Add ability to pass keyfile via cred store

This works both for ISC and ASC, so a user can pass their own keyfile
with a single entry or a server can be passed a keyfile with all users'
entries.

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

src/gss_creds.c

@@ -35,12 +35,23 @@ static int hex_to_key(const char *hex, struct ntlm_key *key)
     return 0;
 }
 
-static int get_user_file_creds(struct gssntlm_name *name,
+static char *get_user_file_envvar(void)
+{
+    const char *envvar;
+
+    /* use the same var used by Heimdal */
+    envvar = getenv("NTLM_USER_FILE");
+    if (envvar == NULL) return NULL;
+
+    return strdup(envvar);
+}
+
+static int get_user_file_creds(const char *filename,
+                               struct gssntlm_name *name,
                                struct gssntlm_cred *cred)
 {
     struct gssntlm_ctx *ctx;
     int lm_compat_lvl = -1;
-    const char *envvar;
     char line[1024];
     char *field1, *field2, *field3, *field4;
     char *dom, *usr, *pwd, *lm, *nt;
@@ -55,10 +66,6 @@ static int get_user_file_creds(struct gssntlm_name *name,
     lm_compat_lvl = gssntlm_get_lm_compatibility_level();
     if (!gssntlm_required_security(lm_compat_lvl, ctx)) return ERR_BADLMLVL;
 
-    /* use the same var used by Heimdal */
-    envvar = getenv("NTLM_USER_FILE");
-    if (envvar == NULL) return ENOENT;
-
     /* Use the same file format used by Heimdal in hope to achieve
      * some compatibility between implementations:
      * Each line is one entry like the following:
@@ -80,7 +87,7 @@ static int get_user_file_creds(struct gssntlm_name *name,
      * recommended.
      */
 
-    f = fopen(envvar, "r");
+    f = fopen(filename, "r");
     if (!f) return errno;
 
     while(fgets(line, 1024, f)) {
@@ -228,31 +235,33 @@ static int get_creds_from_store(struct gssntlm_name *name,
     uint32_t i;
     int ret;
 
-    cred->type = GSSNTLM_CRED_NONE;
-
-    if (name) {
-        switch (name->type) {
-        case GSSNTLM_NAME_NULL:
-            cred->type = GSSNTLM_CRED_NONE;
-            break;
-        case GSSNTLM_NAME_ANON:
-            cred->type = GSSNTLM_CRED_ANON;
-            break;
-        case GSSNTLM_NAME_USER:
-            cred->type = GSSNTLM_CRED_USER;
-            ret = gssntlm_copy_name(name, &cred->cred.user.user);
-            break;
-        case GSSNTLM_NAME_SERVER:
-            cred->type = GSSNTLM_CRED_SERVER;
-            ret = gssntlm_copy_name(name, &cred->cred.server.name);
-            break;
-        default:
-            return EINVAL;
+    /* special case to let server creds carry a keyfile */
+    if (name->type == GSSNTLM_NAME_SERVER) {
+        const char *keyfile = NULL;
+        cred->type = GSSNTLM_CRED_SERVER;
+        ret = gssntlm_copy_name(name, &cred->cred.server.name);
+        if (ret) return ret;
+        for (i = 0; i < cred_store->count; i++) {
+            if (strcmp(cred_store->elements[i].key,
+                        GSS_NTLMSSP_CS_KEYFILE) == 0) {
+                keyfile = cred_store->elements[i].value;
+            }
         }
+        if (keyfile) {
+            cred->cred.server.keyfile = strdup(keyfile);
+            if (cred->cred.server.keyfile == NULL) {
+                return errno;
+            }
+        }
+        return 0;
     }
 
     /* so far only user options can be defined in the cred_store */
-    if (cred->type != GSSNTLM_CRED_USER) return ENOENT;
+    if (name->type != GSSNTLM_NAME_USER) return ENOENT;
+
+    cred->type = GSSNTLM_CRED_USER;
+    ret = gssntlm_copy_name(name, &cred->cred.user.user);
+    if (ret) return ret;
 
     for (i = 0; i < cred_store->count; i++) {
         if (strcmp(cred_store->elements[i].key, GSS_NTLMSSP_CS_DOMAIN) == 0) {
@@ -285,12 +294,13 @@ static int get_creds_from_store(struct gssntlm_name *name,
 
             if (ret) return ret;
         }
+        if (strcmp(cred_store->elements[i].key, GSS_NTLMSSP_CS_KEYFILE) == 0) {
+            ret = get_user_file_creds(cred_store->elements[i].value,
+                                      name, cred);
+            if (ret) return ret;
+        }
     }
 
-    /* TODO: should we call get_user_file_creds/get_server_creds if values are
-     * not found ?
-     */
-
     return 0;
 }
 
@@ -363,6 +373,7 @@ void gssntlm_int_release_cred(struct gssntlm_cred *cred)
         break;
     case GSSNTLM_CRED_SERVER:
         gssntlm_int_release_name(&cred->cred.server.name);
+        safefree(cred->cred.server.keyfile);
         break;
     case GSSNTLM_CRED_EXTERNAL:
         gssntlm_int_release_name(&cred->cred.external.user);
@@ -423,10 +434,19 @@ uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status,
         if (cred_store != GSS_C_NO_CRED_STORE) {
             retmin = get_creds_from_store(name, cred, cred_store);
         } else {
-            retmin = get_user_file_creds(name, cred);
+            char *filename;
+
+            filename = get_user_file_envvar();
+            if (!filename) {
+                set_GSSERRS(ENOENT, GSS_S_CRED_UNAVAIL);
+                goto done;
+            }
+            retmin = get_user_file_creds(filename, name, cred);
             if (retmin) {
                 retmin = external_get_creds(name, cred);
             }
+
+            free(filename);
         }
         if (retmin) {
             set_GSSERR(retmin);
@@ -438,10 +458,14 @@ uint32_t gssntlm_acquire_cred_from(uint32_t *minor_status,
             goto done;
         }
 
-        retmin = get_server_creds(name, cred);
-        if (retmin) {
-            set_GSSERR(retmin);
-            goto done;
+        if (cred_store != GSS_C_NO_CRED_STORE) {
+            retmin = get_creds_from_store(name, cred, cred_store);
+        } else {
+            retmin = get_server_creds(name, cred);
+            if (retmin) {
+                set_GSSERR(retmin);
+                goto done;
+            }
         }
     } else if (cred_usage == GSS_C_BOTH) {
         set_GSSERRS(ERR_NOTSUPPORTED, GSS_S_CRED_UNAVAIL);

src/gss_ntlmssp.h

@@ -79,6 +79,7 @@ struct gssntlm_cred {
         } user;
         struct {
             struct gssntlm_name name;
+            char *keyfile;
         } server;
         struct {
             struct gssntlm_name user;

src/gss_sec_ctx.c

@@ -525,7 +525,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
                                     gss_cred_id_t *delegated_cred_handle)
 {
     struct gssntlm_ctx *ctx;
-    struct gssntlm_cred *cred;
+    struct gssntlm_cred *cred = NULL;
     int lm_compat_lvl = -1;
     struct ntlm_buffer challenge = { 0 };
     struct gssntlm_name *server_name = NULL;
@@ -844,6 +844,9 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
             char useratdom[1024];
             size_t ulen, dlen, uadlen;
             gss_buffer_desc usrname;
+            gss_const_key_value_set_t cred_store = GSS_C_NO_CRED_STORE;
+            gss_key_value_set_desc cs;
+            gss_key_value_element_desc cs_el;
 
             if (!dom_name) {
                 dom_name = strdup("");
@@ -876,13 +879,22 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
                                          (gss_name_t *)&gss_usrname);
             if (retmaj) goto done;
 
-            retmaj = gssntlm_acquire_cred(&retmin,
-                                          (gss_name_t)gss_usrname,
-                                          GSS_C_INDEFINITE,
-                                          GSS_C_NO_OID_SET,
-                                          GSS_C_INITIATE,
-                                          (gss_cred_id_t *)&usr_cred,
-                                          NULL, NULL);
+            if (cred && cred->cred.server.keyfile) {
+                cs_el.key = GSS_NTLMSSP_CS_KEYFILE;
+                cs_el.value = cred->cred.server.keyfile;
+                cs.count = 1;
+                cs.elements = &cs_el;
+                cred_store = &cs;
+            }
+
+            retmaj = gssntlm_acquire_cred_from(&retmin,
+                                               (gss_name_t)gss_usrname,
+                                                GSS_C_INDEFINITE,
+                                                GSS_C_NO_OID_SET,
+                                                GSS_C_INITIATE,
+                                                cred_store,
+                                                (gss_cred_id_t *)&usr_cred,
+                                                NULL, NULL);
             if (retmaj) goto done;
             /* We can't handle winbind credentials yet */
             if (usr_cred->type != GSSNTLM_CRED_USER &&

src/gss_serialize.c

@@ -776,6 +776,7 @@ struct export_cred {
     struct export_name name;    /* user or server name */
     struct relmem nt_hash;      /* empty for dummy or server */
     struct relmem lm_hash;      /* empty for dummy or server */
+    struct relmem keyfile;
     uint8_t ext_cached;
 
     uint8_t data[];
@@ -863,6 +864,20 @@ uint32_t gssntlm_export_cred(uint32_t *minor_status,
             set_GSSERR(ret);
             goto done;
         }
+
+        if (cred->cred.server.keyfile) {
+            ret = export_data_buffer(&state,
+                                     cred->cred.server.keyfile,
+                                     strlen(cred->cred.server.keyfile),
+                                     &ecred->keyfile);
+            if (ret) {
+                set_GSSERR(ret);
+                goto done;
+            }
+        } else {
+            ecred->keyfile.ptr = 0;
+            ecred->keyfile.len = 0;
+        }
         break;
     case GSSNTLM_CRED_EXTERNAL:
         ecred->type = EXP_CRED_EXTERNAL;
@@ -965,6 +980,12 @@ uint32_t gssntlm_import_cred(uint32_t *minor_status,
         retmaj = import_name(&retmin, &state, &ecred->name,
                           &cred->cred.server.name);
         if (retmaj != GSS_S_COMPLETE) goto done;
+        if (ecred->keyfile.len > 0) {
+            retmaj = import_data_buffer(&retmin, &state,
+                                        (uint8_t **)&cred->cred.server.keyfile,
+                                        NULL, true, &ecred->keyfile, true);
+            if (retmaj != GSS_S_COMPLETE) goto done;
+        }
         break;
     case EXP_CRED_EXTERNAL:
         cred->type = GSSNTLM_CRED_EXTERNAL;

src/gssapi_ntlmssp.h

@@ -56,6 +56,7 @@ extern "C" {
 #define GSS_NTLMSSP_CS_DOMAIN "ntlmssp_domain"
 #define GSS_NTLMSSP_CS_NTHASH "ntlmssp_nthash"
 #define GSS_NTLMSSP_CS_PASSWORD "ntlmssp_password"
+#define GSS_NTLMSSP_CS_KEYFILE "ntlmssp_keyfile"
 
 #ifdef __cplusplus
 }

tests/ntlmssptest.c

@@ -1448,7 +1448,7 @@ static void print_gss_error(const char *text, uint32_t maj, uint32_t min)
     fflush(stderr);
 }
 
-int test_gssapi_1(bool user_env_file, bool use_cb, bool no_seal)
+int test_gssapi_1(bool user_env_file, bool use_cb, bool no_seal, bool use_cs)
 {
     gss_ctx_id_t cli_ctx = GSS_C_NO_CONTEXT;
     gss_ctx_id_t srv_ctx = GSS_C_NO_CONTEXT;
@@ -1475,14 +1475,27 @@ int test_gssapi_1(bool user_env_file, bool use_cb, bool no_seal)
     gss_OID_desc sasl_ssf_oid = {
         11, discard_const("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f")
     };
+    gss_key_value_element_desc cs_el;
+    gss_key_value_set_desc cs;
+    gss_const_key_value_set_t cred_store = GSS_C_NO_CRED_STORE;
     uint32_t ssf, expect_ssf;
     uint32_t req_flags;
     int conf_state;
     int ret;
 
-    setenv("NTLM_USER_FILE", TEST_USER_FILE, 0);
+    if (use_cs) {
+        /* always use the default test file and name in this mode for now */
+        cs_el.key = GSS_NTLMSSP_CS_KEYFILE;
+        cs_el.value = TEST_USER_FILE;
+        cs.count = 1;
+        cs.elements = &cs_el;
+        cred_store = &cs;
+        username = NULL;
+    } else {
+        setenv("NTLM_USER_FILE", TEST_USER_FILE, 0);
+        username = getenv("TEST_USER_NAME");
+    }
 
-    username = getenv("TEST_USER_NAME");
     if (username == NULL) {
         username = "TESTDOM\\testuser";
     }
@@ -1497,10 +1510,11 @@ int test_gssapi_1(bool user_env_file, bool use_cb, bool no_seal)
         return EINVAL;
     }
 
-    if (user_env_file) {
-        retmaj = gssntlm_acquire_cred(&retmin, (gss_name_t)gss_username,
-                                      GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
-                                      GSS_C_INITIATE, &cli_cred, NULL, NULL);
+    if (user_env_file || use_cs) {
+        retmaj = gssntlm_acquire_cred_from(&retmin, (gss_name_t)gss_username,
+                                           GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+                                           GSS_C_INITIATE, cred_store,
+                                           &cli_cred, NULL, NULL);
         if (retmaj != GSS_S_COMPLETE) {
             print_gss_error("gssntlm_acquire_cred(username) failed!",
                             retmaj, retmin);
@@ -1544,9 +1558,10 @@ int test_gssapi_1(bool user_env_file, bool use_cb, bool no_seal)
         return EINVAL;
     }
 
-    retmaj = gssntlm_acquire_cred(&retmin, (gss_name_t)gss_srvname,
-                                  GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
-                                  GSS_C_ACCEPT, &srv_cred, NULL, NULL);
+    retmaj = gssntlm_acquire_cred_from(&retmin, (gss_name_t)gss_srvname,
+                                       GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+                                       GSS_C_ACCEPT, cred_store,
+                                       &srv_cred, NULL, NULL);
     if (retmaj != GSS_S_COMPLETE) {
         print_gss_error("gssntlm_acquire_cred(srvname) failed!",
                         retmaj, retmin);
@@ -2445,17 +2460,22 @@ int main(int argc, const char *argv[])
     setenv("LM_COMPAT_LEVEL", "0", 1);
 
     fprintf(stderr, "Test GSSAPI conversation (user env file)\n");
-    ret = test_gssapi_1(true, false, false);
+    ret = test_gssapi_1(true, false, false, false);
+    fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
+    if (ret) gret++;
+
+    fprintf(stderr, "Test GSSAPI conversation (cred store)\n");
+    ret = test_gssapi_1(true, false, false, true);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
     fprintf(stderr, "Test GSSAPI conversation (no SEAL)\n");
-    ret = test_gssapi_1(true, false, true);
+    ret = test_gssapi_1(true, false, true, false);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
     fprintf(stderr, "Test GSSAPI conversation (with password)\n");
-    ret = test_gssapi_1(false, false, false);
+    ret = test_gssapi_1(false, false, false, false);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
@@ -2468,22 +2488,22 @@ int main(int argc, const char *argv[])
     setenv("LM_COMPAT_LEVEL", "5", 1);
 
     fprintf(stderr, "Test GSSAPI conversation (user env file)\n");
-    ret = test_gssapi_1(true, false, false);
+    ret = test_gssapi_1(true, false, false, false);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
     fprintf(stderr, "Test GSSAPI conversation (no SEAL)\n");
-    ret = test_gssapi_1(true, false, true);
+    ret = test_gssapi_1(true, false, true, false);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
     fprintf(stderr, "Test GSSAPI conversation (with password)\n");
-    ret = test_gssapi_1(false, false, false);
+    ret = test_gssapi_1(false, false, false, false);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
     fprintf(stderr, "Test GSSAPI conversation (with CB)\n");
-    ret = test_gssapi_1(false, true, false);
+    ret = test_gssapi_1(false, true, false, false);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;