static INT_PTR NtlmCreateResponseService2( WPARAM wParam, LPARAM lParam )
{
NETLIBNTLMREQUEST2* req = ( NETLIBNTLMREQUEST2* )lParam;
if (req->cbSize < sizeof(*req)) return 0;
char* response;
#ifdef UNICODE
if (req->flags & NNR_UNICODE)
{
response = NtlmCreateResponseFromChallenge(( HANDLE )wParam, req->szChallenge,
req->szUserName, req->szPassword, false, req->complete );
}
else
{
TCHAR *szLogin = mir_a2t((char*)req->szUserName);
TCHAR *szPassw = mir_a2t((char*)req->szPassword);
response = NtlmCreateResponseFromChallenge(( HANDLE )wParam, req->szChallenge,
szLogin, szPassw, false, req->complete );
mir_free(szLogin);
mir_free(szPassw);
}
#else
response = NtlmCreateResponseFromChallenge(( HANDLE )wParam, req->szChallenge,
req->szUserName, req->szPassword, false, req->complete );
#endif
return (INT_PTR)response;
}
static INT_PTR NtlmCreateResponseService2(WPARAM wParam, LPARAM lParam)
{
NETLIBNTLMREQUEST2 *req = (NETLIBNTLMREQUEST2*)lParam;
if (req == NULL || req->cbSize < sizeof(*req))
return 0;
if (req->flags & NNR_UNICODE)
return (INT_PTR)NtlmCreateResponseFromChallenge((HANDLE)wParam, req->szChallenge, req->szUserName, req->szPassword, false, req->complete);
return (INT_PTR)NtlmCreateResponseFromChallenge((HANDLE)wParam, req->szChallenge, _A2T((char*)req->szUserName), _A2T((char*)req->szPassword), false, req->complete);
}
char* Execute(NetlibConnection *nlc, char *szHost, const char *szProvider, const char *szChallenge, unsigned &complete)
{
char *szAuthHdr = NULL;
bool justCreated = false;
NetlibUser *nlu = nlc->nlu;
if (m_hNtlmSecurity) {
bool newAuth = !m_szProvider || !szProvider || _stricmp(m_szProvider, szProvider);
newAuth = newAuth || (m_szHost != szHost && (!m_szHost || !szHost || _stricmp(m_szHost, szHost)));
if (newAuth)
Destroy();
}
if (m_hNtlmSecurity == NULL) {
char szSpnStr[256] = "";
if (szHost && _stricmp(szProvider, "Basic")) {
unsigned long ip = inet_addr(szHost);
PHOSTENT host = (ip == INADDR_NONE) ? gethostbyname(szHost) : gethostbyaddr((char*)&ip, 4, AF_INET);
mir_snprintf(szSpnStr, "HTTP/%s", host && host->h_name ? host->h_name : szHost);
_strlwr(szSpnStr + 5);
NetlibLogf(nlu, "Host SPN: %s", szSpnStr);
}
m_hNtlmSecurity = NetlibInitSecurityProvider(szProvider, szSpnStr[0] ? szSpnStr : NULL);
if (m_hNtlmSecurity) {
m_szProvider = mir_strdup(szProvider);
m_szHost = mir_strdup(szHost);
justCreated = true;
}
}
if (m_hNtlmSecurity) {
TCHAR *szLogin = NULL, *szPassw = NULL;
if (nlu->settings.useProxyAuth) {
mir_cslock lck(csNetlibUser);
szLogin = mir_a2t(nlu->settings.szProxyAuthUser);
szPassw = mir_a2t(nlu->settings.szProxyAuthPassword);
}
szAuthHdr = NtlmCreateResponseFromChallenge(m_hNtlmSecurity,
szChallenge, szLogin, szPassw, true, complete);
if (!szAuthHdr) {
NetlibLogf(NULL, "Security login %s failed, user: %S pssw: %S",
szProvider, szLogin ? szLogin : _T("(no user)"), szPassw ? _T("(exist)") : _T("(no psw)"));
}
else if (justCreated)
proxyAuthList.add(m_szHost, m_szProvider);
mir_free(szLogin);
mir_free(szPassw);
}
else complete = 1;
return szAuthHdr;
}
static INT_PTR NtlmCreateResponseService( WPARAM wParam, LPARAM lParam )
{
NETLIBNTLMREQUEST* req = ( NETLIBNTLMREQUEST* )lParam;
unsigned complete;
char* response = NtlmCreateResponseFromChallenge(( HANDLE )wParam, req->szChallenge,
StrConvT(req->userName), StrConvT(req->password), false, complete );
return (INT_PTR)response;
}
char* NtlmCreateResponseFromChallenge(HANDLE hSecurity, const char *szChallenge, const TCHAR* login, const TCHAR* psw,
bool http, unsigned& complete)
{
SECURITY_STATUS sc;
SecBufferDesc outputBufferDescriptor,inputBufferDescriptor;
SecBuffer outputSecurityToken,inputSecurityToken;
TimeStamp tokenExpiration;
ULONG contextAttributes;
NETLIBBASE64 nlb64 = { 0 };
NtlmHandleType* hNtlm = (NtlmHandleType*)hSecurity;
if (hSecurity == NULL || ntlmCnt == 0) return NULL;
if (_tcsicmp(hNtlm->szProvider, _T("Basic")))
{
bool isGSSAPI = _tcsicmp(hNtlm->szProvider, _T("GSSAPI")) == 0;
TCHAR *szProvider = isGSSAPI ? _T("Kerberos") : hNtlm->szProvider;
bool hasChallenge = szChallenge != NULL && szChallenge[0] != '\0';
if (hasChallenge)
{
nlb64.cchEncoded = lstrlenA(szChallenge);
nlb64.pszEncoded = (char*)szChallenge;
nlb64.cbDecoded = Netlib_GetBase64DecodedBufferSize(nlb64.cchEncoded);
nlb64.pbDecoded = (PBYTE)alloca(nlb64.cbDecoded);
if (!NetlibBase64Decode(0, (LPARAM)&nlb64)) return NULL;
if (isGSSAPI && complete)
return CompleteGssapi(hSecurity, nlb64.pbDecoded, nlb64.cbDecoded);
inputBufferDescriptor.cBuffers = 1;
inputBufferDescriptor.pBuffers = &inputSecurityToken;
inputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
inputSecurityToken.BufferType = SECBUFFER_TOKEN;
inputSecurityToken.cbBuffer = nlb64.cbDecoded;
inputSecurityToken.pvBuffer = nlb64.pbDecoded;
// try to decode the domain name from the NTLM challenge
if (login != NULL && login[0] != '\0' && !hNtlm->hasDomain)
{
NtlmType2packet* pkt = ( NtlmType2packet* )nlb64.pbDecoded;
if (!strncmp(pkt->sign, "NTLMSSP", 8) && pkt->type == 2)
{
#ifdef UNICODE
wchar_t* domainName = (wchar_t*)&nlb64.pbDecoded[pkt->targetName.offset];
int domainLen = pkt->targetName.len;
// Negotiate ANSI? if yes, convert the ANSI name to unicode
if ((pkt->flags & 1) == 0)
{
int bufsz = MultiByteToWideChar(CP_ACP, 0, (char*)domainName, domainLen, NULL, 0);
wchar_t* buf = (wchar_t*)alloca(bufsz * sizeof(wchar_t));
domainLen = MultiByteToWideChar(CP_ACP, 0, (char*)domainName, domainLen, buf, bufsz) - 1;
domainName = buf;
}
else
domainLen /= sizeof(wchar_t);
#else
char* domainName = (char*)&nlb64.pbDecoded[pkt->targetName.offset];
int domainLen = pkt->targetName.len;
// Negotiate Unicode? if yes, convert the unicode name to ANSI
if (pkt->flags & 1)
{
int bufsz = WideCharToMultiByte(CP_ACP, 0, (WCHAR*)domainName, domainLen, NULL, 0, NULL, NULL);
char* buf = (char*)alloca(bufsz);
domainLen = WideCharToMultiByte(CP_ACP, 0, (WCHAR*)domainName, domainLen, buf, bufsz, NULL, NULL) - 1;
domainName = buf;
}
#endif
if (domainLen)
{
size_t newLoginLen = _tcslen(login) + domainLen + 1;
TCHAR *newLogin = (TCHAR*)alloca(newLoginLen * sizeof(TCHAR));
_tcsncpy(newLogin, domainName, domainLen);
newLogin[domainLen] = '\\';
_tcscpy(newLogin + domainLen + 1, login);
char* szChl = NtlmCreateResponseFromChallenge(hSecurity, NULL, newLogin, psw, http, complete);
mir_free(szChl);
}
}
}
}
else
{
if (SecIsValidHandle(&hNtlm->hClientContext)) g_pSSPI->DeleteSecurityContext(&hNtlm->hClientContext);
if (SecIsValidHandle(&hNtlm->hClientCredential)) g_pSSPI->FreeCredentialsHandle(&hNtlm->hClientCredential);
SEC_WINNT_AUTH_IDENTITY auth;
if (login != NULL && login[0] != '\0')
{
memset(&auth, 0, sizeof(auth));
#ifdef _UNICODE
NetlibLogf(NULL, "Security login requested, user: %S pssw: %s", login, psw ? "(exist)" : "(no psw)");
#else
NetlibLogf(NULL, "Security login requested, user: %s pssw: %s", login, psw ? "(exist)" : "(no psw)");
#endif
const TCHAR* loginName = login;
const TCHAR* domainName = _tcschr(login, '\\');
int domainLen = 0;
int loginLen = lstrlen(loginName);
if (domainName != NULL)
{
loginName = domainName + 1;
loginLen = lstrlen(loginName);
domainLen = domainName - login;
domainName = login;
}
else if ((domainName = _tcschr(login, '@')) != NULL)
{
loginName = login;
loginLen = domainName - login;
domainLen = lstrlen(++domainName);
}
#ifdef UNICODE
auth.User = (PWORD)loginName;
auth.UserLength = loginLen;
auth.Password = (PWORD)psw;
auth.PasswordLength = lstrlen(psw);
auth.Domain = (PWORD)domainName;
auth.DomainLength = domainLen;
auth.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
#else
auth.User = (PBYTE)loginName;
auth.UserLength = loginLen;
auth.Password = (PBYTE)psw;
auth.PasswordLength = lstrlen(psw);
auth.Domain = (PBYTE)domainName;
auth.DomainLength = domainLen;
auth.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
#endif
hNtlm->hasDomain = domainLen != 0;
}
sc = g_pSSPI->AcquireCredentialsHandle(NULL, szProvider,
SECPKG_CRED_OUTBOUND, NULL, hNtlm->hasDomain ? &auth : NULL, NULL, NULL,
&hNtlm->hClientCredential, &tokenExpiration);
if (sc != SEC_E_OK)
{
ReportSecError(sc, __LINE__);
return NULL;
}
}
outputBufferDescriptor.cBuffers = 1;
outputBufferDescriptor.pBuffers = &outputSecurityToken;
outputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
outputSecurityToken.BufferType = SECBUFFER_TOKEN;
outputSecurityToken.cbBuffer = hNtlm->cbMaxToken;
outputSecurityToken.pvBuffer = alloca(outputSecurityToken.cbBuffer);
sc = g_pSSPI->InitializeSecurityContext(&hNtlm->hClientCredential,
hasChallenge ? &hNtlm->hClientContext : NULL,
hNtlm->szPrincipal, isGSSAPI ? ISC_REQ_MUTUAL_AUTH | ISC_REQ_STREAM : 0, 0, SECURITY_NATIVE_DREP,
hasChallenge ? &inputBufferDescriptor : NULL, 0, &hNtlm->hClientContext,
&outputBufferDescriptor, &contextAttributes, &tokenExpiration);
complete = (sc != SEC_I_COMPLETE_AND_CONTINUE && sc != SEC_I_CONTINUE_NEEDED);
if (sc == SEC_I_COMPLETE_NEEDED || sc == SEC_I_COMPLETE_AND_CONTINUE)
{
sc = g_pSSPI->CompleteAuthToken(&hNtlm->hClientContext, &outputBufferDescriptor);
}
if (sc != SEC_E_OK && sc != SEC_I_CONTINUE_NEEDED)
{
ReportSecError(sc, __LINE__);
return NULL;
}
nlb64.cbDecoded = outputSecurityToken.cbBuffer;
nlb64.pbDecoded = (PBYTE)outputSecurityToken.pvBuffer;
}
else
{
if (!login || !psw) return NULL;
char *szLogin = mir_t2a(login);
char *szPassw = mir_t2a(psw);
size_t authLen = strlen(szLogin) + strlen(szPassw) + 5;
char *szAuth = (char*)alloca(authLen);
nlb64.cbDecoded = mir_snprintf(szAuth, authLen,"%s:%s", szLogin, szPassw);
nlb64.pbDecoded=(PBYTE)szAuth;
complete = true;
mir_free(szPassw);
mir_free(szLogin);
}
nlb64.cchEncoded = Netlib_GetBase64EncodedBufferSize(nlb64.cbDecoded);
nlb64.pszEncoded = (char*)alloca(nlb64.cchEncoded);
if (!NetlibBase64Encode(0,(LPARAM)&nlb64)) return NULL;
char* result;
if (http)
{
char* szProvider = mir_t2a(hNtlm->szProvider);
nlb64.cchEncoded += (int)strlen(szProvider) + 10;
result = (char*)mir_alloc(nlb64.cchEncoded);
mir_snprintf(result, nlb64.cchEncoded, "%s %s", szProvider, nlb64.pszEncoded);
mir_free(szProvider);
}
else
result = mir_strdup(nlb64.pszEncoded);
return result;
}
char* NtlmCreateResponseFromChallenge(HANDLE hSecurity, const char *szChallenge, const TCHAR* login, const TCHAR* psw, bool http, unsigned& complete)
{
if (hSecurity == NULL || ntlmCnt == 0)
return NULL;
SecBufferDesc outputBufferDescriptor, inputBufferDescriptor;
SecBuffer outputSecurityToken, inputSecurityToken;
TimeStamp tokenExpiration;
ULONG contextAttributes;
char *szOutputToken;
NtlmHandleType* hNtlm = (NtlmHandleType*)hSecurity;
if (mir_tstrcmpi(hNtlm->szProvider, _T("Basic"))) {
bool isGSSAPI = mir_tstrcmpi(hNtlm->szProvider, _T("GSSAPI")) == 0;
TCHAR *szProvider = isGSSAPI ? (TCHAR*)_T("Kerberos") : hNtlm->szProvider;
bool hasChallenge = szChallenge != NULL && szChallenge[0] != '\0';
if (hasChallenge) {
unsigned tokenLen;
BYTE *token = (BYTE*)mir_base64_decode(szChallenge, &tokenLen);
if (token == NULL)
return NULL;
if (isGSSAPI && complete)
return CompleteGssapi(hSecurity, token, tokenLen);
inputBufferDescriptor.cBuffers = 1;
inputBufferDescriptor.pBuffers = &inputSecurityToken;
inputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
inputSecurityToken.BufferType = SECBUFFER_TOKEN;
inputSecurityToken.cbBuffer = tokenLen;
inputSecurityToken.pvBuffer = token;
// try to decode the domain name from the NTLM challenge
if (login != NULL && login[0] != '\0' && !hNtlm->hasDomain) {
NtlmType2packet* pkt = (NtlmType2packet*)token;
if (!strncmp(pkt->sign, "NTLMSSP", 8) && pkt->type == 2) {
wchar_t* domainName = (wchar_t*)&token[pkt->targetName.offset];
int domainLen = pkt->targetName.len;
// Negotiate ANSI? if yes, convert the ANSI name to unicode
if ((pkt->flags & 1) == 0) {
int bufsz = MultiByteToWideChar(CP_ACP, 0, (char*)domainName, domainLen, NULL, 0);
wchar_t* buf = (wchar_t*)alloca(bufsz * sizeof(wchar_t));
domainLen = MultiByteToWideChar(CP_ACP, 0, (char*)domainName, domainLen, buf, bufsz) - 1;
domainName = buf;
}
else domainLen /= sizeof(wchar_t);
if (domainLen) {
size_t newLoginLen = mir_tstrlen(login) + domainLen + 1;
TCHAR *newLogin = (TCHAR*)alloca(newLoginLen * sizeof(TCHAR));
_tcsncpy(newLogin, domainName, domainLen);
newLogin[domainLen] = '\\';
mir_tstrcpy(newLogin + domainLen + 1, login);
char* szChl = NtlmCreateResponseFromChallenge(hSecurity, NULL, newLogin, psw, http, complete);
mir_free(szChl);
}
}
}
}
else {
if (SecIsValidHandle(&hNtlm->hClientContext))
DeleteSecurityContext(&hNtlm->hClientContext);
if (SecIsValidHandle(&hNtlm->hClientCredential))
FreeCredentialsHandle(&hNtlm->hClientCredential);
SEC_WINNT_AUTH_IDENTITY auth;
if (login != NULL && login[0] != '\0') {
memset(&auth, 0, sizeof(auth));
NetlibLogf(NULL, "Security login requested, user: %S pssw: %s", login, psw ? "(exist)" : "(no psw)");
const TCHAR* loginName = login;
const TCHAR* domainName = _tcschr(login, '\\');
size_t domainLen = 0;
size_t loginLen = mir_tstrlen(loginName);
if (domainName != NULL) {
loginName = domainName + 1;
loginLen = mir_tstrlen(loginName);
domainLen = domainName - login;
domainName = login;
}
else if ((domainName = _tcschr(login, '@')) != NULL) {
loginName = login;
loginLen = domainName - login;
domainLen = mir_tstrlen(++domainName);
}
auth.User = (PWORD)loginName;
auth.UserLength = (ULONG)loginLen;
auth.Password = (PWORD)psw;
auth.PasswordLength = (ULONG)mir_tstrlen(psw);
auth.Domain = (PWORD)domainName;
auth.DomainLength = (ULONG)domainLen;
auth.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
hNtlm->hasDomain = domainLen != 0;
}
SECURITY_STATUS sc = AcquireCredentialsHandle(NULL, szProvider,
SECPKG_CRED_OUTBOUND, NULL, hNtlm->hasDomain ? &auth : NULL, NULL, NULL,
&hNtlm->hClientCredential, &tokenExpiration);
if (sc != SEC_E_OK) {
ReportSecError(sc, __LINE__);
return NULL;
}
}
outputBufferDescriptor.cBuffers = 1;
outputBufferDescriptor.pBuffers = &outputSecurityToken;
outputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
outputSecurityToken.BufferType = SECBUFFER_TOKEN;
outputSecurityToken.cbBuffer = hNtlm->cbMaxToken;
outputSecurityToken.pvBuffer = alloca(outputSecurityToken.cbBuffer);
SECURITY_STATUS sc = InitializeSecurityContext(&hNtlm->hClientCredential,
hasChallenge ? &hNtlm->hClientContext : NULL,
hNtlm->szPrincipal, isGSSAPI ? ISC_REQ_MUTUAL_AUTH | ISC_REQ_STREAM : 0, 0, SECURITY_NATIVE_DREP,
hasChallenge ? &inputBufferDescriptor : NULL, 0, &hNtlm->hClientContext,
&outputBufferDescriptor, &contextAttributes, &tokenExpiration);
complete = (sc != SEC_I_COMPLETE_AND_CONTINUE && sc != SEC_I_CONTINUE_NEEDED);
if (sc == SEC_I_COMPLETE_NEEDED || sc == SEC_I_COMPLETE_AND_CONTINUE)
sc = CompleteAuthToken(&hNtlm->hClientContext, &outputBufferDescriptor);
if (sc != SEC_E_OK && sc != SEC_I_CONTINUE_NEEDED) {
ReportSecError(sc, __LINE__);
return NULL;
}
szOutputToken = mir_base64_encode((PBYTE)outputSecurityToken.pvBuffer, outputSecurityToken.cbBuffer);
}
else {
if (!login || !psw) return NULL;
char *szLogin = mir_t2a(login);
char *szPassw = mir_t2a(psw);
size_t authLen = mir_strlen(szLogin) + mir_strlen(szPassw) + 5;
char *szAuth = (char*)alloca(authLen);
int len = mir_snprintf(szAuth, authLen, "%s:%s", szLogin, szPassw);
szOutputToken = mir_base64_encode((BYTE*)szAuth, len);
complete = true;
mir_free(szPassw);
mir_free(szLogin);
}
if (szOutputToken == NULL)
return NULL;
if (!http)
return szOutputToken;
ptrA szProvider(mir_t2a(hNtlm->szProvider));
size_t resLen = mir_strlen(szOutputToken) + mir_strlen(szProvider) + 10;
char *result = (char*)mir_alloc(resLen);
mir_snprintf(result, resLen, "%s %s", szProvider, szOutputToken);
mir_free(szOutputToken);
return result;
}
