Context Navigation

clispnego.c@ 739

Visit:

Last change on this file since 739 was 739, checked in by Silvan Scherrer, 13 years ago
Samba Server 3.5: update branche to 3.5.19
File size: 16.5 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	simple kerberos5/SPNEGO routines
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
6	Copyright (C) Luke Howard 2003
7
8	This program is free software; you can redistribute it and/or modify
9	it under the terms of the GNU General Public License as published by
10	the Free Software Foundation; either version 3 of the License, or
11	(at your option) any later version.
12
13	This program is distributed in the hope that it will be useful,
14	but WITHOUT ANY WARRANTY; without even the implied warranty of
15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	GNU General Public License for more details.
17
18	You should have received a copy of the GNU General Public License
19	along with this program. If not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	#include "includes.h"
23	#include "../libcli/auth/spnego.h"
24	#include "smb_krb5.h"
25
26	/*
27	generate a negTokenInit packet given a GUID, a list of supported
28	OIDs (the mechanisms) and a principal name string
29	*/
30	DATA_BLOB spnego_gen_negTokenInit(char guid[16],
31	const char *OIDs[],
32	const char *principal)
33	{
34	int i;
35	ASN1_DATA *data;
36	DATA_BLOB ret;
37
38	data = asn1_init(talloc_tos());
39	if (data == NULL) {
40	return data_blob_null;
41	}
42
43	asn1_write(data, guid, 16);
44	asn1_push_tag(data,ASN1_APPLICATION(0));
45	asn1_write_OID(data,OID_SPNEGO);
46	asn1_push_tag(data,ASN1_CONTEXT(0));
47	asn1_push_tag(data,ASN1_SEQUENCE(0));
48
49	asn1_push_tag(data,ASN1_CONTEXT(0));
50	asn1_push_tag(data,ASN1_SEQUENCE(0));
51	for (i=0; OIDs[i]; i++) {
52	asn1_write_OID(data,OIDs[i]);
53	}
54	asn1_pop_tag(data);
55	asn1_pop_tag(data);
56
57	asn1_push_tag(data, ASN1_CONTEXT(3));
58	asn1_push_tag(data, ASN1_SEQUENCE(0));
59	asn1_push_tag(data, ASN1_CONTEXT(0));
60	asn1_write_GeneralString(data,principal);
61	asn1_pop_tag(data);
62	asn1_pop_tag(data);
63	asn1_pop_tag(data);
64
65	asn1_pop_tag(data);
66	asn1_pop_tag(data);
67
68	asn1_pop_tag(data);
69
70	if (data->has_error) {
71	DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data->ofs));
72	}
73
74	ret = data_blob(data->data, data->length);
75	asn1_free(data);
76
77	return ret;
78	}
79
80	/*
81	Generate a negTokenInit as used by the client side ... It has a mechType
82	(OID), and a mechToken (a security blob) ...
83
84	Really, we need to break out the NTLMSSP stuff as well, because it could be
85	raw in the packets!
86	*/
87	DATA_BLOB gen_negTokenInit(const char *OID, DATA_BLOB blob)
88	{
89	ASN1_DATA *data;
90	DATA_BLOB ret;
91
92	data = asn1_init(talloc_tos());
93	if (data == NULL) {
94	return data_blob_null;
95	}
96
97	asn1_push_tag(data, ASN1_APPLICATION(0));
98	asn1_write_OID(data,OID_SPNEGO);
99	asn1_push_tag(data, ASN1_CONTEXT(0));
100	asn1_push_tag(data, ASN1_SEQUENCE(0));
101
102	asn1_push_tag(data, ASN1_CONTEXT(0));
103	asn1_push_tag(data, ASN1_SEQUENCE(0));
104	asn1_write_OID(data, OID);
105	asn1_pop_tag(data);
106	asn1_pop_tag(data);
107
108	asn1_push_tag(data, ASN1_CONTEXT(2));
109	asn1_write_OctetString(data,blob.data,blob.length);
110	asn1_pop_tag(data);
111
112	asn1_pop_tag(data);
113	asn1_pop_tag(data);
114
115	asn1_pop_tag(data);
116
117	if (data->has_error) {
118	DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data->ofs));
119	}
120
121	ret = data_blob(data->data, data->length);
122	asn1_free(data);
123
124	return ret;
125	}
126
127	/*
128	parse a negTokenInit packet giving a GUID, a list of supported
129	OIDs (the mechanisms) and a principal name string
130	*/
131	bool spnego_parse_negTokenInit(DATA_BLOB blob,
132	char *OIDs[ASN1_MAX_OIDS],
133	char **principal)
134	{
135	int i;
136	bool ret;
137	ASN1_DATA *data;
138
139	for (i = 0; i < ASN1_MAX_OIDS; i++) {
140	OIDs[i] = NULL;
141	}
142
143	data = asn1_init(talloc_tos());
144	if (data == NULL) {
145	return false;
146	}
147
148	asn1_load(data, blob);
149
150	asn1_start_tag(data,ASN1_APPLICATION(0));
151
152	asn1_check_OID(data,OID_SPNEGO);
153
154	/* negTokenInit [0] NegTokenInit */
155	asn1_start_tag(data,ASN1_CONTEXT(0));
156	asn1_start_tag(data,ASN1_SEQUENCE(0));
157
158	/* mechTypes [0] MechTypeList OPTIONAL */
159
160	/* Not really optional, we depend on this to decide
161	* what mechanisms we have to work with. */
162
163	asn1_start_tag(data,ASN1_CONTEXT(0));
164	asn1_start_tag(data,ASN1_SEQUENCE(0));
165	for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
166	const char *oid_str = NULL;
167	asn1_read_OID(data,talloc_autofree_context(),&oid_str);
168	if (data->has_error) {
169	break;
170	}
171	OIDs[i] = CONST_DISCARD(char *, oid_str);
172	}
173	OIDs[i] = NULL;
174	asn1_end_tag(data);
175	asn1_end_tag(data);
176
177	*principal = NULL;
178
179	/*
180	Win7 + Live Sign-in Assistant attaches a mechToken
181	ASN1_CONTEXT(2) to the negTokenInit packet
182	which breaks our negotiation if we just assume
183	the next tag is ASN1_CONTEXT(3).
184	*/
185
186	if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
187	uint8 flags;
188
189	/* reqFlags [1] ContextFlags OPTIONAL */
190	asn1_start_tag(data, ASN1_CONTEXT(1));
191	asn1_start_tag(data, ASN1_BIT_STRING);
192	while (asn1_tag_remaining(data) > 0) {
193	asn1_read_uint8(data, &flags);
194	}
195	asn1_end_tag(data);
196	asn1_end_tag(data);
197	}
198
199	if (asn1_peek_tag(data, ASN1_CONTEXT(2))) {
200	/* mechToken [2] OCTET STRING OPTIONAL */
201	DATA_BLOB token;
202	asn1_start_tag(data, ASN1_CONTEXT(2));
203	asn1_read_OctetString(data, talloc_autofree_context(),
204	&token);
205	asn1_end_tag(data);
206	/* Throw away the token - not used. */
207	data_blob_free(&token);
208	}
209
210	if (asn1_peek_tag(data, ASN1_CONTEXT(3))) {
211	/* mechListMIC [3] OCTET STRING OPTIONAL */
212	asn1_start_tag(data, ASN1_CONTEXT(3));
213	asn1_start_tag(data, ASN1_SEQUENCE(0));
214	asn1_start_tag(data, ASN1_CONTEXT(0));
215	asn1_read_GeneralString(data,talloc_autofree_context(),
216	principal);
217	asn1_end_tag(data);
218	asn1_end_tag(data);
219	asn1_end_tag(data);
220	}
221
222	asn1_end_tag(data);
223	asn1_end_tag(data);
224
225	asn1_end_tag(data);
226
227	ret = !data->has_error;
228	if (data->has_error) {
229	int j;
230	TALLOC_FREE(*principal);
231	for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) {
232	TALLOC_FREE(OIDs[j]);
233	}
234	}
235
236	asn1_free(data);
237	return ret;
238	}
239
240	/*
241	generate a negTokenTarg packet given a list of OIDs and a security blob
242	*/
243	DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob)
244	{
245	int i;
246	ASN1_DATA *data;
247	DATA_BLOB ret;
248
249	data = asn1_init(talloc_tos());
250	if (data == NULL) {
251	return data_blob_null;
252	}
253
254	asn1_push_tag(data, ASN1_APPLICATION(0));
255	asn1_write_OID(data,OID_SPNEGO);
256	asn1_push_tag(data, ASN1_CONTEXT(0));
257	asn1_push_tag(data, ASN1_SEQUENCE(0));
258
259	asn1_push_tag(data, ASN1_CONTEXT(0));
260	asn1_push_tag(data, ASN1_SEQUENCE(0));
261	for (i=0; OIDs[i]; i++) {
262	asn1_write_OID(data,OIDs[i]);
263	}
264	asn1_pop_tag(data);
265	asn1_pop_tag(data);
266
267	asn1_push_tag(data, ASN1_CONTEXT(2));
268	asn1_write_OctetString(data,blob.data,blob.length);
269	asn1_pop_tag(data);
270
271	asn1_pop_tag(data);
272	asn1_pop_tag(data);
273
274	asn1_pop_tag(data);
275
276	if (data->has_error) {
277	DEBUG(1,("Failed to build negTokenTarg at offset %d\n", (int)data->ofs));
278	}
279
280	ret = data_blob(data->data, data->length);
281	asn1_free(data);
282
283	return ret;
284	}
285
286	/*
287	parse a negTokenTarg packet giving a list of OIDs and a security blob
288	*/
289	bool parse_negTokenTarg(DATA_BLOB blob, char OIDs[ASN1_MAX_OIDS], DATA_BLOB secblob)
290	{
291	int i;
292	ASN1_DATA *data;
293
294	data = asn1_init(talloc_tos());
295	if (data == NULL) {
296	return false;
297	}
298
299	asn1_load(data, blob);
300	asn1_start_tag(data, ASN1_APPLICATION(0));
301	asn1_check_OID(data,OID_SPNEGO);
302	asn1_start_tag(data, ASN1_CONTEXT(0));
303	asn1_start_tag(data, ASN1_SEQUENCE(0));
304
305	asn1_start_tag(data, ASN1_CONTEXT(0));
306	asn1_start_tag(data, ASN1_SEQUENCE(0));
307	for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
308	const char *oid_str = NULL;
309	asn1_read_OID(data,talloc_autofree_context(),&oid_str);
310	OIDs[i] = CONST_DISCARD(char *, oid_str);
311	}
312	OIDs[i] = NULL;
313	asn1_end_tag(data);
314	asn1_end_tag(data);
315
316	/* Skip any optional req_flags that are sent per RFC 4178 */
317	if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
318	uint8 flags;
319
320	asn1_start_tag(data, ASN1_CONTEXT(1));
321	asn1_start_tag(data, ASN1_BIT_STRING);
322	while (asn1_tag_remaining(data) > 0)
323	asn1_read_uint8(data, &flags);
324	asn1_end_tag(data);
325	asn1_end_tag(data);
326	}
327
328	asn1_start_tag(data, ASN1_CONTEXT(2));
329	asn1_read_OctetString(data,talloc_autofree_context(),secblob);
330	asn1_end_tag(data);
331
332	asn1_end_tag(data);
333	asn1_end_tag(data);
334
335	asn1_end_tag(data);
336
337	if (data->has_error) {
338	int j;
339	data_blob_free(secblob);
340	for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) {
341	TALLOC_FREE(OIDs[j]);
342	}
343	DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data->ofs));
344	asn1_free(data);
345	return False;
346	}
347
348	asn1_free(data);
349	return True;
350	}
351
352	/*
353	generate a krb5 GSS-API wrapper packet given a ticket
354	*/
355	DATA_BLOB spnego_gen_krb5_wrap(const DATA_BLOB ticket, const uint8 tok_id[2])
356	{
357	ASN1_DATA *data;
358	DATA_BLOB ret;
359
360	data = asn1_init(talloc_tos());
361	if (data == NULL) {
362	return data_blob_null;
363	}
364
365	asn1_push_tag(data, ASN1_APPLICATION(0));
366	asn1_write_OID(data, OID_KERBEROS5);
367
368	asn1_write(data, tok_id, 2);
369	asn1_write(data, ticket.data, ticket.length);
370	asn1_pop_tag(data);
371
372	if (data->has_error) {
373	DEBUG(1,("Failed to build krb5 wrapper at offset %d\n", (int)data->ofs));
374	}
375
376	ret = data_blob(data->data, data->length);
377	asn1_free(data);
378
379	return ret;
380	}
381
382	/*
383	parse a krb5 GSS-API wrapper packet giving a ticket
384	*/
385	bool spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2])
386	{
387	bool ret;
388	ASN1_DATA *data;
389	int data_remaining;
390	*ticket = data_blob_null;
391
392	data = asn1_init(talloc_tos());
393	if (data == NULL) {
394	return false;
395	}
396
397	asn1_load(data, blob);
398	asn1_start_tag(data, ASN1_APPLICATION(0));
399	asn1_check_OID(data, OID_KERBEROS5);
400
401	data_remaining = asn1_tag_remaining(data);
402
403	if (data_remaining < 3) {
404	data->has_error = True;
405	} else {
406	asn1_read(data, tok_id, 2);
407	data_remaining -= 2;
408	*ticket = data_blob(NULL, data_remaining);
409	asn1_read(data, ticket->data, ticket->length);
410	}
411
412	asn1_end_tag(data);
413
414	ret = !data->has_error;
415
416	if (data->has_error) {
417	data_blob_free(ticket);
418	}
419
420	asn1_free(data);
421
422	return ret;
423	}
424
425
426	/*
427	generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
428	kerberos session setup
429	*/
430	int spnego_gen_negTokenTarg(const char *principal, int time_offset,
431	DATA_BLOB *targ,
432	DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
433	time_t *expire_time)
434	{
435	int retval;
436	DATA_BLOB tkt, tkt_wrapped;
437	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
438
439	/* get a kerberos ticket for the service and extract the session key */
440	retval = cli_krb5_get_ticket(principal, time_offset,
441	&tkt, session_key_krb5, extra_ap_opts, NULL,
442	expire_time, NULL);
443
444	if (retval)
445	return retval;
446
447	/* wrap that up in a nice GSS-API wrapping */
448	tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ);
449
450	/* and wrap that in a shiny SPNEGO wrapper */
451	*targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);
452
453	data_blob_free(&tkt_wrapped);
454	data_blob_free(&tkt);
455
456	return retval;
457	}
458
459
460	/*
461	parse a spnego NTLMSSP challenge packet giving two security blobs
462	*/
463	bool spnego_parse_challenge(const DATA_BLOB blob,
464	DATA_BLOB chal1, DATA_BLOB chal2)
465	{
466	bool ret;
467	ASN1_DATA *data;
468
469	ZERO_STRUCTP(chal1);
470	ZERO_STRUCTP(chal2);
471
472	data = asn1_init(talloc_tos());
473	if (data == NULL) {
474	return false;
475	}
476
477	asn1_load(data, blob);
478	asn1_start_tag(data,ASN1_CONTEXT(1));
479	asn1_start_tag(data,ASN1_SEQUENCE(0));
480
481	asn1_start_tag(data,ASN1_CONTEXT(0));
482	asn1_check_enumerated(data,1);
483	asn1_end_tag(data);
484
485	asn1_start_tag(data,ASN1_CONTEXT(1));
486	asn1_check_OID(data, OID_NTLMSSP);
487	asn1_end_tag(data);
488
489	asn1_start_tag(data,ASN1_CONTEXT(2));
490	asn1_read_OctetString(data, talloc_autofree_context(), chal1);
491	asn1_end_tag(data);
492
493	/* the second challenge is optional (XP doesn't send it) */
494	if (asn1_tag_remaining(data)) {
495	asn1_start_tag(data,ASN1_CONTEXT(3));
496	asn1_read_OctetString(data, talloc_autofree_context(), chal2);
497	asn1_end_tag(data);
498	}
499
500	asn1_end_tag(data);
501	asn1_end_tag(data);
502
503	ret = !data->has_error;
504
505	if (data->has_error) {
506	data_blob_free(chal1);
507	data_blob_free(chal2);
508	}
509
510	asn1_free(data);
511	return ret;
512	}
513
514
515	/*
516	generate a SPNEGO auth packet. This will contain the encrypted passwords
517	*/
518	DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
519	{
520	ASN1_DATA *data;
521	DATA_BLOB ret;
522
523	data = asn1_init(talloc_tos());
524	if (data == NULL) {
525	return data_blob_null;
526	}
527
528	asn1_push_tag(data, ASN1_CONTEXT(1));
529	asn1_push_tag(data, ASN1_SEQUENCE(0));
530	asn1_push_tag(data, ASN1_CONTEXT(2));
531	asn1_write_OctetString(data,blob.data,blob.length);
532	asn1_pop_tag(data);
533	asn1_pop_tag(data);
534	asn1_pop_tag(data);
535
536	ret = data_blob(data->data, data->length);
537
538	asn1_free(data);
539
540	return ret;
541	}
542
543	/*
544	parse a SPNEGO auth packet. This contains the encrypted passwords
545	*/
546	bool spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
547	{
548	ssize_t len;
549	struct spnego_data token;
550
551	len = spnego_read_data(talloc_tos(), blob, &token);
552	if (len == -1) {
553	DEBUG(3,("spnego_parse_auth: spnego_read_data failed\n"));
554	return false;
555	}
556
557	if (token.type != SPNEGO_NEG_TOKEN_TARG) {
558	DEBUG(3,("spnego_parse_auth: wrong token type: %d\n",
559	token.type));
560	spnego_free_data(&token);
561	return false;
562	}
563
564	*auth = data_blob_talloc(talloc_tos(),
565	token.negTokenTarg.responseToken.data,
566	token.negTokenTarg.responseToken.length);
567	spnego_free_data(&token);
568
569	return true;
570	}
571
572	/*
573	generate a minimal SPNEGO response packet. Doesn't contain much.
574	*/
575	DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status,
576	const char *mechOID)
577	{
578	ASN1_DATA *data;
579	DATA_BLOB ret;
580	uint8 negResult;
581
582	if (NT_STATUS_IS_OK(nt_status)) {
583	negResult = SPNEGO_ACCEPT_COMPLETED;
584	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
585	negResult = SPNEGO_ACCEPT_INCOMPLETE;
586	} else {
587	negResult = SPNEGO_REJECT;
588	}
589
590	data = asn1_init(talloc_tos());
591	if (data == NULL) {
592	return data_blob_null;
593	}
594
595	asn1_push_tag(data, ASN1_CONTEXT(1));
596	asn1_push_tag(data, ASN1_SEQUENCE(0));
597	asn1_push_tag(data, ASN1_CONTEXT(0));
598	asn1_write_enumerated(data, negResult);
599	asn1_pop_tag(data);
600
601	if (mechOID) {
602	asn1_push_tag(data,ASN1_CONTEXT(1));
603	asn1_write_OID(data, mechOID);
604	asn1_pop_tag(data);
605	}
606
607	if (reply && reply->data != NULL) {
608	asn1_push_tag(data,ASN1_CONTEXT(2));
609	asn1_write_OctetString(data, reply->data, reply->length);
610	asn1_pop_tag(data);
611	}
612
613	asn1_pop_tag(data);
614	asn1_pop_tag(data);
615
616	ret = data_blob(data->data, data->length);
617	asn1_free(data);
618	return ret;
619	}
620
621	/*
622	parse a SPNEGO auth packet. This contains the encrypted passwords
623	*/
624	bool spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
625	const char *mechOID,
626	DATA_BLOB *auth)
627	{
628	ASN1_DATA *data;
629	uint8 negResult;
630
631	if (NT_STATUS_IS_OK(nt_status)) {
632	negResult = SPNEGO_ACCEPT_COMPLETED;
633	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
634	negResult = SPNEGO_ACCEPT_INCOMPLETE;
635	} else {
636	negResult = SPNEGO_REJECT;
637	}
638
639	data = asn1_init(talloc_tos());
640	if (data == NULL) {
641	return false;
642	}
643
644	asn1_load(data, blob);
645	asn1_start_tag(data, ASN1_CONTEXT(1));
646	asn1_start_tag(data, ASN1_SEQUENCE(0));
647	asn1_start_tag(data, ASN1_CONTEXT(0));
648	asn1_check_enumerated(data, negResult);
649	asn1_end_tag(data);
650
651	*auth = data_blob_null;
652
653	if (asn1_tag_remaining(data)) {
654	asn1_start_tag(data,ASN1_CONTEXT(1));
655	asn1_check_OID(data, mechOID);
656	asn1_end_tag(data);
657
658	if (asn1_tag_remaining(data)) {
659	asn1_start_tag(data,ASN1_CONTEXT(2));
660	asn1_read_OctetString(data, talloc_autofree_context(), auth);
661	asn1_end_tag(data);
662	}
663	} else if (negResult == SPNEGO_ACCEPT_INCOMPLETE) {
664	data->has_error = 1;
665	}
666
667	/* Binding against Win2K DC returns a duplicate of the responseToken in
668	* the optional mechListMIC field. This is a bug in Win2K. We ignore
669	* this field if it exists. Win2K8 may return a proper mechListMIC at
670	* which point we need to implement the integrity checking. */
671	if (asn1_tag_remaining(data)) {
672	DATA_BLOB mechList = data_blob_null;
673	asn1_start_tag(data, ASN1_CONTEXT(3));
674	asn1_read_OctetString(data, talloc_autofree_context(), &mechList);
675	asn1_end_tag(data);
676	data_blob_free(&mechList);
677	DEBUG(5,("spnego_parse_auth_response received mechListMIC, "
678	"ignoring.\n"));
679	}
680
681	asn1_end_tag(data);
682	asn1_end_tag(data);
683
684	if (data->has_error) {
685	DEBUG(3,("spnego_parse_auth_response failed at %d\n", (int)data->ofs));
686	asn1_free(data);
687	data_blob_free(auth);
688	return False;
689	}
690
691	asn1_free(data);
692	return True;
693	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: branches/samba-3.5.x/source3/libsmb/clispnego.c@ 739

Download in other formats: