1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
samba-mirror/auth/gensec/spnego.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

2250 lines
59 KiB
C
Raw Normal View History

/*
Unix SMB/CIFS implementation.
RFC2478 Compliant SPNEGO implementation
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include <tevent.h>
#include "lib/util/tevent_ntstatus.h"
2009-09-17 02:21:01 +04:00
#include "../libcli/auth/spnego.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "param/param.h"
#include "lib/util/asn1.h"
#include "lib/util/base64.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
#undef strcasecmp
_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
enum spnego_state_position {
SPNEGO_SERVER_START,
SPNEGO_CLIENT_START,
SPNEGO_SERVER_TARG,
SPNEGO_CLIENT_TARG,
SPNEGO_FALLBACK,
SPNEGO_DONE
};
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
struct spnego_state;
struct spnego_neg_ops;
struct spnego_neg_state;
struct spnego_neg_state {
const struct spnego_neg_ops *ops;
const struct gensec_security_ops_wrapper *all_sec;
size_t all_idx;
const char * const *mech_types;
size_t mech_idx;
};
struct spnego_neg_ops {
const char *name;
/*
* The start hook does the initial processing on the incoming packet and
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
* may starts the first possible subcontext. It indicates that
* gensec_update() is required on the subcontext by returning
* NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
* 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
* caller should treat 'in_next' as const and don't attempt to free the
* content. NT_STATUS_OK indicates the finish hook should be invoked
* directly within the need of gensec_update() on the subcontext.
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
* Every other error indicates an error that's returned to the caller.
*/
NTSTATUS (*start_fn)(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next);
/*
* The step hook processes the result of a failed gensec_update() and
* can decide to ignore a failure and continue the negotiation by
* setting up the next possible subcontext. It indicates that
* gensec_update() is required on the subcontext by returning
* NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
* 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
* caller should treat 'in_next' as const and don't attempt to free the
* content. NT_STATUS_OK indicates the finish hook should be invoked
* directly within the need of gensec_update() on the subcontext.
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
* Every other error indicates an error that's returned to the caller.
*/
NTSTATUS (*step_fn)(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next);
/*
* The finish hook processes the result of a successful gensec_update()
* (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the
* response pdu that will be returned from the toplevel gensec_update()
* together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It
* may also alter the state machine to prepare receiving the next pdu
* from the peer.
*/
NTSTATUS (*finish_fn)(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out);
};
struct spnego_state {
enum spnego_message_type expected_packet;
enum spnego_state_position state_position;
struct gensec_security *sub_sec_security;
bool sub_sec_ready;
const char *neg_oid;
DATA_BLOB mech_types;
size_t num_targs;
bool downgraded;
bool mic_requested;
bool needs_mic_sign;
bool needs_mic_check;
bool may_skip_mic_check;
bool done_mic_check;
bool simulate_w2k;
bool no_optimistic;
/*
* The following is used to implement
* the update token fragmentation
*/
size_t in_needed;
DATA_BLOB in_frag;
size_t out_max_length;
DATA_BLOB out_frag;
NTSTATUS out_status;
};
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
static struct spnego_neg_state *gensec_spnego_neg_state(TALLOC_CTX *mem_ctx,
const struct spnego_neg_ops *ops)
{
struct spnego_neg_state *n = NULL;
n = talloc_zero(mem_ctx, struct spnego_neg_state);
if (n == NULL) {
return NULL;
}
n->ops = ops;
return n;
}
static void gensec_spnego_reset_sub_sec(struct spnego_state *spnego_state)
{
spnego_state->sub_sec_ready = false;
TALLOC_FREE(spnego_state->sub_sec_security);
}
static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
spnego_state = talloc_zero(gensec_security, struct spnego_state);
if (!spnego_state) {
return NT_STATUS_NO_MEMORY;
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_CLIENT_START;
spnego_state->sub_sec_security = NULL;
spnego_state->sub_sec_ready = false;
spnego_state->mech_types = data_blob_null;
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
"spnego", "simulate_w2k", false);
spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
"spnego",
"client_no_optimistic",
false);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
spnego_state = talloc_zero(gensec_security, struct spnego_state);
if (!spnego_state) {
return NT_STATUS_NO_MEMORY;
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_SERVER_START;
spnego_state->sub_sec_security = NULL;
spnego_state->sub_sec_ready = false;
spnego_state->mech_types = data_blob_null;
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
"spnego", "simulate_w2k", false);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
/** Fallback to another GENSEC mechanism, based on magic strings
*
* This is the 'fallback' case, where we don't get SPNEGO, and have to
* try all the other options (and hope they all have a magic string
* they check)
*/
static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *mem_ctx,
const DATA_BLOB in)
{
int i,j;
const struct gensec_security_ops **all_ops;
all_ops = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; all_ops && all_ops[i]; i++) {
bool is_spnego;
NTSTATUS nt_status;
if (gensec_security != NULL &&
!gensec_security_ops_enabled(all_ops[i], gensec_security))
{
continue;
}
if (!all_ops[i]->oid) {
continue;
}
is_spnego = false;
for (j=0; all_ops[i]->oid[j]; j++) {
if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
is_spnego = true;
}
}
if (is_spnego) {
continue;
}
if (!all_ops[i]->magic) {
continue;
}
nt_status = all_ops[i]->magic(gensec_security, &in);
if (!NT_STATUS_IS_OK(nt_status)) {
continue;
}
spnego_state->state_position = SPNEGO_FALLBACK;
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
/* select the sub context */
nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
all_ops[i]);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
return NT_STATUS_OK;
}
DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
static NTSTATUS gensec_spnego_create_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
n->mech_idx = 0;
n->mech_types = gensec_security_oids(gensec_security, n,
GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
DBG_WARNING("gensec_security_oids() failed\n");
return NT_STATUS_NO_MEMORY;
}
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
n->all_idx = 0;
n->all_sec = gensec_security_by_oid_list(gensec_security,
n, n->mech_types,
GENSEC_OID_SPNEGO);
if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
return NT_STATUS_NO_MEMORY;
}
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
return n->ops->step_fn(gensec_security, spnego_state, n,
spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
}
static NTSTATUS gensec_spnego_create_negTokenInit_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (!NT_STATUS_IS_OK(last_status)) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
const struct gensec_security_ops_wrapper *next_sec = NULL;
const char *next = NULL;
const char *principal = NULL;
int dbg_level = DBGLVL_WARNING;
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
NTSTATUS status = last_status;
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
if (cur_sec[1].op != NULL) {
next_sec = &cur_sec[1];
}
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
if (next_sec != NULL) {
next = next_sec->op->name;
dbg_level = DBGLVL_NOTICE;
}
if (gensec_security->target.principal != NULL) {
principal = gensec_security->target.principal;
} else if (gensec_security->target.service != NULL &&
gensec_security->target.hostname != NULL)
{
principal = talloc_asprintf(spnego_state->sub_sec_security,
"%s/%s",
gensec_security->target.service,
gensec_security->target.hostname);
} else {
principal = gensec_security->target.hostname;
}
DBG_PREFIX(dbg_level, (
"%s: creating NEG_TOKEN_INIT for %s failed "
"(next[%s]): %s\n", cur_sec->op->name,
principal, next, nt_errstr(status)));
if (next == NULL) {
/*
* A hard error without a possible fallback.
*/
return status;
}
/*
* Pretend we never started it
*/
gensec_spnego_reset_sub_sec(spnego_state);
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
/*
* And try the next one...
*/
n->all_idx += 1;
}
for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
NTSTATUS status;
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
gensec_spnego_reset_sub_sec(spnego_state);
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
continue;
}
/* In the client, try and produce the first (optimistic) packet */
if (spnego_state->state_position == SPNEGO_CLIENT_START) {
*in_next = data_blob_null;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
*in_next = data_blob_null;
return NT_STATUS_OK;
}
DBG_WARNING("Failed to setup SPNEGO negTokenInit request\n");
return NT_STATUS_INVALID_PARAMETER;
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
}
static NTSTATUS gensec_spnego_create_negTokenInit_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
struct spnego_data spnego_out;
bool ok;
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
n->mech_types = gensec_security_oids_from_ops_wrapped(n, cur_sec);
if (n->mech_types == NULL) {
DBG_WARNING("gensec_security_oids_from_ops_wrapped() failed\n");
return NT_STATUS_NO_MEMORY;
}
ok = spnego_write_mech_types(spnego_state,
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
n->mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("Failed to write mechTypes\n");
return NT_STATUS_NO_MEMORY;
}
/* List the remaining mechs as options */
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
spnego_out.negTokenInit.mechTypes = n->mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
if (spnego_state->state_position == SPNEGO_SERVER_START) {
spnego_out.negTokenInit.mechListMIC
= data_blob_string_const(ADS_IGNORE_PRINCIPAL);
} else {
spnego_out.negTokenInit.mechListMIC = data_blob_null;
}
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
spnego_out.negTokenInit.mechToken = sub_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_ERR("Failed to write NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
* backends gensec_security_ops structure.
*/
spnego_state->neg_oid = cur_sec->oid;
/* set next state */
if (spnego_state->state_position == SPNEGO_SERVER_START) {
spnego_state->state_position = SPNEGO_SERVER_START;
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
} else {
spnego_state->state_position = SPNEGO_CLIENT_TARG;
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
}
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions This adds and uses the gensec_spnego_neg_loop() abstraction, which abstracts start, step and finish hooks. The start hook does the initial processing on the incoming paket and may start the first possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoked directly withing the need of gensec_update() on the subcontext. Every other error indicates an error that's returned to the caller. The step hook processes the result of a failed gensec_update() and can decide to ignore a failure or continue the negotiation by setting up the next possible subcontext. It indicates that gensec_update() is required on the subcontext by returning NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the caller should treat 'in_next' as const and don't attempt to free the content. NT_STATUS_OK indicates the finish hook should be invoced directly withing the need of gensec_update() on the subcontext. Every other error indicated an error that's returned to the caller. The finish hook processes the result of a successful gensec_update() (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the response pdu that will be returned from the toplevel gensec_update() together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It may also alter the state machine to prepare receiving the next pdu from the peer. This is the start of using this abstraction for the initial client or server start with on empty input token from the peer. This abstraction will be applied to all four other spnego states, gensec_spnego_{client,server}_negToken{Init,Targ}() in the following commits. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-14 02:52:09 +03:00
static const struct spnego_neg_ops gensec_spnego_create_negTokenInit_ops = {
.name = "create_negTokenInit",
.start_fn = gensec_spnego_create_negTokenInit_start,
.step_fn = gensec_spnego_create_negTokenInit_step,
.finish_fn = gensec_spnego_create_negTokenInit_finish,
};
static NTSTATUS gensec_spnego_client_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
const char *tp = NULL;
/* The server offers a list of mechanisms */
tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DBG_INFO("Server claims it's principal name is %s\n", tp);
if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
gensec_set_target_principal(gensec_security, tp);
}
}
n->mech_idx = 0;
/* Do not use server mech list as it isn't protected. Instead, get all
* supported mechs (excluding SPNEGO). */
n->mech_types = gensec_security_oids(gensec_security, n,
GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
n->all_idx = 0;
n->all_sec = gensec_security_by_oid_list(gensec_security,
n, n->mech_types,
GENSEC_OID_SPNEGO);
if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
return NT_STATUS_INVALID_PARAMETER;
}
return n->ops->step_fn(gensec_security, spnego_state, n,
spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
}
static NTSTATUS gensec_spnego_client_negTokenInit_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (!NT_STATUS_IS_OK(last_status)) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
const struct gensec_security_ops_wrapper *next_sec = NULL;
const char *next = NULL;
const char *principal = NULL;
int dbg_level = DBGLVL_WARNING;
bool allow_fallback = false;
NTSTATUS status = last_status;
if (cur_sec[1].op != NULL) {
next_sec = &cur_sec[1];
}
/*
* it is likely that a NULL input token will
* not be liked by most server mechs, but if
* we are in the client, we want the first
* update packet to be able to abort the use
* of this mech
*/
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME) ||
NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME) ||
NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN) ||
NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
{
allow_fallback = true;
}
if (allow_fallback && next_sec != NULL) {
next = next_sec->op->name;
dbg_level = DBGLVL_NOTICE;
}
if (gensec_security->target.principal != NULL) {
principal = gensec_security->target.principal;
} else if (gensec_security->target.service != NULL &&
gensec_security->target.hostname != NULL)
{
principal = talloc_asprintf(spnego_state->sub_sec_security,
"%s/%s",
gensec_security->target.service,
gensec_security->target.hostname);
} else {
principal = gensec_security->target.hostname;
}
DBG_PREFIX(dbg_level, (
"%s: creating NEG_TOKEN_INIT for %s failed "
"(next[%s]): %s\n", cur_sec->op->name,
principal, next, nt_errstr(status)));
if (next == NULL) {
/*
* A hard error without a possible fallback.
*/
return status;
}
/*
* Pretend we never started it.
*/
gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one...
*/
n->all_idx += 1;
}
for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
NTSTATUS status;
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
* backends gensec_security_ops structure.
*/
spnego_state->neg_oid = cur_sec->oid;
/*
* As client we don't use an optimistic token from the server.
* But try to produce one for the server.
*/
*in_next = data_blob_null;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS gensec_spnego_client_negTokenInit_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
struct spnego_data spnego_out;
const char * const *mech_types = NULL;
bool ok;
if (n->mech_types == NULL) {
DBG_WARNING("No mech_types list\n");
return NT_STATUS_INVALID_PARAMETER;
}
for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
int cmp = strcmp(*mech_types, spnego_state->neg_oid);
if (cmp == 0) {
break;
}
}
if (*mech_types == NULL) {
DBG_ERR("Can't find selected sub mechanism in mech_types\n");
return NT_STATUS_INVALID_PARAMETER;
}
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
spnego_out.negTokenInit.mechTypes = mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
spnego_out.negTokenInit.mechListMIC = data_blob_null;
spnego_out.negTokenInit.mechToken = sub_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
ok = spnego_write_mech_types(spnego_state,
mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");
return NT_STATUS_NO_MEMORY;
}
/* set next state */
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static const struct spnego_neg_ops gensec_spnego_client_negTokenInit_ops = {
.name = "client_negTokenInit",
.start_fn = gensec_spnego_client_negTokenInit_start,
.step_fn = gensec_spnego_client_negTokenInit_step,
.finish_fn = gensec_spnego_client_negTokenInit_finish,
};
static NTSTATUS gensec_spnego_client_negTokenTarg_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
NTSTATUS status;
spnego_state->num_targs++;
if (ta->negResult == SPNEGO_REJECT) {
return NT_STATUS_LOGON_FAILURE;
}
if (ta->negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
if (ta->mechListMIC.length > 0) {
DATA_BLOB *m = &ta->mechListMIC;
const DATA_BLOB *r = &ta->responseToken;
/*
* Windows 2000 has a bug, it repeats the
* responseToken in the mechListMIC field.
*/
if (m->length == r->length) {
int cmp;
cmp = memcmp(m->data, r->data, m->length);
if (cmp == 0) {
data_blob_free(m);
}
}
}
/* Server didn't like our choice of mech, and chose something else */
if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
(ta->negResult == SPNEGO_REQUEST_MIC)) &&
ta->supportedMech != NULL &&
strcmp(ta->supportedMech, spnego_state->neg_oid) != 0)
{
const char *client_mech = NULL;
const char *client_oid = NULL;
const char *server_mech = NULL;
const char *server_oid = NULL;
client_mech = gensec_get_name_by_oid(gensec_security,
spnego_state->neg_oid);
client_oid = spnego_state->neg_oid;
server_mech = gensec_get_name_by_oid(gensec_security,
ta->supportedMech);
server_oid = ta->supportedMech;
DBG_NOTICE("client preferred mech (%s[%s]) not accepted, "
"server wants: %s[%s]\n",
client_mech, client_oid, server_mech, server_oid);
spnego_state->downgraded = true;
gensec_spnego_reset_sub_sec(spnego_state);
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
ta->supportedMech);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
spnego_state->neg_oid = talloc_strdup(spnego_state,
ta->supportedMech);
if (spnego_state->neg_oid == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
if (ta->mechListMIC.length > 0) {
if (spnego_state->sub_sec_ready) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
if (ta->responseToken.length != 0) {
DBG_WARNING("non empty response token not expected\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (ta->mechListMIC.length == 0
&& spnego_state->may_skip_mic_check) {
/*
* In this case we don't require
* a mechListMIC from the server.
*
* This works around bugs in the Azure
* and Apple spnego implementations.
*
* See
* https://bugzilla.samba.org/show_bug.cgi?id=11994
*/
spnego_state->needs_mic_check = false;
return NT_STATUS_OK;
}
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
return NT_STATUS_OK;
}
if (!spnego_state->sub_sec_ready) {
*in_next = ta->responseToken;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
return NT_STATUS_OK;
}
static NTSTATUS gensec_spnego_client_negTokenTarg_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
DBG_WARNING("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(last_status));
return last_status;
}
/*
* This should never be reached!
* The step function is only called on errors!
*/
smb_panic(__location__);
return NT_STATUS_INTERNAL_ERROR;
}
static NTSTATUS gensec_spnego_client_negTokenTarg_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
const struct spnego_negTokenTarg *ta =
&spnego_in->negTokenTarg;
DATA_BLOB mech_list_mic = data_blob_null;
NTSTATUS status;
struct spnego_data spnego_out;
if (!spnego_state->sub_sec_ready) {
/*
* We're not yet ready to deal with signatures.
*/
goto client_response;
}
if (spnego_state->done_mic_check) {
/*
* We already checked the mic,
* either the in last round here
* in gensec_spnego_client_negTokenTarg_finish()
* or during this round in
* gensec_spnego_client_negTokenTarg_start().
*
* Both cases we're sure we don't have to
* call gensec_sign_packet().
*/
goto client_response;
}
if (spnego_state->may_skip_mic_check) {
/*
* This can only be set during
* the last round here in
* gensec_spnego_client_negTokenTarg_finish()
* below. And during this round
* we already passed the checks in
* gensec_spnego_client_negTokenTarg_start().
*
* So we need to skip to deal with
* any signatures now.
*/
goto client_response;
}
if (!spnego_state->done_mic_check) {
bool have_sign = true;
bool new_spnego = false;
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_SIGN);
if (spnego_state->simulate_w2k) {
have_sign = false;
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
switch (ta->negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
/*
* the first exchange doesn't require
* verification
*/
new_spnego = false;
}
break;
case SPNEGO_ACCEPT_INCOMPLETE:
if (ta->mechListMIC.length > 0) {
new_spnego = true;
break;
}
if (spnego_state->downgraded) {
/*
* A downgrade should be protected if
* supported
*/
break;
}
/*
* The caller may just asked for
* GENSEC_FEATURE_SESSION_KEY, this
* is only reflected in the want_features.
*
* As it will imply
* gensec_have_features(GENSEC_FEATURE_SIGN)
* to return true.
*/
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
break;
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
break;
}
/*
* Here we're sure our preferred mech was
* selected by the server and our caller doesn't
* need GENSEC_FEATURE_SIGN nor
* GENSEC_FEATURE_SEAL support.
*
* In this case we don't require
* a mechListMIC from the server.
*
* This works around bugs in the Azure
* and Apple spnego implementations.
*
* See
* https://bugzilla.samba.org/show_bug.cgi?id=11994
*/
spnego_state->may_skip_mic_check = true;
break;
case SPNEGO_REQUEST_MIC:
if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
break;
default:
break;
}
if (spnego_state->mic_requested) {
if (have_sign) {
new_spnego = true;
}
}
if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
}
if (ta->mechListMIC.length > 0) {
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
}
if (spnego_state->needs_mic_sign) {
status = gensec_sign_packet(spnego_state->sub_sec_security,
n,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&mech_list_mic);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to sign mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_sign = false;
}
client_response:
if (sub_out.length == 0 && mech_list_mic.length == 0) {
*out = data_blob_null;
if (!spnego_state->sub_sec_ready) {
/* somethings wrong here... */
DBG_ERR("gensec_update not ready without output\n");
return NT_STATUS_INTERNAL_ERROR;
}
if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
/* unless of course it did not accept */
DBG_WARNING("gensec_update ok but not accepted\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (!spnego_state->needs_mic_check) {
spnego_state->state_position = SPNEGO_DONE;
return NT_STATUS_OK;
}
}
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
spnego_out.negTokenTarg.supportedMech = NULL;
spnego_out.negTokenTarg.responseToken = sub_out;
spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_WARNING("Failed to write NEG_TOKEN_TARG\n");
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->num_targs++;
/* set next state */
spnego_state->state_position = SPNEGO_CLIENT_TARG;
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static const struct spnego_neg_ops gensec_spnego_client_negTokenTarg_ops = {
.name = "client_negTokenTarg",
.start_fn = gensec_spnego_client_negTokenTarg_start,
.step_fn = gensec_spnego_client_negTokenTarg_step,
.finish_fn = gensec_spnego_client_negTokenTarg_finish,
};
/** create a server negTokenTarg
*
* This is the case, where the client is the first one who sends data
*/
static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
NTSTATUS nt_status,
const DATA_BLOB unwrapped_out,
DATA_BLOB mech_list_mic,
DATA_BLOB *out)
{
struct spnego_data spnego_out;
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
spnego_out.negTokenTarg.supportedMech = NULL;
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
if (spnego_state->mic_requested) {
spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
spnego_state->mic_requested = false;
} else {
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
}
spnego_state->state_position = SPNEGO_SERVER_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
if (unwrapped_out.data) {
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
}
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
spnego_state->state_position = SPNEGO_DONE;
}
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->num_targs++;
return nt_status;
}
static NTSTATUS gensec_spnego_server_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
bool ok;
n->mech_idx = 0;
n->mech_types = spnego_in->negTokenInit.mechTypes;
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
n->all_idx = 0;
n->all_sec = gensec_security_by_oid_list(gensec_security,
n, n->mech_types,
GENSEC_OID_SPNEGO);
if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
return NT_STATUS_INVALID_PARAMETER;
}
ok = spnego_write_mech_types(spnego_state,
n->mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("Failed to write mechTypes\n");
return NT_STATUS_NO_MEMORY;
}
return n->ops->step_fn(gensec_security, spnego_state, n,
spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
}
static NTSTATUS gensec_spnego_server_negTokenInit_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (!NT_STATUS_IS_OK(last_status)) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
const char *next_mech = n->mech_types[n->mech_idx+1];
const struct gensec_security_ops_wrapper *next_sec = NULL;
const char *next = NULL;
int dbg_level = DBGLVL_WARNING;
bool allow_fallback = false;
NTSTATUS status = last_status;
size_t i;
for (i = 0; next_mech != NULL && n->all_sec[i].op != NULL; i++) {
if (strcmp(next_mech, n->all_sec[i].oid) != 0) {
continue;
}
next_sec = &n->all_sec[i];
break;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
{
allow_fallback = true;
}
if (allow_fallback && next_sec != NULL) {
next = next_sec->op->name;
dbg_level = DBGLVL_NOTICE;
}
DBG_PREFIX(dbg_level, (
"%s: parsing NEG_TOKEN_INIT content failed "
"(next[%s]): %s\n", cur_sec->op->name,
next, nt_errstr(status)));
if (next == NULL) {
/*
* A hard error without a possible fallback.
*/
return status;
}
/*
* Pretend we never started it
*/
gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one, based on the clients
* mech type list...
*/
n->mech_idx += 1;
}
/*
* we always reset all_idx here, as the negotiation is
* done via mech_idx!
*/
n->all_idx = 0;
for (; n->mech_types[n->mech_idx] != NULL; n->mech_idx++) {
const char *cur_mech = n->mech_types[n->mech_idx];
const struct gensec_security_ops_wrapper *cur_sec = NULL;
NTSTATUS status;
DATA_BLOB sub_in = data_blob_null;
size_t i;
for (i = 0; n->all_sec[i].op != NULL; i++) {
if (strcmp(cur_mech, n->all_sec[i].oid) != 0) {
continue;
}
cur_sec = &n->all_sec[i];
n->all_idx = i;
break;
}
if (cur_sec == NULL) {
continue;
}
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
/*
* Pretend we never started it
*/
gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
if (n->mech_idx == 0) {
/*
* We can use the optimistic token.
*/
sub_in = spnego_in->negTokenInit.mechToken;
} else {
/*
* Indicate the downgrade and request a
* mic.
*/
spnego_state->downgraded = true;
spnego_state->mic_requested = true;
}
if (sub_in.length == 0) {
spnego_state->no_optimistic = true;
}
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
* backends gensec_security_ops structure.
*/
spnego_state->neg_oid = cur_sec->oid;
/* we need some content from the mech */
*in_next = sub_in;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS gensec_spnego_server_negTokenInit_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
DATA_BLOB mech_list_mic = data_blob_null;
if (spnego_state->simulate_w2k) {
/*
* Windows 2000 returns the unwrapped token
* also in the mech_list_mic field.
*
* In order to verify our client code,
* we need a way to have a server with this
* broken behaviour
*/
mech_list_mic = sub_out;
}
return gensec_spnego_server_response(spnego_state,
out_mem_ctx,
sub_status,
sub_out,
mech_list_mic,
out);
}
static const struct spnego_neg_ops gensec_spnego_server_negTokenInit_ops = {
.name = "server_negTokenInit",
.start_fn = gensec_spnego_server_negTokenInit_start,
.step_fn = gensec_spnego_server_negTokenInit_step,
.finish_fn = gensec_spnego_server_negTokenInit_finish,
};
static NTSTATUS gensec_spnego_server_negTokenTarg_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
NTSTATUS status;
spnego_state->num_targs++;
if (spnego_state->sub_sec_security == NULL) {
DBG_ERR("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->needs_mic_check) {
if (ta->responseToken.length != 0) {
DBG_WARNING("non empty response token not expected\n");
return NT_STATUS_INVALID_PARAMETER;
}
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
return NT_STATUS_OK;
}
if (!spnego_state->sub_sec_ready) {
*in_next = ta->responseToken;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
return NT_STATUS_OK;
}
static NTSTATUS gensec_spnego_server_negTokenTarg_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
DBG_NOTICE("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(last_status));
return last_status;
}
/*
* This should never be reached!
* The step function is only called on errors!
*/
smb_panic(__location__);
return NT_STATUS_INTERNAL_ERROR;
}
static NTSTATUS gensec_spnego_server_negTokenTarg_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
DATA_BLOB mech_list_mic = data_blob_null;
NTSTATUS status;
bool have_sign = true;
bool new_spnego = false;
status = sub_status;
if (!spnego_state->sub_sec_ready) {
/*
* We're not yet ready to deal with signatures.
*/
goto server_response;
}
if (spnego_state->done_mic_check) {
/*
* We already checked the mic,
* either the in last round here
* in gensec_spnego_server_negTokenTarg_finish()
* or during this round in
* gensec_spnego_server_negTokenTarg_start().
*
* Both cases we're sure we don't have to
* call gensec_sign_packet().
*/
goto server_response;
}
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_SIGN);
if (spnego_state->simulate_w2k) {
have_sign = false;
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
if (have_sign && ta->mechListMIC.length > 0) {
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
}
if (spnego_state->needs_mic_sign) {
status = gensec_sign_packet(spnego_state->sub_sec_security,
n,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&mech_list_mic);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to sign mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_sign = false;
}
if (spnego_state->needs_mic_check) {
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
server_response:
return gensec_spnego_server_response(spnego_state,
out_mem_ctx,
status,
sub_out,
mech_list_mic,
out);
}
static const struct spnego_neg_ops gensec_spnego_server_negTokenTarg_ops = {
.name = "server_negTokenTarg",
.start_fn = gensec_spnego_server_negTokenTarg_start,
.step_fn = gensec_spnego_server_negTokenTarg_step,
.finish_fn = gensec_spnego_server_negTokenTarg_finish,
};
struct gensec_spnego_update_state {
struct tevent_context *ev;
struct gensec_security *gensec;
struct spnego_state *spnego;
DATA_BLOB full_in;
struct spnego_data _spnego_in;
struct spnego_data *spnego_in;
struct {
bool needed;
DATA_BLOB in;
NTSTATUS status;
DATA_BLOB out;
} sub;
struct spnego_neg_state *n;
NTSTATUS status;
DATA_BLOB out;
};
static void gensec_spnego_update_cleanup(struct tevent_req *req,
enum tevent_req_state req_state)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
switch (req_state) {
case TEVENT_REQ_USER_ERROR:
case TEVENT_REQ_TIMED_OUT:
case TEVENT_REQ_NO_MEMORY:
/*
* A fatal error, further updates are not allowed.
*/
state->spnego->state_position = SPNEGO_DONE;
break;
default:
break;
}
}
static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in);
static void gensec_spnego_update_pre(struct tevent_req *req);
static void gensec_spnego_update_done(struct tevent_req *subreq);
static void gensec_spnego_update_post(struct tevent_req *req);
static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out);
static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_security *gensec_security,
const DATA_BLOB in)
{
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
struct tevent_req *req = NULL;
struct gensec_spnego_update_state *state = NULL;
NTSTATUS status;
ssize_t len;
req = tevent_req_create(mem_ctx, &state,
struct gensec_spnego_update_state);
if (req == NULL) {
return NULL;
}
state->ev = ev;
state->gensec = gensec_security;
state->spnego = spnego_state;
tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
if (spnego_state->out_frag.length > 0) {
if (in.length > 0) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
status = gensec_spnego_update_out(gensec_security,
state, &state->out);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
state->status = status;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
status = gensec_spnego_update_in(gensec_security, in,
state, &state->full_in);
state->status = status;
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
tevent_req_done(req);
return tevent_req_post(req, ev);
}
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
/* Check if we got a valid SPNEGO blob... */
switch (spnego_state->state_position) {
case SPNEGO_FALLBACK:
break;
case SPNEGO_CLIENT_TARG:
case SPNEGO_SERVER_TARG:
if (state->full_in.length == 0) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
FALL_THROUGH;
case SPNEGO_CLIENT_START:
case SPNEGO_SERVER_START:
if (state->full_in.length == 0) {
/* create_negTokenInit later */
break;
}
len = spnego_read_data(state,
state->full_in,
&state->_spnego_in);
if (len == -1) {
if (spnego_state->state_position != SPNEGO_SERVER_START) {
DEBUG(1, ("Invalid SPNEGO request:\n"));
dump_data(1, state->full_in.data,
state->full_in.length);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
/*
* This is the 'fallback' case, where we don't get
* SPNEGO, and have to try all the other options (and
* hope they all have a magic string they check)
*/
status = gensec_spnego_server_try_fallback(gensec_security,
spnego_state,
state,
state->full_in);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
/*
* We'll continue with SPNEGO_FALLBACK below...
*/
break;
}
state->spnego_in = &state->_spnego_in;
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (state->spnego_in->type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
state->spnego_in->type,
spnego_state->expected_packet));
dump_data(1, state->full_in.data,
state->full_in.length);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
break;
default:
smb_panic(__location__);
return NULL;
}
gensec_spnego_update_pre(req);
if (!tevent_req_is_in_progress(req)) {
return tevent_req_post(req, ev);
}
if (state->sub.needed) {
struct tevent_req *subreq = NULL;
/*
* We may need one more roundtrip...
*/
subreq = gensec_update_send(state, state->ev,
spnego_state->sub_sec_security,
state->sub.in);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq,
gensec_spnego_update_done,
req);
state->sub.needed = false;
return req;
}
gensec_spnego_update_post(req);
if (!tevent_req_is_in_progress(req)) {
return tevent_req_post(req, ev);
}
return req;
}
static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in)
{
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
size_t expected;
bool ok;
*full_in = data_blob_null;
switch (spnego_state->state_position) {
case SPNEGO_FALLBACK:
*full_in = in;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
case SPNEGO_CLIENT_START:
case SPNEGO_CLIENT_TARG:
case SPNEGO_SERVER_START:
case SPNEGO_SERVER_TARG:
break;
case SPNEGO_DONE:
default:
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->in_needed == 0) {
size_t size = 0;
int ret;
/*
* try to work out the size of the full
* input token, it might be fragmented
*/
ret = asn1_peek_full_tag(in, ASN1_APPLICATION(0), &size);
if ((ret != 0) && (ret != EAGAIN)) {
ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
}
if ((ret == 0) || (ret == EAGAIN)) {
spnego_state->in_needed = size;
} else {
/*
* If it is not an asn1 message
* just call the next layer.
*/
spnego_state->in_needed = in.length;
}
}
if (spnego_state->in_needed > UINT16_MAX) {
/*
* limit the incoming message to 0xFFFF
* to avoid DoS attacks.
*/
return NT_STATUS_INVALID_BUFFER_SIZE;
}
if ((spnego_state->in_needed > 0) && (in.length == 0)) {
/*
* If we reach this, we know we got at least
* part of an asn1 message, getting 0 means
* the remote peer wants us to spin.
*/
return NT_STATUS_INVALID_PARAMETER;
}
expected = spnego_state->in_needed - spnego_state->in_frag.length;
if (in.length > expected) {
/*
* we got more than expected
*/
return NT_STATUS_INVALID_PARAMETER;
}
if (in.length == spnego_state->in_needed) {
/*
* if the in.length contains the full blob
* we are done.
*
* Note: this implies spnego_state->in_frag.length == 0,
* but we do not need to check this explicitly
* because we already know that we did not get
* more than expected.
*/
*full_in = in;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
}
ok = data_blob_append(spnego_state, &spnego_state->in_frag,
in.data, in.length);
if (!ok) {
return NT_STATUS_NO_MEMORY;
}
if (spnego_state->in_needed > spnego_state->in_frag.length) {
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
*full_in = spnego_state->in_frag;
talloc_steal(mem_ctx, full_in->data);
spnego_state->in_frag = data_blob_null;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
}
static void gensec_spnego_update_pre(struct tevent_req *req)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
const struct spnego_neg_ops *ops = NULL;
NTSTATUS status;
state->sub.needed = false;
state->sub.in = data_blob_null;
state->sub.status = NT_STATUS_INTERNAL_ERROR;
state->sub.out = data_blob_null;
if (spnego_state->state_position == SPNEGO_FALLBACK) {
state->sub.in = state->full_in;
state->full_in = data_blob_null;
state->sub.needed = true;
return;
}
switch (spnego_state->state_position) {
case SPNEGO_CLIENT_START:
if (state->spnego_in == NULL) {
/* client to produce negTokenInit */
ops = &gensec_spnego_create_negTokenInit_ops;
break;
}
ops = &gensec_spnego_client_negTokenInit_ops;
break;
case SPNEGO_CLIENT_TARG:
ops = &gensec_spnego_client_negTokenTarg_ops;
break;
case SPNEGO_SERVER_START:
if (state->spnego_in == NULL) {
/* server to produce negTokenInit */
ops = &gensec_spnego_create_negTokenInit_ops;
break;
}
ops = &gensec_spnego_server_negTokenInit_ops;
break;
case SPNEGO_SERVER_TARG:
ops = &gensec_spnego_server_negTokenTarg_ops;
break;
default:
smb_panic(__location__);
return;
}
state->n = gensec_spnego_neg_state(state, ops);
if (tevent_req_nomem(state->n, req)) {
return;
}
status = ops->start_fn(state->gensec, spnego_state, state->n,
state->spnego_in, state, &state->sub.in);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
if (NT_STATUS_IS_OK(status)) {
/*
* Call finish_fn() with an empty
* blob and NT_STATUS_OK.
*/
state->sub.status = NT_STATUS_OK;
} else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
spnego_state->no_optimistic) {
/*
* Skip optimistic token per conf.
*/
state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else if (spnego_state->state_position == SPNEGO_SERVER_START &&
state->sub.in.length == 0 && spnego_state->no_optimistic) {
/*
* If we didn't like the mechanism for which the client sent us
* an optimistic token, or if he didn't send any, don't call
* the sub mechanism just yet.
*/
state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
spnego_state->no_optimistic = false;
} else {
/*
* MORE_PROCESSING_REQUIRED =>
* we need to call gensec_update_send().
*/
state->sub.needed = true;
}
}
static void gensec_spnego_update_done(struct tevent_req *subreq)
{
struct tevent_req *req =
tevent_req_callback_data(subreq,
struct tevent_req);
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
state->sub.status = gensec_update_recv(subreq, state, &state->sub.out);
TALLOC_FREE(subreq);
if (NT_STATUS_IS_OK(state->sub.status)) {
spnego_state->sub_sec_ready = true;
}
gensec_spnego_update_post(req);
}
static void gensec_spnego_update_post(struct tevent_req *req)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
const struct spnego_neg_ops *ops = NULL;
NTSTATUS status;
state->sub.in = data_blob_null;
state->sub.needed = false;
if (spnego_state->state_position == SPNEGO_FALLBACK) {
status = state->sub.status;
spnego_state->out_frag = state->sub.out;
talloc_steal(spnego_state, spnego_state->out_frag.data);
state->sub.out = data_blob_null;
goto respond;
}
ops = state->n->ops;
if (GENSEC_UPDATE_IS_NTERROR(state->sub.status)) {
/*
* gensec_update_recv() returned an error,
* let's see if the step_fn() want to
* handle it and negotiate something else.
*/
status = ops->step_fn(state->gensec,
spnego_state,
state->n,
state->spnego_in,
state->sub.status,
state,
&state->sub.in);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
state->sub.out = data_blob_null;
state->sub.status = NT_STATUS_INTERNAL_ERROR;
if (NT_STATUS_IS_OK(status)) {
/*
* Call finish_fn() with an empty
* blob and NT_STATUS_OK.
*/
state->sub.status = NT_STATUS_OK;
} else {
/*
* MORE_PROCESSING_REQUIRED...
*/
state->sub.needed = true;
}
}
if (state->sub.needed) {
struct tevent_req *subreq = NULL;
/*
* We may need one more roundtrip...
*/
subreq = gensec_update_send(state, state->ev,
spnego_state->sub_sec_security,
state->sub.in);
if (tevent_req_nomem(subreq, req)) {
return;
}
tevent_req_set_callback(subreq,
gensec_spnego_update_done,
req);
state->sub.needed = false;
return;
}
status = ops->finish_fn(state->gensec,
spnego_state,
state->n,
state->spnego_in,
state->sub.status,
state->sub.out,
spnego_state,
&spnego_state->out_frag);
TALLOC_FREE(state->n);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
reset_full = !spnego_state->done_mic_check;
status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
if (tevent_req_nterror(req, status)) {
return;
}
}
respond:
spnego_state->out_status = status;
status = gensec_spnego_update_out(state->gensec,
state, &state->out);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
state->status = status;
tevent_req_done(req);
return;
}
static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out)
{
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
DATA_BLOB out = data_blob_null;
bool ok;
*_out = data_blob_null;
if (spnego_state->out_frag.length <= spnego_state->out_max_length) {
/*
* Fast path, we can deliver everything
*/
*_out = spnego_state->out_frag;
if (spnego_state->out_frag.length > 0) {
talloc_steal(out_mem_ctx, _out->data);
spnego_state->out_frag = data_blob_null;
}
if (!NT_STATUS_IS_OK(spnego_state->out_status)) {
return spnego_state->out_status;
}
/*
* We're completely done, further updates are not allowed.
*/
spnego_state->state_position = SPNEGO_DONE;
return gensec_child_ready(gensec_security,
spnego_state->sub_sec_security);
}
out = spnego_state->out_frag;
/*
* copy the remaining bytes
*/
spnego_state->out_frag = data_blob_talloc(spnego_state,
out.data + spnego_state->out_max_length,
out.length - spnego_state->out_max_length);
if (spnego_state->out_frag.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
/*
* truncate the buffer
*/
ok = data_blob_realloc(spnego_state, &out,
spnego_state->out_max_length);
if (!ok) {
return NT_STATUS_NO_MEMORY;
}
talloc_steal(out_mem_ctx, out.data);
*_out = out;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
NTSTATUS status;
*out = data_blob_null;
if (tevent_req_is_nterror(req, &status)) {
tevent_req_received(req);
return status;
}
*out = state->out;
talloc_steal(out_mem_ctx, state->out.data);
status = state->status;
tevent_req_received(req);
return status;
}
static const char *gensec_spnego_oids[] = {
GENSEC_OID_SPNEGO,
NULL
};
static const struct gensec_security_ops gensec_spnego_security_ops = {
r17197: This patch moves the encryption of bulk data on SASL negotiated security contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2006-07-23 06:50:08 +04:00
.name = "spnego",
.sasl_name = "GSS-SPNEGO",
.auth_type = DCERPC_AUTH_TYPE_SPNEGO,
.oid = gensec_spnego_oids,
.client_start = gensec_spnego_client_start,
.server_start = gensec_spnego_server_start,
.update_send = gensec_spnego_update_send,
.update_recv = gensec_spnego_update_recv,
.seal_packet = gensec_child_seal_packet,
.sign_packet = gensec_child_sign_packet,
.sig_size = gensec_child_sig_size,
.max_wrapped_size = gensec_child_max_wrapped_size,
.max_input_size = gensec_child_max_input_size,
.check_packet = gensec_child_check_packet,
.unseal_packet = gensec_child_unseal_packet,
.wrap = gensec_child_wrap,
.unwrap = gensec_child_unwrap,
.session_key = gensec_child_session_key,
.session_info = gensec_child_session_info,
.want_feature = gensec_child_want_feature,
.have_feature = gensec_child_have_feature,
.expire_time = gensec_child_expire_time,
.final_auth_type = gensec_child_final_auth_type,
.enabled = true,
.priority = GENSEC_SPNEGO,
.glue = true,
};
_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
ret = gensec_register(ctx, &gensec_spnego_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_spnego_security_ops.name));
return ret;
}
return ret;
}