2 * Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
45 krb5_realm kerberos_realm;
54 static OM_uint32 kdc_destroy(OM_uint32 *, void *);
57 * Get credential cache that the ntlm code can use to talk to the KDC
58 * using the digest API.
61 static krb5_error_code
62 get_ccache(krb5_context context, int *destroy, krb5_ccache *id)
64 krb5_principal principal = NULL;
66 krb5_keytab kt = NULL;
67 const char *cache = secure_getenv("NTLM_ACCEPTOR_CCACHE");
72 ret = krb5_cc_resolve(context, cache, id);
78 ret = krb5_sname_to_principal(context, NULL, "host",
79 KRB5_NT_SRV_HST, &principal);
83 ret = krb5_cc_cache_match(context, principal, id);
87 /* did not find in default credcache, lets try default keytab */
88 ret = krb5_kt_default(context, &kt);
92 /* XXX check in keytab */
94 krb5_get_init_creds_opt *opt;
97 memset(&cred, 0, sizeof(cred));
99 ret = krb5_cc_new_unique(context, "MEMORY", NULL, id);
103 ret = krb5_get_init_creds_opt_alloc(context, &opt);
106 ret = krb5_get_init_creds_keytab (context,
113 krb5_get_init_creds_opt_free(context, opt);
116 ret = krb5_cc_initialize (context, *id, cred.client);
118 krb5_free_cred_contents (context, &cred);
121 ret = krb5_cc_store_cred (context, *id, &cred);
122 krb5_free_cred_contents (context, &cred);
127 krb5_kt_close(context, kt);
134 krb5_cc_destroy(context, *id);
136 krb5_cc_close(context, *id);
141 krb5_kt_close(context, kt);
144 krb5_free_principal(context, principal);
153 kdc_alloc(OM_uint32 *minor, void **ctx)
159 c = calloc(1, sizeof(*c));
162 return GSS_S_FAILURE;
165 ret = krb5_init_context(&c->context);
167 kdc_destroy(&junk, c);
169 return GSS_S_FAILURE;
172 ret = get_ccache(c->context, &c->destroy, &c->id);
174 kdc_destroy(&junk, c);
176 return GSS_S_FAILURE;
179 ret = krb5_ntlm_alloc(c->context, &c->ntlm);
181 kdc_destroy(&junk, c);
183 return GSS_S_FAILURE;
188 return GSS_S_COMPLETE;
192 kdc_probe(OM_uint32 *minor, void *ctx, const char *realm)
194 struct ntlmkrb5 *c = ctx;
198 ret = krb5_digest_probe(c->context, rk_UNCONST(realm), c->id, &flags);
202 if ((flags & (1|2|4)) == 0)
213 kdc_destroy(OM_uint32 *minor, void *ctx)
215 struct ntlmkrb5 *c = ctx;
216 krb5_data_free(&c->opaque);
217 krb5_data_free(&c->sessionkey);
219 krb5_ntlm_free(c->context, c->ntlm);
222 krb5_cc_destroy(c->context, c->id);
224 krb5_cc_close(c->context, c->id);
227 krb5_free_context(c->context);
228 memset(c, 0, sizeof(*c));
231 return GSS_S_COMPLETE;
239 kdc_type2(OM_uint32 *minor_status,
242 const char *hostname,
245 struct ntlm_buf *out)
247 struct ntlmkrb5 *c = ctx;
249 struct ntlm_type2 type2;
251 struct ntlm_buf data;
254 memset(&type2, 0, sizeof(type2));
257 * Request data for type 2 packet from the KDC.
259 ret = krb5_ntlm_init_request(c->context,
268 return GSS_S_FAILURE;
275 ret = krb5_ntlm_init_get_opaque(c->context, c->ntlm, &c->opaque);
278 return GSS_S_FAILURE;
285 ret = krb5_ntlm_init_get_flags(c->context, c->ntlm, &type2.flags);
288 return GSS_S_FAILURE;
290 *ret_flags = type2.flags;
292 ret = krb5_ntlm_init_get_challenge(c->context, c->ntlm, &challenge);
295 return GSS_S_FAILURE;
298 if (challenge.length != sizeof(type2.challenge)) {
299 *minor_status = EINVAL;
300 return GSS_S_FAILURE;
302 memcpy(type2.challenge, challenge.data, sizeof(type2.challenge));
303 krb5_data_free(&challenge);
305 ret = krb5_ntlm_init_get_targetname(c->context, c->ntlm,
309 return GSS_S_FAILURE;
312 ret = krb5_ntlm_init_get_targetinfo(c->context, c->ntlm, &ti);
314 free(type2.targetname);
316 return GSS_S_FAILURE;
319 type2.targetinfo.data = ti.data;
320 type2.targetinfo.length = ti.length;
322 ret = heim_ntlm_encode_type2(&type2, &data);
323 free(type2.targetname);
327 return GSS_S_FAILURE;
330 out->data = data.data;
331 out->length = data.length;
333 return GSS_S_COMPLETE;
341 kdc_type3(OM_uint32 *minor_status,
343 const struct ntlm_type3 *type3,
344 struct ntlm_buf *sessionkey)
346 struct ntlmkrb5 *c = ctx;
349 sessionkey->data = NULL;
350 sessionkey->length = 0;
352 ret = krb5_ntlm_req_set_flags(c->context, c->ntlm, type3->flags);
354 ret = krb5_ntlm_req_set_username(c->context, c->ntlm, type3->username);
356 ret = krb5_ntlm_req_set_targetname(c->context, c->ntlm,
359 ret = krb5_ntlm_req_set_lm(c->context, c->ntlm,
360 type3->lm.data, type3->lm.length);
362 ret = krb5_ntlm_req_set_ntlm(c->context, c->ntlm,
363 type3->ntlm.data, type3->ntlm.length);
365 ret = krb5_ntlm_req_set_opaque(c->context, c->ntlm, &c->opaque);
368 if (type3->sessionkey.length) {
369 ret = krb5_ntlm_req_set_session(c->context, c->ntlm,
370 type3->sessionkey.data,
371 type3->sessionkey.length);
376 * Verify with the KDC the type3 packet is ok
378 ret = krb5_ntlm_request(c->context,
385 if (krb5_ntlm_rep_get_status(c->context, c->ntlm) != TRUE) {
390 if (type3->sessionkey.length) {
391 ret = krb5_ntlm_rep_get_sessionkey(c->context,
397 sessionkey->data = c->sessionkey.data;
398 sessionkey->length = c->sessionkey.length;
405 return GSS_S_FAILURE;
413 kdc_free_buffer(struct ntlm_buf *sessionkey)
415 if (sessionkey->data)
416 free(sessionkey->data);
417 sessionkey->data = NULL;
418 sessionkey->length = 0;
425 struct ntlm_server_interface ntlmsspi_kdc_digest = {