Context Navigation

source: branches/samba-3.5.x/source3/libads/sasl.c@ 737

Visit:

Last change on this file since 737 was 599, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update trunk to 3.5.9
File size: 30.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	ads sasl code
4	Copyright (C) Andrew Tridgell 2001
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21	#include "../libcli/auth/spnego.h"
22
23	#ifdef HAVE_LDAP
24
25	static ADS_STATUS ads_sasl_ntlmssp_wrap(ADS_STRUCT ads, uint8 buf, uint32 len)
26	{
27	struct ntlmssp_state *ntlmssp_state =
28	(struct ntlmssp_state *)ads->ldap.wrap_private_data;
29	ADS_STATUS status;
30	NTSTATUS nt_status;
31	DATA_BLOB sig;
32	uint8 *dptr = ads->ldap.out.buf + (4 + NTLMSSP_SIG_SIZE);
33
34	/* copy the data to the right location */
35	memcpy(dptr, buf, len);
36
37	/* create the signature and may encrypt the data */
38	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
39	nt_status = ntlmssp_seal_packet(ntlmssp_state,
40	dptr, len,
41	dptr, len,
42	&sig);
43	} else {
44	nt_status = ntlmssp_sign_packet(ntlmssp_state,
45	dptr, len,
46	dptr, len,
47	&sig);
48	}
49	status = ADS_ERROR_NT(nt_status);
50	if (!ADS_ERR_OK(status)) return status;
51
52	/* copy the signature to the right location */
53	memcpy(ads->ldap.out.buf + 4,
54	sig.data, NTLMSSP_SIG_SIZE);
55
56	data_blob_free(&sig);
57
58	/* set how many bytes must be written to the underlying socket */
59	ads->ldap.out.left = 4 + NTLMSSP_SIG_SIZE + len;
60
61	return ADS_SUCCESS;
62	}
63
64	static ADS_STATUS ads_sasl_ntlmssp_unwrap(ADS_STRUCT *ads)
65	{
66	struct ntlmssp_state *ntlmssp_state =
67	(struct ntlmssp_state *)ads->ldap.wrap_private_data;
68	ADS_STATUS status;
69	NTSTATUS nt_status;
70	DATA_BLOB sig;
71	uint8 *dptr = ads->ldap.in.buf + (4 + NTLMSSP_SIG_SIZE);
72	uint32 dlen = ads->ldap.in.ofs - (4 + NTLMSSP_SIG_SIZE);
73
74	/* wrap the signature into a DATA_BLOB */
75	sig = data_blob_const(ads->ldap.in.buf + 4, NTLMSSP_SIG_SIZE);
76
77	/* verify the signature and maybe decrypt the data */
78	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
79	nt_status = ntlmssp_unseal_packet(ntlmssp_state,
80	dptr, dlen,
81	dptr, dlen,
82	&sig);
83	} else {
84	nt_status = ntlmssp_check_packet(ntlmssp_state,
85	dptr, dlen,
86	dptr, dlen,
87	&sig);
88	}
89	status = ADS_ERROR_NT(nt_status);
90	if (!ADS_ERR_OK(status)) return status;
91
92	/* set the amount of bytes for the upper layer and set the ofs to the data */
93	ads->ldap.in.left = dlen;
94	ads->ldap.in.ofs = 4 + NTLMSSP_SIG_SIZE;
95
96	return ADS_SUCCESS;
97	}
98
99	static void ads_sasl_ntlmssp_disconnect(ADS_STRUCT *ads)
100	{
101	struct ntlmssp_state *ntlmssp_state =
102	(struct ntlmssp_state *)ads->ldap.wrap_private_data;
103
104	ntlmssp_end(&ntlmssp_state);
105
106	ads->ldap.wrap_ops = NULL;
107	ads->ldap.wrap_private_data = NULL;
108	}
109
110	static const struct ads_saslwrap_ops ads_sasl_ntlmssp_ops = {
111	.name = "ntlmssp",
112	.wrap = ads_sasl_ntlmssp_wrap,
113	.unwrap = ads_sasl_ntlmssp_unwrap,
114	.disconnect = ads_sasl_ntlmssp_disconnect
115	};
116
117	/*
118	perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
119	we fit on one socket??)
120	*/
121	static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
122	{
123	DATA_BLOB msg1 = data_blob_null;
124	DATA_BLOB blob = data_blob_null;
125	DATA_BLOB blob_in = data_blob_null;
126	DATA_BLOB blob_out = data_blob_null;
127	struct berval cred, *scred = NULL;
128	int rc;
129	NTSTATUS nt_status;
130	ADS_STATUS status;
131	int turn = 1;
132	uint32 features = 0;
133
134	struct ntlmssp_state *ntlmssp_state;
135
136	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
137	return ADS_ERROR_NT(nt_status);
138	}
139	ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
140
141	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, ads->auth.user_name))) {
142	return ADS_ERROR_NT(nt_status);
143	}
144	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, ads->auth.realm))) {
145	return ADS_ERROR_NT(nt_status);
146	}
147	if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, ads->auth.password))) {
148	return ADS_ERROR_NT(nt_status);
149	}
150
151	switch (ads->ldap.wrap_type) {
152	case ADS_SASLWRAP_TYPE_SEAL:
153	features = NTLMSSP_FEATURE_SIGN \| NTLMSSP_FEATURE_SEAL;
154	break;
155	case ADS_SASLWRAP_TYPE_SIGN:
156	if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
157	features = NTLMSSP_FEATURE_SIGN;
158	} else {
159	/*
160	* windows servers are broken with sign only,
161	* so we need to use seal here too
162	*/
163	features = NTLMSSP_FEATURE_SIGN \| NTLMSSP_FEATURE_SEAL;
164	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
165	}
166	break;
167	case ADS_SASLWRAP_TYPE_PLAIN:
168	break;
169	}
170
171	ntlmssp_want_feature(ntlmssp_state, features);
172
173	blob_in = data_blob_null;
174
175	do {
176	nt_status = ntlmssp_update(ntlmssp_state,
177	blob_in, &blob_out);
178	data_blob_free(&blob_in);
179	if ((NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
180	\|\| NT_STATUS_IS_OK(nt_status))
181	&& blob_out.length) {
182	if (turn == 1) {
183	/* and wrap it in a SPNEGO wrapper */
184	msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out);
185	} else {
186	/* wrap it in SPNEGO */
187	msg1 = spnego_gen_auth(blob_out);
188	}
189
190	data_blob_free(&blob_out);
191
192	cred.bv_val = (char *)msg1.data;
193	cred.bv_len = msg1.length;
194	scred = NULL;
195	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
196	data_blob_free(&msg1);
197	if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
198	if (scred) {
199	ber_bvfree(scred);
200	}
201
202	ntlmssp_end(&ntlmssp_state);
203	return ADS_ERROR(rc);
204	}
205	if (scred) {
206	blob = data_blob(scred->bv_val, scred->bv_len);
207	ber_bvfree(scred);
208	} else {
209	blob = data_blob_null;
210	}
211
212	} else {
213
214	ntlmssp_end(&ntlmssp_state);
215	data_blob_free(&blob_out);
216	return ADS_ERROR_NT(nt_status);
217	}
218
219	if ((turn == 1) &&
220	(rc == LDAP_SASL_BIND_IN_PROGRESS)) {
221	DATA_BLOB tmp_blob = data_blob_null;
222	/* the server might give us back two challenges */
223	if (!spnego_parse_challenge(blob, &blob_in,
224	&tmp_blob)) {
225
226	ntlmssp_end(&ntlmssp_state);
227	data_blob_free(&blob);
228	DEBUG(3,("Failed to parse challenges\n"));
229	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
230	}
231	data_blob_free(&tmp_blob);
232	} else if (rc == LDAP_SASL_BIND_IN_PROGRESS) {
233	if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP,
234	&blob_in)) {
235
236	ntlmssp_end(&ntlmssp_state);
237	data_blob_free(&blob);
238	DEBUG(3,("Failed to parse auth response\n"));
239	return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
240	}
241	}
242	data_blob_free(&blob);
243	data_blob_free(&blob_out);
244	turn++;
245	} while (rc == LDAP_SASL_BIND_IN_PROGRESS && !NT_STATUS_IS_OK(nt_status));
246
247	/* we have a reference conter on ntlmssp_state, if we are signing
248	then the state will be kept by the signing engine */
249
250	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
251	ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
252	ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
253	ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
254	ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
255	status = ads_setup_sasl_wrapping(ads, &ads_sasl_ntlmssp_ops, ntlmssp_state);
256	if (!ADS_ERR_OK(status)) {
257	DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
258	ads_errstr(status)));
259	ntlmssp_end(&ntlmssp_state);
260	return status;
261	}
262	} else {
263	ntlmssp_end(&ntlmssp_state);
264	}
265
266	return ADS_ERROR(rc);
267	}
268
269	#ifdef HAVE_GSSAPI
270	static ADS_STATUS ads_sasl_gssapi_wrap(ADS_STRUCT ads, uint8 buf, uint32 len)
271	{
272	gss_ctx_id_t context_handle = (gss_ctx_id_t)ads->ldap.wrap_private_data;
273	ADS_STATUS status;
274	int gss_rc;
275	uint32 minor_status;
276	gss_buffer_desc unwrapped, wrapped;
277	int conf_req_flag, conf_state;
278
279	unwrapped.value = buf;
280	unwrapped.length = len;
281
282	/* for now request sign and seal */
283	conf_req_flag = (ads->ldap.wrap_type == ADS_SASLWRAP_TYPE_SEAL);
284
285	gss_rc = gss_wrap(&minor_status, context_handle,
286	conf_req_flag, GSS_C_QOP_DEFAULT,
287	&unwrapped, &conf_state,
288	&wrapped);
289	status = ADS_ERROR_GSS(gss_rc, minor_status);
290	if (!ADS_ERR_OK(status)) return status;
291
292	if (conf_req_flag && conf_state == 0) {
293	return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
294	}
295
296	if ((ads->ldap.out.size - 4) < wrapped.length) {
297	return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
298	}
299
300	/* copy the wrapped blob to the right location */
301	memcpy(ads->ldap.out.buf + 4, wrapped.value, wrapped.length);
302
303	/* set how many bytes must be written to the underlying socket */
304	ads->ldap.out.left = 4 + wrapped.length;
305
306	gss_release_buffer(&minor_status, &wrapped);
307
308	return ADS_SUCCESS;
309	}
310
311	static ADS_STATUS ads_sasl_gssapi_unwrap(ADS_STRUCT *ads)
312	{
313	gss_ctx_id_t context_handle = (gss_ctx_id_t)ads->ldap.wrap_private_data;
314	ADS_STATUS status;
315	int gss_rc;
316	uint32 minor_status;
317	gss_buffer_desc unwrapped, wrapped;
318	int conf_state;
319
320	wrapped.value = ads->ldap.in.buf + 4;
321	wrapped.length = ads->ldap.in.ofs - 4;
322
323	gss_rc = gss_unwrap(&minor_status, context_handle,
324	&wrapped, &unwrapped,
325	&conf_state, GSS_C_QOP_DEFAULT);
326	status = ADS_ERROR_GSS(gss_rc, minor_status);
327	if (!ADS_ERR_OK(status)) return status;
328
329	if (ads->ldap.wrap_type == ADS_SASLWRAP_TYPE_SEAL && conf_state == 0) {
330	return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
331	}
332
333	if (wrapped.length < unwrapped.length) {
334	return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
335	}
336
337	/* copy the wrapped blob to the right location */
338	memcpy(ads->ldap.in.buf + 4, unwrapped.value, unwrapped.length);
339
340	/* set how many bytes must be written to the underlying socket */
341	ads->ldap.in.left = unwrapped.length;
342	ads->ldap.in.ofs = 4;
343
344	gss_release_buffer(&minor_status, &unwrapped);
345
346	return ADS_SUCCESS;
347	}
348
349	static void ads_sasl_gssapi_disconnect(ADS_STRUCT *ads)
350	{
351	gss_ctx_id_t context_handle = (gss_ctx_id_t)ads->ldap.wrap_private_data;
352	uint32 minor_status;
353
354	gss_delete_sec_context(&minor_status, &context_handle, GSS_C_NO_BUFFER);
355
356	ads->ldap.wrap_ops = NULL;
357	ads->ldap.wrap_private_data = NULL;
358	}
359
360	static const struct ads_saslwrap_ops ads_sasl_gssapi_ops = {
361	.name = "gssapi",
362	.wrap = ads_sasl_gssapi_wrap,
363	.unwrap = ads_sasl_gssapi_unwrap,
364	.disconnect = ads_sasl_gssapi_disconnect
365	};
366
367	/*
368	perform a LDAP/SASL/SPNEGO/GSSKRB5 bind
369	*/
370	static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t serv_name)
371	{
372	ADS_STATUS status;
373	bool ok;
374	uint32 minor_status;
375	int gss_rc, rc;
376	gss_OID_desc krb5_mech_type =
377	{9, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
378	gss_OID mech_type = &krb5_mech_type;
379	gss_OID actual_mech_type = GSS_C_NULL_OID;
380	const char *spnego_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
381	gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
382	gss_buffer_desc input_token, output_token;
383	uint32 req_flags, ret_flags;
384	uint32 req_tmp, ret_tmp;
385	DATA_BLOB unwrapped;
386	DATA_BLOB wrapped;
387	struct berval cred, *scred = NULL;
388
389	input_token.value = NULL;
390	input_token.length = 0;
391
392	req_flags = GSS_C_MUTUAL_FLAG \| GSS_C_REPLAY_FLAG;
393	switch (ads->ldap.wrap_type) {
394	case ADS_SASLWRAP_TYPE_SEAL:
395	req_flags \|= GSS_C_INTEG_FLAG \| GSS_C_CONF_FLAG;
396	break;
397	case ADS_SASLWRAP_TYPE_SIGN:
398	req_flags \|= GSS_C_INTEG_FLAG;
399	break;
400	case ADS_SASLWRAP_TYPE_PLAIN:
401	break;
402	}
403
404	/* Note: here we explicit ask for the krb5 mech_type */
405	gss_rc = gss_init_sec_context(&minor_status,
406	GSS_C_NO_CREDENTIAL,
407	&context_handle,
408	serv_name,
409	mech_type,
410	req_flags,
411	0,
412	NULL,
413	&input_token,
414	&actual_mech_type,
415	&output_token,
416	&ret_flags,
417	NULL);
418	if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
419	status = ADS_ERROR_GSS(gss_rc, minor_status);
420	goto failed;
421	}
422
423	/*
424	* As some gssapi krb5 mech implementations
425	* automaticly add GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG
426	* to req_flags internaly, it's not possible to
427	* use plain or signing only connection via
428	* the gssapi interface.
429	*
430	* Because of this we need to check it the ret_flags
431	* has more flags as req_flags and correct the value
432	* of ads->ldap.wrap_type.
433	*
434	* I ads->auth.flags has ADS_AUTH_SASL_FORCE
435	* we need to give an error.
436	*/
437	req_tmp = req_flags & (GSS_C_INTEG_FLAG \| GSS_C_CONF_FLAG);
438	ret_tmp = ret_flags & (GSS_C_INTEG_FLAG \| GSS_C_CONF_FLAG);
439
440	if (req_tmp == ret_tmp) {
441	/* everythings fine... */
442
443	} else if (req_flags & GSS_C_CONF_FLAG) {
444	/*
445	* here we wanted sealing but didn't got it
446	* from the gssapi library
447	*/
448	status = ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
449	goto failed;
450
451	} else if ((req_flags & GSS_C_INTEG_FLAG) &&
452	!(ret_flags & GSS_C_INTEG_FLAG)) {
453	/*
454	* here we wanted siging but didn't got it
455	* from the gssapi library
456	*/
457	status = ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
458	goto failed;
459
460	} else if (ret_flags & GSS_C_CONF_FLAG) {
461	/*
462	* here we didn't want sealing
463	* but the gssapi library forces it
464	* so correct the needed wrap_type if
465	* the caller didn't forced siging only
466	*/
467	if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
468	status = ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
469	goto failed;
470	}
471
472	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
473	req_flags = ret_flags;
474
475	} else if (ret_flags & GSS_C_INTEG_FLAG) {
476	/*
477	* here we didn't want signing
478	* but the gssapi library forces it
479	* so correct the needed wrap_type if
480	* the caller didn't forced plain
481	*/
482	if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
483	status = ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
484	goto failed;
485	}
486
487	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SIGN;
488	req_flags = ret_flags;
489	} else {
490	/*
491	* This could (should?) not happen
492	*/
493	status = ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR);
494	goto failed;
495
496	}
497
498	/* and wrap that in a shiny SPNEGO wrapper */
499	unwrapped = data_blob_const(output_token.value, output_token.length);
500	wrapped = gen_negTokenTarg(spnego_mechs, unwrapped);
501	gss_release_buffer(&minor_status, &output_token);
502	if (unwrapped.length > wrapped.length) {
503	status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
504	goto failed;
505	}
506
507	cred.bv_val = (char *)wrapped.data;
508	cred.bv_len = wrapped.length;
509
510	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL,
511	&scred);
512	data_blob_free(&wrapped);
513	if (rc != LDAP_SUCCESS) {
514	status = ADS_ERROR(rc);
515	goto failed;
516	}
517
518	if (scred) {
519	wrapped = data_blob_const(scred->bv_val, scred->bv_len);
520	} else {
521	wrapped = data_blob_null;
522	}
523
524	ok = spnego_parse_auth_response(wrapped, NT_STATUS_OK,
525	OID_KERBEROS5_OLD,
526	&unwrapped);
527	if (scred) ber_bvfree(scred);
528	if (!ok) {
529	status = ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
530	goto failed;
531	}
532
533	input_token.value = unwrapped.data;
534	input_token.length = unwrapped.length;
535
536	/*
537	* As we asked for mutal authentication
538	* we need to pass the servers response
539	* to gssapi
540	*/
541	gss_rc = gss_init_sec_context(&minor_status,
542	GSS_C_NO_CREDENTIAL,
543	&context_handle,
544	serv_name,
545	mech_type,
546	req_flags,
547	0,
548	NULL,
549	&input_token,
550	&actual_mech_type,
551	&output_token,
552	&ret_flags,
553	NULL);
554	data_blob_free(&unwrapped);
555	if (gss_rc) {
556	status = ADS_ERROR_GSS(gss_rc, minor_status);
557	goto failed;
558	}
559
560	gss_release_buffer(&minor_status, &output_token);
561
562	/*
563	* If we the sign and seal options
564	* doesn't match after getting the response
565	* from the server, we don't want to use the connection
566	*/
567	req_tmp = req_flags & (GSS_C_INTEG_FLAG \| GSS_C_CONF_FLAG);
568	ret_tmp = ret_flags & (GSS_C_INTEG_FLAG \| GSS_C_CONF_FLAG);
569
570	if (req_tmp != ret_tmp) {
571	/* everythings fine... */
572	status = ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
573	goto failed;
574	}
575
576	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
577	uint32 max_msg_size = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED;
578
579	gss_rc = gss_wrap_size_limit(&minor_status, context_handle,
580	(ads->ldap.wrap_type == ADS_SASLWRAP_TYPE_SEAL),
581	GSS_C_QOP_DEFAULT,
582	max_msg_size, &ads->ldap.out.max_unwrapped);
583	if (gss_rc) {
584	status = ADS_ERROR_GSS(gss_rc, minor_status);
585	goto failed;
586	}
587
588	ads->ldap.out.sig_size = max_msg_size - ads->ldap.out.max_unwrapped;
589	ads->ldap.in.min_wrapped = 0x2C; /* taken from a capture with LDAP unbind */
590	ads->ldap.in.max_wrapped = max_msg_size;
591	status = ads_setup_sasl_wrapping(ads, &ads_sasl_gssapi_ops, context_handle);
592	if (!ADS_ERR_OK(status)) {
593	DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
594	ads_errstr(status)));
595	goto failed;
596	}
597	/* make sure we don't free context_handle */
598	context_handle = GSS_C_NO_CONTEXT;
599	}
600
601	status = ADS_SUCCESS;
602
603	failed:
604	if (context_handle != GSS_C_NO_CONTEXT)
605	gss_delete_sec_context(&minor_status, &context_handle, GSS_C_NO_BUFFER);
606	return status;
607	}
608
609	#endif /* HAVE_GSSAPI */
610
611	#ifdef HAVE_KRB5
612	struct ads_service_principal {
613	char *string;
614	#ifdef HAVE_GSSAPI
615	gss_name_t name;
616	#endif
617	};
618
619	static void ads_free_service_principal(struct ads_service_principal *p)
620	{
621	SAFE_FREE(p->string);
622
623	#ifdef HAVE_GSSAPI
624	if (p->name) {
625	uint32 minor_status;
626	gss_release_name(&minor_status, &p->name);
627	}
628	#endif
629	ZERO_STRUCTP(p);
630	}
631
632	static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
633	const char *given_principal,
634	struct ads_service_principal *p)
635	{
636	ADS_STATUS status;
637	#ifdef HAVE_GSSAPI
638	gss_buffer_desc input_name;
639	/* GSS_KRB5_NT_PRINCIPAL_NAME */
640	gss_OID_desc nt_principal =
641	{10, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
642	uint32 minor_status;
643	int gss_rc;
644	#endif
645
646	ZERO_STRUCTP(p);
647
648	/* I've seen a child Windows 2000 domain not send
649	the principal name back in the first round of
650	the SASL bind reply. So we guess based on server
651	name and realm. --jerry */
652	/* Also try best guess when we get the w2k8 ignore principal
653	back, or when we are configured to ignore it - gd,
654	abartlet */
655
656	if (!lp_client_use_spnego_principal() \|\|
657	!given_principal \|\|
658	strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
659
660	status = ads_guess_service_principal(ads, &p->string);
661	if (!ADS_ERR_OK(status)) {
662	return status;
663	}
664	} else {
665	p->string = SMB_STRDUP(given_principal);
666	if (!p->string) {
667	return ADS_ERROR(LDAP_NO_MEMORY);
668	}
669	}
670
671	#ifdef HAVE_GSSAPI
672	input_name.value = p->string;
673	input_name.length = strlen(p->string);
674
675	gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &p->name);
676	if (gss_rc) {
677	ads_free_service_principal(p);
678	return ADS_ERROR_GSS(gss_rc, minor_status);
679	}
680	#endif
681
682	return ADS_SUCCESS;
683	}
684
685	/*
686	perform a LDAP/SASL/SPNEGO/KRB5 bind
687	*/
688	static ADS_STATUS ads_sasl_spnego_rawkrb5_bind(ADS_STRUCT ads, const char principal)
689	{
690	DATA_BLOB blob = data_blob_null;
691	struct berval cred, *scred = NULL;
692	DATA_BLOB session_key = data_blob_null;
693	int rc;
694
695	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
696	return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
697	}
698
699	rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key, 0,
700	&ads->auth.tgs_expire);
701
702	if (rc) {
703	return ADS_ERROR_KRB5(rc);
704	}
705
706	/* now send the auth packet and we should be done */
707	cred.bv_val = (char *)blob.data;
708	cred.bv_len = blob.length;
709
710	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
711
712	data_blob_free(&blob);
713	data_blob_free(&session_key);
714	if(scred)
715	ber_bvfree(scred);
716
717	return ADS_ERROR(rc);
718	}
719
720	static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads,
721	struct ads_service_principal *p)
722	{
723	#ifdef HAVE_GSSAPI
724	/*
725	* we only use the gsskrb5 based implementation
726	* when sasl sign or seal is requested.
727	*
728	* This has the following reasons:
729	* - it's likely that the gssapi krb5 mech implementation
730	* doesn't support to negotiate plain connections
731	* - the ads_sasl_spnego_rawkrb5_bind is more robust
732	* against clock skew errors
733	*/
734	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
735	return ads_sasl_spnego_gsskrb5_bind(ads, p->name);
736	}
737	#endif
738	return ads_sasl_spnego_rawkrb5_bind(ads, p->string);
739	}
740	#endif /* HAVE_KRB5 */
741
742	/*
743	this performs a SASL/SPNEGO bind
744	*/
745	static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
746	{
747	struct berval *scred=NULL;
748	int rc, i;
749	ADS_STATUS status;
750	DATA_BLOB blob;
751	char *given_principal = NULL;
752	char *OIDs[ASN1_MAX_OIDS];
753	#ifdef HAVE_KRB5
754	bool got_kerberos_mechanism = False;
755	#endif
756
757	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
758
759	if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
760	status = ADS_ERROR(rc);
761	goto failed;
762	}
763
764	blob = data_blob(scred->bv_val, scred->bv_len);
765
766	ber_bvfree(scred);
767
768	#if 0
769	file_save("sasl_spnego.dat", blob.data, blob.length);
770	#endif
771
772	/* the server sent us the first part of the SPNEGO exchange in the negprot
773	reply */
774	if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal) \|\|
775	OIDs[0] == NULL) {
776	data_blob_free(&blob);
777	status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
778	goto failed;
779	}
780	data_blob_free(&blob);
781
782	/* make sure the server understands kerberos */
783	for (i=0;OIDs[i];i++) {
784	DEBUG(3,("ads_sasl_spnego_bind: got OID=%s\n", OIDs[i]));
785	#ifdef HAVE_KRB5
786	if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 \|\|
787	strcmp(OIDs[i], OID_KERBEROS5) == 0) {
788	got_kerberos_mechanism = True;
789	}
790	#endif
791	talloc_free(OIDs[i]);
792	}
793	DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", given_principal));
794
795	#ifdef HAVE_KRB5
796	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
797	got_kerberos_mechanism)
798	{
799	struct ads_service_principal p;
800
801	status = ads_generate_service_principal(ads, given_principal, &p);
802	TALLOC_FREE(given_principal);
803	if (!ADS_ERR_OK(status)) {
804	return status;
805	}
806
807	status = ads_sasl_spnego_krb5_bind(ads, &p);
808	if (ADS_ERR_OK(status)) {
809	ads_free_service_principal(&p);
810	return status;
811	}
812
813	DEBUG(10,("ads_sasl_spnego_krb5_bind failed with: %s, "
814	"calling kinit\n", ads_errstr(status)));
815
816	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
817
818	if (ADS_ERR_OK(status)) {
819	status = ads_sasl_spnego_krb5_bind(ads, &p);
820	if (!ADS_ERR_OK(status)) {
821	DEBUG(0,("kinit succeeded but "
822	"ads_sasl_spnego_krb5_bind failed: %s\n",
823	ads_errstr(status)));
824	}
825	}
826
827	ads_free_service_principal(&p);
828
829	/* only fallback to NTLMSSP if allowed */
830	if (ADS_ERR_OK(status) \|\|
831	!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
832	return status;
833	}
834	} else
835	#endif
836	{
837	TALLOC_FREE(given_principal);
838	}
839
840	/* lets do NTLMSSP ... this has the big advantage that we don't need
841	to sync clocks, and we don't rely on special versions of the krb5
842	library for HMAC_MD4 encryption */
843	return ads_sasl_spnego_ntlmssp_bind(ads);
844
845	failed:
846	return status;
847	}
848
849	#ifdef HAVE_GSSAPI
850	#define MAX_GSS_PASSES 3
851
852	/* this performs a SASL/gssapi bind
853	we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
854	is very dependent on correctly configured DNS whereas
855	this routine is much less fragile
856	see RFC2078 and RFC2222 for details
857	*/
858	static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv_name)
859	{
860	uint32 minor_status;
861	gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
862	gss_OID mech_type = GSS_C_NULL_OID;
863	gss_buffer_desc output_token, input_token;
864	uint32 req_flags, ret_flags;
865	int conf_state;
866	struct berval cred;
867	struct berval *scred = NULL;
868	int i=0;
869	int gss_rc, rc;
870	uint8 *p;
871	uint32 max_msg_size = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED;
872	uint8 wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
873	ADS_STATUS status;
874
875	input_token.value = NULL;
876	input_token.length = 0;
877
878	/*
879	* Note: here we always ask the gssapi for sign and seal
880	* as this is negotiated later after the mutal
881	* authentication
882	*/
883	req_flags = GSS_C_MUTUAL_FLAG \| GSS_C_REPLAY_FLAG \| GSS_C_INTEG_FLAG \| GSS_C_CONF_FLAG;
884
885	for (i=0; i < MAX_GSS_PASSES; i++) {
886	gss_rc = gss_init_sec_context(&minor_status,
887	GSS_C_NO_CREDENTIAL,
888	&context_handle,
889	serv_name,
890	mech_type,
891	req_flags,
892	0,
893	NULL,
894	&input_token,
895	NULL,
896	&output_token,
897	&ret_flags,
898	NULL);
899	if (scred) {
900	ber_bvfree(scred);
901	scred = NULL;
902	}
903	if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
904	status = ADS_ERROR_GSS(gss_rc, minor_status);
905	goto failed;
906	}
907
908	cred.bv_val = (char *)output_token.value;
909	cred.bv_len = output_token.length;
910
911	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSSAPI", &cred, NULL, NULL,
912	&scred);
913	if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
914	status = ADS_ERROR(rc);
915	goto failed;
916	}
917
918	if (output_token.value) {
919	gss_release_buffer(&minor_status, &output_token);
920	}
921
922	if (scred) {
923	input_token.value = scred->bv_val;
924	input_token.length = scred->bv_len;
925	} else {
926	input_token.value = NULL;
927	input_token.length = 0;
928	}
929
930	if (gss_rc == 0) break;
931	}
932
933	gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token,
934	&conf_state,NULL);
935	if (scred) {
936	ber_bvfree(scred);
937	scred = NULL;
938	}
939	if (gss_rc) {
940	status = ADS_ERROR_GSS(gss_rc, minor_status);
941	goto failed;
942	}
943
944	p = (uint8 *)output_token.value;
945
946	#if 0
947	file_save("sasl_gssapi.dat", output_token.value, output_token.length);
948	#endif
949
950	if (p) {
951	wrap_type = CVAL(p,0);
952	SCVAL(p,0,0);
953	max_msg_size = RIVAL(p,0);
954	}
955
956	gss_release_buffer(&minor_status, &output_token);
957
958	if (!(wrap_type & ads->ldap.wrap_type)) {
959	/*
960	* the server doesn't supports the wrap
961	* type we want :-(
962	*/
963	DEBUG(0,("The ldap sasl wrap type doesn't match wanted[%d] server[%d]\n",
964	ads->ldap.wrap_type, wrap_type));
965	DEBUGADD(0,("You may want to set the 'client ldap sasl wrapping' option\n"));
966	status = ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
967	goto failed;
968	}
969
970	/* 0x58 is the minimum windows accepts */
971	if (max_msg_size < 0x58) {
972	max_msg_size = 0x58;
973	}
974
975	output_token.length = 4;
976	output_token.value = SMB_MALLOC(output_token.length);
977	p = (uint8 *)output_token.value;
978
979	RSIVAL(p,0,max_msg_size);
980	SCVAL(p,0,ads->ldap.wrap_type);
981
982	/*
983	* we used to add sprintf("dn:%s", ads->config.bind_path) here.
984	* but using ads->config.bind_path is the wrong! It should be
985	* the DN of the user object!
986	*
987	* w2k3 gives an error when we send an incorrect DN, but sending nothing
988	* is ok and matches the information flow used in GSS-SPNEGO.
989	*/
990
991	gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
992	&output_token, &conf_state,
993	&input_token);
994	if (gss_rc) {
995	status = ADS_ERROR_GSS(gss_rc, minor_status);
996	goto failed;
997	}
998
999	free(output_token.value);
1000
1001	cred.bv_val = (char *)input_token.value;
1002	cred.bv_len = input_token.length;
1003
1004	rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSSAPI", &cred, NULL, NULL,
1005	&scred);
1006	gss_release_buffer(&minor_status, &input_token);
1007	status = ADS_ERROR(rc);
1008	if (!ADS_ERR_OK(status)) {
1009	goto failed;
1010	}
1011
1012	if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
1013	gss_rc = gss_wrap_size_limit(&minor_status, context_handle,
1014	(ads->ldap.wrap_type == ADS_SASLWRAP_TYPE_SEAL),
1015	GSS_C_QOP_DEFAULT,
1016	max_msg_size, &ads->ldap.out.max_unwrapped);
1017	if (gss_rc) {
1018	status = ADS_ERROR_GSS(gss_rc, minor_status);
1019	goto failed;
1020	}
1021
1022	ads->ldap.out.sig_size = max_msg_size - ads->ldap.out.max_unwrapped;
1023	ads->ldap.in.min_wrapped = 0x2C; /* taken from a capture with LDAP unbind */
1024	ads->ldap.in.max_wrapped = max_msg_size;
1025	status = ads_setup_sasl_wrapping(ads, &ads_sasl_gssapi_ops, context_handle);
1026	if (!ADS_ERR_OK(status)) {
1027	DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
1028	ads_errstr(status)));
1029	goto failed;
1030	}
1031	/* make sure we don't free context_handle */
1032	context_handle = GSS_C_NO_CONTEXT;
1033	}
1034
1035	failed:
1036
1037	if (context_handle != GSS_C_NO_CONTEXT)
1038	gss_delete_sec_context(&minor_status, &context_handle, GSS_C_NO_BUFFER);
1039
1040	if(scred)
1041	ber_bvfree(scred);
1042	return status;
1043	}
1044
1045	static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
1046	{
1047	ADS_STATUS status;
1048	struct ads_service_principal p;
1049
1050	status = ads_generate_service_principal(ads, NULL, &p);
1051	if (!ADS_ERR_OK(status)) {
1052	return status;
1053	}
1054
1055	status = ads_sasl_gssapi_do_bind(ads, p.name);
1056	if (ADS_ERR_OK(status)) {
1057	ads_free_service_principal(&p);
1058	return status;
1059	}
1060
1061	DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
1062	"calling kinit\n", ads_errstr(status)));
1063
1064	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
1065
1066	if (ADS_ERR_OK(status)) {
1067	status = ads_sasl_gssapi_do_bind(ads, p.name);
1068	}
1069
1070	ads_free_service_principal(&p);
1071
1072	return status;
1073	}
1074
1075	#endif /* HAVE_GSSAPI */
1076
1077	/* mapping between SASL mechanisms and functions */
1078	static struct {
1079	const char *name;
1080	ADS_STATUS (fn)(ADS_STRUCT );
1081	} sasl_mechanisms[] = {
1082	{"GSS-SPNEGO", ads_sasl_spnego_bind},
1083	#ifdef HAVE_GSSAPI
1084	{"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */
1085	#endif
1086	{NULL, NULL}
1087	};
1088
1089	ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
1090	{
1091	const char *attrs[] = {"supportedSASLMechanisms", NULL};
1092	char **values;
1093	ADS_STATUS status;
1094	int i, j;
1095	LDAPMessage *res;
1096
1097	/* get a list of supported SASL mechanisms */
1098	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
1099	if (!ADS_ERR_OK(status)) return status;
1100
1101	values = ldap_get_values(ads->ldap.ld, res, "supportedSASLMechanisms");
1102
1103	if (ads->auth.flags & ADS_AUTH_SASL_SEAL) {
1104	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SEAL;
1105	} else if (ads->auth.flags & ADS_AUTH_SASL_SIGN) {
1106	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_SIGN;
1107	} else {
1108	ads->ldap.wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
1109	}
1110
1111	/* try our supported mechanisms in order */
1112	for (i=0;sasl_mechanisms[i].name;i++) {
1113	/* see if the server supports it */
1114	for (j=0;values && values[j];j++) {
1115	if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
1116	DEBUG(4,("Found SASL mechanism %s\n", values[j]));
1117	status = sasl_mechanisms[i].fn(ads);
1118	ldap_value_free(values);
1119	ldap_msgfree(res);
1120	return status;
1121	}
1122	}
1123	}
1124
1125	ldap_value_free(values);
1126	ldap_msgfree(res);
1127	return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
1128	}
1129
1130	#endif /* HAVE_LDAP */
1131

Note: See TracBrowser for help on using the repository browser.

Download in other formats: