2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
/* Debug class for this file; NOTE(review): DBGC_AUTH is presumably the
 * authentication class used by the logging macros -- confirm. */
26 #define DBGC_CLASS DBGC_AUTH
/*
 * Parse a SPNEGO negTokenInit from asn1 into *token.
 *
 * Opens the [0] SEQUENCE wrapper, then dispatches on the next tag byte
 * until the enclosing tag is exhausted or an error is flagged. The
 * visible branches fill mechTypes, reqFlags, mechToken and the
 * mechListMIC. Returns true when asn1->has_error is still clear.
 *
 * Helper return values are not tested on the visible lines; failures
 * accumulate in asn1->has_error and are picked up by the loop guards.
 * The buffer being parsed is a SPNEGO token, which typically comes from
 * the remote peer, so tags and lengths should be treated as untrusted.
 *
 * NOTE(review): this listing omits lines (braces, case labels, the
 * closing of each tag), so only the visible statements are described.
 */
28 static bool read_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
32 asn1_start_tag(asn1, ASN1_CONTEXT(0));
33 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
/* Stop on the first flagged error or when the current tag is consumed. */
35 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
/* Peek at the next tag byte without consuming it. The loop guard above
 * is the only visible bounds check for this direct buffer read. */
38 switch (asn1->data[asn1->ofs]) {
41 asn1_start_tag(asn1, ASN1_CONTEXT(0));
42 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
/* Everything parsed here is allocated on talloc_autofree_context().
 * NOTE(review): presumably that context lives until process exit, so
 * anything not released through free_spnego_data() accumulates --
 * confirm callers free the token after a failed parse as well.
 * NOTE(review): nothing visible rejects a token that repeats a field;
 * a second occurrence would overwrite the earlier pointer without
 * freeing it -- confirm. */
44 token->mechTypes = TALLOC_P(talloc_autofree_context(), const char *);
45 for (i = 0; !asn1->has_error &&
46 0 < asn1_tag_remaining(asn1); i++) {
47 const char *p_oid = NULL;
/* Grow to i + 2 entries: one slot for this OID plus the NULL terminator. */
49 TALLOC_REALLOC_ARRAY(talloc_autofree_context(),
50 token->mechTypes, const char *, i + 2);
/* Allocation failure is reported through the shared error flag. */
51 if (!token->mechTypes) {
52 asn1->has_error = True;
/* The read result is not tested here; p_oid is stored as-is and the
 * loop condition is what stops iteration once has_error is set. */
55 asn1_read_OID(asn1, talloc_autofree_context(), &p_oid);
56 token->mechTypes[i] = p_oid;
/* NULL-terminate the list; write_negTokenInit() and free_spnego_data()
 * both walk it until the first NULL entry. */
58 token->mechTypes[i] = NULL;
65 asn1_start_tag(asn1, ASN1_CONTEXT(1));
66 asn1_read_Integer(asn1, &token->reqFlags);
/* Mark reqFlags as present; write_negTokenInit() tests this bit and
 * masks it off before encoding. */
67 token->reqFlags |= SPNEGO_REQ_FLAG;
72 asn1_start_tag(asn1, ASN1_CONTEXT(2));
73 asn1_read_OctetString(asn1,
74 talloc_autofree_context(), &token->mechToken);
79 asn1_start_tag(asn1, ASN1_CONTEXT(3));
/* NOTE(review): this peek is not preceded by any visible check that
 * asn1_start_tag() succeeded or that a byte remains in the buffer; an
 * empty or truncated [3] element could make it read past the end of
 * asn1->data -- confirm and guard if so. */
80 if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) {
81 asn1_read_OctetString(asn1, talloc_autofree_context(),
84 /* RFC 2478 says we have an Octet String here,
85 but W2k sends something different... */
/* NOTE(review): asn1_push_tag() is the call the write_* functions use to
 * open a tag, while every other read path here uses asn1_start_tag();
 * its use while parsing looks unintended -- confirm.
 * NOTE(review): the result of asn1_read_GeneralString() is not tested on
 * the visible lines, yet strlen() below dereferences mechListMIC. If a
 * failed read leaves the pointer unset or NULL, a malformed token could
 * crash the parser -- confirm the pointer is initialised and checked. */
87 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
88 asn1_push_tag(asn1, ASN1_CONTEXT(0));
89 asn1_read_GeneralString(asn1,
90 talloc_autofree_context(), &mechListMIC);
95 data_blob(mechListMIC, strlen(mechListMIC));
96 TALLOC_FREE(mechListMIC);
/* NOTE(review): presumably the default branch -- an unrecognised tag
 * fails the whole parse. */
101 asn1->has_error = True;
109 return !asn1->has_error;
/*
 * Encode *token as a SPNEGO negTokenInit into asn1.
 *
 * Opens the [0] SEQUENCE wrapper and emits each optional field only
 * when it is present in the token. Individual write results are not
 * tested on the visible lines; the function returns true when
 * asn1->has_error is still clear at the end.
 *
 * NOTE(review): this listing omits lines (braces, the matching pop of
 * each pushed tag), so only the visible statements are described.
 */
112 static bool write_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
114 asn1_push_tag(asn1, ASN1_CONTEXT(0));
115 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
117 /* Write mechTypes */
/* Skipped when the list pointer is NULL or its first entry is NULL. */
118 if (token->mechTypes && *token->mechTypes) {
121 asn1_push_tag(asn1, ASN1_CONTEXT(0));
122 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
/* The list must be NULL-terminated; there is no separate length. */
123 for (i = 0; token->mechTypes[i]; i++) {
124 asn1_write_OID(asn1, token->mechTypes[i]);
/* SPNEGO_REQ_FLAG is an in-memory presence marker: reqFlags is written
 * only when it is set, and the marker itself is masked off first. */
131 if (token->reqFlags & SPNEGO_REQ_FLAG) {
132 int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;
134 asn1_push_tag(asn1, ASN1_CONTEXT(1));
135 asn1_write_Integer(asn1, flags);
139 /* write mechToken */
140 if (token->mechToken.data) {
141 asn1_push_tag(asn1, ASN1_CONTEXT(2));
142 asn1_write_OctetString(asn1, token->mechToken.data,
143 token->mechToken.length);
147 /* write mechListMIC */
148 if (token->mechListMIC.data) {
149 asn1_push_tag(asn1, ASN1_CONTEXT(3));
/* NOTE(review): two encodings of the MIC follow, the RFC 2478 octet
 * string and a general-string form inside [0] SEQUENCE. Which of the
 * two is actually compiled is not visible in this listing -- confirm
 * it matches what read_negTokenInit() accepts. */
151 /* This is what RFC 2478 says ... */
152 asn1_write_OctetString(asn1, token->mechListMIC.data,
153 token->mechListMIC.length);
155 /* ... but unfortunately this is what Windows
157 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
158 asn1_push_tag(asn1, ASN1_CONTEXT(0));
159 asn1_push_tag(asn1, ASN1_GENERAL_STRING);
160 asn1_write(asn1, token->mechListMIC.data,
161 token->mechListMIC.length);
172 return !asn1->has_error;
/*
 * Parse a SPNEGO negTokenTarg from asn1 into *token.
 *
 * Opens the [1] SEQUENCE wrapper, then dispatches on the next tag byte:
 * [0] negResult, [1] supportedMech, [2] responseToken, [3] mechListMIC.
 * Any other tag sets asn1->has_error. Returns true when has_error is
 * still clear at the end.
 *
 * Helper return values are not tested on the visible lines; failures
 * accumulate in asn1->has_error and end the loop. The token typically
 * comes from the remote peer, so its contents are untrusted.
 *
 * NOTE(review): all buffers are allocated on talloc_autofree_context(),
 * and nothing visible rejects a token that repeats a field, so a repeat
 * would overwrite the earlier pointer without freeing it -- confirm.
 * NOTE(review): this listing omits lines (braces, break statements,
 * the closing of each tag).
 */
175 static bool read_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
179 asn1_start_tag(asn1, ASN1_CONTEXT(1));
180 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
/* Stop on the first flagged error or when the current tag is consumed. */
182 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
/* Peek at the next tag byte; the loop guard above is the only visible
 * bounds check for this direct buffer read. */
183 switch (asn1->data[asn1->ofs]) {
184 case ASN1_CONTEXT(0):
185 asn1_start_tag(asn1, ASN1_CONTEXT(0));
186 asn1_start_tag(asn1, ASN1_ENUMERATED);
/* Stored exactly as read. NOTE(review): no range check against the
 * defined negotiation results is visible, so callers should not assume
 * the value is one of them -- confirm. */
187 asn1_read_uint8(asn1, &token->negResult);
191 case ASN1_CONTEXT(1): {
192 const char *mech = NULL;
193 asn1_start_tag(asn1, ASN1_CONTEXT(1));
194 asn1_read_OID(asn1, talloc_autofree_context(), &mech);
/* Drop the const qualifier so the OID string can be stored in
 * supportedMech; it stays NULL if the read left mech untouched. */
196 token->supportedMech = CONST_DISCARD(char *, mech);
199 case ASN1_CONTEXT(2):
200 asn1_start_tag(asn1, ASN1_CONTEXT(2));
201 asn1_read_OctetString(asn1,
202 talloc_autofree_context(), &token->responseToken);
205 case ASN1_CONTEXT(3):
206 asn1_start_tag(asn1, ASN1_CONTEXT(3));
207 asn1_read_OctetString(asn1,
208 talloc_autofree_context(), &token->mechListMIC);
/* NOTE(review): presumably the default branch -- an unrecognised tag
 * fails the whole parse. */
212 asn1->has_error = True;
220 return !asn1->has_error;
/*
 * Encode *token as a SPNEGO negTokenTarg into asn1.
 *
 * Opens the [1] SEQUENCE wrapper, always writes negResult under [0],
 * and writes supportedMech, responseToken and mechListMIC only when the
 * corresponding pointer is non-NULL. Individual write results are not
 * tested on the visible lines; the function returns true when
 * asn1->has_error is still clear at the end.
 *
 * NOTE(review): this listing omits lines (braces, the matching pop of
 * each pushed tag).
 */
223 static bool write_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
225 asn1_push_tag(asn1, ASN1_CONTEXT(1));
226 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
/* negResult is emitted unconditionally, unlike the fields below. */
228 asn1_push_tag(asn1, ASN1_CONTEXT(0));
229 asn1_write_enumerated(asn1, token->negResult);
232 if (token->supportedMech) {
233 asn1_push_tag(asn1, ASN1_CONTEXT(1));
234 asn1_write_OID(asn1, token->supportedMech);
/* Presence is decided by the data pointer, not by the length field. */
238 if (token->responseToken.data) {
239 asn1_push_tag(asn1, ASN1_CONTEXT(2));
240 asn1_write_OctetString(asn1, token->responseToken.data,
241 token->responseToken.length);
245 if (token->mechListMIC.data) {
246 asn1_push_tag(asn1, ASN1_CONTEXT(3));
247 asn1_write_OctetString(asn1, token->mechListMIC.data,
248 token->mechListMIC.length);
255 return !asn1->has_error;
/*
 * Decode a SPNEGO blob into *token.
 *
 * Loads data into a temporary ASN.1 parser allocated on talloc_tos()
 * and dispatches on the first byte: APPLICATION(0) is a negTokenInit
 * (after checking the SPNEGO OID), CONTEXT(1) is a negTokenTarg.
 * token->type is set only when the matching sub-parser returns true.
 * When no error was flagged, the result is asn1->ofs, the parser offset
 * after the token.
 *
 * NOTE(review): the value returned on failure, the handling of other
 * leading bytes and the release of the parser are on lines not visible
 * in this listing.
 */
258 ssize_t read_spnego_data(DATA_BLOB data, SPNEGO_DATA *token)
265 asn1 = asn1_init(talloc_tos());
270 asn1_load(asn1, data);
/* NOTE(review): this reads the first byte of the loaded buffer directly.
 * No check that data is non-empty, or that asn1_init() and asn1_load()
 * succeeded, is visible here -- confirm the omitted lines reject a
 * zero-length blob and a NULL parser before this point. */
272 switch (asn1->data[asn1->ofs]) {
273 case ASN1_APPLICATION(0):
274 asn1_start_tag(asn1, ASN1_APPLICATION(0));
/* Result not tested here. NOTE(review): presumably a mismatch sets
 * has_error, which makes read_negTokenInit() return false -- confirm. */
275 asn1_check_OID(asn1, OID_SPNEGO);
276 if (read_negTokenInit(asn1, &token->negTokenInit)) {
277 token->type = SPNEGO_NEG_TOKEN_INIT;
/* No outer wrapper is opened here; read_negTokenTarg() consumes the
 * [1] tag itself. */
281 case ASN1_CONTEXT(1):
282 if (read_negTokenTarg(asn1, &token->negTokenTarg)) {
283 token->type = SPNEGO_NEG_TOKEN_TARG;
/* Report the parser offset only for a clean parse. */
290 if (!asn1->has_error) ret = asn1->ofs;
/*
 * Encode *spnego into a newly created blob.
 *
 * Builds the encoding in a temporary ASN.1 buffer allocated on
 * talloc_tos(). A negTokenInit is wrapped in APPLICATION(0) together
 * with the SPNEGO OID; a negTokenTarg is written without an outer
 * wrapper. Any other type sets asn1->has_error. *blob is assigned only
 * when no error was flagged, so callers must not read it on failure.
 *
 * NOTE(review): the return value, the closing of the APPLICATION(0)
 * tag and the release of the temporary buffer are on lines not visible
 * in this listing.
 */
296 ssize_t write_spnego_data(DATA_BLOB *blob, SPNEGO_DATA *spnego)
/* NOTE(review): no NULL check on the asn1_init() result is visible. */
301 asn1 = asn1_init(talloc_tos());
306 switch (spnego->type) {
307 case SPNEGO_NEG_TOKEN_INIT:
308 asn1_push_tag(asn1, ASN1_APPLICATION(0));
309 asn1_write_OID(asn1, OID_SPNEGO);
/* Return value ignored; failure is picked up through has_error below. */
310 write_negTokenInit(asn1, &spnego->negTokenInit);
313 case SPNEGO_NEG_TOKEN_TARG:
314 write_negTokenTarg(asn1, &spnego->negTokenTarg);
/* NOTE(review): presumably the default branch -- an unknown token type
 * is treated as an encoding error. */
317 asn1->has_error = True;
321 if (!asn1->has_error) {
/* Hand the caller a blob built from the temporary buffer's bytes. */
322 *blob = data_blob(asn1->data, asn1->length);
/*
 * Release everything a parsed SPNEGO_DATA owns, then clear the struct.
 *
 * A NULL spnego jumps straight to the exit path. Otherwise the fields
 * belonging to the token's type are freed: for a negTokenInit each
 * mechTypes entry, the mechTypes array and both blobs; for a
 * negTokenTarg the supportedMech string and both blobs.
 *
 * NOTE(review): the `out` label, the return statement and any default
 * branch are on lines not visible in this listing.
 */
330 bool free_spnego_data(SPNEGO_DATA *spnego)
334 if (!spnego) goto out;
336 switch(spnego->type) {
337 case SPNEGO_NEG_TOKEN_INIT:
338 if (spnego->negTokenInit.mechTypes) {
/* Walks to the first NULL entry, so the list must be NULL-terminated;
 * entries are const-qualified, hence the cast before freeing. */
340 for (i = 0; spnego->negTokenInit.mechTypes[i]; i++) {
341 talloc_free(CONST_DISCARD(char *,spnego->negTokenInit.mechTypes[i]));
343 talloc_free(spnego->negTokenInit.mechTypes);
345 data_blob_free(&spnego->negTokenInit.mechToken);
346 data_blob_free(&spnego->negTokenInit.mechListMIC);
348 case SPNEGO_NEG_TOKEN_TARG:
349 if (spnego->negTokenTarg.supportedMech) {
350 talloc_free(spnego->negTokenTarg.supportedMech);
352 data_blob_free(&spnego->negTokenTarg.responseToken);
353 data_blob_free(&spnego->negTokenTarg.mechListMIC);
/* Zero the whole struct so no freed pointer is left behind for a later
 * use or a second free. */
359 ZERO_STRUCTP(spnego);