auth/gensec/spnego.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    RFC2478 Compliant SPNEGO implementation
   5
   6    Copyright (C) Jim McDonough <jmcd@us.ibm.com>      2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Stefan Metzmacher <metze@samba.org>  2004-2008
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 #include "includes.h"
  26 #include <tevent.h>
  27 #include "lib/util/tevent_ntstatus.h"
  28 #include "../libcli/auth/spnego.h"
  29 #include "librpc/gen_ndr/ndr_dcerpc.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "auth/gensec/gensec.h"
  32 #include "auth/gensec/gensec_internal.h"
  33 #include "param/param.h"
  34 #include "lib/util/asn1.h"
  35 #include "lib/util/base64.h"
  36
  37 #undef strcasecmp
  38
  39 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
  40
  41 enum spnego_state_position {
  42         SPNEGO_SERVER_START,
  43         SPNEGO_CLIENT_START,
  44         SPNEGO_SERVER_TARG,
  45         SPNEGO_CLIENT_TARG,
  46         SPNEGO_FALLBACK,
  47         SPNEGO_DONE
  48 };
  49
  50 struct spnego_state {
  51         enum spnego_message_type expected_packet;
  52         enum spnego_state_position state_position;
  53         struct gensec_security *sub_sec_security;
  54         bool sub_sec_ready;
  55
  56         const char *neg_oid;
  57
  58         DATA_BLOB mech_types;
  59         size_t num_targs;
  60         bool downgraded;
  61         bool mic_requested;
  62         bool needs_mic_sign;
  63         bool needs_mic_check;
  64         bool may_skip_mic_check;
  65         bool done_mic_check;
  66
  67         bool simulate_w2k;
  68
  69         /*
  70          * The following is used to implement
  71          * the update token fragmentation
  72          */
  73         size_t in_needed;
  74         DATA_BLOB in_frag;
  75         size_t out_max_length;
  76         DATA_BLOB out_frag;
  77         NTSTATUS out_status;
  78 };
  79
  80 static void gensec_spnego_update_sub_abort(struct spnego_state *spnego_state)
  81 {
  82         spnego_state->sub_sec_ready = false;
  83         TALLOC_FREE(spnego_state->sub_sec_security);
  84 }
  85
  86 static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
  87 {
  88         struct spnego_state *spnego_state;
  89
  90         spnego_state = talloc_zero(gensec_security, struct spnego_state);
  91         if (!spnego_state) {
  92                 return NT_STATUS_NO_MEMORY;
  93         }
  94
  95         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
  96         spnego_state->state_position = SPNEGO_CLIENT_START;
  97         spnego_state->sub_sec_security = NULL;
  98         spnego_state->sub_sec_ready = false;
  99         spnego_state->mech_types = data_blob_null;
 100         spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 101         spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 102
 103         spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 104                                                 "spnego", "simulate_w2k", false);
 105
 106         gensec_security->private_data = spnego_state;
 107         return NT_STATUS_OK;
 108 }
 109
 110 static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
 111 {
 112         struct spnego_state *spnego_state;
 113
 114         spnego_state = talloc_zero(gensec_security, struct spnego_state);
 115         if (!spnego_state) {
 116                 return NT_STATUS_NO_MEMORY;
 117         }
 118
 119         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 120         spnego_state->state_position = SPNEGO_SERVER_START;
 121         spnego_state->sub_sec_security = NULL;
 122         spnego_state->sub_sec_ready = false;
 123         spnego_state->mech_types = data_blob_null;
 124         spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 125         spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 126
 127         spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 128                                                 "spnego", "simulate_w2k", false);
 129
 130         gensec_security->private_data = spnego_state;
 131         return NT_STATUS_OK;
 132 }
 133
 134 /** Fallback to another GENSEC mechanism, based on magic strings
 135  *
 136  * This is the 'fallback' case, where we don't get SPNEGO, and have to
 137  * try all the other options (and hope they all have a magic string
 138  * they check)
 139 */
 140
 141 static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
 142                                                   struct spnego_state *spnego_state,
 143                                                   TALLOC_CTX *mem_ctx,
 144                                                   const DATA_BLOB in)
 145 {
 146         int i,j;
 147         const struct gensec_security_ops **all_ops;
 148
 149         all_ops = gensec_security_mechs(gensec_security, mem_ctx);
 150
 151         for (i=0; all_ops && all_ops[i]; i++) {
 152                 bool is_spnego;
 153                 NTSTATUS nt_status;
 154
 155                 if (gensec_security != NULL &&
 156                     !gensec_security_ops_enabled(all_ops[i], gensec_security))
 157                 {
 158                         continue;
 159                 }
 160
 161                 if (!all_ops[i]->oid) {
 162                         continue;
 163                 }
 164
 165                 is_spnego = false;
 166                 for (j=0; all_ops[i]->oid[j]; j++) {
 167                         if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
 168                                 is_spnego = true;
 169                         }
 170                 }
 171                 if (is_spnego) {
 172                         continue;
 173                 }
 174
 175                 if (!all_ops[i]->magic) {
 176                         continue;
 177                 }
 178
 179                 nt_status = all_ops[i]->magic(gensec_security, &in);
 180                 if (!NT_STATUS_IS_OK(nt_status)) {
 181                         continue;
 182                 }
 183
 184                 spnego_state->state_position = SPNEGO_FALLBACK;
 185
 186                 nt_status = gensec_subcontext_start(spnego_state,
 187                                                     gensec_security,
 188                                                     &spnego_state->sub_sec_security);
 189
 190                 if (!NT_STATUS_IS_OK(nt_status)) {
 191                         return nt_status;
 192                 }
 193                 /* select the sub context */
 194                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 195                                                      all_ops[i]);
 196                 if (!NT_STATUS_IS_OK(nt_status)) {
 197                         return nt_status;
 198                 }
 199
 200                 return NT_STATUS_OK;
 201         }
 202         DEBUG(1, ("Failed to parse SPNEGO request\n"));
 203         return NT_STATUS_INVALID_PARAMETER;
 204 }
 205
 206 /*
 207    Parse the netTokenInit, either from the client, to the server, or
 208    from the server to the client.
 209 */
 210
 211 static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security,
 212                                                  struct spnego_state *spnego_state,
 213                                                  TALLOC_CTX *out_mem_ctx,
 214                                                  struct tevent_context *ev,
 215                                                  struct spnego_data *spnego_in,
 216                                                  DATA_BLOB *unwrapped_out)
 217 {
 218         int i;
 219         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 220         const char * const *mechType = NULL;
 221         DATA_BLOB unwrapped_in = data_blob_null;
 222         bool ok;
 223         const struct gensec_security_ops_wrapper *all_sec = NULL;
 224
 225         if (spnego_in->type != SPNEGO_NEG_TOKEN_INIT) {
 226                 return NT_STATUS_INTERNAL_ERROR;
 227         }
 228
 229         mechType = spnego_in->negTokenInit.mechTypes;
 230         unwrapped_in = spnego_in->negTokenInit.mechToken;
 231
 232         all_sec = gensec_security_by_oid_list(gensec_security,
 233                                               out_mem_ctx,
 234                                               mechType,
 235                                               GENSEC_OID_SPNEGO);
 236
 237         ok = spnego_write_mech_types(spnego_state,
 238                                      mechType,
 239                                      &spnego_state->mech_types);
 240         if (!ok) {
 241                 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 242                 return NT_STATUS_NO_MEMORY;
 243         }
 244
 245         if (spnego_state->state_position == SPNEGO_SERVER_START) {
 246                 uint32_t j;
 247                 for (j=0; mechType && mechType[j]; j++) {
 248                         for (i=0; all_sec && all_sec[i].op; i++) {
 249                                 if (strcmp(mechType[j], all_sec[i].oid) != 0) {
 250                                         continue;
 251                                 }
 252
 253                                 nt_status = gensec_subcontext_start(spnego_state,
 254                                                                     gensec_security,
 255                                                                     &spnego_state->sub_sec_security);
 256                                 if (!NT_STATUS_IS_OK(nt_status)) {
 257                                         return nt_status;
 258                                 }
 259                                 /* select the sub context */
 260                                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 261                                                                      all_sec[i].op);
 262                                 if (!NT_STATUS_IS_OK(nt_status)) {
 263                                         /*
 264                                          * Pretend we never started it
 265                                          */
 266                                         gensec_spnego_update_sub_abort(spnego_state);
 267                                         break;
 268                                 }
 269
 270                                 if (j > 0) {
 271                                         /* no optimistic token */
 272                                         spnego_state->neg_oid = all_sec[i].oid;
 273                                         *unwrapped_out = data_blob_null;
 274                                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 275                                         /*
 276                                          * Indicate the downgrade and request a
 277                                          * mic.
 278                                          */
 279                                         spnego_state->downgraded = true;
 280                                         spnego_state->mic_requested = true;
 281                                         break;
 282                                 }
 283
 284                                 nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 285                                                           out_mem_ctx,
 286                                                           ev,
 287                                                           unwrapped_in,
 288                                                           unwrapped_out);
 289                                 if (NT_STATUS_IS_OK(nt_status)) {
 290                                         spnego_state->sub_sec_ready = true;
 291                                 }
 292                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 293                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 294
 295                                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
 296                                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 297
 298                                         /*
 299                                          * Pretend we never started it
 300                                          */
 301                                         gensec_spnego_update_sub_abort(spnego_state);
 302                                         break;
 303                                 }
 304
 305                                 spnego_state->neg_oid = all_sec[i].oid;
 306                                 break;
 307                         }
 308                         if (spnego_state->sub_sec_security) {
 309                                 break;
 310                         }
 311                 }
 312
 313                 if (!spnego_state->sub_sec_security) {
 314                         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 315                         return NT_STATUS_INVALID_PARAMETER;
 316                 }
 317         }
 318
 319         /* Having tried any optimistic token from the client (if we
 320          * were the server), if we didn't get anywhere, walk our list
 321          * in our preference order */
 322         unwrapped_in = data_blob_null;
 323
 324         if (!spnego_state->sub_sec_security) {
 325                 for (i=0; all_sec && all_sec[i].op; i++) {
 326                         nt_status = gensec_subcontext_start(spnego_state,
 327                                                             gensec_security,
 328                                                             &spnego_state->sub_sec_security);
 329                         if (!NT_STATUS_IS_OK(nt_status)) {
 330                                 return nt_status;
 331                         }
 332                         /* select the sub context */
 333                         nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 334                                                              all_sec[i].op);
 335                         if (!NT_STATUS_IS_OK(nt_status)) {
 336                                 /*
 337                                  * Pretend we never started it.
 338                                  */
 339                                 gensec_spnego_update_sub_abort(spnego_state);
 340                                 continue;
 341                         }
 342
 343                         spnego_state->neg_oid = all_sec[i].oid;
 344
 345                         /* only get the helping start blob for the first OID */
 346                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 347                                                   out_mem_ctx,
 348                                                   ev,
 349                                                   unwrapped_in,
 350                                                   unwrapped_out);
 351                         if (NT_STATUS_IS_OK(nt_status)) {
 352                                 spnego_state->sub_sec_ready = true;
 353                         }
 354
 355                         /* it is likely that a NULL input token will
 356                          * not be liked by most server mechs, but if
 357                          * we are in the client, we want the first
 358                          * update packet to be able to abort the use
 359                          * of this mech */
 360                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
 361                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 362                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
 363                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 364                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 365                                         const char *next = NULL;
 366                                         const char *principal = NULL;
 367                                         int dbg_level = DBGLVL_WARNING;
 368
 369                                         if (all_sec[i+1].op != NULL) {
 370                                                 next = all_sec[i+1].op->name;
 371                                                 dbg_level = DBGLVL_NOTICE;
 372                                         }
 373
 374                                         if (gensec_security->target.principal != NULL) {
 375                                                 principal = gensec_security->target.principal;
 376                                         } else if (gensec_security->target.service != NULL &&
 377                                                    gensec_security->target.hostname != NULL)
 378                                         {
 379                                                 principal = talloc_asprintf(spnego_state->sub_sec_security,
 380                                                                             "%s/%s",
 381                                                                             gensec_security->target.service,
 382                                                                             gensec_security->target.hostname);
 383                                         } else {
 384                                                 principal = gensec_security->target.hostname;
 385                                         }
 386
 387                                         DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
 388                                                           spnego_state->sub_sec_security->ops->name,
 389                                                           principal,
 390                                                           next, nt_errstr(nt_status)));
 391
 392                                         /*
 393                                          * Pretend we never started it.
 394                                          */
 395                                         gensec_spnego_update_sub_abort(spnego_state);
 396                                         continue;
 397                                 }
 398                         }
 399
 400                         break;
 401                 }
 402         }
 403
 404         if (spnego_state->sub_sec_security) {
 405                 /* it is likely that a NULL input token will
 406                  * not be liked by most server mechs, but this
 407                  * does the right thing in the CIFS client.
 408                  * just push us along the merry-go-round
 409                  * again, and hope for better luck next
 410                  * time */
 411
 412                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
 413                         *unwrapped_out = data_blob_null;
 414                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 415                 }
 416
 417                 if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 418                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
 419                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 420
 421                         /* We started the mech correctly, and the
 422                          * input from the other side was valid.
 423                          * Return the error (say bad password, invalid
 424                          * ticket) */
 425                         gensec_spnego_update_sub_abort(spnego_state);
 426                         return nt_status;
 427                 }
 428
 429                 return nt_status; /* OK or MORE PROCESSING */
 430         }
 431
 432         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 433         /* we could re-negotiate here, but it would only work
 434          * if the client or server lied about what it could
 435          * support the first time.  Lets keep this code to
 436          * reality */
 437
 438         return nt_status;
 439 }
 440
 441 /** create a negTokenInit
 442  *
 443  * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
 444 */
 445 static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security,
 446                                                   struct spnego_state *spnego_state,
 447                                                   TALLOC_CTX *out_mem_ctx,
 448                                                   struct tevent_context *ev,
 449                                                   DATA_BLOB *out)
 450 {
 451         int i;
 452         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 453         const char **mechTypes = NULL;
 454         DATA_BLOB unwrapped_out = data_blob_null;
 455         const struct gensec_security_ops_wrapper *all_sec;
 456
 457         mechTypes = gensec_security_oids(gensec_security,
 458                                          out_mem_ctx, GENSEC_OID_SPNEGO);
 459
 460         all_sec = gensec_security_by_oid_list(gensec_security,
 461                                               out_mem_ctx,
 462                                               mechTypes,
 463                                               GENSEC_OID_SPNEGO);
 464         for (i=0; all_sec && all_sec[i].op; i++) {
 465                 struct spnego_data spnego_out;
 466                 const char **send_mech_types;
 467                 bool ok;
 468
 469                 nt_status = gensec_subcontext_start(spnego_state,
 470                                                     gensec_security,
 471                                                     &spnego_state->sub_sec_security);
 472                 if (!NT_STATUS_IS_OK(nt_status)) {
 473                         return nt_status;
 474                 }
 475                 /* select the sub context */
 476                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 477                                                      all_sec[i].op);
 478                 if (!NT_STATUS_IS_OK(nt_status)) {
 479                         gensec_spnego_update_sub_abort(spnego_state);
 480                         continue;
 481                 }
 482
 483                 /* In the client, try and produce the first (optimistic) packet */
 484                 if (spnego_state->state_position == SPNEGO_CLIENT_START) {
 485                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 486                                                   out_mem_ctx,
 487                                                   ev,
 488                                                   data_blob_null,
 489                                                   &unwrapped_out);
 490                         if (NT_STATUS_IS_OK(nt_status)) {
 491                                 spnego_state->sub_sec_ready = true;
 492                         }
 493
 494                         if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 495                                 const char *next = NULL;
 496                                 const char *principal = NULL;
 497                                 int dbg_level = DBGLVL_WARNING;
 498
 499                                 if (all_sec[i+1].op != NULL) {
 500                                         next = all_sec[i+1].op->name;
 501                                         dbg_level = DBGLVL_NOTICE;
 502                                 }
 503
 504                                 if (gensec_security->target.principal != NULL) {
 505                                         principal = gensec_security->target.principal;
 506                                 } else if (gensec_security->target.service != NULL &&
 507                                            gensec_security->target.hostname != NULL)
 508                                 {
 509                                         principal = talloc_asprintf(spnego_state->sub_sec_security,
 510                                                                     "%s/%s",
 511                                                                     gensec_security->target.service,
 512                                                                     gensec_security->target.hostname);
 513                                 } else {
 514                                         principal = gensec_security->target.hostname;
 515                                 }
 516
 517                                 DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
 518                                           spnego_state->sub_sec_security->ops->name,
 519                                           principal,
 520                                           next, nt_errstr(nt_status)));
 521
 522                                 /*
 523                                  * Pretend we never started it
 524                                  */
 525                                 gensec_spnego_update_sub_abort(spnego_state);
 526                                 continue;
 527                         }
 528                 }
 529
 530                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 531
 532                 send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
 533                                                                         &all_sec[i]);
 534
 535                 ok = spnego_write_mech_types(spnego_state,
 536                                              send_mech_types,
 537                                              &spnego_state->mech_types);
 538                 if (!ok) {
 539                         DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 540                         return NT_STATUS_NO_MEMORY;
 541                 }
 542
 543                 /* List the remaining mechs as options */
 544                 spnego_out.negTokenInit.mechTypes = send_mech_types;
 545                 spnego_out.negTokenInit.reqFlags = data_blob_null;
 546                 spnego_out.negTokenInit.reqFlagsPadding = 0;
 547
 548                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 549                         spnego_out.negTokenInit.mechListMIC
 550                                 = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
 551                 } else {
 552                         spnego_out.negTokenInit.mechListMIC = data_blob_null;
 553                 }
 554
 555                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 556
 557                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 558                         DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
 559                                 return NT_STATUS_INVALID_PARAMETER;
 560                 }
 561
 562                 /* set next state */
 563                 spnego_state->neg_oid = all_sec[i].oid;
 564
 565                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 566                         spnego_state->state_position = SPNEGO_SERVER_START;
 567                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 568                 } else {
 569                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 570                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 571                 }
 572
 573                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 574         }
 575         gensec_spnego_update_sub_abort(spnego_state);
 576
 577         DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 578         return nt_status;
 579 }
 580
 581
 582 /** create a server negTokenTarg
 583  *
 584  * This is the case, where the client is the first one who sends data
 585 */
 586
 587 static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
 588                                               TALLOC_CTX *out_mem_ctx,
 589                                               NTSTATUS nt_status,
 590                                               const DATA_BLOB unwrapped_out,
 591                                               DATA_BLOB mech_list_mic,
 592                                               DATA_BLOB *out)
 593 {
 594         struct spnego_data spnego_out;
 595
 596         /* compose reply */
 597         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 598         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 599         spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
 600         spnego_out.negTokenTarg.supportedMech = NULL;
 601
 602         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 603                 spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 604                 if (spnego_state->mic_requested) {
 605                         spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
 606                         spnego_state->mic_requested = false;
 607                 } else {
 608                         spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
 609                 }
 610                 spnego_state->state_position = SPNEGO_SERVER_TARG;
 611         } else if (NT_STATUS_IS_OK(nt_status)) {
 612                 if (unwrapped_out.data) {
 613                         spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 614                 }
 615                 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
 616                 spnego_state->state_position = SPNEGO_DONE;
 617         } else {
 618                 spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
 619                 spnego_out.negTokenTarg.mechListMIC = data_blob_null;
 620                 DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
 621                 spnego_state->state_position = SPNEGO_DONE;
 622         }
 623
 624         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 625                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 626                 return NT_STATUS_INVALID_PARAMETER;
 627         }
 628
 629         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 630         spnego_state->num_targs++;
 631
 632         return nt_status;
 633 }
 634
 635 static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
 636                                             TALLOC_CTX *out_mem_ctx,
 637                                             struct tevent_context *ev,
 638                                             struct spnego_data *spnego_in,
 639                                             DATA_BLOB *out)
 640 {
 641         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
 642         DATA_BLOB mech_list_mic = data_blob_null;
 643         DATA_BLOB unwrapped_out = data_blob_null;
 644         struct spnego_data spnego_out;
 645
 646         *out = data_blob_null;
 647
 648         /* and switch into the state machine */
 649
 650         switch (spnego_state->state_position) {
 651         case SPNEGO_CLIENT_START:
 652         {
 653                 /* The server offers a list of mechanisms */
 654
 655                 const char *my_mechs[] = {NULL, NULL};
 656                 NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 657                 bool ok;
 658                 const char *tp = NULL;
 659
 660                 tp = spnego_in->negTokenInit.targetPrincipal;
 661                 if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
 662                         DEBUG(5, ("Server claims it's principal name is %s\n", tp));
 663                         if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
 664                                 gensec_set_target_principal(gensec_security, tp);
 665                         }
 666                 }
 667
 668                 nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
 669                                                              spnego_state,
 670                                                              out_mem_ctx,
 671                                                              ev,
 672                                                              spnego_in,
 673                                                              &unwrapped_out);
 674
 675                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
 676                         return nt_status;
 677                 }
 678
 679                 my_mechs[0] = spnego_state->neg_oid;
 680                 /* compose reply */
 681                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 682                 spnego_out.negTokenInit.mechTypes = my_mechs;
 683                 spnego_out.negTokenInit.reqFlags = data_blob_null;
 684                 spnego_out.negTokenInit.reqFlagsPadding = 0;
 685                 spnego_out.negTokenInit.mechListMIC = data_blob_null;
 686                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 687
 688                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 689                         DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
 690                                 return NT_STATUS_INVALID_PARAMETER;
 691                 }
 692
 693                 ok = spnego_write_mech_types(spnego_state,
 694                                              my_mechs,
 695                                              &spnego_state->mech_types);
 696                 if (!ok) {
 697                         DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 698                         return NT_STATUS_NO_MEMORY;
 699                 }
 700
 701                 /* set next state */
 702                 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 703                 spnego_state->state_position = SPNEGO_CLIENT_TARG;
 704
 705                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 706         }
 707
 708         case SPNEGO_CLIENT_TARG:
 709         {
 710                 NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
 711                 const struct spnego_negTokenTarg *ta =
 712                         &spnego_in->negTokenTarg;
 713
 714                 spnego_state->num_targs++;
 715
 716                 if (ta->negResult == SPNEGO_REJECT) {
 717                         return NT_STATUS_LOGON_FAILURE;
 718                 }
 719
 720                 if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
 721                         spnego_state->mic_requested = true;
 722                 }
 723
 724                 /* Server didn't like our choice of mech, and chose something else */
 725                 if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
 726                      (ta->negResult == SPNEGO_REQUEST_MIC)) &&
 727                     ta->supportedMech != NULL&&
 728                     strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) {
 729                         DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 730                                  gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 731                                  gensec_get_name_by_oid(gensec_security, ta->supportedMech)));
 732                         spnego_state->downgraded = true;
 733                         gensec_spnego_update_sub_abort(spnego_state);
 734                         nt_status = gensec_subcontext_start(spnego_state,
 735                                                             gensec_security,
 736                                                             &spnego_state->sub_sec_security);
 737                         if (!NT_STATUS_IS_OK(nt_status)) {
 738                                 return nt_status;
 739                         }
 740                         /* select the sub context */
 741                         nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
 742                                                              ta->supportedMech);
 743                         if (!NT_STATUS_IS_OK(nt_status)) {
 744                                 return nt_status;
 745                         }
 746
 747                         spnego_state->neg_oid = talloc_strdup(spnego_state,
 748                                                 ta->supportedMech);
 749                         if (spnego_state->neg_oid == NULL) {
 750                                 return NT_STATUS_NO_MEMORY;
 751                         };
 752                 }
 753
 754                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 755                         DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
 756                         const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
 757
 758                         /*
 759                          * Windows 2000 has a bug, it repeats the
 760                          * responseToken in the mechListMIC field.
 761                          */
 762                         if (m->length == r->length) {
 763                                 int cmp;
 764
 765                                 cmp = memcmp(m->data, r->data, m->length);
 766                                 if (cmp == 0) {
 767                                         data_blob_free(m);
 768                                 }
 769                         }
 770                 }
 771
 772                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 773                         if (spnego_state->sub_sec_ready) {
 774                                 spnego_state->needs_mic_check = true;
 775                         }
 776                 }
 777
 778                 if (spnego_state->needs_mic_check) {
 779                         if (spnego_in->negTokenTarg.responseToken.length != 0) {
 780                                 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
 781                                 return NT_STATUS_INVALID_PARAMETER;
 782                         }
 783
 784                         if (spnego_in->negTokenTarg.mechListMIC.length == 0
 785                             && spnego_state->may_skip_mic_check) {
 786                                 /*
 787                                  * In this case we don't require
 788                                  * a mechListMIC from the server.
 789                                  *
 790                                  * This works around bugs in the Azure
 791                                  * and Apple spnego implementations.
 792                                  *
 793                                  * See
 794                                  * https://bugzilla.samba.org/show_bug.cgi?id=11994
 795                                  */
 796                                 spnego_state->needs_mic_check = false;
 797                                 nt_status = NT_STATUS_OK;
 798                                 goto client_response;
 799                         }
 800
 801                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 802                                                         spnego_state->mech_types.data,
 803                                                         spnego_state->mech_types.length,
 804                                                         spnego_state->mech_types.data,
 805                                                         spnego_state->mech_types.length,
 806                                                         &spnego_in->negTokenTarg.mechListMIC);
 807                         if (!NT_STATUS_IS_OK(nt_status)) {
 808                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
 809                                         nt_errstr(nt_status)));
 810                                 return nt_status;
 811                         }
 812                         spnego_state->needs_mic_check = false;
 813                         spnego_state->done_mic_check = true;
 814                         goto client_response;
 815                 }
 816
 817                 if (!spnego_state->sub_sec_ready) {
 818                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 819                                                   out_mem_ctx, ev,
 820                                                   spnego_in->negTokenTarg.responseToken,
 821                                                   &unwrapped_out);
 822                         if (NT_STATUS_IS_OK(nt_status)) {
 823                                 spnego_state->sub_sec_ready = true;
 824                         }
 825                         if (!NT_STATUS_IS_OK(nt_status)) {
 826                                 goto client_response;
 827                         }
 828                 } else {
 829                         nt_status = NT_STATUS_OK;
 830                 }
 831
 832                 if (!spnego_state->done_mic_check) {
 833                         bool have_sign = true;
 834                         bool new_spnego = false;
 835
 836                         have_sign = gensec_have_feature(spnego_state->sub_sec_security,
 837                                                         GENSEC_FEATURE_SIGN);
 838                         if (spnego_state->simulate_w2k) {
 839                                 have_sign = false;
 840                         }
 841                         new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 842                                                          GENSEC_FEATURE_NEW_SPNEGO);
 843
 844                         switch (spnego_in->negTokenTarg.negResult) {
 845                         case SPNEGO_ACCEPT_COMPLETED:
 846                         case SPNEGO_NONE_RESULT:
 847                                 if (spnego_state->num_targs == 1) {
 848                                         /*
 849                                          * the first exchange doesn't require
 850                                          * verification
 851                                          */
 852                                         new_spnego = false;
 853                                 }
 854
 855                                 break;
 856
 857                         case SPNEGO_ACCEPT_INCOMPLETE:
 858                                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 859                                         new_spnego = true;
 860                                         break;
 861                                 }
 862
 863                                 if (spnego_state->downgraded) {
 864                                         /*
 865                                          * A downgrade should be protected if
 866                                          * supported
 867                                          */
 868                                         break;
 869                                 }
 870
 871                                 /*
 872                                  * The caller may just asked for
 873                                  * GENSEC_FEATURE_SESSION_KEY, this
 874                                  * is only reflected in the want_features.
 875                                  *
 876                                  * As it will imply
 877                                  * gensec_have_features(GENSEC_FEATURE_SIGN)
 878                                  * to return true.
 879                                  */
 880                                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 881                                         break;
 882                                 }
 883                                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 884                                         break;
 885                                 }
 886                                 /*
 887                                  * Here we're sure our preferred mech was
 888                                  * selected by the server and our caller doesn't
 889                                  * need GENSEC_FEATURE_SIGN nor
 890                                  * GENSEC_FEATURE_SEAL support.
 891                                  *
 892                                  * In this case we don't require
 893                                  * a mechListMIC from the server.
 894                                  *
 895                                  * This works around bugs in the Azure
 896                                  * and Apple spnego implementations.
 897                                  *
 898                                  * See
 899                                  * https://bugzilla.samba.org/show_bug.cgi?id=11994
 900                                  */
 901                                 spnego_state->may_skip_mic_check = true;
 902                                 break;
 903
 904                         case SPNEGO_REQUEST_MIC:
 905                                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 906                                         new_spnego = true;
 907                                 }
 908                                 break;
 909                         default:
 910                                 break;
 911                         }
 912
 913                         if (spnego_state->mic_requested) {
 914                                 if (have_sign) {
 915                                         new_spnego = true;
 916                                 }
 917                         }
 918
 919                         if (have_sign && new_spnego) {
 920                                 spnego_state->needs_mic_check = true;
 921                                 spnego_state->needs_mic_sign = true;
 922                         }
 923                 }
 924
 925                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 926                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 927                                                         spnego_state->mech_types.data,
 928                                                         spnego_state->mech_types.length,
 929                                                         spnego_state->mech_types.data,
 930                                                         spnego_state->mech_types.length,
 931                                                         &spnego_in->negTokenTarg.mechListMIC);
 932                         if (!NT_STATUS_IS_OK(nt_status)) {
 933                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
 934                                         nt_errstr(nt_status)));
 935                                 return nt_status;
 936                         }
 937                         spnego_state->needs_mic_check = false;
 938                         spnego_state->done_mic_check = true;
 939                 }
 940
 941                 if (spnego_state->needs_mic_sign) {
 942                         nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
 943                                                        out_mem_ctx,
 944                                                        spnego_state->mech_types.data,
 945                                                        spnego_state->mech_types.length,
 946                                                        spnego_state->mech_types.data,
 947                                                        spnego_state->mech_types.length,
 948                                                        &mech_list_mic);
 949                         if (!NT_STATUS_IS_OK(nt_status)) {
 950                                 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
 951                                         nt_errstr(nt_status)));
 952                                 return nt_status;
 953                         }
 954                         spnego_state->needs_mic_sign = false;
 955                 }
 956
 957                 if (spnego_state->needs_mic_check) {
 958                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 959                 }
 960
 961  client_response:
 962                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
 963                         && !NT_STATUS_IS_OK(nt_status)) {
 964                         DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
 965                                   spnego_state->sub_sec_security->ops->name,
 966                                   nt_errstr(nt_status)));
 967                         return nt_status;
 968                 }
 969
 970                 if (unwrapped_out.length || mech_list_mic.length) {
 971                         /* compose reply */
 972                         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 973                         spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
 974                         spnego_out.negTokenTarg.supportedMech = NULL;
 975                         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 976                         spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
 977
 978                         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 979                                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 980                                 return NT_STATUS_INVALID_PARAMETER;
 981                         }
 982
 983                         spnego_state->num_targs++;
 984                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 985                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 986                 } else {
 987
 988                         /* all done - server has accepted, and we agree */
 989                         *out = data_blob_null;
 990
 991                         if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
 992                                 /* unless of course it did not accept */
 993                                 DEBUG(1,("gensec_update ok but not accepted\n"));
 994                                 nt_status = NT_STATUS_INVALID_PARAMETER;
 995                         }
 996
 997                         spnego_state->state_position = SPNEGO_DONE;
 998                 }
 999
1000                 return nt_status;
1001         }
1002
1003         default:
1004                 break;
1005         }
1006
1007         smb_panic(__location__);
1008         return NT_STATUS_INTERNAL_ERROR;
1009 }
1010
1011 static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
1012                                             TALLOC_CTX *out_mem_ctx,
1013                                             struct tevent_context *ev,
1014                                             struct spnego_data *spnego_in,
1015                                             DATA_BLOB *out)
1016 {
1017         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1018         DATA_BLOB mech_list_mic = data_blob_null;
1019         DATA_BLOB unwrapped_out = data_blob_null;
1020
1021         /* and switch into the state machine */
1022
1023         switch (spnego_state->state_position) {
1024         case SPNEGO_SERVER_START:
1025         {
1026                 NTSTATUS nt_status;
1027
1028                 nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
1029                                                              spnego_state,
1030                                                              out_mem_ctx,
1031                                                              ev,
1032                                                              spnego_in,
1033                                                              &unwrapped_out);
1034
1035                 if (spnego_state->simulate_w2k) {
1036                         /*
1037                          * Windows 2000 returns the unwrapped token
1038                          * also in the mech_list_mic field.
1039                          *
1040                          * In order to verify our client code,
1041                          * we need a way to have a server with this
1042                          * broken behaviour
1043                          */
1044                         mech_list_mic = unwrapped_out;
1045                 }
1046
1047                 nt_status = gensec_spnego_server_response(spnego_state,
1048                                                           out_mem_ctx,
1049                                                           nt_status,
1050                                                           unwrapped_out,
1051                                                           mech_list_mic,
1052                                                           out);
1053
1054                 return nt_status;
1055         }
1056
1057         case SPNEGO_SERVER_TARG:
1058         {
1059                 NTSTATUS nt_status;
1060                 bool have_sign = true;
1061                 bool new_spnego = false;
1062
1063                 spnego_state->num_targs++;
1064
1065                 if (!spnego_state->sub_sec_security) {
1066                         DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
1067                         return NT_STATUS_INVALID_PARAMETER;
1068                 }
1069
1070                 if (spnego_state->needs_mic_check) {
1071                         if (spnego_in->negTokenTarg.responseToken.length != 0) {
1072                                 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
1073                                 return NT_STATUS_INVALID_PARAMETER;
1074                         }
1075
1076                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1077                                                         spnego_state->mech_types.data,
1078                                                         spnego_state->mech_types.length,
1079                                                         spnego_state->mech_types.data,
1080                                                         spnego_state->mech_types.length,
1081                                                         &spnego_in->negTokenTarg.mechListMIC);
1082                         if (NT_STATUS_IS_OK(nt_status)) {
1083                                 spnego_state->needs_mic_check = false;
1084                                 spnego_state->done_mic_check = true;
1085                         } else {
1086                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1087                                         nt_errstr(nt_status)));
1088                         }
1089                         goto server_response;
1090                 }
1091
1092                 if (!spnego_state->sub_sec_ready) {
1093                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
1094                                                      out_mem_ctx, ev,
1095                                                      spnego_in->negTokenTarg.responseToken,
1096                                                      &unwrapped_out);
1097                         if (NT_STATUS_IS_OK(nt_status)) {
1098                                 spnego_state->sub_sec_ready = true;
1099                         }
1100                         if (!NT_STATUS_IS_OK(nt_status)) {
1101                                 goto server_response;
1102                         }
1103                 } else {
1104                         nt_status = NT_STATUS_OK;
1105                 }
1106
1107                 have_sign = gensec_have_feature(spnego_state->sub_sec_security,
1108                                                 GENSEC_FEATURE_SIGN);
1109                 if (spnego_state->simulate_w2k) {
1110                         have_sign = false;
1111                 }
1112                 new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
1113                                                  GENSEC_FEATURE_NEW_SPNEGO);
1114                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
1115                         new_spnego = true;
1116                 }
1117
1118                 if (have_sign && new_spnego) {
1119                         spnego_state->needs_mic_check = true;
1120                         spnego_state->needs_mic_sign = true;
1121                 }
1122
1123                 if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
1124                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1125                                                         spnego_state->mech_types.data,
1126                                                         spnego_state->mech_types.length,
1127                                                         spnego_state->mech_types.data,
1128                                                         spnego_state->mech_types.length,
1129                                                         &spnego_in->negTokenTarg.mechListMIC);
1130                         if (!NT_STATUS_IS_OK(nt_status)) {
1131                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1132                                         nt_errstr(nt_status)));
1133                                 goto server_response;
1134                         }
1135
1136                         spnego_state->needs_mic_check = false;
1137                         spnego_state->done_mic_check = true;
1138                 }
1139
1140                 if (spnego_state->needs_mic_sign) {
1141                         nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
1142                                                        out_mem_ctx,
1143                                                        spnego_state->mech_types.data,
1144                                                        spnego_state->mech_types.length,
1145                                                        spnego_state->mech_types.data,
1146                                                        spnego_state->mech_types.length,
1147                                                        &mech_list_mic);
1148                         if (!NT_STATUS_IS_OK(nt_status)) {
1149                                 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
1150                                         nt_errstr(nt_status)));
1151                                 goto server_response;
1152                         }
1153                         spnego_state->needs_mic_sign = false;
1154                 }
1155
1156                 if (spnego_state->needs_mic_check) {
1157                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1158                 }
1159
1160  server_response:
1161                 nt_status = gensec_spnego_server_response(spnego_state,
1162                                                           out_mem_ctx,
1163                                                           nt_status,
1164                                                           unwrapped_out,
1165                                                           mech_list_mic,
1166                                                           out);
1167
1168                 return nt_status;
1169         }
1170
1171         default:
1172                 break;
1173         }
1174
1175         smb_panic(__location__);
1176         return NT_STATUS_INTERNAL_ERROR;
1177 }
1178
1179 struct gensec_spnego_update_state {
1180         struct gensec_security *gensec;
1181         struct spnego_state *spnego;
1182         DATA_BLOB full_in;
1183         struct spnego_data _spnego_in;
1184         struct spnego_data *spnego_in;
1185         NTSTATUS status;
1186         DATA_BLOB out;
1187 };
1188
1189 static void gensec_spnego_update_cleanup(struct tevent_req *req,
1190                                          enum tevent_req_state req_state)
1191 {
1192         struct gensec_spnego_update_state *state =
1193                 tevent_req_data(req,
1194                 struct gensec_spnego_update_state);
1195
1196         switch (req_state) {
1197         case TEVENT_REQ_USER_ERROR:
1198         case TEVENT_REQ_TIMED_OUT:
1199         case TEVENT_REQ_NO_MEMORY:
1200                 /*
1201                  * A fatal error, further updates are not allowed.
1202                  */
1203                 state->spnego->state_position = SPNEGO_DONE;
1204                 break;
1205         default:
1206                 break;
1207         }
1208 }
1209
1210 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1211                                         const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1212                                         DATA_BLOB *full_in);
1213 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1214                                          TALLOC_CTX *out_mem_ctx,
1215                                          DATA_BLOB *_out);
1216
1217 static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
1218                                                     struct tevent_context *ev,
1219                                                     struct gensec_security *gensec_security,
1220                                                     const DATA_BLOB in)
1221 {
1222         struct spnego_state *spnego_state =
1223                 talloc_get_type_abort(gensec_security->private_data,
1224                 struct spnego_state);
1225         struct tevent_req *req = NULL;
1226         struct gensec_spnego_update_state *state = NULL;
1227         NTSTATUS status;
1228         ssize_t len;
1229
1230         req = tevent_req_create(mem_ctx, &state,
1231                                 struct gensec_spnego_update_state);
1232         if (req == NULL) {
1233                 return NULL;
1234         }
1235         state->gensec = gensec_security;
1236         state->spnego = spnego_state;
1237         tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
1238
1239         if (spnego_state->out_frag.length > 0) {
1240                 if (in.length > 0) {
1241                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1242                         return tevent_req_post(req, ev);
1243                 }
1244
1245                 status = gensec_spnego_update_out(gensec_security,
1246                                                   state, &state->out);
1247                 if (GENSEC_UPDATE_IS_NTERROR(status)) {
1248                         tevent_req_nterror(req, status);
1249                         return tevent_req_post(req, ev);
1250                 }
1251
1252                 state->status = status;
1253                 tevent_req_done(req);
1254                 return tevent_req_post(req, ev);
1255         }
1256
1257         status = gensec_spnego_update_in(gensec_security, in,
1258                                          state, &state->full_in);
1259         state->status = status;
1260         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1261                 tevent_req_done(req);
1262                 return tevent_req_post(req, ev);
1263         }
1264         if (tevent_req_nterror(req, status)) {
1265                 return tevent_req_post(req, ev);
1266         }
1267
1268         /* Check if we got a valid SPNEGO blob... */
1269
1270         switch (spnego_state->state_position) {
1271         case SPNEGO_FALLBACK:
1272                 break;
1273
1274         case SPNEGO_CLIENT_TARG:
1275         case SPNEGO_SERVER_TARG:
1276                 if (state->full_in.length == 0) {
1277                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1278                         return tevent_req_post(req, ev);
1279                 }
1280
1281                 /* fall through */
1282         case SPNEGO_CLIENT_START:
1283         case SPNEGO_SERVER_START:
1284
1285                 if (state->full_in.length == 0) {
1286                         /* create_negTokenInit later */
1287                         break;
1288                 }
1289
1290                 len = spnego_read_data(state,
1291                                        state->full_in,
1292                                        &state->_spnego_in);
1293                 if (len == -1) {
1294                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
1295                                 DEBUG(1, ("Invalid SPNEGO request:\n"));
1296                                 dump_data(1, state->full_in.data,
1297                                           state->full_in.length);
1298                                 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1299                                 return tevent_req_post(req, ev);
1300                         }
1301
1302                         /*
1303                          * This is the 'fallback' case, where we don't get
1304                          * SPNEGO, and have to try all the other options (and
1305                          * hope they all have a magic string they check)
1306                          */
1307                         status = gensec_spnego_server_try_fallback(gensec_security,
1308                                                                    spnego_state,
1309                                                                    state,
1310                                                                    state->full_in);
1311                         if (tevent_req_nterror(req, status)) {
1312                                 return tevent_req_post(req, ev);
1313                         }
1314
1315                         /*
1316                          * We'll continue with SPNEGO_FALLBACK below...
1317                          */
1318                         break;
1319                 }
1320                 state->spnego_in = &state->_spnego_in;
1321
1322                 /* OK, so it's real SPNEGO, check the packet's the one we expect */
1323                 if (state->spnego_in->type != spnego_state->expected_packet) {
1324                         DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
1325                                   state->spnego_in->type,
1326                                   spnego_state->expected_packet));
1327                         dump_data(1, state->full_in.data,
1328                                   state->full_in.length);
1329                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1330                         return tevent_req_post(req, ev);
1331                 }
1332
1333                 break;
1334
1335         default:
1336                 smb_panic(__location__);
1337                 return NULL;
1338         }
1339
1340         /* and switch into the state machine */
1341
1342         switch (spnego_state->state_position) {
1343         case SPNEGO_FALLBACK:
1344                 status = gensec_update_ev(spnego_state->sub_sec_security,
1345                                           state, ev,
1346                                           state->full_in,
1347                                           &spnego_state->out_frag);
1348                 break;
1349
1350         case SPNEGO_CLIENT_START:
1351                 if (state->spnego_in == NULL) {
1352                         /* client to produce negTokenInit */
1353                         status = gensec_spnego_create_negTokenInit(gensec_security,
1354                                                         spnego_state, state, ev,
1355                                                         &spnego_state->out_frag);
1356                         break;
1357                 }
1358
1359                 /* fall through */
1360         case SPNEGO_CLIENT_TARG:
1361                 status = gensec_spnego_update_client(gensec_security,
1362                                                      state, ev,
1363                                                      state->spnego_in,
1364                                                      &spnego_state->out_frag);
1365                 break;
1366
1367         case SPNEGO_SERVER_START:
1368                 if (state->spnego_in == NULL) {
1369                         /* server to produce negTokenInit */
1370                         status = gensec_spnego_create_negTokenInit(gensec_security,
1371                                                         spnego_state, state, ev,
1372                                                         &spnego_state->out_frag);
1373                         break;
1374                 }
1375
1376                 /* fall through */
1377         case SPNEGO_SERVER_TARG:
1378                 status = gensec_spnego_update_server(gensec_security,
1379                                                      state, ev,
1380                                                      state->spnego_in,
1381                                                      &spnego_state->out_frag);
1382                 break;
1383
1384         default:
1385                 smb_panic(__location__);
1386                 return NULL;
1387         }
1388
1389         if (GENSEC_UPDATE_IS_NTERROR(status)) {
1390                 tevent_req_nterror(req, status);
1391                 return tevent_req_post(req, ev);
1392         }
1393
1394         if (NT_STATUS_IS_OK(status)) {
1395                 bool reset_full = true;
1396
1397                 reset_full = !spnego_state->done_mic_check;
1398
1399                 status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
1400                                                  reset_full);
1401                 if (tevent_req_nterror(req, status)) {
1402                         return tevent_req_post(req, ev);
1403                 }
1404         }
1405
1406         spnego_state->out_status = status;
1407
1408         status = gensec_spnego_update_out(gensec_security,
1409                                           state, &state->out);
1410         if (GENSEC_UPDATE_IS_NTERROR(status)) {
1411                 tevent_req_nterror(req, status);
1412                 return tevent_req_post(req, ev);
1413         }
1414
1415         state->status = status;
1416         tevent_req_done(req);
1417         return tevent_req_post(req, ev);
1418 }
1419
1420 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1421                                         const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1422                                         DATA_BLOB *full_in)
1423 {
1424         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1425         size_t expected;
1426         bool ok;
1427
1428         *full_in = data_blob_null;
1429
1430         switch (spnego_state->state_position) {
1431         case SPNEGO_FALLBACK:
1432                 *full_in = in;
1433                 spnego_state->in_needed = 0;
1434                 return NT_STATUS_OK;
1435
1436         case SPNEGO_CLIENT_START:
1437         case SPNEGO_CLIENT_TARG:
1438         case SPNEGO_SERVER_START:
1439         case SPNEGO_SERVER_TARG:
1440                 break;
1441
1442         case SPNEGO_DONE:
1443         default:
1444                 return NT_STATUS_INVALID_PARAMETER;
1445         }
1446
1447         if (spnego_state->in_needed == 0) {
1448                 size_t size = 0;
1449                 int ret;
1450
1451                 /*
1452                  * try to work out the size of the full
1453                  * input token, it might be fragmented
1454                  */
1455                 ret = asn1_peek_full_tag(in,  ASN1_APPLICATION(0), &size);
1456                 if ((ret != 0) && (ret != EAGAIN)) {
1457                         ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
1458                 }
1459
1460                 if ((ret == 0) || (ret == EAGAIN)) {
1461                         spnego_state->in_needed = size;
1462                 } else {
1463                         /*
1464                          * If it is not an asn1 message
1465                          * just call the next layer.
1466                          */
1467                         spnego_state->in_needed = in.length;
1468                 }
1469         }
1470
1471         if (spnego_state->in_needed > UINT16_MAX) {
1472                 /*
1473                  * limit the incoming message to 0xFFFF
1474                  * to avoid DoS attacks.
1475                  */
1476                 return NT_STATUS_INVALID_BUFFER_SIZE;
1477         }
1478
1479         if ((spnego_state->in_needed > 0) && (in.length == 0)) {
1480                 /*
1481                  * If we reach this, we know we got at least
1482                  * part of an asn1 message, getting 0 means
1483                  * the remote peer wants us to spin.
1484                  */
1485                 return NT_STATUS_INVALID_PARAMETER;
1486         }
1487
1488         expected = spnego_state->in_needed - spnego_state->in_frag.length;
1489         if (in.length > expected) {
1490                 /*
1491                  * we got more than expected
1492                  */
1493                 return NT_STATUS_INVALID_PARAMETER;
1494         }
1495
1496         if (in.length == spnego_state->in_needed) {
1497                 /*
1498                  * if the in.length contains the full blob
1499                  * we are done.
1500                  *
1501                  * Note: this implies spnego_state->in_frag.length == 0,
1502                  *       but we do not need to check this explicitly
1503                  *       because we already know that we did not get
1504                  *       more than expected.
1505                  */
1506                 *full_in = in;
1507                 spnego_state->in_needed = 0;
1508                 return NT_STATUS_OK;
1509         }
1510
1511         ok = data_blob_append(spnego_state, &spnego_state->in_frag,
1512                               in.data, in.length);
1513         if (!ok) {
1514                 return NT_STATUS_NO_MEMORY;
1515         }
1516
1517         if (spnego_state->in_needed > spnego_state->in_frag.length) {
1518                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1519         }
1520
1521         *full_in = spnego_state->in_frag;
1522         talloc_steal(mem_ctx, full_in->data);
1523         spnego_state->in_frag = data_blob_null;
1524         spnego_state->in_needed = 0;
1525         return NT_STATUS_OK;
1526 }
1527
1528 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1529                                          TALLOC_CTX *out_mem_ctx,
1530                                          DATA_BLOB *_out)
1531 {
1532         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1533         DATA_BLOB out = data_blob_null;
1534         bool ok;
1535
1536         *_out = data_blob_null;
1537
1538         if (spnego_state->out_frag.length <= spnego_state->out_max_length) {
1539                 /*
1540                  * Fast path, we can deliver everything
1541                  */
1542
1543                 *_out = spnego_state->out_frag;
1544                 if (spnego_state->out_frag.length > 0) {
1545                         talloc_steal(out_mem_ctx, _out->data);
1546                         spnego_state->out_frag = data_blob_null;
1547                 }
1548
1549                 if (!NT_STATUS_IS_OK(spnego_state->out_status)) {
1550                         return spnego_state->out_status;
1551                 }
1552
1553                 /*
1554                  * We're completely done, further updates are not allowed.
1555                  */
1556                 spnego_state->state_position = SPNEGO_DONE;
1557                 return gensec_child_ready(gensec_security,
1558                                           spnego_state->sub_sec_security);
1559         }
1560
1561         out = spnego_state->out_frag;
1562
1563         /*
1564          * copy the remaining bytes
1565          */
1566         spnego_state->out_frag = data_blob_talloc(spnego_state,
1567                                         out.data + spnego_state->out_max_length,
1568                                         out.length - spnego_state->out_max_length);
1569         if (spnego_state->out_frag.data == NULL) {
1570                 return NT_STATUS_NO_MEMORY;
1571         }
1572
1573         /*
1574          * truncate the buffer
1575          */
1576         ok = data_blob_realloc(spnego_state, &out,
1577                                spnego_state->out_max_length);
1578         if (!ok) {
1579                 return NT_STATUS_NO_MEMORY;
1580         }
1581
1582         talloc_steal(out_mem_ctx, out.data);
1583         *_out = out;
1584         return NT_STATUS_MORE_PROCESSING_REQUIRED;
1585 }
1586
1587 static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req,
1588                                           TALLOC_CTX *out_mem_ctx,
1589                                           DATA_BLOB *out)
1590 {
1591         struct gensec_spnego_update_state *state =
1592                 tevent_req_data(req,
1593                 struct gensec_spnego_update_state);
1594         NTSTATUS status;
1595
1596         *out = data_blob_null;
1597
1598         if (tevent_req_is_nterror(req, &status)) {
1599                 tevent_req_received(req);
1600                 return status;
1601         }
1602
1603         *out = state->out;
1604         talloc_steal(out_mem_ctx, state->out.data);
1605         status = state->status;
1606         tevent_req_received(req);
1607         return status;
1608 }
1609
1610 static const char *gensec_spnego_oids[] = {
1611         GENSEC_OID_SPNEGO,
1612         NULL
1613 };
1614
1615 static const struct gensec_security_ops gensec_spnego_security_ops = {
1616         .name             = "spnego",
1617         .sasl_name        = "GSS-SPNEGO",
1618         .auth_type        = DCERPC_AUTH_TYPE_SPNEGO,
1619         .oid              = gensec_spnego_oids,
1620         .client_start     = gensec_spnego_client_start,
1621         .server_start     = gensec_spnego_server_start,
1622         .update_send      = gensec_spnego_update_send,
1623         .update_recv      = gensec_spnego_update_recv,
1624         .seal_packet      = gensec_child_seal_packet,
1625         .sign_packet      = gensec_child_sign_packet,
1626         .sig_size         = gensec_child_sig_size,
1627         .max_wrapped_size = gensec_child_max_wrapped_size,
1628         .max_input_size   = gensec_child_max_input_size,
1629         .check_packet     = gensec_child_check_packet,
1630         .unseal_packet    = gensec_child_unseal_packet,
1631         .wrap             = gensec_child_wrap,
1632         .unwrap           = gensec_child_unwrap,
1633         .session_key      = gensec_child_session_key,
1634         .session_info     = gensec_child_session_info,
1635         .want_feature     = gensec_child_want_feature,
1636         .have_feature     = gensec_child_have_feature,
1637         .expire_time      = gensec_child_expire_time,
1638         .final_auth_type  = gensec_child_final_auth_type,
1639         .enabled          = true,
1640         .priority         = GENSEC_SPNEGO
1641 };
1642
1643 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)
1644 {
1645         NTSTATUS ret;
1646         ret = gensec_register(ctx, &gensec_spnego_security_ops);
1647         if (!NT_STATUS_IS_OK(ret)) {
1648                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1649                         gensec_spnego_security_ops.name));
1650                 return ret;
1651         }
1652
1653         return ret;
1654 }