1 /*
2 * NTLM and NTLMv2 authentication mechanism.
3 *
4 * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
5 *
6 * This software is released under the MIT license.
7 */
8
9 #include "common.h"
10 #include "mech.h"
11 #include "passdb.h"
12 #include "str.h"
13 #include "buffer.h"
14 #include "hex-binary.h"
15 #include "safe-memset.h"
16
17 #include "ntlm.h"
18
/*
 * Per-request state of the NTLM mechanism.
 *
 * auth_request must stay the first member: the passdb callbacks and the
 * continue handler receive a struct auth_request * and cast it straight
 * to struct ntlm_auth_request *.
 */
struct ntlm_auth_request {
	struct auth_request auth_request;

	/* pool the challenge message is allocated from
	   (ntlmssp_create_challenge in mech_ntlm_auth_continue) */
	pool_t pool;

	/* requested: taken from the flags of the challenge we sent */
	bool ntlm2_negotiated;		/* NTLMSSP_NEGOTIATE_NTLM2 set */
	bool unicode_negotiated;	/* NTLMSSP_NEGOTIATE_UNICODE set */
	/* points into the challenge message; the continue handler treats
	   NULL as "no challenge sent yet" */
	const unsigned char *challenge;

	/* received: the client's response message, read through the
	   ntlmssp_buffer_* accessors by the *_verify_credentials functions
	   (where it is assigned is outside this excerpt) */
	struct ntlmssp_response *response;
};
/*
 * Check the client's LM response against the LANMAN hash from the passdb.
 *
 * credentials/size: the hash looked up for the user; must be exactly
 * LM_HASH_SIZE bytes. The expected response is computed from that hash and
 * the challenge we sent, then compared with the lm_response buffer of the
 * client's message.
 *
 * Returns TRUE only when the hash has the right size, the client's buffer
 * is at least LM_RESPONSE_SIZE bytes and the two responses match.
 * memcmp() stops at the first differing byte; the expected value is tied to
 * this request's challenge, so a timing-safe compare would be a defensive
 * improvement rather than a fix.
 */
static bool lm_verify_credentials(struct ntlm_auth_request *request,
				  const unsigned char *credentials, size_t size)
{
	unsigned char expected[LM_RESPONSE_SIZE];
	const unsigned char *received;
	unsigned int received_len;

	/* the LANMAN scheme must yield exactly one LM hash */
	if (size != LM_HASH_SIZE) {
		auth_request_log_error(&request->auth_request, "lm",
				       "invalid credentials length");
		return FALSE;
	}

	/* lm_response names the buffer field of the client's message */
	received = ntlmssp_buffer_data(request->response, lm_response);
	received_len = ntlmssp_buffer_length(request->response, lm_response);
	if (received_len < LM_RESPONSE_SIZE) {
		/* note: logged under "ntlm", unlike the size check above */
		auth_request_log_error(&request->auth_request, "ntlm",
				       "LM response length is too small");
		return FALSE;
	}

	ntlmssp_v1_response(credentials, request->challenge, expected);
	if (memcmp(expected, received, LM_RESPONSE_SIZE) != 0)
		return FALSE;
	return TRUE;
}
/*
 * passdb callback for the LANMAN lookup that ntlm_credentials_callback
 * issues as a fallback.
 *
 * The request succeeds only when the passdb returned a hash and the
 * client's LM response matches it. An internal passdb error is reported
 * as such; every other outcome (user not found, no LANMAN credentials,
 * response mismatch) fails the request.
 */
static void
lm_credentials_callback(enum passdb_result result,
			const unsigned char *credentials, size_t size,
			struct auth_request *auth_request)
{
	struct ntlm_auth_request *request =
		(struct ntlm_auth_request *)auth_request;

	if (result == PASSDB_RESULT_INTERNAL_FAILURE) {
		auth_request_internal_failure(auth_request);
		return;
	}

	if (result != PASSDB_RESULT_OK ||
	    !lm_verify_credentials(request, credentials, size)) {
		/* no usable credentials, or the LM response did not match */
		auth_request_fail(auth_request);
		return;
	}

	auth_request_success(auth_request, NULL, 0);
}
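/*
 * Check the client's NTLM response against the NTLM hash from the passdb.
 *
 * credentials/size: the hash looked up for the user; must be exactly
 * NTLMSSP_HASH_SIZE bytes. The kind of response the client sent is decided
 * by the length of its ntlm_response buffer: longer than
 * NTLMSSP_RESPONSE_SIZE means NTLMv2 (NTLMSSP_V2_RESPONSE_SIZE bytes of
 * response followed by the client blob); otherwise NTLMv1, or — when
 * NTLMSSP_NEGOTIATE_NTLM2 was agreed in the challenge — the NTLM2 session
 * response, which also uses the lm_response buffer of the client's message.
 *
 * Returns 1 on a match, -1 on a mismatch or invalid input (the request must
 * fail), and 0 when the client sent no NTLM response and NTLM2 was not
 * negotiated, in which case the caller may fall back to LM verification.
 */
static int
ntlm_verify_credentials(struct ntlm_auth_request *request,
			const unsigned char *credentials, size_t size)
{
	struct auth_request *auth_request = &request->auth_request;
	const unsigned char *client_response;
	unsigned int response_length;

	/* ntlm_response names the buffer field of the client's message */
	response_length =
		ntlmssp_buffer_length(request->response, ntlm_response);
	client_response = ntlmssp_buffer_data(request->response, ntlm_response);

	if (response_length == 0) {
		/* try LM authentication unless NTLM2 was negotiated */
		return request->ntlm2_negotiated ? -1 : 0;
	}

	if (size != NTLMSSP_HASH_SIZE) {
		auth_request_log_error(auth_request, "ntlm",
				       "invalid credentials length");
		return -1;
	}

	if (response_length > NTLMSSP_RESPONSE_SIZE) {
		unsigned char ntlm_v2_response[NTLMSSP_V2_RESPONSE_SIZE];
		const unsigned char *blob =
			client_response + NTLMSSP_V2_RESPONSE_SIZE;

		/*
		 * Authentication target == NULL because we are acting
		 * as a standalone server, not as NT domain member.
		 */
		ntlmssp_v2_response(auth_request->user, NULL,
				    credentials, request->challenge, blob,
				    response_length - NTLMSSP_V2_RESPONSE_SIZE,
				    ntlm_v2_response);

		return memcmp(ntlm_v2_response, client_response,
			      NTLMSSP_V2_RESPONSE_SIZE) == 0 ? 1 : -1;
	} else {
		unsigned char ntlm_response[NTLMSSP_RESPONSE_SIZE];
		const unsigned char *client_lm_response =
			ntlmssp_buffer_data(request->response, lm_response);

		/* The comparison below reads NTLMSSP_RESPONSE_SIZE bytes of
		   client_response, but so far only a non-zero length has been
		   established. Reject shorter buffers here (as
		   lm_verify_credentials does for the LM buffer) instead of
		   relying on ntlmssp_check_response to have done so. */
		if (response_length < NTLMSSP_RESPONSE_SIZE) {
			auth_request_log_error(auth_request, "ntlm",
					       "NTLM response length is too small");
			return -1;
		}

		if (request->ntlm2_negotiated) {
			/* NOTE(review): the lm_response buffer is used as
			   input here without a length check of its own —
			   confirm ntlmssp_check_response covers it. */
			ntlmssp2_response(credentials, request->challenge,
					  client_lm_response,
					  ntlm_response);
		} else {
			ntlmssp_v1_response(credentials, request->challenge,
					    ntlm_response);
		}

		return memcmp(ntlm_response, client_response,
			      NTLMSSP_RESPONSE_SIZE) == 0 ? 1 : -1;
	}
}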
/*
 * passdb callback for the NTLM credentials lookup.
 *
 * On a passdb hit the client's NTLM response is verified: a match succeeds
 * the request and a mismatch (or malformed input) fails it, while a "no
 * NTLM response" verdict from ntlm_verify_credentials falls through.
 * Internal passdb errors are reported as such. Every remaining case — no
 * NTLM hash for the user, or the client only sent an LM response — retries
 * the lookup with the LANMAN scheme and continues in
 * lm_credentials_callback.
 */
static void
ntlm_credentials_callback(enum passdb_result result,
			  const unsigned char *credentials, size_t size,
			  struct auth_request *auth_request)
{
	struct ntlm_auth_request *request =
		(struct ntlm_auth_request *)auth_request;

	if (result == PASSDB_RESULT_INTERNAL_FAILURE) {
		auth_request_internal_failure(auth_request);
		return;
	}

	if (result == PASSDB_RESULT_OK) {
		int verdict =
			ntlm_verify_credentials(request, credentials, size);

		if (verdict != 0) {
			if (verdict > 0)
				auth_request_success(auth_request, NULL, 0);
			else
				auth_request_fail(auth_request);
			return;
		}
		/* verdict == 0: no NTLM response in the message, the LM
		   response may still be usable */
	}

	/* NTLM credentials not found or didn't want to use them,
	   try with LM credentials */
	auth_request_lookup_credentials(auth_request, "LANMAN",
					lm_credentials_callback);
}
175 static void
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
176 mech_ntlm_auth_continue(struct auth_request *auth_request,
3071
c7db6b291daa API cleanup
Timo Sirainen <tss@iki.fi>
parents: 3069
diff changeset
177 const unsigned char *data, size_t data_size)
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
178 {
2736
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
179 struct ntlm_auth_request *request =
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
180 (struct ntlm_auth_request *)auth_request;
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
181 const char *error;
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
182
2736
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
183 if (!request->challenge) {
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
184 const struct ntlmssp_request *ntlm_request =
4020
fcfd44f56b04 While casting const pointers to something else, the const was often
Timo Sirainen <tss@iki.fi>
parents: 3863
diff changeset
185 (const struct ntlmssp_request *)data;
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
186 const struct ntlmssp_challenge *message;
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
187 size_t message_size;
2808
48250919bbc4 support OEM encoding in NTLM messages. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents: 2736
diff changeset
188 uint32_t flags;
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
189
2736
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
190 if (!ntlmssp_check_request(ntlm_request, data_size, &error)) {
3069
131151e25e4b Added auth_request_log_*().
Timo Sirainen <tss@iki.fi>
parents: 3068
diff changeset
191 auth_request_log_info(auth_request, "ntlm",
131151e25e4b Added auth_request_log_*().
Timo Sirainen <tss@iki.fi>
parents: 3068
diff changeset
192 "invalid NTLM request: %s", error);
3064
2d33734b16d5 Split auth_request* functions from mech.c to auth-request.c
Timo Sirainen <tss@iki.fi>
parents: 3058
diff changeset
193 auth_request_fail(auth_request);
2736
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
194 return;
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
195 }
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
196
2736
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
197 message = ntlmssp_create_challenge(request->pool, ntlm_request,
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
198 &message_size);
2808
48250919bbc4 support OEM encoding in NTLM messages. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents: 2736
diff changeset
199 flags = read_le32(&message->flags);
48250919bbc4 support OEM encoding in NTLM messages. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents: 2736
diff changeset
200 request->ntlm2_negotiated = flags & NTLMSSP_NEGOTIATE_NTLM2;
48250919bbc4 support OEM encoding in NTLM messages. Patch by Andrey Panin.
Timo Sirainen <tss@iki.fi>
parents: 2736
diff changeset
201 request->unicode_negotiated = flags & NTLMSSP_NEGOTIATE_UNICODE;
2736
0f31778d3c34 Changed dovecot-auth protocol to ASCII based. Should be easier now to write
Timo Sirainen <tss@iki.fi>
parents: 2696
diff changeset
202 request->challenge = message->challenge;
2377
8f5be0be3199 NTLM authentication. Patch by Andrey Panin
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
203
204 auth_request->callback(auth_request,
205 AUTH_CLIENT_RESULT_CONTINUE,
206 message, message_size);
207 } else {
208 const struct ntlmssp_response *response =
209 (const struct ntlmssp_response *)data;
210 const char *username;
211
212 if (!ntlmssp_check_response(response, data_size, &error)) {
213 auth_request_log_info(auth_request, "ntlm",
214 "invalid NTLM response: %s", error);
215 auth_request_fail(auth_request);
216 return;
217 }
218
219 request->response = p_malloc(request->pool, data_size);
220 memcpy(request->response, response, data_size);
221
222 username = ntlmssp_t_str(request->response, user,
223 request->unicode_negotiated);
224
225 if (!auth_request_set_username(auth_request, username, &error)) {
226 auth_request_log_info(auth_request, "ntlm",
227 "%s", error);
228 auth_request_fail(auth_request);
229 return;
230 }
231
232 auth_request_lookup_credentials(auth_request, "NTLM",
233 ntlm_credentials_callback);
234 }
235 }
236
/*
 * Allocate a new NTLM authentication request.
 *
 * Every request gets its own alloconly pool; the pool handle is stored
 * twice, once in the mechanism-private struct (used by the continue
 * handler for challenge/response copies) and once in the embedded
 * generic auth_request, which is what the caller receives.
 *
 * Returns the embedded struct auth_request; the NTLM-specific wrapper
 * is reached from it via its containing struct. Ownership of the pool
 * presumably passes to the generic free handler in the module table.
 */
static struct auth_request *mech_ntlm_auth_new(void)
{
	pool_t req_pool = pool_alloconly_create("ntlm_auth_request", 1024);
	struct ntlm_auth_request *ntlm_req =
		p_new(req_pool, struct ntlm_auth_request, 1);

	/* Both the private and the generic view share the same pool. */
	ntlm_req->pool = req_pool;
	ntlm_req->auth_request.pool = req_pool;

	return &ntlm_req->auth_request;
}
249
/*
 * Mechanism descriptor for NTLM as registered with the auth server.
 *
 * NTLM is challenge/response, so the passdb must be able to return the
 * stored "NTLM" credentials rather than verify a plaintext password;
 * that is why passdb_need is MECH_PASSDB_NEED_LOOKUP_CREDENTIALS (the
 * continue handler issues auth_request_lookup_credentials() with scheme
 * "NTLM").
 *
 * NOTE(review): MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE is understood to
 * advertise that a captured exchange remains exposed to offline dictionary
 * attacks and that the mechanism does not defend against an active
 * (man-in-the-middle) attacker -- confirm against the flag definitions in
 * mech.h. Only auth_new and auth_continue are NTLM-specific; initial and
 * free use the generic handlers.
 */
const struct mech_module mech_ntlm = {
	"NTLM",

	MEMBER(flags) MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
	MEMBER(passdb_need) MECH_PASSDB_NEED_LOOKUP_CREDENTIALS,

	mech_ntlm_auth_new,
	mech_generic_auth_initial,
	mech_ntlm_auth_continue,
	mech_generic_auth_free
};