1 | // Copyright (C) 2016 The Qt Company Ltd. |
---|---|
2 | // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only |
3 | |
4 | #include <qauthenticator.h> |
5 | #include <qauthenticator_p.h> |
6 | #include <qdebug.h> |
7 | #include <qloggingcategory.h> |
8 | #include <qhash.h> |
9 | #include <qbytearray.h> |
10 | #include <qcryptographichash.h> |
11 | #include <qiodevice.h> |
12 | #include <qdatastream.h> |
13 | #include <qendian.h> |
14 | #include <qstring.h> |
15 | #include <qdatetime.h> |
16 | #include <qrandom.h> |
17 | #include <QtNetwork/qhttpheaders.h> |
18 | |
19 | #ifdef Q_OS_WIN |
20 | #include <qmutex.h> |
21 | #include <rpc.h> |
22 | #endif |
23 | |
24 | #if QT_CONFIG(sspi) // SSPI |
25 | #define SECURITY_WIN32 1 |
26 | #include <security.h> |
27 | #elif QT_CONFIG(gssapi) // GSSAPI |
28 | #if defined(Q_OS_DARWIN) |
29 | #include <GSS/GSS.h> |
30 | #else |
31 | #include <gssapi/gssapi.h> |
32 | #endif // Q_OS_DARWIN |
33 | #endif // Q_CONFIG(sspi) |
34 | |
35 | QT_BEGIN_NAMESPACE |
36 | |
37 | using namespace Qt::StringLiterals; |
38 | |
39 | Q_DECLARE_LOGGING_CATEGORY(lcAuthenticator); |
40 | Q_LOGGING_CATEGORY(lcAuthenticator, "qt.network.authenticator"); |
41 | |
42 | static QByteArray qNtlmPhase1(); |
43 | static QByteArray qNtlmPhase3(QAuthenticatorPrivate *ctx, const QByteArray& phase2data); |
44 | #if QT_CONFIG(sspi) // SSPI |
45 | static bool q_SSPI_library_load(); |
46 | static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
47 | QStringView host); |
48 | static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
49 | QStringView host, QByteArrayView challenge = {}); |
50 | #elif QT_CONFIG(gssapi) // GSSAPI |
51 | static bool qGssapiTestGetCredentials(QStringView host); |
52 | static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, QStringView host); |
53 | static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, QByteArrayView challenge = {}); |
54 | #endif // gssapi |
55 | |
56 | /*! |
57 | \class QAuthenticator |
58 | \brief The QAuthenticator class provides an authentication object. |
59 | \since 4.3 |
60 | |
61 | \reentrant |
62 | \ingroup network |
63 | \inmodule QtNetwork |
64 | |
65 | The QAuthenticator class is usually used in the |
66 | \l{QNetworkAccessManager::}{authenticationRequired()} and |
67 | \l{QNetworkAccessManager::}{proxyAuthenticationRequired()} signals of QNetworkAccessManager and |
68 | QAbstractSocket. The class provides a way to pass back the required |
69 | authentication information to the socket when accessing services that |
70 | require authentication. |
71 | |
72 | QAuthenticator supports the following authentication methods: |
73 | \list |
74 | \li Basic |
75 | \li NTLM version 2 |
76 | \li Digest-MD5 |
77 | \li SPNEGO/Negotiate |
78 | \endlist |
79 | |
80 | \target qauthenticator-options |
81 | \section1 Options |
82 | |
83 | In addition to the username and password required for authentication, a |
84 | QAuthenticator object can also contain additional options. The |
85 | options() function can be used to query incoming options sent by |
86 | the server; the setOption() function can |
87 | be used to set outgoing options, to be processed by the authenticator |
88 | calculation. The options accepted and provided depend on the authentication |
89 | type (see method()). |
90 | |
91 | The following tables list known incoming options as well as accepted |
92 | outgoing options. The list of incoming options is not exhaustive, since |
93 | servers may include additional information at any time. The list of |
94 | outgoing options is exhaustive, however, and no unknown options will be |
95 | treated or sent back to the server. |
96 | |
97 | \section2 Basic |
98 | |
99 | \table |
100 | \header \li Option \li Direction \li Type \li Description |
101 | \row \li \tt{realm} \li Incoming \li QString \li Contains the realm of the authentication, the same as realm() |
102 | \endtable |
103 | |
104 | The Basic authentication mechanism supports no outgoing options. |
105 | |
106 | \section2 NTLM version 2 |
107 | |
108 | The NTLM authentication mechanism currently supports no incoming or outgoing options. |
109 | On Windows, if no \a user has been set, domain\\user credentials will be searched for on the |
110 | local system to enable Single-Sign-On functionality. |
111 | |
112 | \section2 Digest-MD5 |
113 | |
114 | \table |
115 | \header \li Option \li Direction \li Type \li Description |
116 | \row \li \tt{realm} \li Incoming \li QString \li Contains the realm of the authentication, the same as realm() |
117 | \endtable |
118 | |
119 | The Digest-MD5 authentication mechanism supports no outgoing options. |
120 | |
121 | \section2 SPNEGO/Negotiate |
122 | |
123 | \table |
124 | \header |
125 | \li Option |
126 | \li Direction |
127 | \li Type |
128 | \li Description |
129 | \row |
130 | \li \tt{spn} |
131 | \li Outgoing |
132 | \li QString |
133 | \li Provides a custom SPN. |
134 | \endtable |
135 | |
136 | This authentication mechanism currently supports no incoming options. |
137 | |
138 | The \c{spn} property is used on Windows clients when an SSPI library is used. |
139 | If the property is not set, a default SPN will be used. The default SPN on |
140 | Windows is \c {HTTP/<hostname>}. |
141 | |
142 | Other operating systems use GSSAPI libraries. For that it is expected that |
143 | KDC is set up, and the credentials can be fetched from it. The backend always |
144 | uses \c {HTTPS@<hostname>} as an SPN. |
145 | |
146 | \sa QSslSocket |
147 | */ |
148 | |
149 | |
150 | /*! |
151 | Constructs an empty authentication object. |
152 | */ |
153 | QAuthenticator::QAuthenticator() |
154 | : d(nullptr) |
155 | { |
156 | } |
157 | |
158 | /*! |
159 | Destructs the object. |
160 | */ |
161 | QAuthenticator::~QAuthenticator() |
162 | { |
163 | if (d) |
164 | delete d; |
165 | } |
166 | |
167 | /*! |
168 | Constructs a copy of \a other. |
169 | */ |
170 | QAuthenticator::QAuthenticator(const QAuthenticator &other) |
171 | : d(nullptr) |
172 | { |
173 | if (other.d) |
174 | *this = other; |
175 | } |
176 | |
177 | /*! |
178 | Assigns the contents of \a other to this authenticator. |
179 | */ |
180 | QAuthenticator &QAuthenticator::operator=(const QAuthenticator &other) |
181 | { |
182 | if (d == other.d) |
183 | return *this; |
184 | |
185 | // Do not share the d since challenge response/based changes |
186 | // could corrupt the internal store and different network requests |
187 | // can utilize different types of proxies. |
188 | detach(); |
189 | if (other.d) { |
190 | d->user = other.d->user; |
191 | d->userDomain = other.d->userDomain; |
192 | d->workstation = other.d->workstation; |
193 | d->extractedUser = other.d->extractedUser; |
194 | d->password = other.d->password; |
195 | d->realm = other.d->realm; |
196 | d->method = other.d->method; |
197 | d->options = other.d->options; |
198 | } else if (d->phase == QAuthenticatorPrivate::Start) { |
199 | delete d; |
200 | d = nullptr; |
201 | } |
202 | return *this; |
203 | } |
204 | |
205 | /*! |
206 | Returns \c true if this authenticator is identical to \a other; otherwise |
207 | returns \c false. |
208 | */ |
209 | bool QAuthenticator::operator==(const QAuthenticator &other) const |
210 | { |
211 | if (d == other.d) |
212 | return true; |
213 | if (!d || !other.d) |
214 | return false; |
215 | return d->user == other.d->user |
216 | && d->password == other.d->password |
217 | && d->realm == other.d->realm |
218 | && d->method == other.d->method |
219 | && d->options == other.d->options; |
220 | } |
221 | |
222 | /*! |
223 | \fn bool QAuthenticator::operator!=(const QAuthenticator &other) const |
224 | |
225 | Returns \c true if this authenticator is different from \a other; otherwise |
226 | returns \c false. |
227 | */ |
228 | |
229 | /*! |
230 | Returns the user used for authentication. |
231 | */ |
232 | QString QAuthenticator::user() const |
233 | { |
234 | return d ? d->user : QString(); |
235 | } |
236 | |
237 | /*! |
238 | Sets the \a user used for authentication. |
239 | |
240 | \sa QNetworkAccessManager::authenticationRequired() |
241 | */ |
242 | void QAuthenticator::setUser(const QString &user) |
243 | { |
244 | if (!d || d->user != user) { |
245 | detach(); |
246 | d->user = user; |
247 | d->updateCredentials(); |
248 | } |
249 | } |
250 | |
251 | /*! |
252 | Returns the password used for authentication. |
253 | */ |
254 | QString QAuthenticator::password() const |
255 | { |
256 | return d ? d->password : QString(); |
257 | } |
258 | |
259 | /*! |
260 | Sets the \a password used for authentication. |
261 | |
262 | \sa QNetworkAccessManager::authenticationRequired() |
263 | */ |
264 | void QAuthenticator::setPassword(const QString &password) |
265 | { |
266 | if (!d || d->password != password) { |
267 | detach(); |
268 | d->password = password; |
269 | } |
270 | } |
271 | |
272 | /*! |
273 | \internal |
274 | */ |
275 | void QAuthenticator::detach() |
276 | { |
277 | if (!d) { |
278 | d = new QAuthenticatorPrivate; |
279 | return; |
280 | } |
281 | |
282 | if (d->phase == QAuthenticatorPrivate::Done) |
283 | d->phase = QAuthenticatorPrivate::Start; |
284 | } |
285 | |
286 | /*! |
287 | Returns the realm requiring authentication. |
288 | */ |
289 | QString QAuthenticator::realm() const |
290 | { |
291 | return d ? d->realm : QString(); |
292 | } |
293 | |
294 | /*! |
295 | \internal |
296 | */ |
297 | void QAuthenticator::setRealm(const QString &realm) |
298 | { |
299 | if (!d || d->realm != realm) { |
300 | detach(); |
301 | d->realm = realm; |
302 | } |
303 | } |
304 | |
305 | /*! |
306 | \since 4.7 |
307 | Returns the value related to option \a opt if it was set by the server. |
308 | See the \l{QAuthenticator#qauthenticator-options}{Options section} for |
309 | more information on incoming options. |
310 | If option \a opt isn't found, an invalid QVariant will be returned. |
311 | |
312 | \sa options(), {QAuthenticator#qauthenticator-options}{QAuthenticator options} |
313 | */ |
314 | QVariant QAuthenticator::option(const QString &opt) const |
315 | { |
316 | return d ? d->options.value(key: opt) : QVariant(); |
317 | } |
318 | |
319 | /*! |
320 | \since 4.7 |
321 | Returns all incoming options set in this QAuthenticator object by parsing |
322 | the server reply. See the \l{QAuthenticator#qauthenticator-options}{Options section} |
323 | for more information on incoming options. |
324 | |
325 | \sa option(), {QAuthenticator#qauthenticator-options}{QAuthenticator options} |
326 | */ |
327 | QVariantHash QAuthenticator::options() const |
328 | { |
329 | return d ? d->options : QVariantHash(); |
330 | } |
331 | |
332 | /*! |
333 | \since 4.7 |
334 | |
335 | Sets the outgoing option \a opt to value \a value. |
336 | See the \l{QAuthenticator#qauthenticator-options}{Options section} for more information on outgoing options. |
337 | |
338 | \sa options(), option(), {QAuthenticator#qauthenticator-options}{QAuthenticator options} |
339 | */ |
340 | void QAuthenticator::setOption(const QString &opt, const QVariant &value) |
341 | { |
342 | if (option(opt) != value) { |
343 | detach(); |
344 | d->options.insert(key: opt, value); |
345 | } |
346 | } |
347 | |
348 | |
349 | /*! |
350 | Returns \c true if the object has not been initialized. Returns |
351 | \c false if non-const member functions have been called, or |
352 | the content was constructed or copied from another initialized |
353 | QAuthenticator object. |
354 | */ |
355 | bool QAuthenticator::isNull() const |
356 | { |
357 | return !d; |
358 | } |
359 | |
360 | #if QT_CONFIG(sspi) // SSPI |
361 | class QSSPIWindowsHandles |
362 | { |
363 | public: |
364 | CredHandle credHandle; |
365 | CtxtHandle ctxHandle; |
366 | }; |
367 | #elif QT_CONFIG(gssapi) // GSSAPI |
368 | class QGssApiHandles |
369 | { |
370 | public: |
371 | gss_ctx_id_t gssCtx = nullptr; |
372 | gss_name_t targetName; |
373 | }; |
374 | #endif // gssapi |
375 | |
376 | |
377 | QAuthenticatorPrivate::QAuthenticatorPrivate() |
378 | : method(None) |
379 | , hasFailed(false) |
380 | , phase(Start) |
381 | , nonceCount(0) |
382 | { |
383 | cnonce = QCryptographicHash::hash(data: QByteArray::number(QRandomGenerator::system()->generate64(), base: 16), |
384 | method: QCryptographicHash::Md5).toHex(); |
385 | nonceCount = 0; |
386 | } |
387 | |
388 | QAuthenticatorPrivate::~QAuthenticatorPrivate() = default; |
389 | |
390 | void QAuthenticatorPrivate::updateCredentials() |
391 | { |
392 | int separatorPosn = 0; |
393 | |
394 | switch (method) { |
395 | case QAuthenticatorPrivate::Ntlm: |
396 | if ((separatorPosn = user.indexOf(s: "\\"_L1)) != -1) { |
397 | //domain name is present |
398 | realm.clear(); |
399 | userDomain = user.left(n: separatorPosn); |
400 | extractedUser = user.mid(position: separatorPosn + 1); |
401 | } else { |
402 | extractedUser = user; |
403 | realm.clear(); |
404 | userDomain.clear(); |
405 | } |
406 | break; |
407 | default: |
408 | userDomain.clear(); |
409 | break; |
410 | } |
411 | } |
412 | |
413 | bool QAuthenticatorPrivate::isMethodSupported(QByteArrayView method) |
414 | { |
415 | Q_ASSERT(!method.startsWith(' ')); // This should be trimmed during parsing |
416 | auto separator = method.indexOf(ch: ' '); |
417 | if (separator != -1) |
418 | method = method.first(n: separator); |
419 | const auto isSupported = [method](QByteArrayView reference) { |
420 | return method.compare(a: reference, cs: Qt::CaseInsensitive) == 0; |
421 | }; |
422 | static const char methods[][10] = { |
423 | "basic", |
424 | "ntlm", |
425 | "digest", |
426 | #if QT_CONFIG(sspi) || QT_CONFIG(gssapi) |
427 | "negotiate", |
428 | #endif |
429 | }; |
430 | return std::any_of(first: methods, last: methods + std::size(methods), pred: isSupported); |
431 | } |
432 | |
433 | static bool verifyDigestMD5(QByteArrayView value) |
434 | { |
435 | auto opts = QAuthenticatorPrivate::parseDigestAuthenticationChallenge(challenge: value); |
436 | if (auto it = opts.constFind(key: "algorithm"); it != opts.cend()) { |
437 | QByteArray alg = it.value(); |
438 | if (alg.size() < 3) |
439 | return false; |
440 | // Just compare the first 3 characters, that way we match other subvariants as well, such as |
441 | // "MD5-sess" |
442 | auto view = QByteArrayView(alg).first(n: 3); |
443 | return view.compare(a: "MD5", cs: Qt::CaseInsensitive) == 0; |
444 | } |
445 | return true; // assume it's ok if algorithm is not specified |
446 | } |
447 | |
448 | void QAuthenticatorPrivate::parseHttpResponse(const QHttpHeaders &headers, |
449 | bool isProxy, QStringView host) |
450 | { |
451 | #if !QT_CONFIG(gssapi) |
452 | Q_UNUSED(host); |
453 | #endif |
454 | const auto search = isProxy ? QHttpHeaders::WellKnownHeader::ProxyAuthenticate |
455 | : QHttpHeaders::WellKnownHeader::WWWAuthenticate; |
456 | |
457 | method = None; |
458 | /* |
459 | Fun from the HTTP 1.1 specs, that we currently ignore: |
460 | |
461 | User agents are advised to take special care in parsing the WWW- |
462 | Authenticate field value as it might contain more than one challenge, |
463 | or if more than one WWW-Authenticate header field is provided, the |
464 | contents of a challenge itself can contain a comma-separated list of |
465 | authentication parameters. |
466 | */ |
467 | |
468 | QByteArrayView headerVal; |
469 | for (const auto ¤t : headers.values(name: search)) { |
470 | const QLatin1StringView str(current); |
471 | if (method < Basic && str.startsWith(s: "basic"_L1, cs: Qt::CaseInsensitive)) { |
472 | method = Basic; |
473 | headerVal = QByteArrayView(current).mid(pos: 6); |
474 | } else if (method < Ntlm && str.startsWith(s: "ntlm"_L1, cs: Qt::CaseInsensitive)) { |
475 | method = Ntlm; |
476 | headerVal = QByteArrayView(current).mid(pos: 5); |
477 | } else if (method < DigestMd5 && str.startsWith(s: "digest"_L1, cs: Qt::CaseInsensitive)) { |
478 | // Make sure the algorithm is actually MD5 before committing to it: |
479 | if (!verifyDigestMD5(value: QByteArrayView(current).sliced(pos: 7))) |
480 | continue; |
481 | |
482 | method = DigestMd5; |
483 | headerVal = QByteArrayView(current).mid(pos: 7); |
484 | } else if (method < Negotiate && str.startsWith(s: "negotiate"_L1, cs: Qt::CaseInsensitive)) { |
485 | #if QT_CONFIG(sspi) || QT_CONFIG(gssapi) // if it's not supported then we shouldn't try to use it |
486 | #if QT_CONFIG(gssapi) |
487 | // For GSSAPI there needs to be a KDC set up for the host (afaict). |
488 | // So let's only conditionally use it if we can fetch the credentials. |
489 | // Sadly it's a bit slow because it requires a DNS lookup. |
490 | if (!qGssapiTestGetCredentials(host)) |
491 | continue; |
492 | #endif |
493 | method = Negotiate; |
494 | headerVal = QByteArrayView(current).mid(10); |
495 | #endif |
496 | } |
497 | } |
498 | |
499 | // Reparse credentials since we know the method now |
500 | updateCredentials(); |
501 | challenge = headerVal.trimmed().toByteArray(); |
502 | QHash<QByteArray, QByteArray> options = parseDigestAuthenticationChallenge(challenge); |
503 | |
504 | // Sets phase to Start if this updates our realm and sets the two locations where we store |
505 | // realm |
506 | auto privSetRealm = [this](QString newRealm) { |
507 | if (newRealm != realm) { |
508 | if (phase == Done) |
509 | phase = Start; |
510 | realm = newRealm; |
511 | this->options["realm"_L1] = realm; |
512 | } |
513 | }; |
514 | |
515 | switch(method) { |
516 | case Basic: |
517 | privSetRealm(QString::fromLatin1(ba: options.value(key: "realm"))); |
518 | if (user.isEmpty() && password.isEmpty()) |
519 | phase = Done; |
520 | break; |
521 | case Ntlm: |
522 | case Negotiate: |
523 | // work is done in calculateResponse() |
524 | break; |
525 | case DigestMd5: { |
526 | privSetRealm(QString::fromLatin1(ba: options.value(key: "realm"))); |
527 | if (options.value(key: "stale").compare(a: "true", cs: Qt::CaseInsensitive) == 0) { |
528 | phase = Start; |
529 | nonceCount = 0; |
530 | } |
531 | if (user.isEmpty() && password.isEmpty()) |
532 | phase = Done; |
533 | break; |
534 | } |
535 | default: |
536 | realm.clear(); |
537 | challenge = QByteArray(); |
538 | phase = Invalid; |
539 | } |
540 | } |
541 | |
542 | QByteArray QAuthenticatorPrivate::calculateResponse(QByteArrayView requestMethod, |
543 | QByteArrayView path, QStringView host) |
544 | { |
545 | #if !QT_CONFIG(sspi) && !QT_CONFIG(gssapi) |
546 | Q_UNUSED(host); |
547 | #endif |
548 | QByteArray response; |
549 | QByteArrayView methodString; |
550 | switch(method) { |
551 | case QAuthenticatorPrivate::None: |
552 | phase = Done; |
553 | break; |
554 | case QAuthenticatorPrivate::Basic: |
555 | methodString = "Basic"; |
556 | response = (user + ':'_L1 + password).toLatin1().toBase64(); |
557 | phase = Done; |
558 | break; |
559 | case QAuthenticatorPrivate::DigestMd5: |
560 | methodString = "Digest"; |
561 | response = digestMd5Response(challenge, method: requestMethod, path); |
562 | phase = Done; |
563 | break; |
564 | case QAuthenticatorPrivate::Ntlm: |
565 | methodString = "NTLM"; |
566 | if (challenge.isEmpty()) { |
567 | #if QT_CONFIG(sspi) // SSPI |
568 | QByteArray phase1Token; |
569 | if (user.isEmpty()) { // Only pull from system if no user was specified in authenticator |
570 | phase1Token = qSspiStartup(this, method, host); |
571 | } else if (!q_SSPI_library_load()) { |
572 | // Since we're not running qSspiStartup we have to make sure the library is loaded |
573 | qWarning("Failed to load the SSPI libraries"); |
574 | return ""; |
575 | } |
576 | if (!phase1Token.isEmpty()) { |
577 | response = phase1Token.toBase64(); |
578 | phase = Phase2; |
579 | } else |
580 | #endif |
581 | { |
582 | response = qNtlmPhase1().toBase64(); |
583 | if (user.isEmpty()) |
584 | phase = Done; |
585 | else |
586 | phase = Phase2; |
587 | } |
588 | } else { |
589 | #if QT_CONFIG(sspi) // SSPI |
590 | QByteArray phase3Token; |
591 | if (sspiWindowsHandles) |
592 | phase3Token = qSspiContinue(this, method, host, QByteArray::fromBase64(challenge)); |
593 | if (!phase3Token.isEmpty()) { |
594 | response = phase3Token.toBase64(); |
595 | phase = Done; |
596 | } else |
597 | #endif |
598 | { |
599 | response = qNtlmPhase3(ctx: this, phase2data: QByteArray::fromBase64(base64: challenge)).toBase64(); |
600 | phase = Done; |
601 | } |
602 | challenge = ""; |
603 | } |
604 | |
605 | break; |
606 | case QAuthenticatorPrivate::Negotiate: |
607 | methodString = "Negotiate"; |
608 | if (challenge.isEmpty()) { |
609 | QByteArray phase1Token; |
610 | #if QT_CONFIG(sspi) // SSPI |
611 | phase1Token = qSspiStartup(this, method, host); |
612 | #elif QT_CONFIG(gssapi) // GSSAPI |
613 | phase1Token = qGssapiStartup(this, host); |
614 | #endif |
615 | |
616 | if (!phase1Token.isEmpty()) { |
617 | response = phase1Token.toBase64(); |
618 | phase = Phase2; |
619 | } else { |
620 | phase = Done; |
621 | return ""; |
622 | } |
623 | } else { |
624 | QByteArray phase3Token; |
625 | #if QT_CONFIG(sspi) // SSPI |
626 | if (sspiWindowsHandles) |
627 | phase3Token = qSspiContinue(this, method, host, QByteArray::fromBase64(challenge)); |
628 | #elif QT_CONFIG(gssapi) // GSSAPI |
629 | if (gssApiHandles) |
630 | phase3Token = qGssapiContinue(this, QByteArray::fromBase64(challenge)); |
631 | #endif |
632 | if (!phase3Token.isEmpty()) { |
633 | response = phase3Token.toBase64(); |
634 | phase = Done; |
635 | challenge = ""; |
636 | } else { |
637 | phase = Done; |
638 | return ""; |
639 | } |
640 | } |
641 | |
642 | break; |
643 | } |
644 | |
645 | return methodString + ' ' + response; |
646 | } |
647 | |
648 | |
649 | // ---------------------------- Digest Md5 code ---------------------------------------- |
650 | |
651 | static bool containsAuth(QByteArrayView data) |
652 | { |
653 | for (auto element : QLatin1StringView(data).tokenize(needle: ','_L1)) { |
654 | if (element == "auth"_L1) |
655 | return true; |
656 | } |
657 | return false; |
658 | } |
659 | |
660 | QHash<QByteArray, QByteArray> |
661 | QAuthenticatorPrivate::parseDigestAuthenticationChallenge(QByteArrayView challenge) |
662 | { |
663 | QHash<QByteArray, QByteArray> options; |
664 | // parse the challenge |
665 | const char *d = challenge.data(); |
666 | const char *end = d + challenge.size(); |
667 | while (d < end) { |
668 | while (d < end && (*d == ' ' || *d == '\n' || *d == '\r')) |
669 | ++d; |
670 | const char *start = d; |
671 | while (d < end && *d != '=') |
672 | ++d; |
673 | QByteArrayView key = QByteArrayView(start, d - start); |
674 | ++d; |
675 | if (d >= end) |
676 | break; |
677 | bool quote = (*d == '"'); |
678 | if (quote) |
679 | ++d; |
680 | if (d >= end) |
681 | break; |
682 | QByteArray value; |
683 | while (d < end) { |
684 | bool backslash = false; |
685 | if (*d == '\\' && d < end - 1) { |
686 | ++d; |
687 | backslash = true; |
688 | } |
689 | if (!backslash) { |
690 | if (quote) { |
691 | if (*d == '"') |
692 | break; |
693 | } else { |
694 | if (*d == ',') |
695 | break; |
696 | } |
697 | } |
698 | value += *d; |
699 | ++d; |
700 | } |
701 | while (d < end && *d != ',') |
702 | ++d; |
703 | ++d; |
704 | options[key.toByteArray()] = std::move(value); |
705 | } |
706 | |
707 | QByteArray qop = options.value(key: "qop"); |
708 | if (!qop.isEmpty()) { |
709 | if (!containsAuth(data: qop)) |
710 | return QHash<QByteArray, QByteArray>(); |
711 | // #### can't do auth-int currently |
712 | // if (qop.contains("auth-int")) |
713 | // qop = "auth-int"; |
714 | // else if (qop.contains("auth")) |
715 | // qop = "auth"; |
716 | // else |
717 | // qop = QByteArray(); |
718 | options["qop"] = "auth"; |
719 | } |
720 | |
721 | return options; |
722 | } |
723 | |
724 | /* |
725 | Digest MD5 implementation |
726 | |
727 | Code taken from RFC 2617 |
728 | |
729 | Currently we don't support the full SASL authentication mechanism (which includes cyphers) |
730 | */ |
731 | |
732 | |
733 | /* calculate request-digest/response-digest as per HTTP Digest spec */ |
734 | static QByteArray digestMd5ResponseHelper( |
735 | QByteArrayView alg, |
736 | QByteArrayView userName, |
737 | QByteArrayView realm, |
738 | QByteArrayView password, |
739 | QByteArrayView nonce, /* nonce from server */ |
740 | QByteArrayView nonceCount, /* 8 hex digits */ |
741 | QByteArrayView cNonce, /* client nonce */ |
742 | QByteArrayView qop, /* qop-value: "", "auth", "auth-int" */ |
743 | QByteArrayView method, /* method from the request */ |
744 | QByteArrayView digestUri, /* requested URL */ |
745 | QByteArrayView hEntity /* H(entity body) if qop="auth-int" */ |
746 | ) |
747 | { |
748 | QCryptographicHash hash(QCryptographicHash::Md5); |
749 | hash.addData(data: userName); |
750 | hash.addData(data: ":"); |
751 | hash.addData(data: realm); |
752 | hash.addData(data: ":"); |
753 | hash.addData(data: password); |
754 | QByteArray ha1 = hash.result(); |
755 | if (alg.compare(a: "md5-sess", cs: Qt::CaseInsensitive) == 0) { |
756 | hash.reset(); |
757 | // RFC 2617 contains an error, it was: |
758 | // hash.addData(ha1); |
759 | // but according to the errata page at http://www.rfc-editor.org/errata_list.php, ID 1649, it |
760 | // must be the following line: |
761 | hash.addData(data: ha1.toHex()); |
762 | hash.addData(data: ":"); |
763 | hash.addData(data: nonce); |
764 | hash.addData(data: ":"); |
765 | hash.addData(data: cNonce); |
766 | ha1 = hash.result(); |
767 | }; |
768 | ha1 = ha1.toHex(); |
769 | |
770 | // calculate H(A2) |
771 | hash.reset(); |
772 | hash.addData(data: method); |
773 | hash.addData(data: ":"); |
774 | hash.addData(data: digestUri); |
775 | if (qop.compare(a: "auth-int", cs: Qt::CaseInsensitive) == 0) { |
776 | hash.addData(data: ":"); |
777 | hash.addData(data: hEntity); |
778 | } |
779 | QByteArray ha2hex = hash.result().toHex(); |
780 | |
781 | // calculate response |
782 | hash.reset(); |
783 | hash.addData(data: ha1); |
784 | hash.addData(data: ":"); |
785 | hash.addData(data: nonce); |
786 | hash.addData(data: ":"); |
787 | if (!qop.isNull()) { |
788 | hash.addData(data: nonceCount); |
789 | hash.addData(data: ":"); |
790 | hash.addData(data: cNonce); |
791 | hash.addData(data: ":"); |
792 | hash.addData(data: qop); |
793 | hash.addData(data: ":"); |
794 | } |
795 | hash.addData(data: ha2hex); |
796 | return hash.result().toHex(); |
797 | } |
798 | |
799 | QByteArray QAuthenticatorPrivate::digestMd5Response(QByteArrayView challenge, QByteArrayView method, |
800 | QByteArrayView path) |
801 | { |
802 | QHash<QByteArray,QByteArray> options = parseDigestAuthenticationChallenge(challenge); |
803 | |
804 | ++nonceCount; |
805 | QByteArray nonceCountString = QByteArray::number(nonceCount, base: 16); |
806 | while (nonceCountString.size() < 8) |
807 | nonceCountString.prepend(c: '0'); |
808 | |
809 | QByteArray nonce = options.value(key: "nonce"); |
810 | QByteArray opaque = options.value(key: "opaque"); |
811 | QByteArray qop = options.value(key: "qop"); |
812 | |
813 | // qDebug() << "calculating digest: method=" << method << "path=" << path; |
814 | QByteArray response = digestMd5ResponseHelper(alg: options.value(key: "algorithm"), userName: user.toLatin1(), |
815 | realm: realm.toLatin1(), password: password.toLatin1(), |
816 | nonce, nonceCount: nonceCountString, |
817 | cNonce: cnonce, qop, method, |
818 | digestUri: path, hEntity: QByteArray()); |
819 | |
820 | |
821 | QByteArray credentials; |
822 | credentials += "username=\""+ user.toLatin1() + "\", "; |
823 | credentials += "realm=\""+ realm.toLatin1() + "\", "; |
824 | credentials += "nonce=\""+ nonce + "\", "; |
825 | credentials += "uri=\""+ path + "\", "; |
826 | if (!opaque.isEmpty()) |
827 | credentials += "opaque=\""+ opaque + "\", "; |
828 | credentials += "response=\""+ response + '"'; |
829 | if (!options.value(key: "algorithm").isEmpty()) |
830 | credentials += ", algorithm="+ options.value(key: "algorithm"); |
831 | if (!options.value(key: "qop").isEmpty()) { |
832 | credentials += ", qop="+ qop + ", "; |
833 | credentials += "nc="+ nonceCountString + ", "; |
834 | credentials += "cnonce=\""+ cnonce + '"'; |
835 | } |
836 | |
837 | return credentials; |
838 | } |
839 | |
840 | // ---------------------------- End of Digest Md5 code --------------------------------- |
841 | |
842 | |
843 | // ---------------------------- NTLM code ---------------------------------------------- |
844 | |
845 | /* |
846 | * NTLM message flags. |
847 | * |
848 | * Copyright (c) 2004 Andrey Panin <pazke@donpac.ru> |
849 | * |
850 | * This software is released under the MIT license. |
851 | */ |
852 | |
853 | /* |
854 | * Indicates that Unicode strings are supported for use in security |
855 | * buffer data. |
856 | */ |
857 | #define NTLMSSP_NEGOTIATE_UNICODE 0x00000001 |
858 | |
859 | /* |
860 | * Indicates that OEM strings are supported for use in security buffer data. |
861 | */ |
862 | #define NTLMSSP_NEGOTIATE_OEM 0x00000002 |
863 | |
864 | /* |
865 | * Requests that the server's authentication realm be included in the |
866 | * Type 2 message. |
867 | */ |
868 | #define NTLMSSP_REQUEST_TARGET 0x00000004 |
869 | |
870 | /* |
871 | * Specifies that authenticated communication between the client and server |
872 | * should carry a digital signature (message integrity). |
873 | */ |
874 | #define NTLMSSP_NEGOTIATE_SIGN 0x00000010 |
875 | |
876 | /* |
877 | * Specifies that authenticated communication between the client and server |
878 | * should be encrypted (message confidentiality). |
879 | */ |
880 | #define NTLMSSP_NEGOTIATE_SEAL 0x00000020 |
881 | |
882 | /* |
883 | * Indicates that datagram authentication is being used. |
884 | */ |
885 | #define NTLMSSP_NEGOTIATE_DATAGRAM 0x00000040 |
886 | |
887 | /* |
888 | * Indicates that the LAN Manager session key should be |
889 | * used for signing and sealing authenticated communications. |
890 | */ |
891 | #define NTLMSSP_NEGOTIATE_LM_KEY 0x00000080 |
892 | |
893 | /* |
894 | * Indicates that NTLM authentication is being used. |
895 | */ |
896 | #define NTLMSSP_NEGOTIATE_NTLM 0x00000200 |
897 | |
898 | /* |
899 | * Sent by the client in the Type 1 message to indicate that the name of the |
900 | * domain in which the client workstation has membership is included in the |
901 | * message. This is used by the server to determine whether the client is |
902 | * eligible for local authentication. |
903 | */ |
904 | #define NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED 0x00001000 |
905 | |
906 | /* |
907 | * Sent by the client in the Type 1 message to indicate that the client |
908 | * workstation's name is included in the message. This is used by the server |
909 | * to determine whether the client is eligible for local authentication. |
910 | */ |
911 | #define NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED 0x00002000 |
912 | |
913 | /* |
914 | * Sent by the server to indicate that the server and client are on the same |
915 | * machine. Implies that the client may use the established local credentials |
916 | * for authentication instead of calculating a response to the challenge. |
917 | */ |
918 | #define NTLMSSP_NEGOTIATE_LOCAL_CALL 0x00004000 |
919 | |
920 | /* |
921 | * Indicates that authenticated communication between the client and server |
922 | * should be signed with a "dummy" signature. |
923 | */ |
924 | #define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x00008000 |
925 | |
926 | /* |
927 | * Sent by the server in the Type 2 message to indicate that the target |
928 | * authentication realm is a domain. |
929 | */ |
930 | #define NTLMSSP_TARGET_TYPE_DOMAIN 0x00010000 |
931 | |
932 | /* |
933 | * Sent by the server in the Type 2 message to indicate that the target |
934 | * authentication realm is a server. |
935 | */ |
936 | #define NTLMSSP_TARGET_TYPE_SERVER 0x00020000 |
937 | |
938 | /* |
939 | * Sent by the server in the Type 2 message to indicate that the target |
940 | * authentication realm is a share. Presumably, this is for share-level |
941 | * authentication. Usage is unclear. |
942 | */ |
943 | #define NTLMSSP_TARGET_TYPE_SHARE 0x00040000 |
944 | |
945 | /* |
946 | * Indicates that the NTLM2 signing and sealing scheme should be used for |
947 | * protecting authenticated communications. Note that this refers to a |
948 | * particular session security scheme, and is not related to the use of |
949 | * NTLMv2 authentication. |
950 | */ |
951 | #define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 |
952 | |
953 | /* |
954 | * Sent by the server in the Type 2 message to indicate that it is including |
955 | * a Target Information block in the message. The Target Information block |
956 | * is used in the calculation of the NTLMv2 response. |
957 | */ |
958 | #define NTLMSSP_NEGOTIATE_TARGET_INFO 0x00800000 |
959 | |
960 | /* |
961 | * Indicates that 128-bit encryption is supported. |
962 | */ |
963 | #define NTLMSSP_NEGOTIATE_128 0x20000000 |
964 | |
965 | /* |
966 | * Indicates that the client will provide an encrypted master session key in |
967 | * the "Session Key" field of the Type 3 message. This is used in signing and |
968 | * sealing, and is RC4-encrypted using the previous session key as the |
969 | * encryption key. |
970 | */ |
971 | #define NTLMSSP_NEGOTIATE_KEY_EXCHANGE 0x40000000 |
972 | |
973 | /* |
974 | * Indicates that 56-bit encryption is supported. |
975 | */ |
976 | #define NTLMSSP_NEGOTIATE_56 0x80000000 |
977 | |
978 | /* |
979 | * AvId values |
980 | */ |
981 | #define AVTIMESTAMP 7 |
982 | |
983 | |
984 | //************************Global variables*************************** |
985 | |
986 | const int blockSize = 64; //As per RFC2104 Block-size is 512 bits |
987 | const quint8 respversion = 1; |
988 | const quint8 hirespversion = 1; |
989 | |
990 | /* usage: |
991 | // fill up ctx with what we know. |
992 | QByteArray response = qNtlmPhase1(ctx); |
993 | // send response (b64 encoded??) |
994 | // get response from server (b64 decode?) |
995 | Phase2Block pb; |
996 | qNtlmDecodePhase2(response, pb); |
997 | response = qNtlmPhase3(ctx, pb); |
998 | // send response (b64 encoded??) |
999 | */ |
1000 | |
1001 | /* |
1002 | TODO: |
1003 | - Fix unicode handling |
1004 | - add v2 handling |
1005 | */ |
1006 | |
1007 | class QNtlmBuffer { |
1008 | public: |
1009 | QNtlmBuffer() : len(0), maxLen(0), offset(0) {} |
1010 | quint16 len; |
1011 | quint16 maxLen; |
1012 | quint32 offset; |
1013 | enum { Size = 8 }; |
1014 | }; |
1015 | |
1016 | static void qStreamNtlmBuffer(QDataStream& ds, const QByteArray& s) |
1017 | { |
1018 | ds.writeRawData(s.constData(), len: s.size()); |
1019 | } |
1020 | |
1021 | |
1022 | static void qStreamNtlmString(QDataStream& ds, const QString& s, bool unicode) |
1023 | { |
1024 | if (!unicode) { |
1025 | qStreamNtlmBuffer(ds, s: s.toLatin1()); |
1026 | return; |
1027 | } |
1028 | |
1029 | for (QChar ch : s) |
1030 | ds << quint16(ch.unicode()); |
1031 | } |
1032 | |
1033 | |
1034 | |
1035 | static int qEncodeNtlmBuffer(QNtlmBuffer& buf, int offset, const QByteArray& s) |
1036 | { |
1037 | buf.len = s.size(); |
1038 | buf.maxLen = buf.len; |
1039 | buf.offset = (offset + 1) & ~1; |
1040 | return buf.offset + buf.len; |
1041 | } |
1042 | |
1043 | |
1044 | static int qEncodeNtlmString(QNtlmBuffer& buf, int offset, const QString& s, bool unicode) |
1045 | { |
1046 | if (!unicode) |
1047 | return qEncodeNtlmBuffer(buf, offset, s: s.toLatin1()); |
1048 | buf.len = 2 * s.size(); |
1049 | buf.maxLen = buf.len; |
1050 | buf.offset = (offset + 1) & ~1; |
1051 | return buf.offset + buf.len; |
1052 | } |
1053 | |
1054 | |
1055 | static QDataStream& operator<<(QDataStream& s, const QNtlmBuffer& b) |
1056 | { |
1057 | s << b.len << b.maxLen << b.offset; |
1058 | return s; |
1059 | } |
1060 | |
1061 | static QDataStream& operator>>(QDataStream& s, QNtlmBuffer& b) |
1062 | { |
1063 | s >> b.len >> b.maxLen >> b.offset; |
1064 | return s; |
1065 | } |
1066 | |
1067 | |
1068 | class QNtlmPhase1Block |
1069 | { // request |
1070 | public: |
1071 | char magic[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'}; |
1072 | quint32 type = 1; |
1073 | quint32 flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_NTLM2; |
1074 | QNtlmBuffer domain; |
1075 | QNtlmBuffer workstation; |
1076 | |
1077 | // extracted |
1078 | QString domainStr, workstationStr; |
1079 | }; |
1080 | |
1081 | |
1082 | class QNtlmPhase2Block |
1083 | { // challenge |
1084 | public: |
1085 | char magic[8] = {0}; |
1086 | quint32 type = 0xffffffff; |
1087 | QNtlmBuffer targetName; |
1088 | quint32 flags = 0; |
1089 | unsigned char challenge[8] = {'\0'}; |
1090 | quint32 context[2] = {0, 0}; |
1091 | QNtlmBuffer targetInfo; |
1092 | enum { Size = 48 }; |
1093 | |
1094 | // extracted |
1095 | QString targetNameStr, targetInfoStr; |
1096 | QByteArray targetInfoBuff; |
1097 | }; |
1098 | |
1099 | |
1100 | |
1101 | class QNtlmPhase3Block |
1102 | { // response |
1103 | public: |
1104 | char magic[8] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', '\0'}; |
1105 | quint32 type = 3; |
1106 | QNtlmBuffer lmResponse; |
1107 | QNtlmBuffer ntlmResponse; |
1108 | QNtlmBuffer domain; |
1109 | QNtlmBuffer user; |
1110 | QNtlmBuffer workstation; |
1111 | QNtlmBuffer sessionKey; |
1112 | quint32 flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_TARGET_INFO; |
1113 | enum { Size = 64 }; |
1114 | |
1115 | // extracted |
1116 | QByteArray lmResponseBuf, ntlmResponseBuf; |
1117 | QString domainStr, userStr, workstationStr, sessionKeyStr; |
1118 | QByteArray v2Hash; |
1119 | }; |
1120 | |
1121 | |
1122 | static QDataStream& operator<<(QDataStream& s, const QNtlmPhase1Block& b) { |
1123 | bool unicode = (b.flags & NTLMSSP_NEGOTIATE_UNICODE); |
1124 | |
1125 | s.writeRawData(b.magic, len: sizeof(b.magic)); |
1126 | s << b.type; |
1127 | s << b.flags; |
1128 | s << b.domain; |
1129 | s << b.workstation; |
1130 | if (!b.domainStr.isEmpty()) |
1131 | qStreamNtlmString(ds&: s, s: b.domainStr, unicode); |
1132 | if (!b.workstationStr.isEmpty()) |
1133 | qStreamNtlmString(ds&: s, s: b.workstationStr, unicode); |
1134 | return s; |
1135 | } |
1136 | |
1137 | |
1138 | static QDataStream& operator<<(QDataStream& s, const QNtlmPhase3Block& b) { |
1139 | bool unicode = (b.flags & NTLMSSP_NEGOTIATE_UNICODE); |
1140 | s.writeRawData(b.magic, len: sizeof(b.magic)); |
1141 | s << b.type; |
1142 | s << b.lmResponse; |
1143 | s << b.ntlmResponse; |
1144 | s << b.domain; |
1145 | s << b.user; |
1146 | s << b.workstation; |
1147 | s << b.sessionKey; |
1148 | s << b.flags; |
1149 | |
1150 | if (!b.domainStr.isEmpty()) |
1151 | qStreamNtlmString(ds&: s, s: b.domainStr, unicode); |
1152 | |
1153 | qStreamNtlmString(ds&: s, s: b.userStr, unicode); |
1154 | |
1155 | if (!b.workstationStr.isEmpty()) |
1156 | qStreamNtlmString(ds&: s, s: b.workstationStr, unicode); |
1157 | |
1158 | // Send auth info |
1159 | qStreamNtlmBuffer(ds&: s, s: b.lmResponseBuf); |
1160 | qStreamNtlmBuffer(ds&: s, s: b.ntlmResponseBuf); |
1161 | |
1162 | |
1163 | return s; |
1164 | } |
1165 | |
1166 | |
1167 | static QByteArray qNtlmPhase1() |
1168 | { |
1169 | QByteArray rc; |
1170 | QDataStream ds(&rc, QIODevice::WriteOnly); |
1171 | ds.setByteOrder(QDataStream::LittleEndian); |
1172 | QNtlmPhase1Block pb; |
1173 | ds << pb; |
1174 | return rc; |
1175 | } |
1176 | |
1177 | |
1178 | static QByteArray qStringAsUcs2Le(const QString& src) |
1179 | { |
1180 | QByteArray rc(2*src.size(), 0); |
1181 | unsigned short *d = (unsigned short*)rc.data(); |
1182 | for (QChar ch : src) |
1183 | *d++ = qToLittleEndian(source: quint16(ch.unicode())); |
1184 | |
1185 | return rc; |
1186 | } |
1187 | |
1188 | |
1189 | static QString qStringFromUcs2Le(QByteArray src) |
1190 | { |
1191 | Q_ASSERT(src.size() % 2 == 0); |
1192 | unsigned short *d = (unsigned short*)src.data(); |
1193 | for (int i = 0; i < src.size() / 2; ++i) { |
1194 | d[i] = qFromLittleEndian(source: d[i]); |
1195 | } |
1196 | return QString((const QChar *)src.data(), src.size()/2); |
1197 | } |
1198 | |
1199 | |
1200 | /********************************************************************* |
1201 | * Function Name: qEncodeHmacMd5 |
1202 | * Params: |
1203 | * key: Type - QByteArray |
1204 | * - It is the Authentication key |
1205 | * message: Type - QByteArray |
1206 | * - This is the actual message which will be encoded |
1207 | * using HMacMd5 hash algorithm |
1208 | * |
1209 | * Return Value: |
1210 | * hmacDigest: Type - QByteArray |
1211 | * |
1212 | * Description: |
1213 | * This function will be used to encode the input message using |
1214 | * HMacMd5 hash algorithm. |
1215 | * |
1216 | * As per the RFC2104 the HMacMd5 algorithm can be specified |
1217 | * --------------------------------------- |
1218 | * MD5(K XOR opad, MD5(K XOR ipad, text)) |
1219 | * --------------------------------------- |
1220 | * |
1221 | *********************************************************************/ |
1222 | QByteArray qEncodeHmacMd5(QByteArray &key, QByteArrayView message) |
1223 | { |
1224 | Q_ASSERT_X(!(message.isEmpty()),"qEncodeHmacMd5", "Empty message check"); |
1225 | Q_ASSERT_X(!(key.isEmpty()),"qEncodeHmacMd5", "Empty key check"); |
1226 | |
1227 | QCryptographicHash hash(QCryptographicHash::Md5); |
1228 | |
1229 | QByteArray iKeyPad(blockSize, 0x36); |
1230 | QByteArray oKeyPad(blockSize, 0x5c); |
1231 | |
1232 | hash.reset(); |
1233 | // Adjust the key length to blockSize |
1234 | |
1235 | if (blockSize < key.size()) { |
1236 | hash.addData(data: key); |
1237 | key = hash.result(); //MD5 will always return 16 bytes length output |
1238 | } |
1239 | |
1240 | //Key will be <= 16 or 20 bytes as hash function (MD5 or SHA hash algorithms) |
1241 | //key size can be max of Block size only |
1242 | key = key.leftJustified(width: blockSize,fill: 0,truncate: true); |
1243 | |
1244 | //iKeyPad, oKeyPad and key are all of same size "blockSize" |
1245 | |
1246 | //xor of iKeyPad with Key and store the result into iKeyPad |
1247 | for(int i = 0; i<key.size();i++) { |
1248 | iKeyPad[i] = key[i]^iKeyPad[i]; |
1249 | } |
1250 | |
1251 | //xor of oKeyPad with Key and store the result into oKeyPad |
1252 | for(int i = 0; i<key.size();i++) { |
1253 | oKeyPad[i] = key[i]^oKeyPad[i]; |
1254 | } |
1255 | |
1256 | iKeyPad.append(a: message); // (K0 xor ipad) || text |
1257 | |
1258 | hash.reset(); |
1259 | hash.addData(data: iKeyPad); |
1260 | QByteArrayView hMsg = hash.resultView(); |
1261 | //Digest gen after pass-1: H((K0 xor ipad)||text) |
1262 | |
1263 | QByteArray hmacDigest; |
1264 | oKeyPad.append(a: hMsg); |
1265 | hash.reset(); |
1266 | hash.addData(data: oKeyPad); |
1267 | hmacDigest = hash.result(); |
1268 | // H((K0 xor opad )|| H((K0 xor ipad) || text)) |
1269 | |
1270 | /*hmacDigest should not be less than half the length of the HMAC output |
1271 | (to match the birthday attack bound) and not less than 80 bits |
1272 | (a suitable lower bound on the number of bits that need to be |
1273 | predicted by an attacker). |
1274 | Refer RFC 2104 for more details on truncation part */ |
1275 | |
1276 | /*MD5 hash always returns 16 byte digest only and HMAC-MD5 spec |
1277 | (RFC 2104) also says digest length should be 16 bytes*/ |
1278 | return hmacDigest; |
1279 | } |
1280 | |
1281 | static QByteArray qCreatev2Hash(const QAuthenticatorPrivate *ctx, |
1282 | QNtlmPhase3Block *phase3) |
1283 | { |
1284 | Q_ASSERT(phase3 != nullptr); |
1285 | // since v2 Hash is need for both NTLMv2 and LMv2 it is calculated |
1286 | // only once and stored and reused |
1287 | if (phase3->v2Hash.size() == 0) { |
1288 | QCryptographicHash md4(QCryptographicHash::Md4); |
1289 | QByteArray passUnicode = qStringAsUcs2Le(src: ctx->password); |
1290 | md4.addData(data: passUnicode); |
1291 | |
1292 | QByteArray hashKey = md4.result(); |
1293 | Q_ASSERT(hashKey.size() == 16); |
1294 | // Assuming the user and domain is always unicode in challenge |
1295 | QByteArray message = |
1296 | qStringAsUcs2Le(src: ctx->extractedUser.toUpper()) + |
1297 | qStringAsUcs2Le(src: phase3->domainStr); |
1298 | |
1299 | phase3->v2Hash = qEncodeHmacMd5(key&: hashKey, message); |
1300 | } |
1301 | return phase3->v2Hash; |
1302 | } |
1303 | |
1304 | static QByteArray clientChallenge(const QAuthenticatorPrivate *ctx) |
1305 | { |
1306 | Q_ASSERT(ctx->cnonce.size() >= 8); |
1307 | QByteArray clientCh = ctx->cnonce.right(n: 8); |
1308 | return clientCh; |
1309 | } |
1310 | |
1311 | // caller has to ensure a valid targetInfoBuff |
1312 | static QByteArray qExtractServerTime(const QByteArray& targetInfoBuff) |
1313 | { |
1314 | QByteArray timeArray; |
1315 | QDataStream ds(targetInfoBuff); |
1316 | ds.setByteOrder(QDataStream::LittleEndian); |
1317 | |
1318 | quint16 avId; |
1319 | quint16 avLen; |
1320 | |
1321 | ds >> avId; |
1322 | ds >> avLen; |
1323 | while(avId != 0) { |
1324 | if (avId == AVTIMESTAMP) { |
1325 | timeArray.resize(size: avLen); |
1326 | //avLen size of QByteArray is allocated |
1327 | ds.readRawData(timeArray.data(), len: avLen); |
1328 | break; |
1329 | } |
1330 | ds.skipRawData(len: avLen); |
1331 | ds >> avId; |
1332 | ds >> avLen; |
1333 | } |
1334 | return timeArray; |
1335 | } |
1336 | |
1337 | static QByteArray qEncodeNtlmv2Response(const QAuthenticatorPrivate *ctx, |
1338 | const QNtlmPhase2Block& ch, |
1339 | QNtlmPhase3Block *phase3) |
1340 | { |
1341 | Q_ASSERT(phase3 != nullptr); |
1342 | // return value stored in phase3 |
1343 | qCreatev2Hash(ctx, phase3); |
1344 | |
1345 | QByteArray temp; |
1346 | QDataStream ds(&temp, QIODevice::WriteOnly); |
1347 | ds.setByteOrder(QDataStream::LittleEndian); |
1348 | |
1349 | ds << respversion; |
1350 | ds << hirespversion; |
1351 | |
1352 | //Reserved |
1353 | QByteArray reserved1(6, 0); |
1354 | ds.writeRawData(reserved1.constData(), len: reserved1.size()); |
1355 | |
1356 | quint64 time = 0; |
1357 | QByteArray timeArray; |
1358 | |
1359 | if (ch.targetInfo.len) |
1360 | { |
1361 | timeArray = qExtractServerTime(targetInfoBuff: ch.targetInfoBuff); |
1362 | } |
1363 | |
1364 | //if server sends time, use it instead of current time |
1365 | if (timeArray.size()) { |
1366 | ds.writeRawData(timeArray.constData(), len: timeArray.size()); |
1367 | } else { |
1368 | // number of seconds between 1601 and the epoch (1970) |
1369 | // 369 years, 89 leap years |
1370 | // ((369 * 365) + 89) * 24 * 3600 = 11644473600 |
1371 | time = QDateTime::currentSecsSinceEpoch() + 11644473600; |
1372 | |
1373 | // represented as 100 nano seconds |
1374 | time = time * Q_UINT64_C(10000000); |
1375 | ds << time; |
1376 | } |
1377 | |
1378 | //8 byte client challenge |
1379 | QByteArray clientCh = clientChallenge(ctx); |
1380 | ds.writeRawData(clientCh.constData(), len: clientCh.size()); |
1381 | |
1382 | //Reserved |
1383 | QByteArray reserved2(4, 0); |
1384 | ds.writeRawData(reserved2.constData(), len: reserved2.size()); |
1385 | |
1386 | if (ch.targetInfo.len > 0) { |
1387 | ds.writeRawData(ch.targetInfoBuff.constData(), |
1388 | len: ch.targetInfoBuff.size()); |
1389 | } |
1390 | |
1391 | //Reserved |
1392 | QByteArray reserved3(4, 0); |
1393 | ds.writeRawData(reserved3.constData(), len: reserved3.size()); |
1394 | |
1395 | QByteArray message((const char*)ch.challenge, sizeof(ch.challenge)); |
1396 | message.append(a: temp); |
1397 | |
1398 | QByteArray ntChallengeResp = qEncodeHmacMd5(key&: phase3->v2Hash, message); |
1399 | ntChallengeResp.append(a: temp); |
1400 | |
1401 | return ntChallengeResp; |
1402 | } |
1403 | |
1404 | static QByteArray qEncodeLmv2Response(const QAuthenticatorPrivate *ctx, |
1405 | const QNtlmPhase2Block& ch, |
1406 | QNtlmPhase3Block *phase3) |
1407 | { |
1408 | Q_ASSERT(phase3 != nullptr); |
1409 | // return value stored in phase3 |
1410 | qCreatev2Hash(ctx, phase3); |
1411 | |
1412 | QByteArray message((const char*)ch.challenge, sizeof(ch.challenge)); |
1413 | QByteArray clientCh = clientChallenge(ctx); |
1414 | |
1415 | message.append(a: clientCh); |
1416 | |
1417 | QByteArray lmChallengeResp = qEncodeHmacMd5(key&: phase3->v2Hash, message); |
1418 | lmChallengeResp.append(a: clientCh); |
1419 | |
1420 | return lmChallengeResp; |
1421 | } |
1422 | |
1423 | static bool qNtlmDecodePhase2(const QByteArray& data, QNtlmPhase2Block& ch) |
1424 | { |
1425 | if (data.size() < QNtlmPhase2Block::Size) |
1426 | return false; |
1427 | |
1428 | |
1429 | QDataStream ds(data); |
1430 | ds.setByteOrder(QDataStream::LittleEndian); |
1431 | if (ds.readRawData(ch.magic, len: 8) < 8) |
1432 | return false; |
1433 | if (strncmp(s1: ch.magic, s2: "NTLMSSP", n: 8) != 0) |
1434 | return false; |
1435 | |
1436 | ds >> ch.type; |
1437 | if (ch.type != 2) |
1438 | return false; |
1439 | |
1440 | ds >> ch.targetName; |
1441 | ds >> ch.flags; |
1442 | if (ds.readRawData((char *)ch.challenge, len: 8) < 8) |
1443 | return false; |
1444 | ds >> ch.context[0] >> ch.context[1]; |
1445 | ds >> ch.targetInfo; |
1446 | |
1447 | if (ch.targetName.len > 0) { |
1448 | if (qsizetype(ch.targetName.len + ch.targetName.offset) > data.size()) |
1449 | return false; |
1450 | |
1451 | ch.targetNameStr = qStringFromUcs2Le(src: data.mid(index: ch.targetName.offset, len: ch.targetName.len)); |
1452 | } |
1453 | |
1454 | if (ch.targetInfo.len > 0) { |
1455 | if (ch.targetInfo.len + ch.targetInfo.offset > (unsigned)data.size()) |
1456 | return false; |
1457 | |
1458 | ch.targetInfoBuff = data.mid(index: ch.targetInfo.offset, len: ch.targetInfo.len); |
1459 | } |
1460 | |
1461 | return true; |
1462 | } |
1463 | |
1464 | |
1465 | static QByteArray qNtlmPhase3(QAuthenticatorPrivate *ctx, const QByteArray& phase2data) |
1466 | { |
1467 | QNtlmPhase2Block ch; |
1468 | if (!qNtlmDecodePhase2(data: phase2data, ch)) |
1469 | return QByteArray(); |
1470 | |
1471 | QByteArray rc; |
1472 | QDataStream ds(&rc, QIODevice::WriteOnly); |
1473 | ds.setByteOrder(QDataStream::LittleEndian); |
1474 | QNtlmPhase3Block pb; |
1475 | |
1476 | // set NTLMv2 |
1477 | if (ch.flags & NTLMSSP_NEGOTIATE_NTLM2) |
1478 | pb.flags |= NTLMSSP_NEGOTIATE_NTLM2; |
1479 | |
1480 | // set Always Sign |
1481 | if (ch.flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN) |
1482 | pb.flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; |
1483 | |
1484 | bool unicode = ch.flags & NTLMSSP_NEGOTIATE_UNICODE; |
1485 | |
1486 | if (unicode) |
1487 | pb.flags |= NTLMSSP_NEGOTIATE_UNICODE; |
1488 | else |
1489 | pb.flags |= NTLMSSP_NEGOTIATE_OEM; |
1490 | |
1491 | |
1492 | int offset = QNtlmPhase3Block::Size; |
1493 | |
1494 | // for kerberos style user@domain logins, NTLM domain string should be left empty |
1495 | if (ctx->userDomain.isEmpty() && !ctx->extractedUser.contains(c: u'@')) { |
1496 | offset = qEncodeNtlmString(buf&: pb.domain, offset, s: ch.targetNameStr, unicode); |
1497 | pb.domainStr = ch.targetNameStr; |
1498 | } else { |
1499 | offset = qEncodeNtlmString(buf&: pb.domain, offset, s: ctx->userDomain, unicode); |
1500 | pb.domainStr = ctx->userDomain; |
1501 | } |
1502 | |
1503 | offset = qEncodeNtlmString(buf&: pb.user, offset, s: ctx->extractedUser, unicode); |
1504 | pb.userStr = ctx->extractedUser; |
1505 | |
1506 | offset = qEncodeNtlmString(buf&: pb.workstation, offset, s: ctx->workstation, unicode); |
1507 | pb.workstationStr = ctx->workstation; |
1508 | |
1509 | // Get LM response |
1510 | if (ch.targetInfo.len > 0) { |
1511 | pb.lmResponseBuf = QByteArray(); |
1512 | } else { |
1513 | pb.lmResponseBuf = qEncodeLmv2Response(ctx, ch, phase3: &pb); |
1514 | } |
1515 | offset = qEncodeNtlmBuffer(buf&: pb.lmResponse, offset, s: pb.lmResponseBuf); |
1516 | |
1517 | // Get NTLM response |
1518 | pb.ntlmResponseBuf = qEncodeNtlmv2Response(ctx, ch, phase3: &pb); |
1519 | offset = qEncodeNtlmBuffer(buf&: pb.ntlmResponse, offset, s: pb.ntlmResponseBuf); |
1520 | |
1521 | |
1522 | // Encode and send |
1523 | ds << pb; |
1524 | |
1525 | return rc; |
1526 | } |
1527 | |
1528 | // ---------------------------- End of NTLM code --------------------------------------- |
1529 | |
1530 | #if QT_CONFIG(sspi) // SSPI |
1531 | // ---------------------------- SSPI code ---------------------------------------------- |
1532 | // See http://davenport.sourceforge.net/ntlm.html |
1533 | // and libcurl http_ntlm.c |
1534 | |
1535 | // Pointer to SSPI dispatch table |
1536 | static PSecurityFunctionTableW pSecurityFunctionTable = nullptr; |
1537 | |
1538 | static bool q_SSPI_library_load() |
1539 | { |
1540 | Q_CONSTINIT static QBasicMutex mutex; |
1541 | QMutexLocker l(&mutex); |
1542 | |
1543 | if (pSecurityFunctionTable == nullptr) |
1544 | pSecurityFunctionTable = InitSecurityInterfaceW(); |
1545 | |
1546 | if (pSecurityFunctionTable == nullptr) |
1547 | return false; |
1548 | |
1549 | return true; |
1550 | } |
1551 | |
1552 | static QByteArray qSspiStartup(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
1553 | QStringView host) |
1554 | { |
1555 | if (!q_SSPI_library_load()) |
1556 | return QByteArray(); |
1557 | |
1558 | TimeStamp expiry; // For Windows 9x compatibility of SSPI calls |
1559 | |
1560 | if (!ctx->sspiWindowsHandles) |
1561 | ctx->sspiWindowsHandles.reset(new QSSPIWindowsHandles); |
1562 | SecInvalidateHandle(&ctx->sspiWindowsHandles->credHandle); |
1563 | SecInvalidateHandle(&ctx->sspiWindowsHandles->ctxHandle); |
1564 | |
1565 | SEC_WINNT_AUTH_IDENTITY auth; |
1566 | auth.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; |
1567 | bool useAuth = false; |
1568 | if (method == QAuthenticatorPrivate::Negotiate && !ctx->user.isEmpty()) { |
1569 | auth.Domain = const_cast<ushort *>(reinterpret_cast<const ushort *>(ctx->userDomain.constData())); |
1570 | auth.DomainLength = ctx->userDomain.size(); |
1571 | auth.User = const_cast<ushort *>(reinterpret_cast<const ushort *>(ctx->user.constData())); |
1572 | auth.UserLength = ctx->user.size(); |
1573 | auth.Password = const_cast<ushort *>(reinterpret_cast<const ushort *>(ctx->password.constData())); |
1574 | auth.PasswordLength = ctx->password.size(); |
1575 | useAuth = true; |
1576 | } |
1577 | |
1578 | // Acquire our credentials handle |
1579 | SECURITY_STATUS secStatus = pSecurityFunctionTable->AcquireCredentialsHandle( |
1580 | nullptr, |
1581 | (SEC_WCHAR *)(method == QAuthenticatorPrivate::Negotiate ? L"Negotiate": L "NTLM"), |
1582 | SECPKG_CRED_OUTBOUND, nullptr, useAuth ? &auth : nullptr, nullptr, nullptr, |
1583 | &ctx->sspiWindowsHandles->credHandle, &expiry |
1584 | ); |
1585 | if (secStatus != SEC_E_OK) { |
1586 | ctx->sspiWindowsHandles.reset(nullptr); |
1587 | return QByteArray(); |
1588 | } |
1589 | |
1590 | return qSspiContinue(ctx, method, host); |
1591 | } |
1592 | |
1593 | static QByteArray qSspiContinue(QAuthenticatorPrivate *ctx, QAuthenticatorPrivate::Method method, |
1594 | QStringView host, QByteArrayView challenge) |
1595 | { |
1596 | QByteArray result; |
1597 | SecBuffer challengeBuf; |
1598 | SecBuffer responseBuf; |
1599 | SecBufferDesc challengeDesc; |
1600 | SecBufferDesc responseDesc; |
1601 | unsigned long attrs; |
1602 | TimeStamp expiry; // For Windows 9x compatibility of SSPI calls |
1603 | |
1604 | if (!challenge.isEmpty()) |
1605 | { |
1606 | // Setup the challenge "input" security buffer |
1607 | challengeDesc.ulVersion = SECBUFFER_VERSION; |
1608 | challengeDesc.cBuffers = 1; |
1609 | challengeDesc.pBuffers = &challengeBuf; |
1610 | challengeBuf.BufferType = SECBUFFER_TOKEN; |
1611 | challengeBuf.pvBuffer = (PVOID)(challenge.data()); |
1612 | challengeBuf.cbBuffer = challenge.length(); |
1613 | } |
1614 | |
1615 | // Setup the response "output" security buffer |
1616 | responseDesc.ulVersion = SECBUFFER_VERSION; |
1617 | responseDesc.cBuffers = 1; |
1618 | responseDesc.pBuffers = &responseBuf; |
1619 | responseBuf.BufferType = SECBUFFER_TOKEN; |
1620 | responseBuf.pvBuffer = nullptr; |
1621 | responseBuf.cbBuffer = 0; |
1622 | |
1623 | // Calculate target (SPN for Negotiate, empty for NTLM) |
1624 | QString targetName = ctx->options.value("spn"_L1).toString(); |
1625 | if (targetName.isEmpty()) |
1626 | targetName = "HTTP/"_L1+ host; |
1627 | const std::wstring targetNameW = (method == QAuthenticatorPrivate::Negotiate |
1628 | ? targetName : QString()).toStdWString(); |
1629 | |
1630 | // Generate our challenge-response message |
1631 | SECURITY_STATUS secStatus = pSecurityFunctionTable->InitializeSecurityContext( |
1632 | &ctx->sspiWindowsHandles->credHandle, |
1633 | !challenge.isEmpty() ? &ctx->sspiWindowsHandles->ctxHandle : nullptr, |
1634 | const_cast<wchar_t*>(targetNameW.data()), |
1635 | ISC_REQ_ALLOCATE_MEMORY, |
1636 | 0, SECURITY_NATIVE_DREP, |
1637 | !challenge.isEmpty() ? &challengeDesc : nullptr, |
1638 | 0, &ctx->sspiWindowsHandles->ctxHandle, |
1639 | &responseDesc, &attrs, |
1640 | &expiry |
1641 | ); |
1642 | |
1643 | if (secStatus == SEC_I_COMPLETE_NEEDED || secStatus == SEC_I_COMPLETE_AND_CONTINUE) { |
1644 | secStatus = pSecurityFunctionTable->CompleteAuthToken(&ctx->sspiWindowsHandles->ctxHandle, |
1645 | &responseDesc); |
1646 | } |
1647 | |
1648 | if (secStatus != SEC_I_COMPLETE_AND_CONTINUE && secStatus != SEC_I_CONTINUE_NEEDED) { |
1649 | pSecurityFunctionTable->FreeCredentialsHandle(&ctx->sspiWindowsHandles->credHandle); |
1650 | pSecurityFunctionTable->DeleteSecurityContext(&ctx->sspiWindowsHandles->ctxHandle); |
1651 | ctx->sspiWindowsHandles.reset(nullptr); |
1652 | } |
1653 | |
1654 | result = QByteArray((const char*)responseBuf.pvBuffer, responseBuf.cbBuffer); |
1655 | pSecurityFunctionTable->FreeContextBuffer(responseBuf.pvBuffer); |
1656 | |
1657 | return result; |
1658 | } |
1659 | |
1660 | // ---------------------------- End of SSPI code --------------------------------------- |
1661 | |
1662 | #elif QT_CONFIG(gssapi) // GSSAPI |
1663 | |
1664 | // ---------------------------- GSSAPI code ---------------------------------------------- |
1665 | // See postgres src/interfaces/libpq/fe-auth.c |
1666 | |
1667 | // Fetch all errors of a specific type |
1668 | static void q_GSSAPI_error_int(const char *message, OM_uint32 stat, int type) |
1669 | { |
1670 | OM_uint32 minStat, msgCtx = 0; |
1671 | gss_buffer_desc msg; |
1672 | |
1673 | do { |
1674 | gss_display_status(&minStat, stat, type, GSS_C_NO_OID, &msgCtx, &msg); |
1675 | qCDebug(lcAuthenticator) << message << ": "<< reinterpret_cast<const char*>(msg.value); |
1676 | gss_release_buffer(&minStat, &msg); |
1677 | } while (msgCtx); |
1678 | } |
1679 | |
1680 | // GSSAPI errors contain two parts; extract both |
1681 | static void q_GSSAPI_error(const char *message, OM_uint32 majStat, OM_uint32 minStat) |
1682 | { |
1683 | // Fetch major error codes |
1684 | q_GSSAPI_error_int(message, majStat, GSS_C_GSS_CODE); |
1685 | |
1686 | // Add the minor codes as well |
1687 | q_GSSAPI_error_int(message, minStat, GSS_C_MECH_CODE); |
1688 | } |
1689 | |
1690 | static gss_name_t qGSsapiGetServiceName(QStringView host) |
1691 | { |
1692 | QByteArray serviceName = "HTTPS@"+ host.toLocal8Bit(); |
1693 | gss_buffer_desc nameDesc = {static_cast<std::size_t>(serviceName.size()), serviceName.data()}; |
1694 | |
1695 | gss_name_t importedName; |
1696 | OM_uint32 minStat; |
1697 | OM_uint32 majStat = gss_import_name(&minStat, &nameDesc, |
1698 | GSS_C_NT_HOSTBASED_SERVICE, &importedName); |
1699 | |
1700 | if (majStat != GSS_S_COMPLETE) { |
1701 | q_GSSAPI_error("gss_import_name error", majStat, minStat); |
1702 | return nullptr; |
1703 | } |
1704 | return importedName; |
1705 | } |
1706 | |
1707 | // Send initial GSS authentication token |
1708 | static QByteArray qGssapiStartup(QAuthenticatorPrivate *ctx, QStringView host) |
1709 | { |
1710 | if (!ctx->gssApiHandles) |
1711 | ctx->gssApiHandles.reset(new QGssApiHandles); |
1712 | |
1713 | // Convert target name to internal form |
1714 | gss_name_t name = qGSsapiGetServiceName(host); |
1715 | if (name == nullptr) { |
1716 | ctx->gssApiHandles.reset(nullptr); |
1717 | return QByteArray(); |
1718 | } |
1719 | ctx->gssApiHandles->targetName = name; |
1720 | |
1721 | // Call qGssapiContinue with GSS_C_NO_CONTEXT to get initial packet |
1722 | ctx->gssApiHandles->gssCtx = GSS_C_NO_CONTEXT; |
1723 | return qGssapiContinue(ctx); |
1724 | } |
1725 | |
1726 | // Continue GSS authentication with next token as needed |
1727 | static QByteArray qGssapiContinue(QAuthenticatorPrivate *ctx, QByteArrayView challenge) |
1728 | { |
1729 | OM_uint32 majStat, minStat, ignored; |
1730 | QByteArray result; |
1731 | gss_buffer_desc inBuf = {0, nullptr}; // GSS input token |
1732 | gss_buffer_desc outBuf; // GSS output token |
1733 | |
1734 | if (!challenge.isEmpty()) { |
1735 | inBuf.value = const_cast<char*>(challenge.data()); |
1736 | inBuf.length = challenge.size(); |
1737 | } |
1738 | |
1739 | majStat = gss_init_sec_context(&minStat, |
1740 | GSS_C_NO_CREDENTIAL, |
1741 | &ctx->gssApiHandles->gssCtx, |
1742 | ctx->gssApiHandles->targetName, |
1743 | GSS_C_NO_OID, |
1744 | GSS_C_MUTUAL_FLAG, |
1745 | 0, |
1746 | GSS_C_NO_CHANNEL_BINDINGS, |
1747 | challenge.isEmpty() ? GSS_C_NO_BUFFER : &inBuf, |
1748 | nullptr, |
1749 | &outBuf, |
1750 | nullptr, |
1751 | nullptr); |
1752 | |
1753 | if (outBuf.length != 0) |
1754 | result = QByteArray(reinterpret_cast<const char*>(outBuf.value), outBuf.length); |
1755 | gss_release_buffer(&ignored, &outBuf); |
1756 | |
1757 | if (majStat != GSS_S_COMPLETE && majStat != GSS_S_CONTINUE_NEEDED) { |
1758 | q_GSSAPI_error("gss_init_sec_context error", majStat, minStat); |
1759 | gss_release_name(&ignored, &ctx->gssApiHandles->targetName); |
1760 | if (ctx->gssApiHandles->gssCtx) |
1761 | gss_delete_sec_context(&ignored, &ctx->gssApiHandles->gssCtx, GSS_C_NO_BUFFER); |
1762 | ctx->gssApiHandles.reset(nullptr); |
1763 | } |
1764 | |
1765 | if (majStat == GSS_S_COMPLETE) { |
1766 | gss_release_name(&ignored, &ctx->gssApiHandles->targetName); |
1767 | ctx->gssApiHandles.reset(nullptr); |
1768 | } |
1769 | |
1770 | return result; |
1771 | } |
1772 | |
1773 | static bool qGssapiTestGetCredentials(QStringView host) |
1774 | { |
1775 | gss_name_t serviceName = qGSsapiGetServiceName(host); |
1776 | if (!serviceName) |
1777 | return false; // Something was wrong with the service name, so skip this |
1778 | OM_uint32 minStat; |
1779 | gss_cred_id_t cred; |
1780 | OM_uint32 majStat = gss_acquire_cred(&minStat, serviceName, GSS_C_INDEFINITE, |
1781 | GSS_C_NO_OID_SET, GSS_C_INITIATE, &cred, nullptr, |
1782 | nullptr); |
1783 | |
1784 | OM_uint32 ignored; |
1785 | gss_release_name(&ignored, &serviceName); |
1786 | gss_release_cred(&ignored, &cred); |
1787 | |
1788 | if (majStat != GSS_S_COMPLETE) { |
1789 | q_GSSAPI_error("gss_acquire_cred", majStat, minStat); |
1790 | return false; |
1791 | } |
1792 | return true; |
1793 | } |
1794 | |
1795 | // ---------------------------- End of GSSAPI code ---------------------------------------------- |
1796 | |
1797 | #endif // gssapi |
1798 | |
1799 | QT_END_NAMESPACE |
1800 | |
1801 | #include "moc_qauthenticator.cpp" |
1802 |
Definitions
- lcAuthenticator
- QAuthenticator
- ~QAuthenticator
- QAuthenticator
- operator=
- operator==
- user
- setUser
- password
- setPassword
- detach
- realm
- setRealm
- option
- options
- setOption
- isNull
- QAuthenticatorPrivate
- ~QAuthenticatorPrivate
- updateCredentials
- isMethodSupported
- verifyDigestMD5
- parseHttpResponse
- calculateResponse
- containsAuth
- parseDigestAuthenticationChallenge
- digestMd5ResponseHelper
- digestMd5Response
- blockSize
- respversion
- hirespversion
- QNtlmBuffer
- QNtlmBuffer
- qStreamNtlmBuffer
- qStreamNtlmString
- qEncodeNtlmBuffer
- qEncodeNtlmString
- operator<<
- operator>>
- QNtlmPhase1Block
- QNtlmPhase2Block
- QNtlmPhase3Block
- operator<<
- operator<<
- qNtlmPhase1
- qStringAsUcs2Le
- qStringFromUcs2Le
- qEncodeHmacMd5
- qCreatev2Hash
- clientChallenge
- qExtractServerTime
- qEncodeNtlmv2Response
- qEncodeLmv2Response
- qNtlmDecodePhase2
Start learning QML with our Intro Training
Find out more