Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

spnego.c

Visit:

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated trunk to 3.6.0
File size: 38.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	RFC2478 Compliant SPNEGO implementation
5
6	Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8	Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20
21	You should have received a copy of the GNU General Public License
22	along with this program. If not, see <http://www.gnu.org/licenses/>.
23	*/
24
25	#include "includes.h"
26	#include "../libcli/auth/spnego.h"
27	#include "librpc/gen_ndr/ndr_dcerpc.h"
28	#include "auth/credentials/credentials.h"
29	#include "auth/gensec/gensec.h"
30	#include "auth/gensec/gensec_proto.h"
31	#include "param/param.h"
32
33	enum spnego_state_position {
34	SPNEGO_SERVER_START,
35	SPNEGO_CLIENT_START,
36	SPNEGO_SERVER_TARG,
37	SPNEGO_CLIENT_TARG,
38	SPNEGO_FALLBACK,
39	SPNEGO_DONE
40	};
41
42	struct spnego_state {
43	enum spnego_message_type expected_packet;
44	enum spnego_state_position state_position;
45	struct gensec_security *sub_sec_security;
46	bool no_response_expected;
47
48	const char *neg_oid;
49
50	DATA_BLOB mech_types;
51	};
52
53
54	static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
55	{
56	struct spnego_state *spnego_state;
57
58	spnego_state = talloc(gensec_security, struct spnego_state);
59	if (!spnego_state) {
60	return NT_STATUS_NO_MEMORY;
61	}
62
63	spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
64	spnego_state->state_position = SPNEGO_CLIENT_START;
65	spnego_state->sub_sec_security = NULL;
66	spnego_state->no_response_expected = false;
67	spnego_state->mech_types = data_blob(NULL, 0);
68
69	gensec_security->private_data = spnego_state;
70	return NT_STATUS_OK;
71	}
72
73	static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
74	{
75	struct spnego_state *spnego_state;
76
77	spnego_state = talloc(gensec_security, struct spnego_state);
78	if (!spnego_state) {
79	return NT_STATUS_NO_MEMORY;
80	}
81
82	spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
83	spnego_state->state_position = SPNEGO_SERVER_START;
84	spnego_state->sub_sec_security = NULL;
85	spnego_state->no_response_expected = false;
86	spnego_state->mech_types = data_blob(NULL, 0);
87
88	gensec_security->private_data = spnego_state;
89	return NT_STATUS_OK;
90	}
91
92	/*
93	wrappers for the spnego_*() functions
94	*/
95	static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_security,
96	TALLOC_CTX *mem_ctx,
97	uint8_t *data, size_t length,
98	const uint8_t *whole_pdu, size_t pdu_length,
99	const DATA_BLOB *sig)
100	{
101	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
102
103	if (spnego_state->state_position != SPNEGO_DONE
104	&& spnego_state->state_position != SPNEGO_FALLBACK) {
105	return NT_STATUS_INVALID_PARAMETER;
106	}
107
108	return gensec_unseal_packet(spnego_state->sub_sec_security,
109	mem_ctx,
110	data, length,
111	whole_pdu, pdu_length,
112	sig);
113	}
114
115	static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_security,
116	TALLOC_CTX *mem_ctx,
117	const uint8_t *data, size_t length,
118	const uint8_t *whole_pdu, size_t pdu_length,
119	const DATA_BLOB *sig)
120	{
121	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
122
123	if (spnego_state->state_position != SPNEGO_DONE
124	&& spnego_state->state_position != SPNEGO_FALLBACK) {
125	return NT_STATUS_INVALID_PARAMETER;
126	}
127
128	return gensec_check_packet(spnego_state->sub_sec_security,
129	mem_ctx,
130	data, length,
131	whole_pdu, pdu_length,
132	sig);
133	}
134
135	static NTSTATUS gensec_spnego_seal_packet(struct gensec_security *gensec_security,
136	TALLOC_CTX *mem_ctx,
137	uint8_t *data, size_t length,
138	const uint8_t *whole_pdu, size_t pdu_length,
139	DATA_BLOB *sig)
140	{
141	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
142
143	if (spnego_state->state_position != SPNEGO_DONE
144	&& spnego_state->state_position != SPNEGO_FALLBACK) {
145	return NT_STATUS_INVALID_PARAMETER;
146	}
147
148	return gensec_seal_packet(spnego_state->sub_sec_security,
149	mem_ctx,
150	data, length,
151	whole_pdu, pdu_length,
152	sig);
153	}
154
155	static NTSTATUS gensec_spnego_sign_packet(struct gensec_security *gensec_security,
156	TALLOC_CTX *mem_ctx,
157	const uint8_t *data, size_t length,
158	const uint8_t *whole_pdu, size_t pdu_length,
159	DATA_BLOB *sig)
160	{
161	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
162
163	if (spnego_state->state_position != SPNEGO_DONE
164	&& spnego_state->state_position != SPNEGO_FALLBACK) {
165	return NT_STATUS_INVALID_PARAMETER;
166	}
167
168	return gensec_sign_packet(spnego_state->sub_sec_security,
169	mem_ctx,
170	data, length,
171	whole_pdu, pdu_length,
172	sig);
173	}
174
175	static NTSTATUS gensec_spnego_wrap(struct gensec_security *gensec_security,
176	TALLOC_CTX *mem_ctx,
177	const DATA_BLOB *in,
178	DATA_BLOB *out)
179	{
180	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
181
182	if (spnego_state->state_position != SPNEGO_DONE
183	&& spnego_state->state_position != SPNEGO_FALLBACK) {
184	DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
185	return NT_STATUS_INVALID_PARAMETER;
186	}
187
188	return gensec_wrap(spnego_state->sub_sec_security,
189	mem_ctx, in, out);
190	}
191
192	static NTSTATUS gensec_spnego_unwrap(struct gensec_security *gensec_security,
193	TALLOC_CTX *mem_ctx,
194	const DATA_BLOB *in,
195	DATA_BLOB *out)
196	{
197	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
198
199	if (spnego_state->state_position != SPNEGO_DONE
200	&& spnego_state->state_position != SPNEGO_FALLBACK) {
201	DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
202	return NT_STATUS_INVALID_PARAMETER;
203	}
204
205	return gensec_unwrap(spnego_state->sub_sec_security,
206	mem_ctx, in, out);
207	}
208
209	static NTSTATUS gensec_spnego_wrap_packets(struct gensec_security *gensec_security,
210	TALLOC_CTX *mem_ctx,
211	const DATA_BLOB *in,
212	DATA_BLOB *out,
213	size_t *len_processed)
214	{
215	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
216
217	if (spnego_state->state_position != SPNEGO_DONE
218	&& spnego_state->state_position != SPNEGO_FALLBACK) {
219	DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
220	return NT_STATUS_INVALID_PARAMETER;
221	}
222
223	return gensec_wrap_packets(spnego_state->sub_sec_security,
224	mem_ctx, in, out,
225	len_processed);
226	}
227
228	static NTSTATUS gensec_spnego_packet_full_request(struct gensec_security *gensec_security,
229	DATA_BLOB blob, size_t *size)
230	{
231	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
232
233	if (spnego_state->state_position != SPNEGO_DONE
234	&& spnego_state->state_position != SPNEGO_FALLBACK) {
235	DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
236	return NT_STATUS_INVALID_PARAMETER;
237	}
238
239	return gensec_packet_full_request(spnego_state->sub_sec_security,
240	blob, size);
241	}
242
243	static NTSTATUS gensec_spnego_unwrap_packets(struct gensec_security *gensec_security,
244	TALLOC_CTX *mem_ctx,
245	const DATA_BLOB *in,
246	DATA_BLOB *out,
247	size_t *len_processed)
248	{
249	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
250
251	if (spnego_state->state_position != SPNEGO_DONE
252	&& spnego_state->state_position != SPNEGO_FALLBACK) {
253	DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
254	return NT_STATUS_INVALID_PARAMETER;
255	}
256
257	return gensec_unwrap_packets(spnego_state->sub_sec_security,
258	mem_ctx, in, out,
259	len_processed);
260	}
261
262	static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security, size_t data_size)
263	{
264	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
265
266	if (spnego_state->state_position != SPNEGO_DONE
267	&& spnego_state->state_position != SPNEGO_FALLBACK) {
268	return 0;
269	}
270
271	return gensec_sig_size(spnego_state->sub_sec_security, data_size);
272	}
273
274	static size_t gensec_spnego_max_input_size(struct gensec_security *gensec_security)
275	{
276	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
277
278	if (spnego_state->state_position != SPNEGO_DONE
279	&& spnego_state->state_position != SPNEGO_FALLBACK) {
280	return 0;
281	}
282
283	return gensec_max_input_size(spnego_state->sub_sec_security);
284	}
285
286	static size_t gensec_spnego_max_wrapped_size(struct gensec_security *gensec_security)
287	{
288	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
289
290	if (spnego_state->state_position != SPNEGO_DONE
291	&& spnego_state->state_position != SPNEGO_FALLBACK) {
292	return 0;
293	}
294
295	return gensec_max_wrapped_size(spnego_state->sub_sec_security);
296	}
297
298	static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_security,
299	DATA_BLOB *session_key)
300	{
301	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
302	if (!spnego_state->sub_sec_security) {
303	return NT_STATUS_INVALID_PARAMETER;
304	}
305
306	return gensec_session_key(spnego_state->sub_sec_security,
307	session_key);
308	}
309
310	static NTSTATUS gensec_spnego_session_info(struct gensec_security *gensec_security,
311	struct auth_session_info **session_info)
312	{
313	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
314	if (!spnego_state->sub_sec_security) {
315	return NT_STATUS_INVALID_PARAMETER;
316	}
317
318	return gensec_session_info(spnego_state->sub_sec_security,
319	session_info);
320	}
321
322	/** Fallback to another GENSEC mechanism, based on magic strings
323	*
324	* This is the 'fallback' case, where we don't get SPNEGO, and have to
325	* try all the other options (and hope they all have a magic string
326	* they check)
327	*/
328
329	static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
330	struct spnego_state *spnego_state,
331	TALLOC_CTX *out_mem_ctx,
332	const DATA_BLOB in, DATA_BLOB *out)
333	{
334	int i,j;
335	struct gensec_security_ops **all_ops
336	= gensec_security_mechs(gensec_security, out_mem_ctx);
337	for (i=0; all_ops[i]; i++) {
338	bool is_spnego;
339	NTSTATUS nt_status;
340
341	if (gensec_security != NULL &&
342	!gensec_security_ops_enabled(all_ops[i], gensec_security))
343	continue;
344
345	if (!all_ops[i]->oid) {
346	continue;
347	}
348
349	is_spnego = false;
350	for (j=0; all_ops[i]->oid[j]; j++) {
351	if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
352	is_spnego = true;
353	}
354	}
355	if (is_spnego) {
356	continue;
357	}
358
359	if (!all_ops[i]->magic) {
360	continue;
361	}
362
363	nt_status = all_ops[i]->magic(gensec_security, &in);
364	if (!NT_STATUS_IS_OK(nt_status)) {
365	continue;
366	}
367
368	spnego_state->state_position = SPNEGO_FALLBACK;
369
370	nt_status = gensec_subcontext_start(spnego_state,
371	gensec_security,
372	&spnego_state->sub_sec_security);
373
374	if (!NT_STATUS_IS_OK(nt_status)) {
375	return nt_status;
376	}
377	/* select the sub context */
378	nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
379	all_ops[i]);
380	if (!NT_STATUS_IS_OK(nt_status)) {
381	return nt_status;
382	}
383	nt_status = gensec_update(spnego_state->sub_sec_security,
384	out_mem_ctx, in, out);
385	return nt_status;
386	}
387	DEBUG(1, ("Failed to parse SPNEGO request\n"));
388	return NT_STATUS_INVALID_PARAMETER;
389
390	}
391
392	/*
393	Parse the netTokenInit, either from the client, to the server, or
394	from the server to the client.
395	*/
396
397	static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security,
398	struct spnego_state *spnego_state,
399	TALLOC_CTX *out_mem_ctx,
400	const char **mechType,
401	const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
402	{
403	int i;
404	NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
405	DATA_BLOB null_data_blob = data_blob(NULL,0);
406	bool ok;
407
408	const struct gensec_security_ops_wrapper *all_sec
409	= gensec_security_by_oid_list(gensec_security,
410	out_mem_ctx,
411	mechType,
412	GENSEC_OID_SPNEGO);
413
414	ok = spnego_write_mech_types(spnego_state,
415	mechType,
416	&spnego_state->mech_types);
417	if (!ok) {
418	DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
419	return NT_STATUS_NO_MEMORY;
420	}
421
422	if (spnego_state->state_position == SPNEGO_SERVER_START) {
423	uint32_t j;
424	for (j=0; mechType && mechType[j]; j++) {
425	for (i=0; all_sec && all_sec[i].op; i++) {
426	nt_status = gensec_subcontext_start(spnego_state,
427	gensec_security,
428	&spnego_state->sub_sec_security);
429	if (!NT_STATUS_IS_OK(nt_status)) {
430	return nt_status;
431	}
432	/* select the sub context */
433	nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
434	all_sec[i].op);
435	if (!NT_STATUS_IS_OK(nt_status)) {
436	talloc_free(spnego_state->sub_sec_security);
437	spnego_state->sub_sec_security = NULL;
438	break;
439	}
440
441	if (j > 0) {
442	/* no optimistic token */
443	spnego_state->neg_oid = all_sec[i].oid;
444	*unwrapped_out = data_blob_null;
445	nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
446	break;
447	}
448
449	nt_status = gensec_update(spnego_state->sub_sec_security,
450	out_mem_ctx,
451	unwrapped_in,
452	unwrapped_out);
453	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) \|\|
454	NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
455	/* Pretend we never started it (lets the first run find some incompatible demand) */
456
457	DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
458	spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
459	talloc_free(spnego_state->sub_sec_security);
460	spnego_state->sub_sec_security = NULL;
461	break;
462	}
463
464	spnego_state->neg_oid = all_sec[i].oid;
465	break;
466	}
467	if (spnego_state->sub_sec_security) {
468	break;
469	}
470	}
471
472	if (!spnego_state->sub_sec_security) {
473	DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
474	return NT_STATUS_INVALID_PARAMETER;
475	}
476	}
477
478	/* Having tried any optimistic token from the client (if we
479	* were the server), if we didn't get anywhere, walk our list
480	* in our preference order */
481
482	if (!spnego_state->sub_sec_security) {
483	for (i=0; all_sec && all_sec[i].op; i++) {
484	nt_status = gensec_subcontext_start(spnego_state,
485	gensec_security,
486	&spnego_state->sub_sec_security);
487	if (!NT_STATUS_IS_OK(nt_status)) {
488	return nt_status;
489	}
490	/* select the sub context */
491	nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
492	all_sec[i].op);
493	if (!NT_STATUS_IS_OK(nt_status)) {
494	talloc_free(spnego_state->sub_sec_security);
495	spnego_state->sub_sec_security = NULL;
496	continue;
497	}
498
499	spnego_state->neg_oid = all_sec[i].oid;
500
501	/* only get the helping start blob for the first OID */
502	nt_status = gensec_update(spnego_state->sub_sec_security,
503	out_mem_ctx,
504	null_data_blob,
505	unwrapped_out);
506
507	/* it is likely that a NULL input token will
508	* not be liked by most server mechs, but if
509	* we are in the client, we want the first
510	* update packet to be able to abort the use
511	* of this mech */
512	if (spnego_state->state_position != SPNEGO_SERVER_START) {
513	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) \|\|
514	NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) \|\|
515	NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) \|\|
516	NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
517	/* Pretend we never started it (lets the first run find some incompatible demand) */
518
519	DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n",
520	spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
521	talloc_free(spnego_state->sub_sec_security);
522	spnego_state->sub_sec_security = NULL;
523	continue;
524	}
525	}
526
527	break;
528	}
529	}
530
531	if (spnego_state->sub_sec_security) {
532	/* it is likely that a NULL input token will
533	* not be liked by most server mechs, but this
534	* does the right thing in the CIFS client.
535	* just push us along the merry-go-round
536	* again, and hope for better luck next
537	* time */
538
539	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
540	*unwrapped_out = data_blob(NULL, 0);
541	nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
542	}
543
544	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
545	&& !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
546	&& !NT_STATUS_IS_OK(nt_status)) {
547	DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
548	spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
549	talloc_free(spnego_state->sub_sec_security);
550	spnego_state->sub_sec_security = NULL;
551
552	/* We started the mech correctly, and the
553	* input from the other side was valid.
554	* Return the error (say bad password, invalid
555	* ticket) */
556	return nt_status;
557	}
558
559
560	return nt_status; /* OK, INVALID_PARAMETER ore MORE PROCESSING */
561	}
562
563	DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
564	/* we could re-negotiate here, but it would only work
565	* if the client or server lied about what it could
566	* support the first time. Lets keep this code to
567	* reality */
568
569	return nt_status;
570	}
571
572	/** create a negTokenInit
573	*
574	* This is the same packet, no matter if the client or server sends it first, but it is always the first packet
575	*/
576	static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security,
577	struct spnego_state *spnego_state,
578	TALLOC_CTX *out_mem_ctx,
579	const DATA_BLOB in, DATA_BLOB *out)
580	{
581	int i;
582	NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
583	DATA_BLOB null_data_blob = data_blob(NULL,0);
584	const char **mechTypes = NULL;
585	DATA_BLOB unwrapped_out = data_blob(NULL, 0);
586	const struct gensec_security_ops_wrapper *all_sec;
587
588	mechTypes = gensec_security_oids(gensec_security,
589	out_mem_ctx, GENSEC_OID_SPNEGO);
590
591	all_sec = gensec_security_by_oid_list(gensec_security,
592	out_mem_ctx,
593	mechTypes,
594	GENSEC_OID_SPNEGO);
595	for (i=0; all_sec && all_sec[i].op; i++) {
596	struct spnego_data spnego_out;
597	const char **send_mech_types;
598	bool ok;
599
600	nt_status = gensec_subcontext_start(spnego_state,
601	gensec_security,
602	&spnego_state->sub_sec_security);
603	if (!NT_STATUS_IS_OK(nt_status)) {
604	return nt_status;
605	}
606	/* select the sub context */
607	nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
608	all_sec[i].op);
609	if (!NT_STATUS_IS_OK(nt_status)) {
610	talloc_free(spnego_state->sub_sec_security);
611	spnego_state->sub_sec_security = NULL;
612	continue;
613	}
614
615	/* In the client, try and produce the first (optimistic) packet */
616	if (spnego_state->state_position == SPNEGO_CLIENT_START) {
617	nt_status = gensec_update(spnego_state->sub_sec_security,
618	out_mem_ctx,
619	null_data_blob,
620	&unwrapped_out);
621
622	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
623	&& !NT_STATUS_IS_OK(nt_status)) {
624	DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
625	spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
626	talloc_free(spnego_state->sub_sec_security);
627	spnego_state->sub_sec_security = NULL;
628	/* Pretend we never started it (lets the first run find some incompatible demand) */
629
630	continue;
631	}
632	}
633
634	spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
635
636	send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
637	&all_sec[i]);
638
639	ok = spnego_write_mech_types(spnego_state,
640	send_mech_types,
641	&spnego_state->mech_types);
642	if (!ok) {
643	DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
644	return NT_STATUS_NO_MEMORY;
645	}
646
647	/* List the remaining mechs as options */
648	spnego_out.negTokenInit.mechTypes = send_mech_types;
649	spnego_out.negTokenInit.reqFlags = null_data_blob;
650	spnego_out.negTokenInit.reqFlagsPadding = 0;
651
652	if (spnego_state->state_position == SPNEGO_SERVER_START) {
653	spnego_out.negTokenInit.mechListMIC
654	= data_blob_string_const(ADS_IGNORE_PRINCIPAL);
655	} else {
656	spnego_out.negTokenInit.mechListMIC = null_data_blob;
657	}
658
659	spnego_out.negTokenInit.mechToken = unwrapped_out;
660
661	if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
662	DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
663	return NT_STATUS_INVALID_PARAMETER;
664	}
665
666	/* set next state */
667	spnego_state->neg_oid = all_sec[i].oid;
668
669	if (NT_STATUS_IS_OK(nt_status)) {
670	spnego_state->no_response_expected = true;
671	}
672
673	return NT_STATUS_MORE_PROCESSING_REQUIRED;
674	}
675	talloc_free(spnego_state->sub_sec_security);
676	spnego_state->sub_sec_security = NULL;
677
678	DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
679	return NT_STATUS_INVALID_PARAMETER;
680	}
681
682
683	/** create a server negTokenTarg
684	*
685	* This is the case, where the client is the first one who sends data
686	*/
687
688	static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec_security,
689	struct spnego_state *spnego_state,
690	TALLOC_CTX *out_mem_ctx,
691	NTSTATUS nt_status,
692	const DATA_BLOB unwrapped_out,
693	DATA_BLOB mech_list_mic,
694	DATA_BLOB *out)
695	{
696	struct spnego_data spnego_out;
697	DATA_BLOB null_data_blob = data_blob(NULL, 0);
698
699	/* compose reply */
700	spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
701	spnego_out.negTokenTarg.responseToken = unwrapped_out;
702	spnego_out.negTokenTarg.mechListMIC = null_data_blob;
703	spnego_out.negTokenTarg.supportedMech = NULL;
704
705	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
706	spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
707	spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
708	spnego_state->state_position = SPNEGO_SERVER_TARG;
709	} else if (NT_STATUS_IS_OK(nt_status)) {
710	if (unwrapped_out.data) {
711	spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
712	}
713	spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
714	spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
715	spnego_state->state_position = SPNEGO_DONE;
716	} else {
717	spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
718	DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
719	spnego_state->state_position = SPNEGO_DONE;
720	}
721
722	if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
723	DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
724	return NT_STATUS_INVALID_PARAMETER;
725	}
726
727	spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
728
729	return nt_status;
730	}
731
732
733	static NTSTATUS gensec_spnego_update(struct gensec_security gensec_security, TALLOC_CTX out_mem_ctx,
734	const DATA_BLOB in, DATA_BLOB *out)
735	{
736	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
737	DATA_BLOB null_data_blob = data_blob(NULL, 0);
738	DATA_BLOB mech_list_mic = data_blob(NULL, 0);
739	DATA_BLOB unwrapped_out = data_blob(NULL, 0);
740	struct spnego_data spnego_out;
741	struct spnego_data spnego;
742
743	ssize_t len;
744
745	*out = data_blob(NULL, 0);
746
747	if (!out_mem_ctx) {
748	out_mem_ctx = spnego_state;
749	}
750
751	/* and switch into the state machine */
752
753	switch (spnego_state->state_position) {
754	case SPNEGO_FALLBACK:
755	return gensec_update(spnego_state->sub_sec_security,
756	out_mem_ctx, in, out);
757	case SPNEGO_SERVER_START:
758	{
759	NTSTATUS nt_status;
760	if (in.length) {
761
762	len = spnego_read_data(gensec_security, in, &spnego);
763	if (len == -1) {
764	return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
765	out_mem_ctx, in, out);
766	}
767	/* client sent NegTargetInit, we send NegTokenTarg */
768
769	/* OK, so it's real SPNEGO, check the packet's the one we expect */
770	if (spnego.type != spnego_state->expected_packet) {
771	DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
772	spnego_state->expected_packet));
773	dump_data(1, in.data, in.length);
774	spnego_free_data(&spnego);
775	return NT_STATUS_INVALID_PARAMETER;
776	}
777
778	nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
779	spnego_state,
780	out_mem_ctx,
781	spnego.negTokenInit.mechTypes,
782	spnego.negTokenInit.mechToken,
783	&unwrapped_out);
784
785	nt_status = gensec_spnego_server_negTokenTarg(gensec_security,
786	spnego_state,
787	out_mem_ctx,
788	nt_status,
789	unwrapped_out,
790	null_data_blob,
791	out);
792
793	spnego_free_data(&spnego);
794
795	return nt_status;
796	} else {
797	nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
798	out_mem_ctx, in, out);
799	spnego_state->state_position = SPNEGO_SERVER_START;
800	spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
801	return nt_status;
802	}
803	}
804
805	case SPNEGO_CLIENT_START:
806	{
807	/* The server offers a list of mechanisms */
808
809	const char *my_mechs[] = {NULL, NULL};
810	NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
811
812	if (!in.length) {
813	/* client to produce negTokenInit */
814	nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
815	out_mem_ctx, in, out);
816	spnego_state->state_position = SPNEGO_CLIENT_TARG;
817	spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
818	return nt_status;
819	}
820
821	len = spnego_read_data(gensec_security, in, &spnego);
822
823	if (len == -1) {
824	DEBUG(1, ("Invalid SPNEGO request:\n"));
825	dump_data(1, in.data, in.length);
826	return NT_STATUS_INVALID_PARAMETER;
827	}
828
829	/* OK, so it's real SPNEGO, check the packet's the one we expect */
830	if (spnego.type != spnego_state->expected_packet) {
831	DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
832	spnego_state->expected_packet));
833	dump_data(1, in.data, in.length);
834	spnego_free_data(&spnego);
835	return NT_STATUS_INVALID_PARAMETER;
836	}
837
838	if (spnego.negTokenInit.targetPrincipal
839	&& strcmp(spnego.negTokenInit.targetPrincipal, ADS_IGNORE_PRINCIPAL) != 0) {
840	DEBUG(5, ("Server claims it's principal name is %s\n", spnego.negTokenInit.targetPrincipal));
841	if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
842	gensec_set_target_principal(gensec_security, spnego.negTokenInit.targetPrincipal);
843	}
844	}
845
846	nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
847	spnego_state,
848	out_mem_ctx,
849	spnego.negTokenInit.mechTypes,
850	spnego.negTokenInit.mechToken,
851	&unwrapped_out);
852
853	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
854	spnego_free_data(&spnego);
855	return nt_status;
856	}
857
858	my_mechs[0] = spnego_state->neg_oid;
859	/* compose reply */
860	spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
861	spnego_out.negTokenInit.mechTypes = my_mechs;
862	spnego_out.negTokenInit.reqFlags = null_data_blob;
863	spnego_out.negTokenInit.reqFlagsPadding = 0;
864	spnego_out.negTokenInit.mechListMIC = null_data_blob;
865	spnego_out.negTokenInit.mechToken = unwrapped_out;
866
867	if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
868	DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
869	return NT_STATUS_INVALID_PARAMETER;
870	}
871
872	/* set next state */
873	spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
874	spnego_state->state_position = SPNEGO_CLIENT_TARG;
875
876	if (NT_STATUS_IS_OK(nt_status)) {
877	spnego_state->no_response_expected = true;
878	}
879
880	spnego_free_data(&spnego);
881	return NT_STATUS_MORE_PROCESSING_REQUIRED;
882	}
883	case SPNEGO_SERVER_TARG:
884	{
885	NTSTATUS nt_status;
886	bool new_spnego = false;
887
888	if (!in.length) {
889	return NT_STATUS_INVALID_PARAMETER;
890	}
891
892	len = spnego_read_data(gensec_security, in, &spnego);
893
894	if (len == -1) {
895	DEBUG(1, ("Invalid SPNEGO request:\n"));
896	dump_data(1, in.data, in.length);
897	return NT_STATUS_INVALID_PARAMETER;
898	}
899
900	/* OK, so it's real SPNEGO, check the packet's the one we expect */
901	if (spnego.type != spnego_state->expected_packet) {
902	DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
903	spnego_state->expected_packet));
904	dump_data(1, in.data, in.length);
905	spnego_free_data(&spnego);
906	return NT_STATUS_INVALID_PARAMETER;
907	}
908
909	if (!spnego_state->sub_sec_security) {
910	DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
911	spnego_free_data(&spnego);
912	return NT_STATUS_INVALID_PARAMETER;
913	}
914
915	nt_status = gensec_update(spnego_state->sub_sec_security,
916	out_mem_ctx,
917	spnego.negTokenTarg.responseToken,
918	&unwrapped_out);
919	if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
920	new_spnego = true;
921	nt_status = gensec_check_packet(spnego_state->sub_sec_security,
922	out_mem_ctx,
923	spnego_state->mech_types.data,
924	spnego_state->mech_types.length,
925	spnego_state->mech_types.data,
926	spnego_state->mech_types.length,
927	&spnego.negTokenTarg.mechListMIC);
928	if (!NT_STATUS_IS_OK(nt_status)) {
929	DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
930	nt_errstr(nt_status)));
931	}
932	}
933	if (NT_STATUS_IS_OK(nt_status) && new_spnego) {
934	nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
935	out_mem_ctx,
936	spnego_state->mech_types.data,
937	spnego_state->mech_types.length,
938	spnego_state->mech_types.data,
939	spnego_state->mech_types.length,
940	&mech_list_mic);
941	if (!NT_STATUS_IS_OK(nt_status)) {
942	DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
943	nt_errstr(nt_status)));
944	}
945	}
946
947	nt_status = gensec_spnego_server_negTokenTarg(gensec_security,
948	spnego_state,
949	out_mem_ctx,
950	nt_status,
951	unwrapped_out,
952	mech_list_mic,
953	out);
954
955	spnego_free_data(&spnego);
956
957	return nt_status;
958	}
959	case SPNEGO_CLIENT_TARG:
960	{
961	NTSTATUS nt_status;
962	if (!in.length) {
963	return NT_STATUS_INVALID_PARAMETER;
964	}
965
966	len = spnego_read_data(gensec_security, in, &spnego);
967
968	if (len == -1) {
969	DEBUG(1, ("Invalid SPNEGO request:\n"));
970	dump_data(1, in.data, in.length);
971	return NT_STATUS_INVALID_PARAMETER;
972	}
973
974	/* OK, so it's real SPNEGO, check the packet's the one we expect */
975	if (spnego.type != spnego_state->expected_packet) {
976	DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
977	spnego_state->expected_packet));
978	dump_data(1, in.data, in.length);
979	spnego_free_data(&spnego);
980	return NT_STATUS_INVALID_PARAMETER;
981	}
982
983	if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
984	spnego_free_data(&spnego);
985	return NT_STATUS_ACCESS_DENIED;
986	}
987
988	/* Server didn't like our choice of mech, and chose something else */
989	if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) &&
990	spnego.negTokenTarg.supportedMech &&
991	strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
992	DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
993	gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech),
994	gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid)));
995
996	talloc_free(spnego_state->sub_sec_security);
997	nt_status = gensec_subcontext_start(spnego_state,
998	gensec_security,
999	&spnego_state->sub_sec_security);
1000	if (!NT_STATUS_IS_OK(nt_status)) {
1001	spnego_free_data(&spnego);
1002	return nt_status;
1003	}
1004	/* select the sub context */
1005	nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
1006	spnego.negTokenTarg.supportedMech);
1007	if (!NT_STATUS_IS_OK(nt_status)) {
1008	spnego_free_data(&spnego);
1009	return nt_status;
1010	}
1011
1012	nt_status = gensec_update(spnego_state->sub_sec_security,
1013	out_mem_ctx,
1014	spnego.negTokenTarg.responseToken,
1015	&unwrapped_out);
1016	spnego_state->neg_oid = talloc_strdup(spnego_state, spnego.negTokenTarg.supportedMech);
1017	} else if (spnego_state->no_response_expected) {
1018	if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
1019	DEBUG(3,("GENSEC SPNEGO: client GENSEC accepted, but server rejected (bad password?)\n"));
1020	nt_status = NT_STATUS_INVALID_PARAMETER;
1021	} else if (spnego.negTokenTarg.responseToken.length) {
1022	DEBUG(2,("GENSEC SPNEGO: client GENSEC accepted, but server continued negotiation!\n"));
1023	nt_status = NT_STATUS_INVALID_PARAMETER;
1024	} else {
1025	nt_status = NT_STATUS_OK;
1026	}
1027	if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
1028	nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1029	out_mem_ctx,
1030	spnego_state->mech_types.data,
1031	spnego_state->mech_types.length,
1032	spnego_state->mech_types.data,
1033	spnego_state->mech_types.length,
1034	&spnego.negTokenTarg.mechListMIC);
1035	if (!NT_STATUS_IS_OK(nt_status)) {
1036	DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1037	nt_errstr(nt_status)));
1038	}
1039	}
1040	} else {
1041	bool new_spnego = false;
1042
1043	nt_status = gensec_update(spnego_state->sub_sec_security,
1044	out_mem_ctx,
1045	spnego.negTokenTarg.responseToken,
1046	&unwrapped_out);
1047
1048	if (NT_STATUS_IS_OK(nt_status)
1049	&& spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
1050	new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
1051	GENSEC_FEATURE_NEW_SPNEGO);
1052	}
1053	if (NT_STATUS_IS_OK(nt_status) && new_spnego) {
1054	nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
1055	out_mem_ctx,
1056	spnego_state->mech_types.data,
1057	spnego_state->mech_types.length,
1058	spnego_state->mech_types.data,
1059	spnego_state->mech_types.length,
1060	&mech_list_mic);
1061	if (!NT_STATUS_IS_OK(nt_status)) {
1062	DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
1063	nt_errstr(nt_status)));
1064	}
1065	}
1066	if (NT_STATUS_IS_OK(nt_status)) {
1067	spnego_state->no_response_expected = true;
1068	}
1069	}
1070
1071	spnego_free_data(&spnego);
1072
1073	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
1074	&& !NT_STATUS_IS_OK(nt_status)) {
1075	DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
1076	spnego_state->sub_sec_security->ops->name,
1077	nt_errstr(nt_status)));
1078	return nt_status;
1079	}
1080
1081	if (unwrapped_out.length \|\| mech_list_mic.length) {
1082	/* compose reply */
1083	spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
1084	spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
1085	spnego_out.negTokenTarg.supportedMech = NULL;
1086	spnego_out.negTokenTarg.responseToken = unwrapped_out;
1087	spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
1088
1089	if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
1090	DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
1091	return NT_STATUS_INVALID_PARAMETER;
1092	}
1093
1094	spnego_state->state_position = SPNEGO_CLIENT_TARG;
1095	nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1096	} else {
1097
1098	/* all done - server has accepted, and we agree */
1099	*out = null_data_blob;
1100
1101	if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
1102	/* unless of course it did not accept */
1103	DEBUG(1,("gensec_update ok but not accepted\n"));
1104	nt_status = NT_STATUS_INVALID_PARAMETER;
1105	}
1106
1107	spnego_state->state_position = SPNEGO_DONE;
1108	}
1109
1110	return nt_status;
1111	}
1112	case SPNEGO_DONE:
1113	/* We should not be called after we are 'done' */
1114	return NT_STATUS_INVALID_PARAMETER;
1115	}
1116	return NT_STATUS_INVALID_PARAMETER;
1117	}
1118
1119	static void gensec_spnego_want_feature(struct gensec_security *gensec_security,
1120	uint32_t feature)
1121	{
1122	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
1123
1124	if (!spnego_state \|\| !spnego_state->sub_sec_security) {
1125	gensec_security->want_features \|= feature;
1126	return;
1127	}
1128
1129	gensec_want_feature(spnego_state->sub_sec_security,
1130	feature);
1131	}
1132
1133	static bool gensec_spnego_have_feature(struct gensec_security *gensec_security,
1134	uint32_t feature)
1135	{
1136	struct spnego_state spnego_state = (struct spnego_state )gensec_security->private_data;
1137	if (!spnego_state->sub_sec_security) {
1138	return false;
1139	}
1140
1141	return gensec_have_feature(spnego_state->sub_sec_security,
1142	feature);
1143	}
1144
1145	static const char *gensec_spnego_oids[] = {
1146	GENSEC_OID_SPNEGO,
1147	NULL
1148	};
1149
1150	static const struct gensec_security_ops gensec_spnego_security_ops = {
1151	.name = "spnego",
1152	.sasl_name = "GSS-SPNEGO",
1153	.auth_type = DCERPC_AUTH_TYPE_SPNEGO,
1154	.oid = gensec_spnego_oids,
1155	.client_start = gensec_spnego_client_start,
1156	.server_start = gensec_spnego_server_start,
1157	.update = gensec_spnego_update,
1158	.seal_packet = gensec_spnego_seal_packet,
1159	.sign_packet = gensec_spnego_sign_packet,
1160	.sig_size = gensec_spnego_sig_size,
1161	.max_wrapped_size = gensec_spnego_max_wrapped_size,
1162	.max_input_size = gensec_spnego_max_input_size,
1163	.check_packet = gensec_spnego_check_packet,
1164	.unseal_packet = gensec_spnego_unseal_packet,
1165	.packet_full_request = gensec_spnego_packet_full_request,
1166	.wrap = gensec_spnego_wrap,
1167	.unwrap = gensec_spnego_unwrap,
1168	.wrap_packets = gensec_spnego_wrap_packets,
1169	.unwrap_packets = gensec_spnego_unwrap_packets,
1170	.session_key = gensec_spnego_session_key,
1171	.session_info = gensec_spnego_session_info,
1172	.want_feature = gensec_spnego_want_feature,
1173	.have_feature = gensec_spnego_have_feature,
1174	.enabled = true,
1175	.priority = GENSEC_SPNEGO
1176	};
1177
1178	_PUBLIC_ NTSTATUS gensec_spnego_init(void)
1179	{
1180	NTSTATUS ret;
1181	ret = gensec_register(&gensec_spnego_security_ops);
1182	if (!NT_STATUS_IS_OK(ret)) {
1183	DEBUG(0,("Failed to register '%s' gensec backend!\n",
1184	gensec_spnego_security_ops.name));
1185	return ret;
1186	}
1187
1188	return ret;
1189	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/server/source4/auth/gensec/spnego.c

Download in other formats: