2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "auth/auth.h"
29 #define DBGC_CLASS DBGC_AUTH
31 static BOOL read_negTokenInit(struct asn1_data *asn1, struct spnego_negTokenInit *token)
35 asn1_start_tag(asn1, ASN1_CONTEXT(0));
36 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
38 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
41 if (!asn1_peek_uint8(asn1, &context)) {
42 asn1->has_error = True;
49 asn1_start_tag(asn1, ASN1_CONTEXT(0));
50 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
52 token->mechTypes = talloc(NULL, const char *);
53 for (i = 0; !asn1->has_error &&
54 0 < asn1_tag_remaining(asn1); i++) {
55 token->mechTypes = talloc_realloc(NULL,
58 asn1_read_OID(asn1, token->mechTypes + i);
59 if (token->mechTypes[i]) {
60 talloc_steal(token->mechTypes,
64 token->mechTypes[i] = NULL;
71 asn1_start_tag(asn1, ASN1_CONTEXT(1));
72 asn1_read_Integer(asn1, &token->reqFlags);
73 token->reqFlags |= SPNEGO_REQ_FLAG;
78 asn1_start_tag(asn1, ASN1_CONTEXT(2));
79 asn1_read_OctetString(asn1, &token->mechToken);
86 asn1_start_tag(asn1, ASN1_CONTEXT(3));
87 if (!asn1_peek_uint8(asn1, &type_peek)) {
88 asn1->has_error = True;
91 if (type_peek == ASN1_OCTET_STRING) {
92 asn1_read_OctetString(asn1,
95 /* RFC 2478 says we have an Octet String here,
96 but W2k sends something different... */
98 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
99 asn1_push_tag(asn1, ASN1_CONTEXT(0));
100 asn1_read_GeneralString(asn1, &mechListMIC);
104 token->targetPrincipal = mechListMIC;
110 asn1->has_error = True;
118 return !asn1->has_error;
121 static BOOL write_negTokenInit(struct asn1_data *asn1, struct spnego_negTokenInit *token)
123 asn1_push_tag(asn1, ASN1_CONTEXT(0));
124 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
126 /* Write mechTypes */
127 if (token->mechTypes && *token->mechTypes) {
130 asn1_push_tag(asn1, ASN1_CONTEXT(0));
131 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
132 for (i = 0; token->mechTypes[i]; i++) {
133 asn1_write_OID(asn1, token->mechTypes[i]);
140 if (token->reqFlags & SPNEGO_REQ_FLAG) {
141 int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;
143 asn1_push_tag(asn1, ASN1_CONTEXT(1));
144 asn1_write_Integer(asn1, flags);
148 /* write mechToken */
149 if (token->mechToken.data) {
150 asn1_push_tag(asn1, ASN1_CONTEXT(2));
151 asn1_write_OctetString(asn1, token->mechToken.data,
152 token->mechToken.length);
156 /* write mechListMIC */
157 if (token->mechListMIC.data) {
158 asn1_push_tag(asn1, ASN1_CONTEXT(3));
160 /* This is what RFC 2478 says ... */
161 asn1_write_OctetString(asn1, token->mechListMIC.data,
162 token->mechListMIC.length);
164 /* ... but unfortunately this is what Windows
166 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
167 asn1_push_tag(asn1, ASN1_CONTEXT(0));
168 asn1_push_tag(asn1, ASN1_GENERAL_STRING);
169 asn1_write(asn1, token->mechListMIC.data,
170 token->mechListMIC.length);
181 return !asn1->has_error;
184 static BOOL read_negTokenTarg(struct asn1_data *asn1, struct spnego_negTokenTarg *token)
188 asn1_start_tag(asn1, ASN1_CONTEXT(1));
189 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
191 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
193 if (!asn1_peek_uint8(asn1, &context)) {
194 asn1->has_error = True;
199 case ASN1_CONTEXT(0):
200 asn1_start_tag(asn1, ASN1_CONTEXT(0));
201 asn1_start_tag(asn1, ASN1_ENUMERATED);
202 asn1_read_uint8(asn1, &token->negResult);
206 case ASN1_CONTEXT(1):
207 asn1_start_tag(asn1, ASN1_CONTEXT(1));
208 asn1_read_OID(asn1, &token->supportedMech);
211 case ASN1_CONTEXT(2):
212 asn1_start_tag(asn1, ASN1_CONTEXT(2));
213 asn1_read_OctetString(asn1, &token->responseToken);
216 case ASN1_CONTEXT(3):
217 asn1_start_tag(asn1, ASN1_CONTEXT(3));
218 asn1_read_OctetString(asn1, &token->mechListMIC);
222 asn1->has_error = True;
230 return !asn1->has_error;
233 static BOOL write_negTokenTarg(struct asn1_data *asn1, struct spnego_negTokenTarg *token)
235 asn1_push_tag(asn1, ASN1_CONTEXT(1));
236 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
238 if (token->negResult != SPNEGO_NONE_RESULT) {
239 asn1_push_tag(asn1, ASN1_CONTEXT(0));
240 asn1_write_enumerated(asn1, token->negResult);
244 if (token->supportedMech) {
245 asn1_push_tag(asn1, ASN1_CONTEXT(1));
246 asn1_write_OID(asn1, token->supportedMech);
250 if (token->responseToken.data) {
251 asn1_push_tag(asn1, ASN1_CONTEXT(2));
252 asn1_write_OctetString(asn1, token->responseToken.data,
253 token->responseToken.length);
257 if (token->mechListMIC.data) {
258 asn1_push_tag(asn1, ASN1_CONTEXT(3));
259 asn1_write_OctetString(asn1, token->mechListMIC.data,
260 token->mechListMIC.length);
267 return !asn1->has_error;
270 ssize_t spnego_read_data(DATA_BLOB data, struct spnego_data *token)
272 struct asn1_data asn1;
279 if (data.length == 0) {
283 asn1_load(&asn1, data);
285 if (!asn1_peek_uint8(&asn1, &context)) {
286 asn1.has_error = True;
289 case ASN1_APPLICATION(0):
290 asn1_start_tag(&asn1, ASN1_APPLICATION(0));
291 asn1_check_OID(&asn1, GENSEC_OID_SPNEGO);
292 if (read_negTokenInit(&asn1, &token->negTokenInit)) {
293 token->type = SPNEGO_NEG_TOKEN_INIT;
297 case ASN1_CONTEXT(1):
298 if (read_negTokenTarg(&asn1, &token->negTokenTarg)) {
299 token->type = SPNEGO_NEG_TOKEN_TARG;
303 asn1.has_error = True;
308 if (!asn1.has_error) ret = asn1.ofs;
314 ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego)
316 struct asn1_data asn1;
321 switch (spnego->type) {
322 case SPNEGO_NEG_TOKEN_INIT:
323 asn1_push_tag(&asn1, ASN1_APPLICATION(0));
324 asn1_write_OID(&asn1, GENSEC_OID_SPNEGO);
325 write_negTokenInit(&asn1, &spnego->negTokenInit);
328 case SPNEGO_NEG_TOKEN_TARG:
329 write_negTokenTarg(&asn1, &spnego->negTokenTarg);
332 asn1.has_error = True;
336 if (!asn1.has_error) {
337 *blob = data_blob_talloc(mem_ctx, asn1.data, asn1.length);
345 BOOL spnego_free_data(struct spnego_data *spnego)
349 if (!spnego) goto out;
351 switch(spnego->type) {
352 case SPNEGO_NEG_TOKEN_INIT:
353 if (spnego->negTokenInit.mechTypes) {
354 talloc_free(spnego->negTokenInit.mechTypes);
356 data_blob_free(&spnego->negTokenInit.mechToken);
357 data_blob_free(&spnego->negTokenInit.mechListMIC);
358 talloc_free(spnego->negTokenInit.targetPrincipal);
360 case SPNEGO_NEG_TOKEN_TARG:
361 if (spnego->negTokenTarg.supportedMech) {
362 talloc_free(discard_const(spnego->negTokenTarg.supportedMech));
364 data_blob_free(&spnego->negTokenTarg.responseToken);
365 data_blob_free(&spnego->negTokenTarg.mechListMIC);
371 ZERO_STRUCTP(spnego);