:14], []byte(strings.ToUpper(password)))

  161. 	magic := []byte("KGS!@#$%")

  162. 	encryptDes(lmpass[:7], magic, hash[:8])

  163. 	encryptDes(lmpass[7:], magic, hash[8:])

  164. 	return

  165. }

  166. 

  167. func lmResponse(challenge [8]byte, password string) [24]byte {

  168. 	hash := lmHash(password)

  169. 	return response(challenge, hash)

  170. }

  171. 

  172. func ntlmHash(password string) (hash [21]byte) {

  173. 	h := md4.New()

  174. 	h.Write(utf16le(password))

  175. 	h.Sum(hash[:0])

  176. 	return

  177. }

  178. 

  179. func ntResponse(challenge [8]byte, password string) [24]byte {

  180. 	hash := ntlmHash(password)

  181. 	return response(challenge, hash)

  182. }

  183. 

  184. func clientChallenge() (nonce [8]byte) {

  185. 	_, err := rand.Read(nonce[:])

  186. 	if err != nil {

  187. 		panic(err)

  188. 	}

  189. 	return

  190. }

  191. 

  192. func ntlmSessionResponse(clientNonce [8]byte, serverChallenge [8]byte, password string) [24]byte {

  193. 	var sessionHash [16]byte

  194. 	h := md5.New()

  195. 	h.Write(serverChallenge[:])

  196. 	h.Write(clientNonce[:])

  197. 	h.Sum(sessionHash[:0])

  198. 	var hash [8]byte

  199. 	copy(hash[:], sessionHash[:8])

  200. 	passwordHash := ntlmHash(password)

  201. 	return response(hash, passwordHash)

  202. }

  203. 

  204. func ntlmHashNoPadding(val string) []byte {

  205. 	hash := make([]byte, 16)

  206. 	h := md4.New()

  207. 	h.Write(utf16le(val))

  208. 	h.Sum(hash[:0])

  209. 

  210. 	return hash

  211. }

  212. 

  213. func hmacMD5(passwordHash, data []byte) []byte {

  214. 	hmacEntity := hmac.New(md5.New, passwordHash)

  215. 	hmacEntity.Write(data)

  216. 

  217. 	return hmacEntity.Sum(nil)

  218. }

  219. 

  220. func getNTLMv2AndLMv2ResponsePayloads(userDomain, username, password string, challenge, nonce [8]byte, targetInfoFields []byte, timestamp time.Time) (ntlmV2Payload, lmV2Payload []byte) {

  221. 	// NTLMv2 response payload: http://davenport.sourceforge.net/ntlm.html#theNtlmv2Response

  222. 

  223. 	ntlmHash := ntlmHashNoPadding(password)

  224. 	usernameAndTargetBytes := utf16le(strings.ToUpper(username) + userDomain)

  225. 	ntlmV2Hash := hmacMD5(ntlmHash, usernameAndTargetBytes)

  226. 	targetInfoLength := len(targetInfoFields)

  227. 	blob := make([]byte, 32+targetInfoLength)

  228. 	binary.BigEndian.PutUint32(blob[:4], 0x01010000)

  229. 	binary.BigEndian.PutUint32(blob[4:8], 0x00000000)

  230. 	binary.BigEndian.PutUint64(blob[8:16], uint64(timestamp.UnixNano()))

  231. 	copy(blob[16:24], nonce[:])

  232. 	binary.BigEndian.PutUint32(blob[24:28], 0x00000000)

  233. 	copy(blob[28:], targetInfoFields)

  234. 	binary.BigEndian.PutUint32(blob[28+targetInfoLength:], 0x00000000)

  235. 	challengeLength := len(challenge)

  236. 	blobLength := len(blob)

  237. 	challengeAndBlob := make([]byte, challengeLength+blobLength)

  238. 	copy(challengeAndBlob[:challengeLength], challenge[:])

  239. 	copy(challengeAndBlob[challengeLength:], blob)

  240. 	hashedChallenge := hmacMD5(ntlmV2Hash, challengeAndBlob)

  241. 	ntlmV2Payload = append(hashedChallenge, blob...)

  242. 

  243. 	// LMv2 response payload: http://davenport.sourceforge.net/ntlm.html#theLmv2Response

  244. 	ntlmV2hash := hmacMD5(ntlmHash, usernameAndTargetBytes)

  245. 	challengeAndNonce := make([]byte, 16)

  246. 	copy(challengeAndNonce[:8], challenge[:])

  247. 	copy(challengeAndNonce[8:], nonce[:])

  248. 	hashedChallenge = hmacMD5(ntlmV2hash, challengeAndNonce)

  249. 	lmV2Payload = append(hashedChallenge, nonce[:]...)

  250. 

  251. 	return

  252. }

  253. 

  254. func negotiateExtendedSessionSecurity(flags uint32, message []byte, challenge [8]byte, username, password, userDom string) (lm, nt []byte, err error) {

  255. 	nonce := clientChallenge()

  256. 

  257. 	// Official specification: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4

  258. 	// Unofficial walk through referenced by https://www.freetds.org/userguide/domains.htm: http://davenport.sourceforge.net/ntlm.html

  259. 	if (flags & _NEGOTIATE_TARGET_INFO) != 0 {

  260. 		targetInfoFields, err := getNTLMv2TargetInfoFields(message)

  261. 		if err != nil {

  262. 			return lm, nt, err

  263. 		}

  264. 

  265. 		nt, lm = getNTLMv2AndLMv2ResponsePayloads(userDom, username, password, challenge, nonce, targetInfoFields, time.Now())

  266. 

  267. 		return lm, nt, nil

  268. 	}

  269. 

  270. 	var lm_bytes [24]byte

  271. 	copy(lm_bytes[:8], nonce[:])

  272. 	lm = lm_bytes[:]

  273. 	nt_bytes := ntlmSessionResponse(nonce, challenge, password)

  274. 	nt = nt_bytes[:]

  275. 

  276. 	return lm, nt, nil

  277. }

  278. 

  279. func getNTLMv2TargetInfoFields(type2Message []byte) (info []byte, err error) {

  280. 	type2MessageError := "mssql: while parsing NTLMv2 type 2 message, length %d too small for offset %d"

  281. 	type2MessageLength := len(type2Message)

  282. 	if type2MessageLength < 20 {

  283. 		return nil, fmt.Errorf(type2MessageError, type2MessageLength, 20)

  284. 	}

  285. 

  286. 	targetNameAllocated := binary.LittleEndian.Uint16(type2Message[14:16])

  287. 	targetNameOffset := binary.LittleEndian.Uint32(type2Message[16:20])

  288. 	endOfOffset := int(targetNameOffset + uint32(targetNameAllocated))

  289. 	if type2MessageLength < endOfOffset {

  290. 		return nil, fmt.Errorf(type2MessageError, type2MessageLength, endOfOffset)

  291. 	}

  292. 

  293. 	targetInformationAllocated := binary.LittleEndian.Uint16(type2Message[42:44])

  294. 	targetInformationDataOffset := binary.LittleEndian.Uint32(type2Message[44:48])

  295. 	endOfOffset = int(targetInformationDataOffset + uint32(targetInformationAllocated))

  296. 	if type2MessageLength < endOfOffset {

  297. 		return nil, fmt.Errorf(type2MessageError, type2MessageLength, endOfOffset)

  298. 	}

  299. 

  300. 	targetInformationBytes := make([]byte, targetInformationAllocated)

  301. 	copy(targetInformationBytes, type2Message[targetInformationDataOffset:targetInformationDataOffset+uint32(targetInformationAllocated)])

  302. 

  303. 	return targetInformationBytes, nil

  304. }

  305. 

  306. func buildNTLMResponsePayload(lm, nt []byte, flags uint32, domain, workstation, username string) ([]byte, error) {

  307. 	lm_len := len(lm)

  308. 	nt_len := len(nt)

  309. 	domain16 := utf16le(domain)

  310. 	domain_len := len(domain16)

  311. 	user16 := utf16le(username)

  312. 	user_len := len(user16)

  313. 	workstation16 := utf16le(workstation)

  314. 	workstation_len := len(workstation16)

  315. 	msg := make([]byte, 88+lm_len+nt_len+domain_len+user_len+workstation_len)

  316. 	copy(msg, []byte("NTLMSSP\x00"))

  317. 	binary.LittleEndian.PutUint32(msg[8:], _AUTHENTICATE_MESSAGE)

  318. 

  319. 	// Lm Challenge Response Fields

  320. 	binary.LittleEndian.PutUint16(msg[12:], uint16(lm_len))

  321. 	binary.LittleEndian.PutUint16(msg[14:], uint16(lm_len))

  322. 	binary.LittleEndian.PutUint32(msg[16:], 88)

  323. 

  324. 	// Nt Challenge Response Fields

  325. 	binary.LittleEndian.PutUint16(msg[20:], uint16(nt_len))

  326. 	binary.LittleEndian.PutUint16(msg[22:], uint16(nt_len))

  327. 	binary.LittleEndian.PutUint32(msg[24:], uint32(88+lm_len))

  328. 

  329. 	// Domain Name Fields

  330. 	binary.LittleEndian.PutUint16(msg[28:], uint16(domain_len))

  331. 	binary.LittleEndian.PutUint16(msg[30:], uint16(domain_len))

  332. 	binary.LittleEndian.PutUint32(msg[32:], uint32(88+lm_len+nt_len))

  333. 

  334. 	// User Name Fields

  335. 	binary.LittleEndian.PutUint16(msg[36:], uint16(user_len))

  336. 	binary.LittleEndian.PutUint16(msg[38:], uint16(user_len))

  337. 	binary.LittleEndian.PutUint32(msg[40:], uint32(88+lm_len+nt_len+domain_len))

  338. 

  339. 	// Workstation Fields

  340. 	binary.LittleEndian.PutUint16(msg[44:], uint16(workstation_len))

  341. 	binary.LittleEndian.PutUint16(msg[46:], uint16(workstation_len))

  342. 	binary.LittleEndian.PutUint32(msg[48:], uint32(88+lm_len+nt_len+domain_len+user_len))

  343. 

  344. 	// Encrypted Random Session Key Fields

  345. 	binary.LittleEndian.PutUint16(msg[52:], 0)

  346. 	binary.LittleEndian.PutUint16(msg[54:], 0)

  347. 	binary.LittleEndian.PutUint32(msg[56:], uint32(88+lm_len+nt_len+domain_len+user_len+workstation_len))

  348. 

  349. 	// Negotiate Flags

  350. 	binary.LittleEndian.PutUint32(msg[60:], flags)

  351. 

  352. 	// Version

  353. 	binary.LittleEndian.PutUint32(msg[64:], 0)

  354. 	binary.LittleEndian.PutUint32(msg[68:], 0)

  355. 

  356. 	// MIC

  357. 	binary.LittleEndian.PutUint32(msg[72:], 0)

  358. 	binary.LittleEndian.PutUint32(msg[76:], 0)

  359. 	binary.LittleEndian.PutUint32(msg[88:], 0)

  360. 	binary.LittleEndian.PutUint32(msg[84:], 0)

  361. 

  362. 	// Payload

  363. 	copy(msg[88:], lm)

  364. 	copy(msg[88+lm_len:], nt)

  365. 	copy(msg[88+lm_len+nt_len:], domain16)

  366. 	copy(msg[88+lm_len+nt_len+domain_len:], user16)

  367. 	copy(msg[88+lm_len+nt_len+domain_len+user_len:], workstation16)

  368. 

  369. 	return msg, nil

  370. }

  371. 

  372. func (auth *ntlmAuth) NextBytes(bytes []byte) ([]byte, error) {

  373. 	signature := string(bytes[0:8])

  374. 	if signature != "NTLMSSP\x00" {

  375. 		return nil, errorNTLM

  376. 	}

  377. 

  378. 	messageTypeIndicator := binary.LittleEndian.Uint32(bytes[8:12])

  379. 	if messageTypeIndicator != _CHALLENGE_MESSAGE {

  380. 		return nil, errorNTLM

  381. 	}

  382. 

  383. 	var challenge [8]byte

  384. 	copy(challenge[:], bytes[24:32])

  385. 	flags := binary.LittleEndian.Uint32(bytes[20:24])

  386. 	if (flags & _NEGOTIATE_EXTENDED_SESSIONSECURITY) != 0 {

  387. 		lm, nt, err := negotiateExtendedSessionSecurity(flags, bytes, challenge, auth.UserName, auth.Password, auth.Domain)

  388. 		if err != nil {

  389. 			return nil, err

  390. 		}

  391. 

  392. 		return buildNTLMResponsePayload(lm, nt, flags, auth.Domain, auth.Workstation, auth.UserName)

  393. 	}

  394. 

  395. 	lm_bytes := lmResponse(challenge, auth.Password)

  396. 	lm := lm_bytes[:]

  397. 	nt_bytes := ntResponse(challenge, auth.Password)

  398. 	nt := nt_bytes[:]

  399. 

  400. 	return buildNTLMResponsePayload(lm, nt, flags, auth.Domain, auth.Workstation, auth.UserName)

  401. }

  402. 

  403. func (auth *ntlmAuth) Free() {

  404. }