static int
test_libntlm_v2(int flags)
{
const char *user = "******",
*domain = "mydomain",
*password = "******";
OM_uint32 maj_stat, min_stat;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc input, output;
struct ntlm_type1 type1;
struct ntlm_type2 type2;
struct ntlm_type3 type3;
struct ntlm_buf data;
krb5_error_code ret;
memset(&type1, 0, sizeof(type1));
memset(&type2, 0, sizeof(type2));
memset(&type3, 0, sizeof(type3));
type1.flags = NTLM_NEG_UNICODE|NTLM_NEG_NTLM|flags;
type1.domain = strdup(domain);
type1.hostname = NULL;
type1.os[0] = 0;
type1.os[1] = 0;
ret = heim_ntlm_encode_type1(&type1, &data);
if (ret)
errx(1, "heim_ntlm_encode_type1");
input.value = data.data;
input.length = data.length;
output.length = 0;
output.value = NULL;
maj_stat = gss_accept_sec_context(&min_stat,
&ctx,
GSS_C_NO_CREDENTIAL,
&input,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
NULL,
&output,
NULL,
NULL,
NULL);
free(data.data);
if (GSS_ERROR(maj_stat))
errx(1, "accept_sec_context v2 %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
if (output.length == 0)
errx(1, "output.length == 0");
data.data = output.value;
data.length = output.length;
ret = heim_ntlm_decode_type2(&data, &type2);
if (ret)
errx(1, "heim_ntlm_decode_type2");
type3.flags = type2.flags;
type3.username = rk_UNCONST(user);
type3.targetname = type2.targetname;
type3.ws = rk_UNCONST("workstation");
{
struct ntlm_buf key;
unsigned char ntlmv2[16];
heim_ntlm_nt_key(password, &key);
heim_ntlm_calculate_ntlm2(key.data, key.length,
user,
type2.targetname,
type2.challenge,
&type2.targetinfo,
ntlmv2,
&type3.ntlm);
free(key.data);
if (flags & NTLM_NEG_KEYEX) {
struct ntlm_buf sessionkey;
heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
&sessionkey,
&type3.sessionkey);
free(sessionkey.data);
}
}
ret = heim_ntlm_encode_type3(&type3, &data);
if (ret)
errx(1, "heim_ntlm_encode_type3");
input.length = data.length;
input.value = data.data;
maj_stat = gss_accept_sec_context(&min_stat,
&ctx,
GSS_C_NO_CREDENTIAL,
&input,
GSS_C_NO_CHANNEL_BINDINGS,
NULL,
NULL,
&output,
NULL,
NULL,
NULL);
free(input.value);
if (maj_stat != GSS_S_COMPLETE)
errx(1, "accept_sec_context v2 2 %s",
gssapi_err(maj_stat, min_stat, GSS_C_NO_OID));
gss_delete_sec_context(&min_stat, &ctx, NULL);
return 0;
}
static krb5_error_code
kcm_op_do_ntlm(krb5_context context,
kcm_client *client,
kcm_operation opcode,
krb5_storage *request,
krb5_storage *response)
{
struct kcm_ntlm_cred *c;
struct ntlm_type2 type2;
struct ntlm_type3 type3;
char *user = NULL, *domain = NULL;
struct ntlm_buf ndata, sessionkey;
krb5_data data;
krb5_error_code ret;
uint32_t flags = 0;
memset(&type2, 0, sizeof(type2));
memset(&type3, 0, sizeof(type3));
sessionkey.data = NULL;
sessionkey.length = 0;
ret = krb5_ret_stringz(request, &user);
if (ret)
goto error;
ret = krb5_ret_stringz(request, &domain);
if (ret)
goto error;
if (domain[0] == '\0') {
free(domain);
domain = NULL;
}
c = find_ntlm_cred(user, domain, client);
if (c == NULL) {
ret = EINVAL;
goto error;
}
ret = krb5_ret_data(request, &data);
if (ret)
goto error;
ndata.data = data.data;
ndata.length = data.length;
ret = heim_ntlm_decode_type2(&ndata, &type2);
krb5_data_free(&data);
if (ret)
goto error;
if (domain && strcmp(domain, type2.targetname) == 0) {
ret = EINVAL;
goto error;
}
type3.username = c->user;
type3.flags = type2.flags;
type3.targetname = type2.targetname;
type3.ws = rk_UNCONST("workstation");
/*
* NTLM Version 1 if no targetinfo buffer.
*/
if (1 || type2.targetinfo.length == 0) {
struct ntlm_buf sessionkey;
if (type2.flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char nonce[8];
if (RAND_bytes(nonce, sizeof(nonce)) != 1) {
ret = EINVAL;
goto error;
}
ret = heim_ntlm_calculate_ntlm2_sess(nonce,
type2.challenge,
c->nthash.data,
&type3.lm,
&type3.ntlm);
} else {
ret = heim_ntlm_calculate_ntlm1(c->nthash.data,
c->nthash.length,
type2.challenge,
&type3.ntlm);
}
if (ret)
goto error;
ret = heim_ntlm_build_ntlm1_master(c->nthash.data,
c->nthash.length,
&sessionkey,
&type3.sessionkey);
if (ret) {
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
goto error;
}
free(sessionkey.data);
if (ret) {
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
goto error;
}
flags |= NTLM_FLAG_SESSIONKEY;
#if 0
} else {
struct ntlm_buf sessionkey;
unsigned char ntlmv2[16];
struct ntlm_targetinfo ti;
/* verify infotarget */
ret = heim_ntlm_decode_targetinfo(&type2.targetinfo, 1, &ti);
if(ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
if (ti.domainname && strcmp(ti.domainname, name->domain) != 0) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = heim_ntlm_calculate_ntlm2(ctx->client->key.data,
ctx->client->key.length,
type3.username,
name->domain,
type2.challenge,
&type2.targetinfo,
ntlmv2,
&type3.ntlm);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
&sessionkey,
&type3.sessionkey);
memset(ntlmv2, 0, sizeof(ntlmv2));
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
flags |= NTLM_FLAG_NTLM2_SESSION |
NTLM_FLAG_SESSION;
if (type3.flags & NTLM_NEG_KEYEX)
flags |= NTLM_FLAG_KEYEX;
ret = krb5_data_copy(&ctx->sessionkey,
sessionkey.data, sessionkey.length);
free(sessionkey.data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
#endif
}
#if 0
if (flags & NTLM_FLAG_NTLM2_SESSION) {
_gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
ctx->sessionkey.data,
ctx->sessionkey.length);
_gss_ntlm_set_key(&ctx->u.v2.recv, 1, (ctx->flags & NTLM_NEG_KEYEX),
ctx->sessionkey.data,
ctx->sessionkey.length);
} else {
flags |= NTLM_FLAG_SESSION;
RC4_set_key(&ctx->u.v1.crypto_recv.key,
ctx->sessionkey.length,
ctx->sessionkey.data);
RC4_set_key(&ctx->u.v1.crypto_send.key,
ctx->sessionkey.length,
ctx->sessionkey.data);
}
#endif
ret = heim_ntlm_encode_type3(&type3, &ndata);
if (ret)
goto error;
data.data = ndata.data;
data.length = ndata.length;
ret = krb5_store_data(response, data);
heim_ntlm_free_buf(&ndata);
if (ret) goto error;
ret = krb5_store_int32(response, flags);
if (ret) goto error;
data.data = sessionkey.data;
data.length = sessionkey.length;
ret = krb5_store_data(response, data);
if (ret) goto error;
error:
free(type3.username);
heim_ntlm_free_type2(&type2);
free(user);
if (domain)
free(domain);
return ret;
}
OM_uint32 GSSAPI_CALLCONV
_gss_ntlm_init_sec_context
(OM_uint32 * minor_status,
gss_const_cred_id_t initiator_cred_handle,
gss_ctx_id_t * context_handle,
gss_const_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID * actual_mech_type,
gss_buffer_t output_token,
OM_uint32 * ret_flags,
OM_uint32 * time_rec
)
{
ntlm_ctx ctx;
ntlm_name name = (ntlm_name)target_name;
*minor_status = 0;
if (ret_flags)
*ret_flags = 0;
if (time_rec)
*time_rec = 0;
if (actual_mech_type)
*actual_mech_type = GSS_C_NO_OID;
if (*context_handle == GSS_C_NO_CONTEXT) {
struct ntlm_type1 type1;
struct ntlm_buf data;
uint32_t flags = 0;
int ret;
ctx = calloc(1, sizeof(*ctx));
if (ctx == NULL) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
*context_handle = (gss_ctx_id_t)ctx;
if (initiator_cred_handle != GSS_C_NO_CREDENTIAL) {
ntlm_cred cred = (ntlm_cred)initiator_cred_handle;
ret = _gss_copy_cred(cred, &ctx->client);
} else
ret = _gss_ntlm_get_user_cred(name, &ctx->client);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
if (req_flags & GSS_C_CONF_FLAG)
flags |= NTLM_NEG_SEAL;
if (req_flags & GSS_C_INTEG_FLAG)
flags |= NTLM_NEG_SIGN;
else
flags |= NTLM_NEG_ALWAYS_SIGN;
flags |= NTLM_NEG_UNICODE;
flags |= NTLM_NEG_NTLM;
flags |= NTLM_NEG_NTLM2_SESSION;
flags |= NTLM_NEG_KEYEX;
memset(&type1, 0, sizeof(type1));
type1.flags = flags;
type1.domain = name->domain;
type1.hostname = NULL;
type1.os[0] = 0;
type1.os[1] = 0;
ret = heim_ntlm_encode_type1(&type1, &data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
output_token->value = data.data;
output_token->length = data.length;
return GSS_S_CONTINUE_NEEDED;
} else {
krb5_error_code ret;
struct ntlm_type2 type2;
struct ntlm_type3 type3;
struct ntlm_buf data;
ctx = (ntlm_ctx)*context_handle;
data.data = input_token->value;
data.length = input_token->length;
ret = heim_ntlm_decode_type2(&data, &type2);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->flags = type2.flags;
/* XXX check that type2.targetinfo matches `target_name´ */
/* XXX check verify targetinfo buffer */
memset(&type3, 0, sizeof(type3));
type3.username = ctx->client->username;
type3.flags = type2.flags;
type3.targetname = type2.targetname;
type3.ws = rk_UNCONST("workstation");
/*
* NTLM Version 1 if no targetinfo buffer.
*/
if (1 || type2.targetinfo.length == 0) {
struct ntlm_buf sessionkey;
if (type2.flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char nonce[8];
if (RAND_bytes(nonce, sizeof(nonce)) != 1) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = heim_ntlm_calculate_ntlm2_sess(nonce,
type2.challenge,
ctx->client->key.data,
&type3.lm,
&type3.ntlm);
} else {
ret = heim_ntlm_calculate_ntlm1(ctx->client->key.data,
ctx->client->key.length,
type2.challenge,
&type3.ntlm);
}
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = heim_ntlm_build_ntlm1_master(ctx->client->key.data,
ctx->client->key.length,
&sessionkey,
&type3.sessionkey);
if (ret) {
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_data_copy(&ctx->sessionkey,
sessionkey.data, sessionkey.length);
free(sessionkey.data);
if (ret) {
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
_gss_ntlm_delete_sec_context(minor_status,context_handle,NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->status |= STATUS_SESSIONKEY;
} else {
struct ntlm_buf sessionkey;
unsigned char ntlmv2[16];
struct ntlm_targetinfo ti;
/* verify infotarget */
ret = heim_ntlm_decode_targetinfo(&type2.targetinfo, 1, &ti);
if(ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
if (ti.domainname && strcmp(ti.domainname, name->domain) != 0) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
ret = heim_ntlm_calculate_ntlm2(ctx->client->key.data,
ctx->client->key.length,
ctx->client->username,
name->domain,
type2.challenge,
&type2.targetinfo,
ntlmv2,
&type3.ntlm);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = heim_ntlm_build_ntlm1_master(ntlmv2, sizeof(ntlmv2),
&sessionkey,
&type3.sessionkey);
memset(ntlmv2, 0, sizeof(ntlmv2));
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
ctx->flags |= NTLM_NEG_NTLM2_SESSION;
ret = krb5_data_copy(&ctx->sessionkey,
sessionkey.data, sessionkey.length);
free(sessionkey.data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status,
context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
}
if (ctx->flags & NTLM_NEG_NTLM2_SESSION) {
ctx->status |= STATUS_SESSIONKEY;
_gss_ntlm_set_key(&ctx->u.v2.send, 0, (ctx->flags & NTLM_NEG_KEYEX),
ctx->sessionkey.data,
ctx->sessionkey.length);
_gss_ntlm_set_key(&ctx->u.v2.recv, 1, (ctx->flags & NTLM_NEG_KEYEX),
ctx->sessionkey.data,
ctx->sessionkey.length);
} else {
ctx->status |= STATUS_SESSIONKEY;
RC4_set_key(&ctx->u.v1.crypto_recv.key,
ctx->sessionkey.length,
ctx->sessionkey.data);
RC4_set_key(&ctx->u.v1.crypto_send.key,
ctx->sessionkey.length,
ctx->sessionkey.data);
}
ret = heim_ntlm_encode_type3(&type3, &data, NULL);
free(type3.sessionkey.data);
if (type3.lm.data)
free(type3.lm.data);
if (type3.ntlm.data)
free(type3.ntlm.data);
if (ret) {
_gss_ntlm_delete_sec_context(minor_status, context_handle, NULL);
*minor_status = ret;
return GSS_S_FAILURE;
}
output_token->length = data.length;
output_token->value = data.data;
if (actual_mech_type)
*actual_mech_type = GSS_NTLM_MECHANISM;
if (ret_flags)
*ret_flags = 0;
if (time_rec)
*time_rec = GSS_C_INDEFINITE;
ctx->status |= STATUS_OPEN;
return GSS_S_COMPLETE;
}
}
static int
test_keys(void)
{
const char
*username = "******",
*password = "******",
*target = "TESTNT";
const unsigned char
serverchallenge[8] = "\x67\x7f\x1c\x55\x7a\x5e\xe9\x6c";
struct ntlm_buf infotarget, infotarget2, answer, key;
unsigned char ntlmv2[16], ntlmv2_1[16];
int ret;
infotarget.length = 70;
infotarget.data =
"\x02\x00\x0c\x00\x54\x00\x45\x00\x53\x00\x54\x00\x4e\x00\x54\x00"
"\x01\x00\x0c\x00\x4d\x00\x45\x00\x4d\x00\x42\x00\x45\x00\x52\x00"
"\x03\x00\x1e\x00\x6d\x00\x65\x00\x6d\x00\x62\x00\x65\x00\x72\x00"
"\x2e\x00\x74\x00\x65\x00\x73\x00\x74\x00\x2e\x00\x63\x00\x6f"
"\x00\x6d\x00"
"\x00\x00\x00\x00";
answer.length = 0;
answer.data = NULL;
heim_ntlm_nt_key(password, &key);
ret = heim_ntlm_calculate_ntlm2(key.data,
key.length,
username,
target,
serverchallenge,
&infotarget,
ntlmv2,
&answer);
if (ret)
errx(1, "heim_ntlm_calculate_ntlm2");
ret = heim_ntlm_verify_ntlm2(key.data,
key.length,
username,
target,
0,
serverchallenge,
&answer,
&infotarget2,
ntlmv2_1);
if (ret)
errx(1, "heim_ntlm_verify_ntlm2");
if (memcmp(ntlmv2, ntlmv2_1, sizeof(ntlmv2)) != 0)
errx(1, "ntlm master key not same");
if (infotarget.length > infotarget2.length)
errx(1, "infotarget length");
if (memcmp(infotarget.data, infotarget2.data, infotarget.length) != 0)
errx(1, "infotarget not the same");
free(key.data);
free(answer.data);
free(infotarget2.data);
return 0;
}