/** * Decode a base64 string in-place - wrapper for the above **/ _PUBLIC_ void base64_decode_inplace(char *s) { DATA_BLOB decoded = base64_decode_data_blob(s); if ( decoded.length != 0 ) { memcpy(s, decoded.data, decoded.length); /* null terminate */ s[decoded.length] = '\0'; } else { *s = '\0'; } data_blob_free(&decoded); }
static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, char *buf, int length, void **private1, unsigned int mux_id, void **password) { DATA_BLOB in; if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); mux_printf(mux_id, "BH Query invalid\n"); return; } if (strlen(buf) > 3) { in = base64_decode_data_blob(buf + 3); } else { in = data_blob(NULL, 0); } if (strncmp(buf, "PW ", 3) == 0) { *password = talloc_strndup(*private1 /* hopefully the right gensec context, useful to use for talloc */, (const char *)in.data, in.length); if (*password == NULL) { DEBUG(1, ("Out of memory\n")); mux_printf(mux_id, "BH Out of memory\n"); data_blob_free(&in); return; } mux_printf(mux_id, "OK\n"); data_blob_free(&in); return; } DEBUG(1, ("Asked for (and expected) a password\n")); mux_printf(mux_id, "BH Expected a password\n"); data_blob_free(&in); }
static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, struct loadparm_context *lp_ctx, char *buf, int length, void **private1, unsigned int mux_id, void **private2) { DATA_BLOB in; DATA_BLOB out = data_blob(NULL, 0); char *out_base64 = NULL; const char *reply_arg = NULL; struct gensec_ntlm_state { struct gensec_security *gensec_state; const char *set_password; }; struct gensec_ntlm_state *state; struct tevent_context *ev; struct imessaging_context *msg; NTSTATUS nt_status; bool first = false; const char *reply_code; struct cli_credentials *creds; static char *want_feature_list = NULL; static DATA_BLOB session_key; TALLOC_CTX *mem_ctx; if (*private1) { state = (struct gensec_ntlm_state *)*private1; } else { state = talloc_zero(NULL, struct gensec_ntlm_state); if (!state) { mux_printf(mux_id, "BH No Memory\n"); exit(1); } *private1 = state; if (opt_password) { state->set_password = opt_password; } } if (strlen(buf) < 2) { DEBUG(1, ("query [%s] invalid", buf)); mux_printf(mux_id, "BH Query invalid\n"); return; } if (strlen(buf) > 3) { if(strncmp(buf, "SF ", 3) == 0) { DEBUG(10, ("Setting flags to negotiate\n")); talloc_free(want_feature_list); want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3); mux_printf(mux_id, "OK\n"); return; } in = base64_decode_data_blob(buf + 3); } else { in = data_blob(NULL, 0); } if (strncmp(buf, "YR", 2) == 0) { if (state->gensec_state) { talloc_free(state->gensec_state); state->gensec_state = NULL; } } else if ( (strncmp(buf, "OK", 2) == 0)) { /* Just return BH, like ntlm_auth from Samba 3 does. */ mux_printf(mux_id, "BH Command expected\n"); data_blob_free(&in); return; } else if ( (strncmp(buf, "TT ", 3) != 0) && (strncmp(buf, "KK ", 3) != 0) && (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) && (strncmp(buf, "UG", 2) != 0) && (strncmp(buf, "PW ", 3) != 0) && (strncmp(buf, "GK", 2) != 0) && (strncmp(buf, "GF", 2) != 0)) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); mux_printf(mux_id, "BH SPNEGO request invalid\n"); data_blob_free(&in); return; } ev = s4_event_context_init(state); if (!ev) { exit(1); } mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx"); /* setup gensec */ if (!(state->gensec_state)) { switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: case NTLMSSP_CLIENT_1: /* setup the client side */ nt_status = gensec_client_start(NULL, &state->gensec_state, ev, lpcfg_gensec_settings(NULL, lp_ctx)); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); exit(1); } break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: { const char *winbind_method[] = { "winbind", NULL }; struct auth4_context *auth_context; msg = imessaging_client_init(state, lpcfg_imessaging_path(state, lp_ctx), ev); if (!msg) { talloc_free(mem_ctx); exit(1); } nt_status = auth_context_create_methods(mem_ctx, winbind_method, ev, msg, lp_ctx, NULL, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); exit(1); } if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lpcfg_gensec_settings(state, lp_ctx), auth_context, &state->gensec_state))) { talloc_free(mem_ctx); exit(1); } break; } default: talloc_free(mem_ctx); abort(); } creds = cli_credentials_init(state->gensec_state); cli_credentials_set_conf(creds, lp_ctx); if (opt_username) { cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED); } if (opt_domain) { cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED); } if (state->set_password) { cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED); } else { cli_credentials_set_password_callback(creds, get_password); creds->priv_data = (void*)(uintptr_t)mux_id; } if (opt_workstation) { cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED); } switch (stdio_helper_mode) { case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: cli_credentials_set_machine_account(creds, lp_ctx); break; default: break; } gensec_set_credentials(state->gensec_state, creds); gensec_want_feature_list(state->gensec_state, want_feature_list); switch (stdio_helper_mode) { case GSS_SPNEGO_CLIENT: case GSS_SPNEGO_SERVER: nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO); if (!in.length) { first = true; } break; case NTLMSSP_CLIENT_1: if (!in.length) { first = true; } /* fall through */ case SQUID_2_5_NTLMSSP: nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP); break; default: talloc_free(mem_ctx); abort(); } if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH GENSEC mech failed to start\n"); talloc_free(mem_ctx); return; } } /* update */ if (strncmp(buf, "PW ", 3) == 0) { state->set_password = talloc_strndup(state, (const char *)in.data, in.length); cli_credentials_set_password(gensec_get_credentials(state->gensec_state), state->set_password, CRED_SPECIFIED); mux_printf(mux_id, "OK\n"); data_blob_free(&in); talloc_free(mem_ctx); return; } if (strncmp(buf, "UG", 2) == 0) { int i; char *grouplist = NULL; struct auth_session_info *session_info; nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); data_blob_free(&in); talloc_free(mem_ctx); return; } /* get the string onto the context */ grouplist = talloc_strdup(mem_ctx, ""); for (i=0; i<session_info->security_token->num_sids; i++) { struct security_token *token = session_info->security_token; const char *sidstr = dom_sid_string(session_info, &token->sids[i]); grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr); } mux_printf(mux_id, "GL %s\n", grouplist); talloc_free(session_info); data_blob_free(&in); talloc_free(mem_ctx); return; } if (strncmp(buf, "GK", 2) == 0) { char *base64_key; DEBUG(10, ("Requested session key\n")); nt_status = gensec_session_key(state->gensec_state, mem_ctx, &session_key); if(!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH No session key\n"); talloc_free(mem_ctx); return; } else { base64_key = base64_encode_data_blob(state, session_key); mux_printf(mux_id, "GK %s\n", base64_key); talloc_free(base64_key); } talloc_free(mem_ctx); return; } if (strncmp(buf, "GF", 2) == 0) { struct ntlmssp_state *ntlmssp_state; uint32_t neg_flags; ntlmssp_state = talloc_get_type(state->gensec_state->private_data, struct ntlmssp_state); neg_flags = ntlmssp_state->neg_flags; DEBUG(10, ("Requested negotiated feature flags\n")); mux_printf(mux_id, "GF 0x%08x\n", neg_flags); return; } nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out); /* don't leak 'bad password'/'no such user' info to the network client */ nt_status = nt_status_squash(nt_status); if (out.length) { out_base64 = base64_encode_data_blob(mem_ctx, out); } else { out_base64 = NULL; } if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { reply_arg = "*"; if (first) { reply_code = "YR"; } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { reply_code = "KK"; } else if (state->gensec_state->gensec_role == GENSEC_SERVER) { reply_code = "TT"; } else { abort(); } } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { reply_code = "BH NT_STATUS_ACCESS_DENIED"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) { reply_code = "BH NT_STATUS_UNSUCCESSFUL"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); } else if (!NT_STATUS_IS_OK(nt_status)) { reply_code = "NA"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status))); } else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) { struct auth_session_info *session_info; nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { reply_code = "BH Failed to retrive session info"; reply_arg = nt_errstr(nt_status); DEBUG(1, ("GENSEC failed to retrieve the session info: %s\n", nt_errstr(nt_status))); } else { reply_code = "AF"; reply_arg = talloc_asprintf(state->gensec_state, "%s%s%s", session_info->info->domain_name, lpcfg_winbind_separator(lp_ctx), session_info->info->account_name); talloc_free(session_info); } } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { reply_code = "AF"; reply_arg = out_base64; } else { abort(); } switch (stdio_helper_mode) { case GSS_SPNEGO_SERVER: mux_printf(mux_id, "%s %s %s\n", reply_code, out_base64 ? out_base64 : "*", reply_arg ? reply_arg : "*"); break; default: if (out_base64) { mux_printf(mux_id, "%s %s\n", reply_code, out_base64); } else if (reply_arg) { mux_printf(mux_id, "%s %s\n", reply_code, reply_arg); } else { mux_printf(mux_id, "%s\n", reply_code); } } talloc_free(mem_ctx); return; }
static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { static NTLMSSP_STATE *ntlmssp_state = NULL; SPNEGO_DATA request, response; DATA_BLOB token; NTSTATUS status; ssize_t len; char *user = NULL; char *domain = NULL; const char *reply_code; char *reply_base64; pstring reply_argument; if (strlen(buf) < 2) { DEBUG(1, ("SPENGO query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (strncmp(buf, "YR", 2) == 0) { if (ntlmssp_state) ntlmssp_end(&ntlmssp_state); } else if (strncmp(buf, "KK", 2) == 0) { } else { DEBUG(1, ("SPENGO query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if ( (strlen(buf) == 2)) { /* no client data, get the negTokenInit offering mechanisms */ offer_gss_spnego_mechs(); return; } /* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */ if (strlen(buf) <= 3) { DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf)); x_fprintf(x_stdout, "BH\n"); return; } token = base64_decode_data_blob(buf + 3); len = read_spnego_data(token, &request); data_blob_free(&token); if (len == -1) { DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (request.type == SPNEGO_NEG_TOKEN_INIT) { /* Second request from Client. This is where the client offers its mechanism to use. */ if ( (request.negTokenInit.mechTypes == NULL) || (request.negTokenInit.mechTypes[0] == NULL) ) { DEBUG(1, ("Client did not offer any mechanism")); x_fprintf(x_stdout, "BH\n"); return; } status = NT_STATUS_UNSUCCESSFUL; if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) { if ( request.negTokenInit.mechToken.data == NULL ) { DEBUG(1, ("Client did not provide NTLMSSP data\n")); x_fprintf(x_stdout, "BH\n"); return; } if ( ntlmssp_state != NULL ) { DEBUG(1, ("Client wants a new NTLMSSP challenge, but " "already got one\n")); x_fprintf(x_stdout, "BH\n"); ntlmssp_end(&ntlmssp_state); return; } if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { x_fprintf(x_stdout, "BH %s\n", nt_errstr(status)); return; } DEBUG(10, ("got NTLMSSP packet:\n")); dump_data(10, (const char *)request.negTokenInit.mechToken.data, request.negTokenInit.mechToken.length); response.type = SPNEGO_NEG_TOKEN_TARG; response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP); response.negTokenTarg.mechListMIC = data_blob(NULL, 0); status = ntlmssp_update(ntlmssp_state, request.negTokenInit.mechToken, &response.negTokenTarg.responseToken); } #ifdef HAVE_KRB5 if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) { TALLOC_CTX *mem_ctx = talloc_init("manage_gss_spnego_request"); char *principal; DATA_BLOB ap_rep; DATA_BLOB session_key; if ( request.negTokenInit.mechToken.data == NULL ) { DEBUG(1, ("Client did not provide Kerberos data\n")); x_fprintf(x_stdout, "BH\n"); return; } response.type = SPNEGO_NEG_TOKEN_TARG; response.negTokenTarg.supportedMech = SMB_STRDUP(OID_KERBEROS5_OLD); response.negTokenTarg.mechListMIC = data_blob(NULL, 0); response.negTokenTarg.responseToken = data_blob(NULL, 0); status = ads_verify_ticket(mem_ctx, lp_realm(), 0, &request.negTokenInit.mechToken, &principal, NULL, &ap_rep, &session_key); talloc_destroy(mem_ctx); /* Now in "principal" we have the name we are authenticated as. */ if (NT_STATUS_IS_OK(status)) { domain = strchr_m(principal, '@'); if (domain == NULL) { DEBUG(1, ("Did not get a valid principal " "from ads_verify_ticket\n")); x_fprintf(x_stdout, "BH\n"); return; } *domain++ = '\0'; domain = SMB_STRDUP(domain); user = SMB_STRDUP(principal); data_blob_free(&ap_rep); SAFE_FREE(principal); } } #endif } else { if ( (request.negTokenTarg.supportedMech == NULL) || ( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) { /* Kerberos should never send a negTokenTarg, OID_NTLMSSP is the only one we support that sends this stuff */ DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n", request.negTokenTarg.supportedMech)); x_fprintf(x_stdout, "BH\n"); return; } if (request.negTokenTarg.responseToken.data == NULL) { DEBUG(1, ("Got a negTokenTarg without a responseToken!\n")); x_fprintf(x_stdout, "BH\n"); return; } status = ntlmssp_update(ntlmssp_state, request.negTokenTarg.responseToken, &response.negTokenTarg.responseToken); response.type = SPNEGO_NEG_TOKEN_TARG; response.negTokenTarg.supportedMech = SMB_STRDUP(OID_NTLMSSP); response.negTokenTarg.mechListMIC = data_blob(NULL, 0); if (NT_STATUS_IS_OK(status)) { user = SMB_STRDUP(ntlmssp_state->user); domain = SMB_STRDUP(ntlmssp_state->domain); ntlmssp_end(&ntlmssp_state); } } free_spnego_data(&request); if (NT_STATUS_IS_OK(status)) { response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; reply_code = "AF"; pstr_sprintf(reply_argument, "%s\\%s", domain, user); } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; reply_code = "TT"; pstr_sprintf(reply_argument, "*"); } else { response.negTokenTarg.negResult = SPNEGO_REJECT; reply_code = "NA"; pstrcpy(reply_argument, nt_errstr(status)); } SAFE_FREE(user); SAFE_FREE(domain); len = write_spnego_data(&token, &response); free_spnego_data(&response); if (len == -1) { DEBUG(1, ("Could not write SPNEGO data blob\n")); x_fprintf(x_stdout, "BH\n"); return; } reply_base64 = base64_encode_data_blob(token); x_fprintf(x_stdout, "%s %s %s\n", reply_code, reply_base64, reply_argument); SAFE_FREE(reply_base64); data_blob_free(&token); return; }
static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { static NTLMSSP_STATE *ntlmssp_state = NULL; DATA_BLOB request, reply; NTSTATUS nt_status; BOOL first = False; if (strlen(buf) < 2) { DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (strlen(buf) > 3) { request = base64_decode_data_blob(buf + 3); } else { request = data_blob(NULL, 0); } if (strncmp(buf, "PW ", 3) == 0) { /* We asked for a password and obviously got it :-) */ opt_password = SMB_STRNDUP((const char *)request.data, request.length); if (opt_password == NULL) { DEBUG(1, ("Out of memory\n")); x_fprintf(x_stdout, "BH\n"); data_blob_free(&request); return; } x_fprintf(x_stdout, "OK\n"); data_blob_free(&request); return; } if (opt_password == NULL) { /* Request a password from the calling process. After sending it, the calling process should retry asking for the negotiate. */ DEBUG(10, ("Requesting password\n")); x_fprintf(x_stdout, "PW\n"); return; } if (strncmp(buf, "YR", 2) == 0) { if (ntlmssp_state) ntlmssp_end(&ntlmssp_state); } else if (strncmp(buf, "TT", 2) == 0) { } else { DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (!ntlmssp_state) { if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) { x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); return; } first = True; } DEBUG(10, ("got NTLMSSP packet:\n")); dump_data(10, (const char *)request.data, request.length); nt_status = ntlmssp_update(ntlmssp_state, request, &reply); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { char *reply_base64 = base64_encode_data_blob(reply); if (first) { x_fprintf(x_stdout, "YR %s\n", reply_base64); } else { x_fprintf(x_stdout, "KK %s\n", reply_base64); } SAFE_FREE(reply_base64); data_blob_free(&reply); DEBUG(10, ("NTLMSSP challenge\n")); } else if (NT_STATUS_IS_OK(nt_status)) { char *reply_base64 = base64_encode_data_blob(reply); x_fprintf(x_stdout, "AF %s\n", reply_base64); SAFE_FREE(reply_base64); DEBUG(10, ("NTLMSSP OK!\n")); if (ntlmssp_state) ntlmssp_end(&ntlmssp_state); } else { x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status))); if (ntlmssp_state) ntlmssp_end(&ntlmssp_state); } data_blob_free(&request); }
static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { static NTLMSSP_STATE *ntlmssp_state = NULL; DATA_BLOB request, reply; NTSTATUS nt_status; if (strlen(buf) < 2) { DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (strlen(buf) > 3) { request = base64_decode_data_blob(buf + 3); } else { request = data_blob(NULL, 0); } if ((strncmp(buf, "PW ", 3) == 0)) { /* The calling application wants us to use a local password (rather than winbindd) */ opt_password = SMB_STRNDUP((const char *)request.data, request.length); if (opt_password == NULL) { DEBUG(1, ("Out of memory\n")); x_fprintf(x_stdout, "BH\n"); data_blob_free(&request); return; } x_fprintf(x_stdout, "OK\n"); data_blob_free(&request); return; } if (strncmp(buf, "YR", 2) == 0) { if (ntlmssp_state) ntlmssp_end(&ntlmssp_state); } else if (strncmp(buf, "KK", 2) == 0) { } else { DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (!ntlmssp_state) { if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); return; } } DEBUG(10, ("got NTLMSSP packet:\n")); dump_data(10, (const char *)request.data, request.length); nt_status = ntlmssp_update(ntlmssp_state, request, &reply); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { char *reply_base64 = base64_encode_data_blob(reply); x_fprintf(x_stdout, "TT %s\n", reply_base64); SAFE_FREE(reply_base64); data_blob_free(&reply); DEBUG(10, ("NTLMSSP challenge\n")); } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status))); ntlmssp_end(&ntlmssp_state); } else if (!NT_STATUS_IS_OK(nt_status)) { x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status)); DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status))); } else { x_fprintf(x_stdout, "AF %s\n", (char *)ntlmssp_state->auth_context); DEBUG(10, ("NTLMSSP OK!\n")); } data_blob_free(&request); }
static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { DATA_BLOB request; SPNEGO_DATA spnego; ssize_t len; if (strlen(buf) <= 3) { DEBUG(1, ("SPNEGO query [%s] too short\n", buf)); x_fprintf(x_stdout, "BH\n"); return; } request = base64_decode_data_blob(buf+3); if (strncmp(buf, "PW ", 3) == 0) { /* We asked for a password and obviously got it :-) */ opt_password = SMB_STRNDUP((const char *)request.data, request.length); if (opt_password == NULL) { DEBUG(1, ("Out of memory\n")); x_fprintf(x_stdout, "BH\n"); data_blob_free(&request); return; } x_fprintf(x_stdout, "OK\n"); data_blob_free(&request); return; } if ( (strncmp(buf, "TT ", 3) != 0) && (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) ) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); x_fprintf(x_stdout, "BH\n"); data_blob_free(&request); return; } /* So we got a server challenge to generate a SPNEGO client-to-server request... */ len = read_spnego_data(request, &spnego); data_blob_free(&request); if (len == -1) { DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf)); x_fprintf(x_stdout, "BH\n"); return; } if (spnego.type == SPNEGO_NEG_TOKEN_INIT) { /* The server offers a list of mechanisms */ const char **mechType = (const char **)spnego.negTokenInit.mechTypes; while (*mechType != NULL) { #ifdef HAVE_KRB5 if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) || (strcmp(*mechType, OID_KERBEROS5) == 0) ) { if (manage_client_krb5_init(spnego)) goto out; } #endif if (strcmp(*mechType, OID_NTLMSSP) == 0) { if (manage_client_ntlmssp_init(spnego)) goto out; } mechType++; } DEBUG(1, ("Server offered no compatible mechanism\n")); x_fprintf(x_stdout, "BH\n"); return; } if (spnego.type == SPNEGO_NEG_TOKEN_TARG) { if (spnego.negTokenTarg.supportedMech == NULL) { /* On accept/reject Windows does not send the mechanism anymore. Handle that here and shut down the mechanisms. */ switch (spnego.negTokenTarg.negResult) { case SPNEGO_ACCEPT_COMPLETED: x_fprintf(x_stdout, "AF\n"); break; case SPNEGO_REJECT: x_fprintf(x_stdout, "NA\n"); break; default: DEBUG(1, ("Got a negTokenTarg with no mech and an " "unknown negResult: %d\n", spnego.negTokenTarg.negResult)); x_fprintf(x_stdout, "BH\n"); } ntlmssp_end(&client_ntlmssp_state); goto out; } if (strcmp(spnego.negTokenTarg.supportedMech, OID_NTLMSSP) == 0) { manage_client_ntlmssp_targ(spnego); goto out; } #if HAVE_KRB5 if (strcmp(spnego.negTokenTarg.supportedMech, OID_KERBEROS5_OLD) == 0) { manage_client_krb5_targ(spnego); goto out; } #endif } DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf)); x_fprintf(x_stdout, "BH\n"); return; out: free_spnego_data(&spnego); return; }
static BOOL afs_decode_token(const char *string, char **cell, DATA_BLOB *ticket, struct ClearToken *ct) { DATA_BLOB blob; struct ClearToken result_ct; char *s = strdup(string); char *t; if ((t = strtok(s, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } *cell = strdup(t); if ((t = strtok(NULL, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) { DEBUG(10, ("sscanf AuthHandle failed\n")); return False; } if ((t = strtok(NULL, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } blob = base64_decode_data_blob(t); if ( (blob.data == NULL) || (blob.length != sizeof(result_ct.HandShakeKey) )) { DEBUG(10, ("invalid key: %x/%d\n", (uint32)blob.data, blob.length)); return False; } memcpy(result_ct.HandShakeKey, blob.data, blob.length); data_blob_free(&blob); if ((t = strtok(NULL, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } if (sscanf(t, "%u", &result_ct.ViceId) != 1) { DEBUG(10, ("sscanf ViceId failed\n")); return False; } if ((t = strtok(NULL, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) { DEBUG(10, ("sscanf BeginTimestamp failed\n")); return False; } if ((t = strtok(NULL, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) { DEBUG(10, ("sscanf EndTimestamp failed\n")); return False; } if ((t = strtok(NULL, "\n")) == NULL) { DEBUG(10, ("strtok failed\n")); return False; } blob = base64_decode_data_blob(t); if (blob.data == NULL) { DEBUG(10, ("Could not get ticket\n")); return False; } *ticket = blob; *ct = result_ct; return True; }
static bool afs_decode_token(const char *string, char **cell, DATA_BLOB *ticket, struct ClearToken *ct) { DATA_BLOB blob; struct ClearToken result_ct; char *saveptr; char *s = SMB_STRDUP(string); char *t; if ((t = strtok_r(s, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } *cell = SMB_STRDUP(t); if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } if (sscanf(t, "%u", &result_ct.AuthHandle) != 1) { DEBUG(10, ("sscanf AuthHandle failed\n")); return false; } if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } blob = base64_decode_data_blob(t); if ( (blob.data == NULL) || (blob.length != sizeof(result_ct.HandShakeKey) )) { DEBUG(10, ("invalid key: %x/%lu\n", (uint8_t)*blob.data, (unsigned long) blob.length)); return false; } memcpy(result_ct.HandShakeKey, blob.data, blob.length); data_blob_free(&blob); if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } if (sscanf(t, "%u", &result_ct.ViceId) != 1) { DEBUG(10, ("sscanf ViceId failed\n")); return false; } if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } if (sscanf(t, "%u", &result_ct.BeginTimestamp) != 1) { DEBUG(10, ("sscanf BeginTimestamp failed\n")); return false; } if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } if (sscanf(t, "%u", &result_ct.EndTimestamp) != 1) { DEBUG(10, ("sscanf EndTimestamp failed\n")); return false; } if ((t = strtok_r(NULL, "\n", &saveptr)) == NULL) { DEBUG(10, ("strtok_r failed\n")); return false; } blob = base64_decode_data_blob(t); if (blob.data == NULL) { DEBUG(10, ("Could not get ticket\n")); return false; } *ticket = blob; *ct = result_ct; return true; }