// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.
package rdpclient.ntlmssp;
/**
* During NTLM authentication, each of the following flags is a possible value
* of the NegotiateFlags field of the NEGOTIATE_MESSAGE, CHALLENGE_MESSAGE, and
* AUTHENTICATE_MESSAGE, unless otherwise noted. These flags define client or
* server NTLM capabilities supported by the sender.
*
* @see http://msdn.microsoft.com/en-us/library/cc236650.aspx
*/
public class NegoFlags {
/**
* 56-bit encryption. If the client sends NTLMSSP_NEGOTIATE_SEAL or
* NTLMSSP_NEGOTIATE_SIGN with NTLMSSP_NEGOTIATE_56 to the server in the
* NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_56 to the
* client in the CHALLENGE_MESSAGE. Otherwise it is ignored. If both
* NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are requested and supported
* by the client and server, NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128
* will both be returned to the client. Clients and servers that set
* NTLMSSP_NEGOTIATE_SEAL SHOULD set NTLMSSP_NEGOTIATE_56 if it is supported.
* An alternate name for this field is
*/
public static final int NTLMSSP_NEGOTIATE_56 = 0x80000000;
/**
* Explicit key exchange. This capability SHOULD be used because it improves
* security for message integrity or confidentiality. See sections 3.2.5.1.2,
* 3.2.5.2.1, and 3.2.5.2.2 for details.
*/
public static final int NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000;
/**
* 128-bit session key negotiation. An alternate name for this field is
* NTLMSSP_NEGOTIATE_128. If the client sends NTLMSSP_NEGOTIATE_128 to the
* server in the NEGOTIATE_MESSAGE, the server MUST return
* NTLMSSP_NEGOTIATE_128 to the client in the CHALLENGE_MESSAGE only if the
* client sets NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN. Otherwise it
* is ignored. If both NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are
* requested and supported by the client and server, NTLMSSP_NEGOTIATE_56 and
* NTLMSSP_NEGOTIATE_128 will both be returned to the client. Clients and
* servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD set NTLMSSP_NEGOTIATE_128 if
* it is supported.
*/
public static final int NTLMSSP_NEGOTIATE_128 = 0x20000000;
/**
* Protocol version number. The data corresponding to this flag is provided in
* the Version field of the NEGOTIATE_MESSAGE, the CHALLENGE_MESSAGE, and the
* AUTHENTICATE_MESSAGE.
*/
public static final int NTLMSSP_NEGOTIATE_VERSION = 0x02000000;
/**
* TargetInfo fields in the CHALLENGE_MESSAGE (section 2.2.1.2) are populated.
*/
public static final int NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000;
/** LMOWF (section 3.3). */
public static final int NTLMSSP_REQUEST_NON_NT_SESSION_KEY = 0x00400000;
/** An identify level token. */
public static final int NTLMSSP_NEGOTIATE_IDENTIFY = 0x00100000;
/**
* NTLM v2 session security. NTLM v2 session security is a misnomer because it
* is not NTLM v2. It is NTLM v1 using the extended session security that is
* also in NTLM v2. NTLMSSP_NEGOTIATE_LM_KEY and
* NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are mutually exclusive. If both
* NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and NTLMSSP_NEGOTIATE_LM_KEY are
* requested, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be
* returned to the client. NTLM v2 authentication session key generation MUST
* be supported by both the client and the DC in order to be used, and
* extended session security signing and sealing requires support from the
* client and the server in order to be used.
*/
public static final int NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY = 0x00080000;
/**
* TargetName MUST be a server name. The data corresponding to this flag is
* provided by the server in the TargetName field of the CHALLENGE_MESSAGE. If
* this bit is set, then NTLMSSP_TARGET_TYPE_DOMAIN MUST NOT be set. This flag
* MUST be ignored in the NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE.
*/
public static final int NTLMSSP_TARGET_TYPE_SERVER = 0x00020000;
/**
* TargetName MUST be a domain name. The data corresponding to this flag is
* provided by the server in the TargetName field of the CHALLENGE_MESSAGE. If
* set, then NTLMSSP_TARGET_TYPE_SERVER MUST NOT be set. This flag MUST be
* ignored in the NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE.
*/
public static final int NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000;
/**
* Signature block on all messages. NTLMSSP_NEGOTIATE_ALWAYS_SIGN MUST be set
* in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the
* client. NTLMSSP_NEGOTIATE_ALWAYS_SIGN is overridden by
* NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL, if they are supported.
*/
public static final int NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000;
/**
* Workstation field is present. If this flag is not set, the Workstation
* field MUST be ignored. If this flag is set, the length field of the
* Workstation field specifies whether the workstation name is nonempty or
* not.
*/
public static final int NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000;
/**
* Domain name is provided.
*
* Sent by the client in the Type 1 message to indicate that the name of the
* domain in which the client workstation has membership is included in the
* message. This is used by the server to determine whether the client is
* eligible for local authentication.
*/
public static final int NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000;
/**
* Connection SHOULD be anonymous.
*
* Sent by the client in the Type 3 message to indicate that an anonymous
* context has been established. This also affects the response fields (as
* detailed in the "Anonymous Response" section).
*/
public static final int NTLMSSP_NEGOTIATE_ANONYMOUS = 0x00000800;
/**
* Usage of the NTLM v1 session security protocol. NTLMSSP_NEGOTIATE_NTLM MUST
* be set in the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to
* the client.
*/
public static final int NTLMSSP_NEGOTIATE_NTLM = 0x00000200;
/**
* LAN Manager (LM) session key computation. NTLMSSP_NEGOTIATE_LM_KEY and
* NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are mutually exclusive. If both
* NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are
* requested, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be
* returned to the client. NTLM v2 authentication session key generation MUST
* be supported by both the client and the DC in order to be used, and
* extended session security signing and sealing requires support from the
* client and the server to be used.
*/
public static final int NTLMSSP_NEGOTIATE_LM_KEY = 0x00000080;
/**
* Connectionless authentication. If NTLMSSP_NEGOTIATE_DATAGRAM is set, then
* NTLMSSP_NEGOTIATE_KEY_EXCH MUST always be set in the AUTHENTICATE_MESSAGE
* to the server and the CHALLENGE_MESSAGE to the client.
*/
public static final int NTLMSSP_NEGOTIATE_DATAGRAM = 0x00000040;
/**
* Session key negotiation for message confidentiality. If the client sends
* NTLMSSP_NEGOTIATE_SEAL to the server in the NEGOTIATE_MESSAGE, the server
* MUST return NTLMSSP_NEGOTIATE_SEAL to the client in the CHALLENGE_MESSAGE.
* Clients and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD always set
* NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128, if they are supported.
*/
public static final int NTLMSSP_NEGOTIATE_SEAL = 0x00000020;
/**
* Session key negotiation for message signatures. If the client sends
* NTLMSSP_NEGOTIATE_SIGN to the server in the NEGOTIATE_MESSAGE, the server
* MUST return NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE.
*/
public static final int NTLMSSP_NEGOTIATE_SIGN = 0x00000010;
/**
* TargetName field of the CHALLENGE_MESSAGE (section 2.2.1.2) MUST be
* supplied.
*/
public static final int NTLMSSP_REQUEST_TARGET = 0x00000004;
/**
* OEM character set encoding.
*
* @see NTLMSSP_NEGOTIATE_UNICODE
*/
public static final int NTLMSSP_NEGOTIATE_OEM = 0x00000002;
/**
* Unicode character set encoding.
*
* The NTLMSSP_NEGOTIATE_UNICODE(A) and NTLM_NEGOTIATE_OEM(B) bits are
* evaluated together as follows:
* <ul>
* <li>A==1: The choice of character set encoding MUST be Unicode.
*
* <li>A==0 and B==1: The choice of character set encoding MUST be OEM.
*
* <li>A==0 and B==0: The protocol MUST return SEC_E_INVALID_TOKEN.
* <ul>
* */
public static final int NTLMSSP_NEGOTIATE_UNICODE = 0x00000001;
public int value;
public NegoFlags(int value) {
this.value = value;
}
public NegoFlags() {
value = 0;
}
@Override
public String toString() {
return String.format("NegoFlags [value=0x%04x (%s)]", value, flagsToSting());
}
public String flagsToSting() {
String str = "";
if (NEGOTIATE_56())
str += "NEGOTIATE_56 ";
if (NEGOTIATE_KEY_EXCH())
str += "NEGOTIATE_KEY_EXCH ";
if (NEGOTIATE_128())
str += "NEGOTIATE_128 ";
if (NEGOTIATE_VERSION())
str += "NEGOTIATE_VERSION ";
if (NEGOTIATE_TARGET_INFO())
str += "NEGOTIATE_TARGET_INFO ";
if (REQUEST_NON_NT_SESSION_KEY())
str += "REQUEST_NON_NT_SESSION_KEY ";
if (NEGOTIATE_IDENTIFY())
str += "NEGOTIATE_IDENTIFY ";
if (NEGOTIATE_EXTENDED_SESSION_SECURITY())
str += "NEGOTIATE_EXTENDED_SESSION_SECURITY ";
if (TARGET_TYPE_SERVER())
str += "TARGET_TYPE_SERVER ";
if (TARGET_TYPE_DOMAIN())
str += "TARGET_TYPE_DOMAIN ";
if (NEGOTIATE_ALWAYS_SIGN())
str += "NEGOTIATE_ALWAYS_SIGN ";
if (NEGOTIATE_OEM_WORKSTATION_SUPPLIED())
str += "NEGOTIATE_OEM_WORKSTATION_SUPPLIED ";
if (NEGOTIATE_OEM_DOMAIN_SUPPLIED())
str += "NEGOTIATE_OEM_DOMAIN_SUPPLIED ";
if (NEGOTIATE_ANONYMOUS())
str += "NEGOTIATE_ANONYMOUS ";
if (NEGOTIATE_NTLM())
str += "NEGOTIATE_NTLM ";
if (NEGOTIATE_LM_KEY())
str += "NEGOTIATE_LM_KEY ";
if (NEGOTIATE_DATAGRAM())
str += "NEGOTIATE_DATAGRAM ";
if (NEGOTIATE_SEAL())
str += "NEGOTIATE_SEAL ";
if (NEGOTIATE_SIGN())
str += "NEGOTIATE_SIGN ";
if (REQUEST_TARGET())
str += "REQUEST_TARGET ";
if (NEGOTIATE_OEM())
str += "NEGOTIATE_OEM ";
if (NEGOTIATE_UNICODE())
str += "NEGOTIATE_UNICODE ";
return str;
}
public boolean NEGOTIATE_56() {
return ((value & NTLMSSP_NEGOTIATE_56) != 0);
}
public boolean NEGOTIATE_KEY_EXCH() {
return ((value & NTLMSSP_NEGOTIATE_KEY_EXCH) != 0);
}
public boolean NEGOTIATE_128() {
return ((value & NTLMSSP_NEGOTIATE_128) != 0);
}
public boolean NEGOTIATE_VERSION() {
return ((value & NTLMSSP_NEGOTIATE_VERSION) != 0);
}
public boolean NEGOTIATE_TARGET_INFO() {
return ((value & NTLMSSP_NEGOTIATE_TARGET_INFO) != 0);
}
public boolean REQUEST_NON_NT_SESSION_KEY() {
return ((value & NTLMSSP_REQUEST_NON_NT_SESSION_KEY) != 0);
}
public boolean NEGOTIATE_IDENTIFY() {
return ((value & NTLMSSP_NEGOTIATE_IDENTIFY) != 0);
}
public boolean NEGOTIATE_EXTENDED_SESSION_SECURITY() {
return ((value & NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY) != 0);
}
public boolean TARGET_TYPE_SERVER() {
return ((value & NTLMSSP_TARGET_TYPE_SERVER) != 0);
}
public boolean TARGET_TYPE_DOMAIN() {
return ((value & NTLMSSP_TARGET_TYPE_DOMAIN) != 0);
}
public boolean NEGOTIATE_ALWAYS_SIGN() {
return ((value & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) != 0);
}
public boolean NEGOTIATE_OEM_WORKSTATION_SUPPLIED() {
return ((value & NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED) != 0);
}
public boolean NEGOTIATE_OEM_DOMAIN_SUPPLIED() {
return ((value & NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED) != 0);
}
public boolean NEGOTIATE_ANONYMOUS() {
return ((value & NTLMSSP_NEGOTIATE_ANONYMOUS) != 0);
}
public boolean NEGOTIATE_NTLM() {
return ((value & NTLMSSP_NEGOTIATE_NTLM) != 0);
}
public boolean NEGOTIATE_LM_KEY() {
return ((value & NTLMSSP_NEGOTIATE_LM_KEY) != 0);
}
public boolean NEGOTIATE_DATAGRAM() {
return ((value & NTLMSSP_NEGOTIATE_DATAGRAM) != 0);
}
public boolean NEGOTIATE_SEAL() {
return ((value & NTLMSSP_NEGOTIATE_SEAL) != 0);
}
public boolean NEGOTIATE_SIGN() {
return ((value & NTLMSSP_NEGOTIATE_SIGN) != 0);
}
public boolean REQUEST_TARGET() {
return ((value & NTLMSSP_REQUEST_TARGET) != 0);
}
public boolean NEGOTIATE_OEM() {
return ((value & NTLMSSP_NEGOTIATE_OEM) != 0);
}
public boolean NEGOTIATE_UNICODE() {
return ((value & NTLMSSP_NEGOTIATE_UNICODE) != 0);
}
public NegoFlags set_NEGOTIATE_56() {
value |= NTLMSSP_NEGOTIATE_56;
return this;
}
public NegoFlags set_NEGOTIATE_KEY_EXCH() {
value |= NTLMSSP_NEGOTIATE_KEY_EXCH;
return this;
}
public NegoFlags set_NEGOTIATE_128() {
value |= NTLMSSP_NEGOTIATE_128;
return this;
}
public NegoFlags set_NEGOTIATE_VERSION() {
value |= NTLMSSP_NEGOTIATE_VERSION;
return this;
}
public NegoFlags set_NEGOTIATE_TARGET_INFO() {
value |= NTLMSSP_NEGOTIATE_TARGET_INFO;
return this;
}
public NegoFlags set_REQUEST_NON_NT_SESSION_KEY() {
value |= NTLMSSP_REQUEST_NON_NT_SESSION_KEY;
return this;
}
public NegoFlags set_NEGOTIATE_IDENTIFY() {
value |= NTLMSSP_NEGOTIATE_IDENTIFY;
return this;
}
public NegoFlags set_NEGOTIATE_EXTENDED_SESSION_SECURITY() {
value |= NTLMSSP_NEGOTIATE_EXTENDED_SESSION_SECURITY;
return this;
}
public NegoFlags set_TARGET_TYPE_SERVER() {
value |= NTLMSSP_TARGET_TYPE_SERVER;
return this;
}
public NegoFlags set_TARGET_TYPE_DOMAIN() {
value |= NTLMSSP_TARGET_TYPE_DOMAIN;
return this;
}
public NegoFlags set_NEGOTIATE_ALWAYS_SIGN() {
value |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
return this;
}
public NegoFlags set_NEGOTIATE_OEM_WORKSTATION_SUPPLIED() {
value |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED;
return this;
}
public NegoFlags set_NEGOTIATE_OEM_DOMAIN_SUPPLIED() {
value |= NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED;
return this;
}
public NegoFlags set_NEGOTIATE_ANONYMOUS() {
value |= NTLMSSP_NEGOTIATE_ANONYMOUS;
return this;
}
public NegoFlags set_NEGOTIATE_NTLM() {
value |= NTLMSSP_NEGOTIATE_NTLM;
return this;
}
public NegoFlags set_NEGOTIATE_LM_KEY() {
value |= NTLMSSP_NEGOTIATE_LM_KEY;
return this;
}
public NegoFlags set_NEGOTIATE_DATAGRAM() {
value |= NTLMSSP_NEGOTIATE_DATAGRAM;
return this;
}
public NegoFlags set_NEGOTIATE_SEAL() {
value |= NTLMSSP_NEGOTIATE_SEAL;
return this;
}
public NegoFlags set_NEGOTIATE_SIGN() {
value |= NTLMSSP_NEGOTIATE_SIGN;
return this;
}
public NegoFlags set_REQUEST_TARGET() {
value |= NTLMSSP_REQUEST_TARGET;
return this;
}
public NegoFlags set_NEGOTIATE_OEM() {
value |= NTLMSSP_NEGOTIATE_OEM;
return this;
}
public NegoFlags set_NEGOTIATE_UNICODE() {
value |= NTLMSSP_NEGOTIATE_UNICODE;
return this;
}
/**
* Example.
*/
public static void main(String args[]) {
NegoFlags flags = new NegoFlags(0xe20882b7);
System.out.println("Negotiation flags: " + flags);
}
}