sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code
7f29caf599
samba-mirror/auth/gensec/spnego.c
Stefan Metzmacher 86808d66f3 gensec:spnego: ignore trailing bytes in SPNEGO_SERVER_START state 
This matches Windows (at least Server 2012_R2).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-10-10 14:01:04 +00:00

2243 lines
59 KiB
C
Raw Blame History

/*
Unix SMB/CIFS implementation.
RFC2478 Compliant SPNEGO implementation
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include <tevent.h>
#include "lib/util/tevent_ntstatus.h"
#include "../libcli/auth/spnego.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "param/param.h"
#include "lib/util/asn1.h"
#include "lib/util/base64.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
#undef strcasecmp
_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
enum spnego_state_position {
SPNEGO_SERVER_START,
SPNEGO_CLIENT_START,
SPNEGO_SERVER_TARG,
SPNEGO_CLIENT_TARG,
SPNEGO_FALLBACK,
SPNEGO_DONE
};
struct spnego_state;
struct spnego_neg_ops;
struct spnego_neg_state;
struct spnego_neg_state {
const struct spnego_neg_ops *ops;
const struct gensec_security_ops_wrapper *all_sec;
size_t all_idx;
const char * const *mech_types;
size_t mech_idx;
};
struct spnego_neg_ops {
const char *name;
/*
* The start hook does the initial processing on the incoming packet and
* may start the first possible subcontext. It indicates that
* gensec_update() is required on the subcontext by returning
* NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
* 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
* caller should treat 'in_next' as const and not attempt to free the
* content. NT_STATUS_OK indicates the finish hook should be invoked
* directly within the need of gensec_update() on the subcontext.
* Every other error indicates an error that's returned to the caller.
*/
NTSTATUS (*start_fn)(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next);
/*
* The step hook processes the result of a failed gensec_update() and
* can decide to ignore a failure and continue the negotiation by
* setting up the next possible subcontext. It indicates that
* gensec_update() is required on the subcontext by returning
* NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
* 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
* caller should treat 'in_next' as const and not attempt to free the
* content. NT_STATUS_OK indicates the finish hook should be invoked
* directly within the need of gensec_update() on the subcontext.
* Every other error indicates an error that's returned to the caller.
*/
NTSTATUS (*step_fn)(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next);
/*
* The finish hook processes the result of a successful gensec_update()
* (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the
* response pdu that will be returned from the toplevel gensec_update()
* together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It
* may also alter the state machine to prepare receiving the next pdu
* from the peer.
*/
NTSTATUS (*finish_fn)(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out);
};
struct spnego_state {
enum spnego_message_type expected_packet;
enum spnego_state_position state_position;
struct gensec_security *sub_sec_security;
bool sub_sec_ready;
const char *neg_oid;
DATA_BLOB mech_types;
size_t num_targs;
bool downgraded;
bool mic_requested;
bool needs_mic_sign;
bool needs_mic_check;
bool may_skip_mic_check;
bool done_mic_check;
bool simulate_w2k;
bool no_optimistic;
/*
* The following is used to implement
* the update token fragmentation
*/
size_t in_needed;
DATA_BLOB in_frag;
size_t out_max_length;
DATA_BLOB out_frag;
NTSTATUS out_status;
};
static struct spnego_neg_state *gensec_spnego_neg_state(TALLOC_CTX *mem_ctx,
const struct spnego_neg_ops *ops)
{
struct spnego_neg_state *n = NULL;
n = talloc_zero(mem_ctx, struct spnego_neg_state);
if (n == NULL) {
return NULL;
}
n->ops = ops;
return n;
}
static void gensec_spnego_reset_sub_sec(struct spnego_state *spnego_state)
{
spnego_state->sub_sec_ready = false;
TALLOC_FREE(spnego_state->sub_sec_security);
}
static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
spnego_state = talloc_zero(gensec_security, struct spnego_state);
if (!spnego_state) {
return NT_STATUS_NO_MEMORY;
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_CLIENT_START;
spnego_state->sub_sec_security = NULL;
spnego_state->sub_sec_ready = false;
spnego_state->mech_types = data_blob_null;
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
"spnego", "simulate_w2k", false);
spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
"spnego",
"client_no_optimistic",
false);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
{
struct spnego_state *spnego_state;
spnego_state = talloc_zero(gensec_security, struct spnego_state);
if (!spnego_state) {
return NT_STATUS_NO_MEMORY;
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_SERVER_START;
spnego_state->sub_sec_security = NULL;
spnego_state->sub_sec_ready = false;
spnego_state->mech_types = data_blob_null;
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
"spnego", "simulate_w2k", false);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
/** Fallback to another GENSEC mechanism, based on magic strings
*
* This is the 'fallback' case, where we don't get SPNEGO, and have to
* try all the other options (and hope they all have a magic string
* they check)
*/
static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
TALLOC_CTX *mem_ctx,
const DATA_BLOB in)
{
int i,j;
const struct gensec_security_ops **all_ops;
all_ops = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; all_ops && all_ops[i]; i++) {
bool is_spnego;
NTSTATUS nt_status;
if (!all_ops[i]->oid) {
continue;
}
is_spnego = false;
for (j=0; all_ops[i]->oid[j]; j++) {
if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
is_spnego = true;
}
}
if (is_spnego) {
continue;
}
if (!all_ops[i]->magic) {
continue;
}
nt_status = all_ops[i]->magic(gensec_security, &in);
if (!NT_STATUS_IS_OK(nt_status)) {
continue;
}
spnego_state->state_position = SPNEGO_FALLBACK;
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
/* select the sub context */
nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
all_ops[i]);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
return NT_STATUS_OK;
}
DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS gensec_spnego_create_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
n->mech_idx = 0;
n->mech_types = gensec_security_oids(gensec_security, n,
GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
DBG_WARNING("gensec_security_oids() failed\n");
return NT_STATUS_NO_MEMORY;
}
n->all_idx = 0;
n->all_sec = gensec_security_by_oid_list(gensec_security,
n, n->mech_types,
GENSEC_OID_SPNEGO);
if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
return NT_STATUS_NO_MEMORY;
}
return n->ops->step_fn(gensec_security, spnego_state, n,
spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
}
static NTSTATUS gensec_spnego_create_negTokenInit_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (!NT_STATUS_IS_OK(last_status)) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
const struct gensec_security_ops_wrapper *next_sec = NULL;
const char *next = NULL;
const char *principal = NULL;
int dbg_level = DBGLVL_WARNING;
NTSTATUS status = last_status;
if (cur_sec[1].op != NULL) {
next_sec = &cur_sec[1];
}
if (next_sec != NULL) {
next = next_sec->op->name;
dbg_level = DBGLVL_NOTICE;
}
if (gensec_security->target.principal != NULL) {
principal = gensec_security->target.principal;
} else if (gensec_security->target.service != NULL &&
gensec_security->target.hostname != NULL)
{
principal = talloc_asprintf(spnego_state->sub_sec_security,
"%s/%s",
gensec_security->target.service,
gensec_security->target.hostname);
} else {
principal = gensec_security->target.hostname;
}
DBG_PREFIX(dbg_level, (
"%s: creating NEG_TOKEN_INIT for %s failed "
"(next[%s]): %s\n", cur_sec->op->name,
principal, next, nt_errstr(status)));
if (next == NULL) {
/*
* A hard error without a possible fallback.
*/
return status;
}
/*
* Pretend we never started it
*/
gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one...
*/
n->all_idx += 1;
}
for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
NTSTATUS status;
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
/* In the client, try and produce the first (optimistic) packet */
if (spnego_state->state_position == SPNEGO_CLIENT_START) {
*in_next = data_blob_null;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
*in_next = data_blob_null;
return NT_STATUS_OK;
}
DBG_WARNING("Failed to setup SPNEGO negTokenInit request\n");
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS gensec_spnego_create_negTokenInit_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
struct spnego_data spnego_out;
bool ok;
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
n->mech_types = gensec_security_oids_from_ops_wrapped(n, cur_sec);
if (n->mech_types == NULL) {
DBG_WARNING("gensec_security_oids_from_ops_wrapped() failed\n");
return NT_STATUS_NO_MEMORY;
}
ok = spnego_write_mech_types(spnego_state,
n->mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("Failed to write mechTypes\n");
return NT_STATUS_NO_MEMORY;
}
/* List the remaining mechs as options */
spnego_out.negTokenInit.mechTypes = n->mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
if (spnego_state->state_position == SPNEGO_SERVER_START) {
spnego_out.negTokenInit.mechListMIC
= data_blob_string_const(ADS_IGNORE_PRINCIPAL);
} else {
spnego_out.negTokenInit.mechListMIC = data_blob_null;
}
spnego_out.negTokenInit.mechToken = sub_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_ERR("Failed to write NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
* backends gensec_security_ops structure.
*/
spnego_state->neg_oid = cur_sec->oid;
/* set next state */
if (spnego_state->state_position == SPNEGO_SERVER_START) {
spnego_state->state_position = SPNEGO_SERVER_START;
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
} else {
spnego_state->state_position = SPNEGO_CLIENT_TARG;
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
}
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static const struct spnego_neg_ops gensec_spnego_create_negTokenInit_ops = {
.name = "create_negTokenInit",
.start_fn = gensec_spnego_create_negTokenInit_start,
.step_fn = gensec_spnego_create_negTokenInit_step,
.finish_fn = gensec_spnego_create_negTokenInit_finish,
};
static NTSTATUS gensec_spnego_client_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
/* The server offers a list of mechanisms */
n->mech_idx = 0;
/* Do not use server mech list as it isn't protected. Instead, get all
* supported mechs (excluding SPNEGO). */
n->mech_types = gensec_security_oids(gensec_security, n,
GENSEC_OID_SPNEGO);
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
n->all_idx = 0;
n->all_sec = gensec_security_by_oid_list(gensec_security,
n, n->mech_types,
GENSEC_OID_SPNEGO);
if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
return NT_STATUS_INVALID_PARAMETER;
}
return n->ops->step_fn(gensec_security, spnego_state, n,
spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
}
static NTSTATUS gensec_spnego_client_negTokenInit_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (!NT_STATUS_IS_OK(last_status)) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
const struct gensec_security_ops_wrapper *next_sec = NULL;
const char *next = NULL;
const char *principal = NULL;
int dbg_level = DBGLVL_WARNING;
bool allow_fallback = false;
NTSTATUS status = last_status;
if (cur_sec[1].op != NULL) {
next_sec = &cur_sec[1];
}
/*
* it is likely that a NULL input token will
* not be liked by most server mechs, but if
* we are in the client, we want the first
* update packet to be able to abort the use
* of this mech
*/
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME) ||
NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME) ||
NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN) ||
NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
{
allow_fallback = true;
}
if (allow_fallback && next_sec != NULL) {
next = next_sec->op->name;
dbg_level = DBGLVL_NOTICE;
}
if (gensec_security->target.principal != NULL) {
principal = gensec_security->target.principal;
} else if (gensec_security->target.service != NULL &&
gensec_security->target.hostname != NULL)
{
principal = talloc_asprintf(spnego_state->sub_sec_security,
"%s/%s",
gensec_security->target.service,
gensec_security->target.hostname);
} else {
principal = gensec_security->target.hostname;
}
DBG_PREFIX(dbg_level, (
"%s: creating NEG_TOKEN_INIT for %s failed "
"(next[%s]): %s\n", cur_sec->op->name,
principal, next, nt_errstr(status)));
if (next == NULL) {
/*
* A hard error without a possible fallback.
*/
return status;
}
/*
* Pretend we never started it.
*/
gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one...
*/
n->all_idx += 1;
}
for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
NTSTATUS status;
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
* backends gensec_security_ops structure.
*/
spnego_state->neg_oid = cur_sec->oid;
/*
* As client we don't use an optimistic token from the server.
* But try to produce one for the server.
*/
*in_next = data_blob_null;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS gensec_spnego_client_negTokenInit_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
struct spnego_data spnego_out;
const char * const *mech_types = NULL;
bool ok;
if (n->mech_types == NULL) {
DBG_WARNING("No mech_types list\n");
return NT_STATUS_INVALID_PARAMETER;
}
for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
int cmp = strcmp(*mech_types, spnego_state->neg_oid);
if (cmp == 0) {
break;
}
}
if (*mech_types == NULL) {
DBG_ERR("Can't find selected sub mechanism in mech_types\n");
return NT_STATUS_INVALID_PARAMETER;
}
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
spnego_out.negTokenInit.mechTypes = mech_types;
spnego_out.negTokenInit.reqFlags = data_blob_null;
spnego_out.negTokenInit.reqFlagsPadding = 0;
spnego_out.negTokenInit.mechListMIC = data_blob_null;
spnego_out.negTokenInit.mechToken = sub_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
ok = spnego_write_mech_types(spnego_state,
mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");
return NT_STATUS_NO_MEMORY;
}
/* set next state */
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static const struct spnego_neg_ops gensec_spnego_client_negTokenInit_ops = {
.name = "client_negTokenInit",
.start_fn = gensec_spnego_client_negTokenInit_start,
.step_fn = gensec_spnego_client_negTokenInit_step,
.finish_fn = gensec_spnego_client_negTokenInit_finish,
};
static NTSTATUS gensec_spnego_client_negTokenTarg_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
NTSTATUS status;
spnego_state->num_targs++;
if (ta->negResult == SPNEGO_REJECT) {
return NT_STATUS_LOGON_FAILURE;
}
if (ta->negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
if (ta->mechListMIC.length > 0) {
DATA_BLOB *m = &ta->mechListMIC;
const DATA_BLOB *r = &ta->responseToken;
/*
* Windows 2000 has a bug, it repeats the
* responseToken in the mechListMIC field.
*/
if (m->length == r->length) {
int cmp;
cmp = memcmp(m->data, r->data, m->length);
if (cmp == 0) {
data_blob_free(m);
}
}
}
/* Server didn't like our choice of mech, and chose something else */
if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
(ta->negResult == SPNEGO_REQUEST_MIC)) &&
ta->supportedMech != NULL &&
strcmp(ta->supportedMech, spnego_state->neg_oid) != 0)
{
const char *client_mech = NULL;
const char *client_oid = NULL;
const char *server_mech = NULL;
const char *server_oid = NULL;
client_mech = gensec_get_name_by_oid(gensec_security,
spnego_state->neg_oid);
client_oid = spnego_state->neg_oid;
server_mech = gensec_get_name_by_oid(gensec_security,
ta->supportedMech);
server_oid = ta->supportedMech;
DBG_NOTICE("client preferred mech (%s[%s]) not accepted, "
"server wants: %s[%s]\n",
client_mech, client_oid, server_mech, server_oid);
spnego_state->downgraded = true;
gensec_spnego_reset_sub_sec(spnego_state);
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
ta->supportedMech);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
spnego_state->neg_oid = talloc_strdup(spnego_state,
ta->supportedMech);
if (spnego_state->neg_oid == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
if (ta->mechListMIC.length > 0) {
if (spnego_state->sub_sec_ready) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
if (ta->responseToken.length != 0) {
DBG_WARNING("non empty response token not expected\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (ta->mechListMIC.length == 0
&& spnego_state->may_skip_mic_check) {
/*
* In this case we don't require
* a mechListMIC from the server.
*
* This works around bugs in the Azure
* and Apple spnego implementations.
*
* See
* https://bugzilla.samba.org/show_bug.cgi?id=11994
*/
spnego_state->needs_mic_check = false;
return NT_STATUS_OK;
}
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
return NT_STATUS_OK;
}
if (!spnego_state->sub_sec_ready) {
*in_next = ta->responseToken;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
return NT_STATUS_OK;
}
static NTSTATUS gensec_spnego_client_negTokenTarg_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
DBG_WARNING("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(last_status));
return last_status;
}
/*
* This should never be reached!
* The step function is only called on errors!
*/
smb_panic(__location__);
return NT_STATUS_INTERNAL_ERROR;
}
static NTSTATUS gensec_spnego_client_negTokenTarg_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
const struct spnego_negTokenTarg *ta =
&spnego_in->negTokenTarg;
DATA_BLOB mech_list_mic = data_blob_null;
NTSTATUS status;
struct spnego_data spnego_out;
if (!spnego_state->sub_sec_ready) {
/*
* We're not yet ready to deal with signatures.
*/
goto client_response;
}
if (spnego_state->done_mic_check) {
/*
* We already checked the mic,
* either the in last round here
* in gensec_spnego_client_negTokenTarg_finish()
* or during this round in
* gensec_spnego_client_negTokenTarg_start().
*
* Both cases we're sure we don't have to
* call gensec_sign_packet().
*/
goto client_response;
}
if (spnego_state->may_skip_mic_check) {
/*
* This can only be set during
* the last round here in
* gensec_spnego_client_negTokenTarg_finish()
* below. And during this round
* we already passed the checks in
* gensec_spnego_client_negTokenTarg_start().
*
* So we need to skip to deal with
* any signatures now.
*/
goto client_response;
}
if (!spnego_state->done_mic_check) {
bool have_sign = true;
bool new_spnego = false;
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_SIGN);
if (spnego_state->simulate_w2k) {
have_sign = false;
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
switch (ta->negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
/*
* the first exchange doesn't require
* verification
*/
new_spnego = false;
}
break;
case SPNEGO_ACCEPT_INCOMPLETE:
if (ta->mechListMIC.length > 0) {
new_spnego = true;
break;
}
if (spnego_state->downgraded) {
/*
* A downgrade should be protected if
* supported
*/
break;
}
/*
* The caller may just asked for
* GENSEC_FEATURE_SESSION_KEY, this
* is only reflected in the want_features.
*
* As it will imply
* gensec_have_features(GENSEC_FEATURE_SIGN)
* to return true.
*/
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
break;
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
break;
}
/*
* Here we're sure our preferred mech was
* selected by the server and our caller doesn't
* need GENSEC_FEATURE_SIGN nor
* GENSEC_FEATURE_SEAL support.
*
* In this case we don't require
* a mechListMIC from the server.
*
* This works around bugs in the Azure
* and Apple spnego implementations.
*
* See
* https://bugzilla.samba.org/show_bug.cgi?id=11994
*/
spnego_state->may_skip_mic_check = true;
break;
case SPNEGO_REQUEST_MIC:
if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
break;
default:
break;
}
if (spnego_state->mic_requested) {
if (have_sign) {
new_spnego = true;
}
}
if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
}
if (ta->mechListMIC.length > 0) {
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
}
if (spnego_state->needs_mic_sign) {
status = gensec_sign_packet(spnego_state->sub_sec_security,
n,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&mech_list_mic);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to sign mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_sign = false;
}
client_response:
if (sub_out.length == 0 && mech_list_mic.length == 0) {
*out = data_blob_null;
if (!spnego_state->sub_sec_ready) {
/* somethings wrong here... */
DBG_ERR("gensec_update not ready without output\n");
return NT_STATUS_INTERNAL_ERROR;
}
if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
/* unless of course it did not accept */
DBG_WARNING("gensec_update ok but not accepted\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (!spnego_state->needs_mic_check) {
spnego_state->state_position = SPNEGO_DONE;
return NT_STATUS_OK;
}
}
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
spnego_out.negTokenTarg.supportedMech = NULL;
spnego_out.negTokenTarg.responseToken = sub_out;
spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_WARNING("Failed to write NEG_TOKEN_TARG\n");
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->num_targs++;
/* set next state */
spnego_state->state_position = SPNEGO_CLIENT_TARG;
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static const struct spnego_neg_ops gensec_spnego_client_negTokenTarg_ops = {
.name = "client_negTokenTarg",
.start_fn = gensec_spnego_client_negTokenTarg_start,
.step_fn = gensec_spnego_client_negTokenTarg_step,
.finish_fn = gensec_spnego_client_negTokenTarg_finish,
};
/** create a server negTokenTarg
*
* This is the case, where the client is the first one who sends data
*/
static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
NTSTATUS nt_status,
const DATA_BLOB unwrapped_out,
DATA_BLOB mech_list_mic,
DATA_BLOB *out)
{
struct spnego_data spnego_out = {
.type = SPNEGO_NEG_TOKEN_TARG,
.negTokenTarg.responseToken = unwrapped_out,
.negTokenTarg.mechListMIC = mech_list_mic,
.negTokenTarg.supportedMech = NULL,
};
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
if (spnego_state->mic_requested) {
spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
spnego_state->mic_requested = false;
} else {
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
}
spnego_state->state_position = SPNEGO_SERVER_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
if (unwrapped_out.data) {
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
}
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
spnego_state->state_position = SPNEGO_DONE;
}
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
return NT_STATUS_INVALID_PARAMETER;
}
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->num_targs++;
return nt_status;
}
static NTSTATUS gensec_spnego_server_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
bool ok;
n->mech_idx = 0;
n->mech_types = spnego_in->negTokenInit.mechTypes;
if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
n->all_idx = 0;
n->all_sec = gensec_security_by_oid_list(gensec_security,
n, n->mech_types,
GENSEC_OID_SPNEGO);
if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
return NT_STATUS_INVALID_PARAMETER;
}
ok = spnego_write_mech_types(spnego_state,
n->mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("Failed to write mechTypes\n");
return NT_STATUS_NO_MEMORY;
}
return n->ops->step_fn(gensec_security, spnego_state, n,
spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
}
static NTSTATUS gensec_spnego_server_negTokenInit_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (!NT_STATUS_IS_OK(last_status)) {
const struct gensec_security_ops_wrapper *cur_sec =
&n->all_sec[n->all_idx];
const char *next_mech = n->mech_types[n->mech_idx+1];
const struct gensec_security_ops_wrapper *next_sec = NULL;
const char *next = NULL;
int dbg_level = DBGLVL_WARNING;
bool allow_fallback = false;
NTSTATUS status = last_status;
size_t i;
for (i = 0; next_mech != NULL && n->all_sec[i].op != NULL; i++) {
if (strcmp(next_mech, n->all_sec[i].oid) != 0) {
continue;
}
next_sec = &n->all_sec[i];
break;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
{
allow_fallback = true;
}
if (allow_fallback && next_sec != NULL) {
next = next_sec->op->name;
dbg_level = DBGLVL_NOTICE;
}
DBG_PREFIX(dbg_level, (
"%s: parsing NEG_TOKEN_INIT content failed "
"(next[%s]): %s\n", cur_sec->op->name,
next, nt_errstr(status)));
if (next == NULL) {
/*
* A hard error without a possible fallback.
*/
return status;
}
/*
* Pretend we never started it
*/
gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one, based on the clients
* mech type list...
*/
n->mech_idx += 1;
}
/*
* we always reset all_idx here, as the negotiation is
* done via mech_idx!
*/
n->all_idx = 0;
for (; n->mech_types[n->mech_idx] != NULL; n->mech_idx++) {
const char *cur_mech = n->mech_types[n->mech_idx];
const struct gensec_security_ops_wrapper *cur_sec = NULL;
NTSTATUS status;
DATA_BLOB sub_in = data_blob_null;
size_t i;
for (i = 0; n->all_sec[i].op != NULL; i++) {
if (strcmp(cur_mech, n->all_sec[i].oid) != 0) {
continue;
}
cur_sec = &n->all_sec[i];
n->all_idx = i;
break;
}
if (cur_sec == NULL) {
continue;
}
status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* select the sub context */
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
/*
* Pretend we never started it
*/
gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
if (n->mech_idx == 0) {
/*
* We can use the optimistic token.
*/
sub_in = spnego_in->negTokenInit.mechToken;
} else {
/*
* Indicate the downgrade and request a
* mic.
*/
spnego_state->downgraded = true;
spnego_state->mic_requested = true;
}
if (sub_in.length == 0) {
spnego_state->no_optimistic = true;
}
/*
* Note that 'cur_sec' is temporary memory, but
* cur_sec->oid points to a const string in the
* backends gensec_security_ops structure.
*/
spnego_state->neg_oid = cur_sec->oid;
/* we need some content from the mech */
*in_next = sub_in;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
static NTSTATUS gensec_spnego_server_negTokenInit_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
DATA_BLOB mech_list_mic = data_blob_null;
if (spnego_state->simulate_w2k) {
/*
* Windows 2000 returns the unwrapped token
* also in the mech_list_mic field.
*
* In order to verify our client code,
* we need a way to have a server with this
* broken behaviour
*/
mech_list_mic = sub_out;
}
return gensec_spnego_server_response(spnego_state,
out_mem_ctx,
sub_status,
sub_out,
mech_list_mic,
out);
}
static const struct spnego_neg_ops gensec_spnego_server_negTokenInit_ops = {
.name = "server_negTokenInit",
.start_fn = gensec_spnego_server_negTokenInit_start,
.step_fn = gensec_spnego_server_negTokenInit_step,
.finish_fn = gensec_spnego_server_negTokenInit_finish,
};
static NTSTATUS gensec_spnego_server_negTokenTarg_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
NTSTATUS status;
spnego_state->num_targs++;
if (spnego_state->sub_sec_security == NULL) {
DBG_ERR("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n");
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->needs_mic_check) {
if (ta->responseToken.length != 0) {
DBG_WARNING("non empty response token not expected\n");
return NT_STATUS_INVALID_PARAMETER;
}
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
return NT_STATUS_OK;
}
if (!spnego_state->sub_sec_ready) {
*in_next = ta->responseToken;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
return NT_STATUS_OK;
}
static NTSTATUS gensec_spnego_server_negTokenTarg_step(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS last_status,
TALLOC_CTX *in_mem_ctx,
DATA_BLOB *in_next)
{
if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
DBG_NOTICE("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(last_status));
return last_status;
}
/*
* This should never be reached!
* The step function is only called on errors!
*/
smb_panic(__location__);
return NT_STATUS_INTERNAL_ERROR;
}
static NTSTATUS gensec_spnego_server_negTokenTarg_finish(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
struct spnego_neg_state *n,
struct spnego_data *spnego_in,
NTSTATUS sub_status,
const DATA_BLOB sub_out,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
DATA_BLOB mech_list_mic = data_blob_null;
NTSTATUS status;
bool have_sign = true;
bool new_spnego = false;
status = sub_status;
if (!spnego_state->sub_sec_ready) {
/*
* We're not yet ready to deal with signatures.
*/
goto server_response;
}
if (spnego_state->done_mic_check) {
/*
* We already checked the mic,
* either the in last round here
* in gensec_spnego_server_negTokenTarg_finish()
* or during this round in
* gensec_spnego_server_negTokenTarg_start().
*
* Both cases we're sure we don't have to
* call gensec_sign_packet().
*/
goto server_response;
}
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_SIGN);
if (spnego_state->simulate_w2k) {
have_sign = false;
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
if (have_sign && ta->mechListMIC.length > 0) {
status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&ta->mechListMIC);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
}
if (spnego_state->needs_mic_sign) {
status = gensec_sign_packet(spnego_state->sub_sec_security,
n,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
&mech_list_mic);
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to sign mechListMIC: %s\n",
nt_errstr(status));
return status;
}
spnego_state->needs_mic_sign = false;
}
if (spnego_state->needs_mic_check) {
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
server_response:
return gensec_spnego_server_response(spnego_state,
out_mem_ctx,
status,
sub_out,
mech_list_mic,
out);
}
static const struct spnego_neg_ops gensec_spnego_server_negTokenTarg_ops = {
.name = "server_negTokenTarg",
.start_fn = gensec_spnego_server_negTokenTarg_start,
.step_fn = gensec_spnego_server_negTokenTarg_step,
.finish_fn = gensec_spnego_server_negTokenTarg_finish,
};
struct gensec_spnego_update_state {
struct tevent_context *ev;
struct gensec_security *gensec;
struct spnego_state *spnego;
DATA_BLOB full_in;
struct spnego_data _spnego_in;
struct spnego_data *spnego_in;
struct {
bool needed;
DATA_BLOB in;
NTSTATUS status;
DATA_BLOB out;
} sub;
struct spnego_neg_state *n;
NTSTATUS status;
DATA_BLOB out;
};
static void gensec_spnego_update_cleanup(struct tevent_req *req,
enum tevent_req_state req_state)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
switch (req_state) {
case TEVENT_REQ_USER_ERROR:
case TEVENT_REQ_TIMED_OUT:
case TEVENT_REQ_NO_MEMORY:
/*
* A fatal error, further updates are not allowed.
*/
state->spnego->state_position = SPNEGO_DONE;
break;
default:
break;
}
}
static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in);
static void gensec_spnego_update_pre(struct tevent_req *req);
static void gensec_spnego_update_done(struct tevent_req *subreq);
static void gensec_spnego_update_post(struct tevent_req *req);
static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out);
static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_security *gensec_security,
const DATA_BLOB in)
{
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
struct tevent_req *req = NULL;
struct gensec_spnego_update_state *state = NULL;
NTSTATUS status;
ssize_t len;
req = tevent_req_create(mem_ctx, &state,
struct gensec_spnego_update_state);
if (req == NULL) {
return NULL;
}
state->ev = ev;
state->gensec = gensec_security;
state->spnego = spnego_state;
tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
if (spnego_state->out_frag.length > 0) {
if (in.length > 0) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
status = gensec_spnego_update_out(gensec_security,
state, &state->out);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
state->status = status;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
status = gensec_spnego_update_in(gensec_security, in,
state, &state->full_in);
state->status = status;
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
tevent_req_done(req);
return tevent_req_post(req, ev);
}
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
/* Check if we got a valid SPNEGO blob... */
switch (spnego_state->state_position) {
case SPNEGO_FALLBACK:
break;
case SPNEGO_CLIENT_TARG:
case SPNEGO_SERVER_TARG:
if (state->full_in.length == 0) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
FALL_THROUGH;
case SPNEGO_CLIENT_START:
case SPNEGO_SERVER_START:
if (state->full_in.length == 0) {
/* create_negTokenInit later */
break;
}
len = spnego_read_data(state,
state->full_in,
&state->_spnego_in);
if (len == -1) {
if (spnego_state->state_position != SPNEGO_SERVER_START) {
DEBUG(1, ("Invalid SPNEGO request:\n"));
dump_data(1, state->full_in.data,
state->full_in.length);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
/*
* This is the 'fallback' case, where we don't get
* SPNEGO, and have to try all the other options (and
* hope they all have a magic string they check)
*/
status = gensec_spnego_server_try_fallback(gensec_security,
spnego_state,
state,
state->full_in);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
/*
* We'll continue with SPNEGO_FALLBACK below...
*/
break;
}
state->spnego_in = &state->_spnego_in;
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (state->spnego_in->type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
state->spnego_in->type,
spnego_state->expected_packet));
dump_data(1, state->full_in.data,
state->full_in.length);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
break;
default:
smb_panic(__location__);
return NULL;
}
gensec_spnego_update_pre(req);
if (!tevent_req_is_in_progress(req)) {
return tevent_req_post(req, ev);
}
if (state->sub.needed) {
struct tevent_req *subreq = NULL;
/*
* We may need one more roundtrip...
*/
subreq = gensec_update_send(state, state->ev,
spnego_state->sub_sec_security,
state->sub.in);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq,
gensec_spnego_update_done,
req);
state->sub.needed = false;
return req;
}
gensec_spnego_update_post(req);
if (!tevent_req_is_in_progress(req)) {
return tevent_req_post(req, ev);
}
return req;
}
static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in)
{
DATA_BLOB consume = data_blob_null;
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
size_t expected;
bool ok;
*full_in = data_blob_null;
switch (spnego_state->state_position) {
case SPNEGO_FALLBACK:
*full_in = in;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
case SPNEGO_CLIENT_START:
case SPNEGO_CLIENT_TARG:
case SPNEGO_SERVER_START:
case SPNEGO_SERVER_TARG:
break;
case SPNEGO_DONE:
default:
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->in_needed == 0) {
size_t size = 0;
int ret;
/*
* try to work out the size of the full
* input token, it might be fragmented
*/
ret = asn1_peek_full_tag(in, ASN1_APPLICATION(0), &size);
if ((ret != 0) && (ret != EAGAIN)) {
ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
}
if ((ret == 0) || (ret == EAGAIN)) {
spnego_state->in_needed = size;
} else {
/*
* If it is not an asn1 message
* just call the next layer.
*/
spnego_state->in_needed = in.length;
}
}
if (spnego_state->in_needed > UINT16_MAX) {
/*
* limit the incoming message to 0xFFFF
* to avoid DoS attacks.
*/
return NT_STATUS_INVALID_BUFFER_SIZE;
}
if ((spnego_state->in_needed > 0) && (in.length == 0)) {
/*
* If we reach this, we know we got at least
* part of an asn1 message, getting 0 means
* the remote peer wants us to spin.
*/
return NT_STATUS_INVALID_PARAMETER;
}
consume = in;
expected = spnego_state->in_needed - spnego_state->in_frag.length;
if (consume.length > expected) {
if (spnego_state->state_position != SPNEGO_SERVER_START) {
/*
* we got more than expected
*/
return NT_STATUS_INVALID_PARAMETER;
}
/*
* In SPNEGO_SERVER_START we need to ignore unexpected
* bytes at the end.
*/
consume.length = expected;
}
if (consume.length == spnego_state->in_needed) {
/*
* if the consume.length contains the full blob
* we are done.
*
* Note: this implies spnego_state->in_frag.length == 0,
* but we do not need to check this explicitly
* because we already know that we did not get
* more than expected.
*/
*full_in = consume;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
}
ok = data_blob_append(spnego_state, &spnego_state->in_frag,
consume.data, consume.length);
if (!ok) {
return NT_STATUS_NO_MEMORY;
}
if (spnego_state->in_needed > spnego_state->in_frag.length) {
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
*full_in = spnego_state->in_frag;
talloc_steal(mem_ctx, full_in->data);
spnego_state->in_frag = data_blob_null;
spnego_state->in_needed = 0;
return NT_STATUS_OK;
}
static void gensec_spnego_update_pre(struct tevent_req *req)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
const struct spnego_neg_ops *ops = NULL;
NTSTATUS status;
state->sub.needed = false;
state->sub.in = data_blob_null;
state->sub.status = NT_STATUS_INTERNAL_ERROR;
state->sub.out = data_blob_null;
if (spnego_state->state_position == SPNEGO_FALLBACK) {
state->sub.in = state->full_in;
state->full_in = data_blob_null;
state->sub.needed = true;
return;
}
switch (spnego_state->state_position) {
case SPNEGO_CLIENT_START:
if (state->spnego_in == NULL) {
/* client to produce negTokenInit */
ops = &gensec_spnego_create_negTokenInit_ops;
break;
}
ops = &gensec_spnego_client_negTokenInit_ops;
break;
case SPNEGO_CLIENT_TARG:
ops = &gensec_spnego_client_negTokenTarg_ops;
break;
case SPNEGO_SERVER_START:
if (state->spnego_in == NULL) {
/* server to produce negTokenInit */
ops = &gensec_spnego_create_negTokenInit_ops;
break;
}
ops = &gensec_spnego_server_negTokenInit_ops;
break;
case SPNEGO_SERVER_TARG:
ops = &gensec_spnego_server_negTokenTarg_ops;
break;
default:
smb_panic(__location__);
return;
}
state->n = gensec_spnego_neg_state(state, ops);
if (tevent_req_nomem(state->n, req)) {
return;
}
status = ops->start_fn(state->gensec, spnego_state, state->n,
state->spnego_in, state, &state->sub.in);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
if (NT_STATUS_IS_OK(status)) {
/*
* Call finish_fn() with an empty
* blob and NT_STATUS_OK.
*/
state->sub.status = NT_STATUS_OK;
} else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
spnego_state->no_optimistic) {
/*
* Skip optimistic token per conf.
*/
state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else if (spnego_state->state_position == SPNEGO_SERVER_START &&
state->sub.in.length == 0 && spnego_state->no_optimistic) {
/*
* If we didn't like the mechanism for which the client sent us
* an optimistic token, or if he didn't send any, don't call
* the sub mechanism just yet.
*/
state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
spnego_state->no_optimistic = false;
} else {
/*
* MORE_PROCESSING_REQUIRED =>
* we need to call gensec_update_send().
*/
state->sub.needed = true;
}
}
static void gensec_spnego_update_done(struct tevent_req *subreq)
{
struct tevent_req *req =
tevent_req_callback_data(subreq,
struct tevent_req);
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
state->sub.status = gensec_update_recv(subreq, state, &state->sub.out);
TALLOC_FREE(subreq);
if (NT_STATUS_IS_OK(state->sub.status)) {
spnego_state->sub_sec_ready = true;
}
gensec_spnego_update_post(req);
}
static void gensec_spnego_update_post(struct tevent_req *req)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
const struct spnego_neg_ops *ops = NULL;
NTSTATUS status;
state->sub.in = data_blob_null;
state->sub.needed = false;
if (spnego_state->state_position == SPNEGO_FALLBACK) {
status = state->sub.status;
spnego_state->out_frag = state->sub.out;
talloc_steal(spnego_state, spnego_state->out_frag.data);
state->sub.out = data_blob_null;
goto respond;
}
ops = state->n->ops;
if (GENSEC_UPDATE_IS_NTERROR(state->sub.status)) {
/*
* gensec_update_recv() returned an error,
* let's see if the step_fn() want to
* handle it and negotiate something else.
*/
status = ops->step_fn(state->gensec,
spnego_state,
state->n,
state->spnego_in,
state->sub.status,
state,
&state->sub.in);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
state->sub.out = data_blob_null;
state->sub.status = NT_STATUS_INTERNAL_ERROR;
if (NT_STATUS_IS_OK(status)) {
/*
* Call finish_fn() with an empty
* blob and NT_STATUS_OK.
*/
state->sub.status = NT_STATUS_OK;
} else {
/*
* MORE_PROCESSING_REQUIRED...
*/
state->sub.needed = true;
}
}
if (state->sub.needed) {
struct tevent_req *subreq = NULL;
/*
* We may need one more roundtrip...
*/
subreq = gensec_update_send(state, state->ev,
spnego_state->sub_sec_security,
state->sub.in);
if (tevent_req_nomem(subreq, req)) {
return;
}
tevent_req_set_callback(subreq,
gensec_spnego_update_done,
req);
state->sub.needed = false;
return;
}
status = ops->finish_fn(state->gensec,
spnego_state,
state->n,
state->spnego_in,
state->sub.status,
state->sub.out,
spnego_state,
&spnego_state->out_frag);
TALLOC_FREE(state->n);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
reset_full = !spnego_state->done_mic_check;
status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
if (tevent_req_nterror(req, status)) {
return;
}
}
respond:
spnego_state->out_status = status;
status = gensec_spnego_update_out(state->gensec,
state, &state->out);
if (GENSEC_UPDATE_IS_NTERROR(status)) {
tevent_req_nterror(req, status);
return;
}
state->status = status;
tevent_req_done(req);
return;
}
static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out)
{
struct spnego_state *spnego_state =
talloc_get_type_abort(gensec_security->private_data,
struct spnego_state);
DATA_BLOB out = data_blob_null;
bool ok;
*_out = data_blob_null;
if (spnego_state->out_frag.length <= spnego_state->out_max_length) {
/*
* Fast path, we can deliver everything
*/
*_out = spnego_state->out_frag;
if (spnego_state->out_frag.length > 0) {
talloc_steal(out_mem_ctx, _out->data);
spnego_state->out_frag = data_blob_null;
}
if (!NT_STATUS_IS_OK(spnego_state->out_status)) {
return spnego_state->out_status;
}
/*
* We're completely done, further updates are not allowed.
*/
spnego_state->state_position = SPNEGO_DONE;
return gensec_child_ready(gensec_security,
spnego_state->sub_sec_security);
}
out = spnego_state->out_frag;
/*
* copy the remaining bytes
*/
spnego_state->out_frag = data_blob_talloc(spnego_state,
out.data + spnego_state->out_max_length,
out.length - spnego_state->out_max_length);
if (spnego_state->out_frag.data == NULL) {
return NT_STATUS_NO_MEMORY;
}
/*
* truncate the buffer
*/
ok = data_blob_realloc(spnego_state, &out,
spnego_state->out_max_length);
if (!ok) {
return NT_STATUS_NO_MEMORY;
}
talloc_steal(out_mem_ctx, out.data);
*_out = out;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
NTSTATUS status;
*out = data_blob_null;
if (tevent_req_is_nterror(req, &status)) {
tevent_req_received(req);
return status;
}
*out = state->out;
talloc_steal(out_mem_ctx, state->out.data);
status = state->status;
tevent_req_received(req);
return status;
}
static const char *gensec_spnego_oids[] = {
GENSEC_OID_SPNEGO,
NULL
};
static const struct gensec_security_ops gensec_spnego_security_ops = {
.name = "spnego",
.sasl_name = "GSS-SPNEGO",
.auth_type = DCERPC_AUTH_TYPE_SPNEGO,
.oid = gensec_spnego_oids,
.client_start = gensec_spnego_client_start,
.server_start = gensec_spnego_server_start,
.update_send = gensec_spnego_update_send,
.update_recv = gensec_spnego_update_recv,
.seal_packet = gensec_child_seal_packet,
.sign_packet = gensec_child_sign_packet,
.sig_size = gensec_child_sig_size,
.max_wrapped_size = gensec_child_max_wrapped_size,
.max_input_size = gensec_child_max_input_size,
.check_packet = gensec_child_check_packet,
.unseal_packet = gensec_child_unseal_packet,
.wrap = gensec_child_wrap,
.unwrap = gensec_child_unwrap,
.session_key = gensec_child_session_key,
.session_info = gensec_child_session_info,
.want_feature = gensec_child_want_feature,
.have_feature = gensec_child_have_feature,
.expire_time = gensec_child_expire_time,
.final_auth_type = gensec_child_final_auth_type,
.enabled = true,
.priority = GENSEC_SPNEGO,
.glue = true,
};
_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
ret = gensec_register(ctx, &gensec_spnego_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_spnego_security_ops.name));
return ret;
}
return ret;
}
View Git Blame Copy Permalink