ntlm

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 30, 2024 License: MIT Imports: 17 Imported by: 0

Documentation

Overview

package ntlm implements the NTLM client security service as described in MS-NLMP (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp).

This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).

Index

Constants

View Source 
const (
	// Indicates to the client that the account authentication is
	// constrained.
	AccountAuthenticationConstrained AttrFlag = 1 << 0
	// Indicates that the client is providing message integrity in
	// the MIC field in the AuthenticateMessage.
	MICProvided = 1 << 1
	// Indicates that the client is providing a target SPN generated
	// from an untrusted source.
	SPNFromUntrustedSource = 1 << 2
)
View Source 
const (
	NTLMv1 = 1
	NTLMv2 = 2
)
View Source 
const (
	WindowsMajorVersion5  = 0x05
	WindowsMajorVersion6  = 0x06
	WindowsMajorVersion10 = 0x0a

	WindowsMinorVersion0 = 0x00
	WindowsMinorVersion1 = 0x01
	WindowsMinorVersion2 = 0x02
	WindowsMinorVersion3 = 0x03
)
View Source 
const (
	// The signature version.
	SignatureVersion = 0x01
)

Variables

View Source 
var (
	// ErrIntegrityNotAvailable
	ErrIntegrityNotAvailable = errors.New("integrity, replay_detection, or sequencing were requested but not available")
	// ErrConfidentialityNotAvailable
	ErrConfidentialityNotAvailable = errors.New("confidentiality was requested but not available")
	// Err128BitEncryptionNotAvailable
	Err128BitEncryptionNotSupported = errors.New("128-bit encryption was requested but not supported")
)
View Source 
var (
	ErrMutualAuthnNotSupported = errors.New("mutual authn is not supported")
	ErrDelegationNotSupported  = errors.New("delegation is not supported")
)
View Source 
var (
	ErrInvalidNTLMSignature = errors.New("invalid ntlmssp signature, expected 'NTLMSSP'")
	ErrInvalidMessageType   = errors.New("unexpected message type")
)
View Source 
var (
	// Windows XP ServicePack 2.
	WindowsXPSP2 = ProductVersion{WindowsMajorVersion5, WindowsMinorVersion1}
	// Windows Vista.
	WindowsVista = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion0}
	// Windows 7.
	Windows7 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion1}
	// Windows 8.
	Windows8 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion2}
	// Windows 8.1
	Windows8_1 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion3}
	// Windows 10.
	Windows10 = ProductVersion{WindowsMajorVersion10, WindowsMinorVersion0}
	// Windows Server 2003.
	WindowsServer2003 = ProductVersion{WindowsMajorVersion5, WindowsMinorVersion2}
	// Windows Server 2008.
	WindowsServer2008 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion0}
	// Windows Server 2008 R2.
	WindowsServer2008R2 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion1}
	// WindowsServer 2012.
	WindowsServer2012 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion2}
	// Windows Server 2012 R2.
	WindowsServer2012R2 = ProductVersion{WindowsMajorVersion6, WindowsMinorVersion3}
	// Windows Server 2016/2019.
	WindowsServer2016_2019 = ProductVersion{WindowsMajorVersion10, WindowsMinorVersion0}
)
View Source 
var (
	// The list of allowed attributes.
	AttrIDList = [...]AttrValueID{
		AttrEOL,
		AttrNetBIOSComputerName,
		AttrNetBIOSDomainName,
		AttrDNSComputerName,
		AttrDNSDomainName,
		AttrDNSTreeName,
		AttrFlags,
		AttrTimestamp,
		AttrSingleHost,
		AttrTargetName,
		AttrChannelBindings,
	}
)
View Source 
var DefaultVersion = Version{ProductVersion: Windows10, ProductBuild: 19044, Revision: RevisionCurrent}
View Source 
var (
	ErrLogonFailure = errors.New("logon failure")
)
View Source 
var (
	MechanismType = gssapi.OID{1, 3, 6, 1, 4, 1, 311, 2, 2, 10}
)
View Source 
var (
	// The default NTLM signature.
	NTLMSignature = []byte{'N', 'T', 'L', 'M', 'S', 'S', 'P', 0}
)

Functions

func CRC32 

func CRC32(key []byte) func(uint32) hash.Hash

The CRC32 checksum.

func HMACMD5 

func HMACMD5(key []byte) func(uint32) hash.Hash

The HMAC-MD5 checksum.

func RC4K 

func RC4K(ctx context.Context, key []byte, src []byte) ([]byte, error)

RC4K performs XOR key stream on bytes `src` once.

Types

type AttrFlag 

type AttrFlag uint32

A 32-bit value indicating server or client configuration.

func (AttrFlag) IsSet 

func (f AttrFlag) IsSet(ff AttrFlag) bool

IsSet function returns `true` if flag is set.

type AttrValueID 

type AttrValueID uint16

The attribute-value pair identifier. 

const (
	// Indicates that this is the last AV_PAIR in the list.
	// This type of information MUST be present in the AV pair list.
	AttrEOL AttrValueID = 0x0000
	// The server's NetBIOS computer name. The name MUST be in Unicode,
	// and is not null-terminated.
	// This type of information MUST be present in the AV pair list.
	AttrNetBIOSComputerName AttrValueID = 0x0001
	// The server's NetBIOS domain name. The name MUST be in Unicode,
	// and is not null-terminated.
	// This type of information MUST be present in the AV_pair list.
	AttrNetBIOSDomainName AttrValueID = 0x0002
	// The fully qualified domain name (FQDN) of the computer.
	// The name MUST be in Unicode, and is not null-terminated.
	AttrDNSComputerName AttrValueID = 0x0003
	// The FQDN of the domain. The name MUST be in Unicode,
	// and is not null-terminated.
	AttrDNSDomainName AttrValueID = 0x0004
	// The FQDN of the forest. The name MUST be in Unicode,
	// and is not null-terminated.
	AttrDNSTreeName AttrValueID = 0x0005
	// A 32-bit value indicating server or client configuration.
	AttrFlags AttrValueID = 0x0006
	// A FILETIME structure in little-endian byte order that
	// contains the server local time. This structure is
	// always sent in the ChallengeMessage.
	AttrTimestamp AttrValueID = 0x0007
	// A SingleHostData structure. The Value field contains a
	// platform-specific blob, as well as a MachineID created at
	// computer startup to identify the calling machine.
	AttrSingleHost AttrValueID = 0x0008
	// The SPN of the target server. The name MUST be in Unicode and is
	// not null-terminated.
	AttrTargetName AttrValueID = 0x0009
	// A channel bindings hash. The Value field contains an MD5 hash of
	// a gss_channel_bindings_struct. An all-zero value of the hash is
	// used to indicate absence of channel bindings.
	AttrChannelBindings AttrValueID = 0x000a
)

type AttrValues 

type AttrValues map[AttrValueID]*Value

AttrValues represents the map of attribute-value pairs.

func (AttrValues) Flag 

func (avl AttrValues) Flag() AttrFlag

Flag function returns the flag attribute.

func (AttrValues) HasAttr 

func (avl AttrValues) HasAttr(attr AttrValueID) bool

HasAttr function returns 'true' if the attribute is present.

func (*AttrValues) Marshal 

func (avl *AttrValues) Marshal(ctx context.Context) ([]byte, error)

Marshal function marshals the attribute-value pairs.

func (AttrValues) Timestamp 

func (avl AttrValues) Timestamp() Filetime

Timestamp function returns the timestamp attribute.

func (AttrValues) ToValue 

func (avl AttrValues) ToValue() *Value

func (*AttrValues) Unmarshal 

func (avl *AttrValues) Unmarshal(ctx context.Context, b []byte) error

Unmarshal function unmarshals the attribute value pairs.

type AuthLevel 

type AuthLevel int

The authentication level. 

const (
	// Client devices use LM and NTLM authentication, and they
	// never use NTLMv2 session security.
	LMv1AndNTLMv1 AuthLevel = iota
	// Client devices use LM and NTLM authentication, and they use
	// NTLMv2 session security if the server supports it.
	LMv1AndNTLMv1WithESS
	// Client devices use NTLMv1 authentication, and they use NTLMv2
	// session security if the server supports it.
	NTLMv1WithESS
	// Client devices use NTLMv2 authentication, and they use NTLMv2
	// session security if the server supports it.
	NTLMv2WithESS
)

type AuthenticateMessage 

type AuthenticateMessage struct {
	// An 8-byte character array that MUST contain the ASCII
	// string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').
	Signature []byte
	// A 32-bit unsigned integer that indicates the message type.
	// This field MUST be set to 0x00000003.
	MessageType MessageType
	// A 16-bit unsigned integer that defines the size, in bytes,
	// of LmChallengeResponse in Payload.
	LMChallengeResponseLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of
	// LmChallengeResponseLen and MUST be ignored on receipt.
	LMChallengeResponseMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes,
	// from the beginning of the AuthenticateMessage to LmChallengeResponse
	// in Payload.
	LMChallengeResponseOffset uint32
	// A 16-bit unsigned integer that defines the size, in bytes, of
	// NtChallengeResponse in Payload.
	NTChallengeResponseLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of
	// NtChallengeResponseLen and MUST be ignored on receipt.
	NTChallengeResponseMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes,
	// from the beginning of the AuthenticateMessage to NtChallengeResponse
	// in Payload.
	NTChallengeResponseOffset uint32
	// A 16-bit unsigned integer that defines the size, in bytes, of DomainName
	// in Payload.
	DomainNameLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of DomainNameLen
	// and MUST be ignored on receipt.
	DomainNameMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes, from the
	// beginning of the AuthenticateMessage to DomainName in Payload. If DomainName
	// is a Unicode string, the values of DomainNameBufferOffset and DomainNameLen
	// MUST be multiples of 2.
	DomainNameOffset uint32
	// A 16-bit unsigned integer that defines the size, in bytes, of UserName in
	// Payload, not including a NULL terminator.
	UserNameLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of UserNameLen
	// and MUST be ignored on receipt.
	UserNameMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes, from the
	// beginning of the AuthenticateMessage to UserName in Payload. If the UserName
	// to be sent contains a Unicode string, the values of UserNameBufferOffset
	// and UserNameLen MUST be multiples of 2.
	UserNameOffset uint32
	// A 16-bit unsigned integer that defines the size, in bytes, of Workstation
	// in Payload.
	WorkstationLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of WorkstationLen
	// and MUST be ignored on receipt.
	WorkstationMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes, from the beginning
	// of the AuthenticateMessage to Workstation in Payload. If Workstation contains
	// a Unicode string, the values of WorkstationBufferOffset and WorkstationLen
	// MUST be multiples of 2.
	WorkstationOffset uint32
	// A 16-bit unsigned integer that defines the size, in bytes,
	// of EncryptedRandomSessionKey in Payload.
	EncryptedRandomSessionKeyLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of
	// EncryptedRandomSessionKeyLen and MUST be ignored on receipt.
	EncryptedRandomSessionKeyMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes,
	// from the beginning of the AuthenticateMessage to EncryptedRandomSessionKey
	// in Payload.
	EncryptedRandomSessionKeyOffset uint32
	// In connectionless mode, a NEGOTIATE structure that contains a set of
	// flags and represents the conclusion of negotiation—the choices the
	// client has made from the options the server offered in the ChallengeMessage.
	// In connection-oriented mode, a NEGOTIATE structure that contains the set of
	// bit flags negotiated in the previous messages.
	Negotiate Flag
	// A Version structure that is populated only when the NegotiateVersion
	// flag is set in the NegotiateFlags field; otherwise, it MUST be set to
	// all zero. This structure SHOULD be used for debugging purposes only.
	// In normal (nondebugging) protocol messages, it is ignored and does not
	// affect the NTLM message processing.
	Version Version
	// The message integrity for the NTLM NegotiateMessage, ChallengeMessage, and
	// AuthenticateMessage.
	MIC []byte
	// An LMResponse structure or an LMv2Response structure that contains
	// the computed LM response to the challenge. If NTLM v2 authentication is
	// configured, then LmChallengeResponse MUST be an LMv2Response structure.
	// Otherwise, it MUST be an LMResponse structure.
	LMChallengeResponse []byte
	// An NTLMResponse structure or NTLMv2Response structure
	// that contains the computed NT response to the challenge. If NTLM v2
	// authentication is configured, NtChallengeResponse MUST be an NTLMv2Response.
	// Otherwise, it MUST be an NTLMResponse.
	NTChallengeResponse []byte
	// The domain or computer name hosting the user account. DomainName MUST
	// be encoded in the negotiated character set.
	DomainName string
	// The name of the user to be authenticated. UserName MUST be encoded in the
	// negotiated character set.
	UserName string
	// The name of the computer to which the user is logged on. Workstation MUST
	// be encoded in the negotiated character set.
	Workstation string
	// The client's encrypted random session key.
	EncryptedRandomSessionKey []byte
}

The AuthenticateMessage defines an NTLM authenticate message that is sent from the client to the server after the ChallengeMessage is processed by the client.

func (*AuthenticateMessage) Marshal 

func (m *AuthenticateMessage) Marshal(ctx context.Context) ([]byte, error)

Marshal function marshals the AuthenticateMessage.

func (*AuthenticateMessage) Unmarshal 

func (m *AuthenticateMessage) Unmarshal(ctx context.Context, b []byte) error

Unmarshal function unmarshals the AuthenticateMessage.

type Authentifier 

type Authentifier struct {
	// The authentifier configuration.
	Config *Config
	// contains filtered or unexported fields
}

The NTLM Authentifier.

func (*Authentifier) ApplyInboundCipher 

func (a *Authentifier) ApplyInboundCipher(ctx context.Context, b []byte) error

func (*Authentifier) ApplyOutboundCipher 

func (a *Authentifier) ApplyOutboundCipher(ctx context.Context, b []byte) error

func (*Authentifier) Authenticate 

func (a *Authentifier) Authenticate(ctx context.Context, b []byte) ([]byte, error)

Authenticate function accepts the token containing the ChallengeMessage and returns the AuthenticateMessage token.

func (*Authentifier) MakeInboundChecksum 

func (a *Authentifier) MakeInboundChecksum(ctx context.Context, b [][]byte) ([]byte, error)

func (*Authentifier) MakeInboundSignature 

func (a *Authentifier) MakeInboundSignature(ctx context.Context, checksum []byte) ([]byte, error)

func (*Authentifier) MakeOutboundChecksum 

func (a *Authentifier) MakeOutboundChecksum(ctx context.Context, b [][]byte) ([]byte, error)

func (*Authentifier) MakeOutboundSignature 

func (a *Authentifier) MakeOutboundSignature(ctx context.Context, checksum []byte) ([]byte, error)

func (*Authentifier) Negotiate 

func (a *Authentifier) Negotiate(ctx context.Context) ([]byte, error)

Negotiate function returns the initial token.

func (*Authentifier) Reset 

func (a *Authentifier) Reset()

func (*Authentifier) ResetSecurityService 

func (a *Authentifier) ResetSecurityService(ctx context.Context) error

func (*Authentifier) SessionKey 

func (a *Authentifier) SessionKey() []byte

func (*Authentifier) TargetName 

func (a *Authentifier) TargetName() string

type ChallengeMessage 

type ChallengeMessage struct {
	// An 8-byte character array that MUST contain the ASCII
	// string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').
	Signature []byte
	// A 32-bit unsigned integer that indicates the message type.
	// This field MUST be set to 0x00000002.
	MessageType MessageType
	// A 16-bit unsigned integer that defines the size, in bytes,
	// of TargetInfo in Payload.
	TargetNameLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value
	// of TargetInfoLen and MUST be ignored on receipt.
	TargetNameMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes,
	// from the beginning of the CHALLENGE_MESSAGE to TargetInfo in
	// Payload.
	TargetNameOffset uint32
	// A set of flags. The server sets flags to indicate options it
	// supports or, if there has been a NegotiateMessage, the choices
	// it has made from the options offered by the client.
	Negotiate Flag
	// A 64-bit value that contains the NTLM challenge. The challenge is a
	// 64-bit nonce.
	ServerChallenge []byte

	// A 16-bit unsigned integer that defines the size, in bytes, of
	// TargetInfo in Payload.
	TargetInfoLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of
	// TargetInfoLen and MUST be ignored on receipt.
	TargetInfoMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes,
	// from the beginning of the ChallengeMessage to TargetInfo in
	// Payload.
	TargetInfoOffset uint32
	// A VERSION structure that is populated only when the NegotiateVersion
	// flag is set in the NegotiateFlags field; otherwise, it MUST be set to
	// all zero. This structure SHOULD be used for debugging purposes only.
	// In normal (nondebugging) protocol messages, it is ignored and does not
	// affect the NTLM message processing.
	Version Version
	// If TargetNameLen does not equal 0x0000, TargetName MUST be a byte array
	// that contains the name of the server authentication realm, and MUST be
	// expressed in the negotiated character set. A server that is a member of
	// a domain returns the domain of which it is a member, and a server that
	// is not a member of a domain returns the server name.
	TargetName string
	// If TargetInfoLen does not equal 0x0000, TargetInfo MUST be a byte array
	// that contains a sequence of AV_PAIR structures.
	// The length of each AV_PAIR is determined by its AvLen field (plus 4 bytes).
	TargetInfo AttrValues
	// contains filtered or unexported fields
}

The ChallengeMessage defines an NTLM challenge message that is sent from the server to the client. The ChallengeMessage is used by the server to challenge the client to prove its identity. For connection-oriented requests, the ChallengeMessage generated by the server is in response to the NegotiateMessage from the client.

func (*ChallengeMessage) Marshal 

func (m *ChallengeMessage) Marshal(ctx context.Context) ([]byte, error)

Marshal function marshals the ChallengeMessage.

func (*ChallengeMessage) Unmarshal 

func (m *ChallengeMessage) Unmarshal(ctx context.Context, b []byte) error

Unmarshal function unmarshals the ChallengeMessage.

type ChallengeResponse 

type ChallengeResponse struct {
	// NT challenge response.
	NT []byte
	// LM challenge response.
	LM []byte
	// Tmp.
	Tmp []byte
	// The session base key.
	SessionBaseKey []byte
	// The NT one-way-function.
	KeyNT []byte
	// The LM one-way-function.
	KeyLM []byte
	// The key exchange key.
	KeyExchangeKey []byte
	// If 'true', username and password are empty.
	// (anonymous session).
	IsAnonymous bool
	// RequestMIC.
	RequestMIC bool
}

The computed challenge response.

type Cipher 

type Cipher struct {
	// contains filtered or unexported fields
}

func NewCipher 

func NewCipher(ctx context.Context, key []byte, hashFunc func(uint32) hash.Hash) (*Cipher, error)

func (*Cipher) Checksum 

func (c *Cipher) Checksum(seqNum uint32, ms ...[]byte) ([]byte, error)

HMAC_MD5 function computes hash over the data provided and returns the first 8 bytes.

func (*Cipher) XORKeyStream 

func (c *Cipher) XORKeyStream(data any) error

XORKeyStream function XOr-s the data with a random cipher.

type Config 

type Config struct {
	// The services available for the NTLM.
	Integrity, Confidentiality, Identify, Anonymity, Datagram bool
	// The flag that indicates whether the MIC must be computed.
	RequestMIC bool
	// The set of client configuration flags that specify the
	// full set of capabilities of the client.
	ClientConfigFlags Flag
	// The client credential.
	Credential Credential
	// The version.
	Version Version
	// A flag that should control using the NTLM response
	// for the LM response to the server challenge when NTLMv1
	// authentication is used.
	NoLMResponse bool
	// Explicitly disable extended session security (for compatibility
	// level 0). Cannot be used with NTLMv2.
	NoESS bool
	// A flag that requires the client to use 128-bit encryption.
	Require128BitEncryption bool
	// The maximum lifetime for challenge/response pairs.
	MaxLifetime time.Duration
	// Service principal name (SPN) of the service to which the client
	// wishes to authenticate.
	TargetName string
	// An octet string provided by the application used for channel binding.
	ChannelBindings []byte
	// A Boolean setting that indicates that the caller generated the target's
	// SPN from an untrusted source.
	UnverifiedTargetName bool
	// The NTLM version.
	NTLMVersion int
	// IsServer.
	IsServer bool
	// The flag that indicates whether all the input buffers must be used to
	// build a signature. (DO NOT USE IT).
	NoSignAllBuffers bool
}

The NTLM configuration.

func NewConfig 

func NewConfig() *Config

NewConfig function returns the configuration for the NTLM SSP.

func NewConfigFromAuthLevel 

func NewConfigFromAuthLevel(lvl AuthLevel) *Config

NewConfigFromAuthLevel function returns new configuration for the NTLM based on the authentication levels.

func (*Config) Negotiate 

func (c *Config) Negotiate() Flag

Negotiate function returns the set of negotiated flags.

func (*Config) NewNTLMVersion 

func (c *Config) NewNTLMVersion(ctx context.Context, cfg *Config, sess *SecurityParameters) NTLMVersion

func (Config) Type 

func (Config) Type() gssapi.OID

Config binding for GSS.

func (*Config) Verify 

func (c *Config) Verify(f Flag) error

Verify function verifies the negotiated flags.

type Credential 

type Credential = credential.Password

Use password credential.

type Filetime 

type Filetime uint64

func TimeToFiletime 

func TimeToFiletime(t time.Time) Filetime

TimeToFiletime function converts the time.Time to filetime.

func (Filetime) AsTime 

func (ft Filetime) AsTime() time.Time

AsTime function returns the time.Time.

type Flag 

type Flag uint32

The negotiation flag. 

const (
	// If set, requests 56-bit encryption. If the client sends NegotiateSeal
	// or NegotiateSign with Negotiate56 to the server in the
	// NegotiateMessage, the server MUST return Negotiate56 to the client
	// in the ChallengeMessage. Otherwise it is ignored. If both Negotiate56
	// and Negotiate128 are requested and supported by the client and server,
	// Negotiate56 and Negotiate128 will both be returned to the client.
	// Clients and servers that set NegotiateSeal SHOULD set Negotiate56
	// if it is supported.
	Negotiate56 Flag = 1 << (31 - 0)
	// If set, requests an explicit key exchange. This capability SHOULD be used because
	// it improves security for message integrity or confidentiality.
	NegotiateKeyExchange Flag = 1 << (31 - 1)
	// If set, requests 128-bit session key negotiation. If the client sends Negotiate128
	// to the server in the NegotiateMessage, the server MUST return Negotiate128
	// to the client in the ChallengeMessage only if the client sets NegotiateSeal
	// or NegotiateSign. Otherwise it is ignored. If both Negotiate56 and
	// Negotiate128 are requested and supported by the client and server,
	// Negotiate56 and Negotiate128 will both be returned to the client.
	// Clients and servers that set NegotiateSeal SHOULD set Negotiate128
	// if it is supported.
	Negotiate128 Flag = 1 << (31 - 2)
	// This bit is unused and MUST be zero.
	R1 Flag = 1 << (31 - 3)
	// This bit is unused and MUST be zero.
	R2 Flag = 1 << (31 - 4)
	// This bit is unused and MUST be zero.
	R3 Flag = 1 << (31 - 5)
	// If set, requests the protocol version number. The data corresponding to this flag is
	// provided in the Version field of the NegotiateMessage, the ChallengeMessage, and
	// the AuthenticateMessage.
	NegotiateVersion Flag = 1 << (31 - 6)
	// This bit is unused and MUST be zero.
	R4 Flag = 1 << (31 - 7)
	// If set, indicates that the TargetInfo fields in the ChallengeMessage
	// are populated.
	NegotiateTargetInfo Flag = 1 << (31 - 8)
	// If set, requests the usage of the LMOWF.
	RequestNonNTSessionKey Flag = 1 << (31 - 9)
	// This bit is unused and MUST be zero.
	R5 Flag = 1 << (31 - 10)
	// If set, requests an identify level token.
	NegotiateIdentify Flag = 1 << (31 - 11)
	// If set, requests usage of the NTLM v2 session security. NTLM v2 session security
	// is a misnomer because it is not NTLM v2. It is NTLM v1 using the extended session
	// security that is also in NTLM v2. NegotiateLMKey and
	// NegotiateExtendedSessionSecurity are mutually exclusive. If both
	// NegotiateExtendedSessionSecurity and NegotiateLMKey are
	// requested, NegotiateExtendedSessionSecurity alone MUST be returned
	// to the client. NTLM v2 authentication session key generation MUST be supported
	// by both the client and the DC in order to be used, and extended session security
	// signing and sealing requires support from the client and the server in order
	// to be used.
	NegotiateExtendedSessionSecurity Flag = 1 << (31 - 12)
	// This bit is unused and MUST be zero.
	R6 Flag = 1 << (31 - 13)
	// If set, TargetName MUST be a server name. The data corresponding to this flag
	// is provided by the server in the TargetName field of the ChallengeMessage.
	// If this bit is set, then TARGET_TYPE_DOMAIN MUST NOT be set.
	// This flag MUST be ignored in the NegotiateMessage and the AuthenticateMessage.
	TargetTypeServer Flag = 1 << (31 - 14)
	// If set, TargetName MUST be a domain name. The data corresponding to this flag is
	// provided by the server in the TargetName field of the ChallengeMessage. If set,
	// then TARGET_TYPE_SERVER MUST NOT be set. This flag MUST be ignored in
	// the NegotiateMessage and the AuthenticateMessage.
	TargetTypeDomain Flag = 1 << (31 - 15)
	// If set, a session key is generated regardless of the states of NegotiateSign
	// and NegotiateSeal. A session key MUST always exist to generate the MIC in
	// the authenticate message. NegotiateAlwaysSign MUST be set in the
	// NegotiateMessage to the server and the ChallengeMessage to the client.
	// NegotiateAlwaysSign is overridden by NegotiateSign and
	// NegotiateSeal, if they are supported.
	NegotiateAlwaysSign Flag = 1 << (31 - 16)
	// This bit is unused and MUST be zero.
	R7 Flag = 1 << (31 - 17)
	// This flag indicates whether the Workstation field is present.
	// If this flag is not set, the Workstation field MUST be ignored.
	// If this flag is set, the length of the Workstation field specifies
	// whether the workstation name is nonempty or not.
	NegotiateOEMWorkstationSupplied Flag = 1 << (31 - 18)
	// If set, the domain name is provided.
	NegotiateOEMDomainSupplied Flag = 1 << (31 - 19)
	// If set, the connection SHOULD be anonymous.
	Anonymous Flag = 1 << (31 - 20)
	// This bit is unused and MUST be zero.
	R8 Flag = 1 << (31 - 21)
	// If set, requests usage of the NTLM v1 session security protocol.
	// NegotiateNTLM MUST be set in the NegotiateMessage to
	// the server and the ChallengeMessage to the client.
	NegotiateNTLM Flag = 1 << (31 - 22)
	// This bit is unused and MUST be zero.
	R9 Flag = 1 << (31 - 23)
	// If set, requests LAN Manager (LM) session key computation.
	// NegotiateLMKey and NegotiateExtendedSessionSecurity
	// are mutually exclusive. If both NegotiateLMKey and
	// NegotiateExtendedSessionSecurity are requested,
	// NegotiateExtendedSessionSecurity alone MUST be returned
	// to the client. NTLM v2 authentication session key generation MUST be
	// supported by both the client and the DC in order to be used, and extended
	// session security signing and sealing requires support from the client and
	// the server to be used.
	NegotiateLMKey Flag = 1 << (31 - 24)
	// If set, requests connectionless authentication. If NegotiateDatagram
	// is set, then NegotiateKeyExchange MUST always be set in the
	// AuthenticateMessage to the server and the ChallengeMessage to the client.
	NegotiateDatagram Flag = 1 << (31 - 25)
	// If set, requests session key negotiation for message confidentiality.
	// If the client sends NegotiateSeal to the server in the
	// NegotiateMessage, the server MUST return NegotiateSeal to the
	// client in the ChallengeMessage. Clients and servers that set
	// NegotiateSeal SHOULD always set Negotiate56 and
	// Negotiate128, if they are supported.
	NegotiateSeal Flag = 1 << (31 - 26)
	// If set, requests session key negotiation for message signatures.
	// If the client sends NegotiateSign to the server in the
	// NegotiateMessage, the server MUST return NegotiateSign
	// to the client in the ChallengeMessage.
	NegotiateSign Flag = 1 << (31 - 27)
	// This bit is unused and MUST be zero.
	R10 Flag = 1 << (31 - 28)
	// If set, a TargetName field of the ChallengeMessage MUST be supplied.
	RequestTarget Flag = 1 << (31 - 29)
	// If set, requests OEM character set encoding.
	NegotiateOEM Flag = 1 << (31 - 30)
	// If set, requests Unicode character set encoding.
	NegotiateUnicode Flag = 1 << (31 - 31)
)

func (Flag) IsSet 

func (f Flag) IsSet(ff Flag) bool

IsSet returns `true` if flag is set.

func (Flag) Set 

func (f Flag) Set(ff Flag) Flag

Set function sets the provided flag.

func (Flag) Unset 

func (f Flag) Unset(ff Flag) Flag

Unset function unsets the provided flag.

type LMv1Response 

type LMv1Response struct {
	// A 24-byte array of unsigned char that contains the client's
	// LmChallengeResponse
	Response []byte
}

The LMv1Respons structure defines the NTLM v1 authentication LmChallengeResponse in the AuthenticateMessage. This response is used only when NTLMv1 authentication is configured.

func (*LMv1Response) Marshal 

func (m *LMv1Response) Marshal(ctx context.Context) ([]byte, error)

func (*LMv1Response) Unmarshal 

func (m *LMv1Response) Unmarshal(ctx context.Context, b []byte) error

type LMv2Response 

type LMv2Response struct {
	// A 16-byte array of unsigned char that contains the client's
	// LM challenge-response. This is the portion of the LmChallengeResponse
	// field to which the HMAC_MD5 algorithm has been applied.
	// Specifically, Response corresponds to the result of applying the
	// HMAC_MD5 algorithm, using the key ResponseKeyLM, to a message consisting
	// of the concatenation of the ResponseKeyLM, ServerChallenge and
	// ClientChallenge.
	Response []byte
	// An 8-byte array of unsigned char that contains the client's
	// ClientChallenge.
	ChallengeFromClient []byte
}

The LMv2Response structure defines the NTLM v2 authentication LmChallengeResponse in the AuthenticateMessage. This response is used only when NTLM v2 authentication is configured.

func (*LMv2Response) Marshal 

func (m *LMv2Response) Marshal(ctx context.Context) ([]byte, error)

func (*LMv2Response) Unmarshal 

func (m *LMv2Response) Unmarshal(ctx context.Context, b []byte) error

type MachineID 

type MachineID []byte

A 256-bit random number created at computer startup to identify the calling machine.

type Mechanism 

type Mechanism struct {
	*Authentifier
}

The NTLMSSP GSS API Mechanism.

func (*Mechanism) Accept 

func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context accept call.

func (Mechanism) DefaultConfig 

func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)

DefaultConfig function returns the default config.

func (*Mechanism) Init 

func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context init call.

func (*Mechanism) MakeSignature 

func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

MakeSignature token.

func (*Mechanism) MakeSignatureEx 

func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

MakeSignature token.

func (Mechanism) New 

func (Mechanism) New(ctx context.Context) (gssapi.Mechanism, error)

New function returns the new mechanism instance from the GSSAPI configuration.

func (Mechanism) Type 

func (Mechanism) Type() gssapi.OID

The mechanism type object identifier.

func (*Mechanism) Unwrap 

func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Unwrap token.

func (*Mechanism) UnwrapEx 

func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

UnwrapEx function accepts the list of encrypted payloads and signature and returns the unencrypted paylaod.

func (*Mechanism) VerifySignature 

func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error

VerifySignature token.

func (*Mechanism) VerifySignatureEx 

func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error

VerifySignatureEx token.

func (*Mechanism) Wrap 

func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Wrap token.

func (*Mechanism) WrapEx 

func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

WrapEx function accepts the list of unencrypted payloads and returns the encrypted payload and signature.

func (*Mechanism) WrapSizeLimit 

func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int

The maximum message size for the given limit. (and flag determining if conf is required).

type MessageType 

type MessageType uint32

The NTLM message type. 

const (
	// None.
	MessageTypeNone MessageType = 0x00000000
	// Negotiate Message.
	MessageTypeNegotiate MessageType = 0x00000001
	// Challenge Message.
	MessageTypeChallenge MessageType = 0x00000002
	// Authenticate Message.
	MessageTypeAuthenticate MessageType = 0x00000003
)

type NTLMVersion 

type NTLMVersion interface {
	// WithConfig function adds the configuration to the NTLM version.
	WithConfig(context.Context, *Config) NTLMVersion
	// LMOWF function is a NT LAN Manager (LM) one-way function used to create
	// a hash based on the user's password.
	LMOWF(context.Context, Credential) ([]byte, error)
	// NTOWF function is a NT LAN Manager (NT) one-way function used to create
	// a hash based on user's password.
	NTOWF(context.Context, Credential) ([]byte, error)
	// ChallengeResponse function computes the response for the server challenge message
	// based on client challenge `nonce` parameter and set of negotiated flags.
	ChallengeResponse(context.Context, Credential, *ChallengeMessage, []byte) (*ChallengeResponse, error)
	// KeyExchangeKey function returns the key used to protect the session key that is
	// generated by the client.
	KeyExchangeKey(context.Context, *ChallengeMessage, *ChallengeResponse) ([]byte, error)
}

The NTLM authentification version.

type NTLMv1Response 

type NTLMv1Response = LMv1Response

The NTLMv1 Response.

type NTLMv2ClientChallenge 

type NTLMv2ClientChallenge struct {
	// An 8-bit unsigned char that contains the current version of the
	// challenge response type. This field MUST be 0x01.
	RespType uint8
	// An 8-bit unsigned char that contains the maximum supported version
	// of the challenge response type. This field MUST be 0x01.
	HiRespType uint8

	// A 64-bit unsigned integer that contains the current system time,
	// represented as the number of 100 nanosecond ticks elapsed since
	// midnight of January 1, 1601 (UTC).
	Timestamp Filetime
	// An 8-byte array of unsigned char that contains the client's
	// ClientChallenge.
	ChallengeFromClient []byte

	// A byte array that contains a sequence of AttrValue structures.
	// The sequence contains the server-naming context and is terminated
	// by an AttrValue structure with an AvId field of MsvAvEOL.
	AttrValues AttrValues
	// contains filtered or unexported fields
}

The NTLMv2ClientChallenge structure defines the client challenge in the AuthenticateMessage. This structure is used only when NTLM v2 authentication is configured and is transported in the NTLMv2 structure.

func (*NTLMv2ClientChallenge) Marshal 

func (m *NTLMv2ClientChallenge) Marshal(ctx context.Context) ([]byte, error)

func (*NTLMv2ClientChallenge) Unmarshal 

func (m *NTLMv2ClientChallenge) Unmarshal(ctx context.Context, b []byte) error

type NTLMv2Response 

type NTLMv2Response struct {
	// A 16-byte array of unsigned char that contains the client's
	// NTChallengeResponse.
	Response []byte
	// A variable-length byte array, that contains the ClientChallenge.
	NTLMv2ClientChallenge *NTLMv2ClientChallenge
}

The NTLMv2Response structure defines the NTLMv2 authentication NtChallengeResponse in the AuthenticateMessage. This response is used only when NTLMv2 authentication is configured.

func (*NTLMv2Response) Marshal 

func (m *NTLMv2Response) Marshal(ctx context.Context) ([]byte, error)

func (*NTLMv2Response) Unmarshal 

func (m *NTLMv2Response) Unmarshal(ctx context.Context, b []byte) error

type NegotiateMessage 

type NegotiateMessage struct {
	// An 8-byte character array that MUST contain the ASCII
	// string ('N', 'T', 'L', 'M', 'S', 'S', 'P', '\0').
	Signature []byte
	// A 32-bit unsigned integer that indicates the message type.
	// This field MUST be set to 0x00000001.
	MessageType MessageType
	// A NEGOTIATE structure that contains a set of flags.
	// The client sets flags to indicate options it supports.
	Negotiate Flag
	// A 16-bit unsigned integer that defines the size, in bytes,
	// of DomainName in the Payload.
	DomainNameLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of
	// DomainNameLen, and MUST be ignored on receipt.
	DomainNameMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes,
	// from the beginning of the NegotiateMessage to DomainName in
	// Payload.
	DomainNameOffset uint32
	// A 16-bit unsigned integer that defines the size, in bytes,
	// of WorkStationName in the Payload.
	WorkstationLen uint16
	// A 16-bit unsigned integer that SHOULD be set to the value of
	// WorkstationLen and MUST be ignored on receipt.
	WorkstationMaxLen uint16
	// A 32-bit unsigned integer that defines the offset, in bytes, from
	// the beginning of the NegotiateMessage to WorkstationName in the
	// Payload.
	WorkstationOffset uint32
	// A Version structure that is populated only when the NegotiateVersion
	// flag is set in the NegotiateFlags field; otherwise, it MUST be set to
	// all zero. This structure SHOULD be used for debugging purposes only.
	// In normal (nondebugging) protocol messages, it is ignored and does not
	// affect the NTLM message processing.
	Version Version
	// If DomainNameLen does not equal 0x0000, DomainName MUST be a byte-array
	// that contains the name of the client authentication domain that MUST be
	// encoded using the OEM character set. Otherwise, this data is not present.
	DomainName string
	// If WorkstationLen does not equal 0x0000, WorkstationName MUST be a byte
	// array that contains the name of the client machine that MUST be encoded
	// using the OEM character set. Otherwise, this data is not present.
	Workstation string
}

The NegotiateMessage defines an NTLM negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.

func (*NegotiateMessage) Marshal 

func (m *NegotiateMessage) Marshal(ctx context.Context) ([]byte, error)

Marshal function marshals the NegotiateMessage.

func (*NegotiateMessage) Unmarshal 

func (m *NegotiateMessage) Unmarshal(ctx context.Context, b []byte) error

Unmarshal function unmarshals the NegotiateMessage.

type ProductVersion 

type ProductVersion struct {
	// An 8-bit unsigned integer that SHOULD contain the major version number
	// of the operating system in use.
	Major uint8
	// An 8-bit unsigned integer that SHOULD contain the minor version number
	// of the operating system in use.
	Minor uint8
}

type Revision 

type Revision uint8

An 8-bit unsigned integer that contains a value indicating the revision of the NTLMSSP in use. 

const (
	// NTLMSSP_REVISION_W2K3. Version 15 of the NTLMSSP is in use.
	RevisionCurrent Revision = 0x0f
)

type SecurityParameters 

type SecurityParameters struct {
	ExtendedSessionSecurity bool
	UseLMKey                bool
	NonNTSessionKey         bool
	Datagram                bool
	KeyExchange             bool
	KeySize                 int
	ServerName              string
	DomainName              string
}

type SecurityService 

type SecurityService struct {
	// The exported session key.
	ExportedSessionKey []byte
	// The client signing key.
	ClientSignKey []byte
	// The client sealing key.
	ClientSealKey []byte
	// The server signing key.
	ServerSignKey []byte
	// The server sealing key.
	ServerSealKey []byte
	// The client cipher.
	OutboundCipher *Cipher
	// The server cipher.
	InboundCipher *Cipher
	// The sequence number to send.
	OutboundSequenceNumber uint32
	// The sequence number to receive.
	InboundSequenceNumber uint32
}

The authentifier state structure represents the negotiated authentication state.

type Signature 

type Signature struct {
	Version  uint32
	Checksum []byte
	SeqNum   uint32
}

func (*Signature) Marshal 

func (s *Signature) Marshal(ctx context.Context) ([]byte, error)

func (*Signature) Unmarshal 

func (s *Signature) Unmarshal(ctx context.Context, b []byte) error

type SingleHostData 

type SingleHostData struct {
	// A 32-bit unsigned integer that defines the length, in bytes, of
	// the Value field in the AV_PAIR structure.
	Size uint32

	//  An 8-byte platform-specific blob containing info only relevant when
	// the client and the server are on the same host.
	CustomData []byte
	// A 256-bit random number created at computer startup to identify
	// the calling machine.
	MachineID MachineID
	// contains filtered or unexported fields
}

The Single_Host_Data structure allows a client to send machine-specific information within an authentication exchange to services on the same machine. The client can produce additional information to be processed in an implementation-specific way when the client and server are on the same host. If the server and client platforms are different or if they are on different hosts, then the information MUST be ignored. Any fields after the MachineID field MUST be ignored on receipt.

func (*SingleHostData) Marshal 

func (v *SingleHostData) Marshal(ctx context.Context) ([]byte, error)

Marshal function marshals the SingleHostData structure.

func (*SingleHostData) Unmarshal 

func (v *SingleHostData) Unmarshal(ctx context.Context, b []byte) error

Unmarshal function unmarshals the SingleHostData structure.

type V1 

type V1 struct {
	*Config
	*SecurityParameters
}

func (*V1) ChallengeResponse 

func (v1 *V1) ChallengeResponse(ctx context.Context, cred Credential,
	c *ChallengeMessage, nonce []byte) (*ChallengeResponse, error)

ChallengeResponse function computes the response for the server challenge message based on client challenge `nonce` parameter and set of negotiated flags.

func (*V1) KeyExchangeKey 

func (v1 *V1) KeyExchangeKey(ctx context.Context, c *ChallengeMessage, chal *ChallengeResponse) ([]byte, error)

KeyExchangeKey function returns the key used to protect the session key that is generated by the client.

func (*V1) LMOWF 

func (v1 *V1) LMOWF(ctx context.Context, cred Credential) ([]byte, error)

LMOWF function is a NT LAN Manager (LM) one-way function used to create a hash based on the user's password.

func (*V1) NTOWF 

func (v1 *V1) NTOWF(ctx context.Context, cred Credential) ([]byte, error)

NTOWF function is a NT LAN Manager (NT) one-way function used to create a hash based on user's password.

func (*V1) WithConfig 

func (v1 *V1) WithConfig(ctx context.Context, config *Config) NTLMVersion

type V2 

type V2 struct {
	*Config
	*SecurityParameters
}

func (*V2) ChallengeResponse 

func (v2 *V2) ChallengeResponse(ctx context.Context, cred Credential, c *ChallengeMessage, nonce []byte) (*ChallengeResponse, error)

ChallengeResponse function computes the response for the server challenge message based on client challenge `nonce` parameter and set of negotiated flags.

func (*V2) KeyExchangeKey 

func (v2 *V2) KeyExchangeKey(ctx context.Context, c *ChallengeMessage, chal *ChallengeResponse) ([]byte, error)

KeyExchangeKey function returns the key used to protect the session key that is generated by the client.

func (*V2) LMOWF 

func (v2 *V2) LMOWF(ctx context.Context, cred Credential) ([]byte, error)

LMOWF function is a NT LAN Manager (LM) one-way function used to create a hash based on the user's password.

func (*V2) NTOWF 

func (v2 *V2) NTOWF(ctx context.Context, cred Credential) ([]byte, error)

NTOWF function is a NT LAN Manager (NT) one-way function used to create a hash based on user's password.

func (*V2) WithConfig 

func (v2 *V2) WithConfig(ctx context.Context, config *Config) NTLMVersion

type Value 

type Value struct {
	// The server's NetBIOS computer name. The name MUST be in Unicode,
	// and is not null-terminated.
	NetBIOSComputerName string
	// The server's NetBIOS domain name. The name MUST be in Unicode,
	// and is not null-terminated.
	NetBIOSDomainName string
	// The fully qualified domain name (FQDN) of the computer.
	// The name MUST be in Unicode, and is not null-terminated.
	DNSComputerName string
	// The fully qualified domain name (FQDN) of the computer.
	DNSDomainName string
	// The FQDN of the forest. The name MUST be in Unicode,
	// and is not null-terminated.
	DNSTreeName string
	// A 32-bit value indicating server or client configuration.
	Flag AttrFlag
	// A FILETIME structure in little-endian byte order that
	// contains the server local time. This structure is
	// always sent in the ChallengeMessage.
	Timestamp Filetime
	// A SingleHostData structure. The Value field contains a
	// platform-specific blob, as well as a MachineID created at
	// computer startup to identify the calling machine.
	SingleHostData *SingleHostData
	// The SPN of the target server. The name MUST be in Unicode and is
	// not null-terminated.
	TargetName string
	// A channel bindings hash. The Value field contains an MD5 hash of
	// a gss_channel_bindings_struct. An all-zero value of the hash is
	// used to indicate absence of channel bindings.
	ChannelBindings []byte
}

The attribute value.

func (*Value) MarshalAttr 

func (v *Value) MarshalAttr(ctx context.Context, attrID AttrValueID) ([]byte, error)

MarshalAttr function marshals the given attribute.

func (*Value) UnmarshalAttr 

func (v *Value) UnmarshalAttr(ctx context.Context, attrID AttrValueID, b []byte) error

UnmarshalAttr function unmarshals the given attribute.

type Version 

type Version struct {
	// The product version.
	ProductVersion ProductVersion
	// A 16-bit unsigned integer that contains the build number of the
	// operating system in use. This field SHOULD be set to a 16-bit
	// quantity that identifies the operating system build number.
	ProductBuild uint16

	// An 8-bit unsigned integer that contains a value indicating
	// the current revision of the NTLMSSP in use. This field
	// SHOULD contain the following value:
	// NTLMSSP_REVISION_W2K3: 0x0F (Version 15 of the NTLMSSP is in use).
	Revision Revision
	// contains filtered or unexported fields
}

func (Version) IsZero 

func (v Version) IsZero() bool

IsZero function returns `true` if version is empty.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.