ruby-ntlm 0.0.1

data/README.markdown

@@ -0,0 +1,70 @@
+ruby-ntlm
+=========
+
+ruby-ntlm is NTLM authentication client for Ruby.
+This library supports NTLM v1 only.
+
+NTLM authentication is used in Microsoft's server products,
+such as MS Exchange Server and IIS.
+
+
+Install
+-------
+
+    $ sudo gem install ruby-ntlm
+
+
+Usage
+-----
+
+### HTTP ###
+
+    require 'ntlm/http'
+    http = Net::HTTP.new('www.example.com')
+    request = Net::HTTP::Get.new('/')
+    request.ntlm_auth('User', 'Domain', 'Password')
+    response = http.request(request)
+
+### HTTP (using Mechanize) ###
+
+    require 'ntlm/mechanize'
+    mech = Mechanize.new
+    mech.auth('Domain\\User', 'Password')
+    mech.get('http://www.example.com/index.html')
+
+### IMAP ###
+
+    require 'ntlm/imap'
+    imap = Net::IMAP.new('imap.example.com')
+    imap.authenticate('NTLM', 'User', 'Domain', 'Password')
+
+### SMTP ###
+
+    require 'ntlm/smtp'
+    smtp = Net::SMTP.new('smtp.example.com')
+    smtp.start('localhost.localdomain', 'Domain\\User', 'Password', :ntlm) do |smtp|
+      smtp.send_mail(mail_body, from_addr, to_addr)
+    end
+
+
+Author
+------
+
+MATSUYAMA Kengo (<macksx@gmail.com>)
+
+
+License
+-------
+
+MIT License.
+
+Copyright (c) 2010 MATSUYAMA Kengo
+
+
+References
+----------
+
+ * [MS-NLMP][]: NT LAN Manager (NTLM) Authentication Protocol Specification
+   [MS-NLMP]: http://msdn.microsoft.com/en-us/library/cc236621%28PROT.13%29.aspx
+ * [Ruby/NTLM][]: Another NTLM implementation for Ruby
+   [Ruby/NTLM]: http://rubyforge.org/projects/rubyntlm/

data/Rakefile

@@ -0,0 +1,34 @@
+require 'rubygems'
+require 'rake'
+require 'jeweler'
+require 'rake/testtask'
+
+task :default => :test
+
+Jeweler::Tasks.new do |gem|
+  gem.name = 'ruby-ntlm'
+  gem.summary = %Q{NTLM implementation for Ruby}
+  gem.description = %Q{NTLM implementation for Ruby.}
+  gem.email = 'macksx@gmail.com'
+  gem.homepage = 'http://github.com/macks/ruby-ntlm'
+  gem.authors = ['MATSUYAMA Kengo']
+end
+
+Rake::TestTask.new(:test) do |task|
+  task.libs << 'lib:test'
+  task.pattern = 'test/**/*_test.rb'
+  task.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |task|
+    task.libs << 'lib:test'
+    task.pattern = 'test/**/*_test.rb'
+    task.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort 'rcov is not available.'
+  end
+end

data/VERSION

@@ -0,0 +1 @@
+0.0.1

data/examples/http.rb

@@ -0,0 +1,19 @@
+require 'ntlm'
+require 'net/http'
+
+Net::HTTP.start('www.example.com') do |http|
+  request = Net::HTTP::Get.new('/')
+  request['authorization'] = 'NTLM ' + NTLM.negotiate.to_base64
+
+  response = http.request(request)
+
+  # The connection must be keep-alive!
+
+  challenge = response['www-authenticate'][/NTLM (.*)/, 1].unpack('m').first
+  request['authorization'] = 'NTLM ' + NTLM.authenticate(challenge, 'User', 'Domain', 'Password').to_base64
+
+  response = http.request(request)
+
+  p response
+  print response.body
+end

data/examples/http2.rb

@@ -0,0 +1,9 @@
+require 'ntlm/http'
+
+http = Net::HTTP.new('www.example.com')
+request = Net::HTTP::Get.new('/')
+request.ntlm_auth('User', 'Domain', 'Password')
+response = http.request(request)
+
+p response
+print response.body

data/examples/imap.rb

@@ -0,0 +1,10 @@
+require 'ntlm/imap'
+
+imap = Net::IMAP.new('imap.example.com')
+abort 'NTLM authentication is not supported.' unless imap.capability.include?('AUTH=NTLM')
+imap.authenticate('NTLM', 'User', 'Domain', 'Password')
+
+imap.select('INBOX')
+uids = imap.uid_search(['ALL'])
+data = imap.uid_fetch(uids[0], 'BODY[]')
+print data.first.attr['BODY[]']

data/examples/mechanize.rb

@@ -0,0 +1,9 @@
+$LOAD_PATH << File.dirname(__FILE__) + '/lib'
+require 'rubygems'
+require 'ntlm/mechanize'
+
+mech = Mechanize.new
+mech.auth('Domain\\User', 'Password')
+mech.get('http://www.example.com/index.html')
+
+puts mech.page.body

data/examples/smtp.rb

@@ -0,0 +1,18 @@
+require 'ntlm/smtp'
+
+from_addr = 'from@example.com'
+to_addr = 'to@example.com'
+
+mail_body = <<-EOS
+From: #{from_addr}
+To: #{to_addr}
+Subject: Example
+Content-Type: text/plain
+
+Hello world!
+EOS
+
+smtp = Net::SMTP.new('smtp.example.com')
+smtp.start('localhost.localdomain', 'Domain\\User', 'Password', :ntlm) do |smtp|
+  smtp.send_mail(mail_body, from_addr, to_addr)
+end

data/lib/ntlm.rb

@@ -0,0 +1,34 @@
+# vim: set et sw=2 sts=2:
+
+require 'ntlm/util'
+require 'ntlm/message'
+
+module NTLM
+
+  begin
+    Version = File.read(File.dirname(__FILE__) + '/../VERSION').strip
+  rescue
+    Version = 'unknown'
+  end
+
+  def self.negotiate(args = {})
+    Message::Negotiate.new(args)
+  end
+
+  def self.authenticate(challenge_message, user, domain, password, options = {})
+    challenge = Message::Challenge.parse(challenge_message)
+
+    opt = options.merge({
+      :ntlm_v2_session => challenge.has_flag?(:NEGOTIATE_EXTENDED_SECURITY),
+    })
+    nt_response, lm_response = Util.ntlm_v1_response(challenge.challenge, password, opt)
+
+    Message::Authenticate.new(
+      :user        => user,
+      :domain      => domain,
+      :lm_response => lm_response,
+      :nt_response => nt_response
+    )
+  end
+
+end # NTLM

data/lib/ntlm/http.rb

@@ -0,0 +1,51 @@
+require 'ntlm'
+require 'net/http'
+
+module Net
+
+  module HTTPHeader
+    attr_reader :ntlm_auth_params
+
+    def ntlm_auth(user, domain, password)
+      @ntlm_auth_params = [user, domain, password]
+    end
+  end
+
+  class HTTP
+
+    unless method_defined?(:request_without_ntlm_auth)
+      alias request_without_ntlm_auth request
+    end
+
+    def request(req, body = nil, &block)
+      unless req.ntlm_auth_params
+        return request_without_ntlm_auth(req, body, &block)
+      end
+
+      unless started?
+        start do
+          req.delete('connection')
+          return request(req, body, &block)
+        end
+      end
+
+      # Negotiation
+      req['authorization'] = 'NTLM ' + NTLM.negotiate.to_base64
+      res = request_without_ntlm_auth(req, body)
+      challenge = res['www-authenticate'][/NTLM (.*)/, 1].unpack('m').first rescue nil
+
+      if challenge && res.code == '401'
+        # Authentication
+        user, domain, password = req.ntlm_auth_params
+        req['authorization'] = 'NTLM ' + NTLM.authenticate(challenge, user, domain, password).to_base64
+        req.body_stream.rewind if req.body_stream
+        request_without_ntlm_auth(req, body, &block)  # We must re-use the connection.
+      else
+        yield res if block_given?
+        res
+      end
+    end
+
+  end # HTTP
+
+end # Net

data/lib/ntlm/imap.rb

@@ -0,0 +1,37 @@
+require 'ntlm'
+require 'net/imap'
+
+module Net
+  class IMAP
+    class ResponseParser
+      def continue_req
+        match(T_PLUS)
+        if lookahead.symbol == T_CRLF
+          return ContinuationRequest.new(ResponseText.new(nil, ''), @str)
+        else
+          match(T_SPACE)
+          return ContinuationRequest.new(resp_text, @str)
+        end
+      end
+    end # ResponseParser
+
+    class NTLMAuthenticator
+      def initialize(user, domain, password)
+        @user, @domain, @password = user, domain, password
+        @state = 0
+      end
+
+      def process(data)
+        case (@state += 1)
+        when 1
+          NTLM.negotiate.to_s
+        when 2
+          NTLM.authenticate(data, @user, @domain, @password).to_s
+        end
+      end
+    end # NTLMAuthenticator
+
+    add_authenticator 'NTLM', NTLMAuthenticator
+
+  end # IMAP
+end  # Net

data/lib/ntlm/mechanize.rb

@@ -0,0 +1,42 @@
+require 'mechanize'
+require 'ntlm/http'
+
+class Mechanize
+  class Chain
+    class AuthHeaders
+
+      unless method_defined?(:handle_without_ntlm)
+        alias handle_without_ntlm handle
+      end
+
+      def handle(ctx, params)
+        if @auth_hash[params[:uri].host] == :ntlm && @user && @password
+          if @user.index('\\')
+            domain, user = @user.split('\\', 2)
+          end
+          params[:request].ntlm_auth(user, domain, @password)
+        end
+        handle_without_ntlm(ctx, params)
+      end
+    end
+  end
+
+  unless private_method_defined?(:fetch_page_without_ntlm)
+    alias fetch_page_without_ntlm fetch_page
+  end
+
+  private
+
+  def fetch_page(params)
+    begin
+      fetch_page_without_ntlm(params)
+    rescue Mechanize::ResponseCodeError => e
+      if e.response_code == '401' && e.page.header['www-authenticate'] =~ /NTLM/ && @auth_hash[e.page.uri.host] != :ntlm
+        @auth_hash[e.page.uri.host] = :ntlm
+        fetch_page_without_ntlm(params)
+      else
+        raise
+      end
+    end
+  end
+end

data/lib/ntlm/message.rb

@@ -0,0 +1,361 @@
+# vim: set et sw=2 sts=2:
+
+require 'ntlm/util'
+
+module NTLM
+  class Message
+
+    include Util
+
+    SSP_SIGNATURE  = "NTLMSSP\0"
+
+    # [MS-NLMP] 2.2.2.5
+    FLAGS = {
+      :NEGOTIATE_UNICODE           => 0x00000001,  # Unicode character set encoding
+      :NEGOTIATE_OEM               => 0x00000002,  # OEM character set encoding
+      :REQUEST_TARGET              => 0x00000004,  # TargetName is supplied in challenge message
+      :UNUSED10                    => 0x00000008,
+      :NEGOTIATE_SIGN              => 0x00000010,  # Session key negotiation for message signatures
+      :NEGOTIATE_SEAL              => 0x00000020,  # Session key negotiation for message confidentiality
+      :NEGOTIATE_DATAGRAM          => 0x00000040,  # Connectionless authentication
+      :NEGOTIATE_LM_KEY            => 0x00000080,  # LAN Manager session key computation
+      :UNUSED9                     => 0x00000100,
+      :NEGOTIATE_NTLM              => 0x00000200,  # NTLM v1 protocol
+      :UNUSED8                     => 0x00000400,
+      :ANONYMOUS                   => 0x00000800,  # Anonymous connection
+      :OEM_DOMAIN_SUPPLIED         => 0x00001000,  # Domain field is present
+      :OEM_WORKSTATION_SUPPLIED    => 0x00002000,  # Workstations field is present
+      :UNUSED7                     => 0x00004000,
+      :NEGOTIATE_ALWAYS_SIGN       => 0x00008000,
+      :TARGET_TYPE_DOMAIN          => 0x00010000,  # TargetName is domain name
+      :TARGET_TYPE_SERVER          => 0x00020000,  # TargetName is server name
+      :UNUSED6                     => 0x00040000,
+      :NEGOTIATE_EXTENDED_SECURITY => 0x00080000,  # NTLM v2 session security
+      :NEGOTIATE_IDENTIFY          => 0x00100000,  # Requests identify level token
+      :UNUSED5                     => 0x00200000,
+      :REQUEST_NON_NT_SESSION_KEY  => 0x00400000,  # LM session key is used
+      :NEGOTIATE_TARGET_INFO       => 0x00800000,  # Requests TargetInfo
+      :UNUSED4                     => 0x01000000,
+      :NEGOTIATE_VERSION           => 0x02000000,  # Version field is present
+      :UNUSED3                     => 0x04000000,
+      :UNUSED2                     => 0x08000000,
+      :UNUSED1                     => 0x10000000,
+      :NEGOTIATE_128               => 0x20000000,  # 128bit encryption
+      :NEGOTIATE_KEY_EXCH          => 0x40000000,  # Explicit key exchange
+      :NEGOTIATE_56                => 0x80000000,  # 56bit encryption
+    }
+
+    # [MS-NLMP] 2.2.2.1
+    AV_PAIRS = {
+      :AV_EOL               => 0,
+      :AV_NB_COMPUTER_NAME  => 1,
+      :AV_NB_DOMAIN_NAME    => 2,
+      :AV_DNS_COMPUTER_NAME => 3,
+      :AV_DNS_DOMAIN_NAME   => 4,
+      :AV_DNS_TREE_NAME     => 5,
+      :AV_FLAGS             => 6,
+      :AV_TIMESTAMP         => 7,
+      :AV_RESTRICTIONS      => 8,
+      :AV_TARGET_NAME       => 9,
+      :AV_CHANNEL_BINDINGS  => 10,
+    }
+    AV_PAIR_NAMES = AV_PAIRS.invert
+
+    FLAGS.each do |name, val|
+      const_set(name, val)
+    end
+
+    AV_PAIRS.each do |name, val|
+      const_set(name, val)
+    end
+
+    class ParseError < StandardError; end
+
+    attr_accessor :flag
+
+
+    def self.parse(*args)
+      new.parse(*args)
+    end
+
+    def initialize(args = {})
+      @buffer = ''
+      @offset  = 0
+      @flag    = args[:flag] || self.class::DEFAULT_FLAGS
+
+      self.class::ATTRIBUTES.each do |key|
+        instance_variable_set("@#{key}", args[key]) if args[key]
+      end
+    end
+
+    def to_s
+      serialize
+    end
+
+    def serialize_to_base64
+      [serialize].pack('m').delete("\r\n")
+    end
+
+    alias to_base64 serialize_to_base64
+
+    def has_flag?(symbol)
+      (@flag & FLAGS[symbol]) != 0
+    end
+
+    def set(symbol)
+      @flag |= FLAGS[symbol]
+    end
+
+    def clear(symbol)
+      @flag &= ~FLAGS[symbol]
+    end
+
+    def unicode?
+      has_flag?(:NEGOTIATE_UNICODE)
+    end
+
+    def inspect_flags
+      flags = []
+      FLAGS.sort_by(&:last).each do |name, val|
+        flags << name if (@flag & val).nonzero?
+      end
+      "[#{flags.join(', ')}]"
+    end
+
+    def inspect
+      variables = (instance_variables.map(&:to_sym) - [:@offset, :@buffer, :@flag]).sort.map {|name| "#{name}=#{instance_variable_get(name).inspect}, " }.join
+      "\#<#{self.class.name} #{variables}@flag=#{inspect_flags}>"
+    end
+
+    private
+
+    def parse(string)
+      @buffer = string
+      signature, type = string.unpack('a8V')
+      raise ParseError, 'Unknown signature' if signature != SSP_SIGNATURE
+      raise ParseError, "Wrong type (expected #{self.class::TYPE}, but got #{type})" if type != self.class::TYPE
+    end
+
+    def append_payload(string, allocation_size = nil)
+      size = string.size
+      allocation_size ||= (size + 1) & ~1
+      string = string.ljust(allocation_size, "\0")
+      @buffer << string[0, allocation_size]
+      result = [size, allocation_size, @offset].pack('vvV')
+      @offset += allocation_size
+      result
+    end
+
+    def fetch_payload(fields)
+      size, allocated_size, offset = fields.unpack('vvV')
+      return nil if size.zero?
+      @buffer[offset, size]
+    end
+
+    def encode_version(array)
+      array.pack('CCvx3C')   # major, minor, build, ntlm revision
+    end
+
+    def decode_version(string)
+      string.unpack('CCvx3C')   # major, minor, build, ntlm revision
+    end
+
+    def decode_av_pair(string)
+      result = []
+      string = string.dup
+      while true
+        id, length = string.slice!(0, 4).unpack('vv')
+        value = string.slice!(0, length)
+
+        case sym = AV_PAIR_NAMES[id]
+        when :AV_EOL
+          break
+        when :AV_NB_COMPUTER_NAME, :AV_NB_DOMAIN_NAME, :AV_DNS_COMPUTER_NAME, :AV_DNS_DOMAIN_NAME, :AV_DNS_TREE_NAME, :AV_TARGET_NAME
+          value = decode_utf16(value)
+        when :AV_FLAGS
+          value = data.unpack('V').first
+        end
+
+        result << [sym, value]
+      end
+      result
+    end
+
+    def encode_av_pair(av_pair)
+      result = ''
+      av_pair.each do |(id, value)|
+        case id
+        when :AV_NB_COMPUTER_NAME, :AV_NB_DOMAIN_NAME, :AV_DNS_COMPUTER_NAME, :AV_DNS_DOMAIN_NAME, :AV_DNS_TREE_NAME, :AV_TARGET_NAME
+          value = encode_utf16(value)
+        when :AV_FLAGS
+          value = [data].pack('V')
+        end
+        result << [AV_PAIRS[id], value.size, value].pack('vva*')
+      end
+
+      result << [AV_EOL, 0].pack('vv')
+    end
+
+
+    # [MS-NLMP] 2.2.1.1
+    class Negotiate < Message
+
+      TYPE          = 1
+      ATTRIBUTES    = [:domain, :workstation, :version]
+      DEFAULT_FLAGS = [NEGOTIATE_UNICODE, NEGOTIATE_OEM, REQUEST_TARGET, NEGOTIATE_NTLM, NEGOTIATE_ALWAYS_SIGN, NEGOTIATE_EXTENDED_SECURITY].inject(:|)
+
+      attr_accessor *ATTRIBUTES
+
+      def parse(string)
+        super
+        @flag, domain, workstation, version = string.unpack('x12Va8a8a8')
+        @domain      = fetch_payload(domain) if has_flag?(:OEM_DOMAIN_SUPPLIED)
+        @workstation = fetch_payload(workstation) if has_flag?(:OEM_WORKSTATION_SUPPLIED)
+        @version     = decode_version(version)  if has_flag?(:NEGOTIATE_VERSION)
+        self
+      end
+
+      def serialize
+        @buffer = ''
+        @offset = 40  # (8 + 4) + 4 + (8 * 3)
+
+        if @domain
+          set(:OEM_DOMAIN_SUPPLIED)
+          domain = append_payload(@domain)
+        end
+
+        if @workstation
+          set(:OEM_WORKSTATION_SUPPLIED)
+          workstation = append_payload(@workstation)
+        end
+
+        if @version
+          set(:NEGOTIATE_VERSION)
+          version = encode_version(@version)
+        end
+
+        [SSP_SIGNATURE, TYPE, @flag, domain, workstation, version].pack('a8VVa8a8a8') + @buffer
+      end
+
+    end # Negotiate
+
+
+    # [MS-NLMP] 2.2.1.2
+    class Challenge < Message
+
+      TYPE          = 2
+      ATTRIBUTES    = [:target_name, :challenge, :target_info, :version]
+      DEFAULT_FLAGS = 0
+
+      attr_accessor *ATTRIBUTES
+
+      def parse(string)
+        super
+        target_name, @flag, @challenge, target_info, version = string.unpack('x12a8Va8x8a8a8')
+        @target_name = fetch_payload(target_name) if has_flag?(:REQUEST_TARGET)
+        @target_info = fetch_payload(target_info) if has_flag?(:NEGOTIATE_TARGET_INFO)
+        @version     = decode_version(version)  if has_flag?(:NEGOTIATE_VERSION)
+
+        @target_name &&= decode_utf16(@target_name) if unicode?
+        @target_info &&= decode_av_pair(@target_info)
+
+        self
+      end
+
+      def serialize
+        @buffer = ''
+        @offset = 56  # (8 + 4) + 8 + 4 + (8 * 4)
+
+        @challenge ||= OpenSSL::Random.random_bytes(8)
+
+        if @target_name
+          set(:REQUEST_TARGET)
+          if unicode?
+            target_name = append_payload(encode_utf16(@target_name))
+          else
+            target_name = append_payload(@target_name)
+          end
+        end
+
+        if @target_info
+          set(:NEGOTIATE_TARGET_INFO)
+          target_info = append_payload(encode_av_pair(@target_info))
+        end
+
+        if @version
+          set(:NEGOTIATE_VERSION)
+          version = encode_version(@version)
+        end
+
+        [SSP_SIGNATURE, TYPE, target_name, @flag, @challenge, target_info, version].pack('a8Va8Va8x8a8a8') + @buffer
+      end
+
+    end # Challenge
+
+
+    # [MS-NLMP] 2.2.1.3
+    class Authenticate < Message
+
+      TYPE          = 3
+      ATTRIBUTES    = [:lm_response, :nt_response, :domain, :user, :workstation, :session_key, :version, :mic]
+      DEFAULT_FLAGS = [NEGOTIATE_UNICODE, REQUEST_TARGET, NEGOTIATE_NTLM, NEGOTIATE_ALWAYS_SIGN, NEGOTIATE_EXTENDED_SECURITY].inject(:|)
+
+      attr_accessor *ATTRIBUTES
+
+      def parse(string)
+        super
+        lm_response, nt_response, domain, user, workstation, session_key, @flag, version, mic = \
+          string.unpack('x12a8a8a8a8a8a8Va8a16')
+
+        @lm_response = fetch_payload(lm_response)
+        @nt_response = fetch_payload(nt_response)
+        @domain      = fetch_payload(domain)
+        @user        = fetch_payload(user)
+        @workstation = fetch_payload(workstation)
+        @session_key = fetch_payload(session_key) if has_flag?(:NEGOTIATE_KEY_EXCH)
+        @version     = decode_version(version) if has_flag?(:NEGOTIATE_VERSION)
+        @mic         = mic
+
+        if unicode?
+          @domain      = decode_utf16(@domain)
+          @user        = decode_utf16(@user)
+          @workstation = decode_utf16(@workstation)
+        end
+
+        self
+      end
+
+      def serialize
+        @buffer = ''
+        @offset = 88  # (8 + 4) + (8 * 6) + 4 + 8 + 16
+
+        lm_response = append_payload(@lm_response)
+        nt_response = append_payload(@nt_response)
+
+        if unicode?
+          domain      = append_payload(encode_utf16(@domain))
+          user        = append_payload(encode_utf16(@user))
+          workstation = append_payload(encode_utf16(@workstation))
+        else
+          domain      = append_payload(@domain)
+          user        = append_payload(@user)
+          workstation = append_payload(@workstation)
+        end
+
+        if @session_key
+          set(:NEGOTIATE_KEY_EXCH)
+          session_key = append_payload(@session_key)
+        end
+
+        if @version
+          set(:NEGOTIATE_VERSION)
+          version = encode_version(@version)
+        end
+
+        [SSP_SIGNATURE, TYPE, lm_response, nt_response, domain, user, workstation, session_key, @flag, version, @mic].pack('a8Va8a8a8a8a8a8Va8a16') + @buffer
+      end
+
+    end # Authenticate
+
+  end # Message
+end # NTLM

data/lib/ntlm/smtp.rb

@@ -0,0 +1,30 @@
+require 'ntlm'
+require 'net/smtp'
+
+module Net
+  class SMTP
+
+    def capable_ntlm_auth?
+      auth_capable?('NTLM')
+    end
+
+    def auth_ntlm(user, secret)
+      check_auth_args(user, secret)
+      if user.index('\\')
+        domain, user = user.split('\\', 2)
+      else
+        domain = ''
+      end
+
+      res = critical {
+        r = get_response("AUTH NTLM #{NTLM.negotiate.to_base64}")
+        check_auth_continue(r)
+        challenge = r.string.split(/ /, 2).last.unpack('m').first
+        get_response(NTLM.authenticate(challenge, user, domain, secret).to_base64)
+      }
+      check_auth_response(res)
+      res
+    end
+
+  end # SMTP
+end # Net

data/lib/ntlm/util.rb

@@ -0,0 +1,105 @@
+# vim: set et sw=2 sts=2:
+
+require 'openssl'
+
+module NTLM
+  module Util
+
+    LM_MAGIC_TEXT = 'KGS!@#$%'
+
+    module_function
+
+    if RUBY_VERSION >= '1.9'
+
+      def decode_utf16(str)
+        str.encode(Encoding::UTF_8, Encoding::UTF_16LE)
+      end
+
+      def encode_utf16(str)
+        str.to_s.encode(Encoding::UTF_16LE).force_encoding(Encoding::ASCII_8BIT)
+      end
+
+    else
+
+      require 'iconv'
+
+      def decode_utf16(str)
+        Iconv.conv('UTF-8', 'UTF-16LE', str)
+      end
+
+      def encode_utf16(str)
+        Iconv.conv('UTF-16LE', 'UTF-8', str)
+      end
+
+    end
+
+    def create_des_keys(string)
+      keys = []
+      string = string.dup
+      until (key = string.slice!(0, 7)).empty?
+        # key is 56 bits
+        key = key.unpack('B*').first
+        str = ''
+        until (bits = key.slice!(0, 7)).empty?
+          str << bits
+          str << (bits.count('1').even? ? '1' : '0')  # parity
+        end
+        keys << [str].pack('B*')
+      end
+      keys
+    end
+
+    def encrypt(plain_text, key, key_length)
+      key = key.ljust(key_length, "\0")
+      keys = create_des_keys(key[0, key_length])
+
+      result = ''
+      cipher = OpenSSL::Cipher::DES.new
+      keys.each do |k|
+        cipher.encrypt
+        cipher.key = k
+        result << cipher.update(plain_text)
+      end
+
+      result
+    end
+
+    # [MS-NLMP] 3.3.1
+    def lm_v1_hash(password)
+      encrypt(LM_MAGIC_TEXT, password.upcase, 14)
+    end
+
+    # [MS-NLMP] 3.3.1
+    def nt_v1_hash(password)
+      OpenSSL::Digest::MD4.digest(encode_utf16(password))
+    end
+
+    # [MS-NLMP] 3.3.1
+    def ntlm_v1_response(challenge, password, options = {})
+      if options[:ntlm_v2_session]
+        client_challenge = options[:client_challenge] || OpenSSL::Random.random_bytes(8)
+        hash = OpenSSL::Digest::MD5.digest(challenge + client_challenge)[0, 8]
+        nt_response = encrypt(hash, nt_v1_hash(password), 21)
+        lm_response = client_challenge + ("\0" * 16)
+      else
+        nt_response = encrypt(challenge, nt_v1_hash(password), 21)
+        lm_response = encrypt(challenge, lm_v1_hash(password), 21)
+      end
+
+      [nt_response, lm_response]
+    end
+
+
+    # [MS-NLMP] 3.3.2
+    def nt_v2_hash(user, password, domain)
+      user_domain = encode_utf16(user.upcase + domain)
+      OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, nt_v1_hash(password), user_domain)
+    end
+
+    # [MS-NLMP] 3.3.2
+    def ntlm_v2_response(*)
+      raise NotImplemnetedError
+    end
+
+  end # Util
+end # NTLM

data/test/auth_test.rb

@@ -0,0 +1,27 @@
+# vim: set et sw=2 sts=2:
+
+require File.dirname(__FILE__) + '/test_helper'
+
+class AuthenticationTest < Test::Unit::TestCase
+
+  include NTLM::TestUtility
+  include NTLM::Util
+
+  def setup
+    @challenge = hex_to_bin("4e 54 4c 4d 53 53 50 00 02 00 00 00 0c 00 0c 00 38 00 00 00 05 82 01 00 11 11 11 11 11 11 11 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 6f 00 6d 00 61 00 69 00 6e 00")
+  end
+
+  def test_negotiate
+    assert_equal(hex_to_bin("4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"), NTLM.negotiate.to_s)
+  end
+
+  def test_authenticate
+    assert_equal(hex_to_bin("4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 58 00 00 00 18 00 18 00 70 00 00 00 0c 00 0c 00 88 00 00 00 08 00 08 00 94 00 00 00 00 00 00 00 9c 00 00 00 00 00 00 00 00 00 00 00 05 82 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 b0 c5 31 28 0e ed 8d 32 c3 1b ce b2 19 5a fd 58 2b b7 8e a0 d5 f2 78 8d 76 96 b7 58 49 16 14 2d 09 f0 a0 1f f2 35 10 be 2c ff 96 82 e0 e3 3b 44 00 6f 00 6d 00 61 00 69 00 6e 00 55 00 73 00 65 00 72 00"), NTLM.authenticate(@challenge, 'User', 'Domain', 'Password').to_s)
+
+    challenge = NTLM::Message::Challenge.parse(@challenge)
+    challenge.set(:NEGOTIATE_EXTENDED_SECURITY)
+
+    assert_equal(hex_to_bin("4e 54 4c 4d 53 53 50 00 03 00 00 00 18 00 18 00 58 00 00 00 18 00 18 00 70 00 00 00 0c 00 0c 00 88 00 00 00 08 00 08 00 94 00 00 00 00 00 00 00 9c 00 00 00 00 00 00 00 00 00 00 00 05 82 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 22 22 22 22 22 22 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c2 1e db 62 54 34 d2 13 34 1a 04 3d f3 01 6d f3 01 c9 32 b4 ae 97 1e ac 44 00 6f 00 6d 00 61 00 69 00 6e 00 55 00 73 00 65 00 72 00"), NTLM.authenticate(challenge.to_s, 'User', 'Domain', 'Password', :client_challenge => "\x22" * 8).to_s)
+  end
+
+end

data/test/function_test.rb

@@ -0,0 +1,43 @@
+# vim: set et sw=2 sts=2:
+
+require File.dirname(__FILE__) + '/test_helper'
+
+class FunctionTest < Test::Unit::TestCase
+  # Test pattern is borrowed from pyton-ntlm
+
+  include NTLM::TestUtility
+  include NTLM::Util
+
+  def setup
+    @server_challenge = hex_to_bin('01 23 45 67 89 ab cd ef')
+    @client_challenge = "\xaa" * 8
+    @time = "\0" * 8
+    @workstation = 'COMPUTER'
+    @server_name = 'Server'
+    @user = 'User'
+    @domain = 'Domain'
+    @password = 'Password'
+    @random_session_key = "\55" * 16
+  end
+
+  def test_lm_v1_hash
+    assert_equal(hex_to_bin("e5 2c ac 67 41 9a 9a 22 4a 3b 10 8f 3f a6 cb 6d"), lm_v1_hash(@password))
+  end
+
+  def test_nt_v1_hash
+    assert_equal(hex_to_bin("a4 f4 9c 40 65 10 bd ca b6 82 4e e7 c3 0f d8 52"), nt_v1_hash(@password))
+  end
+
+  def test_ntlm_v1_response
+    nt_response, lm_response = ntlm_v1_response(@server_challenge, @password)
+    assert_equal(hex_to_bin("67 c4 30 11 f3 02 98 a2 ad 35 ec e6 4f 16 33 1c 44 bd be d9 27 84 1f 94"), nt_response, 'nt_response')
+    assert_equal(hex_to_bin("98 de f7 b8 7f 88 aa 5d af e2 df 77 96 88 a1 72 de f1 1c 7d 5c cd ef 13"), lm_response, 'lm_response')
+  end
+
+  def test_ntlm_v1_response_with_ntlm_v2_session_security
+    nt_response, lm_response = ntlm_v1_response(@server_challenge, @password, :ntlm_v2_session => true, :client_challenge => @client_challenge)
+    assert_equal(hex_to_bin("75 37 f8 03 ae 36 71 28 ca 45 82 04 bd e7 ca f8 1e 97 ed 26 83 26 72 32"), nt_response, 'nt_response')
+    assert_equal(hex_to_bin("aa aa aa aa aa aa aa aa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"), lm_response, 'lm_response')
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,20 @@
+# vim: set et sw=2 sts=2:
+
+require 'test/unit'
+
+$LOAD_PATH << File.dirname(__FILE__) + '/../lib'
+require 'ntlm'
+
+module NTLM
+  module TestUtility
+
+    def bin_to_hex(bin)
+      bin.unpack('H*').first.gsub(/..(?=.)/, '\0 ')
+    end
+
+    def hex_to_bin(hex)
+      [hex.delete(' ')].pack('H*')
+    end
+
+  end
+end

data/unused/extconf.rb

@@ -0,0 +1,9 @@
+require 'mkmf'
+
+$CFLAGS     = '-Wall -O2'
+$LDFLAGS    = '-lntlm'
+
+if have_library('ntlm')
+  create_makefile('ntlm')
+end
+

data/unused/http_example.rb

@@ -0,0 +1,20 @@
+require 'ntlm.so'
+require 'net/http'
+
+Net::HTTP.start('host.localdomain') do |http|
+  request = Net::HTTP::Get.new('/')
+  request['authorization'] = 'NTLM ' + [NTLM.negotiate].pack('m').delete("\r\n")
+
+  response = http.request(request)
+
+  # Connection is keep-alive!
+
+  challenge = response['www-authenticate'][/NTLM (.*)/, 1].unpack('m').first
+  auth_response = NTLM.authenticate(challenge, 'User@Domain', 'Password')
+  request['authorization'] = 'NTLM ' + [auth_response].pack('m').delete("\r\n")
+
+  response = http.request(request)
+
+  p response
+  print response.body
+end

data/unused/ntlm.c

@@ -0,0 +1,40 @@
+/* vim: set et sw=2:
+ *
+ * NTLM for Ruby
+ *   by MATSUYAMA Kengo
+ *
+ */
+
+#include <ntlm.h>
+#include <ruby.h>
+
+static VALUE mNTLM;
+
+static VALUE
+ntlm_negotiate(VALUE obj)
+{
+  tSmbNtlmAuthRequest request;
+  buildSmbNtlmAuthRequest(&request, "Workstation", "Domain");
+  return rb_str_new((const char *)&request, SmbLength(&request));
+}
+
+static VALUE
+ntlm_authenticate(VALUE obj, VALUE challenge, VALUE user_at_domain, VALUE password)
+{
+  tSmbNtlmAuthResponse response;
+
+  Check_Type(challenge, T_STRING);
+  Check_Type(user_at_domain, T_STRING);
+  Check_Type(password, T_STRING);
+
+  buildSmbNtlmAuthResponse((tSmbNtlmAuthChallenge *)RSTRING_PTR(challenge), &response, RSTRING_PTR(user_at_domain), RSTRING_PTR(password));
+
+  return rb_str_new((const char *)&response, SmbLength(&response));
+}
+
+void Init_ntlm()
+{
+  mNTLM = rb_define_module("NTLM");
+  rb_define_module_function(mNTLM, "negotiate", ntlm_negotiate, 0);
+  rb_define_module_function(mNTLM, "authenticate", ntlm_authenticate, 3);
+}

metadata

@@ -0,0 +1,94 @@
+--- !ruby/object:Gem::Specification 
+name: ruby-ntlm
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- MATSUYAMA Kengo
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-01-18 00:00:00 +09:00
+default_executable: 
+dependencies: []
+
+description: NTLM implementation for Ruby.
+email: macksx@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.markdown
+files: 
+- README.markdown
+- Rakefile
+- VERSION
+- examples/http.rb
+- examples/http2.rb
+- examples/imap.rb
+- examples/mechanize.rb
+- examples/smtp.rb
+- lib/ntlm.rb
+- lib/ntlm/http.rb
+- lib/ntlm/imap.rb
+- lib/ntlm/mechanize.rb
+- lib/ntlm/message.rb
+- lib/ntlm/smtp.rb
+- lib/ntlm/util.rb
+- test/auth_test.rb
+- test/function_test.rb
+- test/test_helper.rb
+- unused/extconf.rb
+- unused/http_example.rb
+- unused/ntlm.c
+has_rdoc: true
+homepage: http://github.com/macks/ruby-ntlm
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: NTLM implementation for Ruby
+test_files: 
+- examples/http.rb
+- examples/http2.rb
+- examples/imap.rb
+- examples/mechanize.rb
+- examples/smtp.rb
+- test/auth_test.rb
+- test/function_test.rb
+- test/test_helper.rb