0164b0c7401c54e0e555f4f8073169577136dacb
[samba.git] / source / libads / sasl.c
1 /* 
2    Unix SMB/CIFS implementation.
3    ads sasl code
4    Copyright (C) Andrew Tridgell 2001
5    
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 2 of the License, or
9    (at your option) any later version.
10    
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15    
16    You should have received a copy of the GNU General Public License
17    along with this program; if not, write to the Free Software
18    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #ifdef HAVE_LDAP
24
25 /* 
26    perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
27    we fit on one socket??)
28 */
29 static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
30 {
31         const char *mechs[] = {OID_NTLMSSP, NULL};
32         DATA_BLOB msg1 = data_blob(NULL, 0);
33         DATA_BLOB blob, chal1, chal2, auth;
34         uint8 challenge[8];
35         uint8 nthash[24], lmhash[24], sess_key[16];
36         uint32 neg_flags;
37         struct berval cred, *scred = NULL;
38         ADS_STATUS status;
39         int rc;
40
41         if (!ads->auth.password) {
42                 /* No password, don't segfault below... */
43                 return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE);
44         }
45
46         neg_flags = NTLMSSP_NEGOTIATE_UNICODE | 
47                 NTLMSSP_NEGOTIATE_128 | 
48                 NTLMSSP_NEGOTIATE_NTLM;
49
50         memset(sess_key, 0, 16);
51
52         /* generate the ntlmssp negotiate packet */
53         msrpc_gen(&blob, "CddB",
54                   "NTLMSSP",
55                   NTLMSSP_NEGOTIATE,
56                   neg_flags,
57                   sess_key, 16);
58
59         /* and wrap it in a SPNEGO wrapper */
60         msg1 = gen_negTokenTarg(mechs, blob);
61         data_blob_free(&blob);
62
63         cred.bv_val = (char *)msg1.data;
64         cred.bv_len = msg1.length;
65
66         rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
67         if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
68                 status = ADS_ERROR(rc);
69                 goto failed;
70         }
71
72         blob = data_blob(scred->bv_val, scred->bv_len);
73         ber_bvfree(scred);
74
75         /* the server gives us back two challenges */
76         if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
77                 DEBUG(3,("Failed to parse challenges\n"));
78                 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
79                 goto failed;
80         }
81
82         data_blob_free(&blob);
83
84         /* encrypt the password with the challenge */
85         memcpy(challenge, chal1.data + 24, 8);
86         SMBencrypt(ads->auth.password, challenge,lmhash);
87         SMBNTencrypt(ads->auth.password, challenge,nthash);
88
89         data_blob_free(&chal1);
90         data_blob_free(&chal2);
91
92         /* this generates the actual auth packet */
93         msrpc_gen(&blob, "CdBBUUUBd", 
94                   "NTLMSSP", 
95                   NTLMSSP_AUTH, 
96                   lmhash, 24,
97                   nthash, 24,
98                   lp_workgroup(), 
99                   ads->auth.user_name, 
100                   global_myname(),
101                   sess_key, 16,
102                   neg_flags);
103
104         /* wrap it in SPNEGO */
105         auth = spnego_gen_auth(blob);
106
107         data_blob_free(&blob);
108
109         /* Remember to free the msg1 blob. The contents of this
110            have been copied into cred and need freeing before reassignment. */
111         data_blob_free(&msg1);
112
113         /* now send the auth packet and we should be done */
114         cred.bv_val = (char *)auth.data;
115         cred.bv_len = auth.length;
116
117         rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
118
119         ber_bvfree(scred);
120         data_blob_free(&auth);
121         
122         return ADS_ERROR(rc);
123
124 failed:
125
126         /* Remember to free the msg1 blob. The contents of this
127            have been copied into cred and need freeing. */
128         data_blob_free(&msg1);
129
130         if(scred)
131                 ber_bvfree(scred);
132         return status;
133 }
134
135 /* 
136    perform a LDAP/SASL/SPNEGO/KRB5 bind
137 */
138 static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal)
139 {
140         DATA_BLOB blob = data_blob(NULL, 0);
141         struct berval cred, *scred = NULL;
142         DATA_BLOB session_key = data_blob(NULL, 0);
143         int rc;
144
145         rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key);
146
147         if (rc) {
148                 return ADS_ERROR_KRB5(rc);
149         }
150
151         /* now send the auth packet and we should be done */
152         cred.bv_val = (char *)blob.data;
153         cred.bv_len = blob.length;
154
155         rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
156
157         data_blob_free(&blob);
158         data_blob_free(&session_key);
159         if(scred)
160                 ber_bvfree(scred);
161
162         return ADS_ERROR(rc);
163 }
164
165 /* 
166    this performs a SASL/SPNEGO bind
167 */
168 static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
169 {
170         struct berval *scred=NULL;
171         int rc, i;
172         ADS_STATUS status;
173         DATA_BLOB blob;
174         char *principal = NULL;
175         char *OIDs[ASN1_MAX_OIDS];
176 #ifdef HAVE_KRB5
177         BOOL got_kerberos_mechanism = False;
178 #endif
179
180         rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
181
182         if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
183                 status = ADS_ERROR(rc);
184                 goto failed;
185         }
186
187         blob = data_blob(scred->bv_val, scred->bv_len);
188
189         ber_bvfree(scred);
190
191 #if 0
192         file_save("sasl_spnego.dat", blob.data, blob.length);
193 #endif
194
195         /* the server sent us the first part of the SPNEGO exchange in the negprot 
196            reply */
197         if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
198                 data_blob_free(&blob);
199                 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
200                 goto failed;
201         }
202         data_blob_free(&blob);
203
204         /* make sure the server understands kerberos */
205         for (i=0;OIDs[i];i++) {
206                 DEBUG(3,("ads_sasl_spnego_bind: got OID=%s\n", OIDs[i]));
207 #ifdef HAVE_KRB5
208                 if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
209                     strcmp(OIDs[i], OID_KERBEROS5) == 0) {
210                         got_kerberos_mechanism = True;
211                 }
212 #endif
213                 free(OIDs[i]);
214         }
215         DEBUG(3,("ads_sasl_spnego_bind: got server principal name =%s\n", principal));
216
217 #ifdef HAVE_KRB5
218         if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
219             got_kerberos_mechanism) {
220                 status = ads_sasl_spnego_krb5_bind(ads, principal);
221                 if (ADS_ERR_OK(status)) {
222                         SAFE_FREE(principal);
223                         return status;
224                 }
225
226                 status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
227
228                 if (ADS_ERR_OK(status)) {
229                         status = ads_sasl_spnego_krb5_bind(ads, principal);
230                 }
231
232                 /* only fallback to NTLMSSP if allowed */
233                 if (ADS_ERR_OK(status) || 
234                     !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
235                         SAFE_FREE(principal);
236                         return status;
237                 }
238         }
239 #endif
240
241         SAFE_FREE(principal);
242
243         /* lets do NTLMSSP ... this has the big advantage that we don't need
244            to sync clocks, and we don't rely on special versions of the krb5 
245            library for HMAC_MD4 encryption */
246         return ads_sasl_spnego_ntlmssp_bind(ads);
247
248 failed:
249         return status;
250 }
251
252 #ifdef HAVE_GSSAPI
253 #define MAX_GSS_PASSES 3
254
255 /* this performs a SASL/gssapi bind
256    we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
257    is very dependent on correctly configured DNS whereas
258    this routine is much less fragile
259    see RFC2078 and RFC2222 for details
260 */
261 static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
262 {
263         uint32 minor_status;
264         gss_name_t serv_name;
265         gss_buffer_desc input_name;
266         gss_ctx_id_t context_handle;
267         gss_OID mech_type = GSS_C_NULL_OID;
268         gss_buffer_desc output_token, input_token;
269         uint32 ret_flags, conf_state;
270         struct berval cred;
271         struct berval *scred = NULL;
272         int i=0;
273         int gss_rc, rc;
274         uint8 *p;
275         uint32 max_msg_size;
276         char *sname;
277         unsigned sec_layer;
278         ADS_STATUS status;
279         krb5_principal principal;
280         krb5_context ctx = NULL;
281         krb5_enctype enc_types[] = {
282 #ifdef ENCTYPE_ARCFOUR_HMAC
283                         ENCTYPE_ARCFOUR_HMAC,
284 #endif
285                         ENCTYPE_DES_CBC_MD5,
286                         ENCTYPE_NULL};
287         gss_OID_desc nt_principal = 
288         {10, "\052\206\110\206\367\022\001\002\002\002"};
289
290         /* we need to fetch a service ticket as the ldap user in the
291            servers realm, regardless of our realm */
292         asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm);
293         krb5_init_context(&ctx);
294         krb5_set_default_tgs_ktypes(ctx, enc_types);
295         krb5_parse_name(ctx, sname, &principal);
296         free(sname);
297         krb5_free_context(ctx); 
298
299         input_name.value = &principal;
300         input_name.length = sizeof(principal);
301
302         gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
303         if (gss_rc) {
304                 return ADS_ERROR_GSS(gss_rc, minor_status);
305         }
306
307         context_handle = GSS_C_NO_CONTEXT;
308
309         input_token.value = NULL;
310         input_token.length = 0;
311
312         for (i=0; i < MAX_GSS_PASSES; i++) {
313                 gss_rc = gss_init_sec_context(&minor_status,
314                                           GSS_C_NO_CREDENTIAL,
315                                           &context_handle,
316                                           serv_name,
317                                           mech_type,
318                                           GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
319                                           0,
320                                           NULL,
321                                           &input_token,
322                                           NULL,
323                                           &output_token,
324                                           &ret_flags,
325                                           NULL);
326
327                 if (input_token.value) {
328                         gss_release_buffer(&minor_status, &input_token);
329                 }
330
331                 if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
332                         status = ADS_ERROR_GSS(gss_rc, minor_status);
333                         goto failed;
334                 }
335
336                 cred.bv_val = output_token.value;
337                 cred.bv_len = output_token.length;
338
339                 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, 
340                                       &scred);
341                 if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
342                         status = ADS_ERROR(rc);
343                         goto failed;
344                 }
345
346                 if (output_token.value) {
347                         gss_release_buffer(&minor_status, &output_token);
348                 }
349
350                 if (scred) {
351                         input_token.value = scred->bv_val;
352                         input_token.length = scred->bv_len;
353                 } else {
354                         input_token.value = NULL;
355                         input_token.length = 0;
356                 }
357
358                 if (gss_rc == 0) break;
359         }
360
361         gss_release_name(&minor_status, &serv_name);
362
363         gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token,
364                             (int *)&conf_state,NULL);
365         if (gss_rc) {
366                 status = ADS_ERROR_GSS(gss_rc, minor_status);
367                 goto failed;
368         }
369
370         gss_release_buffer(&minor_status, &input_token);
371
372         p = (uint8 *)output_token.value;
373
374         file_save("sasl_gssapi.dat", output_token.value, output_token.length);
375
376         max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3];
377         sec_layer = *p;
378
379         gss_release_buffer(&minor_status, &output_token);
380
381         output_token.value = SMB_MALLOC(strlen(ads->config.bind_path) + 8);
382         p = output_token.value;
383
384         *p++ = 1; /* no sign & seal selection */
385         /* choose the same size as the server gave us */
386         *p++ = max_msg_size>>16;
387         *p++ = max_msg_size>>8;
388         *p++ = max_msg_size;
389         snprintf((char *)p, strlen(ads->config.bind_path)+4, "dn:%s", ads->config.bind_path);
390         p += strlen((const char *)p);
391
392         output_token.length = PTR_DIFF(p, output_token.value);
393
394         gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
395                           &output_token, (int *)&conf_state,
396                           &input_token);
397         if (gss_rc) {
398                 status = ADS_ERROR_GSS(gss_rc, minor_status);
399                 goto failed;
400         }
401
402         free(output_token.value);
403
404         cred.bv_val = input_token.value;
405         cred.bv_len = input_token.length;
406
407         rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL, 
408                               &scred);
409         status = ADS_ERROR(rc);
410
411         gss_release_buffer(&minor_status, &input_token);
412
413 failed:
414         if(scred)
415                 ber_bvfree(scred);
416         return status;
417 }
418 #endif
419
420 /* mapping between SASL mechanisms and functions */
421 static struct {
422         const char *name;
423         ADS_STATUS (*fn)(ADS_STRUCT *);
424 } sasl_mechanisms[] = {
425         {"GSS-SPNEGO", ads_sasl_spnego_bind},
426 #ifdef HAVE_GSSAPI
427         {"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */
428 #endif
429         {NULL, NULL}
430 };
431
432 ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
433 {
434         const char *attrs[] = {"supportedSASLMechanisms", NULL};
435         char **values;
436         ADS_STATUS status;
437         int i, j;
438         void *res;
439
440         /* get a list of supported SASL mechanisms */
441         status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
442         if (!ADS_ERR_OK(status)) return status;
443
444         values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms");
445
446         /* try our supported mechanisms in order */
447         for (i=0;sasl_mechanisms[i].name;i++) {
448                 /* see if the server supports it */
449                 for (j=0;values && values[j];j++) {
450                         if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
451                                 DEBUG(4,("Found SASL mechanism %s\n", values[j]));
452                                 status = sasl_mechanisms[i].fn(ads);
453                                 ldap_value_free(values);
454                                 ldap_msgfree(res);
455                                 return status;
456                         }
457                 }
458         }
459
460         ldap_value_free(values);
461         ldap_msgfree(res);
462         return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
463 }
464
465 #endif
466