iPXE
Functions | Variables
httpntlm.c File Reference

Hyper Text Transfer Protocol (HTTP) NTLM authentication. More...

#include <string.h>
#include <errno.h>
#include <ipxe/uri.h>
#include <ipxe/base64.h>
#include <ipxe/ntlm.h>
#include <ipxe/netbios.h>
#include <ipxe/http.h>

Go to the source code of this file.

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 FILE_SECBOOT (PERMITTED)
static int http_parse_ntlm_auth (struct http_transaction *http, char *line)
 Parse HTTP "WWW-Authenticate" header for NTLM authentication.
static int http_ntlm_authenticate (struct http_transaction *http)
 Perform HTTP NTLM authentication.
static int http_format_ntlm_auth (struct http_transaction *http, char *buf, size_t len)
 Construct HTTP "Authorization" header for NTLM authentication.
 REQUIRING_SYMBOL (http_ntlm_auth)
 REQUIRE_OBJECT (httpauth)

Variables

struct http_authentication http_ntlm_auth __http_authentication
 HTTP NTLM authentication scheme.
static const char http_ntlm_workstation [] = "iPXE"
 Workstation name used for NTLM authentication.

Detailed Description

Hyper Text Transfer Protocol (HTTP) NTLM authentication.

Definition in file httpntlm.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL )

◆ FILE_SECBOOT()

FILE_SECBOOT ( PERMITTED )

◆ http_parse_ntlm_auth()

int http_parse_ntlm_auth ( struct http_transaction * http,
char * line )
static

Parse HTTP "WWW-Authenticate" header for NTLM authentication.

Parameters
httpHTTP transaction
lineRemaining header line
Return values
rcReturn status code

Definition at line 54 of file httpntlm.c.

54 {
55 struct http_response_auth_ntlm *rsp = &http->response.auth.ntlm;
56 char *copy;
57 int len;
58 int rc;
59
60 /* Create temporary copy of Base64-encoded challenge message */
61 copy = strdup ( line );
62 if ( ! copy ) {
63 rc = -ENOMEM;
64 goto err_alloc;
65 }
66
67 /* Decode challenge message, overwriting the original */
68 len = base64_decode ( copy, line, strlen ( line ) );
69 if ( len < 0 ) {
70 rc = len;
71 DBGC ( http, "HTTP %p could not decode NTLM challenge "
72 "\"%s\": %s\n", http, copy, strerror ( rc ) );
73 goto err_decode;
74 }
75
76 /* Parse challenge, if present */
77 if ( len ) {
78 rsp->challenge = ( ( void * ) line );
79 if ( ( rc = ntlm_challenge ( rsp->challenge, len,
80 &rsp->info ) ) != 0 ) {
81 DBGC ( http, "HTTP %p could not parse NTLM challenge: "
82 "%s\n", http, strerror ( rc ) );
83 goto err_challenge;
84 }
85 }
86
87 /* Allow HTTP request to be retried if the request had not
88 * already tried authentication. Note that NTLM requires an
89 * additional round trip to obtain the challenge message,
90 * which is not present in the initial WWW-Authenticate.
91 */
92 if ( ( http->request.auth.auth == NULL ) ||
93 ( ( http->request.auth.auth == &http_ntlm_auth ) &&
94 ( http->request.auth.ntlm.len == 0 ) && len ) ) {
95 http->response.flags |= HTTP_RESPONSE_RETRY;
96 }
97
98 /* Success */
99 rc = 0;
100
101 err_challenge:
102 err_decode:
103 free ( copy );
104 err_alloc:
105 return rc;
106}
NULL
#define NULL
NULL pointer (VOID *)
Definition Base.h:322
rc
struct arbelprm_rc_send_wqe rc
Definition arbel.h:3
base64_decode
int base64_decode(const char *encoded, void *data, size_t len)
Base64-decode string.
Definition base64.c:92
len
ring len
Length.
Definition dwmac.h:226
DBGC
#define DBGC(...)
Definition compiler.h:505
ENOMEM
#define ENOMEM
Not enough space.
Definition errno.h:535
HTTP_RESPONSE_RETRY
@ HTTP_RESPONSE_RETRY
Transaction may be retried on failure.
Definition http.h:361
rsp
uint64_t rsp
Definition librm.h:18
free
static void(* free)(struct refcnt *refcnt))
Definition refcnt.h:55
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition strerror.c:79
strdup
char * strdup(const char *src)
Duplicate string.
Definition string.c:394
strlen
size_t strlen(const char *src)
Get length of string.
Definition string.c:244
http_request_auth_ntlm::len
size_t len
Authenticate message length.
Definition http.h:184
http_request_auth::auth
struct http_authentication * auth
Authentication scheme (if any)
Definition http.h:190
http_request_auth::ntlm
struct http_request_auth_ntlm ntlm
NTLM authentication descriptor.
Definition http.h:198
http_request::auth
struct http_request_auth auth
Authentication descriptor.
Definition http.h:223
http_response_auth_ntlm
HTTP response NTLM authorization descriptor.
Definition http.h:288
http_response_auth::ntlm
struct http_response_auth_ntlm ntlm
NTLM authorization descriptor.
Definition http.h:306
http_response::flags
unsigned int flags
Flags.
Definition http.h:351
http_response::auth
struct http_response_auth auth
Authorization descriptor.
Definition http.h:347
http_transaction::response
struct http_response response
Response.
Definition http.h:439
http_transaction::request
struct http_request request
Request.
Definition http.h:437
ntlm_challenge
A Challenge message.
Definition ntlm.h:101

References http_request::auth, http_request_auth::auth, http_response::auth, base64_decode(), DBGC, ENOMEM, http_response::flags, free, HTTP_RESPONSE_RETRY, http_request_auth_ntlm::len, len, http_request_auth::ntlm, http_response_auth::ntlm, NULL, rc, http_transaction::request, http_transaction::response, rsp, strdup(), strerror(), and strlen().

◆ http_ntlm_authenticate()

int http_ntlm_authenticate ( struct http_transaction * http)
static

Perform HTTP NTLM authentication.

Parameters
httpHTTP transaction
Return values
rcReturn status code

Definition at line 114 of file httpntlm.c.

114 {
115 struct http_request_auth_ntlm *req = &http->request.auth.ntlm;
116 struct http_response_auth_ntlm *rsp = &http->response.auth.ntlm;
117 struct ntlm_key key;
118 const char *domain;
119 char *username;
120 const char *password;
121
122 /* If we have no challenge yet, then just send a Negotiate message */
123 if ( ! rsp->challenge ) {
124 DBGC ( http, "HTTP %p sending NTLM Negotiate\n", http );
125 return 0;
126 }
127
128 /* Record username */
129 if ( ! http->uri->user ) {
130 DBGC ( http, "HTTP %p has no username for NTLM "
131 "authentication\n", http );
132 return -EACCES;
133 }
134 req->username = http->uri->user;
135 password = ( http->uri->password ? http->uri->password : "" );
136
137 /* Split NetBIOS [domain\]username */
138 username = ( ( char * ) req->username );
139 domain = netbios_domain ( &username );
140
141 /* Generate key */
142 ntlm_key ( domain, username, password, &key );
143
144 /* Generate responses */
145 ntlm_response ( &rsp->info, &key, NULL, &req->lm, &req->nt );
146
147 /* Calculate Authenticate message length */
148 req->len = ntlm_authenticate_len ( &rsp->info, domain, username,
149 http_ntlm_workstation );
150
151 /* Restore NetBIOS [domain\]username */
152 netbios_domain_undo ( domain, username );
153
154 return 0;
155}
key
union @162305117151260234136356364136041353210355154177 key
Sense key.
Definition scsi.h:3
EACCES
#define EACCES
Permission denied.
Definition errno.h:299
http_ntlm_workstation
static const char http_ntlm_workstation[]
Workstation name used for NTLM authentication.
Definition httpntlm.c:45
username
static struct dynamic_item username
Definition login_ui.c:36
password
static struct dynamic_item password
Definition login_ui.c:37
netbios_domain
const char * netbios_domain(char **username)
Split NetBIOS [domain]username into separate domain and username fields.
Definition netbios.c:47
netbios_domain_undo
static void netbios_domain_undo(const char *domain, char *username)
Restore NetBIOS [domain]username.
Definition netbios.h:24
ntlm_response
void ntlm_response(struct ntlm_challenge_info *info, struct ntlm_key *key, struct ntlm_nonce *nonce, struct ntlm_lm_response *lm, struct ntlm_nt_response *nt)
Construct NTLM responses.
Definition ntlm.c:167
ntlm_authenticate_len
size_t ntlm_authenticate_len(struct ntlm_challenge_info *info, const char *domain, const char *username, const char *workstation)
Calculate NTLM Authenticate message length.
Definition ntlm.c:326
ntlm_key
void ntlm_key(const char *domain, const char *username, const char *password, struct ntlm_key *key)
Calculate NTLM verification key.
Definition ntlm.c:115
http_request_auth_ntlm
HTTP request NTLM authentication descriptor.
Definition http.h:176
http_request_auth_ntlm::lm
struct ntlm_lm_response lm
LAN Manager response.
Definition http.h:180
http_request_auth_ntlm::nt
struct ntlm_nt_response nt
NT response.
Definition http.h:182
http_request_auth_ntlm::username
const char * username
Username.
Definition http.h:178
http_transaction::uri
struct uri * uri
Request URI.
Definition http.h:435
ntlm_key
An NTLM verification key.
Definition ntlm.h:176
uri::user
const char * user
User name.
Definition uri.h:73
uri::password
const char * password
Password.
Definition uri.h:75

References http_request::auth, http_response::auth, DBGC, EACCES, http_ntlm_workstation, key, http_request_auth_ntlm::len, http_request_auth_ntlm::lm, netbios_domain(), netbios_domain_undo(), http_request_auth_ntlm::nt, http_request_auth::ntlm, http_response_auth::ntlm, ntlm_authenticate_len(), ntlm_key(), ntlm_response(), NULL, password, uri::password, http_transaction::request, http_transaction::response, rsp, http_transaction::uri, uri::user, http_request_auth_ntlm::username, and username.

◆ http_format_ntlm_auth()

int http_format_ntlm_auth ( struct http_transaction * http,
char * buf,
size_t len )
static

Construct HTTP "Authorization" header for NTLM authentication.

Parameters
httpHTTP transaction
bufBuffer
lenLength of buffer
Return values
lenLength of header value, or negative error

Definition at line 165 of file httpntlm.c.

166 {
167 struct http_request_auth_ntlm *req = &http->request.auth.ntlm;
168 struct http_response_auth_ntlm *rsp = &http->response.auth.ntlm;
169 struct ntlm_authenticate *auth;
170 const char *domain;
171 char *username;
172 size_t check;
173
174 /* If we have no challenge yet, then just send a Negotiate message */
175 if ( ! rsp->challenge ) {
176 return base64_encode ( &ntlm_negotiate,
177 sizeof ( ntlm_negotiate ), buf, len );
178 }
179
180 /* Skip allocation if just calculating length */
181 if ( ! len )
182 return base64_encoded_len ( req->len );
183
184 /* Allocate temporary buffer for Authenticate message */
185 auth = malloc ( req->len );
186 if ( ! auth )
187 return -ENOMEM;
188
189 /* Split NetBIOS [domain\]username */
190 username = ( ( char * ) req->username );
191 domain = netbios_domain ( &username );
192
193 /* Construct raw Authenticate message */
194 check = ntlm_authenticate ( &rsp->info, domain, username,
195 http_ntlm_workstation, &req->lm,
196 &req->nt, auth );
197 assert ( check == req->len );
198
199 /* Restore NetBIOS [domain\]username */
200 netbios_domain_undo ( domain, username );
201
202 /* Base64-encode Authenticate message */
203 len = base64_encode ( auth, req->len, buf, len );
204
205 /* Free raw Authenticate message */
206 free ( auth );
207
208 return len;
209}
assert
#define assert(condition)
Assert a condition at run-time.
Definition assert.h:50
base64_encode
size_t base64_encode(const void *raw, size_t raw_len, char *data, size_t len)
Base64-encode data.
Definition base64.c:52
base64_encoded_len
static size_t base64_encoded_len(size_t raw_len)
Calculate length of base64-encoded data.
Definition base64.h:22
malloc
void * malloc(size_t size)
Allocate memory.
Definition malloc.c:621
ntlm_authenticate
size_t ntlm_authenticate(struct ntlm_challenge_info *info, const char *domain, const char *username, const char *workstation, struct ntlm_lm_response *lm, struct ntlm_nt_response *nt, struct ntlm_authenticate *auth)
Construct NTLM Authenticate message.
Definition ntlm.c:267
ntlm_authenticate
An Authenticate message.
Definition ntlm.h:117
ntlm_authenticate::domain
struct ntlm_data domain
Domain name.
Definition ntlm.h:125
ntlm_negotiate
A Negotiate message.
Definition ntlm.h:89

References assert, http_request::auth, http_response::auth, base64_encode(), base64_encoded_len(), ntlm_authenticate::domain, ENOMEM, free, http_ntlm_workstation, http_request_auth_ntlm::len, len, http_request_auth_ntlm::lm, malloc(), netbios_domain(), netbios_domain_undo(), http_request_auth_ntlm::nt, http_request_auth::ntlm, http_response_auth::ntlm, ntlm_authenticate(), http_transaction::request, http_transaction::response, rsp, http_request_auth_ntlm::username, and username.

◆ REQUIRING_SYMBOL()

REQUIRING_SYMBOL ( http_ntlm_auth )

◆ REQUIRE_OBJECT()

REQUIRE_OBJECT ( httpauth )

Variable Documentation

◆ __http_authentication

struct http_authentication http_ntlm_auth __http_authentication
Initial value:
= {
.name = "NTLM",
.parse = http_parse_ntlm_auth,
.authenticate = http_ntlm_authenticate,
.format = http_format_ntlm_auth,
}
http_ntlm_authenticate
static int http_ntlm_authenticate(struct http_transaction *http)
Perform HTTP NTLM authentication.
Definition httpntlm.c:114
http_parse_ntlm_auth
static int http_parse_ntlm_auth(struct http_transaction *http, char *line)
Parse HTTP "WWW-Authenticate" header for NTLM authentication.
Definition httpntlm.c:54
http_format_ntlm_auth
static int http_format_ntlm_auth(struct http_transaction *http, char *buf, size_t len)
Construct HTTP "Authorization" header for NTLM authentication.
Definition httpntlm.c:165

HTTP NTLM authentication scheme.

Definition at line 42 of file httpntlm.c.

◆ http_ntlm_workstation

const char http_ntlm_workstation[] = "iPXE"
static

Workstation name used for NTLM authentication.

Definition at line 45 of file httpntlm.c.

Referenced by http_format_ntlm_auth(), and http_ntlm_authenticate().

Generated by doxygen 1.14.0