Context Navigation

source: branches/samba-3.5.x/source3/libsmb/clispnego.c@ 734

Visit:

Last change on this file since 734 was 590, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update trunk to 3.5.6
File size: 16.4 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	simple kerberos5/SPNEGO routines
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
6	Copyright (C) Luke Howard 2003
7
8	This program is free software; you can redistribute it and/or modify
9	it under the terms of the GNU General Public License as published by
10	the Free Software Foundation; either version 3 of the License, or
11	(at your option) any later version.
12
13	This program is distributed in the hope that it will be useful,
14	but WITHOUT ANY WARRANTY; without even the implied warranty of
15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	GNU General Public License for more details.
17
18	You should have received a copy of the GNU General Public License
19	along with this program. If not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	#include "includes.h"
23	#include "../libcli/auth/spnego.h"
24	#include "smb_krb5.h"
25
26	/*
27	generate a negTokenInit packet given a GUID, a list of supported
28	OIDs (the mechanisms) and a principal name string
29	*/
30	DATA_BLOB spnego_gen_negTokenInit(char guid[16],
31	const char *OIDs[],
32	const char *principal)
33	{
34	int i;
35	ASN1_DATA *data;
36	DATA_BLOB ret;
37
38	data = asn1_init(talloc_tos());
39	if (data == NULL) {
40	return data_blob_null;
41	}
42
43	asn1_write(data, guid, 16);
44	asn1_push_tag(data,ASN1_APPLICATION(0));
45	asn1_write_OID(data,OID_SPNEGO);
46	asn1_push_tag(data,ASN1_CONTEXT(0));
47	asn1_push_tag(data,ASN1_SEQUENCE(0));
48
49	asn1_push_tag(data,ASN1_CONTEXT(0));
50	asn1_push_tag(data,ASN1_SEQUENCE(0));
51	for (i=0; OIDs[i]; i++) {
52	asn1_write_OID(data,OIDs[i]);
53	}
54	asn1_pop_tag(data);
55	asn1_pop_tag(data);
56
57	asn1_push_tag(data, ASN1_CONTEXT(3));
58	asn1_push_tag(data, ASN1_SEQUENCE(0));
59	asn1_push_tag(data, ASN1_CONTEXT(0));
60	asn1_write_GeneralString(data,principal);
61	asn1_pop_tag(data);
62	asn1_pop_tag(data);
63	asn1_pop_tag(data);
64
65	asn1_pop_tag(data);
66	asn1_pop_tag(data);
67
68	asn1_pop_tag(data);
69
70	if (data->has_error) {
71	DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data->ofs));
72	}
73
74	ret = data_blob(data->data, data->length);
75	asn1_free(data);
76
77	return ret;
78	}
79
80	/*
81	Generate a negTokenInit as used by the client side ... It has a mechType
82	(OID), and a mechToken (a security blob) ...
83
84	Really, we need to break out the NTLMSSP stuff as well, because it could be
85	raw in the packets!
86	*/
87	DATA_BLOB gen_negTokenInit(const char *OID, DATA_BLOB blob)
88	{
89	ASN1_DATA *data;
90	DATA_BLOB ret;
91
92	data = asn1_init(talloc_tos());
93	if (data == NULL) {
94	return data_blob_null;
95	}
96
97	asn1_push_tag(data, ASN1_APPLICATION(0));
98	asn1_write_OID(data,OID_SPNEGO);
99	asn1_push_tag(data, ASN1_CONTEXT(0));
100	asn1_push_tag(data, ASN1_SEQUENCE(0));
101
102	asn1_push_tag(data, ASN1_CONTEXT(0));
103	asn1_push_tag(data, ASN1_SEQUENCE(0));
104	asn1_write_OID(data, OID);
105	asn1_pop_tag(data);
106	asn1_pop_tag(data);
107
108	asn1_push_tag(data, ASN1_CONTEXT(2));
109	asn1_write_OctetString(data,blob.data,blob.length);
110	asn1_pop_tag(data);
111
112	asn1_pop_tag(data);
113	asn1_pop_tag(data);
114
115	asn1_pop_tag(data);
116
117	if (data->has_error) {
118	DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data->ofs));
119	}
120
121	ret = data_blob(data->data, data->length);
122	asn1_free(data);
123
124	return ret;
125	}
126
127	/*
128	parse a negTokenInit packet giving a GUID, a list of supported
129	OIDs (the mechanisms) and a principal name string
130	*/
131	bool spnego_parse_negTokenInit(DATA_BLOB blob,
132	char *OIDs[ASN1_MAX_OIDS],
133	char **principal)
134	{
135	int i;
136	bool ret;
137	ASN1_DATA *data;
138
139	data = asn1_init(talloc_tos());
140	if (data == NULL) {
141	return false;
142	}
143
144	asn1_load(data, blob);
145
146	asn1_start_tag(data,ASN1_APPLICATION(0));
147
148	asn1_check_OID(data,OID_SPNEGO);
149
150	/* negTokenInit [0] NegTokenInit */
151	asn1_start_tag(data,ASN1_CONTEXT(0));
152	asn1_start_tag(data,ASN1_SEQUENCE(0));
153
154	/* mechTypes [0] MechTypeList OPTIONAL */
155
156	/* Not really optional, we depend on this to decide
157	* what mechanisms we have to work with. */
158
159	asn1_start_tag(data,ASN1_CONTEXT(0));
160	asn1_start_tag(data,ASN1_SEQUENCE(0));
161	for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
162	const char *oid_str = NULL;
163	asn1_read_OID(data,talloc_autofree_context(),&oid_str);
164	OIDs[i] = CONST_DISCARD(char *, oid_str);
165	}
166	OIDs[i] = NULL;
167	asn1_end_tag(data);
168	asn1_end_tag(data);
169
170	*principal = NULL;
171
172	/*
173	Win7 + Live Sign-in Assistant attaches a mechToken
174	ASN1_CONTEXT(2) to the negTokenInit packet
175	which breaks our negotiation if we just assume
176	the next tag is ASN1_CONTEXT(3).
177	*/
178
179	if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
180	uint8 flags;
181
182	/* reqFlags [1] ContextFlags OPTIONAL */
183	asn1_start_tag(data, ASN1_CONTEXT(1));
184	asn1_start_tag(data, ASN1_BIT_STRING);
185	while (asn1_tag_remaining(data) > 0) {
186	asn1_read_uint8(data, &flags);
187	}
188	asn1_end_tag(data);
189	asn1_end_tag(data);
190	}
191
192	if (asn1_peek_tag(data, ASN1_CONTEXT(2))) {
193	/* mechToken [2] OCTET STRING OPTIONAL */
194	DATA_BLOB token;
195	asn1_start_tag(data, ASN1_CONTEXT(2));
196	asn1_read_OctetString(data, talloc_autofree_context(),
197	&token);
198	asn1_end_tag(data);
199	/* Throw away the token - not used. */
200	data_blob_free(&token);
201	}
202
203	if (asn1_peek_tag(data, ASN1_CONTEXT(3))) {
204	/* mechListMIC [3] OCTET STRING OPTIONAL */
205	asn1_start_tag(data, ASN1_CONTEXT(3));
206	asn1_start_tag(data, ASN1_SEQUENCE(0));
207	asn1_start_tag(data, ASN1_CONTEXT(0));
208	asn1_read_GeneralString(data,talloc_autofree_context(),
209	principal);
210	asn1_end_tag(data);
211	asn1_end_tag(data);
212	asn1_end_tag(data);
213	}
214
215	asn1_end_tag(data);
216	asn1_end_tag(data);
217
218	asn1_end_tag(data);
219
220	ret = !data->has_error;
221	if (data->has_error) {
222	int j;
223	TALLOC_FREE(*principal);
224	for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) {
225	TALLOC_FREE(OIDs[j]);
226	}
227	}
228
229	asn1_free(data);
230	return ret;
231	}
232
233	/*
234	generate a negTokenTarg packet given a list of OIDs and a security blob
235	*/
236	DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob)
237	{
238	int i;
239	ASN1_DATA *data;
240	DATA_BLOB ret;
241
242	data = asn1_init(talloc_tos());
243	if (data == NULL) {
244	return data_blob_null;
245	}
246
247	asn1_push_tag(data, ASN1_APPLICATION(0));
248	asn1_write_OID(data,OID_SPNEGO);
249	asn1_push_tag(data, ASN1_CONTEXT(0));
250	asn1_push_tag(data, ASN1_SEQUENCE(0));
251
252	asn1_push_tag(data, ASN1_CONTEXT(0));
253	asn1_push_tag(data, ASN1_SEQUENCE(0));
254	for (i=0; OIDs[i]; i++) {
255	asn1_write_OID(data,OIDs[i]);
256	}
257	asn1_pop_tag(data);
258	asn1_pop_tag(data);
259
260	asn1_push_tag(data, ASN1_CONTEXT(2));
261	asn1_write_OctetString(data,blob.data,blob.length);
262	asn1_pop_tag(data);
263
264	asn1_pop_tag(data);
265	asn1_pop_tag(data);
266
267	asn1_pop_tag(data);
268
269	if (data->has_error) {
270	DEBUG(1,("Failed to build negTokenTarg at offset %d\n", (int)data->ofs));
271	}
272
273	ret = data_blob(data->data, data->length);
274	asn1_free(data);
275
276	return ret;
277	}
278
279	/*
280	parse a negTokenTarg packet giving a list of OIDs and a security blob
281	*/
282	bool parse_negTokenTarg(DATA_BLOB blob, char OIDs[ASN1_MAX_OIDS], DATA_BLOB secblob)
283	{
284	int i;
285	ASN1_DATA *data;
286
287	data = asn1_init(talloc_tos());
288	if (data == NULL) {
289	return false;
290	}
291
292	asn1_load(data, blob);
293	asn1_start_tag(data, ASN1_APPLICATION(0));
294	asn1_check_OID(data,OID_SPNEGO);
295	asn1_start_tag(data, ASN1_CONTEXT(0));
296	asn1_start_tag(data, ASN1_SEQUENCE(0));
297
298	asn1_start_tag(data, ASN1_CONTEXT(0));
299	asn1_start_tag(data, ASN1_SEQUENCE(0));
300	for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
301	const char *oid_str = NULL;
302	asn1_read_OID(data,talloc_autofree_context(),&oid_str);
303	OIDs[i] = CONST_DISCARD(char *, oid_str);
304	}
305	OIDs[i] = NULL;
306	asn1_end_tag(data);
307	asn1_end_tag(data);
308
309	/* Skip any optional req_flags that are sent per RFC 4178 */
310	if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
311	uint8 flags;
312
313	asn1_start_tag(data, ASN1_CONTEXT(1));
314	asn1_start_tag(data, ASN1_BIT_STRING);
315	while (asn1_tag_remaining(data) > 0)
316	asn1_read_uint8(data, &flags);
317	asn1_end_tag(data);
318	asn1_end_tag(data);
319	}
320
321	asn1_start_tag(data, ASN1_CONTEXT(2));
322	asn1_read_OctetString(data,talloc_autofree_context(),secblob);
323	asn1_end_tag(data);
324
325	asn1_end_tag(data);
326	asn1_end_tag(data);
327
328	asn1_end_tag(data);
329
330	if (data->has_error) {
331	int j;
332	data_blob_free(secblob);
333	for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) {
334	TALLOC_FREE(OIDs[j]);
335	}
336	DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data->ofs));
337	asn1_free(data);
338	return False;
339	}
340
341	asn1_free(data);
342	return True;
343	}
344
345	/*
346	generate a krb5 GSS-API wrapper packet given a ticket
347	*/
348	DATA_BLOB spnego_gen_krb5_wrap(const DATA_BLOB ticket, const uint8 tok_id[2])
349	{
350	ASN1_DATA *data;
351	DATA_BLOB ret;
352
353	data = asn1_init(talloc_tos());
354	if (data == NULL) {
355	return data_blob_null;
356	}
357
358	asn1_push_tag(data, ASN1_APPLICATION(0));
359	asn1_write_OID(data, OID_KERBEROS5);
360
361	asn1_write(data, tok_id, 2);
362	asn1_write(data, ticket.data, ticket.length);
363	asn1_pop_tag(data);
364
365	if (data->has_error) {
366	DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data->ofs));
367	}
368
369	ret = data_blob(data->data, data->length);
370	asn1_free(data);
371
372	return ret;
373	}
374
375	/*
376	parse a krb5 GSS-API wrapper packet giving a ticket
377	*/
378	bool spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2])
379	{
380	bool ret;
381	ASN1_DATA *data;
382	int data_remaining;
383
384	data = asn1_init(talloc_tos());
385	if (data == NULL) {
386	return false;
387	}
388
389	asn1_load(data, blob);
390	asn1_start_tag(data, ASN1_APPLICATION(0));
391	asn1_check_OID(data, OID_KERBEROS5);
392
393	data_remaining = asn1_tag_remaining(data);
394
395	if (data_remaining < 3) {
396	data->has_error = True;
397	} else {
398	asn1_read(data, tok_id, 2);
399	data_remaining -= 2;
400	*ticket = data_blob(NULL, data_remaining);
401	asn1_read(data, ticket->data, ticket->length);
402	}
403
404	asn1_end_tag(data);
405
406	ret = !data->has_error;
407
408	if (data->has_error) {
409	data_blob_free(ticket);
410	}
411
412	asn1_free(data);
413
414	return ret;
415	}
416
417
418	/*
419	generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
420	kerberos session setup
421	*/
422	int spnego_gen_negTokenTarg(const char *principal, int time_offset,
423	DATA_BLOB *targ,
424	DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
425	time_t *expire_time)
426	{
427	int retval;
428	DATA_BLOB tkt, tkt_wrapped;
429	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
430
431	/* get a kerberos ticket for the service and extract the session key */
432	retval = cli_krb5_get_ticket(principal, time_offset,
433	&tkt, session_key_krb5, extra_ap_opts, NULL,
434	expire_time, NULL);
435
436	if (retval)
437	return retval;
438
439	/* wrap that up in a nice GSS-API wrapping */
440	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
441
442	/* and wrap that in a shiny SPNEGO wrapper */
443	*targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
444
445	data_blob_free(&tkt_wrapped);
446	data_blob_free(&tkt);
447
448	return retval;
449	}
450
451
452	/*
453	parse a spnego NTLMSSP challenge packet giving two security blobs
454	*/
455	bool spnego_parse_challenge(const DATA_BLOB blob,
456	DATA_BLOB chal1, DATA_BLOB chal2)
457	{
458	bool ret;
459	ASN1_DATA *data;
460
461	ZERO_STRUCTP(chal1);
462	ZERO_STRUCTP(chal2);
463
464	data = asn1_init(talloc_tos());
465	if (data == NULL) {
466	return false;
467	}
468
469	asn1_load(data, blob);
470	asn1_start_tag(data,ASN1_CONTEXT(1));
471	asn1_start_tag(data,ASN1_SEQUENCE(0));
472
473	asn1_start_tag(data,ASN1_CONTEXT(0));
474	asn1_check_enumerated(data,1);
475	asn1_end_tag(data);
476
477	asn1_start_tag(data,ASN1_CONTEXT(1));
478	asn1_check_OID(data, OID_NTLMSSP);
479	asn1_end_tag(data);
480
481	asn1_start_tag(data,ASN1_CONTEXT(2));
482	asn1_read_OctetString(data, talloc_autofree_context(), chal1);
483	asn1_end_tag(data);
484
485	/* the second challenge is optional (XP doesn't send it) */
486	if (asn1_tag_remaining(data)) {
487	asn1_start_tag(data,ASN1_CONTEXT(3));
488	asn1_read_OctetString(data, talloc_autofree_context(), chal2);
489	asn1_end_tag(data);
490	}
491
492	asn1_end_tag(data);
493	asn1_end_tag(data);
494
495	ret = !data->has_error;
496
497	if (data->has_error) {
498	data_blob_free(chal1);
499	data_blob_free(chal2);
500	}
501
502	asn1_free(data);
503	return ret;
504	}
505
506
507	/*
508	generate a SPNEGO auth packet. This will contain the encrypted passwords
509	*/
510	DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
511	{
512	ASN1_DATA *data;
513	DATA_BLOB ret;
514
515	data = asn1_init(talloc_tos());
516	if (data == NULL) {
517	return data_blob_null;
518	}
519
520	asn1_push_tag(data, ASN1_CONTEXT(1));
521	asn1_push_tag(data, ASN1_SEQUENCE(0));
522	asn1_push_tag(data, ASN1_CONTEXT(2));
523	asn1_write_OctetString(data,blob.data,blob.length);
524	asn1_pop_tag(data);
525	asn1_pop_tag(data);
526	asn1_pop_tag(data);
527
528	ret = data_blob(data->data, data->length);
529
530	asn1_free(data);
531
532	return ret;
533	}
534
535	/*
536	parse a SPNEGO auth packet. This contains the encrypted passwords
537	*/
538	bool spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
539	{
540	ssize_t len;
541	struct spnego_data token;
542
543	len = spnego_read_data(talloc_tos(), blob, &token);
544	if (len == -1) {
545	DEBUG(3,("spnego_parse_auth: spnego_read_data failed\n"));
546	return false;
547	}
548
549	if (token.type != SPNEGO_NEG_TOKEN_TARG) {
550	DEBUG(3,("spnego_parse_auth: wrong token type: %d\n",
551	token.type));
552	spnego_free_data(&token);
553	return false;
554	}
555
556	*auth = data_blob_talloc(talloc_tos(),
557	token.negTokenTarg.responseToken.data,
558	token.negTokenTarg.responseToken.length);
559	spnego_free_data(&token);
560
561	return true;
562	}
563
564	/*
565	generate a minimal SPNEGO response packet. Doesn't contain much.
566	*/
567	DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status,
568	const char *mechOID)
569	{
570	ASN1_DATA *data;
571	DATA_BLOB ret;
572	uint8 negResult;
573
574	if (NT_STATUS_IS_OK(nt_status)) {
575	negResult = SPNEGO_ACCEPT_COMPLETED;
576	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
577	negResult = SPNEGO_ACCEPT_INCOMPLETE;
578	} else {
579	negResult = SPNEGO_REJECT;
580	}
581
582	data = asn1_init(talloc_tos());
583	if (data == NULL) {
584	return data_blob_null;
585	}
586
587	asn1_push_tag(data, ASN1_CONTEXT(1));
588	asn1_push_tag(data, ASN1_SEQUENCE(0));
589	asn1_push_tag(data, ASN1_CONTEXT(0));
590	asn1_write_enumerated(data, negResult);
591	asn1_pop_tag(data);
592
593	if (mechOID) {
594	asn1_push_tag(data,ASN1_CONTEXT(1));
595	asn1_write_OID(data, mechOID);
596	asn1_pop_tag(data);
597	}
598
599	if (reply && reply->data != NULL) {
600	asn1_push_tag(data,ASN1_CONTEXT(2));
601	asn1_write_OctetString(data, reply->data, reply->length);
602	asn1_pop_tag(data);
603	}
604
605	asn1_pop_tag(data);
606	asn1_pop_tag(data);
607
608	ret = data_blob(data->data, data->length);
609	asn1_free(data);
610	return ret;
611	}
612
613	/*
614	parse a SPNEGO auth packet. This contains the encrypted passwords
615	*/
616	bool spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
617	const char *mechOID,
618	DATA_BLOB *auth)
619	{
620	ASN1_DATA *data;
621	uint8 negResult;
622
623	if (NT_STATUS_IS_OK(nt_status)) {
624	negResult = SPNEGO_ACCEPT_COMPLETED;
625	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
626	negResult = SPNEGO_ACCEPT_INCOMPLETE;
627	} else {
628	negResult = SPNEGO_REJECT;
629	}
630
631	data = asn1_init(talloc_tos());
632	if (data == NULL) {
633	return false;
634	}
635
636	asn1_load(data, blob);
637	asn1_start_tag(data, ASN1_CONTEXT(1));
638	asn1_start_tag(data, ASN1_SEQUENCE(0));
639	asn1_start_tag(data, ASN1_CONTEXT(0));
640	asn1_check_enumerated(data, negResult);
641	asn1_end_tag(data);
642
643	*auth = data_blob_null;
644
645	if (asn1_tag_remaining(data)) {
646	asn1_start_tag(data,ASN1_CONTEXT(1));
647	asn1_check_OID(data, mechOID);
648	asn1_end_tag(data);
649
650	if (asn1_tag_remaining(data)) {
651	asn1_start_tag(data,ASN1_CONTEXT(2));
652	asn1_read_OctetString(data, talloc_autofree_context(), auth);
653	asn1_end_tag(data);
654	}
655	} else if (negResult == SPNEGO_ACCEPT_INCOMPLETE) {
656	data->has_error = 1;
657	}
658
659	/* Binding against Win2K DC returns a duplicate of the responseToken in
660	* the optional mechListMIC field. This is a bug in Win2K. We ignore
661	* this field if it exists. Win2K8 may return a proper mechListMIC at
662	* which point we need to implement the integrity checking. */
663	if (asn1_tag_remaining(data)) {
664	DATA_BLOB mechList = data_blob_null;
665	asn1_start_tag(data, ASN1_CONTEXT(3));
666	asn1_read_OctetString(data, talloc_autofree_context(), &mechList);
667	asn1_end_tag(data);
668	data_blob_free(&mechList);
669	DEBUG(5,("spnego_parse_auth_response received mechListMIC, "
670	"ignoring.\n"));
671	}
672
673	asn1_end_tag(data);
674	asn1_end_tag(data);
675
676	if (data->has_error) {
677	DEBUG(3,("spnego_parse_auth_response failed at %d\n", (int)data->ofs));
678	asn1_free(data);
679	data_blob_free(auth);
680	return False;
681	}
682
683	asn1_free(data);
684	return True;
685	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: