1 | /**************************************************************************** |
2 | ** |
3 | ** Copyright (C) 2016 The Qt Company Ltd. |
4 | ** Contact: https://www.qt.io/licensing/ |
5 | ** |
6 | ** This file is part of the QtNetwork module of the Qt Toolkit. |
7 | ** |
8 | ** $QT_BEGIN_LICENSE:LGPL$ |
9 | ** Commercial License Usage |
10 | ** Licensees holding valid commercial Qt licenses may use this file in |
11 | ** accordance with the commercial license agreement provided with the |
12 | ** Software or, alternatively, in accordance with the terms contained in |
13 | ** a written agreement between you and The Qt Company. For licensing terms |
14 | ** and conditions see https://www.qt.io/terms-conditions. For further |
15 | ** information use the contact form at https://www.qt.io/contact-us. |
16 | ** |
17 | ** GNU Lesser General Public License Usage |
18 | ** Alternatively, this file may be used under the terms of the GNU Lesser |
19 | ** General Public License version 3 as published by the Free Software |
20 | ** Foundation and appearing in the file LICENSE.LGPL3 included in the |
21 | ** packaging of this file. Please review the following information to |
22 | ** ensure the GNU Lesser General Public License version 3 requirements |
23 | ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html. |
24 | ** |
25 | ** GNU General Public License Usage |
26 | ** Alternatively, this file may be used under the terms of the GNU |
27 | ** General Public License version 2.0 or (at your option) the GNU General |
28 | ** Public license version 3 or any later version approved by the KDE Free |
29 | ** Qt Foundation. The licenses are as published by the Free Software |
30 | ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3 |
31 | ** included in the packaging of this file. Please review the following |
32 | ** information to ensure the GNU General Public License requirements will |
33 | ** be met: https://www.gnu.org/licenses/gpl-2.0.html and |
34 | ** https://www.gnu.org/licenses/gpl-3.0.html. |
35 | ** |
36 | ** $QT_END_LICENSE$ |
37 | ** |
38 | ****************************************************************************/ |
39 | |
40 | #include <qauthenticator.h> |
41 | #include <qauthenticator_p.h> |
42 | #include <qdebug.h> |
43 | #include <qloggingcategory.h> |
44 | #include <qhash.h> |
45 | #include <qbytearray.h> |
46 | #include <qcryptographichash.h> |
47 | #include <qiodevice.h> |
48 | #include <qdatastream.h> |
49 | #include <qendian.h> |
50 | #include <qstring.h> |
51 | #include <qdatetime.h> |
52 | #include <qrandom.h> |
53 | #include "private/qsystemlibrary_p.h" |
54 | |
55 | #ifdef Q_OS_WIN |
56 | #include <qmutex.h> |
57 | #include <rpc.h> |
58 | #endif |
59 | |
60 | #if QT_CONFIG(sspi) // SSPI |
61 | #define SECURITY_WIN32 1 |
62 | #include <security.h> |
63 | #elif QT_CONFIG(gssapi) // GSSAPI |
64 | #if defined(Q_OS_DARWIN) |
65 | #include <GSS/GSS.h> |
66 | #else |
67 | #include <gssapi/gssapi.h> |
68 | #endif // Q_OS_DARWIN |
69 | #endif // Q_CONFIG(sspi) |
70 | |
71 | QT_BEGIN_NAMESPACE |
72 | |
73 | Q_DECLARE_LOGGING_CATEGORY(lcAuthenticator); |
74 | Q_LOGGING_CATEGORY(lcAuthenticator, "qt.network.authenticator" ); |
75 | |
76 | static QByteArray qNtlmPhase1(); |
77 | static QByteArray qNtlmPhase3(QAuthenticatorPrivate *ctx, const QByteArray& phase2data); |
78 | #if QT_CONFIG(sspi) // SSPI |
79 | static bool q_SSPI_library_load(); |
80 | static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
81 | const QString& host); |
82 | static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
83 | const QString& host, const QByteArray& challenge = QByteArray()); |
84 | #elif QT_CONFIG(gssapi) // GSSAPI |
85 | static bool qGssapiTestGetCredentials(const QString &host); |
86 | static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString& host); |
87 | static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, |
88 | const QByteArray& challenge = QByteArray()); |
89 | #endif // gssapi |
90 | |
91 | /*! |
92 | \class QAuthenticator |
93 | \brief The QAuthenticator class provides an authentication object. |
94 | \since 4.3 |
95 | |
96 | \reentrant |
97 | \ingroup network |
98 | \inmodule QtNetwork |
99 | |
100 | The QAuthenticator class is usually used in the |
101 | \l{QNetworkAccessManager::}{authenticationRequired()} and |
102 | \l{QNetworkAccessManager::}{proxyAuthenticationRequired()} signals of QNetworkAccessManager and |
103 | QAbstractSocket. The class provides a way to pass back the required |
104 | authentication information to the socket when accessing services that |
105 | require authentication. |
106 | |
107 | QAuthenticator supports the following authentication methods: |
108 | \list |
109 | \li Basic |
110 | \li NTLM version 2 |
111 | \li Digest-MD5 |
112 | \li SPNEGO/Negotiate |
113 | \endlist |
114 | |
115 | \target qauthenticator-options |
116 | \section1 Options |
117 | |
118 | In addition to the username and password required for authentication, a |
119 | QAuthenticator object can also contain additional options. The |
120 | options() function can be used to query incoming options sent by |
121 | the server; the setOption() function can |
122 | be used to set outgoing options, to be processed by the authenticator |
123 | calculation. The options accepted and provided depend on the authentication |
124 | type (see method()). |
125 | |
126 | The following tables list known incoming options as well as accepted |
127 | outgoing options. The list of incoming options is not exhaustive, since |
128 | servers may include additional information at any time. The list of |
129 | outgoing options is exhaustive, however, and no unknown options will be |
130 | treated or sent back to the server. |
131 | |
132 | \section2 Basic |
133 | |
134 | \table |
135 | \header \li Option \li Direction \li Type \li Description |
136 | \row \li \tt{realm} \li Incoming \li QString \li Contains the realm of the authentication, the same as realm() |
137 | \endtable |
138 | |
139 | The Basic authentication mechanism supports no outgoing options. |
140 | |
141 | \section2 NTLM version 2 |
142 | |
143 | The NTLM authentication mechanism currently supports no incoming or outgoing options. |
144 | On Windows, if no \a user has been set, domain\\user credentials will be searched for on the |
145 | local system to enable Single-Sign-On functionality. |
146 | |
147 | \section2 Digest-MD5 |
148 | |
149 | \table |
150 | \header \li Option \li Direction \li Type \li Description |
151 | \row \li \tt{realm} \li Incoming \li QString \li Contains the realm of the authentication, the same as realm() |
152 | \endtable |
153 | |
154 | The Digest-MD5 authentication mechanism supports no outgoing options. |
155 | |
156 | \section2 SPNEGO/Negotiate |
157 | |
158 | This authentication mechanism currently supports no incoming or outgoing options. |
159 | |
160 | \sa QSslSocket |
161 | */ |
162 | |
163 | |
164 | /*! |
165 | Constructs an empty authentication object. |
166 | */ |
167 | QAuthenticator::QAuthenticator() |
168 | : d(nullptr) |
169 | { |
170 | } |
171 | |
172 | /*! |
173 | Destructs the object. |
174 | */ |
175 | QAuthenticator::~QAuthenticator() |
176 | { |
177 | if (d) |
178 | delete d; |
179 | } |
180 | |
181 | /*! |
182 | Constructs a copy of \a other. |
183 | */ |
184 | QAuthenticator::QAuthenticator(const QAuthenticator &other) |
185 | : d(nullptr) |
186 | { |
187 | if (other.d) |
188 | *this = other; |
189 | } |
190 | |
191 | /*! |
192 | Assigns the contents of \a other to this authenticator. |
193 | */ |
194 | QAuthenticator &QAuthenticator::operator=(const QAuthenticator &other) |
195 | { |
196 | if (d == other.d) |
197 | return *this; |
198 | |
199 | // Do not share the d since challange reponse/based changes |
200 | // could corrupt the internal store and different network requests |
201 | // can utilize different types of proxies. |
202 | detach(); |
203 | if (other.d) { |
204 | d->user = other.d->user; |
205 | d->userDomain = other.d->userDomain; |
206 | d->workstation = other.d->workstation; |
207 | d->extractedUser = other.d->extractedUser; |
208 | d->password = other.d->password; |
209 | d->realm = other.d->realm; |
210 | d->method = other.d->method; |
211 | d->options = other.d->options; |
212 | } else if (d->phase == QAuthenticatorPrivate::Start) { |
213 | delete d; |
214 | d = nullptr; |
215 | } |
216 | return *this; |
217 | } |
218 | |
219 | /*! |
220 | Returns \c true if this authenticator is identical to \a other; otherwise |
221 | returns \c false. |
222 | */ |
223 | bool QAuthenticator::operator==(const QAuthenticator &other) const |
224 | { |
225 | if (d == other.d) |
226 | return true; |
227 | if (!d || !other.d) |
228 | return false; |
229 | return d->user == other.d->user |
230 | && d->password == other.d->password |
231 | && d->realm == other.d->realm |
232 | && d->method == other.d->method |
233 | && d->options == other.d->options; |
234 | } |
235 | |
236 | /*! |
237 | \fn bool QAuthenticator::operator!=(const QAuthenticator &other) const |
238 | |
239 | Returns \c true if this authenticator is different from \a other; otherwise |
240 | returns \c false. |
241 | */ |
242 | |
243 | /*! |
244 | Returns the user used for authentication. |
245 | */ |
246 | QString QAuthenticator::user() const |
247 | { |
248 | return d ? d->user : QString(); |
249 | } |
250 | |
251 | /*! |
252 | Sets the \a user used for authentication. |
253 | |
254 | \sa QNetworkAccessManager::authenticationRequired() |
255 | */ |
256 | void QAuthenticator::setUser(const QString &user) |
257 | { |
258 | if (!d || d->user != user) { |
259 | detach(); |
260 | d->user = user; |
261 | d->updateCredentials(); |
262 | } |
263 | } |
264 | |
265 | /*! |
266 | Returns the password used for authentication. |
267 | */ |
268 | QString QAuthenticator::password() const |
269 | { |
270 | return d ? d->password : QString(); |
271 | } |
272 | |
273 | /*! |
274 | Sets the \a password used for authentication. |
275 | |
276 | \sa QNetworkAccessManager::authenticationRequired() |
277 | */ |
278 | void QAuthenticator::setPassword(const QString &password) |
279 | { |
280 | if (!d || d->password != password) { |
281 | detach(); |
282 | d->password = password; |
283 | } |
284 | } |
285 | |
286 | /*! |
287 | \internal |
288 | */ |
289 | void QAuthenticator::detach() |
290 | { |
291 | if (!d) { |
292 | d = new QAuthenticatorPrivate; |
293 | return; |
294 | } |
295 | |
296 | if (d->phase == QAuthenticatorPrivate::Done) |
297 | d->phase = QAuthenticatorPrivate::Start; |
298 | } |
299 | |
300 | /*! |
301 | Returns the realm requiring authentication. |
302 | */ |
303 | QString QAuthenticator::realm() const |
304 | { |
305 | return d ? d->realm : QString(); |
306 | } |
307 | |
308 | /*! |
309 | \internal |
310 | */ |
311 | void QAuthenticator::setRealm(const QString &realm) |
312 | { |
313 | if (!d || d->realm != realm) { |
314 | detach(); |
315 | d->realm = realm; |
316 | } |
317 | } |
318 | |
319 | /*! |
320 | \since 4.7 |
321 | Returns the value related to option \a opt if it was set by the server. |
322 | See the \l{QAuthenticator#qauthenticator-options}{Options section} for |
323 | more information on incoming options. |
324 | If option \a opt isn't found, an invalid QVariant will be returned. |
325 | |
326 | \sa options(), {QAuthenticator#qauthenticator-options}{QAuthenticator options} |
327 | */ |
328 | QVariant QAuthenticator::option(const QString &opt) const |
329 | { |
330 | return d ? d->options.value(akey: opt) : QVariant(); |
331 | } |
332 | |
333 | /*! |
334 | \since 4.7 |
335 | Returns all incoming options set in this QAuthenticator object by parsing |
336 | the server reply. See the \l{QAuthenticator#qauthenticator-options}{Options section} |
337 | for more information on incoming options. |
338 | |
339 | \sa option(), {QAuthenticator#qauthenticator-options}{QAuthenticator options} |
340 | */ |
341 | QVariantHash QAuthenticator::options() const |
342 | { |
343 | return d ? d->options : QVariantHash(); |
344 | } |
345 | |
346 | /*! |
347 | \since 4.7 |
348 | |
349 | Sets the outgoing option \a opt to value \a value. |
350 | See the \l{QAuthenticator#qauthenticator-options}{Options section} for more information on outgoing options. |
351 | |
352 | \sa options(), option(), {QAuthenticator#qauthenticator-options}{QAuthenticator options} |
353 | */ |
354 | void QAuthenticator::setOption(const QString &opt, const QVariant &value) |
355 | { |
356 | if (option(opt) != value) { |
357 | detach(); |
358 | d->options.insert(akey: opt, avalue: value); |
359 | } |
360 | } |
361 | |
362 | |
363 | /*! |
364 | Returns \c true if the object has not been initialized. Returns |
365 | \c false if non-const member functions have been called, or |
366 | the content was constructed or copied from another initialized |
367 | QAuthenticator object. |
368 | */ |
369 | bool QAuthenticator::isNull() const |
370 | { |
371 | return !d; |
372 | } |
373 | |
374 | #if QT_CONFIG(sspi) // SSPI |
375 | class QSSPIWindowsHandles |
376 | { |
377 | public: |
378 | CredHandle credHandle; |
379 | CtxtHandle ctxHandle; |
380 | }; |
381 | #elif QT_CONFIG(gssapi) // GSSAPI |
382 | class QGssApiHandles |
383 | { |
384 | public: |
385 | gss_ctx_id_t gssCtx = nullptr; |
386 | gss_name_t targetName; |
387 | }; |
388 | #endif // gssapi |
389 | |
390 | |
391 | QAuthenticatorPrivate::QAuthenticatorPrivate() |
392 | : method(None) |
393 | , hasFailed(false) |
394 | , phase(Start) |
395 | , nonceCount(0) |
396 | { |
397 | cnonce = QCryptographicHash::hash(data: QByteArray::number(QRandomGenerator::system()->generate64(), base: 16), |
398 | method: QCryptographicHash::Md5).toHex(); |
399 | nonceCount = 0; |
400 | } |
401 | |
402 | QAuthenticatorPrivate::~QAuthenticatorPrivate() = default; |
403 | |
404 | void QAuthenticatorPrivate::updateCredentials() |
405 | { |
406 | int separatorPosn = 0; |
407 | |
408 | switch (method) { |
409 | case QAuthenticatorPrivate::Ntlm: |
410 | if ((separatorPosn = user.indexOf(s: QLatin1String("\\" ))) != -1) { |
411 | //domain name is present |
412 | realm.clear(); |
413 | userDomain = user.left(n: separatorPosn); |
414 | extractedUser = user.mid(position: separatorPosn + 1); |
415 | } else { |
416 | extractedUser = user; |
417 | realm.clear(); |
418 | userDomain.clear(); |
419 | } |
420 | break; |
421 | default: |
422 | userDomain.clear(); |
423 | break; |
424 | } |
425 | } |
426 | |
427 | static bool verifyDigestMD5(const QByteArray &value) |
428 | { |
429 | auto opts = QAuthenticatorPrivate::parseDigestAuthenticationChallenge(challenge: value); |
430 | auto it = opts.constFind(akey: "algorithm" ); |
431 | if (it != opts.cend()) { |
432 | QByteArray alg = it.value(); |
433 | if (alg.size() < 3) |
434 | return false; |
435 | // Just compare the first 3 characters, that way we match other subvariants as well, such as |
436 | // "MD5-sess" |
437 | auto view = QByteArray::fromRawData(alg.data(), size: 3); |
438 | return view.compare(c: "MD5" , cs: Qt::CaseInsensitive) == 0; |
439 | } |
440 | return true; // assume it's ok if algorithm is not specified |
441 | } |
442 | |
443 | void QAuthenticatorPrivate::parseHttpResponse(const QList<QPair<QByteArray, QByteArray> > &values, bool isProxy, const QString &host) |
444 | { |
445 | #if !QT_CONFIG(gssapi) |
446 | Q_UNUSED(host); |
447 | #endif |
448 | const char *search = isProxy ? "proxy-authenticate" : "www-authenticate" ; |
449 | |
450 | method = None; |
451 | /* |
452 | Fun from the HTTP 1.1 specs, that we currently ignore: |
453 | |
454 | User agents are advised to take special care in parsing the WWW- |
455 | Authenticate field value as it might contain more than one challenge, |
456 | or if more than one WWW-Authenticate header field is provided, the |
457 | contents of a challenge itself can contain a comma-separated list of |
458 | authentication parameters. |
459 | */ |
460 | |
461 | QByteArray ; |
462 | for (int i = 0; i < values.size(); ++i) { |
463 | const QPair<QByteArray, QByteArray> ¤t = values.at(i); |
464 | if (current.first.compare(c: search, cs: Qt::CaseInsensitive) != 0) |
465 | continue; |
466 | QByteArray str = current.second.toLower(); |
467 | if (method < Basic && str.startsWith(c: "basic" )) { |
468 | method = Basic; |
469 | headerVal = current.second.mid(index: 6); |
470 | } else if (method < Ntlm && str.startsWith(c: "ntlm" )) { |
471 | method = Ntlm; |
472 | headerVal = current.second.mid(index: 5); |
473 | } else if (method < DigestMd5 && str.startsWith(c: "digest" )) { |
474 | // Make sure the algorithm is actually MD5 before committing to it: |
475 | QByteArray fieldValue = current.second.mid(index: 7); |
476 | if (!verifyDigestMD5(value: fieldValue)) |
477 | continue; |
478 | |
479 | method = DigestMd5; |
480 | headerVal = fieldValue; |
481 | } else if (method < Negotiate && str.startsWith(c: "negotiate" )) { |
482 | #if QT_CONFIG(sspi) || QT_CONFIG(gssapi) // if it's not supported then we shouldn't try to use it |
483 | #if QT_CONFIG(gssapi) |
484 | // For GSSAPI there needs to be a KDC set up for the host (afaict). |
485 | // So let's only conditionally use it if we can fetch the credentials. |
486 | // Sadly it's a bit slow because it requires a DNS lookup. |
487 | if (!qGssapiTestGetCredentials(host)) |
488 | continue; |
489 | #endif |
490 | method = Negotiate; |
491 | headerVal = current.second.mid(10); |
492 | #endif |
493 | } |
494 | } |
495 | |
496 | // Reparse credentials since we know the method now |
497 | updateCredentials(); |
498 | challenge = headerVal.trimmed(); |
499 | QHash<QByteArray, QByteArray> options = parseDigestAuthenticationChallenge(challenge); |
500 | |
501 | // Sets phase to Start if this updates our realm and sets the two locations where we store |
502 | // realm |
503 | auto privSetRealm = [this](QString newRealm) { |
504 | if (newRealm != realm) { |
505 | if (phase == Done) |
506 | phase = Start; |
507 | realm = newRealm; |
508 | this->options[QLatin1String("realm" )] = realm; |
509 | } |
510 | }; |
511 | |
512 | switch(method) { |
513 | case Basic: |
514 | privSetRealm(QString::fromLatin1(str: options.value(akey: "realm" ))); |
515 | if (user.isEmpty() && password.isEmpty()) |
516 | phase = Done; |
517 | break; |
518 | case Ntlm: |
519 | case Negotiate: |
520 | // work is done in calculateResponse() |
521 | break; |
522 | case DigestMd5: { |
523 | privSetRealm(QString::fromLatin1(str: options.value(akey: "realm" ))); |
524 | if (options.value(akey: "stale" ).compare(c: "true" , cs: Qt::CaseInsensitive) == 0) { |
525 | phase = Start; |
526 | nonceCount = 0; |
527 | } |
528 | if (user.isEmpty() && password.isEmpty()) |
529 | phase = Done; |
530 | break; |
531 | } |
532 | default: |
533 | realm.clear(); |
534 | challenge = QByteArray(); |
535 | phase = Invalid; |
536 | } |
537 | } |
538 | |
539 | QByteArray QAuthenticatorPrivate::calculateResponse(const QByteArray &requestMethod, const QByteArray &path, const QString& host) |
540 | { |
541 | #if !QT_CONFIG(sspi) && !QT_CONFIG(gssapi) |
542 | Q_UNUSED(host); |
543 | #endif |
544 | QByteArray response; |
545 | const char* methodString = nullptr; |
546 | switch(method) { |
547 | case QAuthenticatorPrivate::None: |
548 | methodString = "" ; |
549 | phase = Done; |
550 | break; |
551 | case QAuthenticatorPrivate::Basic: |
552 | methodString = "Basic" ; |
553 | response = user.toLatin1() + ':' + password.toLatin1(); |
554 | response = response.toBase64(); |
555 | phase = Done; |
556 | break; |
557 | case QAuthenticatorPrivate::DigestMd5: |
558 | methodString = "Digest" ; |
559 | response = digestMd5Response(challenge, method: requestMethod, path); |
560 | phase = Done; |
561 | break; |
562 | case QAuthenticatorPrivate::Ntlm: |
563 | methodString = "NTLM" ; |
564 | if (challenge.isEmpty()) { |
565 | #if QT_CONFIG(sspi) // SSPI |
566 | QByteArray phase1Token; |
567 | if (user.isEmpty()) { // Only pull from system if no user was specified in authenticator |
568 | phase1Token = qSspiStartup(this, method, host); |
569 | } else if (!q_SSPI_library_load()) { |
570 | // Since we're not running qSspiStartup we have to make sure the library is loaded |
571 | qWarning("Failed to load the SSPI libraries" ); |
572 | return "" ; |
573 | } |
574 | if (!phase1Token.isEmpty()) { |
575 | response = phase1Token.toBase64(); |
576 | phase = Phase2; |
577 | } else |
578 | #endif |
579 | { |
580 | response = qNtlmPhase1().toBase64(); |
581 | if (user.isEmpty()) |
582 | phase = Done; |
583 | else |
584 | phase = Phase2; |
585 | } |
586 | } else { |
587 | #if QT_CONFIG(sspi) // SSPI |
588 | QByteArray phase3Token; |
589 | if (sspiWindowsHandles) |
590 | phase3Token = qSspiContinue(this, method, host, QByteArray::fromBase64(challenge)); |
591 | if (!phase3Token.isEmpty()) { |
592 | response = phase3Token.toBase64(); |
593 | phase = Done; |
594 | } else |
595 | #endif |
596 | { |
597 | response = qNtlmPhase3(ctx: this, phase2data: QByteArray::fromBase64(base64: challenge)).toBase64(); |
598 | phase = Done; |
599 | } |
600 | challenge = "" ; |
601 | } |
602 | |
603 | break; |
604 | case QAuthenticatorPrivate::Negotiate: |
605 | methodString = "Negotiate" ; |
606 | if (challenge.isEmpty()) { |
607 | QByteArray phase1Token; |
608 | #if QT_CONFIG(sspi) // SSPI |
609 | phase1Token = qSspiStartup(this, method, host); |
610 | #elif QT_CONFIG(gssapi) // GSSAPI |
611 | phase1Token = qGssapiStartup(this, host); |
612 | #endif |
613 | |
614 | if (!phase1Token.isEmpty()) { |
615 | response = phase1Token.toBase64(); |
616 | phase = Phase2; |
617 | } else { |
618 | phase = Done; |
619 | return "" ; |
620 | } |
621 | } else { |
622 | QByteArray phase3Token; |
623 | #if QT_CONFIG(sspi) // SSPI |
624 | phase3Token = qSspiContinue(this, method, host, QByteArray::fromBase64(challenge)); |
625 | #elif QT_CONFIG(gssapi) // GSSAPI |
626 | phase3Token = qGssapiContinue(this, QByteArray::fromBase64(challenge)); |
627 | #endif |
628 | if (!phase3Token.isEmpty()) { |
629 | response = phase3Token.toBase64(); |
630 | phase = Done; |
631 | challenge = "" ; |
632 | } else { |
633 | phase = Done; |
634 | return "" ; |
635 | } |
636 | } |
637 | |
638 | break; |
639 | } |
640 | |
641 | return QByteArray::fromRawData(methodString, size: qstrlen(str: methodString)) + ' ' + response; |
642 | } |
643 | |
644 | |
645 | // ---------------------------- Digest Md5 code ---------------------------------------- |
646 | |
647 | QHash<QByteArray, QByteArray> QAuthenticatorPrivate::parseDigestAuthenticationChallenge(const QByteArray &challenge) |
648 | { |
649 | QHash<QByteArray, QByteArray> options; |
650 | // parse the challenge |
651 | const char *d = challenge.constData(); |
652 | const char *end = d + challenge.length(); |
653 | while (d < end) { |
654 | while (d < end && (*d == ' ' || *d == '\n' || *d == '\r')) |
655 | ++d; |
656 | const char *start = d; |
657 | while (d < end && *d != '=') |
658 | ++d; |
659 | QByteArray key = QByteArray(start, d - start); |
660 | ++d; |
661 | if (d >= end) |
662 | break; |
663 | bool quote = (*d == '"'); |
664 | if (quote) |
665 | ++d; |
666 | if (d >= end) |
667 | break; |
668 | start = d; |
669 | QByteArray value; |
670 | while (d < end) { |
671 | bool backslash = false; |
672 | if (*d == '\\' && d < end - 1) { |
673 | ++d; |
674 | backslash = true; |
675 | } |
676 | if (!backslash) { |
677 | if (quote) { |
678 | if (*d == '"') |
679 | break; |
680 | } else { |
681 | if (*d == ',') |
682 | break; |
683 | } |
684 | } |
685 | value += *d; |
686 | ++d; |
687 | } |
688 | while (d < end && *d != ',') |
689 | ++d; |
690 | ++d; |
691 | options[key] = value; |
692 | } |
693 | |
694 | QByteArray qop = options.value(akey: "qop" ); |
695 | if (!qop.isEmpty()) { |
696 | QList<QByteArray> qopoptions = qop.split(sep: ','); |
697 | if (!qopoptions.contains(t: "auth" )) |
698 | return QHash<QByteArray, QByteArray>(); |
699 | // #### can't do auth-int currently |
700 | // if (qop.contains("auth-int")) |
701 | // qop = "auth-int"; |
702 | // else if (qop.contains("auth")) |
703 | // qop = "auth"; |
704 | // else |
705 | // qop = QByteArray(); |
706 | options["qop" ] = "auth" ; |
707 | } |
708 | |
709 | return options; |
710 | } |
711 | |
712 | /* |
713 | Digest MD5 implementation |
714 | |
715 | Code taken from RFC 2617 |
716 | |
717 | Currently we don't support the full SASL authentication mechanism (which includes cyphers) |
718 | */ |
719 | |
720 | |
721 | /* calculate request-digest/response-digest as per HTTP Digest spec */ |
722 | static QByteArray digestMd5ResponseHelper( |
723 | const QByteArray &alg, |
724 | const QByteArray &userName, |
725 | const QByteArray &realm, |
726 | const QByteArray &password, |
727 | const QByteArray &nonce, /* nonce from server */ |
728 | const QByteArray &nonceCount, /* 8 hex digits */ |
729 | const QByteArray &cNonce, /* client nonce */ |
730 | const QByteArray &qop, /* qop-value: "", "auth", "auth-int" */ |
731 | const QByteArray &method, /* method from the request */ |
732 | const QByteArray &digestUri, /* requested URL */ |
733 | const QByteArray &hEntity /* H(entity body) if qop="auth-int" */ |
734 | ) |
735 | { |
736 | QCryptographicHash hash(QCryptographicHash::Md5); |
737 | hash.addData(data: userName); |
738 | hash.addData(data: ":" , length: 1); |
739 | hash.addData(data: realm); |
740 | hash.addData(data: ":" , length: 1); |
741 | hash.addData(data: password); |
742 | QByteArray ha1 = hash.result(); |
743 | if (alg.compare(c: "md5-sess" , cs: Qt::CaseInsensitive) == 0) { |
744 | hash.reset(); |
745 | // RFC 2617 contains an error, it was: |
746 | // hash.addData(ha1); |
747 | // but according to the errata page at http://www.rfc-editor.org/errata_list.php, ID 1649, it |
748 | // must be the following line: |
749 | hash.addData(data: ha1.toHex()); |
750 | hash.addData(data: ":" , length: 1); |
751 | hash.addData(data: nonce); |
752 | hash.addData(data: ":" , length: 1); |
753 | hash.addData(data: cNonce); |
754 | ha1 = hash.result(); |
755 | }; |
756 | ha1 = ha1.toHex(); |
757 | |
758 | // calculate H(A2) |
759 | hash.reset(); |
760 | hash.addData(data: method); |
761 | hash.addData(data: ":" , length: 1); |
762 | hash.addData(data: digestUri); |
763 | if (qop.compare(c: "auth-int" , cs: Qt::CaseInsensitive) == 0) { |
764 | hash.addData(data: ":" , length: 1); |
765 | hash.addData(data: hEntity); |
766 | } |
767 | QByteArray ha2hex = hash.result().toHex(); |
768 | |
769 | // calculate response |
770 | hash.reset(); |
771 | hash.addData(data: ha1); |
772 | hash.addData(data: ":" , length: 1); |
773 | hash.addData(data: nonce); |
774 | hash.addData(data: ":" , length: 1); |
775 | if (!qop.isNull()) { |
776 | hash.addData(data: nonceCount); |
777 | hash.addData(data: ":" , length: 1); |
778 | hash.addData(data: cNonce); |
779 | hash.addData(data: ":" , length: 1); |
780 | hash.addData(data: qop); |
781 | hash.addData(data: ":" , length: 1); |
782 | } |
783 | hash.addData(data: ha2hex); |
784 | return hash.result().toHex(); |
785 | } |
786 | |
787 | QByteArray QAuthenticatorPrivate::digestMd5Response(const QByteArray &challenge, const QByteArray &method, const QByteArray &path) |
788 | { |
789 | QHash<QByteArray,QByteArray> options = parseDigestAuthenticationChallenge(challenge); |
790 | |
791 | ++nonceCount; |
792 | QByteArray nonceCountString = QByteArray::number(nonceCount, base: 16); |
793 | while (nonceCountString.length() < 8) |
794 | nonceCountString.prepend(c: '0'); |
795 | |
796 | QByteArray nonce = options.value(akey: "nonce" ); |
797 | QByteArray opaque = options.value(akey: "opaque" ); |
798 | QByteArray qop = options.value(akey: "qop" ); |
799 | |
800 | // qDebug() << "calculating digest: method=" << method << "path=" << path; |
801 | QByteArray response = digestMd5ResponseHelper(alg: options.value(akey: "algorithm" ), userName: user.toLatin1(), |
802 | realm: realm.toLatin1(), password: password.toLatin1(), |
803 | nonce, nonceCount: nonceCountString, |
804 | cNonce: cnonce, qop, method, |
805 | digestUri: path, hEntity: QByteArray()); |
806 | |
807 | |
808 | QByteArray credentials; |
809 | credentials += "username=\"" + user.toLatin1() + "\", " ; |
810 | credentials += "realm=\"" + realm.toLatin1() + "\", " ; |
811 | credentials += "nonce=\"" + nonce + "\", " ; |
812 | credentials += "uri=\"" + path + "\", " ; |
813 | if (!opaque.isEmpty()) |
814 | credentials += "opaque=\"" + opaque + "\", " ; |
815 | credentials += "response=\"" + response + '"'; |
816 | if (!options.value(akey: "algorithm" ).isEmpty()) |
817 | credentials += ", algorithm=" + options.value(akey: "algorithm" ); |
818 | if (!options.value(akey: "qop" ).isEmpty()) { |
819 | credentials += ", qop=" + qop + ", " ; |
820 | credentials += "nc=" + nonceCountString + ", " ; |
821 | credentials += "cnonce=\"" + cnonce + '"'; |
822 | } |
823 | |
824 | return credentials; |
825 | } |
826 | |
827 | // ---------------------------- End of Digest Md5 code --------------------------------- |
828 | |
829 | |
830 | // ---------------------------- NTLM code ---------------------------------------------- |
831 | |
832 | /* |
833 | * NTLM message flags. |
834 | * |
835 | * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru> |
836 | * |
837 | * This software is released under the MIT license. |
838 | */ |
839 | |
840 | /* |
841 | * Indicates that Unicode strings are supported for use in security |
842 | * buffer data. |
843 | */ |
844 | #define NTLMSSP_NEGOTIATE_UNICODE 0x00000001 |
845 | |
846 | /* |
847 | * Indicates that OEM strings are supported for use in security buffer data. |
848 | */ |
849 | #define NTLMSSP_NEGOTIATE_OEM 0x00000002 |
850 | |
851 | /* |
852 | * Requests that the server's authentication realm be included in the |
853 | * Type 2 message. |
854 | */ |
855 | #define NTLMSSP_REQUEST_TARGET 0x00000004 |
856 | |
857 | /* |
858 | * Specifies that authenticated communication between the client and server |
859 | * should carry a digital signature (message integrity). |
860 | */ |
861 | #define NTLMSSP_NEGOTIATE_SIGN 0x00000010 |
862 | |
863 | /* |
864 | * Specifies that authenticated communication between the client and server |
865 | * should be encrypted (message confidentiality). |
866 | */ |
867 | #define NTLMSSP_NEGOTIATE_SEAL 0x00000020 |
868 | |
869 | /* |
870 | * Indicates that datagram authentication is being used. |
871 | */ |
872 | #define NTLMSSP_NEGOTIATE_DATAGRAM 0x00000040 |
873 | |
874 | /* |
875 | * Indicates that the LAN Manager session key should be |
876 | * used for signing and sealing authenticated communications. |
877 | */ |
878 | #define NTLMSSP_NEGOTIATE_LM_KEY 0x00000080 |
879 | |
880 | /* |
881 | * Indicates that NTLM authentication is being used. |
882 | */ |
883 | #define NTLMSSP_NEGOTIATE_NTLM 0x00000200 |
884 | |
885 | /* |
886 | * Sent by the client in the Type 1 message to indicate that the name of the |
887 | * domain in which the client workstation has membership is included in the |
888 | * message. This is used by the server to determine whether the client is |
889 | * eligible for local authentication. |
890 | */ |
891 | #define NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED 0x00001000 |
892 | |
893 | /* |
894 | * Sent by the client in the Type 1 message to indicate that the client |
895 | * workstation's name is included in the message. This is used by the server |
896 | * to determine whether the client is eligible for local authentication. |
897 | */ |
898 | #define NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED 0x00002000 |
899 | |
900 | /* |
901 | * Sent by the server to indicate that the server and client are on the same |
902 | * machine. Implies that the client may use the established local credentials |
903 | * for authentication instead of calculating a response to the challenge. |
904 | */ |
905 | #define NTLMSSP_NEGOTIATE_LOCAL_CALL 0x00004000 |
906 | |
907 | /* |
908 | * Indicates that authenticated communication between the client and server |
909 | * should be signed with a "dummy" signature. |
910 | */ |
911 | #define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x00008000 |
912 | |
913 | /* |
914 | * Sent by the server in the Type 2 message to indicate that the target |
915 | * authentication realm is a domain. |
916 | */ |
917 | #define NTLMSSP_TARGET_TYPE_DOMAIN 0x00010000 |
918 | |
919 | /* |
920 | * Sent by the server in the Type 2 message to indicate that the target |
921 | * authentication realm is a server. |
922 | */ |
923 | #define NTLMSSP_TARGET_TYPE_SERVER 0x00020000 |
924 | |
925 | /* |
926 | * Sent by the server in the Type 2 message to indicate that the target |
927 | * authentication realm is a share. Presumably, this is for share-level |
928 | * authentication. Usage is unclear. |
929 | */ |
930 | #define NTLMSSP_TARGET_TYPE_SHARE 0x00040000 |
931 | |
932 | /* |
933 | * Indicates that the NTLM2 signing and sealing scheme should be used for |
934 | * protecting authenticated communications. Note that this refers to a |
935 | * particular session security scheme, and is not related to the use of |
936 | * NTLMv2 authentication. |
937 | */ |
938 | #define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 |
939 | |
940 | /* |
941 | * Sent by the server in the Type 2 message to indicate that it is including |
942 | * a Target Information block in the message. The Target Information block |
943 | * is used in the calculation of the NTLMv2 response. |
944 | */ |
945 | #define NTLMSSP_NEGOTIATE_TARGET_INFO 0x00800000 |
946 | |
947 | /* |
948 | * Indicates that 128-bit encryption is supported. |
949 | */ |
950 | #define NTLMSSP_NEGOTIATE_128 0x20000000 |
951 | |
952 | /* |
953 | * Indicates that the client will provide an encrypted master session key in |
954 | * the "Session Key" field of the Type 3 message. This is used in signing and |
955 | * sealing, and is RC4-encrypted using the previous session key as the |
956 | * encryption key. |
957 | */ |
958 | #define NTLMSSP_NEGOTIATE_KEY_EXCHANGE 0x40000000 |
959 | |
960 | /* |
961 | * Indicates that 56-bit encryption is supported. |
962 | */ |
963 | #define NTLMSSP_NEGOTIATE_56 0x80000000 |
964 | |
965 | /* |
966 | * AvId values |
967 | */ |
968 | #define AVTIMESTAMP 7 |
969 | |
970 | |
971 | //************************Global variables*************************** |
972 | |
973 | const int blockSize = 64; //As per RFC2104 Block-size is 512 bits |
974 | const quint8 respversion = 1; |
975 | const quint8 hirespversion = 1; |
976 | |
977 | /* usage: |
978 | // fill up ctx with what we know. |
979 | QByteArray response = qNtlmPhase1(ctx); |
980 | // send response (b64 encoded??) |
981 | // get response from server (b64 decode?) |
982 | Phase2Block pb; |
983 | qNtlmDecodePhase2(response, pb); |
984 | response = qNtlmPhase3(ctx, pb); |
985 | // send response (b64 encoded??) |
986 | */ |
987 | |
988 | /* |
989 | TODO: |
990 | - Fix unicode handling |
991 | - add v2 handling |
992 | */ |
993 | |
994 | class QNtlmBuffer { |
995 | public: |
996 | QNtlmBuffer() : len(0), maxLen(0), offset(0) {} |
997 | quint16 len; |
998 | quint16 maxLen; |
999 | quint32 offset; |
1000 | enum { Size = 8 }; |
1001 | }; |
1002 | |
1003 | class QNtlmPhase1BlockBase |
1004 | { |
1005 | public: |
1006 | char magic[8]; |
1007 | quint32 type; |
1008 | quint32 flags; |
1009 | QNtlmBuffer domain; |
1010 | QNtlmBuffer workstation; |
1011 | enum { Size = 32 }; |
1012 | }; |
1013 | |
1014 | // ################# check paddings |
1015 | class QNtlmPhase2BlockBase |
1016 | { |
1017 | public: |
1018 | char magic[8]; |
1019 | quint32 type; |
1020 | QNtlmBuffer targetName; |
1021 | quint32 flags; |
1022 | unsigned char challenge[8]; |
1023 | quint32 context[2]; |
1024 | QNtlmBuffer targetInfo; |
1025 | enum { Size = 48 }; |
1026 | }; |
1027 | |
1028 | class QNtlmPhase3BlockBase { |
1029 | public: |
1030 | char magic[8]; |
1031 | quint32 type; |
1032 | QNtlmBuffer lmResponse; |
1033 | QNtlmBuffer ntlmResponse; |
1034 | QNtlmBuffer domain; |
1035 | QNtlmBuffer user; |
1036 | QNtlmBuffer workstation; |
1037 | QNtlmBuffer sessionKey; |
1038 | quint32 flags; |
1039 | enum { Size = 64 }; |
1040 | }; |
1041 | |
1042 | static void qStreamNtlmBuffer(QDataStream& ds, const QByteArray& s) |
1043 | { |
1044 | ds.writeRawData(s.constData(), len: s.size()); |
1045 | } |
1046 | |
1047 | |
1048 | static void qStreamNtlmString(QDataStream& ds, const QString& s, bool unicode) |
1049 | { |
1050 | if (!unicode) { |
1051 | qStreamNtlmBuffer(ds, s: s.toLatin1()); |
1052 | return; |
1053 | } |
1054 | const ushort *d = s.utf16(); |
1055 | for (int i = 0; i < s.length(); ++i) |
1056 | ds << d[i]; |
1057 | } |
1058 | |
1059 | |
1060 | |
1061 | static int qEncodeNtlmBuffer(QNtlmBuffer& buf, int offset, const QByteArray& s) |
1062 | { |
1063 | buf.len = s.size(); |
1064 | buf.maxLen = buf.len; |
1065 | buf.offset = (offset + 1) & ~1; |
1066 | return buf.offset + buf.len; |
1067 | } |
1068 | |
1069 | |
1070 | static int qEncodeNtlmString(QNtlmBuffer& buf, int offset, const QString& s, bool unicode) |
1071 | { |
1072 | if (!unicode) |
1073 | return qEncodeNtlmBuffer(buf, offset, s: s.toLatin1()); |
1074 | buf.len = 2 * s.length(); |
1075 | buf.maxLen = buf.len; |
1076 | buf.offset = (offset + 1) & ~1; |
1077 | return buf.offset + buf.len; |
1078 | } |
1079 | |
1080 | |
1081 | static QDataStream& operator<<(QDataStream& s, const QNtlmBuffer& b) |
1082 | { |
1083 | s << b.len << b.maxLen << b.offset; |
1084 | return s; |
1085 | } |
1086 | |
1087 | static QDataStream& operator>>(QDataStream& s, QNtlmBuffer& b) |
1088 | { |
1089 | s >> b.len >> b.maxLen >> b.offset; |
1090 | return s; |
1091 | } |
1092 | |
1093 | |
1094 | class QNtlmPhase1Block : public QNtlmPhase1BlockBase |
1095 | { // request |
1096 | public: |
1097 | QNtlmPhase1Block() { |
1098 | qstrncpy(dst: magic, src: "NTLMSSP" , len: 8); |
1099 | type = 1; |
1100 | flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_NTLM2; |
1101 | } |
1102 | |
1103 | // extracted |
1104 | QString domainStr, workstationStr; |
1105 | }; |
1106 | |
1107 | |
1108 | class QNtlmPhase2Block : public QNtlmPhase2BlockBase |
1109 | { // challenge |
1110 | public: |
1111 | QNtlmPhase2Block() { |
1112 | magic[0] = 0; |
1113 | type = 0xffffffff; |
1114 | } |
1115 | |
1116 | // extracted |
1117 | QString targetNameStr, targetInfoStr; |
1118 | QByteArray targetInfoBuff; |
1119 | }; |
1120 | |
1121 | |
1122 | |
1123 | class QNtlmPhase3Block : public QNtlmPhase3BlockBase { // response |
1124 | public: |
1125 | QNtlmPhase3Block() { |
1126 | qstrncpy(dst: magic, src: "NTLMSSP" , len: 8); |
1127 | type = 3; |
1128 | flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_TARGET_INFO; |
1129 | } |
1130 | |
1131 | // extracted |
1132 | QByteArray lmResponseBuf, ntlmResponseBuf; |
1133 | QString domainStr, userStr, workstationStr, sessionKeyStr; |
1134 | QByteArray v2Hash; |
1135 | }; |
1136 | |
1137 | |
1138 | static QDataStream& operator<<(QDataStream& s, const QNtlmPhase1Block& b) { |
1139 | bool unicode = (b.flags & NTLMSSP_NEGOTIATE_UNICODE); |
1140 | |
1141 | s.writeRawData(b.magic, len: sizeof(b.magic)); |
1142 | s << b.type; |
1143 | s << b.flags; |
1144 | s << b.domain; |
1145 | s << b.workstation; |
1146 | if (!b.domainStr.isEmpty()) |
1147 | qStreamNtlmString(ds&: s, s: b.domainStr, unicode); |
1148 | if (!b.workstationStr.isEmpty()) |
1149 | qStreamNtlmString(ds&: s, s: b.workstationStr, unicode); |
1150 | return s; |
1151 | } |
1152 | |
1153 | |
1154 | static QDataStream& operator<<(QDataStream& s, const QNtlmPhase3Block& b) { |
1155 | bool unicode = (b.flags & NTLMSSP_NEGOTIATE_UNICODE); |
1156 | s.writeRawData(b.magic, len: sizeof(b.magic)); |
1157 | s << b.type; |
1158 | s << b.lmResponse; |
1159 | s << b.ntlmResponse; |
1160 | s << b.domain; |
1161 | s << b.user; |
1162 | s << b.workstation; |
1163 | s << b.sessionKey; |
1164 | s << b.flags; |
1165 | |
1166 | if (!b.domainStr.isEmpty()) |
1167 | qStreamNtlmString(ds&: s, s: b.domainStr, unicode); |
1168 | |
1169 | qStreamNtlmString(ds&: s, s: b.userStr, unicode); |
1170 | |
1171 | if (!b.workstationStr.isEmpty()) |
1172 | qStreamNtlmString(ds&: s, s: b.workstationStr, unicode); |
1173 | |
1174 | // Send auth info |
1175 | qStreamNtlmBuffer(ds&: s, s: b.lmResponseBuf); |
1176 | qStreamNtlmBuffer(ds&: s, s: b.ntlmResponseBuf); |
1177 | |
1178 | |
1179 | return s; |
1180 | } |
1181 | |
1182 | |
1183 | static QByteArray qNtlmPhase1() |
1184 | { |
1185 | QByteArray rc; |
1186 | QDataStream ds(&rc, QIODevice::WriteOnly); |
1187 | ds.setByteOrder(QDataStream::LittleEndian); |
1188 | QNtlmPhase1Block pb; |
1189 | ds << pb; |
1190 | return rc; |
1191 | } |
1192 | |
1193 | |
1194 | static QByteArray qStringAsUcs2Le(const QString& src) |
1195 | { |
1196 | QByteArray rc(2*src.length(), 0); |
1197 | const unsigned short *s = src.utf16(); |
1198 | unsigned short *d = (unsigned short*)rc.data(); |
1199 | for (int i = 0; i < src.length(); ++i) { |
1200 | d[i] = qToLittleEndian(source: s[i]); |
1201 | } |
1202 | return rc; |
1203 | } |
1204 | |
1205 | |
1206 | static QString qStringFromUcs2Le(QByteArray src) |
1207 | { |
1208 | Q_ASSERT(src.size() % 2 == 0); |
1209 | unsigned short *d = (unsigned short*)src.data(); |
1210 | for (int i = 0; i < src.length() / 2; ++i) { |
1211 | d[i] = qFromLittleEndian(source: d[i]); |
1212 | } |
1213 | return QString((const QChar *)src.data(), src.size()/2); |
1214 | } |
1215 | |
1216 | |
1217 | /********************************************************************* |
1218 | * Function Name: qEncodeHmacMd5 |
1219 | * Params: |
1220 | * key: Type - QByteArray |
1221 | * - It is the Authentication key |
1222 | * message: Type - QByteArray |
1223 | * - This is the actual message which will be encoded |
1224 | * using HMacMd5 hash algorithm |
1225 | * |
1226 | * Return Value: |
1227 | * hmacDigest: Type - QByteArray |
1228 | * |
1229 | * Description: |
1230 | * This function will be used to encode the input message using |
1231 | * HMacMd5 hash algorithm. |
1232 | * |
1233 | * As per the RFC2104 the HMacMd5 algorithm can be specified |
1234 | * --------------------------------------- |
1235 | * MD5(K XOR opad, MD5(K XOR ipad, text)) |
1236 | * --------------------------------------- |
1237 | * |
1238 | *********************************************************************/ |
1239 | QByteArray qEncodeHmacMd5(QByteArray &key, const QByteArray &message) |
1240 | { |
1241 | Q_ASSERT_X(!(message.isEmpty()),"qEncodeHmacMd5" , "Empty message check" ); |
1242 | Q_ASSERT_X(!(key.isEmpty()),"qEncodeHmacMd5" , "Empty key check" ); |
1243 | |
1244 | QCryptographicHash hash(QCryptographicHash::Md5); |
1245 | QByteArray hMsg; |
1246 | |
1247 | QByteArray iKeyPad(blockSize, 0x36); |
1248 | QByteArray oKeyPad(blockSize, 0x5c); |
1249 | |
1250 | hash.reset(); |
1251 | // Adjust the key length to blockSize |
1252 | |
1253 | if(blockSize < key.length()) { |
1254 | hash.addData(data: key); |
1255 | key = hash.result(); //MD5 will always return 16 bytes length output |
1256 | } |
1257 | |
1258 | //Key will be <= 16 or 20 bytes as hash function (MD5 or SHA hash algorithms) |
1259 | //key size can be max of Block size only |
1260 | key = key.leftJustified(width: blockSize,fill: 0,truncate: true); |
1261 | |
1262 | //iKeyPad, oKeyPad and key are all of same size "blockSize" |
1263 | |
1264 | //xor of iKeyPad with Key and store the result into iKeyPad |
1265 | for(int i = 0; i<key.size();i++) { |
1266 | iKeyPad[i] = key[i]^iKeyPad[i]; |
1267 | } |
1268 | |
1269 | //xor of oKeyPad with Key and store the result into oKeyPad |
1270 | for(int i = 0; i<key.size();i++) { |
1271 | oKeyPad[i] = key[i]^oKeyPad[i]; |
1272 | } |
1273 | |
1274 | iKeyPad.append(a: message); // (K0 xor ipad) || text |
1275 | |
1276 | hash.reset(); |
1277 | hash.addData(data: iKeyPad); |
1278 | hMsg = hash.result(); |
1279 | //Digest gen after pass-1: H((K0 xor ipad)||text) |
1280 | |
1281 | QByteArray hmacDigest; |
1282 | oKeyPad.append(a: hMsg); |
1283 | hash.reset(); |
1284 | hash.addData(data: oKeyPad); |
1285 | hmacDigest = hash.result(); |
1286 | // H((K0 xor opad )|| H((K0 xor ipad) || text)) |
1287 | |
1288 | /*hmacDigest should not be less than half the length of the HMAC output |
1289 | (to match the birthday attack bound) and not less than 80 bits |
1290 | (a suitable lower bound on the number of bits that need to be |
1291 | predicted by an attacker). |
1292 | Refer RFC 2104 for more details on truncation part */ |
1293 | |
1294 | /*MD5 hash always returns 16 byte digest only and HMAC-MD5 spec |
1295 | (RFC 2104) also says digest length should be 16 bytes*/ |
1296 | return hmacDigest; |
1297 | } |
1298 | |
1299 | static QByteArray qCreatev2Hash(const QAuthenticatorPrivate *ctx, |
1300 | QNtlmPhase3Block *phase3) |
1301 | { |
1302 | Q_ASSERT(phase3 != nullptr); |
1303 | // since v2 Hash is need for both NTLMv2 and LMv2 it is calculated |
1304 | // only once and stored and reused |
1305 | if(phase3->v2Hash.size() == 0) { |
1306 | QCryptographicHash md4(QCryptographicHash::Md4); |
1307 | QByteArray passUnicode = qStringAsUcs2Le(src: ctx->password); |
1308 | md4.addData(data: passUnicode.data(), length: passUnicode.size()); |
1309 | |
1310 | QByteArray hashKey = md4.result(); |
1311 | Q_ASSERT(hashKey.size() == 16); |
1312 | // Assuming the user and domain is always unicode in challenge |
1313 | QByteArray message = |
1314 | qStringAsUcs2Le(src: ctx->extractedUser.toUpper()) + |
1315 | qStringAsUcs2Le(src: phase3->domainStr); |
1316 | |
1317 | phase3->v2Hash = qEncodeHmacMd5(key&: hashKey, message); |
1318 | } |
1319 | return phase3->v2Hash; |
1320 | } |
1321 | |
1322 | static QByteArray clientChallenge(const QAuthenticatorPrivate *ctx) |
1323 | { |
1324 | Q_ASSERT(ctx->cnonce.size() >= 8); |
1325 | QByteArray clientCh = ctx->cnonce.right(len: 8); |
1326 | return clientCh; |
1327 | } |
1328 | |
1329 | // caller has to ensure a valid targetInfoBuff |
1330 | static QByteArray (const QByteArray& targetInfoBuff) |
1331 | { |
1332 | QByteArray timeArray; |
1333 | QDataStream ds(targetInfoBuff); |
1334 | ds.setByteOrder(QDataStream::LittleEndian); |
1335 | |
1336 | quint16 avId; |
1337 | quint16 avLen; |
1338 | |
1339 | ds >> avId; |
1340 | ds >> avLen; |
1341 | while(avId != 0) { |
1342 | if(avId == AVTIMESTAMP) { |
1343 | timeArray.resize(size: avLen); |
1344 | //avLen size of QByteArray is allocated |
1345 | ds.readRawData(timeArray.data(), len: avLen); |
1346 | break; |
1347 | } |
1348 | ds.skipRawData(len: avLen); |
1349 | ds >> avId; |
1350 | ds >> avLen; |
1351 | } |
1352 | return timeArray; |
1353 | } |
1354 | |
1355 | static QByteArray qEncodeNtlmv2Response(const QAuthenticatorPrivate *ctx, |
1356 | const QNtlmPhase2Block& ch, |
1357 | QNtlmPhase3Block *phase3) |
1358 | { |
1359 | Q_ASSERT(phase3 != nullptr); |
1360 | // return value stored in phase3 |
1361 | qCreatev2Hash(ctx, phase3); |
1362 | |
1363 | QByteArray temp; |
1364 | QDataStream ds(&temp, QIODevice::WriteOnly); |
1365 | ds.setByteOrder(QDataStream::LittleEndian); |
1366 | |
1367 | ds << respversion; |
1368 | ds << hirespversion; |
1369 | |
1370 | //Reserved |
1371 | QByteArray reserved1(6, 0); |
1372 | ds.writeRawData(reserved1.constData(), len: reserved1.size()); |
1373 | |
1374 | quint64 time = 0; |
1375 | QByteArray timeArray; |
1376 | |
1377 | if(ch.targetInfo.len) |
1378 | { |
1379 | timeArray = qExtractServerTime(targetInfoBuff: ch.targetInfoBuff); |
1380 | } |
1381 | |
1382 | //if server sends time, use it instead of current time |
1383 | if(timeArray.size()) { |
1384 | ds.writeRawData(timeArray.constData(), len: timeArray.size()); |
1385 | } else { |
1386 | // number of seconds between 1601 and the epoch (1970) |
1387 | // 369 years, 89 leap years |
1388 | // ((369 * 365) + 89) * 24 * 3600 = 11644473600 |
1389 | time = QDateTime::currentSecsSinceEpoch() + 11644473600; |
1390 | |
1391 | // represented as 100 nano seconds |
1392 | time = time * Q_UINT64_C(10000000); |
1393 | ds << time; |
1394 | } |
1395 | |
1396 | //8 byte client challenge |
1397 | QByteArray clientCh = clientChallenge(ctx); |
1398 | ds.writeRawData(clientCh.constData(), len: clientCh.size()); |
1399 | |
1400 | //Reserved |
1401 | QByteArray reserved2(4, 0); |
1402 | ds.writeRawData(reserved2.constData(), len: reserved2.size()); |
1403 | |
1404 | if (ch.targetInfo.len > 0) { |
1405 | ds.writeRawData(ch.targetInfoBuff.constData(), |
1406 | len: ch.targetInfoBuff.size()); |
1407 | } |
1408 | |
1409 | //Reserved |
1410 | QByteArray reserved3(4, 0); |
1411 | ds.writeRawData(reserved3.constData(), len: reserved3.size()); |
1412 | |
1413 | QByteArray message((const char*)ch.challenge, sizeof(ch.challenge)); |
1414 | message.append(a: temp); |
1415 | |
1416 | QByteArray ntChallengeResp = qEncodeHmacMd5(key&: phase3->v2Hash, message); |
1417 | ntChallengeResp.append(a: temp); |
1418 | |
1419 | return ntChallengeResp; |
1420 | } |
1421 | |
1422 | static QByteArray qEncodeLmv2Response(const QAuthenticatorPrivate *ctx, |
1423 | const QNtlmPhase2Block& ch, |
1424 | QNtlmPhase3Block *phase3) |
1425 | { |
1426 | Q_ASSERT(phase3 != nullptr); |
1427 | // return value stored in phase3 |
1428 | qCreatev2Hash(ctx, phase3); |
1429 | |
1430 | QByteArray message((const char*)ch.challenge, sizeof(ch.challenge)); |
1431 | QByteArray clientCh = clientChallenge(ctx); |
1432 | |
1433 | message.append(a: clientCh); |
1434 | |
1435 | QByteArray lmChallengeResp = qEncodeHmacMd5(key&: phase3->v2Hash, message); |
1436 | lmChallengeResp.append(a: clientCh); |
1437 | |
1438 | return lmChallengeResp; |
1439 | } |
1440 | |
1441 | static bool qNtlmDecodePhase2(const QByteArray& data, QNtlmPhase2Block& ch) |
1442 | { |
1443 | Q_ASSERT(QNtlmPhase2BlockBase::Size == sizeof(QNtlmPhase2BlockBase)); |
1444 | if (data.size() < QNtlmPhase2BlockBase::Size) |
1445 | return false; |
1446 | |
1447 | |
1448 | QDataStream ds(data); |
1449 | ds.setByteOrder(QDataStream::LittleEndian); |
1450 | if (ds.readRawData(ch.magic, len: 8) < 8) |
1451 | return false; |
1452 | if (strncmp(s1: ch.magic, s2: "NTLMSSP" , n: 8) != 0) |
1453 | return false; |
1454 | |
1455 | ds >> ch.type; |
1456 | if (ch.type != 2) |
1457 | return false; |
1458 | |
1459 | ds >> ch.targetName; |
1460 | ds >> ch.flags; |
1461 | if (ds.readRawData((char *)ch.challenge, len: 8) < 8) |
1462 | return false; |
1463 | ds >> ch.context[0] >> ch.context[1]; |
1464 | ds >> ch.targetInfo; |
1465 | |
1466 | if (ch.targetName.len > 0) { |
1467 | if (ch.targetName.len + ch.targetName.offset > (unsigned)data.size()) |
1468 | return false; |
1469 | |
1470 | ch.targetNameStr = qStringFromUcs2Le(src: data.mid(index: ch.targetName.offset, len: ch.targetName.len)); |
1471 | } |
1472 | |
1473 | if (ch.targetInfo.len > 0) { |
1474 | if (ch.targetInfo.len + ch.targetInfo.offset > (unsigned)data.size()) |
1475 | return false; |
1476 | |
1477 | ch.targetInfoBuff = data.mid(index: ch.targetInfo.offset, len: ch.targetInfo.len); |
1478 | } |
1479 | |
1480 | return true; |
1481 | } |
1482 | |
1483 | |
1484 | static QByteArray qNtlmPhase3(QAuthenticatorPrivate *ctx, const QByteArray& phase2data) |
1485 | { |
1486 | QNtlmPhase2Block ch; |
1487 | if (!qNtlmDecodePhase2(data: phase2data, ch)) |
1488 | return QByteArray(); |
1489 | |
1490 | QByteArray rc; |
1491 | QDataStream ds(&rc, QIODevice::WriteOnly); |
1492 | ds.setByteOrder(QDataStream::LittleEndian); |
1493 | QNtlmPhase3Block pb; |
1494 | |
1495 | // set NTLMv2 |
1496 | if (ch.flags & NTLMSSP_NEGOTIATE_NTLM2) |
1497 | pb.flags |= NTLMSSP_NEGOTIATE_NTLM2; |
1498 | |
1499 | // set Always Sign |
1500 | if (ch.flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) |
1501 | pb.flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; |
1502 | |
1503 | bool unicode = ch.flags & NTLMSSP_NEGOTIATE_UNICODE; |
1504 | |
1505 | if (unicode) |
1506 | pb.flags |= NTLMSSP_NEGOTIATE_UNICODE; |
1507 | else |
1508 | pb.flags |= NTLMSSP_NEGOTIATE_OEM; |
1509 | |
1510 | |
1511 | int offset = QNtlmPhase3BlockBase::Size; |
1512 | Q_ASSERT(QNtlmPhase3BlockBase::Size == sizeof(QNtlmPhase3BlockBase)); |
1513 | |
1514 | // for kerberos style user@domain logins, NTLM domain string should be left empty |
1515 | if (ctx->userDomain.isEmpty() && !ctx->extractedUser.contains(c: QLatin1Char('@'))) { |
1516 | offset = qEncodeNtlmString(buf&: pb.domain, offset, s: ch.targetNameStr, unicode); |
1517 | pb.domainStr = ch.targetNameStr; |
1518 | } else { |
1519 | offset = qEncodeNtlmString(buf&: pb.domain, offset, s: ctx->userDomain, unicode); |
1520 | pb.domainStr = ctx->userDomain; |
1521 | } |
1522 | |
1523 | offset = qEncodeNtlmString(buf&: pb.user, offset, s: ctx->extractedUser, unicode); |
1524 | pb.userStr = ctx->extractedUser; |
1525 | |
1526 | offset = qEncodeNtlmString(buf&: pb.workstation, offset, s: ctx->workstation, unicode); |
1527 | pb.workstationStr = ctx->workstation; |
1528 | |
1529 | // Get LM response |
1530 | if (ch.targetInfo.len > 0) { |
1531 | pb.lmResponseBuf = QByteArray(); |
1532 | } else { |
1533 | pb.lmResponseBuf = qEncodeLmv2Response(ctx, ch, phase3: &pb); |
1534 | } |
1535 | offset = qEncodeNtlmBuffer(buf&: pb.lmResponse, offset, s: pb.lmResponseBuf); |
1536 | |
1537 | // Get NTLM response |
1538 | pb.ntlmResponseBuf = qEncodeNtlmv2Response(ctx, ch, phase3: &pb); |
1539 | offset = qEncodeNtlmBuffer(buf&: pb.ntlmResponse, offset, s: pb.ntlmResponseBuf); |
1540 | |
1541 | |
1542 | // Encode and send |
1543 | ds << pb; |
1544 | |
1545 | return rc; |
1546 | } |
1547 | |
1548 | // ---------------------------- End of NTLM code --------------------------------------- |
1549 | |
1550 | #if QT_CONFIG(sspi) // SSPI |
1551 | // ---------------------------- SSPI code ---------------------------------------------- |
1552 | // See http://davenport.sourceforge.net/ntlm.html |
1553 | // and libcurl http_ntlm.c |
1554 | |
1555 | // Handle of secur32.dll |
1556 | static HMODULE securityDLLHandle = nullptr; |
1557 | // Pointer to SSPI dispatch table |
1558 | static PSecurityFunctionTable pSecurityFunctionTable = nullptr; |
1559 | |
1560 | static bool q_SSPI_library_load() |
1561 | { |
1562 | static QBasicMutex mutex; |
1563 | QMutexLocker l(&mutex); |
1564 | |
1565 | // Initialize security interface |
1566 | if (pSecurityFunctionTable == nullptr) { |
1567 | securityDLLHandle = QSystemLibrary::load(L"secur32" ); |
1568 | if (securityDLLHandle != nullptr) { |
1569 | INIT_SECURITY_INTERFACE pInitSecurityInterface = |
1570 | reinterpret_cast<INIT_SECURITY_INTERFACE>( |
1571 | reinterpret_cast<QFunctionPointer>(GetProcAddress(securityDLLHandle, "InitSecurityInterfaceW" ))); |
1572 | if (pInitSecurityInterface != nullptr) |
1573 | pSecurityFunctionTable = pInitSecurityInterface(); |
1574 | } |
1575 | } |
1576 | |
1577 | if (pSecurityFunctionTable == nullptr) |
1578 | return false; |
1579 | |
1580 | return true; |
1581 | } |
1582 | |
1583 | static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
1584 | const QString& host) |
1585 | { |
1586 | if (!q_SSPI_library_load()) |
1587 | return QByteArray(); |
1588 | |
1589 | TimeStamp expiry; // For Windows 9x compatibility of SSPI calls |
1590 | |
1591 | if (!ctx->sspiWindowsHandles) |
1592 | ctx->sspiWindowsHandles.reset(new QSSPIWindowsHandles); |
1593 | memset(&ctx->sspiWindowsHandles->credHandle, 0, sizeof(CredHandle)); |
1594 | |
1595 | SEC_WINNT_AUTH_IDENTITY auth; |
1596 | auth.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; |
1597 | bool useAuth = false; |
1598 | if (method == QAuthenticatorPrivate::Negotiate && !ctx->user.isEmpty()) { |
1599 | auth.Domain = const_cast<ushort *>(ctx->userDomain.utf16()); |
1600 | auth.DomainLength = ctx->userDomain.size(); |
1601 | auth.User = const_cast<ushort *>(ctx->user.utf16()); |
1602 | auth.UserLength = ctx->user.size(); |
1603 | auth.Password = const_cast<ushort *>(ctx->password.utf16()); |
1604 | auth.PasswordLength = ctx->password.size(); |
1605 | useAuth = true; |
1606 | } |
1607 | |
1608 | // Acquire our credentials handle |
1609 | SECURITY_STATUS secStatus = pSecurityFunctionTable->AcquireCredentialsHandle( |
1610 | nullptr, |
1611 | (SEC_WCHAR *)(method == QAuthenticatorPrivate::Negotiate ? L"Negotiate" : L"NTLM" ), |
1612 | SECPKG_CRED_OUTBOUND, nullptr, useAuth ? &auth : nullptr, nullptr, nullptr, |
1613 | &ctx->sspiWindowsHandles->credHandle, &expiry |
1614 | ); |
1615 | if (secStatus != SEC_E_OK) { |
1616 | ctx->sspiWindowsHandles.reset(nullptr); |
1617 | return QByteArray(); |
1618 | } |
1619 | |
1620 | return qSspiContinue(ctx, method, host); |
1621 | } |
1622 | |
1623 | static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
1624 | const QString &host, const QByteArray &challenge) |
1625 | { |
1626 | QByteArray result; |
1627 | SecBuffer challengeBuf; |
1628 | SecBuffer responseBuf; |
1629 | SecBufferDesc challengeDesc; |
1630 | SecBufferDesc responseDesc; |
1631 | unsigned long attrs; |
1632 | TimeStamp expiry; // For Windows 9x compatibility of SSPI calls |
1633 | |
1634 | if (!challenge.isEmpty()) |
1635 | { |
1636 | // Setup the challenge "input" security buffer |
1637 | challengeDesc.ulVersion = SECBUFFER_VERSION; |
1638 | challengeDesc.cBuffers = 1; |
1639 | challengeDesc.pBuffers = &challengeBuf; |
1640 | challengeBuf.BufferType = SECBUFFER_TOKEN; |
1641 | challengeBuf.pvBuffer = (PVOID)(challenge.data()); |
1642 | challengeBuf.cbBuffer = challenge.length(); |
1643 | } |
1644 | |
1645 | // Setup the response "output" security buffer |
1646 | responseDesc.ulVersion = SECBUFFER_VERSION; |
1647 | responseDesc.cBuffers = 1; |
1648 | responseDesc.pBuffers = &responseBuf; |
1649 | responseBuf.BufferType = SECBUFFER_TOKEN; |
1650 | responseBuf.pvBuffer = nullptr; |
1651 | responseBuf.cbBuffer = 0; |
1652 | |
1653 | // Calculate target (SPN for Negotiate, empty for NTLM) |
1654 | std::wstring targetNameW = (method == QAuthenticatorPrivate::Negotiate |
1655 | ? QLatin1String("HTTP/" ) + host : QString()).toStdWString(); |
1656 | |
1657 | // Generate our challenge-response message |
1658 | SECURITY_STATUS secStatus = pSecurityFunctionTable->InitializeSecurityContext( |
1659 | &ctx->sspiWindowsHandles->credHandle, |
1660 | !challenge.isEmpty() ? &ctx->sspiWindowsHandles->ctxHandle : nullptr, |
1661 | const_cast<wchar_t*>(targetNameW.data()), |
1662 | ISC_REQ_ALLOCATE_MEMORY, |
1663 | 0, SECURITY_NATIVE_DREP, |
1664 | !challenge.isEmpty() ? &challengeDesc : nullptr, |
1665 | 0, &ctx->sspiWindowsHandles->ctxHandle, |
1666 | &responseDesc, &attrs, |
1667 | &expiry |
1668 | ); |
1669 | |
1670 | if (secStatus == SEC_I_COMPLETE_NEEDED || secStatus == SEC_I_COMPLETE_AND_CONTINUE) { |
1671 | secStatus = pSecurityFunctionTable->CompleteAuthToken(&ctx->sspiWindowsHandles->ctxHandle, |
1672 | &responseDesc); |
1673 | } |
1674 | |
1675 | if (secStatus != SEC_I_COMPLETE_AND_CONTINUE && secStatus != SEC_I_CONTINUE_NEEDED) { |
1676 | pSecurityFunctionTable->FreeCredentialsHandle(&ctx->sspiWindowsHandles->credHandle); |
1677 | pSecurityFunctionTable->DeleteSecurityContext(&ctx->sspiWindowsHandles->ctxHandle); |
1678 | ctx->sspiWindowsHandles.reset(nullptr); |
1679 | } |
1680 | |
1681 | result = QByteArray((const char*)responseBuf.pvBuffer, responseBuf.cbBuffer); |
1682 | pSecurityFunctionTable->FreeContextBuffer(responseBuf.pvBuffer); |
1683 | |
1684 | return result; |
1685 | } |
1686 | |
1687 | // ---------------------------- End of SSPI code --------------------------------------- |
1688 | |
1689 | #elif QT_CONFIG(gssapi) // GSSAPI |
1690 | |
1691 | // ---------------------------- GSSAPI code ---------------------------------------------- |
1692 | // See postgres src/interfaces/libpq/fe-auth.c |
1693 | |
1694 | // Fetch all errors of a specific type |
1695 | static void q_GSSAPI_error_int(const char *message, OM_uint32 stat, int type) |
1696 | { |
1697 | OM_uint32 minStat, msgCtx = 0; |
1698 | gss_buffer_desc msg; |
1699 | |
1700 | do { |
1701 | gss_display_status(&minStat, stat, type, GSS_C_NO_OID, &msgCtx, &msg); |
1702 | qCDebug(lcAuthenticator) << message << ": " << reinterpret_cast<const char*>(msg.value); |
1703 | gss_release_buffer(&minStat, &msg); |
1704 | } while (msgCtx); |
1705 | } |
1706 | |
1707 | // GSSAPI errors contain two parts; extract both |
1708 | static void q_GSSAPI_error(const char *message, OM_uint32 majStat, OM_uint32 minStat) |
1709 | { |
1710 | // Fetch major error codes |
1711 | q_GSSAPI_error_int(message, majStat, GSS_C_GSS_CODE); |
1712 | |
1713 | // Add the minor codes as well |
1714 | q_GSSAPI_error_int(message, minStat, GSS_C_MECH_CODE); |
1715 | } |
1716 | |
1717 | static gss_name_t qGSsapiGetServiceName(const QString &host) |
1718 | { |
1719 | QByteArray serviceName = "HTTPS@" + host.toLocal8Bit(); |
1720 | gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()}; |
1721 | |
1722 | gss_name_t importedName; |
1723 | OM_uint32 minStat; |
1724 | OM_uint32 majStat = gss_import_name(&minStat, &nameDesc, |
1725 | GSS_C_NT_HOSTBASED_SERVICE, &importedName); |
1726 | |
1727 | if (majStat != GSS_S_COMPLETE) { |
1728 | q_GSSAPI_error("gss_import_name error" , majStat, minStat); |
1729 | return nullptr; |
1730 | } |
1731 | return importedName; |
1732 | } |
1733 | |
1734 | // Send initial GSS authentication token |
1735 | static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, const QString &host) |
1736 | { |
1737 | if (!ctx->gssApiHandles) |
1738 | ctx->gssApiHandles.reset(new QGssApiHandles); |
1739 | |
1740 | // Convert target name to internal form |
1741 | gss_name_t name = qGSsapiGetServiceName(host); |
1742 | if (name == nullptr) { |
1743 | ctx->gssApiHandles.reset(nullptr); |
1744 | return QByteArray(); |
1745 | } |
1746 | ctx->gssApiHandles->targetName = name; |
1747 | |
1748 | // Call qGssapiContinue with GSS_C_NO_CONTEXT to get initial packet |
1749 | ctx->gssApiHandles->gssCtx = GSS_C_NO_CONTEXT; |
1750 | return qGssapiContinue(ctx); |
1751 | } |
1752 | |
1753 | // Continue GSS authentication with next token as needed |
1754 | static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, const QByteArray& challenge) |
1755 | { |
1756 | OM_uint32 majStat, minStat, ignored; |
1757 | QByteArray result; |
1758 | gss_buffer_desc inBuf = {0, nullptr}; // GSS input token |
1759 | gss_buffer_desc outBuf; // GSS output token |
1760 | |
1761 | if (!challenge.isEmpty()) { |
1762 | inBuf.value = const_cast<char*>(challenge.data()); |
1763 | inBuf.length = challenge.length(); |
1764 | } |
1765 | |
1766 | majStat = gss_init_sec_context(&minStat, |
1767 | GSS_C_NO_CREDENTIAL, |
1768 | &ctx->gssApiHandles->gssCtx, |
1769 | ctx->gssApiHandles->targetName, |
1770 | GSS_C_NO_OID, |
1771 | GSS_C_MUTUAL_FLAG, |
1772 | 0, |
1773 | GSS_C_NO_CHANNEL_BINDINGS, |
1774 | challenge.isEmpty() ? GSS_C_NO_BUFFER : &inBuf, |
1775 | nullptr, |
1776 | &outBuf, |
1777 | nullptr, |
1778 | nullptr); |
1779 | |
1780 | if (outBuf.length != 0) |
1781 | result = QByteArray(reinterpret_cast<const char*>(outBuf.value), outBuf.length); |
1782 | gss_release_buffer(&ignored, &outBuf); |
1783 | |
1784 | if (majStat != GSS_S_COMPLETE && majStat != GSS_S_CONTINUE_NEEDED) { |
1785 | q_GSSAPI_error("gss_init_sec_context error" , majStat, minStat); |
1786 | gss_release_name(&ignored, &ctx->gssApiHandles->targetName); |
1787 | if (ctx->gssApiHandles->gssCtx) |
1788 | gss_delete_sec_context(&ignored, &ctx->gssApiHandles->gssCtx, GSS_C_NO_BUFFER); |
1789 | ctx->gssApiHandles.reset(nullptr); |
1790 | } |
1791 | |
1792 | if (majStat == GSS_S_COMPLETE) { |
1793 | gss_release_name(&ignored, &ctx->gssApiHandles->targetName); |
1794 | ctx->gssApiHandles.reset(nullptr); |
1795 | } |
1796 | |
1797 | return result; |
1798 | } |
1799 | |
1800 | static bool qGssapiTestGetCredentials(const QString &host) |
1801 | { |
1802 | gss_name_t serviceName = qGSsapiGetServiceName(host); |
1803 | if (!serviceName) |
1804 | return false; // Something was wrong with the service name, so skip this |
1805 | OM_uint32 minStat; |
1806 | gss_cred_id_t cred; |
1807 | OM_uint32 majStat = gss_acquire_cred(&minStat, serviceName, GSS_C_INDEFINITE, |
1808 | GSS_C_NO_OID_SET, GSS_C_INITIATE, &cred, nullptr, |
1809 | nullptr); |
1810 | |
1811 | OM_uint32 ignored; |
1812 | gss_release_name(&ignored, &serviceName); |
1813 | gss_release_cred(&ignored, &cred); |
1814 | |
1815 | if (majStat != GSS_S_COMPLETE) { |
1816 | q_GSSAPI_error("gss_acquire_cred" , majStat, minStat); |
1817 | return false; |
1818 | } |
1819 | return true; |
1820 | } |
1821 | |
1822 | // ---------------------------- End of GSSAPI code ---------------------------------------------- |
1823 | |
1824 | #endif // gssapi |
1825 | |
1826 | QT_END_NAMESPACE |
1827 | |