Add server side anonymous authentication

simo5 · simo5 · commit e1a5f278dc45 · 2020-06-19T14:08:19.000-04:00
Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/gss_names.c b/src/gss_names.c
@@ -157,6 +157,8 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status,
     /* TODO: check mech_type == gssntlm_oid */
     if (mech_type == GSS_C_NO_OID) {
         return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ);
+    } else if (!gss_oid_equal(mech_type, &gssntlm_oid)) {
+        return GSSERRS(ERR_BADARG, GSS_S_BAD_MECH);
     }
 
     name = calloc(1, sizeof(struct gssntlm_name));
diff --git a/src/gss_ntlmssp.c b/src/gss_ntlmssp.c
@@ -193,3 +193,16 @@ int gssntlm_get_lm_compatibility_level(void)
     /* use 3 by default for better compatibility */
     return 3;
 }
+
+bool gssntlm_is_anonymous_allowed(void)
+{
+    const char *envvar;
+
+    envvar = getenv("NTLM_ALLOW_ANONYMOUS");
+    if (envvar != NULL) {
+        return (atoi(envvar) > 0);
+    }
+
+    /* Not allowed by default */
+    return false;
+}
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
@@ -178,6 +178,7 @@ uint32_t gssntlm_context_is_valid(struct gssntlm_ctx *ctx,
                                   time_t *time_now);
 
 int gssntlm_get_lm_compatibility_level(void);
+bool gssntlm_is_anonymous_allowed(void);
 
 void gssntlm_int_release_name(struct gssntlm_name *name);
 void gssntlm_int_release_cred(struct gssntlm_cred *cred);
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
@@ -651,7 +651,6 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
         }
 
         ctx->neg_flags = NTLMSSP_DEFAULT_SERVER_FLAGS;
-        /* Fixme: How do we allow anonymous negotition ? */
 
         if (gssntlm_sec_lm_ok(ctx)) {
             ctx->neg_flags |= NTLMSSP_REQUEST_NON_NT_SESSION_KEY;
@@ -847,9 +846,17 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
             (((lm_chal_resp.length == 1) && (lm_chal_resp.data[0] == '\0')) ||
              (lm_chal_resp.length == 0))) {
             /* Anonymous auth */
-            /* FIXME: not supported for now */
-            set_GSSERR(ERR_NOTSUPPORTED);
-            goto done;
+            if (!gssntlm_is_anonymous_allowed()) {
+                set_GSSERRS(ERR_NOUSRCRED, GSS_S_DEFECTIVE_CREDENTIAL);
+                goto done;
+            }
+
+            retmaj = gssntlm_import_name(&retmin, NULL, GSS_C_NT_ANONYMOUS,
+                                         (gss_name_t *)&ctx->source_name);
+            if (retmaj) goto done;
+
+            /* nullSession */
+            memset(key_exchange_key.data, 0, 16);
 
         } else {
 

Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,8 @@ uint32_t gssntlm_import_name_by_mech(uint32_t *minor_status,`
`157`	`157`	`/* TODO: check mech_type == gssntlm_oid */`
`158`	`158`	`if (mech_type == GSS_C_NO_OID) {`
`159`	`159`	`return GSSERRS(ERR_NOARG, GSS_S_CALL_INACCESSIBLE_READ);`
	`160`	`+ } else if (!gss_oid_equal(mech_type, &gssntlm_oid)) {`
	`161`	`+ return GSSERRS(ERR_BADARG, GSS_S_BAD_MECH);`
`160`	`162`	`}`
`161`	`163`
`162`	`164`	`name = calloc(1, sizeof(struct gssntlm_name));`