rubyntlm 0.6.3 → 0.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ef7e8c4a2e91abd9fac8aff17da320fc011a25b0a74b14e8f121332daa33ee6
-  data.tar.gz: 9158fdcca0c6121fbfc27731bae0865398aee7a410e0be463872cfe764924b61
+  metadata.gz: 7e8301388316487463cdc7dece7772084e18b8935407fe769dc57c073a4d092a
+  data.tar.gz: eb6610456e83f88a4a7ffc8f8372770efc601f8398ce85bd99240296ce0ed3bf
 SHA512:
-  metadata.gz: f3150588419fc1a400aacc52cbbdd61df58212e77cead9cc7b90b71af31d9a9d0cae90285e9d555bb1a953b4085af47ddc82c350b89b2ce31475e70f6c909a49
-  data.tar.gz: 20f50357f7ae738617386d1504dfae5d759ecceb2f7adc501e1458be80d22ea2864dc1b216d4853cda568271e81134fcda182f520477f8fd8613386e168ceefc
+  metadata.gz: e77ad737f9292ee7662ae65ea6cceb137d3780e95831e1ff44a1a2f9b79dded84a1a80f84c4be8c1b1930991140b18ebb385f926a1f86ba11d9a981eb154bb2f
+  data.tar.gz: d7f817bf3750b9cd8a47249f665dc618e40d94ec6b0bff410dbde2bc2906b53bf7a4f79f65f424d1d613e20a2055679254a779b0941d1284595a1bc10fa1d727

data/.devcontainer/devcontainer.json

@@ -0,0 +1,22 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ruby
+{
+	"name": "Ruby",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"image": "mcr.microsoft.com/devcontainers/ruby:1-3.3-bullseye"
+
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	// "features": {},
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "ruby --version",
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

data/.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "devcontainers"
+    directory: "/"
+    schedule:
+      interval: weekly

data/.github/workflows/build.yml

@@ -0,0 +1,24 @@
+---
+name: build
+
+"on":
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  unit:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-2019]
+        ruby: ['2.6', '2.7', '3.0', '3.1', '3.2', '3.3']
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v4
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+    - run: bundle exec rake

data/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## 0.6.4 (2024-06-06)
+
+* Fix applying DES-CBC when using OpenSSL 3 by @paulvt in https://github.com/WinRb/rubyntlm/pull/51
+* Add dependency to `base64` gem by @yahonda in https://github.com/WinRb/rubyntlm/pull/62
+* Avoid usage of legacy algorithms on libssl-3.0+ by @larskanis in https://github.com/WinRb/rubyntlm/pull/53
+* Add anonymous authentication support by @zeroSteiner in https://github.com/WinRb/rubyntlm/pull/45
+* Update minimum supported ruby to 2.6. Add support for ruby 3.2 and 3.3
+
 ## [0.6.3](https://github.com/WinRb/rubyntlm/tree/0.6.3) (2021-01-26)
 [Full Changelog](https://github.com/WinRb/rubyntlm/compare/v0.6.2...0.6.3)
 
@@ -124,4 +132,4 @@
 ## [v0.2.0](https://github.com/WinRb/rubyntlm/tree/v0.2.0) (2013-03-22)
 
 
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

data/README.md

@@ -1,6 +1,6 @@
 # Ruby/NTLM -- NTLM Authentication Library for Ruby
 
-[![Build Status](https://travis-ci.org/WinRb/rubyntlm.png)](https://travis-ci.org/WinRb/rubyntlm)
+[![CI status](https://github.com/WinRb/rubyntlm/actions/workflows/build.yml/badge.svg)](https://github.com/WinRb/rubyntlm/actions/workflows/build.yml)
 
 Ruby/NTLM provides message creator and parser for the NTLM authentication. 
 

data/lib/net/ntlm/client/session.rb

@@ -26,8 +26,8 @@ module Net
       def authenticate!
         calculate_user_session_key!
         type3_opts = {
-          :lm_response   => lmv2_resp,
-          :ntlm_response => ntlmv2_resp,
+          :lm_response   => is_anonymous? ? "\x00".b : lmv2_resp,
+          :ntlm_response => is_anonymous? ? '' : ntlmv2_resp,
           :domain        => domain,
           :user          => username,
           :workstation   => workstation,
@@ -36,11 +36,8 @@ module Net
         t3 = Message::Type3.create type3_opts
         if negotiate_key_exchange?
           t3.enable(:session_key)
-          rc4 = OpenSSL::Cipher.new("rc4")
-          rc4.encrypt
-          rc4.key = user_session_key
-          sk = rc4.update exported_session_key
-          sk << rc4.final
+          rc4 = Net::NTLM::Rc4.new(user_session_key)
+          sk = rc4.encrypt exported_session_key
           t3.session_key = sk
         end
         t3
@@ -50,7 +47,7 @@ module Net
         @exported_session_key ||=
           begin
             if negotiate_key_exchange?
-              OpenSSL::Cipher.new("rc4").random_key
+              OpenSSL::Random.random_bytes(16)
             else
               user_session_key
             end
@@ -61,8 +58,7 @@ module Net
         seq = sequence
         sig = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, client_sign_key, "#{seq}#{message}")[0..7]
         if negotiate_key_exchange?
-          sig = client_cipher.update sig
-          sig << client_cipher.final
+          sig = client_cipher.encrypt sig
         end
         "#{VERSION_MAGIC}#{sig}#{seq}"
       end
@@ -71,20 +67,21 @@ module Net
         seq = signature[-4..-1]
         sig = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, server_sign_key, "#{seq}#{message}")[0..7]
         if negotiate_key_exchange?
-          sig = server_cipher.update sig
-          sig << server_cipher.final
+          sig = server_cipher.encrypt sig
         end
         "#{VERSION_MAGIC}#{sig}#{seq}" == signature
       end
 
       def seal_message(message)
-        emessage = client_cipher.update(message)
-        emessage + client_cipher.final
+        client_cipher.encrypt(message)
       end
 
       def unseal_message(emessage)
-        message = server_cipher.update(emessage)
-        message + server_cipher.final
+        server_cipher.encrypt(emessage)
+      end
+
+      def is_anonymous?
+        username == '' && password == ''
       end
 
       private
@@ -123,23 +120,11 @@ module Net
       end
 
       def client_cipher
-        @client_cipher ||=
-          begin
-            rc4 = OpenSSL::Cipher.new("rc4")
-            rc4.encrypt
-            rc4.key = client_seal_key
-            rc4
-          end
+        @client_cipher ||= Net::NTLM::Rc4.new(client_seal_key)
       end
 
       def server_cipher
-        @server_cipher ||=
-          begin
-            rc4 = OpenSSL::Cipher.new("rc4")
-            rc4.decrypt
-            rc4.key = server_seal_key
-            rc4
-          end
+        @server_cipher ||= Net::NTLM::Rc4.new(server_seal_key)
       end
 
       def client_challenge
@@ -157,7 +142,8 @@ module Net
       end
 
       def use_oem_strings?
-        challenge_message.has_flag? :OEM
+        # @see https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832
+        !challenge_message.has_flag?(:UNICODE) && challenge_message.has_flag?(:OEM)
       end
 
       def negotiate_key_exchange?
@@ -193,7 +179,12 @@ module Net
       end
 
       def calculate_user_session_key!
-        @user_session_key = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, nt_proof_str)
+        if is_anonymous?
+          # see MS-NLMP section 3.4
+          @user_session_key = "\x00".b * 16
+        else
+          @user_session_key = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmv2_hash, nt_proof_str)
+        end
       end
 
       def lmv2_resp
@@ -231,7 +222,6 @@ module Net
           end
         end
       end
-
     end
   end
 end

data/lib/net/ntlm/md4.rb

@@ -0,0 +1,80 @@
+require 'openssl'
+
+module Net
+module NTLM
+
+  class Md4
+
+    begin
+      OpenSSL::Digest::MD4.digest("")
+    rescue
+      # libssl-3.0+ doesn't support legacy MD4 -> use our own implementation
+
+      require 'stringio'
+
+      def self.digest(string)
+        # functions
+        mask = (1 << 32) - 1
+        f = proc {|x, y, z| x & y | x.^(mask) & z}
+        g = proc {|x, y, z| x & y | x & z | y & z}
+        h = proc {|x, y, z| x ^ y ^ z}
+        r = proc {|v, s| (v << s).&(mask) | (v.&(mask) >> (32 - s))}
+
+        # initial hash
+        a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
+
+        bit_len = string.size << 3
+        string += "\x80"
+        while (string.size % 64) != 56
+          string += "\0"
+        end
+        string = string.force_encoding('ascii-8bit') + [bit_len & mask, bit_len >> 32].pack("V2")
+
+        if string.size % 64 != 0
+          fail "failed to pad to correct length"
+        end
+
+        io = StringIO.new(string)
+        block = ""
+
+        while io.read(64, block)
+          x = block.unpack("V16")
+
+          # Process this block.
+          aa, bb, cc, dd = a, b, c, d
+          [0, 4, 8, 12].each {|i|
+            a = r[a + f[b, c, d] + x[i],  3]; i += 1
+            d = r[d + f[a, b, c] + x[i],  7]; i += 1
+            c = r[c + f[d, a, b] + x[i], 11]; i += 1
+            b = r[b + f[c, d, a] + x[i], 19]
+          }
+          [0, 1, 2, 3].each {|i|
+            a = r[a + g[b, c, d] + x[i] + 0x5a827999,  3]; i += 4
+            d = r[d + g[a, b, c] + x[i] + 0x5a827999,  5]; i += 4
+            c = r[c + g[d, a, b] + x[i] + 0x5a827999,  9]; i += 4
+            b = r[b + g[c, d, a] + x[i] + 0x5a827999, 13]
+          }
+          [0, 2, 1, 3].each {|i|
+            a = r[a + h[b, c, d] + x[i] + 0x6ed9eba1,  3]; i += 8
+            d = r[d + h[a, b, c] + x[i] + 0x6ed9eba1,  9]; i -= 4
+            c = r[c + h[d, a, b] + x[i] + 0x6ed9eba1, 11]; i += 8
+            b = r[b + h[c, d, a] + x[i] + 0x6ed9eba1, 15]
+          }
+          a = (a + aa) & mask
+          b = (b + bb) & mask
+          c = (c + cc) & mask
+          d = (d + dd) & mask
+        end
+
+        [a, b, c, d].pack("V4")
+      end
+
+    else
+      # Openssl/libssl provides MD4, so we can use it.
+      def self.digest(string)
+        OpenSSL::Digest::MD4.digest(string)
+      end
+    end
+  end
+end
+end

data/lib/net/ntlm/message.rb

@@ -35,7 +35,6 @@ module NTLM
       :TYPE3 => FLAGS[:UNICODE] | FLAGS[:REQUEST_TARGET] | FLAGS[:NTLM] | FLAGS[:ALWAYS_SIGN] | FLAGS[:NTLM2_KEY]
   }
 
-
   # @private false
   class Message < FieldSet
     class << Message
@@ -87,7 +86,7 @@ module NTLM
 
     def serialize
       deflag
-      super + security_buffers.map{|n, f| f.value}.join
+      super + security_buffers.map{|n, f| f.value + (has_flag?(:UNICODE) ? "\x00".b * (f.value.length % 2) : '')}.join
     end
 
     def encode64
@@ -117,6 +116,7 @@ module NTLM
       security_buffers.inject(head_size){|cur, a|
         a[1].offset = cur
         cur += a[1].data_size
+        has_flag?(:UNICODE) ? cur + cur % 2 : cur
       }
     end
 

data/lib/net/ntlm/rc4.rb

@@ -0,0 +1,59 @@
+require 'openssl'
+
+module Net
+module NTLM
+
+  begin
+    OpenSSL::Cipher.new("rc4")
+  rescue
+    # libssl-3.0+ doesn't support legacy Rc4 -> use our own implementation
+
+    class Rc4
+      def initialize(str)
+        raise ArgumentError, "RC4: Key supplied is blank"  if str.eql?('')
+        initialize_state(str)
+        @q1, @q2 = 0, 0
+      end
+
+      def encrypt(text)
+        text.each_byte.map do |b|
+          @q1 = (@q1 + 1) % 256
+          @q2 = (@q2 + @state[@q1]) % 256
+          @state[@q1], @state[@q2] = @state[@q2], @state[@q1]
+          b ^ @state[(@state[@q1] + @state[@q2]) % 256]
+        end.pack("C*")
+      end
+
+      private
+
+      # The initial state which is then modified by the key-scheduling algorithm
+      INITIAL_STATE = (0..255).to_a
+
+      # Performs the key-scheduling algorithm to initialize the state.
+      def initialize_state(key)
+        i = j = 0
+        @state = INITIAL_STATE.dup
+        key_length = key.length
+        while i < 256
+          j = (j + @state[i] + key.getbyte(i % key_length)) % 256
+          @state[i], @state[j] = @state[j], @state[i]
+          i += 1
+        end
+      end
+    end
+
+  else
+    # Openssl/libssl provides RC4, so we can use it.
+    class Rc4
+      def initialize(str)
+        @ci = OpenSSL::Cipher.new("rc4")
+        @ci.key = str
+      end
+
+      def encrypt(text)
+        @ci.update(text) + @ci.final
+      end
+    end
+  end
+end
+end

data/lib/net/ntlm/version.rb

@@ -4,7 +4,7 @@ module Net
     module VERSION
       MAJOR = 0
       MINOR = 6
-      TINY  = 3
+      TINY  = 4
       STRING = [MAJOR, MINOR, TINY].join('.')
     end
   end

data/lib/net/ntlm.rb

@@ -59,6 +59,8 @@ require 'net/ntlm/message/type2'
 require 'net/ntlm/message/type3'
 
 require 'net/ntlm/encode_util'
+require 'net/ntlm/md4'
+require 'net/ntlm/rc4'
 
 require 'net/ntlm/client'
 require 'net/ntlm/channel_binding'
@@ -94,10 +96,10 @@ module Net
         end
       end
 
-      # Conver the value to a 64-Bit Little Endian Int
+      # Convert the value to a 64-bit little-endian integer
       # @param [String] val The string to convert
       def pack_int64le(val)
-          [val & 0x00000000ffffffff, val >> 32].pack("V2")
+        [val & 0x00000000ffffffff, val >> 32].pack("V2")
       end
 
       # Builds an array of strings that are 7 characters long
@@ -111,7 +113,8 @@ module Net
         ret
       end
 
-      # Not sure what this is doing
+      # Each byte of a DES key contains seven bits of key material and one odd-parity bit.
+      # The parity bit should be set so that there are an odd number of 1 bits in each byte.
       # @param [String] str String to generate keys for
       # @api private
       def gen_keys(str)
@@ -123,22 +126,24 @@ module Net
       end
 
       def apply_des(plain, keys)
-        dec = OpenSSL::Cipher.new("des-cbc").encrypt
-        dec.padding = 0
         keys.map {|k|
-          dec.key = k
+          # Spec requires des-cbc, but openssl 3 does not support single des
+          # by default, so just do triple DES (EDE) with the same key
+          dec = OpenSSL::Cipher.new("des-ede-cbc").encrypt
+          dec.padding = 0
+          dec.key = k + k
           dec.update(plain) + dec.final
         }
       end
 
-      # Generates a Lan Manager Hash
+      # Generates a {https://en.wikipedia.org/wiki/LAN_Manager LAN Manager Hash}
       # @param [String] password The password to base the hash on
       def lm_hash(password)
         keys = gen_keys password.upcase.ljust(14, "\0")
         apply_des(LM_MAGIC, keys).join
       end
 
-      # Generate a NTLM Hash
+      # Generate an NTLM Hash
       # @param [String] password The password to base the hash on
       # @option opt :unicode (false) Unicode encode the password
       def ntlm_hash(password, opt = {})
@@ -146,14 +151,14 @@ module Net
         unless opt[:unicode]
           pwd = EncodeUtil.encode_utf16le(pwd)
         end
-        OpenSSL::Digest::MD4.digest pwd
+        Net::NTLM::Md4.digest pwd
       end
 
       # Generate a NTLMv2 Hash
       # @param [String] user The username
       # @param [String] password The password
       # @param [String] target The domain or workstation to authenticate to
-      # @option opt :unicode (false) Unicode encode the domain
+      # @option [Boolean] opt :unicode (false) Unicode encode the domain.
       def ntlmv2_hash(user, password, target, opt={})
         if is_ntlm_hash? password
           decoded_password = EncodeUtil.decode_utf16le(password)

data/rubyntlm.gemspec

@@ -13,11 +13,10 @@ Gem::Specification.new do |s|
 
 
   s.files         = `git ls-files`.split($/)
-  s.executables   = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
   s.test_files    = s.files.grep(%r{^(test|spec|features)/})
   s.require_paths = ["lib"]
 
-  s.required_ruby_version = '>= 1.8.7'
+  s.required_ruby_version = '>= 2.6.0'
 
   s.license = 'MIT'
 
@@ -26,4 +25,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec", ">= 2.11"
   s.add_development_dependency "simplecov"
+  s.add_dependency "base64"
+
+  s.metadata["rubygems_mfa_required"] = "true"
 end

data/spec/lib/net/ntlm/client/session_spec.rb

@@ -65,4 +65,23 @@ describe Net::NTLM::Client::Session do
     end
   end
 
+  context 'when authenticating anonymously' do
+    let(:inst) { Net::NTLM::Client::Session.new(Net::NTLM::Client.new('', ''), t2_challenge) }
+
+    describe "#authenticate!" do
+      it "should set the response fields correctly" do
+        t3 = inst.authenticate!
+        expect(t3).to be_a(Net::NTLM::Message::Type3)
+        expect(t3.lm_response).to eq("\x00".b)
+        expect(t3.ntlm_response).to eq('')
+      end
+    end
+
+    describe "#is_anonymous?" do
+      it "should be true" do
+        expect(inst.is_anonymous?).to be_truthy
+      end
+    end
+  end
+
 end

data/spec/lib/net/ntlm/message/type3_spec.rb

@@ -222,4 +222,25 @@ describe Net::NTLM::Message::Type3 do
 
   end
 
+  describe '.serialize' do
+    subject(:message) { described_class.create(opts) }
+    context 'with the UNICODE flag set' do
+      let(:opts) { {lm_response: "\x00".b, ntlm_response: '', domain: '', workstation: '', user: '', flag: Net::NTLM::DEFAULT_FLAGS[:TYPE3] | Net::NTLM::FLAGS[:UNICODE] } }
+
+      it 'should pad the domain field to a multiple of 2' do
+        message.serialize
+        expect(message[:domain][:offset].value % 2).to eq 0
+      end
+
+      it 'should pad the user field to a multiple of 2' do
+        message.serialize
+        expect(message[:user][:offset].value % 2).to eq 0
+      end
+
+      it 'should pad the workstation field to a multiple of 2' do
+        message.serialize
+        expect(message[:workstation][:offset].value % 2).to eq 0
+      end
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubyntlm
 version: !ruby/object:Gem::Version
-  version: 0.6.3
+  version: 0.6.4
 platform: ruby
 authors:
 - Kohei Kajimoto
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-27 00:00:00.000000000 Z
+date: 2024-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: github_changelog_generator
@@ -81,6 +81,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Ruby/NTLM provides message creator and parser for the NTLM authentication.
 email:
 - koheik@gmail.com
@@ -89,9 +103,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".devcontainer/devcontainer.json"
+- ".github/dependabot.yml"
+- ".github/workflows/build.yml"
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE
@@ -112,11 +128,13 @@ files:
 - lib/net/ntlm/int16_le.rb
 - lib/net/ntlm/int32_le.rb
 - lib/net/ntlm/int64_le.rb
+- lib/net/ntlm/md4.rb
 - lib/net/ntlm/message.rb
 - lib/net/ntlm/message/type0.rb
 - lib/net/ntlm/message/type1.rb
 - lib/net/ntlm/message/type2.rb
 - lib/net/ntlm/message/type3.rb
+- lib/net/ntlm/rc4.rb
 - lib/net/ntlm/security_buffer.rb
 - lib/net/ntlm/string.rb
 - lib/net/ntlm/target_info.rb
@@ -152,7 +170,8 @@ files:
 homepage: https://github.com/winrb/rubyntlm
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -161,14 +180,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.8.7
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: Ruby/NTLM library.

data/.travis.yml

@@ -1,13 +0,0 @@
-language: ruby
-rvm:
-  - 2.1.9
-  - 2.6.6
-  - 2.7.1
-  - 3.0.0
-before_install:
-  - gem update bundler
-
-# This prevents testing branches that are created just for PRs
-branches:
-  only:
-  - master