2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "ntlm/ntlm.h"
36 RCSID("$Id: digest.c 22169 2007-12-04 22:19:16Z lha $");
45 krb5_realm kerberos_realm;
54 static OM_uint32 kdc_destroy(OM_uint32 *, void *);
57 * Get credential cache that the ntlm code can use to talk to the KDC
58 * using the digest API.
61 static krb5_error_code
62 get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
64 krb5_principal principal = NULL;
66 krb5_keytab kt = NULL;
73 cache = getenv("NTLM_ACCEPTOR_CCACHE");
75 ret = krb5_cc_resolve(context, cache, id);
82 ret = krb5_sname_to_principal(context, NULL, "host",
83 KRB5_NT_SRV_HST, &principal);
87 ret = krb5_cc_cache_match(context, principal, NULL, id);
91 /* did not find in default credcache, lets try default keytab */
92 ret = krb5_kt_default(context, &kt);
96 /* XXX check in keytab */
98 krb5_get_init_creds_opt *opt;
101 memset(&cred, 0, sizeof(cred));
103 ret = krb5_cc_new_unique(context, "MEMORY", NULL, id);
107 ret = krb5_get_init_creds_opt_alloc(context, &opt);
110 ret = krb5_get_init_creds_keytab (context,
117 krb5_get_init_creds_opt_free(context, opt);
120 ret = krb5_cc_initialize (context, *id, cred.client);
122 krb5_free_cred_contents (context, &cred);
125 ret = krb5_cc_store_cred (context, *id, &cred);
126 krb5_free_cred_contents (context, &cred);
131 krb5_kt_close(context, kt);
137 krb5_cc_destroy(context, *id);
139 krb5_cc_close(context, *id);
144 krb5_kt_close(context, kt);
147 krb5_free_principal(context, principal);
156 kdc_alloc(OM_uint32 *minor, void **ctx)
162 c = calloc(1, sizeof(*c));
165 return GSS_S_FAILURE;
168 ret = krb5_init_context(&c->context);
170 kdc_destroy(&junk, c);
172 return GSS_S_FAILURE;
175 ret = get_ccache(c->context, &c->destroy, &c->id);
177 kdc_destroy(&junk, c);
179 return GSS_S_FAILURE;
182 ret = krb5_ntlm_alloc(c->context, &c->ntlm);
184 kdc_destroy(&junk, c);
186 return GSS_S_FAILURE;
191 return GSS_S_COMPLETE;
195 kdc_probe(OM_uint32 *minor, void *ctx, const char *realm)
197 struct ntlmkrb5 *c = ctx;
201 ret = krb5_digest_probe(c->context, rk_UNCONST(realm), c->id, &flags);
205 if ((flags & (1|2|4)) == 0)
216 kdc_destroy(OM_uint32 *minor, void *ctx)
218 struct ntlmkrb5 *c = ctx;
219 krb5_data_free(&c->opaque);
220 krb5_data_free(&c->sessionkey);
222 krb5_ntlm_free(c->context, c->ntlm);
225 krb5_cc_destroy(c->context, c->id);
227 krb5_cc_close(c->context, c->id);
230 krb5_free_context(c->context);
231 memset(c, 0, sizeof(*c));
234 return GSS_S_COMPLETE;
242 kdc_type2(OM_uint32 *minor_status,
245 const char *hostname,
248 struct ntlm_buf *out)
250 struct ntlmkrb5 *c = ctx;
252 struct ntlm_type2 type2;
254 struct ntlm_buf data;
257 memset(&type2, 0, sizeof(type2));
260 * Request data for type 2 packet from the KDC.
262 ret = krb5_ntlm_init_request(c->context,
271 return GSS_S_FAILURE;
278 ret = krb5_ntlm_init_get_opaque(c->context, c->ntlm, &c->opaque);
281 return GSS_S_FAILURE;
288 ret = krb5_ntlm_init_get_flags(c->context, c->ntlm, &type2.flags);
291 return GSS_S_FAILURE;
293 *ret_flags = type2.flags;
295 ret = krb5_ntlm_init_get_challange(c->context, c->ntlm, &challange);
298 return GSS_S_FAILURE;
301 if (challange.length != sizeof(type2.challange)) {
302 *minor_status = EINVAL;
303 return GSS_S_FAILURE;
305 memcpy(type2.challange, challange.data, sizeof(type2.challange));
306 krb5_data_free(&challange);
308 ret = krb5_ntlm_init_get_targetname(c->context, c->ntlm,
312 return GSS_S_FAILURE;
315 ret = krb5_ntlm_init_get_targetinfo(c->context, c->ntlm, &ti);
317 free(type2.targetname);
319 return GSS_S_FAILURE;
322 type2.targetinfo.data = ti.data;
323 type2.targetinfo.length = ti.length;
325 ret = heim_ntlm_encode_type2(&type2, &data);
326 free(type2.targetname);
330 return GSS_S_FAILURE;
333 out->data = data.data;
334 out->length = data.length;
336 return GSS_S_COMPLETE;
344 kdc_type3(OM_uint32 *minor_status,
346 const struct ntlm_type3 *type3,
347 struct ntlm_buf *sessionkey)
349 struct ntlmkrb5 *c = ctx;
352 sessionkey->data = NULL;
353 sessionkey->length = 0;
355 ret = krb5_ntlm_req_set_flags(c->context, c->ntlm, type3->flags);
357 ret = krb5_ntlm_req_set_username(c->context, c->ntlm, type3->username);
359 ret = krb5_ntlm_req_set_targetname(c->context, c->ntlm,
362 ret = krb5_ntlm_req_set_lm(c->context, c->ntlm,
363 type3->lm.data, type3->lm.length);
365 ret = krb5_ntlm_req_set_ntlm(c->context, c->ntlm,
366 type3->ntlm.data, type3->ntlm.length);
368 ret = krb5_ntlm_req_set_opaque(c->context, c->ntlm, &c->opaque);
371 if (type3->sessionkey.length) {
372 ret = krb5_ntlm_req_set_session(c->context, c->ntlm,
373 type3->sessionkey.data,
374 type3->sessionkey.length);
379 * Verify with the KDC the type3 packet is ok
381 ret = krb5_ntlm_request(c->context,
388 if (krb5_ntlm_rep_get_status(c->context, c->ntlm) != TRUE) {
393 if (type3->sessionkey.length) {
394 ret = krb5_ntlm_rep_get_sessionkey(c->context,
400 sessionkey->data = c->sessionkey.data;
401 sessionkey->length = c->sessionkey.length;
408 return GSS_S_FAILURE;
416 kdc_free_buffer(struct ntlm_buf *sessionkey)
418 if (sessionkey->data)
419 free(sessionkey->data);
420 sessionkey->data = NULL;
421 sessionkey->length = 0;
428 struct ntlm_server_interface ntlmsspi_kdc_digest = {