/crypto/heimdal/lib/gssapi/ntlm/init_sec_context.c

  1/*
  2 * Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
  3 * (Royal Institute of Technology, Stockholm, Sweden).
  4 * All rights reserved.
  5 *
  6 * Redistribution and use in source and binary forms, with or without
  7 * modification, are permitted provided that the following conditions
  8 * are met:
  9 *
 10 * 1. Redistributions of source code must retain the above copyright
 11 *    notice, this list of conditions and the following disclaimer.
 12 *
 13 * 2. Redistributions in binary form must reproduce the above copyright
 14 *    notice, this list of conditions and the following disclaimer in the
 15 *    documentation and/or other materials provided with the distribution.
 16 *
 17 * 3. Neither the name of the Institute nor the names of its contributors
 18 *    may be used to endorse or promote products derived from this software
 19 *    without specific prior written permission.
 20 *
 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 31 * SUCH DAMAGE.
 32 */
 33
 34#include "ntlm.h"
 35
 36static int
 37from_file(const char *fn, const char *target_domain,
 38	  char **username, struct ntlm_buf *key)
 39{
 40    char *str, buf[1024];
 41    FILE *f;
 42
 43    f = fopen(fn, "r");
 44    if (f == NULL)
 45	return ENOENT;
 46    rk_cloexec_file(f);
 47
 48    while (fgets(buf, sizeof(buf), f) != NULL) {
 49	char *d, *u, *p;
 50	buf[strcspn(buf, "\r\n")] = '\0';
 51	if (buf[0] == '#')
 52	    continue;
 53	str = NULL;
 54	d = strtok_r(buf, ":", &str);
 55	if (d && strcasecmp(target_domain, d) != 0)
 56	    continue;
 57	u = strtok_r(NULL, ":", &str);
 58	p = strtok_r(NULL, ":", &str);
 59	if (u == NULL || p == NULL)
 60	    continue;
 61
 62	*username = strdup(u);
 63
 64	heim_ntlm_nt_key(p, key);
 65
 66	memset(buf, 0, sizeof(buf));
 67	fclose(f);
 68	return 0;
 69    }
 70    memset(buf, 0, sizeof(buf));
 71    fclose(f);
 72    return ENOENT;
 73}
 74
 75static int
 76get_user_file(const ntlm_name target_name,
 77	      char **username, struct ntlm_buf *key)
 78{
 79    const char *fn;
 80
 81    if (issuid())
 82	return ENOENT;
 83
 84    fn = getenv("NTLM_USER_FILE");
 85    if (fn == NULL)
 86	return ENOENT;
 87    if (from_file(fn, target_name->domain, username, key) == 0)
 88	return 0;
 89
 90    return ENOENT;
 91}
 92
 93/*
 94 * Pick up the ntlm cred from the default krb5 credential cache.
 95 */
 96
 97static int
 98get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
 99{
100    krb5_context context = NULL;
101    krb5_principal client;
102    krb5_ccache id = NULL;
103    krb5_error_code ret;
104    char *confname;
105    krb5_data data;
106
107    *username = NULL;
108    krb5_data_zero(&data);
109    key->length = 0;
110    key->data = NULL;
111
112    ret = krb5_init_context(&context);
113    if (ret)
114	return ret;
115
116    ret = krb5_cc_default(context, &id);
117    if (ret)
118	goto out;
119
120    ret = krb5_cc_get_principal(context, id, &client);
121    if (ret)
122	goto out;
123
124    ret = krb5_unparse_name_flags(context, client,
125				  KRB5_PRINCIPAL_UNPARSE_NO_REALM,
126				  username);
127    krb5_free_principal(context, client);
128    if (ret)
129	goto out;
130
131    asprintf(&confname, "ntlm-key-%s", name->domain);
132    if (confname == NULL) {
133	krb5_clear_error_message(context);
134	ret = ENOMEM;
135	goto out;
136    }
137
138    ret = krb5_cc_get_config(context, id, NULL,
139			     confname, &data);
140    if (ret)
141	goto out;
142
143    key->data = malloc(data.length);
144    if (key->data == NULL) {
145	ret = ENOMEM;
146	goto out;
147    }
148    key->length = data.length;
149    memcpy(key->data, data.data, data.length);
150
151 out:
152    krb5_data_free(&data);
153    if (id)
154	krb5_cc_close(context, id);
155
156    krb5_free_context(context);
157
158    return ret;
159}
160
161int
162_gss_ntlm_get_user_cred(const ntlm_name target_name,
163			ntlm_cred *rcred)
164{
165    ntlm_cred cred;
166    int ret;
167
168    cred = calloc(1, sizeof(*cred));
169    if (cred == NULL)
170	return ENOMEM;
171
172    ret = get_user_file(target_name, &cred->username, &cred->key);
173    if (ret)
174	ret = get_user_ccache(target_name, &cred->username, &cred->key);
175    if (ret) {
176	free(cred);
177	return ret;
178    }
179
180    cred->domain = strdup(target_name->domain);
181    *rcred = cred;
182
183    return ret;
184}
185
186static int
187_gss_copy_cred(ntlm_cred from, ntlm_cred *to)
188{
189    *to = calloc(1, sizeof(**to));
190    if (*to == NULL)
191	return ENOMEM;
192    (*to)->username = strdup(from->username);
193    if ((*to)->username == NULL) {
194	free(*to);
195	return ENOMEM;
196    }
197    (*to)->domain = strdup(from->domain);
198    if ((*to)->domain == NULL) {
199	free((*to)->username);
200	free(*to);
201	return ENOMEM;
202    }
203    (*to)->key.data = malloc(from->key.length);
204    if ((*to)->key.data == NULL) {
205	free((*to)->domain);
206	free((*to)->username);
207	free(*to);
208	return ENOMEM;
209    }
210    memcpy((*to)->key.data, from->key.data, from->key.length);
211    (*to)->key.length = from->key.length;
212
213    return 0;
214}
215
216OM_uint32 GSSAPI_CALLCONV
217_gss_ntlm_init_sec_context
218           (OM_uint32 * minor_status,
219            const gss_cred_id_t initiator_cred_handle,
220            gss_ctx_id_t * context_handle,
221            const gss_name_t target_name,
222            const gss_OID mech_type,
223            OM_uint32 req_flags,
224            OM_uint32 time_req,
225            const gss_channel_bindings_t input_chan_bindings,
226            const gss_buffer_t input_token,
227            gss_OID * actual_mech_type,
228            gss_buffer_t output_token,
229            OM_uint32 * ret_flags,
230            OM_uint32 * time_rec
231	   )
232{
233    ntlm_ctx ctx;
234    ntlm_name name = (ntlm_name)target_name;
235
236    *minor_status = 0;
237
238    if (ret_flags)
239	*ret_flags = 0;
240    if (time_rec)
241	*time_rec = 0;
242    if (actual_mech_type)
243	*actual_mech_type = GSS_C_NO_OID;
244
245    if (*context_handle == GSS_C_NO_CONTEXT) {
246	struct ntlm_type1 type1;
247	struct ntlm_buf data;
248	uint32_t flags = 0;
249	int ret;
250
251	ctx = calloc(1, sizeof(*ctx));
252	if (ctx == NULL) {
253	    *minor_status = EINVAL;
254	    return GSS_S_FAILURE;
255	}
256	*context_handle = (gss_ctx_id_t)ctx;
257
258	if (initiator_cred_handle != GSS_C_NO_CREDENTIAL) {
259	    ntlm_cred cred = (ntlm_cred)initiator_cred_handle;
260	    ret = _gss_copy_cred(cred, &ctx->client);
261	} else
262	    ret = _gss_ntlm_get_user_cred(name, &ctx->client);
263
264	if (ret) {
265	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
266	    *minor_status = ret;
267	    return GSS_S_FAILURE;
268	}
269
270	if (req_flags & GSS_C_CONF_FLAG)
271	    flags |= NTLM_NEG_SEAL;
272	if (req_flags & GSS_C_INTEG_FLAG)
273	    flags |= NTLM_NEG_SIGN;
274	else
275	    flags |= NTLM_NEG_ALWAYS_SIGN;
276
277	flags |= NTLM_NEG_UNICODE;
278	flags |= NTLM_NEG_NTLM;
279	flags |= NTLM_NEG_NTLM2_SESSION;
280	flags |= NTLM_NEG_KEYEX;
281
282	memset(&type1, 0, sizeof(type1));
283
284	type1.flags = flags;
285	type1.domain = name->domain;
286	type1.hostname = NULL;
287	type1.os[0] = 0;
288	type1.os[1] = 0;
289
290	ret = heim_ntlm_encode_type1(&type1, &data);
291	if (ret) {
292	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
293	    *minor_status = ret;
294	    return GSS_S_FAILURE;
295	}
296
297	output_token->value = data.data;
298	output_token->length = data.length;
299
300	return GSS_S_CONTINUE_NEEDED;
301    } else {
302	krb5_error_code ret;
303	struct ntlm_type2 type2;
304	struct ntlm_type3 type3;
305	struct ntlm_buf data;
306
307	ctx = (ntlm_ctx)*context_handle;
308
309	data.data = input_token->value;
310	data.length = input_token->length;
311
312	ret = heim_ntlm_decode_type2(&data, &type2);
313	if (ret) {
314	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
315	    *minor_status = ret;
316	    return GSS_S_FAILURE;
317	}
318
319	ctx->flags = type2.flags;
320
321	/* XXX check that type2.targetinfo matches `target_name´ */
322	/* XXX check verify targetinfo buffer */
323
324	memset(&type3, 0, sizeof(type3));
325
326	type3.username = ctx->client->username;
327	type3.flags = type2.flags;
328	type3.targetname = type2.targetname;
329	type3.ws = rk_UNCONST("workstation");
330
331	/*
332	 * NTLM Version 1 if no targetinfo buffer.
333	 */
334
335	if (1 || type2.targetinfo.length == 0) {
336	    struct ntlm_buf sessionkey;
337
338	    if (type2.flags & NTLM_NEG_NTLM2_SESSION) {
339		unsigned char nonce[8];
340
341		if (RAND_bytes(nonce, sizeof(nonce)) != 1) {
342		    _gss_ntlm_delete_sec_context(minor_status,
343						 context_handle, NULL);
344		    *minor_status = EINVAL;
345		    return GSS_S_FAILURE;
346		}
347
348		ret = heim_ntlm_calculate_ntlm2_sess(nonce,
349						     type2.challenge,
350						     ctx->client->key.data,
351						     &type3.lm,
352						     &type3.ntlm);
353	    } else {
354		ret = heim_ntlm_calculate_ntlm1(ctx->client->key.data,
355						ctx->client->key.length,
356						type2.challenge,
357						&type3.ntlm);
358
359	    }
360	    if (ret) {
361		_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
362		*minor_status = ret;
363		return GSS_S_FAILURE;
364	    }
365
366	    ret = heim_ntlm_build_ntlm1_master(ctx->client->key.data,
367					       ctx->client->key.length,
368					       &sessionkey,
369					       &type3.sessionkey);
370	    if (ret) {
371		if (type3.lm.data)
372		    free(type3.lm.data);
373		if (type3.ntlm.data)
374		    free(type3.ntlm.data);
375		_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
376		*minor_status = ret;
377		return GSS_S_FAILURE;
378	    }
379
380	    ret = krb5_data_copy(&ctx->sessionkey,
381				 sessionkey.data, sessionkey.length);
382	    free(sessionkey.data);
383	    if (ret) {
384		if (type3.lm.data)
385		    free(type3.lm.data);
386		if (type3.ntlm.data)
387		    free(type3.ntlm.data);
388		_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
389		*minor_status = ret;
390		return GSS_S_FAILURE;
391	    }
392	    ctx->status |= STATUS_SESSIONKEY;
393
394	} else {
395	    struct ntlm_buf sessionkey;
396	    unsigned char ntlmv2[16];
397	    struct ntlm_targetinfo ti;
398
399	    /* verify infotarget */
400
401	    ret = heim_ntlm_decode_targetinfo(&type2.targetinfo, 1, &ti);
402	    if(ret) {
403		_gss_ntlm_delete_sec_context(minor_status,
404					     context_handle, NULL);
405		*minor_status = ret;
406		return GSS_S_FAILURE;
407	    }
408
409	    if (ti.domainname && strcmp(ti.domainname, name->domain) != 0) {
410		_gss_ntlm_delete_sec_context(minor_status,
411					     context_handle, NULL);
412		*minor_status = EINVAL;
413		return GSS_S_FAILURE;
414	    }
415
416	    ret = heim_ntlm_calculate_ntlm2(ctx->client->key.data,
417					    ctx->client->key.length,
418					    ctx->client->username,
419					    name->domain,
420					    type2.challenge,
421					    &type2.targetinfo,
422					    ntlmv2,
423					    &type3.ntlm);
424	    if (ret) {
425		_gss_ntlm_delete_sec_context(minor_status,
426					     context_handle, NULL);
427		*minor_status = ret;
428		return GSS_S_FAILURE;
429	    }
430
431	    ret = heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
432					       &sessionkey,
433					       &type3.sessionkey);
434	    memset(ntlmv2, 0, sizeof(ntlmv2));
435	    if (ret) {
436		_gss_ntlm_delete_sec_context(minor_status,
437					     context_handle, NULL);
438		*minor_status = ret;
439		return GSS_S_FAILURE;
440	    }
441
442	    ctx->flags |= NTLM_NEG_NTLM2_SESSION;
443
444	    ret = krb5_data_copy(&ctx->sessionkey,
445				 sessionkey.data, sessionkey.length);
446	    free(sessionkey.data);
447	    if (ret) {
448		_gss_ntlm_delete_sec_context(minor_status,
449					     context_handle, NULL);
450		*minor_status = ret;
451		return GSS_S_FAILURE;
452	    }
453	}
454
455	if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
456	    ctx->status |= STATUS_SESSIONKEY;
457	    _gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
458			      ctx->sessionkey.data,
459			      ctx->sessionkey.length);
460	    _gss_ntlm_set_key(&ctx->u.v2.recv, 1, (ctx->flags & NTLM_NEG_KEYEX),
461			      ctx->sessionkey.data,
462			      ctx->sessionkey.length);
463	} else {
464	    ctx->status |= STATUS_SESSIONKEY;
465	    RC4_set_key(&ctx->u.v1.crypto_recv.key,
466			ctx->sessionkey.length,
467			ctx->sessionkey.data);
468	    RC4_set_key(&ctx->u.v1.crypto_send.key,
469			ctx->sessionkey.length,
470			ctx->sessionkey.data);
471	}
472
473
474
475	ret = heim_ntlm_encode_type3(&type3, &data);
476	free(type3.sessionkey.data);
477	if (type3.lm.data)
478	    free(type3.lm.data);
479	if (type3.ntlm.data)
480	    free(type3.ntlm.data);
481	if (ret) {
482	    _gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
483	    *minor_status = ret;
484	    return GSS_S_FAILURE;
485	}
486
487	output_token->length = data.length;
488	output_token->value = data.data;
489
490	if (actual_mech_type)
491	    *actual_mech_type = GSS_NTLM_MECHANISM;
492	if (ret_flags)
493	    *ret_flags = 0;
494	if (time_rec)
495	    *time_rec = GSS_C_INDEFINITE;
496
497	ctx->status |= STATUS_OPEN;
498
499	return GSS_S_COMPLETE;
500    }
501}