search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[HEIMDAL-646] malloc(0) checks for AIX
[heimdal.git] / lib / ntlm / ntlm.c
blob36a04f1ff281933b83f7b0c4e6ea59ec1095f466
1 /*
2 * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <config.h>
35
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <assert.h>
39 #include <string.h>
40 #include <ctype.h>
41 #include <errno.h>
42 #include <limits.h>
43
44 #include <krb5.h>
45 #include <roken.h>
46
47 #define HC_DEPRECATED_CRYPTO
48
49 #include "krb5-types.h"
50 #include "crypto-headers.h"
51
52 #include <heimntlm.h>
53
54 /*! \mainpage Heimdal NTLM library
55 *
56 * \section intro Introduction
57 *
58 * Heimdal libheimntlm library is a implementation of the NTLM
59 * protocol, both version 1 and 2. The GSS-API mech that uses this
60 * library adds support for transport encryption and integrity
61 * checking.
62 *
63 * NTLM is a protocol for mutual authentication, its still used in
64 * many protocol where Kerberos is not support, one example is
65 * EAP/X802.1x mechanism LEAP from Microsoft and Cisco.
66 *
67 * This is a support library for the core protocol, its used in
68 * Heimdal to implement and GSS-API mechanism. There is also support
69 * in the KDC to do remote digest authenticiation, this to allow
70 * services to authenticate users w/o direct access to the users ntlm
71 * hashes (same as Kerberos arcfour enctype keys).
72 *
73 * More information about the NTLM protocol can found here
74 * http://davenport.sourceforge.net/ntlm.html .
75 *
76 * The Heimdal projects web page: http://www.h5l.org/
77 *
78 * @section ntlm_example NTLM Example
79 *
80 * Example to to use @ref test_ntlm.c .
81 *
82 * @example test_ntlm.c
83 *
84 * Example how to use the NTLM primitives.
85 *
86 */
87
88 /** @defgroup ntlm_core Heimdal NTLM library
89 *
90 * The NTLM core functions implement the string2key generation
91 * function, message encode and decode function, and the hash function
92 * functions.
93 */
94
95 struct sec_buffer {
96 uint16_t length;
97 uint16_t allocated;
98 uint32_t offset;
99 };
100
101 static const unsigned char ntlmsigature[8] = "NTLMSSP\x00";
102
103 /*
104 *
105 */
106
107 #define CHECK(f, e) \
108 do { ret = f ; if (ret != (e)) { ret = EINVAL; goto out; } } while(0)
109
110 /**
111 * heim_ntlm_free_buf frees the ntlm buffer
112 *
113 * @param p buffer to be freed
114 *
115 * @ingroup ntlm_core
116 */
117
118 void
119 heim_ntlm_free_buf(struct ntlm_buf *p)
120 {
121 if (p->data)
122 free(p->data);
123 p->data = NULL;
124 p->length = 0;
125 }
126
127
128 static int
129 ascii2ucs2le(const char *string, int up, struct ntlm_buf *buf)
130 {
131 unsigned char *p;
132 size_t len, i;
133
134 len = strlen(string);
135 if (len / 2 > UINT_MAX)
136 return ERANGE;
137
138 buf->length = len * 2;
139 buf->data = malloc(buf->length);
140 if (buf->data == NULL && len != 0) {
141 heim_ntlm_free_buf(buf);
142 return ENOMEM;
143 }
144
145 p = buf->data;
146 for (i = 0; i < len; i++) {
147 unsigned char t = (unsigned char)string[i];
148 if (t & 0x80) {
149 heim_ntlm_free_buf(buf);
150 return EINVAL;
151 }
152 if (up)
153 t = toupper(t);
154 p[(i * 2) + 0] = t;
155 p[(i * 2) + 1] = 0;
156 }
157 return 0;
158 }
159
160 /*
161 *
162 */
163
164 static krb5_error_code
165 ret_sec_buffer(krb5_storage *sp, struct sec_buffer *buf)
166 {
167 krb5_error_code ret;
168 CHECK(krb5_ret_uint16(sp, &buf->length), 0);
169 CHECK(krb5_ret_uint16(sp, &buf->allocated), 0);
170 CHECK(krb5_ret_uint32(sp, &buf->offset), 0);
171 out:
172 return ret;
173 }
174
175 static krb5_error_code
176 store_sec_buffer(krb5_storage *sp, const struct sec_buffer *buf)
177 {
178 krb5_error_code ret;
179 CHECK(krb5_store_uint16(sp, buf->length), 0);
180 CHECK(krb5_store_uint16(sp, buf->allocated), 0);
181 CHECK(krb5_store_uint32(sp, buf->offset), 0);
182 out:
183 return ret;
184 }
185
186 /*
187 * Strings are either OEM or UNICODE. The later is encoded as ucs2 on
188 * wire, but using utf8 in memory.
189 */
190
191 static krb5_error_code
192 len_string(int ucs2, const char *s)
193 {
194 size_t len = strlen(s);
195 if (ucs2)
196 len *= 2;
197 return len;
198 }
199
200 static krb5_error_code
201 ret_string(krb5_storage *sp, int ucs2, struct sec_buffer *desc, char **s)
202 {
203 krb5_error_code ret;
204
205 *s = malloc(desc->length + 1);
206 CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
207 CHECK(krb5_storage_read(sp, *s, desc->length), desc->length);
208 (*s)[desc->length] = '\0';
209
210 if (ucs2) {
211 size_t i;
212 for (i = 0; i < desc->length / 2; i++) {
213 (*s)[i] = (*s)[i * 2];
214 if ((*s)[i * 2 + 1]) {
215 free(*s);
216 *s = NULL;
217 return EINVAL;
218 }
219 }
220 (*s)[i] = '\0';
221 }
222 ret = 0;
223 out:
224 return ret;
225
226 return 0;
227 }
228
229 static krb5_error_code
230 put_string(krb5_storage *sp, int ucs2, const char *s)
231 {
232 krb5_error_code ret;
233 struct ntlm_buf buf;
234
235 if (ucs2) {
236 ret = ascii2ucs2le(s, 0, &buf);
237 if (ret)
238 return ret;
239 } else {
240 buf.data = rk_UNCONST(s);
241 buf.length = strlen(s);
242 }
243
244 CHECK(krb5_storage_write(sp, buf.data, buf.length), buf.length);
245 if (ucs2)
246 heim_ntlm_free_buf(&buf);
247 ret = 0;
248 out:
249 return ret;
250 }
251
252 /*
253 *
254 */
255
256 static krb5_error_code
257 ret_buf(krb5_storage *sp, struct sec_buffer *desc, struct ntlm_buf *buf)
258 {
259 krb5_error_code ret;
260
261 buf->data = malloc(desc->length);
262 buf->length = desc->length;
263 CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
264 CHECK(krb5_storage_read(sp, buf->data, buf->length), buf->length);
265 ret = 0;
266 out:
267 return ret;
268 }
269
270 static krb5_error_code
271 put_buf(krb5_storage *sp, const struct ntlm_buf *buf)
272 {
273 krb5_error_code ret;
274 CHECK(krb5_storage_write(sp, buf->data, buf->length), buf->length);
275 ret = 0;
276 out:
277 return ret;
278 }
279
280 /**
281 * Frees the ntlm_targetinfo message
282 *
283 * @param ti targetinfo to be freed
284 *
285 * @ingroup ntlm_core
286 */
287
288 void
289 heim_ntlm_free_targetinfo(struct ntlm_targetinfo *ti)
290 {
291 free(ti->servername);
292 free(ti->domainname);
293 free(ti->dnsdomainname);
294 free(ti->dnsservername);
295 memset(ti, 0, sizeof(*ti));
296 }
297
298 static int
299 encode_ti_blob(krb5_storage *out, uint16_t type, int ucs2, char *s)
300 {
301 krb5_error_code ret;
302 CHECK(krb5_store_uint16(out, type), 0);
303 CHECK(krb5_store_uint16(out, len_string(ucs2, s)), 0);
304 CHECK(put_string(out, ucs2, s), 0);
305 out:
306 return ret;
307 }
308
309 /**
310 * Encodes a ntlm_targetinfo message.
311 *
312 * @param ti the ntlm_targetinfo message to encode.
313 * @param ucs2 if the strings should be encoded with ucs2 (selected by flag in message).
314 * @param data is the return buffer with the encoded message, should be
315 * freed with heim_ntlm_free_buf().
316 *
317 * @return In case of success 0 is return, an errors, a errno in what
318 * went wrong.
319 *
320 * @ingroup ntlm_core
321 */
322
323 int
324 heim_ntlm_encode_targetinfo(const struct ntlm_targetinfo *ti,
325 int ucs2,
326 struct ntlm_buf *data)
327 {
328 krb5_error_code ret;
329 krb5_storage *out;
330
331 data->data = NULL;
332 data->length = 0;
333
334 out = krb5_storage_emem();
335 if (out == NULL)
336 return ENOMEM;
337
338 if (ti->servername)
339 CHECK(encode_ti_blob(out, 1, ucs2, ti->servername), 0);
340 if (ti->domainname)
341 CHECK(encode_ti_blob(out, 2, ucs2, ti->domainname), 0);
342 if (ti->dnsservername)
343 CHECK(encode_ti_blob(out, 3, ucs2, ti->dnsservername), 0);
344 if (ti->dnsdomainname)
345 CHECK(encode_ti_blob(out, 4, ucs2, ti->dnsdomainname), 0);
346
347 /* end tag */
348 CHECK(krb5_store_int16(out, 0), 0);
349 CHECK(krb5_store_int16(out, 0), 0);
350
351 {
352 krb5_data d;
353 ret = krb5_storage_to_data(out, &d);
354 data->data = d.data;
355 data->length = d.length;
356 }
357 out:
358 krb5_storage_free(out);
359 return ret;
360 }
361
362 /**
363 * Decodes an NTLM targetinfo message
364 *
365 * @param data input data buffer with the encode NTLM targetinfo message
366 * @param ucs2 if the strings should be encoded with ucs2 (selected by flag in message).
367 * @param ti the decoded target info, should be freed with heim_ntlm_free_targetinfo().
368 *
369 * @return In case of success 0 is return, an errors, a errno in what
370 * went wrong.
371 *
372 * @ingroup ntlm_core
373 */
374
375 int
376 heim_ntlm_decode_targetinfo(const struct ntlm_buf *data,
377 int ucs2,
378 struct ntlm_targetinfo *ti)
379 {
380 memset(ti, 0, sizeof(*ti));
381 return 0;
382 }
383
384 /**
385 * Frees the ntlm_type1 message
386 *
387 * @param data message to be freed
388 *
389 * @ingroup ntlm_core
390 */
391
392 void
393 heim_ntlm_free_type1(struct ntlm_type1 *data)
394 {
395 if (data->domain)
396 free(data->domain);
397 if (data->hostname)
398 free(data->hostname);
399 memset(data, 0, sizeof(*data));
400 }
401
402 int
403 heim_ntlm_decode_type1(const struct ntlm_buf *buf, struct ntlm_type1 *data)
404 {
405 krb5_error_code ret;
406 unsigned char sig[8];
407 uint32_t type;
408 struct sec_buffer domain, hostname;
409 krb5_storage *in;
410
411 memset(data, 0, sizeof(*data));
412
413 in = krb5_storage_from_readonly_mem(buf->data, buf->length);
414 if (in == NULL) {
415 ret = EINVAL;
416 goto out;
417 }
418 krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
419
420 CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
421 CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
422 CHECK(krb5_ret_uint32(in, &type), 0);
423 CHECK(type, 1);
424 CHECK(krb5_ret_uint32(in, &data->flags), 0);
425 if (data->flags & NTLM_SUPPLIED_DOMAIN)
426 CHECK(ret_sec_buffer(in, &domain), 0);
427 if (data->flags & NTLM_SUPPLIED_WORKSTAION)
428 CHECK(ret_sec_buffer(in, &hostname), 0);
429 #if 0
430 if (domain.offset > 32) {
431 CHECK(krb5_ret_uint32(in, &data->os[0]), 0);
432 CHECK(krb5_ret_uint32(in, &data->os[1]), 0);
433 }
434 #endif
435 if (data->flags & NTLM_SUPPLIED_DOMAIN)
436 CHECK(ret_string(in, 0, &domain, &data->domain), 0);
437 if (data->flags & NTLM_SUPPLIED_WORKSTAION)
438 CHECK(ret_string(in, 0, &hostname, &data->hostname), 0);
439
440 out:
441 if (in)
442 krb5_storage_free(in);
443 if (ret)
444 heim_ntlm_free_type1(data);
445
446 return ret;
447 }
448
449 /**
450 * Encodes an ntlm_type1 message.
451 *
452 * @param type1 the ntlm_type1 message to encode.
453 * @param data is the return buffer with the encoded message, should be
454 * freed with heim_ntlm_free_buf().
455 *
456 * @return In case of success 0 is return, an errors, a errno in what
457 * went wrong.
458 *
459 * @ingroup ntlm_core
460 */
461
462 int
463 heim_ntlm_encode_type1(const struct ntlm_type1 *type1, struct ntlm_buf *data)
464 {
465 krb5_error_code ret;
466 struct sec_buffer domain, hostname;
467 krb5_storage *out;
468 uint32_t base, flags;
469
470 flags = type1->flags;
471 base = 16;
472
473 if (type1->domain) {
474 base += 8;
475 flags |= NTLM_SUPPLIED_DOMAIN;
476 }
477 if (type1->hostname) {
478 base += 8;
479 flags |= NTLM_SUPPLIED_WORKSTAION;
480 }
481 if (type1->os[0])
482 base += 8;
483
484 if (type1->domain) {
485 domain.offset = base;
486 domain.length = len_string(0, type1->domain);
487 domain.allocated = domain.length;
488 }
489 if (type1->hostname) {
490 hostname.offset = domain.allocated + domain.offset;
491 hostname.length = len_string(0, type1->hostname);
492 hostname.allocated = hostname.length;
493 }
494
495 out = krb5_storage_emem();
496 if (out == NULL)
497 return ENOMEM;
498
499 krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
500 CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
501 sizeof(ntlmsigature));
502 CHECK(krb5_store_uint32(out, 1), 0);
503 CHECK(krb5_store_uint32(out, flags), 0);
504
505 if (type1->domain)
506 CHECK(store_sec_buffer(out, &domain), 0);
507 if (type1->hostname)
508 CHECK(store_sec_buffer(out, &hostname), 0);
509 if (type1->os[0]) {
510 CHECK(krb5_store_uint32(out, type1->os[0]), 0);
511 CHECK(krb5_store_uint32(out, type1->os[1]), 0);
512 }
513 if (type1->domain)
514 CHECK(put_string(out, 0, type1->domain), 0);
515 if (type1->hostname)
516 CHECK(put_string(out, 0, type1->hostname), 0);
517
518 {
519 krb5_data d;
520 ret = krb5_storage_to_data(out, &d);
521 data->data = d.data;
522 data->length = d.length;
523 }
524 out:
525 krb5_storage_free(out);
526
527 return ret;
528 }
529
530 /**
531 * Frees the ntlm_type2 message
532 *
533 * @param data message to be freed
534 *
535 * @ingroup ntlm_core
536 */
537
538 void
539 heim_ntlm_free_type2(struct ntlm_type2 *data)
540 {
541 if (data->targetname)
542 free(data->targetname);
543 heim_ntlm_free_buf(&data->targetinfo);
544 memset(data, 0, sizeof(*data));
545 }
546
547 int
548 heim_ntlm_decode_type2(const struct ntlm_buf *buf, struct ntlm_type2 *type2)
549 {
550 krb5_error_code ret;
551 unsigned char sig[8];
552 uint32_t type, ctx[2];
553 struct sec_buffer targetname, targetinfo;
554 krb5_storage *in;
555 int ucs2 = 0;
556
557 memset(type2, 0, sizeof(*type2));
558
559 in = krb5_storage_from_readonly_mem(buf->data, buf->length);
560 if (in == NULL) {
561 ret = EINVAL;
562 goto out;
563 }
564 krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
565
566 CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
567 CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
568 CHECK(krb5_ret_uint32(in, &type), 0);
569 CHECK(type, 2);
570
571 CHECK(ret_sec_buffer(in, &targetname), 0);
572 CHECK(krb5_ret_uint32(in, &type2->flags), 0);
573 if (type2->flags & NTLM_NEG_UNICODE)
574 ucs2 = 1;
575 CHECK(krb5_storage_read(in, type2->challange, sizeof(type2->challange)),
576 sizeof(type2->challange));
577 CHECK(krb5_ret_uint32(in, &ctx[0]), 0); /* context */
578 CHECK(krb5_ret_uint32(in, &ctx[1]), 0);
579 CHECK(ret_sec_buffer(in, &targetinfo), 0);
580 /* os version */
581 #if 0
582 CHECK(krb5_ret_uint32(in, &type2->os[0]), 0);
583 CHECK(krb5_ret_uint32(in, &type2->os[1]), 0);
584 #endif
585
586 CHECK(ret_string(in, ucs2, &targetname, &type2->targetname), 0);
587 CHECK(ret_buf(in, &targetinfo, &type2->targetinfo), 0);
588 ret = 0;
589
590 out:
591 if (in)
592 krb5_storage_free(in);
593 if (ret)
594 heim_ntlm_free_type2(type2);
595
596 return ret;
597 }
598
599 /**
600 * Encodes an ntlm_type2 message.
601 *
602 * @param type2 the ntlm_type2 message to encode.
603 * @param data is the return buffer with the encoded message, should be
604 * freed with heim_ntlm_free_buf().
605 *
606 * @return In case of success 0 is return, an errors, a errno in what
607 * went wrong.
608 *
609 * @ingroup ntlm_core
610 */
611
612 int
613 heim_ntlm_encode_type2(const struct ntlm_type2 *type2, struct ntlm_buf *data)
614 {
615 struct sec_buffer targetname, targetinfo;
616 krb5_error_code ret;
617 krb5_storage *out = NULL;
618 uint32_t base;
619 int ucs2 = 0;
620
621 if (type2->os[0])
622 base = 56;
623 else
624 base = 48;
625
626 if (type2->flags & NTLM_NEG_UNICODE)
627 ucs2 = 1;
628
629 targetname.offset = base;
630 targetname.length = len_string(ucs2, type2->targetname);
631 targetname.allocated = targetname.length;
632
633 targetinfo.offset = targetname.allocated + targetname.offset;
634 targetinfo.length = type2->targetinfo.length;
635 targetinfo.allocated = type2->targetinfo.length;
636
637 out = krb5_storage_emem();
638 if (out == NULL)
639 return ENOMEM;
640
641 krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
642 CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
643 sizeof(ntlmsigature));
644 CHECK(krb5_store_uint32(out, 2), 0);
645 CHECK(store_sec_buffer(out, &targetname), 0);
646 CHECK(krb5_store_uint32(out, type2->flags), 0);
647 CHECK(krb5_storage_write(out, type2->challange, sizeof(type2->challange)),
648 sizeof(type2->challange));
649 CHECK(krb5_store_uint32(out, 0), 0); /* context */
650 CHECK(krb5_store_uint32(out, 0), 0);
651 CHECK(store_sec_buffer(out, &targetinfo), 0);
652 /* os version */
653 if (type2->os[0]) {
654 CHECK(krb5_store_uint32(out, type2->os[0]), 0);
655 CHECK(krb5_store_uint32(out, type2->os[1]), 0);
656 }
657 CHECK(put_string(out, ucs2, type2->targetname), 0);
658 CHECK(krb5_storage_write(out, type2->targetinfo.data,
659 type2->targetinfo.length),
660 type2->targetinfo.length);
661
662 {
663 krb5_data d;
664 ret = krb5_storage_to_data(out, &d);
665 data->data = d.data;
666 data->length = d.length;
667 }
668
669 out:
670 krb5_storage_free(out);
671
672 return ret;
673 }
674
675 /**
676 * Frees the ntlm_type3 message
677 *
678 * @param data message to be freed
679 *
680 * @ingroup ntlm_core
681 */
682
683 void
684 heim_ntlm_free_type3(struct ntlm_type3 *data)
685 {
686 heim_ntlm_free_buf(&data->lm);
687 heim_ntlm_free_buf(&data->ntlm);
688 if (data->targetname)
689 free(data->targetname);
690 if (data->username)
691 free(data->username);
692 if (data->ws)
693 free(data->ws);
694 heim_ntlm_free_buf(&data->sessionkey);
695 memset(data, 0, sizeof(*data));
696 }
697
698 /*
699 *
700 */
701
702 int
703 heim_ntlm_decode_type3(const struct ntlm_buf *buf,
704 int ucs2,
705 struct ntlm_type3 *type3)
706 {
707 krb5_error_code ret;
708 unsigned char sig[8];
709 uint32_t type;
710 krb5_storage *in;
711 struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
712
713 memset(type3, 0, sizeof(*type3));
714 memset(&sessionkey, 0, sizeof(sessionkey));
715
716 in = krb5_storage_from_readonly_mem(buf->data, buf->length);
717 if (in == NULL) {
718 ret = EINVAL;
719 goto out;
720 }
721 krb5_storage_set_byteorder(in, KRB5_STORAGE_BYTEORDER_LE);
722
723 CHECK(krb5_storage_read(in, sig, sizeof(sig)), sizeof(sig));
724 CHECK(memcmp(ntlmsigature, sig, sizeof(ntlmsigature)), 0);
725 CHECK(krb5_ret_uint32(in, &type), 0);
726 CHECK(type, 3);
727 CHECK(ret_sec_buffer(in, &lm), 0);
728 CHECK(ret_sec_buffer(in, &ntlm), 0);
729 CHECK(ret_sec_buffer(in, &target), 0);
730 CHECK(ret_sec_buffer(in, &username), 0);
731 CHECK(ret_sec_buffer(in, &ws), 0);
732 if (lm.offset >= 60) {
733 CHECK(ret_sec_buffer(in, &sessionkey), 0);
734 }
735 if (lm.offset >= 64) {
736 CHECK(krb5_ret_uint32(in, &type3->flags), 0);
737 }
738 if (lm.offset >= 72) {
739 CHECK(krb5_ret_uint32(in, &type3->os[0]), 0);
740 CHECK(krb5_ret_uint32(in, &type3->os[1]), 0);
741 }
742 CHECK(ret_buf(in, &lm, &type3->lm), 0);
743 CHECK(ret_buf(in, &ntlm, &type3->ntlm), 0);
744 CHECK(ret_string(in, ucs2, &target, &type3->targetname), 0);
745 CHECK(ret_string(in, ucs2, &username, &type3->username), 0);
746 CHECK(ret_string(in, ucs2, &ws, &type3->ws), 0);
747 if (sessionkey.offset)
748 CHECK(ret_buf(in, &sessionkey, &type3->sessionkey), 0);
749
750 out:
751 if (in)
752 krb5_storage_free(in);
753 if (ret)
754 heim_ntlm_free_type3(type3);
755
756 return ret;
757 }
758
759 /**
760 * Encodes an ntlm_type3 message.
761 *
762 * @param type3 the ntlm_type3 message to encode.
763 * @param data is the return buffer with the encoded message, should be
764 * freed with heim_ntlm_free_buf().
765 *
766 * @return In case of success 0 is return, an errors, a errno in what
767 * went wrong.
768 *
769 * @ingroup ntlm_core
770 */
771
772 int
773 heim_ntlm_encode_type3(const struct ntlm_type3 *type3, struct ntlm_buf *data)
774 {
775 struct sec_buffer lm, ntlm, target, username, sessionkey, ws;
776 krb5_error_code ret;
777 krb5_storage *out = NULL;
778 uint32_t base;
779 int ucs2 = 0;
780
781 memset(&lm, 0, sizeof(lm));
782 memset(&ntlm, 0, sizeof(ntlm));
783 memset(&target, 0, sizeof(target));
784 memset(&username, 0, sizeof(username));
785 memset(&ws, 0, sizeof(ws));
786 memset(&sessionkey, 0, sizeof(sessionkey));
787
788 base = 52;
789 if (type3->sessionkey.length) {
790 base += 8; /* sessionkey sec buf */
791 base += 4; /* flags */
792 }
793 if (type3->os[0]) {
794 base += 8;
795 }
796
797 if (type3->flags & NTLM_NEG_UNICODE)
798 ucs2 = 1;
799
800 lm.offset = base;
801 lm.length = type3->lm.length;
802 lm.allocated = type3->lm.length;
803
804 ntlm.offset = lm.offset + lm.allocated;
805 ntlm.length = type3->ntlm.length;
806 ntlm.allocated = ntlm.length;
807
808 target.offset = ntlm.offset + ntlm.allocated;
809 target.length = len_string(ucs2, type3->targetname);
810 target.allocated = target.length;
811
812 username.offset = target.offset + target.allocated;
813 username.length = len_string(ucs2, type3->username);
814 username.allocated = username.length;
815
816 ws.offset = username.offset + username.allocated;
817 ws.length = len_string(ucs2, type3->ws);
818 ws.allocated = ws.length;
819
820 sessionkey.offset = ws.offset + ws.allocated;
821 sessionkey.length = type3->sessionkey.length;
822 sessionkey.allocated = type3->sessionkey.length;
823
824 out = krb5_storage_emem();
825 if (out == NULL)
826 return ENOMEM;
827
828 krb5_storage_set_byteorder(out, KRB5_STORAGE_BYTEORDER_LE);
829 CHECK(krb5_storage_write(out, ntlmsigature, sizeof(ntlmsigature)),
830 sizeof(ntlmsigature));
831 CHECK(krb5_store_uint32(out, 3), 0);
832
833 CHECK(store_sec_buffer(out, &lm), 0);
834 CHECK(store_sec_buffer(out, &ntlm), 0);
835 CHECK(store_sec_buffer(out, &target), 0);
836 CHECK(store_sec_buffer(out, &username), 0);
837 CHECK(store_sec_buffer(out, &ws), 0);
838 /* optional */
839 if (type3->sessionkey.length) {
840 CHECK(store_sec_buffer(out, &sessionkey), 0);
841 CHECK(krb5_store_uint32(out, type3->flags), 0);
842 }
843 #if 0
844 CHECK(krb5_store_uint32(out, 0), 0); /* os0 */
845 CHECK(krb5_store_uint32(out, 0), 0); /* os1 */
846 #endif
847
848 CHECK(put_buf(out, &type3->lm), 0);
849 CHECK(put_buf(out, &type3->ntlm), 0);
850 CHECK(put_string(out, ucs2, type3->targetname), 0);
851 CHECK(put_string(out, ucs2, type3->username), 0);
852 CHECK(put_string(out, ucs2, type3->ws), 0);
853 CHECK(put_buf(out, &type3->sessionkey), 0);
854
855 {
856 krb5_data d;
857 ret = krb5_storage_to_data(out, &d);
858 data->data = d.data;
859 data->length = d.length;
860 }
861
862 out:
863 krb5_storage_free(out);
864
865 return ret;
866 }
867
868
869 /*
870 *
871 */
872
873 static void
874 splitandenc(unsigned char *hash,
875 unsigned char *challange,
876 unsigned char *answer)
877 {
878 EVP_CIPHER_CTX ctx;
879 unsigned char key[8];
880
881 key[0] = hash[0];
882 key[1] = (hash[0] << 7) | (hash[1] >> 1);
883 key[2] = (hash[1] << 6) | (hash[2] >> 2);
884 key[3] = (hash[2] << 5) | (hash[3] >> 3);
885 key[4] = (hash[3] << 4) | (hash[4] >> 4);
886 key[5] = (hash[4] << 3) | (hash[5] >> 5);
887 key[6] = (hash[5] << 2) | (hash[6] >> 6);
888 key[7] = (hash[6] << 1);
889
890 EVP_CIPHER_CTX_init(&ctx);
891
892 EVP_CipherInit_ex(&ctx, EVP_des_cbc(), NULL, key, NULL, 1);
893 EVP_Cipher(&ctx, answer, challange, 8);
894 EVP_CIPHER_CTX_cleanup(&ctx);
895 memset(key, 0, sizeof(key));
896 }
897
898 /**
899 * Calculate the NTLM key, the password is assumed to be in UTF8.
900 *
901 * @param password password to calcute the key for.
902 * @param key calcuted key, should be freed with heim_ntlm_free_buf().
903 *
904 * @return In case of success 0 is return, an errors, a errno in what
905 * went wrong.
906 *
907 * @ingroup ntlm_core
908 */
909
910 int
911 heim_ntlm_nt_key(const char *password, struct ntlm_buf *key)
912 {
913 struct ntlm_buf buf;
914 EVP_MD_CTX *m;
915 int ret;
916
917 key->data = malloc(MD5_DIGEST_LENGTH);
918 if (key->data == NULL)
919 return ENOMEM;
920 key->length = MD5_DIGEST_LENGTH;
921
922 ret = ascii2ucs2le(password, 0, &buf);
923 if (ret) {
924 heim_ntlm_free_buf(key);
925 return ret;
926 }
927
928 m = EVP_MD_CTX_create();
929 if (m == NULL) {
930 heim_ntlm_free_buf(key);
931 heim_ntlm_free_buf(&buf);
932 return ENOMEM;
933 }
934
935 EVP_DigestInit_ex(m, EVP_md4(), NULL);
936 EVP_DigestUpdate(m, buf.data, buf.length);
937 EVP_DigestFinal_ex(m, key->data, NULL);
938 EVP_MD_CTX_destroy(m);
939
940 heim_ntlm_free_buf(&buf);
941 return 0;
942 }
943
944 /**
945 * Calculate NTLMv1 response hash
946 *
947 * @param key the ntlm v1 key
948 * @param len length of key
949 * @param challange sent by the server
950 * @param answer calculated answer, should be freed with heim_ntlm_free_buf().
951 *
952 * @return In case of success 0 is return, an errors, a errno in what
953 * went wrong.
954 *
955 * @ingroup ntlm_core
956 */
957
958 int
959 heim_ntlm_calculate_ntlm1(void *key, size_t len,
960 unsigned char challange[8],
961 struct ntlm_buf *answer)
962 {
963 unsigned char res[21];
964
965 if (len != MD4_DIGEST_LENGTH)
966 return EINVAL;
967
968 memcpy(res, key, len);
969 memset(&res[MD4_DIGEST_LENGTH], 0, sizeof(res) - MD4_DIGEST_LENGTH);
970
971 answer->data = malloc(24);
972 if (answer->data == NULL)
973 return ENOMEM;
974 answer->length = 24;
975
976 splitandenc(&res[0], challange, ((unsigned char *)answer->data) + 0);
977 splitandenc(&res[7], challange, ((unsigned char *)answer->data) + 8);
978 splitandenc(&res[14], challange, ((unsigned char *)answer->data) + 16);
979
980 return 0;
981 }
982
983 /**
984 * Generates an NTLMv1 session random with assosited session master key.
985 *
986 * @param key the ntlm v1 key
987 * @param len length of key
988 * @param session generated session nonce, should be freed with heim_ntlm_free_buf().
989 * @param master calculated session master key, should be freed with heim_ntlm_free_buf().
990 *
991 * @return In case of success 0 is return, an errors, a errno in what
992 * went wrong.
993 *
994 * @ingroup ntlm_core
995 */
996
997 int
998 heim_ntlm_build_ntlm1_master(void *key, size_t len,
999 struct ntlm_buf *session,
1000 struct ntlm_buf *master)
1001 {
1002 EVP_CIPHER_CTX c;
1003
1004 memset(master, 0, sizeof(*master));
1005 memset(session, 0, sizeof(*session));
1006
1007 if (len != MD4_DIGEST_LENGTH)
1008 return EINVAL;
1009
1010 session->length = MD4_DIGEST_LENGTH;
1011 session->data = malloc(session->length);
1012 if (session->data == NULL) {
1013 session->length = 0;
1014 return EINVAL;
1015 }
1016 master->length = MD4_DIGEST_LENGTH;
1017 master->data = malloc(master->length);
1018 if (master->data == NULL) {
1019 heim_ntlm_free_buf(master);
1020 heim_ntlm_free_buf(session);
1021 return EINVAL;
1022 }
1023
1024 EVP_CIPHER_CTX_init(&c);
1025
1026 {
1027 unsigned char sessionkey[MD4_DIGEST_LENGTH];
1028 EVP_MD_CTX *m;
1029
1030 m = EVP_MD_CTX_create();
1031 if (m == NULL) {
1032 EVP_CIPHER_CTX_cleanup(&c);
1033 heim_ntlm_free_buf(master);
1034 heim_ntlm_free_buf(session);
1035 return ENOMEM;
1036 }
1037
1038 EVP_DigestInit_ex(m, EVP_md4(), NULL);
1039 EVP_DigestUpdate(m, key, len);
1040 EVP_DigestFinal_ex(m, sessionkey, NULL);
1041 EVP_MD_CTX_destroy(m);
1042
1043 if (EVP_CipherInit_ex(&c, EVP_rc4(), NULL, sessionkey, NULL, 1) != 1) {
1044 EVP_CIPHER_CTX_cleanup(&c);
1045 heim_ntlm_free_buf(master);
1046 heim_ntlm_free_buf(session);
1047 return EINVAL;
1048 }
1049 }
1050
1051 if (RAND_bytes(session->data, session->length) != 1) {
1052 EVP_CIPHER_CTX_cleanup(&c);
1053 heim_ntlm_free_buf(master);
1054 heim_ntlm_free_buf(session);
1055 return EINVAL;
1056 }
1057
1058 EVP_Cipher(&c, master->data, session->data, master->length);
1059 EVP_CIPHER_CTX_cleanup(&c);
1060
1061 return 0;
1062 }
1063
1064 /**
1065 * Generates an NTLMv2 session key.
1066 *
1067 * @param key the ntlm key
1068 * @param len length of key
1069 * @param username name of the user, as sent in the message, assumed to be in UTF8.
1070 * @param target the name of the target, assumed to be in UTF8.
1071 * @param ntlmv2 the ntlmv2 session key
1072 *
1073 * @return 0 on success, or an error code on failure.
1074 *
1075 * @ingroup ntlm_core
1076 */
1077
1078 int
1079 heim_ntlm_ntlmv2_key(const void *key, size_t len,
1080 const char *username,
1081 const char *target,
1082 unsigned char ntlmv2[16])
1083 {
1084 int ret;
1085 unsigned int hmaclen;
1086 HMAC_CTX c;
1087
1088 HMAC_CTX_init(&c);
1089 HMAC_Init_ex(&c, key, len, EVP_md5(), NULL);
1090 {
1091 struct ntlm_buf buf;
1092 /* uppercase username and turn it into ucs2-le */
1093 ret = ascii2ucs2le(username, 1, &buf);
1094 if (ret)
1095 goto out;
1096 HMAC_Update(&c, buf.data, buf.length);
1097 free(buf.data);
1098 /* uppercase target and turn into ucs2-le */
1099 ret = ascii2ucs2le(target, 1, &buf);
1100 if (ret)
1101 goto out;
1102 HMAC_Update(&c, buf.data, buf.length);
1103 free(buf.data);
1104 }
1105 HMAC_Final(&c, ntlmv2, &hmaclen);
1106 out:
1107 HMAC_CTX_cleanup(&c);
1108
1109 return ret;
1110 }
1111
1112 /*
1113 *
1114 */
1115
1116 #define NTTIME_EPOCH 0x019DB1DED53E8000LL
1117
1118 static uint64_t
1119 unix2nttime(time_t unix_time)
1120 {
1121 long long wt;
1122 wt = unix_time * (uint64_t)10000000 + (uint64_t)NTTIME_EPOCH;
1123 return wt;
1124 }
1125
1126 static time_t
1127 nt2unixtime(uint64_t t)
1128 {
1129 t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000);
1130 if (t > (((time_t)(~(uint64_t)0)) >> 1))
1131 return 0;
1132 return (time_t)t;
1133 }
1134
1135
1136 /**
1137 * Calculate NTLMv2 response
1138 *
1139 * @param key the ntlm key
1140 * @param len length of key
1141 * @param username name of the user, as sent in the message, assumed to be in UTF8.
1142 * @param target the name of the target, assumed to be in UTF8.
1143 * @param serverchallange challange as sent by the server in the type2 message.
1144 * @param infotarget infotarget as sent by the server in the type2 message.
1145 * @param ntlmv2 calculated session key
1146 * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
1147 *
1148 * @return In case of success 0 is return, an errors, a errno in what
1149 * went wrong.
1150 *
1151 * @ingroup ntlm_core
1152 */
1153
1154 int
1155 heim_ntlm_calculate_ntlm2(const void *key, size_t len,
1156 const char *username,
1157 const char *target,
1158 const unsigned char serverchallange[8],
1159 const struct ntlm_buf *infotarget,
1160 unsigned char ntlmv2[16],
1161 struct ntlm_buf *answer)
1162 {
1163 krb5_error_code ret;
1164 krb5_data data;
1165 unsigned int hmaclen;
1166 unsigned char ntlmv2answer[16];
1167 krb5_storage *sp;
1168 unsigned char clientchallange[8];
1169 HMAC_CTX c;
1170 uint64_t t;
1171
1172 t = unix2nttime(time(NULL));
1173
1174 if (RAND_bytes(clientchallange, sizeof(clientchallange)) != 1)
1175 return EINVAL;
1176
1177 /* calculate ntlmv2 key */
1178
1179 heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
1180
1181 /* calculate and build ntlmv2 answer */
1182
1183 sp = krb5_storage_emem();
1184 if (sp == NULL)
1185 return ENOMEM;
1186 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
1187
1188 CHECK(krb5_store_uint32(sp, 0x00000101), 0);
1189 CHECK(krb5_store_uint32(sp, 0), 0);
1190 /* timestamp le 64 bit ts */
1191 CHECK(krb5_store_uint32(sp, t & 0xffffffff), 0);
1192 CHECK(krb5_store_uint32(sp, t >> 32), 0);
1193
1194 CHECK(krb5_storage_write(sp, clientchallange, 8), 8);
1195
1196 CHECK(krb5_store_uint32(sp, 0), 0); /* unknown but zero will work */
1197 CHECK(krb5_storage_write(sp, infotarget->data, infotarget->length),
1198 infotarget->length);
1199 CHECK(krb5_store_uint32(sp, 0), 0); /* unknown but zero will work */
1200
1201 CHECK(krb5_storage_to_data(sp, &data), 0);
1202 krb5_storage_free(sp);
1203 sp = NULL;
1204
1205 HMAC_CTX_init(&c);
1206 HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
1207 HMAC_Update(&c, serverchallange, 8);
1208 HMAC_Update(&c, data.data, data.length);
1209 HMAC_Final(&c, ntlmv2answer, &hmaclen);
1210 HMAC_CTX_cleanup(&c);
1211
1212 sp = krb5_storage_emem();
1213 if (sp == NULL) {
1214 krb5_data_free(&data);
1215 return ENOMEM;
1216 }
1217
1218 CHECK(krb5_storage_write(sp, ntlmv2answer, 16), 16);
1219 CHECK(krb5_storage_write(sp, data.data, data.length), data.length);
1220 krb5_data_free(&data);
1221
1222 CHECK(krb5_storage_to_data(sp, &data), 0);
1223 krb5_storage_free(sp);
1224 sp = NULL;
1225
1226 answer->data = data.data;
1227 answer->length = data.length;
1228
1229 return 0;
1230 out:
1231 if (sp)
1232 krb5_storage_free(sp);
1233 return ret;
1234 }
1235
1236 static const int authtimediff = 3600 * 2; /* 2 hours */
1237
1238 /**
1239 * Verify NTLMv2 response.
1240 *
1241 * @param key the ntlm key
1242 * @param len length of key
1243 * @param username name of the user, as sent in the message, assumed to be in UTF8.
1244 * @param target the name of the target, assumed to be in UTF8.
1245 * @param now the time now (0 if the library should pick it up itself)
1246 * @param serverchallange challange as sent by the server in the type2 message.
1247 * @param answer ntlm response answer, should be freed with heim_ntlm_free_buf().
1248 * @param infotarget infotarget as sent by the server in the type2 message.
1249 * @param ntlmv2 calculated session key
1250 *
1251 * @return In case of success 0 is return, an errors, a errno in what
1252 * went wrong.
1253 *
1254 * @ingroup ntlm_core
1255 */
1256
1257 int
1258 heim_ntlm_verify_ntlm2(const void *key, size_t len,
1259 const char *username,
1260 const char *target,
1261 time_t now,
1262 const unsigned char serverchallange[8],
1263 const struct ntlm_buf *answer,
1264 struct ntlm_buf *infotarget,
1265 unsigned char ntlmv2[16])
1266 {
1267 krb5_error_code ret;
1268 unsigned int hmaclen;
1269 unsigned char clientanswer[16];
1270 unsigned char clientnonce[8];
1271 unsigned char serveranswer[16];
1272 krb5_storage *sp;
1273 HMAC_CTX c;
1274 uint64_t t;
1275 time_t authtime;
1276 uint32_t temp;
1277
1278 infotarget->length = 0;
1279 infotarget->data = NULL;
1280
1281 if (answer->length < 16)
1282 return EINVAL;
1283
1284 if (now == 0)
1285 now = time(NULL);
1286
1287 /* calculate ntlmv2 key */
1288
1289 heim_ntlm_ntlmv2_key(key, len, username, target, ntlmv2);
1290
1291 /* calculate and build ntlmv2 answer */
1292
1293 sp = krb5_storage_from_readonly_mem(answer->data, answer->length);
1294 if (sp == NULL)
1295 return ENOMEM;
1296 krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
1297
1298 CHECK(krb5_storage_read(sp, clientanswer, 16), 16);
1299
1300 CHECK(krb5_ret_uint32(sp, &temp), 0);
1301 CHECK(temp, 0x00000101);
1302 CHECK(krb5_ret_uint32(sp, &temp), 0);
1303 CHECK(temp, 0);
1304 /* timestamp le 64 bit ts */
1305 CHECK(krb5_ret_uint32(sp, &temp), 0);
1306 t = temp;
1307 CHECK(krb5_ret_uint32(sp, &temp), 0);
1308 t |= ((uint64_t)temp)<< 32;
1309
1310 authtime = nt2unixtime(t);
1311
1312 if (abs((int)(authtime - now)) > authtimediff) {
1313 ret = EINVAL;
1314 goto out;
1315 }
1316
1317 /* client challange */
1318 CHECK(krb5_storage_read(sp, clientnonce, 8), 8);
1319
1320 CHECK(krb5_ret_uint32(sp, &temp), 0); /* unknown */
1321
1322 /* should really unparse the infotarget, but lets pick up everything */
1323 infotarget->length = answer->length - krb5_storage_seek(sp, 0, SEEK_CUR);
1324 infotarget->data = malloc(infotarget->length);
1325 if (infotarget->data == NULL) {
1326 ret = ENOMEM;
1327 goto out;
1328 }
1329 CHECK(krb5_storage_read(sp, infotarget->data, infotarget->length),
1330 infotarget->length);
1331 /* XXX remove the unknown ?? */
1332 krb5_storage_free(sp);
1333 sp = NULL;
1334
1335 HMAC_CTX_init(&c);
1336 HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
1337 HMAC_Update(&c, serverchallange, 8);
1338 HMAC_Update(&c, ((unsigned char *)answer->data) + 16, answer->length - 16);
1339 HMAC_Final(&c, serveranswer, &hmaclen);
1340 HMAC_CTX_cleanup(&c);
1341
1342 if (memcmp(serveranswer, clientanswer, 16) != 0) {
1343 heim_ntlm_free_buf(infotarget);
1344 return EINVAL;
1345 }
1346
1347 return 0;
1348 out:
1349 heim_ntlm_free_buf(infotarget);
1350 if (sp)
1351 krb5_storage_free(sp);
1352 return ret;
1353 }
1354
1355
1356 /*
1357 * Calculate the NTLM2 Session Response
1358 *
1359 * @param clnt_nonce client nonce
1360 * @param svr_chal server challage
1361 * @param ntlm2_hash ntlm hash
1362 * @param lm The LM response, should be freed with heim_ntlm_free_buf().
1363 * @param ntlm The NTLM response, should be freed with heim_ntlm_free_buf().
1364 *
1365 * @return In case of success 0 is return, an errors, a errno in what
1366 * went wrong.
1367 *
1368 * @ingroup ntlm_core
1369 */
1370
1371 int
1372 heim_ntlm_calculate_ntlm2_sess(const unsigned char clnt_nonce[8],
1373 const unsigned char svr_chal[8],
1374 const unsigned char ntlm_hash[16],
1375 struct ntlm_buf *lm,
1376 struct ntlm_buf *ntlm)
1377 {
1378 unsigned char ntlm2_sess_hash[MD5_DIGEST_LENGTH];
1379 unsigned char res[21], *resp;
1380 EVP_MD_CTX *m;
1381
1382 m = EVP_MD_CTX_create();
1383 if (m == NULL)
1384 return ENOMEM;
1385
1386 lm->data = malloc(24);
1387 if (lm->data == NULL) {
1388 EVP_MD_CTX_destroy(m);
1389 return ENOMEM;
1390 }
1391 lm->length = 24;
1392
1393 ntlm->data = malloc(24);
1394 if (ntlm->data == NULL) {
1395 EVP_MD_CTX_destroy(m);
1396 free(lm->data);
1397 lm->data = NULL;
1398 return ENOMEM;
1399 }
1400 ntlm->length = 24;
1401
1402 /* first setup the lm resp */
1403 memset(lm->data, 0, 24);
1404 memcpy(lm->data, clnt_nonce, 8);
1405
1406 EVP_DigestInit_ex(m, EVP_md5(), NULL);
1407 EVP_DigestUpdate(m, svr_chal, 8); /* session nonce part 1 */
1408 EVP_DigestUpdate(m, clnt_nonce, 8); /* session nonce part 2 */
1409 EVP_DigestFinal_ex(m, ntlm2_sess_hash, NULL); /* will only use first 8 bytes */
1410 EVP_MD_CTX_destroy(m);
1411
1412 memset(res, 0, sizeof(res));
1413 memcpy(res, ntlm_hash, 16);
1414
1415 resp = ntlm->data;
1416 splitandenc(&res[0], ntlm2_sess_hash, resp + 0);
1417 splitandenc(&res[7], ntlm2_sess_hash, resp + 8);
1418 splitandenc(&res[14], ntlm2_sess_hash, resp + 16);
1419
1420 return 0;
1421 }
Heimdal