Merge pull request #28 from wneessen/27-add-ntlm-hash-support

#27: Implement NTLM hash support for PwnedPassAPI

hibp.go

@@ -49,8 +49,18 @@ var (
 	// expected length
 	ErrSHA1LengthMismatch = errors.New("SHA1 hash size needs to be 160 bits")
 
+	// ErrNTLMLengthMismatch should be used if a given NTLM hash does not match the
+	// expected length
+	ErrNTLMLengthMismatch = errors.New("NTLM hash size needs to be 128 bits")
+
 	// ErrSHA1Invalid should be used if a given string does not represent a valid SHA1 hash
 	ErrSHA1Invalid = errors.New("not a valid SHA1 hash")
+
+	// ErrNTLMInvalid should be used if a given string does not represent a valid NTLM hash
+	ErrNTLMInvalid = errors.New("not a valid NTLM hash")
+
+	// ErrUnsupportedHashMode should be used if a given hash mode is not supported
+	ErrUnsupportedHashMode = errors.New("hash mode not supported")
 )
 
 // Client is the HIBP client object
@@ -80,7 +90,10 @@ func New(options ...Option) Client {
 
 	// Set defaults
 	c.to = DefaultTimeout
-	c.PwnedPassAPIOpts = &PwnedPasswordOptions{}
+	c.PwnedPassAPIOpts = &PwnedPasswordOptions{
+		HashMode:    HashModeSHA1,
+		WithPadding: false,
+	}
 	c.ua = DefaultUserAgent
 
 	// Set additional options
@@ -95,7 +108,10 @@ func New(options ...Option) Client {
 	c.hc = httpClient(c.to)
 
 	// Associate the different HIBP service APIs with the Client
-	c.PwnedPassAPI = &PwnedPassAPI{hibp: &c}
+	c.PwnedPassAPI = &PwnedPassAPI{
+		hibp:     &c,
+		ParamMap: make(map[string]string),
+	}
 	c.BreachAPI = &BreachAPI{hibp: &c}
 	c.PasteAPI = &PasteAPI{hibp: &c}
 
@@ -140,6 +156,18 @@ func WithRateLimitSleep() Option {
 	}
 }
 
+// WithPwnedNTLMHash sets the hash mode for the PwnedPasswords API to NTLM hashes
+//
+// Note: This option only affects the generic methods like PwnedPassAPI.CheckPassword
+// or PwnedPassAPI.ListHashesPassword. For any specifc method with the hash type in
+// the method name, this option is ignored and the hash type of the function is
+// forced
+func WithPwnedNTLMHash() Option {
+	return func(c *Client) {
+		c.PwnedPassAPIOpts.HashMode = HashModeNTLM
+	}
+}
+
 // HTTPReq performs an HTTP request to the corresponding API
 func (c *Client) HTTPReq(m, p string, q map[string]string) (*http.Request, error) {
 	u, err := url.Parse(p)

hibp_test.go

@@ -37,11 +37,25 @@ func TestNewWithHttpTimeout(t *testing.T) {
 func TestNewWithPwnedPadding(t *testing.T) {
 	hc := New(WithPwnedPadding())
 	if !hc.PwnedPassAPIOpts.WithPadding {
-		t.Errorf("hibp client pwned padding option was not set properly. Expected %v, got: %v",
+		t.Errorf("hibp client pwned padding option was not set properly. Expected %t, got: %t",
 			true, hc.PwnedPassAPIOpts.WithPadding)
 	}
 }
 
+// TestNewWithPwnedNTLMHash tests the New() function with the PwnedPadding option
+func TestNewWithPwnedNTLMHash(t *testing.T) {
+	hc := New(WithPwnedNTLMHash())
+	if hc.PwnedPassAPIOpts.HashMode != HashModeNTLM {
+		t.Errorf("hibp client NTLM hash mode option was not set properly. Expected %d, got: %d",
+			HashModeNTLM, hc.PwnedPassAPIOpts.HashMode)
+	}
+	hc = New()
+	if hc.PwnedPassAPIOpts.HashMode != HashModeSHA1 {
+		t.Errorf("hibp client SHA-1 hash mode option was not set properly. Expected %d, got: %d",
+			HashModeSHA1, hc.PwnedPassAPIOpts.HashMode)
+	}
+}
+
 // TestNewWithApiKey tests the New() function with the API key set
 func TestNewWithApiKey(t *testing.T) {
 	apiKey := os.Getenv("HIBP_API_KEY")

md4/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

md4/md4.go

@@ -0,0 +1,122 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package md4 implements the MD4 hash algorithm as defined in RFC 1320.
+//
+// NOTE: MD4 is cryptographically broken and should should only be used
+// where compatibility with legacy systems, not security, is the goal. Instead,
+// use a secure hash like SHA-256 (from crypto/sha256).
+package md4 // import "golang.org/x/crypto/md4"
+
+import (
+	"crypto"
+	"hash"
+)
+
+func init() {
+	crypto.RegisterHash(crypto.MD4, New)
+}
+
+// Size is the size of an MD4 checksum in bytes.
+const Size = 16
+
+// BlockSize is the blocksize of MD4 in bytes.
+const BlockSize = 64
+
+const (
+	_Chunk = 64
+	_Init0 = 0x67452301
+	_Init1 = 0xEFCDAB89
+	_Init2 = 0x98BADCFE
+	_Init3 = 0x10325476
+)
+
+// digest represents the partial evaluation of a checksum.
+type digest struct {
+	s   [4]uint32
+	x   [_Chunk]byte
+	nx  int
+	len uint64
+}
+
+func (d *digest) Reset() {
+	d.s[0] = _Init0
+	d.s[1] = _Init1
+	d.s[2] = _Init2
+	d.s[3] = _Init3
+	d.nx = 0
+	d.len = 0
+}
+
+// New returns a new hash.Hash computing the MD4 checksum.
+func New() hash.Hash {
+	d := new(digest)
+	d.Reset()
+	return d
+}
+
+func (d *digest) Size() int { return Size }
+
+func (d *digest) BlockSize() int { return BlockSize }
+
+func (d *digest) Write(p []byte) (nn int, err error) {
+	nn = len(p)
+	d.len += uint64(nn)
+	if d.nx > 0 {
+		n := len(p)
+		if n > _Chunk-d.nx {
+			n = _Chunk - d.nx
+		}
+		for i := 0; i < n; i++ {
+			d.x[d.nx+i] = p[i]
+		}
+		d.nx += n
+		if d.nx == _Chunk {
+			_Block(d, d.x[0:])
+			d.nx = 0
+		}
+		p = p[n:]
+	}
+	n := _Block(d, p)
+	p = p[n:]
+	if len(p) > 0 {
+		d.nx = copy(d.x[:], p)
+	}
+	return
+}
+
+func (d *digest) Sum(in []byte) []byte {
+	// Make a copy of d0, so that caller can keep writing and summing.
+	dc := new(digest)
+	*dc = *d
+
+	// Padding.  Add a 1 bit and 0 bits until 56 bytes mod 64.
+	plen := dc.len
+	var tmp [64]byte
+	tmp[0] = 0x80
+	if plen%64 < 56 {
+		_, _ = dc.Write(tmp[0 : 56-plen%64])
+	} else {
+		_, _ = dc.Write(tmp[0 : 64+56-plen%64])
+	}
+
+	// Length in bits.
+	plen <<= 3
+	for i := uint(0); i < 8; i++ {
+		tmp[i] = byte(plen >> (8 * i))
+	}
+	_, _ = dc.Write(tmp[0:8])
+
+	if dc.nx != 0 {
+		panic("dc.nx != 0")
+	}
+
+	for _, s := range dc.s {
+		in = append(in, byte(s>>0))
+		in = append(in, byte(s>>8))
+		in = append(in, byte(s>>16))
+		in = append(in, byte(s>>24))
+	}
+	return in
+}

md4/md4_test.go

@@ -0,0 +1,71 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package md4
+
+import (
+	"fmt"
+	"io"
+	"testing"
+)
+
+type md4Test struct {
+	out string
+	in  string
+}
+
+var golden = []md4Test{
+	{"31d6cfe0d16ae931b73c59d7e0c089c0", ""},
+	{"bde52cb31de33e46245e05fbdbd6fb24", "a"},
+	{"ec388dd78999dfc7cf4632465693b6bf", "ab"},
+	{"a448017aaf21d8525fc10ae87aa6729d", "abc"},
+	{"41decd8f579255c5200f86a4bb3ba740", "abcd"},
+	{"9803f4a34e8eb14f96adba49064a0c41", "abcde"},
+	{"804e7f1c2586e50b49ac65db5b645131", "abcdef"},
+	{"752f4adfe53d1da0241b5bc216d098fc", "abcdefg"},
+	{"ad9daf8d49d81988590a6f0e745d15dd", "abcdefgh"},
+	{"1e4e28b05464316b56402b3815ed2dfd", "abcdefghi"},
+	{"dc959c6f5d6f9e04e4380777cc964b3d", "abcdefghij"},
+	{"1b5701e265778898ef7de5623bbe7cc0", "Discard medicine more than two years old."},
+	{"d7f087e090fe7ad4a01cb59dacc9a572", "He who has a shady past knows that nice guys finish last."},
+	{"a6f8fd6df617c72837592fc3570595c9", "I wouldn't marry him with a ten foot pole."},
+	{"c92a84a9526da8abc240c05d6b1a1ce0", "Free! Free!/A trip/to Mars/for 900/empty jars/Burma Shave"},
+	{"f6013160c4dcb00847069fee3bb09803", "The days of the digital watch are numbered.  -Tom Stoppard"},
+	{"2c3bb64f50b9107ed57640fe94bec09f", "Nepal premier won't resign."},
+	{"45b7d8a32c7806f2f7f897332774d6e4", "For every action there is an equal and opposite government program."},
+	{"b5b4f9026b175c62d7654bdc3a1cd438", "His money is twice tainted: 'taint yours and 'taint mine."},
+	{"caf44e80f2c20ce19b5ba1cab766e7bd", "There is no reason for any individual to have a computer in their home. -Ken Olsen, 1977"},
+	{"191fae6707f496aa54a6bce9f2ecf74d", "It's a tiny change to the code and not completely disgusting. - Bob Manchek"},
+	{"9ddc753e7a4ccee6081cd1b45b23a834", "size:  a.out:  bad magic"},
+	{"8d050f55b1cadb9323474564be08a521", "The major problem is with sendmail.  -Mark Horton"},
+	{"ad6e2587f74c3e3cc19146f6127fa2e3", "Give me a rock, paper and scissors and I will move the world.  CCFestoon"},
+	{"1d616d60a5fabe85589c3f1566ca7fca", "If the enemy is within range, then so are you."},
+	{"aec3326a4f496a2ced65a1963f84577f", "It's well we cannot hear the screams/That we create in others' dreams."},
+	{"77b4fd762d6b9245e61c50bf6ebf118b", "You remind me of a TV show, but that's all right: I watch it anyway."},
+	{"e8f48c726bae5e516f6ddb1a4fe62438", "C is as portable as Stonehedge!!"},
+	{"a3a84366e7219e887423b01f9be7166e", "Even if I could be Shakespeare, I think I should still choose to be Faraday. - A. Huxley"},
+	{"a6b7aa35157e984ef5d9b7f32e5fbb52", "The fugacity of a constituent in a mixture of gases at a given temperature is proportional to its mole fraction.  Lewis-Randall Rule"},
+	{"75661f0545955f8f9abeeb17845f3fd6", "How can you write a big system without C++?  -Paul Glick"},
+}
+
+func TestGolden(t *testing.T) {
+	for i := 0; i < len(golden); i++ {
+		g := golden[i]
+		c := New()
+		for j := 0; j < 3; j++ {
+			if j < 2 {
+				_, _ = io.WriteString(c, g.in)
+			} else {
+				_, _ = io.WriteString(c, g.in[0:len(g.in)/2])
+				c.Sum(nil)
+				_, _ = io.WriteString(c, g.in[len(g.in)/2:])
+			}
+			s := fmt.Sprintf("%x", c.Sum(nil))
+			if s != g.out {
+				t.Fatalf("md4[%d](%s) = %s want %s", j, g.in, s, g.out)
+			}
+			c.Reset()
+		}
+	}
+}