[Dovecot] [PATCH 0/10] NTLM patchset submission
Hello all,
As I promised some days ago, here is the NTLM (aka SPA, aka MSN) authentication support patchset.
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
All patches are against 1.0-test30.
Please take a look.
Best regards.
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
This patch adds some header files with NTLM related definitions.
src/lib-ntlm/ntlm-byteorder.h | 111 +++++++++++++++++++++++++++++++++
src/lib-ntlm/ntlm-flags.h | 139 ++++++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/ntlm-types.h | 130 +++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/ntlm.h | 34 ++++++++++
4 files changed, 414 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-types.h dovecot-1.0-test30/src/lib-ntlm/ntlm-types.h
--- dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-types.h 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/lib-ntlm/ntlm-types.h 2004-07-27 15:47:25.000000000 +0400
@@ -0,0 +1,130 @@
+/*
+ * NTLM data structures.
+ *
+ * Copyright (c) 2004 Andrey Panin
This patch adds MD4 code, which is used in NTLM password hash calculation.
src/lib-ntlm/md4.c | 266 +++++++++++++++++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/md4.h | 25 ++++
2 files changed, 291 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/md4.c dovecot-1.0-test30/src/lib-ntlm/md4.c
--- dovecot-1.0-test30.vanilla/src/lib-ntlm/md4.c 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/lib-ntlm/md4.c 2004-07-27 10:18:26.000000000 +0400
@@ -0,0 +1,266 @@
+/*
+ * MD4 (RFC-1320) message digest.
+ * Modified from MD5 code by Andrey Panin
This patch adds HMAC-MD5 code, which is used in NTLMv2 response calculation.
src/lib-ntlm/hmac-md5.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/hmac-md5.h | 21 +++++++++++++++++++++
2 files changed, 69 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/hmac-md5.c dovecot-1.0-test30/src/lib-ntlm/hmac-md5.c
--- dovecot-1.0-test30.vanilla/src/lib-ntlm/hmac-md5.c 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/lib-ntlm/hmac-md5.c 2004-07-27 14:04:24.000000000 +0400
@@ -0,0 +1,48 @@
+/*
+ * HMAC-MD5 (RFC-2104) implementation.
+ *
+ * Copyright (c) 2004 Andrey Panin
This patch adds DES encryption code which is used in NTLM response calculation.
src/lib-ntlm/ntlm-des.c | 604 ++++++++++++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/ntlm-des.h | 6
2 files changed, 610 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-des.c dovecot-1.0-test30/src/lib-ntlm/ntlm-des.c
--- dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-des.c 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/lib-ntlm/ntlm-des.c 2004-07-27 10:19:45.000000000 +0400
@@ -0,0 +1,604 @@
+/*
+ * Implements DES encryption, but not decryption.
+ * DES is used to create LM password hashes and both LM and NTLM Responses.
+ *
+ * Copyright (C) 2003, 2004 by Christopher R. Hertel
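Review bot: the header credits Christopher R. Hertel (2003, 2004) as copyright holder of ntlm-des.c, but neither the hunk nor the patch description states the licence under which this third-party file is redistributed in Dovecot; add the licence text (or a pointer to it) to the header and name the origin in the commit message so the borrowed code stays traceable.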
This patch adds NTLM and NTLMv2 hash and response calculation code.
src/lib-ntlm/ntlm-encrypt.c | 123 ++++++++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/ntlm-encrypt.h | 17 ++++++
2 files changed, 140 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-encrypt.c dovecot-1.0-test30/src/lib-ntlm/ntlm-encrypt.c
--- dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-encrypt.c 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/lib-ntlm/ntlm-encrypt.c 2004-07-27 14:02:37.000000000 +0400
@@ -0,0 +1,123 @@
+/*
+ * NTLM and NTLMv2 hash generation.
+ *
+ * Copyright (c) 2004 Andrey Panin
This patch adds code for checking and creating NTLM messages.
src/lib-ntlm/ntlm-message.c | 235 ++++++++++++++++++++++++++++++++++++++++++++
src/lib-ntlm/ntlm-message.h | 10 +
2 files changed, 245 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-message.c dovecot-1.0-test30/src/lib-ntlm/ntlm-message.c
--- dovecot-1.0-test30.vanilla/src/lib-ntlm/ntlm-message.c 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/lib-ntlm/ntlm-message.c 2004-07-27 14:03:13.000000000 +0400
@@ -0,0 +1,235 @@
+/*
+ * NTLM message handling.
+ *
+ * Copyright (c) 2004 Andrey Panin
This patch includes lib-ntlm directory into the dovecot build process. configure.in | 1 + src/Makefile.am | 2 +- src/auth/Makefile.am | 2 ++ src/lib-ntlm/Makefile.am | 22 ++++++++++++++++++++++ 4 files changed, 26 insertions(+), 1 deletion(-) diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/configure.in dovecot-1.0-test30/configure.in --- dovecot-1.0-test30.vanilla/configure.in 2004-07-27 10:03:21.000000000 +0400 +++ dovecot-1.0-test30/configure.in 2004-07-27 11:06:12.000000000 +0400 @@ -1282,6 +1282,7 @@ src/lib-charset/Makefile src/lib-imap/Makefile src/lib-index/Makefile src/lib-mail/Makefile +src/lib-ntlm/Makefile src/lib-settings/Makefile src/lib-storage/Makefile src/lib-storage/index/Makefile diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/Makefile.am dovecot-1.0-test30/src/auth/Makefile.am --- dovecot-1.0-test30.vanilla/src/auth/Makefile.am 2004-07-27 10:03:23.000000000 +0400 +++ dovecot-1.0-test30/src/auth/Makefile.am 2004-07-27 11:56:34.000000000 +0400 @@ -5,12 +5,14 @@ pkglibexec_PROGRAMS = dovecot-auth check INCLUDES = \ -I$(top_srcdir)/src/lib \ -I$(top_srcdir)/src/lib-settings \ + -I$(top_srcdir)/src/lib-ntlm \ -DAUTH_MODULE_DIR=\""$(moduledir)/auth"\" \ -DPKG_LIBEXECDIR=\""$(pkglibexecdir)"\" \ $(AUTH_CFLAGS) dovecot_auth_LDADD = \ ../lib-settings/libsettings.a \ + ../lib-ntlm/libntlm.a \ ../lib/liblib.a \ $(AUTH_LIBS) \ $(RAND_LIBS) \ diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/lib-ntlm/Makefile.am dovecot-1.0-test30/src/lib-ntlm/Makefile.am --- dovecot-1.0-test30.vanilla/src/lib-ntlm/Makefile.am 1970-01-01 03:00:00.000000000 +0300 +++ dovecot-1.0-test30/src/lib-ntlm/Makefile.am 2004-07-27 14:26:55.000000000 +0400 
@@ -0,0 +1,22 @@ +noinst_LIBRARIES = libntlm.a + +INCLUDES = \ + -I$(top_srcdir)/src/lib + +libntlm_a_SOURCES = \ + md4.c \ + hmac-md5.c \ + ntlm-des.c \ + ntlm-encrypt.c \ + ntlm-message.c + +noinst_HEADERS = \ + md4.h \ + hmac-md5.h \ + ntlm.h \ + ntlm-types.h \ + ntlm-flags.h \ + ntlm-byteorder.h \ + ntlm-des.h \ + ntlm-encrypt.h \ + ntlm-message.h diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/Makefile.am dovecot-1.0-test30/src/Makefile.am --- dovecot-1.0-test30.vanilla/src/Makefile.am 2004-07-27 10:03:22.000000000 +0400 +++ dovecot-1.0-test30/src/Makefile.am 2004-07-27 11:03:29.000000000 +0400 @@ -2,4 +2,4 @@ if BUILD_POP3D POP3D = pop3-login pop3 endif -SUBDIRS = lib lib-settings lib-charset lib-mail lib-imap lib-index lib-storage lib-auth auth master login-common imap-login imap $(POP3D) util +SUBDIRS = lib lib-ntlm lib-settings lib-charset lib-mail lib-imap lib-index lib-storage lib-auth auth master login-common imap-login imap $(POP3D) util
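Review bot: src/util/Makefile.am is not touched, although dovecotpw links ../auth/password-scheme.o, which will reference password_generate_ntlm once the NTLM scheme is added; add `../lib-ntlm/libntlm.a` and `../auth/password-scheme-ntlm.o` to dovecotpw_LDADD in the same series, with the archive after the objects that use it, or that binary stops linking. The `dovecot_auth_LDADD` ordering in src/auth/Makefile.am (`../lib-ntlm/libntlm.a` before `../lib/liblib.a`, which it depends on) is correct for static archives.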
This patch adds NTLM password scheme. As a bonus it can be used to authenticate users using Samba password database. src/auth/Makefile.am | 1 + src/auth/passdb.c | 2 ++ src/auth/passdb.h | 3 ++- src/auth/password-scheme-ntlm.c | 15 +++++++++++++++ src/auth/password-scheme.c | 13 +++++++++++++ src/auth/password-scheme.h | 1 + 6 files changed, 34 insertions(+), 1 deletion(-) diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/Makefile.am dovecot-1.0-test30/src/auth/Makefile.am --- dovecot-1.0-test30.vanilla/src/auth/Makefile.am 2004-07-27 10:03:23.000000000 +0400 +++ dovecot-1.0-test30/src/auth/Makefile.am 2004-07-27 11:56:34.000000000 +0400 @@ -48,6 +51,7 @@ dovecot_auth_SOURCES = \ password-scheme.c \ password-scheme-md5crypt.c \ password-scheme-cram-md5.c \ + password-scheme-ntlm.c \ userdb.c \ userdb-ldap.c \ userdb-passwd.c \ diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/passdb.c dovecot-1.0-test30/src/auth/passdb.c --- dovecot-1.0-test30.vanilla/src/auth/passdb.c 2004-07-27 10:03:23.000000000 +0400 +++ dovecot-1.0-test30/src/auth/passdb.c 2004-07-27 10:19:58.000000000 +0400 @@ -28,6 +28,8 @@ passdb_credentials_to_str(enum passdb_cr return "HMAC-MD5"; case PASSDB_CREDENTIALS_DIGEST_MD5: return "DIGEST-MD5"; + case PASSDB_CREDENTIALS_NTLM: + return "NTLM"; } return "??"; diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/passdb.h dovecot-1.0-test30/src/auth/passdb.h --- dovecot-1.0-test30.vanilla/src/auth/passdb.h 2004-07-27 10:03:23.000000000 +0400 +++ dovecot-1.0-test30/src/auth/passdb.h 2004-07-27 10:19:58.000000000 +0400 
@@ -12,7 +12,8 @@ enum passdb_credentials { PASSDB_CREDENTIALS_PLAINTEXT, PASSDB_CREDENTIALS_CRYPT, PASSDB_CREDENTIALS_CRAM_MD5, - PASSDB_CREDENTIALS_DIGEST_MD5 + PASSDB_CREDENTIALS_DIGEST_MD5, + PASSDB_CREDENTIALS_NTLM }; enum passdb_result { diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/password-scheme.c dovecot-1.0-test30/src/auth/password-scheme.c --- dovecot-1.0-test30.vanilla/src/auth/password-scheme.c 2004-07-27 10:03:23.000000000 +0400 +++ dovecot-1.0-test30/src/auth/password-scheme.c 2004-07-27 10:19:58.000000000 +0400 @@ -216,6 +216,18 @@ static const char *plain_md5_generate(co return binary_to_hex(digest, sizeof(digest)); } +static int ntlm_verify(const char *plaintext, const char *password, + const char *user __attr_unused__) +{ + return strcmp(password, password_generate_ntlm(plaintext)) == 0; +} + +static const char *ntlm_generate(const char *plaintext, + const char *user __attr_unused__) +{ + return password_generate_ntlm(plaintext); +} + static const struct password_scheme default_schemes[] = { { "CRYPT", crypt_verify, crypt_generate }, { "MD5", md5_verify, md5_generate }, @@ -227,6 +239,7 @@ static const struct password_scheme defa { "HMAC-MD5", hmac_md5_verify, hmac_md5_generate }, { "DIGEST-MD5", digest_md5_verify, digest_md5_generate }, { "PLAIN-MD5", plain_md5_verify, plain_md5_generate }, + { "NTLM", ntlm_verify, ntlm_generate }, { NULL, NULL, NULL } }; diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/password-scheme.h dovecot-1.0-test30/src/auth/password-scheme.h --- dovecot-1.0-test30.vanilla/src/auth/password-scheme.h 2004-07-27 10:03:23.000000000 +0400 +++ dovecot-1.0-test30/src/auth/password-scheme.h 2004-07-27 10:19:58.000000000 +0400 
@@ -27,5 +27,6 @@ void password_schemes_deinit(void); /* INTERNAL: */ const char *password_generate_md5_crypt(const char *pw, const char *salt); const char *password_generate_cram_md5(const char *pw); +const char *password_generate_ntlm(const char *pw); #endif diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/password-scheme-ntlm.c dovecot-1.0-test30/src/auth/password-scheme-ntlm.c --- dovecot-1.0-test30.vanilla/src/auth/password-scheme-ntlm.c 1970-01-01 03:00:00.000000000 +0300 +++ dovecot-1.0-test30/src/auth/password-scheme-ntlm.c 2004-07-27 10:19:58.000000000 +0400 @@ -0,0 +1,15 @@ + +#include "lib.h" +#include "hex-binary.h" +#include "password-scheme.h" + +#include "ntlm.h" + +const char *password_generate_ntlm(const char *plaintext) +{ + unsigned char hash[16]; + + ntlm_v1_hash(plaintext, hash); + + return str_ucase((char *)binary_to_hex(hash, sizeof(hash))); +}
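Review bot: `ntlm_verify` in password-scheme.c compares with `strcmp`, while `password_generate_ntlm` always returns the digest upper-cased via `str_ucase`; a hash stored in lowercase hex (as other tools may export it) therefore never verifies. Use `strcasecmp`, or normalise the stored value before comparing. Also, in password-scheme-ntlm.c the 16-byte `hash` array is left on the stack after `binary_to_hex`; clear it with `safe_memset(hash, 0, sizeof(hash))` before returning, since it is derived directly from the plaintext password.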
This patch adds NTLM authentication mechanism itself. Depends on NTLM password
scheme.
src/auth/Makefile.am | 1
src/auth/mech-ntlm.c | 201 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/auth/mech.c | 4 +
3 files changed, 206 insertions(+)
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/mech.c dovecot-1.0-test30/src/auth/mech.c
--- dovecot-1.0-test30.vanilla/src/auth/mech.c 2004-07-27 10:03:23.000000000 +0400
+++ dovecot-1.0-test30/src/auth/mech.c 2004-07-27 10:19:51.000000000 +0400
@@ -388,6 +388,7 @@ extern struct mech_module mech_login;
extern struct mech_module mech_apop;
extern struct mech_module mech_cram_md5;
extern struct mech_module mech_digest_md5;
+extern struct mech_module mech_ntlm;
extern struct mech_module mech_anonymous;
void mech_init(void)
@@ -421,6 +422,8 @@ void mech_init(void)
mech_register_module(&mech_cram_md5);
else if (strcasecmp(*mechanisms, "DIGEST-MD5") == 0)
mech_register_module(&mech_digest_md5);
+ else if (strcasecmp(*mechanisms, "NTLM") == 0)
+ mech_register_module(&mech_ntlm);
else if (strcasecmp(*mechanisms, "ANONYMOUS") == 0) {
if (anonymous_username == NULL) {
i_fatal("ANONYMOUS listed in mechanisms, "
@@ -481,5 +484,6 @@ void mech_deinit(void)
mech_unregister_module(&mech_apop);
mech_unregister_module(&mech_cram_md5);
mech_unregister_module(&mech_digest_md5);
+ mech_unregister_module(&mech_ntlm);
mech_unregister_module(&mech_anonymous);
}
diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/auth/mech-ntlm.c dovecot-1.0-test30/src/auth/mech-ntlm.c
--- dovecot-1.0-test30.vanilla/src/auth/mech-ntlm.c 1970-01-01 03:00:00.000000000 +0300
+++ dovecot-1.0-test30/src/auth/mech-ntlm.c 2004-07-27 11:46:54.000000000 +0400
@@ -0,0 +1,201 @@
+/*
+ * NTLM and NTLMv2 authentication mechanism.
+ *
+ * Copyright (c) 2004 Andrey Panin
This patch is needed to allow MS Outlook to use NTLM authentication with POP3. Sometimes this kludge is called "old-style SASL discovery". src/pop3-login/client-authenticate.c | 7 +++++++ 1 files changed, 7 insertions(+) diff -urpNX /usr/share/dontdiff dovecot-1.0-test30.vanilla/src/pop3-login/client-authenticate.c dovecot-1.0-test30/src/pop3-login/client-authenticate.c --- dovecot-1.0-test30.vanilla/src/pop3-login/client-authenticate.c 2004-07-27 10:03:24.000000000 +0400 +++ dovecot-1.0-test30/src/pop3-login/client-authenticate.c 2004-07-27 10:06:15.000000000 +0400 @@ -289,6 +289,13 @@ int cmd_auth(struct pop3_client *client, args = p+1; } + if (mech_name && !*mech_name && auth_client_find_mech(auth_client, "NTLM")) { + client_send_line(client, "+OK"); + client_send_line(client, "NTLM"); + client_send_line(client, "."); + return TRUE; + } + mech = auth_client_find_mech(auth_client, mech_name); if (mech == NULL) { client_send_line(client,
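Review bot: the discovery reply hardcodes NTLM as the only mechanism. When `AUTH` arrives with an empty mechanism name the code answers `+OK`, `NTLM`, `.` as soon as `auth_client_find_mech(auth_client, "NTLM")` succeeds, so a client probing this way never learns about any other configured mechanism, and a server without NTLM falls through to the `mech == NULL` error for a bare `AUTH`. Build the list from the registered mechanisms instead of a literal, and document in the commit message which clients need this reply.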
On 27.7.2004, at 16:18, Andrey Panin wrote:
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.. Or anyway md4 and des would be better in lib/ than lib-ntlm/.
Please take a look.
HMAC-MD5 code looks quite similar to src/auth/password-scheme-cram-md5.c. Could they be merged somehow?
You use "char var[0]" at the end of some structures. I've tried to avoid them so far everywhere since C89 doesn't support it. But I guess it's a common enough feature that it could be allowed the way C99 supports it, var[].
- int len = strlen(passwd);
- ucs2le_t wpwd[len + 1];
Another C99ism.. Are there enough C99 compilers that it'd be a good idea to require it? gcc of course works, but how about others?
+ntlmssp_v1_response(const unsigned char *hash, ..
- memset(des_hash + NTLMSSP_HASH_SIZE, 0, sizeof(hash) - NTLMSSP_HASH_SIZE);
sizeof(des_hash)
+#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
offsetof() is ansi-c and defined in stddef.h
+const char * __ntlmssp_t_str(void *message, struct ntlmssp_buffer *buffer) ..
- str_append_c(str, '\0');
- return str_c(str);
str_c() nul-terminates the returned string so str_append_c() isn't needed there.
+static int ntlmssp_check_buffer(struct ntlmssp_buffer *buffer, size_t data_size, const char **error) +{
- uint32_t offset = read_le32(&buffer->offset);
- if (offset <= data_size) {
*error = "buffer offset out of bounds";
return 0;
- }
offset >= data_size I'd think?
On Tue, 2004-07-27 at 17:36, Timo Sirainen wrote:
You use "char var[0]" at the end of some structures. I've tried to avoid them so far everywhere since C89 doesn't support it. But I guess it's a common enough feature that it could be allowed the way C99 supports it, var[].
var[1] is safe and then malloc-1. Still C89-ok.
- int len = strlen(passwd);
- ucs2le_t wpwd[len + 1];
Another C99ism.. Are there enough C99 compilers that it'd be a good idea to require it? gcc of course works, but how about others?
No. gcc on debian woody (stable) requires --std=c99 to do it. Use alloca() if it's available (more widely so than C99) instead.
Geo Carncross geocar@internetconnection.net writes:
On Tue, 2004-07-27 at 17:36, Timo Sirainen wrote:
You use "char var[0]" at the end of some structures. I've tried to avoid them so far everywhere since C89 doesn't support it. But I guess it's a common enough feature that it could be allowed the way C99 supports it, var[].
var[1] is safe and then malloc-1. Still C89-ok.
- int len = strlen(passwd);
- ucs2le_t wpwd[len + 1];
Another C99ism.. Are there enough C99 compilers that it'd be a good idea to require it? gcc of course works, but how about others?
No. gcc on debian woody (stable) requires --std=c99 to do it. Use alloca() if it's available (more widely so than C99) instead.
alloca() isn't really portable either, and having one OS use alloca() and another one malloc() with free() or similar isn't exactly going to aid debugging unfortunately.
-- Matthias Andree
Encrypted mail welcome: my GnuPG key ID is 0x052E7D95 (PGP/MIME preferred)
On 28.7.2004, at 01:51, Geo Carncross wrote:
On Tue, 2004-07-27 at 17:36, Timo Sirainen wrote:
You use "char var[0]" at the end of some structures. I've tried to avoid them so far everywhere since C89 doesn't support it. But I guess it's a common enough feature that it could be allowed the way C99 supports it, var[].
var[1] is safe and then malloc-1. Still C89-ok.
BTW. This works only as long as you don't care if sizeof() returns more data than the structure actually uses. struct foo { int size; char data[1]; }; sizeof(foo) == 8 with most compilers nowadays because of alignment issues.
On Sat, 2004-07-31 at 00:03, Timo Sirainen wrote:
On 28.7.2004, at 01:51, Geo Carncross wrote:
On Tue, 2004-07-27 at 17:36, Timo Sirainen wrote:
You use "char var[0]" at the end of some structures. I've tried to avoid them so far everywhere since C89 doesn't support it. But I guess it's a common enough feature that it could be allowed the way C99 supports it, var[].
var[1] is safe and then malloc-1. Still C89-ok.
BTW. This works only as long as you don't care if sizeof() returns more data than the structure actually uses. struct foo { int size; char data[1]; }; sizeof(foo) == 8 with most compilers nowadays because of alignment issues.
No, for one can always:
typedef char _structure_ext[1];
sizeof(struct foo)-sizeof(_structure_ext)
-- Geo Carncross geocar@internetconnection.net Internet Connection Reliable Web Hosting http://www.internetconnection.net/
On Wed, Jul 28, 2004 at 12:36:30AM +0300, Timo Sirainen wrote:
HMAC-MD5 code looks quite similar to src/auth/password-scheme-cram-md5.c. Could they be merged somehow?
The use of HMAC in CRAM-MD5 is different to that in NTLM; although both start with the construction of the inner and outer pads, the stored form in CRAM-MD5 is the internal structures of the md5 contexts midway through the HMAC computation. As a result, the CRAM-MD5 generator reaches inside the md5_context struct itself and directly touches a,b,c & d.
There is one other possible issue with Andrey's code, in that it leaves the key in memory (XOR'd) in between hmac_md5_init and final, in the ipad and opad. The MD5 algorithm only leaves bits of the input if it wasn't a multiple of 512 bits, which is one reason I think CRAM-MD5 is deliberately using that block size. We can remove the issue, and make the struct smaller, by initializing the outer MD5 context first.
The attached files are a draft merge of the two, and the two new functions would be used by password-scheme-cram-md5.c and mech-cram-md5.c (and also wipe the ipad/opad after use). WARNING: Since Andrey's code isn't committed yet, I haven't tried to compile them, but this is how they should look, notwithstanding possible typos or missed #includes.
Joshua.
On Wed, 2004-07-28 at 22:57 +1000, Joshua Goodall wrote:
The attached files are a draft merge of the two, and the two new functions would be used by password-scheme-cram-md5.c and mech-cram-md5.c (and also wipe the ipad/opad after use). WARNING: Since Andrey's code isn't committed yet, I haven't tried to compile them, but this is how they should look, notwithstanding possible typos or missed #includes.
Committed. Did I break them?
On Fri, Jul 30, 2004 at 04:58:06AM +0300, Timo Sirainen wrote:
On Wed, 2004-07-28 at 22:57 +1000, Joshua Goodall wrote:
The attached files are a draft merge of the two, and the two new functions would be used by password-scheme-cram-md5.c and mech-cram-md5.c (and also wipe the ipad/opad after use). WARNING: Since Andrey's code isn't committed yet, I haven't tried to compile them, but this is how they should look, notwithstanding possible typos or missed #includes.
Committed. Did I break them?
You understood my intention 100%. It looks good in the dovecotpw verify mode and I'll test cram-md5 itself later. BTW, Andrey supplies hmac_md5_update(ctxptr, ...) for API cleanliness so you don't have to do md5_update(&ctx.ctx, ...).
regards Joshua.
-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
On 210, 07 28, 2004 at 12:36:30AM +0300, Timo Sirainen wrote:
On 27.7.2004, at 16:18, Andrey Panin wrote:
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.. Or anyway md4 and des would be better in lib/ than lib-ntlm/.
md4 and hmac-md5 can be moved to lib/ easily. I'm not sure about usefulness of ntlm-des.c outside of NTLM authentication code.
Please take a look.
HMAC-MD5 code looks quite similar to src/auth/password-scheme-cram-md5.c. Could they be merged somehow?
I'll take a look at them later today.
You use "char var[0]" at the end of some structures. I've tried to avoid them so far everywhere since C89 doesn't support it. But I guess it's a common enough feature that it could be allowed the way C99 supports it, var[].
We can safely remove these fields; now they serve to illustrate NTLM message structure only.
- int len = strlen(passwd);
- ucs2le_t wpwd[len + 1];
Another C99ism.. Are there enough C99 compilers that it'd be a good idea to require it? gcc of course works, but how about others?
Reworked using buffer API.
+ntlmssp_v1_response(const unsigned char *hash, ..
- memset(des_hash + NTLMSSP_HASH_SIZE, 0, sizeof(hash) - NTLMSSP_HASH_SIZE);
sizeof(des_hash)
Fixed.
+#define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
offsetof() is ansi-c and defined in stddef.h
Removed.
+const char * __ntlmssp_t_str(void *message, struct ntlmssp_buffer *buffer) ..
- str_append_c(str, '\0');
- return str_c(str);
str_c() nul-terminates the returned string so str_append_c() isn't needed there.
Fixed.
+static int ntlmssp_check_buffer(struct ntlmssp_buffer *buffer, size_t data_size, const char **error) +{
- uint32_t offset = read_le32(&buffer->offset);
- if (offset <= data_size) {
*error = "buffer offset out of bounds";
return 0;
- }
offset >= data_size I'd think?
Fixed.
Updated patches attached.
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On Wed, 2004-07-28 at 16:15, Andrey Panin wrote:
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.. Or anyway md4 and des would be better in lib/ than lib-ntlm/.
md4 and hmac-md5 can be moved to lib/ easily. I'm not sure about usefulness of ntlm-des.c outside of NTLM authentication code.
Oh, right. It wasn't a full DES implementation.
Updated patches attached.
Committed. I added some consts and split lines so they won't be wider than 80 chars.
The POP3 NTLM kludge probably should be added to pop3_client_workarounds?
On 210, 07 28, 2004 at 06:44:16PM +0300, Timo Sirainen wrote:
On Wed, 2004-07-28 at 16:15, Andrey Panin wrote:
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.. Or anyway md4 and des would be better in lib/ than lib-ntlm/.
md4 and hmac-md5 can be moved to lib/ easily. I'm not sure about usefulness of ntlm-des.c outside of NTLM authentication code.
Oh, right. It wasn't a full DES implementation.
Updated patches attached.
Committed. I added some consts and split lines so they won't be wider than 80 chars.
The POP3 NTLM kludge probably should be added to pop3_client_workarounds?
I don't think so. If we do it as a separate workaround, it will probably become a common gotcha: "I enabled NTLM authentication, but it doesn't work!" :)
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On Wed, Jul 28, 2004 at 12:36:30AM +0300, Timo Sirainen wrote:
On 27.7.2004, at 16:18, Andrey Panin wrote:
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.
Yes.
Especially since I was thinking about doing a {BLOWFISH} for the $2$ MCF this weekend.
Also, Timo, do you think it would be worth having a compatibility userdb/passdb for migrants from Courier's USERDB?
Andrey, how does the NTLM password scheme relate to OpenLDAP's {LANMAN} scheme? As far as I can tell, {NTLM} uses md4 whilst {LANMAN} uses des. Is that correct?
Joshua.
-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
On Wed, 2004-07-28 at 16:33, Joshua Goodall wrote:
Also, Timo, do you think it would be worth having a compatibility userdb/passdb for migrants from Courier's USERDB?
I don't know. So far no-one's requested support for it. I'm not opposed to it if you want to implement it though. Since it uses gdbm/bdb it could be useful anyway.
Perhaps it could be implemented in some generic way so with configuration file changes it could be made compatible with either Courier userdb or Cyrus sasldb?
On 210, 07 28, 2004 at 11:33:40PM +1000, Joshua Goodall wrote:
On Wed, Jul 28, 2004 at 12:36:30AM +0300, Timo Sirainen wrote:
On 27.7.2004, at 16:18, Andrey Panin wrote:
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.
Yes.
Especially since I was thinking about doing a {BLOWFISH} for the $2$ MCF this weekend.
Also, Timo, do you think it would be worth having a compatibility userdb/passdb for migrants from Courier's USERDB?
Andrey, how does the NTLM password scheme relate to OpenLDAP's {LANMAN} scheme? As far as I can tell, {NTLM} uses md4 whilst {LANMAN} uses des. Is that correct?
As I can guess from the {LANMAN} name, it probably uses the older Lan Manager password hash format, which is DES based. We can get support for it in ten minutes; all needed pieces are in place.
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On 211, 07 29, 2004 at 08:31:19AM +0400, Andrey Panin wrote:
On 210, 07 28, 2004 at 11:33:40PM +1000, Joshua Goodall wrote:
On Wed, Jul 28, 2004 at 12:36:30AM +0300, Timo Sirainen wrote:
On 27.7.2004, at 16:18, Andrey Panin wrote:
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.
Yes.
Especially since I was thinking about doing a {BLOWFISH} for the $2$ MCF this weekend.
Also, Timo, do you think it would be worth having a compatibility userdb/passdb for migrants from Courier's USERDB?
Andrey, how does the NTLM password scheme relate to OpenLDAP's {LANMAN} scheme? As far as I can tell, {NTLM} uses md4 whilst {LANMAN} uses des. Is that correct?
As I can guess from the {LANMAN} name, it probably uses the older Lan Manager password hash format, which is DES based. We can get support for it in ten minutes; all needed pieces are in place.
Well it taked a little more than ten minutes :)
If you are still interested, the attached patch adds an OpenLDAP {LANMAN} compatible (I hope) password scheme.
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On 211, 07 29, 2004 at 02:04:03PM +0400, Andrey Panin wrote:
On 211, 07 29, 2004 at 08:31:19AM +0400, Andrey Panin wrote:
On 210, 07 28, 2004 at 11:33:40PM +1000, Joshua Goodall wrote:
On Wed, Jul 28, 2004 at 12:36:30AM +0300, Timo Sirainen wrote:
On 27.7.2004, at 16:18, Andrey Panin wrote:
It contains common code in src/lib-ntlm directory, Samba compatible NTLM password scheme and authentication mechanism itself.
So now Dovecot has md4, md5, sha1 and des code. Maybe there should be a lib-crypto or something similar for those.
Yes.
Especially since I was thinking about doing a {BLOWFISH} for the $2$ MCF this weekend.
Also, Timo, do you think it would be worth having a compatibility userdb/passdb for migrants from Courier's USERDB?
Andrey, how does the NTLM password scheme relate to OpenLDAP's {LANMAN} scheme? As far as I can tell, {NTLM} uses md4 whilst {LANMAN} uses des. Is that correct?
As I can guess from the {LANMAN} name, it probably uses the older Lan Manager password hash format, which is DES based. We can get support for it in ten minutes; all needed pieces are in place.
Well it taked a little more than ten minutes :)
If you are still interested, the attached patch adds an OpenLDAP {LANMAN} compatible (I hope) password scheme.
s/taked/took/ :(
Better patch attached: - added missing safe_memset() in lm_hash() function; - modified mech-ntlm.c to use {LANMAN} scheme if {NTLM} isn't available.
-- Andrey Panin | Linux and UNIX system administrator pazke@donpac.ru | PGP key: wwwkeys.pgp.net
On Thu, Jul 29, 2004 at 02:04:03PM +0400, Andrey Panin wrote:
If you are still interested, the attached patch adds an OpenLDAP {LANMAN} compatible (I hope) password scheme.
This is compatible with OpenLDAP's scheme, and works correctly for PLAIN authentications on my small test set (as does {NTLM}). I needed a small patch to compile it with latest CVS: Index: Makefile.am =================================================================== RCS file: /home/cvs/dovecot/src/util/Makefile.am,v retrieving revision 1.4 diff -u -r1.4 Makefile.am --- Makefile.am 26 Jul 2004 17:59:38 -0000 1.4 +++ Makefile.am 29 Jul 2004 15:31:26 -0000 @@ -14,10 +14,12 @@ rawlog.c dovecotpw_LDADD = \ + ../lib-ntlm/libntlm.a \ ../lib/liblib.a \ ../auth/password-scheme.o \ ../auth/password-scheme-cram-md5.o \ ../auth/password-scheme-md5crypt.o \ + ../auth/password-scheme-ntlm.o \ ../auth/mycrypt.o \ $(AUTH_LIBS) regards Joshua. -- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
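Review bot: in the `dovecotpw_LDADD` hunk the archive `../lib-ntlm/libntlm.a` is listed before `../auth/password-scheme-ntlm.o`, the object that references its symbols; a single-pass linker only pulls archive members for references it has already seen, so placing the archive after the auth objects (next to `$(AUTH_LIBS)`) keeps the link order robust across platforms.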