Kaynağa Gözat

[http] Add support for NTLM authentication

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 7 yıl önce
ebeveyn
işleme
b5e0b50723

+ 3
- 0
src/config/config_http.c Dosyayı Görüntüle

@@ -40,6 +40,9 @@ REQUIRE_OBJECT ( httpbasic );
40 40
 #ifdef HTTP_AUTH_DIGEST
41 41
 REQUIRE_OBJECT ( httpdigest );
42 42
 #endif
43
+#ifdef HTTP_AUTH_NTLM
44
+REQUIRE_OBJECT ( httpntlm );
45
+#endif
43 46
 #ifdef HTTP_ENC_PEERDIST
44 47
 REQUIRE_OBJECT ( peerdist );
45 48
 #endif

+ 1
- 0
src/config/general.h Dosyayı Görüntüle

@@ -77,6 +77,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
77 77
  */
78 78
 #define HTTP_AUTH_BASIC		/* Basic authentication */
79 79
 #define HTTP_AUTH_DIGEST	/* Digest authentication */
80
+//#define HTTP_AUTH_NTLM	/* NTLM authentication */
80 81
 //#define HTTP_ENC_PEERDIST	/* PeerDist content encoding */
81 82
 //#define HTTP_HACK_GCE		/* Google Compute Engine hacks */
82 83
 

+ 1
- 0
src/include/ipxe/errfile.h Dosyayı Görüntüle

@@ -277,6 +277,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
277 277
 #define ERRFILE_peermux			( ERRFILE_NET | 0x00470000 )
278 278
 #define ERRFILE_xsigo			( ERRFILE_NET | 0x00480000 )
279 279
 #define ERRFILE_ntp			( ERRFILE_NET | 0x00490000 )
280
+#define ERRFILE_httpntlm		( ERRFILE_NET | 0x004a0000 )
280 281
 
281 282
 #define ERRFILE_image		      ( ERRFILE_IMAGE | 0x00000000 )
282 283
 #define ERRFILE_elf		      ( ERRFILE_IMAGE | 0x00010000 )

+ 25
- 0
src/include/ipxe/http.h Dosyayı Görüntüle

@@ -18,6 +18,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
18 18
 #include <ipxe/linebuf.h>
19 19
 #include <ipxe/pool.h>
20 20
 #include <ipxe/tables.h>
21
+#include <ipxe/ntlm.h>
21 22
 
22 23
 struct http_transaction;
23 24
 
@@ -172,6 +173,18 @@ struct http_request_auth_digest {
172 173
 	char response[ HTTP_DIGEST_RESPONSE_LEN + 1 /* NUL */ ];
173 174
 };
174 175
 
176
+/** HTTP request NTLM authentication descriptor */
177
+struct http_request_auth_ntlm {
178
+	/** Username */
179
+	const char *username;
180
+	/** LAN Manager response */
181
+	struct ntlm_lm_response lm;
182
+	/** NT response */
183
+	struct ntlm_nt_response nt;
184
+	/** Authenticate message length */
185
+	size_t len;
186
+};
187
+
175 188
 /** HTTP request authentication descriptor */
176 189
 struct http_request_auth {
177 190
 	/** Authentication scheme (if any) */
@@ -182,6 +195,8 @@ struct http_request_auth {
182 195
 		struct http_request_auth_basic basic;
183 196
 		/** Digest authentication descriptor */
184 197
 		struct http_request_auth_digest digest;
198
+		/** NTLM authentication descriptor */
199
+		struct http_request_auth_ntlm ntlm;
185 200
 	};
186 201
 };
187 202
 
@@ -270,6 +285,14 @@ struct http_response_auth_digest {
270 285
 	const char *opaque;
271 286
 };
272 287
 
288
+/** HTTP response NTLM authorization descriptor */
289
+struct http_response_auth_ntlm {
290
+	/** Challenge message */
291
+	struct ntlm_challenge *challenge;
292
+	/** Challenge information */
293
+	struct ntlm_challenge_info info;
294
+};
295
+
273 296
 /** HTTP response authorization descriptor */
274 297
 struct http_response_auth {
275 298
 	/** Authentication scheme (if any) */
@@ -280,6 +303,8 @@ struct http_response_auth {
280 303
 		struct http_response_auth_basic basic;
281 304
 		/** Digest authorization descriptor */
282 305
 		struct http_response_auth_digest digest;
306
+		/** NTLM authorization descriptor */
307
+		struct http_response_auth_ntlm ntlm;
283 308
 	};
284 309
 };
285 310
 

+ 201
- 0
src/net/tcp/httpntlm.c Dosyayı Görüntüle

@@ -0,0 +1,201 @@
1
+/*
2
+ * Copyright (C) 2017 Michael Brown <mbrown@fensystems.co.uk>.
3
+ *
4
+ * This program is free software; you can redistribute it and/or
5
+ * modify it under the terms of the GNU General Public License as
6
+ * published by the Free Software Foundation; either version 2 of the
7
+ * License, or any later version.
8
+ *
9
+ * This program is distributed in the hope that it will be useful, but
10
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
11
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
12
+ * General Public License for more details.
13
+ *
14
+ * You should have received a copy of the GNU General Public License
15
+ * along with this program; if not, write to the Free Software
16
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17
+ * 02110-1301, USA.
18
+ *
19
+ * You can also choose to distribute this program under the terms of
20
+ * the Unmodified Binary Distribution Licence (as given in the file
21
+ * COPYING.UBDL), provided that you have satisfied its requirements.
22
+ */
23
+
24
+FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
+
26
+/**
27
+ * @file
28
+ *
29
+ * Hyper Text Transfer Protocol (HTTP) NTLM authentication
30
+ *
31
+ */
32
+
33
+#include <string.h>
34
+#include <errno.h>
35
+#include <ipxe/uri.h>
36
+#include <ipxe/base64.h>
37
+#include <ipxe/ntlm.h>
38
+#include <ipxe/http.h>
39
+
40
+struct http_authentication http_ntlm_auth __http_authentication;
41
+
42
+/** Workstation name used for NTLM authentication */
43
+static const char http_ntlm_workstation[] = "iPXE";
44
+
45
+/**
46
+ * Parse HTTP "WWW-Authenticate" header for NTLM authentication
47
+ *
48
+ * @v http		HTTP transaction
49
+ * @v line		Remaining header line
50
+ * @ret rc		Return status code
51
+ */
52
+static int http_parse_ntlm_auth ( struct http_transaction *http, char *line ) {
53
+	struct http_response_auth_ntlm *rsp = &http->response.auth.ntlm;
54
+	char *copy;
55
+	int len;
56
+	int rc;
57
+
58
+	/* Create temporary copy of Base64-encoded challenge message */
59
+	copy = strdup ( line );
60
+	if ( ! copy ) {
61
+		rc = -ENOMEM;
62
+		goto err_alloc;
63
+	}
64
+
65
+	/* Decode challenge message, overwriting the original */
66
+	len = base64_decode ( copy, line, strlen ( line ) );
67
+	if ( len < 0 ) {
68
+		rc = len;
69
+		DBGC ( http, "HTTP %p could not decode NTLM challenge "
70
+		       "\"%s\": %s\n", http, copy, strerror ( rc ) );
71
+		goto err_decode;
72
+	}
73
+
74
+	/* Parse challenge, if present */
75
+	if ( len ) {
76
+		rsp->challenge = ( ( void * ) line );
77
+		if ( ( rc = ntlm_challenge ( rsp->challenge, len,
78
+					     &rsp->info ) ) != 0 ) {
79
+			DBGC ( http, "HTTP %p could not parse NTLM challenge: "
80
+			       "%s\n", http, strerror ( rc ) );
81
+			goto err_challenge;
82
+		}
83
+	}
84
+
85
+	/* Allow HTTP request to be retried if the request had not
86
+	 * already tried authentication.  Note that NTLM requires an
87
+	 * additional round trip to obtain the challenge message,
88
+	 * which is not present in the initial WWW-Authenticate.
89
+	 */
90
+	if ( ( http->request.auth.auth == NULL ) ||
91
+	     ( ( http->request.auth.auth == &http_ntlm_auth ) &&
92
+	       ( http->request.auth.ntlm.len == 0 ) && len ) ) {
93
+		http->response.flags |= HTTP_RESPONSE_RETRY;
94
+	}
95
+
96
+	/* Success */
97
+	rc = 0;
98
+
99
+ err_challenge:
100
+ err_decode:
101
+	free ( copy );
102
+ err_alloc:
103
+	return rc;
104
+}
105
+
106
+/**
107
+ * Perform HTTP NTLM authentication
108
+ *
109
+ * @v http		HTTP transaction
110
+ * @ret rc		Return status code
111
+ */
112
+static int http_ntlm_authenticate ( struct http_transaction *http ) {
113
+	struct http_request_auth_ntlm *req = &http->request.auth.ntlm;
114
+	struct http_response_auth_ntlm *rsp = &http->response.auth.ntlm;
115
+	struct ntlm_key key;
116
+	const char *password;
117
+
118
+	/* If we have no challenge yet, then just send a Negotiate message */
119
+	if ( ! rsp->challenge ) {
120
+		DBGC ( http, "HTTP %p sending NTLM Negotiate\n", http );
121
+		return 0;
122
+	}
123
+
124
+	/* Record username */
125
+	if ( ! http->uri->user ) {
126
+		DBGC ( http, "HTTP %p has no username for NTLM "
127
+		       "authentication\n", http );
128
+		return -EACCES;
129
+	}
130
+	req->username = http->uri->user;
131
+	password = ( http->uri->password ? http->uri->password : "" );
132
+
133
+	/* Generate key */
134
+	ntlm_key ( NULL, req->username, password, &key );
135
+
136
+	/* Generate responses */
137
+	ntlm_response ( &rsp->info, &key, NULL, &req->lm, &req->nt );
138
+
139
+	/* Calculate Authenticate message length */
140
+	req->len = ntlm_authenticate_len ( &rsp->info, NULL, req->username,
141
+					   http_ntlm_workstation );
142
+
143
+	return 0;
144
+}
145
+
146
+/**
147
+ * Construct HTTP "Authorization" header for NTLM authentication
148
+ *
149
+ * @v http		HTTP transaction
150
+ * @v buf		Buffer
151
+ * @v len		Length of buffer
152
+ * @ret len		Length of header value, or negative error
153
+ */
154
+static int http_format_ntlm_auth ( struct http_transaction *http,
155
+				   char *buf, size_t len ) {
156
+	struct http_request_auth_ntlm *req = &http->request.auth.ntlm;
157
+	struct http_response_auth_ntlm *rsp = &http->response.auth.ntlm;
158
+	struct ntlm_authenticate *auth;
159
+	size_t check;
160
+
161
+	/* If we have no challenge yet, then just send a Negotiate message */
162
+	if ( ! rsp->challenge ) {
163
+		return base64_encode ( &ntlm_negotiate,
164
+				       sizeof ( ntlm_negotiate ), buf, len );
165
+	}
166
+
167
+	/* Skip allocation if just calculating length */
168
+	if ( ! len )
169
+		return base64_encoded_len ( req->len );
170
+
171
+	/* Allocate temporary buffer for Authenticate message */
172
+	auth = malloc ( req->len );
173
+	if ( ! auth )
174
+		return -ENOMEM;
175
+
176
+	/* Construct raw Authenticate message */
177
+	check = ntlm_authenticate ( &rsp->info, NULL, req->username,
178
+				    http_ntlm_workstation, &req->lm,
179
+				    &req->nt, auth );
180
+	assert ( check == req->len );
181
+
182
+	/* Base64-encode Authenticate message */
183
+	len = base64_encode ( auth, req->len, buf, len );
184
+
185
+	/* Free raw Authenticate message */
186
+	free ( auth );
187
+
188
+	return len;
189
+}
190
+
191
+/** HTTP NTLM authentication scheme */
192
+struct http_authentication http_ntlm_auth __http_authentication = {
193
+	.name = "NTLM",
194
+	.parse = http_parse_ntlm_auth,
195
+	.authenticate = http_ntlm_authenticate,
196
+	.format = http_format_ntlm_auth,
197
+};
198
+
199
+/* Drag in HTTP authentication support */
200
+REQUIRING_SYMBOL ( http_ntlm_auth );
201
+REQUIRE_OBJECT ( httpauth );

Loading…
İptal
Kaydet