blob: d1163babaf7bcd4c2c1739d372c2a50b2dd76a17 [file] [log] [blame]
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_NTLM_NTLM_CONSTANTS_H_
#define NET_NTLM_NTLM_CONSTANTS_H_
#include <stddef.h>
#include <stdint.h>
#include <vector>
#include "base/cxx17_backports.h"
#include "net/base/net_export.h"
namespace net {
namespace ntlm {
// A security buffer is a structure within an NTLM message that indicates
// the offset from the beginning of the message and the length of a payload
// that occurs later in the message. Within the raw message there is also
// an additional field, however the field is always written with the same
// value as length, and readers must always ignore it.
struct SecurityBuffer {
SecurityBuffer(uint32_t offset, uint16_t length)
: offset(offset), length(length) {}
SecurityBuffer() : SecurityBuffer(0, 0) {}
uint32_t offset;
uint16_t length;
};
struct NtlmFeatures {
explicit NtlmFeatures(bool enable_NTLMv2) : enable_NTLMv2(enable_NTLMv2) {}
// Whether the use NTLMv2.
bool enable_NTLMv2 = true;
// Enables Message Integrity Check (MIC). This flag is ignored if
// enable_NTLMv2 is false.
bool enable_MIC = true;
// Enables Extended Protection for Authentication (EPA). This flag is
// ignored if enable_NTLMv2 is false.
bool enable_EPA = true;
};
// There are 3 types of messages in NTLM. The message type is a field in
// every NTLM message header. See [MS-NLMP] Section 2.2.
enum class MessageType : uint32_t {
kNegotiate = 0x01,
kChallenge = 0x02,
kAuthenticate = 0x03,
};
// Defined in [MS-NLMP] Section 2.2.2.5
// Only the used subset is defined.
enum class NegotiateFlags : uint32_t {
kNone = 0,
kUnicode = 0x01,
kOem = 0x02,
kRequestTarget = 0x04,
kNtlm = 0x200,
kAlwaysSign = 0x8000,
kExtendedSessionSecurity = 0x80000,
kTargetInfo = 0x800000,
};
constexpr NegotiateFlags operator|(NegotiateFlags lhs, NegotiateFlags rhs) {
using TFlagsInt = std::underlying_type<NegotiateFlags>::type;
return static_cast<NegotiateFlags>(static_cast<TFlagsInt>(lhs) |
static_cast<TFlagsInt>(rhs));
}
constexpr NegotiateFlags operator&(NegotiateFlags lhs, NegotiateFlags rhs) {
using TFlagsInt = std::underlying_type<NegotiateFlags>::type;
return static_cast<NegotiateFlags>(static_cast<TFlagsInt>(lhs) &
static_cast<TFlagsInt>(rhs));
}
// Identifies the payload type in an AV Pair. See [MS-NLMP] 2.2.2.1
enum class TargetInfoAvId : uint16_t {
kEol = 0x0000,
kServerName = 0x00001,
kDomainName = 0x00002,
kFlags = 0x0006,
kTimestamp = 0x0007,
kTargetName = 0x0009,
kChannelBindings = 0x000A,
};
// Flags used in an TargetInfoAvId::kFlags AV Pair. See [MS-NLMP] 2.2.2.1
enum class TargetInfoAvFlags : uint32_t {
kNone = 0,
kMicPresent = 0x00000002,
};
using TAvFlagsInt = std::underlying_type<TargetInfoAvFlags>::type;
constexpr TargetInfoAvFlags operator|(TargetInfoAvFlags lhs,
TargetInfoAvFlags rhs) {
return static_cast<TargetInfoAvFlags>(static_cast<TAvFlagsInt>(lhs) |
static_cast<TAvFlagsInt>(rhs));
}
constexpr TargetInfoAvFlags operator&(TargetInfoAvFlags lhs,
TargetInfoAvFlags rhs) {
return static_cast<TargetInfoAvFlags>(static_cast<TAvFlagsInt>(lhs) &
static_cast<TAvFlagsInt>(rhs));
}
// An AV Pair is a structure that appears inside the target info field. It
// consists of an |avid| to identify the data type and an |avlen| specifying
// the size of the payload. Following that is |avlen| bytes of inline payload.
// AV Pairs are concatenated together and a special terminator with |avid|
// equal to |kEol| and |avlen| equal to zero signals that no further pairs
// follow. See [MS-NLMP] 2.2.2.1
//
// AV Pairs from the Challenge message are read from the challenge message
// and a potentially modified version is written into the authenticate
// message. In some cases the existing AV Pair is modified, eg. flags. In
// some cases new AV Pairs are add, eg. channel bindings and spn.
//
// For simplicity of processing two special fields |flags|, and |timestamp|
// are populated during the initial parsing phase for AVIDs |kFlags| and
// |kTimestamp| respectively. This avoids subsequent code having to
// manipulate the payload value through the buffer directly. For all
// other AvPairs the value of these 2 fields is undefined and the payload
// is in the |buffer| field. For these fields the payload is copied verbatim
// and it's content is not read or validated in any way.
struct NET_EXPORT_PRIVATE AvPair {
AvPair();
AvPair(TargetInfoAvId avid, uint16_t avlen);
AvPair(TargetInfoAvId avid, std::vector<uint8_t> buffer);
AvPair(const AvPair& other);
AvPair(AvPair&& other);
~AvPair();
AvPair& operator=(const AvPair& other);
AvPair& operator=(AvPair&& other);
std::vector<uint8_t> buffer;
uint64_t timestamp;
TargetInfoAvFlags flags;
TargetInfoAvId avid;
uint16_t avlen;
};
static constexpr uint8_t kSignature[] = "NTLMSSP";
static constexpr size_t kSignatureLen = base::size(kSignature);
static constexpr uint16_t kProofInputVersionV2 = 0x0101;
static constexpr size_t kSecurityBufferLen =
(2 * sizeof(uint16_t)) + sizeof(uint32_t);
static constexpr size_t kNegotiateMessageLen = 32;
static constexpr size_t kMinChallengeHeaderLen = 32;
static constexpr size_t kChallengeHeaderLen = 48;
static constexpr size_t kResponseLenV1 = 24;
static constexpr size_t kChallengeLen = 8;
static constexpr size_t kVersionFieldLen = 8;
static constexpr size_t kNtlmHashLen = 16;
static constexpr size_t kNtlmProofLenV2 = kNtlmHashLen;
static constexpr size_t kSessionKeyLenV2 = kNtlmHashLen;
static constexpr size_t kMicLenV2 = kNtlmHashLen;
static constexpr size_t kChannelBindingsHashLen = kNtlmHashLen;
static constexpr size_t kEpaUnhashedStructHeaderLen = 20;
static constexpr size_t kProofInputLenV2 = 28;
static constexpr size_t kAvPairHeaderLen = 2 * sizeof(uint16_t);
static constexpr size_t kNtlmResponseHeaderLenV2 =
kNtlmProofLenV2 + kProofInputLenV2;
static constexpr size_t kAuthenticateHeaderLenV1 = 64;
static constexpr size_t kMicOffsetV2 = 72;
static constexpr size_t kAuthenticateHeaderLenV2 = 88;
static constexpr size_t kMaxFqdnLen = 255;
static constexpr size_t kMaxUsernameLen = 104;
static constexpr size_t kMaxPasswordLen = 256;
static constexpr NegotiateFlags kNegotiateMessageFlags =
NegotiateFlags::kUnicode | NegotiateFlags::kOem |
NegotiateFlags::kRequestTarget | NegotiateFlags::kNtlm |
NegotiateFlags::kAlwaysSign | NegotiateFlags::kExtendedSessionSecurity;
} // namespace ntlm
} // namespace net
#endif // NET_NTLM_NTLM_CONSTANTS_H_