init_sec_context.c [plain text]
#include "ntlm.h"
#include <fnmatch.h>
static int
validate_hostname(ntlm_name name)
{
CFArrayRef array;
CFStringRef el;
CFIndex n, max;
char *str;
int res = 0;
if (name->domain == NULL)
return 0;
array = _gss_mg_copy_key(CFSTR("com.apple.GSS.NTLM"), CFSTR("AllowedHosts"));
if (array == NULL)
return 1;
if (CFGetTypeID(array) != CFArrayGetTypeID()) {
_gss_mg_log(1, "NTLM: invalid type of AllowedHosts");
CFRelease(array);
return 0;
}
max = CFArrayGetCount(array);
for (n = 0, res = 0; n < max && !res; n++) {
el = CFArrayGetValueAtIndex(array, n);
if (el == NULL || CFGetTypeID(el) != CFStringGetTypeID())
continue;
str = rk_cfstring2cstring(el);
if (str == NULL)
continue;
res = (fnmatch(str, name->domain, FNM_CASEFOLD) == 0);
free(str);
}
CFRelease(array);
return res;
}
static OM_uint32
_gss_ntlm_copy_cred(OM_uint32 * minor, ntlm_cred from, ntlm_cred *to)
{
return _gss_ntlm_duplicate_name(minor, (gss_name_t)from, (gss_name_t *)to);
}
OM_uint32
_gss_ntlm_init_sec_context(OM_uint32 * minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec)
{
OM_uint32 major;
ntlm_ctx ctx;
ntlm_name name = (ntlm_name) target_name;
*minor_status = 0;
if (ret_flags)
*ret_flags = 0;
if (time_rec)
*time_rec = 0;
if (actual_mech_type)
*actual_mech_type = GSS_C_NO_OID;
if (name == NULL)
return GSS_S_BAD_NAME;
if (!gss_mo_get(GSS_NTLM_MECHANISM, GSS_C_NTLM_V1, NULL) &&
!gss_mo_get(GSS_NTLM_MECHANISM, GSS_C_NTLM_V2, NULL))
{
*minor_status = 0;
return GSS_S_UNAVAILABLE;
}
ctx = (ntlm_ctx) *context_handle;
if (actual_mech_type)
*actual_mech_type = GSS_NTLM_MECHANISM;
if (ret_flags)
*ret_flags = 0;
if (ctx == NULL) {
struct ntlm_type1 type1;
struct ntlm_buf data;
uint32_t flags = 0;
int ret;
if (!validate_hostname(name))
return gss_mg_set_error_string(GSS_NTLM_MECHANISM, GSS_S_FAILURE,
(*minor_status = EAUTH),
"Not allowed to use NTLM to host %s",
name->domain ? name->domain : "???");
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
*minor_status = ENOMEM;
return gss_mg_set_error_string(GSS_NTLM_MECHANISM, GSS_S_FAILURE,
ENOMEM, "out of memory");
}
*context_handle = (gss_ctx_id_t) ctx;
ctx->status |= STATUS_CLIENT;
if (initiator_cred_handle != GSS_C_NO_CREDENTIAL) {
ntlm_cred cred = (ntlm_cred) initiator_cred_handle;
major = _gss_ntlm_copy_cred(minor_status, cred, &ctx->client);
} else {
ctx->client = calloc(1, sizeof(*ctx->client));
ctx->client->user = strdup("");
ctx->client->domain = strdup("");
major = GSS_S_COMPLETE;
}
if (major) {
OM_uint32 junk;
_gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
return major;
}
major = _gss_ntlm_duplicate_name(minor_status, (gss_name_t)name, &ctx->targetname);
if (major) {
OM_uint32 junk;
_gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
return major;
}
ret = asprintf(&ctx->clientsuppliedtargetname, "%s/%s", name->user, name->domain);
if (ret < 0 || ctx->clientsuppliedtargetname == NULL) {
OM_uint32 junk;
_gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
return major;
}
flags |= NTLM_NEG_UNICODE;
flags |= NTLM_NEG_NTLM;
flags |= NTLM_NEG_TARGET;
flags |= NTLM_NEG_VERSION;
if (req_flags & GSS_C_ANON_FLAG) {
flags |= NTLM_NEG_ANONYMOUS;
} else {
if ((ctx->client->flags & NTLM_ANON_NAME) != 0) {
OM_uint32 junk;
_gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
gss_mg_set_error_string(GSS_NTLM_MECHANISM, GSS_S_NO_CRED, 0,
"Cant authenticate with anon name");
*minor_status = 0;
return GSS_S_NO_CRED;
}
if (req_flags & GSS_C_CONF_FLAG) {
flags |= NTLM_NEG_SEAL;
flags |= NTLM_NEG_SIGN;
flags |= NTLM_NEG_ALWAYS_SIGN;
}
if (req_flags & GSS_C_INTEG_FLAG) {
flags |= NTLM_NEG_SIGN;
flags |= NTLM_NEG_ALWAYS_SIGN;
}
flags |= NTLM_NEG_NTLM2_SESSION;
flags |= NTLM_ENC_128;
flags |= NTLM_NEG_KEYEX;
flags |= NTLM_NEG_TARGET_INFO;
}
memset(&type1, 0, sizeof(type1));
type1.flags = flags;
type1.domain = NULL;
type1.hostname = NULL;
type1.os[0] = 0x0601b01d;
type1.os[1] = 0x0000000f;
ret = heim_ntlm_encode_type1(&type1, &data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
output_token->value = data.data;
output_token->length = data.length;
ret = krb5_data_copy(&ctx->type1, data.data, data.length);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->flags = flags;
_gss_mg_log(1, "ntlm-isc-type1: %s\\%s",
ctx->client->domain, ctx->client->user);
return GSS_S_CONTINUE_NEEDED;
} else if (ctx->flags & NTLM_NEG_ANONYMOUS) {
struct ntlm_type2 type2;
struct ntlm_type3 type3;
struct ntlm_buf ndata;
int ret;
memset(&type2, 0, sizeof(type2));
memset(&type3, 0, sizeof(type3));
if (input_token == GSS_C_NO_BUFFER)
return GSS_S_FAILURE;
ndata.data = input_token->value;
ndata.length = input_token->length;
ret = heim_ntlm_decode_type2(&ndata, &type2);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
type3.username = "";
type3.flags = ctx->flags;
type3.targetname = "";
type3.ws = "";
type3.lm.data = "\x00";
type3.lm.length = 1;
ret = heim_ntlm_encode_type3(&type3, &ndata, NULL);
heim_ntlm_free_type2(&type2);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
output_token->value = ndata.data;
output_token->length = ndata.length;
ctx->gssflags |= GSS_C_ANON_FLAG;
ctx->srcname = _gss_ntlm_create_name(minor_status, "", "", 0);
if (ctx->srcname == NULL) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
return GSS_S_FAILURE;
}
_gss_mg_log(1, "ntlm-isc-type3: anonymous");
} else {
krb5_context context;
krb5_error_code ret;
krb5_storage *request, *response;
krb5_data response_data, data, cb;
char *ruser = NULL, *rdomain = NULL;
uint8_t channelbinding[16];
data.data = input_token->value;
data.length = input_token->length;
if (input_chan_bindings) {
major = gss_mg_gen_cb(minor_status, input_chan_bindings,
channelbinding, NULL);
if (major) {
OM_uint32 junk;
_gss_ntlm_delete_sec_context(&junk, context_handle, NULL);
return major;
}
cb.data = channelbinding;
cb.length = sizeof(channelbinding);
} else
krb5_data_zero(&cb);
ret = krb5_init_context(&context);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
return ret;
}
ret = krb5_kcm_storage_request(context, KCM_OP_DO_NTLM_AUTH, &request);
if (ret) {
krb5_free_context(context);
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_store_stringz(request, ctx->client->user);
if (ret == 0)
ret = krb5_store_stringz(request, ctx->client->domain);
if (ret == 0)
ret = krb5_store_data(request, data);
if (ret == 0)
ret = krb5_store_data(request, cb);
if (ret == 0)
ret = krb5_store_data(request, ctx->type1);
if (ret == 0)
ret = krb5_store_stringz(request, ctx->clientsuppliedtargetname);
if (ret == 0)
ret = krb5_store_uint32(request, ctx->flags);
if (ret == 0)
ret = krb5_kcm_call(context, request, &response, &response_data);
krb5_free_context(context);
krb5_storage_free(request);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return gss_mg_set_error_string(GSS_NTLM_MECHANISM, GSS_S_FAILURE, ret,
"failed to create ntlm response");
}
ret = krb5_ret_data(response, &data);
if (ret == 0)
ret = krb5_ret_uint32(response, &ctx->kcmflags);
if (ret == 0)
ret = krb5_ret_data(response, &ctx->sessionkey);
if (ret == 0)
ret = krb5_ret_string(response, &ruser);
if (ret == 0)
ret = krb5_ret_string(response, &rdomain);
if (ret == 0)
ret = krb5_ret_uint32(response, &ctx->flags);
if (ret)
ret = KRB5_CC_IO;
krb5_storage_free(response);
krb5_data_free(&response_data);
_gss_mg_log(1, "ntlm-isc-type3: kcm returned %d", ret);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
krb5_data_free(&data);
free(ruser);
free(rdomain);
*minor_status = ret;
return gss_mg_set_error_string(GSS_NTLM_MECHANISM, GSS_S_FAILURE, ret,
"failed parse kcm reply");
}
_gss_mg_log(1, "ntlm-isc-type3: %s\\%s", rdomain, ruser);
ctx->srcname = _gss_ntlm_create_name(minor_status, ruser, rdomain, 0);
free(ruser);
free(rdomain);
if (ctx->srcname == NULL) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
krb5_data_free(&data);
return GSS_S_FAILURE;
}
output_token->length = data.length;
output_token->value = data.data;
}
ctx->status |= STATUS_OPEN;
_gss_ntlm_set_keys(ctx);
if (ret_flags)
*ret_flags = ctx->gssflags;
if (time_rec)
*time_rec = GSS_C_INDEFINITE;
return GSS_S_COMPLETE;
}