summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2002-11-24 08:32:03 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-11-24 08:32:03 +0000
commit5aca399a382fcd1e1664749f7b6fe7b9a67ac75e (patch)
treef7fc8cc002562720a385e3cf515a001a03993a1e
parent191dff2d279dd8315f093e313d8c149e786eb19f (diff)
downloadsamba-5aca399a382fcd1e1664749f7b6fe7b9a67ac75e.tar.gz
samba-5aca399a382fcd1e1664749f7b6fe7b9a67ac75e.tar.bz2
samba-5aca399a382fcd1e1664749f7b6fe7b9a67ac75e.zip
Add ntlm_auth, a new program to provide a stable interface to winbind's
authentication code. In particular, ntlm_auth is designed to replace the winbind authentication 'helpers' currently supplied by Squid. I have added support for the current plaintext password protocol used by Squid, and will add the real guts (NTLMSSP support) shortly. I'll merge this into 3.0 when I've got the interface more stable (error message format etc) and got the important NTLMSSP support added. Also move SWAT's URL decoding code into util_str.c, for use in both utilities. Andrew Bartlett (This used to be commit 82dbf838879e8a2d2d3f9dd5be6eda50b780b787)
-rw-r--r--source3/Makefile.in10
-rw-r--r--source3/lib/util_str.c41
-rw-r--r--source3/utils/ntlm_auth.c416
-rw-r--r--source3/web/cgi.c45
4 files changed, 470 insertions, 42 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index a8401968f3..05457ec03c 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -99,7 +99,7 @@ SBIN_PROGS = bin/smbd bin/nmbd bin/swat bin/wrepld @EXTRA_SBIN_PROGS@
BIN_PROGS1 = bin/smbclient bin/net bin/smbspool bin/testparm bin/testprns bin/smbstatus
BIN_PROGS2 = bin/smbcontrol bin/smbtree bin/tdbbackup bin/nmblookup bin/pdbedit
-BIN_PROGS3 = bin/smbpasswd bin/rpcclient bin/smbcacls bin/profiles bin/smbgroupedit
+BIN_PROGS3 = bin/smbpasswd bin/rpcclient bin/smbcacls bin/profiles bin/smbgroupedit bin/ntlm_auth
TORTURE_PROGS = bin/smbtorture bin/msgtest bin/masktest bin/locktest \
bin/locktest2 bin/nsstest bin/vfstest
@@ -533,6 +533,8 @@ POPT_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
TDBBACKUP_OBJ = tdb/tdbbackup.o $(TDBBASE_OBJ)
+NTLM_AUTH_OBJ = utils/ntlm_auth.o $(POPT_LIB_OBJ)
+
######################################################################
# now the rules...
######################################################################
@@ -872,6 +874,12 @@ bin/wbinfo: $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
@$(LINK) -o $@ $(WBINFO_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
$(UBIQX_OBJ) $(SECRETS_OBJ) $(LIBS) @BUILD_POPT@
+bin/ntlm_auth: $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
+ $(UBIQX_OBJ) @BUILD_POPT@ bin/.dummy
+ @echo Linking $@
+ @$(LINK) -o $@ $(NTLM_AUTH_OBJ) $(PARAM_OBJ) $(LIB_OBJ) \
+ $(UBIQX_OBJ) $(LIBS) @BUILD_POPT@
+
bin/pam_smbpass.@SHLIBEXT@: $(PAM_SMBPASS_PICOOBJ)
@echo "Linking shared library $@"
$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_SMBPASS_PICOOBJ) -lpam $(DYNEXP) $(LIBS) -lc
diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c
index 32efee1536..dfadac0e47 100644
--- a/source3/lib/util_str.c
+++ b/source3/lib/util_str.c
@@ -1366,3 +1366,44 @@ BOOL str_list_substitute(char **list, const char *pattern, const char *insert)
return True;
}
+
+/***********************************************************
+ Unescape a URL encoded string, in place.
+***********************************************************/
+
+void rfc1738_unescape(char *buf)
+{
+ char *p=buf;
+
+ while ((p=strchr_m(p,'+')))
+ *p = ' ';
+
+ p = buf;
+
+ while (p && *p && (p=strchr_m(p,'%'))) {
+ int c1 = p[1];
+ int c2 = p[2];
+
+ if (c1 >= '0' && c1 <= '9')
+ c1 = c1 - '0';
+ else if (c1 >= 'A' && c1 <= 'F')
+ c1 = 10 + c1 - 'A';
+ else if (c1 >= 'a' && c1 <= 'f')
+ c1 = 10 + c1 - 'a';
+ else {p++; continue;}
+
+ if (c2 >= '0' && c2 <= '9')
+ c2 = c2 - '0';
+ else if (c2 >= 'A' && c2 <= 'F')
+ c2 = 10 + c2 - 'A';
+ else if (c2 >= 'a' && c2 <= 'f')
+ c2 = 10 + c2 - 'a';
+ else {p++; continue;}
+
+ *p = (c1<<4) | c2;
+
+ memmove(p+1, p+3, strlen(p+3)+1);
+ p++;
+ }
+}
+
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
new file mode 100644
index 0000000000..bd876d694e
--- /dev/null
+++ b/source3/utils/ntlm_auth.c
@@ -0,0 +1,416 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind status program.
+
+ Copyright (C) Tim Potter 2000-2002
+ Copyright (C) Andrew Bartlett 2002
+ Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_WINBIND
+
+#define SQUID_BUFFER_SIZE 2010
+
+extern int winbindd_fd;
+
+static const char *helper_protocol;
+static const char *username;
+static const char *domain;
+static const char *workstation;
+static const char *hex_challenge;
+static const char *hex_lm_response;
+static const char *hex_nt_response;
+static unsigned char *challenge;
+static size_t challenge_len;
+static unsigned char *lm_response;
+static size_t lm_response_len;
+static unsigned char *nt_response;
+static size_t nt_response_len;
+
+static char *password;
+
+static char winbind_separator(void)
+{
+ struct winbindd_response response;
+ static BOOL got_sep;
+ static char sep;
+
+ if (got_sep)
+ return sep;
+
+ ZERO_STRUCT(response);
+
+ /* Send off request */
+
+ if (winbindd_request(WINBINDD_INFO, NULL, &response) !=
+ NSS_STATUS_SUCCESS) {
+ d_printf("could not obtain winbind separator!\n");
+ return '\\';
+ }
+
+ sep = response.data.info.winbind_separator;
+ got_sep = True;
+
+ if (!sep) {
+ d_printf("winbind separator was NULL!\n");
+ return '\\';
+ }
+
+ return sep;
+}
+
+static const char *get_winbind_domain(void)
+{
+ struct winbindd_response response;
+
+ static fstring winbind_domain;
+
+ ZERO_STRUCT(response);
+
+ /* Send off request */
+
+ if (winbindd_request(WINBINDD_DOMAIN_NAME, NULL, &response) !=
+ NSS_STATUS_SUCCESS) {
+ d_printf("could not obtain winbind domain name!\n");
+ return NULL;
+ }
+
+ fstrcpy(winbind_domain, response.data.domain_name);
+
+ return winbind_domain;
+
+}
+
+/* Authenticate a user with a plaintext password */
+
+static BOOL check_plaintext_auth(const char *user, const char *pass, BOOL stdout_diagnostics)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.auth.user, user);
+ fstrcpy(request.data.auth.pass, pass);
+
+ result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
+
+ /* Display response */
+
+ if (stdout_diagnostics) {
+ if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
+ d_printf("Reading winbind reply failed! (0x01)\n");
+ }
+
+ d_printf("%s (0x%x)\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status);
+ } else {
+ if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
+ DEBUG(1, ("Reading winbind reply failed! (0x01)\n"));
+ }
+
+ DEBUG(3, ("%s (0x%x)\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status));
+ }
+
+ return (result == NSS_STATUS_SUCCESS);
+}
+
+static void manage_squid_2_5_basic_request()
+{
+ char buf[SQUID_BUFFER_SIZE+1];
+ int length;
+ char *c, *user, *pass;
+ static BOOL err;
+
+ if (x_fgets(buf, sizeof(buf)-1, x_stdin) == NULL) {
+ DEBUG(1, ("fgets() failed! dying..... errno=%d (%s)\n", errno,
+ strerror(errno)));
+ exit(1); /* BIIG buffer */
+ }
+
+ c=memchr(buf,'\n',sizeof(buf)-1);
+ if (c) {
+ *c = '\0';
+ length = c-buf;
+ } else {
+ err = 1;
+ return;
+ }
+ if (err) {
+ DEBUG(2, ("Oversized message\n"));
+ x_fprintf(x_stderr, "ERR\n");
+ err = 0;
+ return;
+ }
+
+ DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
+
+ if (buf[0] == '\0') {
+ DEBUG(2, ("Invalid Request\n"));
+ x_fprintf(x_stderr, "ERR\n");
+ return;
+ }
+
+ user=buf;
+
+ pass=memchr(buf,' ',length);
+ if (!pass) {
+ DEBUG(2, ("Password not found. Denying access\n"));
+ x_fprintf(x_stderr, "ERR\n");
+ return;
+ }
+ *pass='\0';
+ pass++;
+
+ rfc1738_unescape(user);
+ rfc1738_unescape(pass);
+
+ if (check_plaintext_auth(user, pass, False)) {
+ x_fprintf(x_stdout, "OK\n");
+ } else {
+ x_fprintf(x_stdout, "ERR\n");
+ }
+}
+
+
+static void squid_2_5_basic(void) {
+ /* initialize FDescs */
+ x_setbuf(x_stdout, NULL);
+ x_setbuf(x_stderr, NULL);
+ while(1) {
+ manage_squid_2_5_basic_request();
+ }
+}
+
+
+/* Authenticate a user with a challenge/response */
+
+static BOOL check_auth_crap(void)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ fstrcpy(request.data.auth_crap.user, username);
+
+ fstrcpy(request.data.auth_crap.domain, domain);
+ fstrcpy(request.data.auth_crap.workstation, workstation);
+
+ memcpy(request.data.auth_crap.chal, challenge, MIN(challenge_len, 8));
+
+ memcpy(request.data.auth_crap.lm_resp, lm_response, MIN(lm_response_len, sizeof(request.data.auth_crap.lm_resp)));
+
+ memcpy(request.data.auth_crap.nt_resp, nt_response, MIN(nt_response_len, sizeof(request.data.auth_crap.nt_resp)));
+
+ request.data.auth_crap.lm_resp_len = lm_response_len;
+ request.data.auth_crap.nt_resp_len = nt_response_len;
+
+ result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
+
+ /* Display response */
+
+ if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
+ d_printf("Reading winbind reply failed! (0x01)\n");
+ }
+
+ d_printf("%s (0x%x)\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status);
+
+ return result == NSS_STATUS_SUCCESS;
+}
+
+/* Main program */
+
+enum {
+ OPT_USERNAME = 1000,
+ OPT_DOMAIN,
+ OPT_WORKSTATION,
+ OPT_CHALLENGE,
+ OPT_RESPONSE,
+ OPT_LM,
+ OPT_NT,
+ OPT_PASSWORD
+};
+
+/*************************************************************
+ Routine to set hex password characters into an allocated array.
+**************************************************************/
+
+void hex_encode(const unsigned char *buff_in, size_t len, char **out_hex_buffer)
+{
+ int i;
+ char *hex_buffer;
+
+ *out_hex_buffer = smb_xmalloc((len*2)+1);
+ hex_buffer = *out_hex_buffer;
+
+ for (i = 0; i < len; i++)
+ slprintf(&hex_buffer[i*2], 3, "%02X", buff_in[i]);
+}
+
+/*************************************************************
+ Routine to get the 32 hex characters and turn them
+ into a 16 byte array.
+**************************************************************/
+
+BOOL hex_decode(const char *hex_buf_in, unsigned char **out_buffer, size_t *size)
+{
+ int i;
+ size_t hex_buf_in_len = strlen(hex_buf_in);
+ unsigned char partial_byte_hex;
+ unsigned char partial_byte;
+ char *hexchars = "0123456789ABCDEF";
+ char *p;
+ BOOL high = True;
+
+ if (!hex_buf_in)
+ return (False);
+
+ *size = (hex_buf_in_len + 1) / 2;
+
+ *out_buffer = smb_xmalloc(*size);
+
+ for (i = 0; i < hex_buf_in_len; i++) {
+ partial_byte_hex = toupper(hex_buf_in[i]);
+
+ p = strchr(hexchars, partial_byte_hex);
+
+ if (!p)
+ return (False);
+
+ partial_byte = PTR_DIFF(p, hexchars);
+
+ if (high) {
+ (*out_buffer)[i / 2] = (partial_byte << 4);
+ } else {
+ (*out_buffer)[i / 2] |= partial_byte;
+ }
+ high = !high;
+ }
+ return (True);
+}
+
+
+int main(int argc, const char **argv)
+{
+ int opt;
+
+ poptContext pc;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+
+ { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
+ { "username", 0, POPT_ARG_STRING, &username, OPT_USERNAME, "username"},
+ { "domain", 0, POPT_ARG_STRING, &domain, OPT_DOMAIN, "domain name"},
+ { "workstation", 0, POPT_ARG_STRING, &domain, OPT_WORKSTATION, "workstation"},
+ { "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
+ { "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
+ { "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
+ { "password", 0, POPT_ARG_STRING, &password, OPT_PASSWORD, "User's plaintext password"},
+ { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debug },
+ { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile },
+ { 0, 0, 0, 0 }
+ };
+
+ /* Samba client initialisation */
+
+ dbf = x_stderr;
+
+ /* Parse options */
+
+ pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
+
+ /* Parse command line options */
+
+ if (argc == 1) {
+ poptPrintHelp(pc, stderr, 0);
+ return 1;
+ }
+
+ pc = poptGetContext(NULL, argc, (const char **)argv, long_options,
+ POPT_CONTEXT_KEEP_FIRST);
+
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ case OPT_CHALLENGE:
+ if (!hex_decode(hex_challenge, &challenge, &challenge_len)) {
+ fprintf(stderr, "hex decode of %s failed!\n", hex_challenge);
+ exit(1);
+ }
+ break;
+ case OPT_LM:
+ if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) {
+ fprintf(stderr, "hex decode of %s failed!\n", lm_response);
+ exit(1);
+ }
+ break;
+ case OPT_NT:
+ if (!hex_decode(hex_lm_response, &lm_response, &lm_response_len)) {
+ fprintf(stderr, "hex decode of %s failed!\n", lm_response);
+ exit(1);
+ }
+ break;
+ }
+ }
+
+ if (helper_protocol) {
+ if (strcmp(helper_protocol, "squid-2.5-basic")== 0) {
+ squid_2_5_basic();
+ }
+ }
+
+ if (domain == NULL) {
+ domain = get_winbind_domain();
+ }
+
+ if (workstation == NULL) {
+ workstation = "";
+ }
+
+ if (challenge) {
+ if (!check_auth_crap()) {
+ exit(1);
+ }
+ } else if (password) {
+ fstring user;
+ snprintf(user, sizeof(user)-1, "%s%c%s", domain, winbind_separator(), username);
+ if (!check_plaintext_auth(user, password, True)) {
+ exit(1);
+ }
+ }
+
+ /* Exit code */
+
+ poptFreeContext(pc);
+ return 0;
+}
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index c9cb78f6f1..96520c0eef 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -46,43 +46,6 @@ static char *C_user;
static BOOL inetd_server;
static BOOL got_request;
-static void unescape(char *buf)
-{
- char *p=buf;
-
- while ((p=strchr_m(p,'+')))
- *p = ' ';
-
- p = buf;
-
- while (p && *p && (p=strchr_m(p,'%'))) {
- int c1 = p[1];
- int c2 = p[2];
-
- if (c1 >= '0' && c1 <= '9')
- c1 = c1 - '0';
- else if (c1 >= 'A' && c1 <= 'F')
- c1 = 10 + c1 - 'A';
- else if (c1 >= 'a' && c1 <= 'f')
- c1 = 10 + c1 - 'a';
- else {p++; continue;}
-
- if (c2 >= '0' && c2 <= '9')
- c2 = c2 - '0';
- else if (c2 >= 'A' && c2 <= 'F')
- c2 = 10 + c2 - 'A';
- else if (c2 >= 'a' && c2 <= 'f')
- c2 = 10 + c2 - 'a';
- else {p++; continue;}
-
- *p = (c1<<4) | c2;
-
- memmove(p+1, p+3, strlen(p+3)+1);
- p++;
- }
-}
-
-
static char *grab_line(FILE *f, int *cl)
{
char *ret = NULL;
@@ -167,8 +130,8 @@ void cgi_load_variables(void)
!variables[num_variables].value)
continue;
- unescape(variables[num_variables].value);
- unescape(variables[num_variables].name);
+ rfc1738_unescape(variables[num_variables].value);
+ rfc1738_unescape(variables[num_variables].name);
#ifdef DEBUG_COMMENTS
printf("<!== POST var %s has value \"%s\" ==>\n",
@@ -198,8 +161,8 @@ void cgi_load_variables(void)
!variables[num_variables].value)
continue;
- unescape(variables[num_variables].value);
- unescape(variables[num_variables].name);
+ rfc1738_unescape(variables[num_variables].value);
+ rfc1738_unescape(variables[num_variables].name);
#ifdef DEBUG_COMMENTS
printf("<!== Commandline var %s has value \"%s\" ==>\n",