2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_AUTH
/*
 * read_negTokenInit: parse the SPNEGO NegTokenInit body ([0] SEQUENCE of
 * optional context-tagged fields) from an untrusted ASN.1 stream into
 * *token.  Returns True only if no ASN.1 error was flagged.  Only a subset
 * of the function's lines is shown in this listing; the switch/case and
 * pop/end-tag lines between those shown are not visible here.
 */
29 static BOOL read_negTokenInit(ASN1_DATA *asn1, struct spnego_negTokenInit *token)
33 asn1_start_tag(asn1, ASN1_CONTEXT(0));
34 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
/* Loop over the optional fields while bytes remain in the SEQUENCE and no
 * error has been flagged; the peeked byte is the context tag that is
 * dispatched on below.  Nothing visible rejects a field that appears
 * twice, so a repeated [2] or [3] would overwrite the earlier value. */
36 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
39 if (!asn1_peek_uint8(asn1, &context)) {
40 asn1->has_error = True;
/* [0] mechTypes: SEQUENCE OF OID, collected into a NULL-terminated
 * array.  NOTE(review): the malloc() result is used by the loop on the
 * very next line with no NULL check in between; a failed allocation
 * would be handed straight to realloc/asn1_read_OID below. */
47 asn1_start_tag(asn1, ASN1_CONTEXT(0));
48 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
50 token->mechTypes = malloc(sizeof(*token->mechTypes));
51 for (i = 0; !asn1->has_error &&
52 0 < asn1_tag_remaining(asn1); i++) {
/* Grow to i+2 slots so there is always room for the terminating NULL.
 * Line 53 (the assignment target of this realloc) is not shown; if it
 * assigns straight back to token->mechTypes, a failed realloc loses the
 * original pointer -- confirm against the full source. */
54 realloc(token->mechTypes, (i + 2) *
55 sizeof(*token->mechTypes));
/* The asn1_read_OID result is not checked here; presumably it sets
 * asn1->has_error on a bad OID, which is what ends the loop. */
56 asn1_read_OID(asn1, token->mechTypes + i);
/* Terminator written once the loop exits, so spnego_free_data can walk
 * the array even after a parse error stopped the loop early. */
58 token->mechTypes[i] = NULL;
/* [1] reqFlags: SPNEGO_REQ_FLAG is an internal "field was present"
 * marker; write_negTokenInit strips it again before encoding. */
65 asn1_start_tag(asn1, ASN1_CONTEXT(1));
66 asn1_read_Integer(asn1, &token->reqFlags);
67 token->reqFlags |= SPNEGO_REQ_FLAG;
/* [2] mechToken: opaque inner-mechanism token, copied out as a blob. */
72 asn1_start_tag(asn1, ASN1_CONTEXT(2));
73 asn1_read_OctetString(asn1, &token->mechToken);
/* [3] mechListMIC: RFC 2478 says OCTET STRING, but Windows 2000 sends
 * SEQUENCE { [0] GeneralString }; the peeked type byte selects the
 * form, and the W2k string is stored as targetPrincipal. */
80 asn1_start_tag(asn1, ASN1_CONTEXT(3));
81 if (!asn1_peek_uint8(asn1, &type_peek)) {
82 asn1->has_error = True;
85 if (type_peek == ASN1_OCTET_STRING) {
86 asn1_read_OctetString(asn1,
89 /* RFC 2478 says we have an Octet String here,
90 but W2k sends something different... */
/* NOTE(review): every other tag in this reader is entered with
 * asn1_start_tag, yet this branch uses asn1_push_tag -- the writer-side
 * call used by write_negTokenInit.  Looks like it should be
 * asn1_start_tag/asn1_end_tag; verify against the ASN.1 helpers. */
92 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
93 asn1_push_tag(asn1, ASN1_CONTEXT(0));
94 asn1_read_GeneralString(asn1, &mechListMIC);
/* Ownership of the GeneralString moves to token->targetPrincipal; it is
 * released with SAFE_FREE in spnego_free_data. */
98 token->targetPrincipal = mechListMIC;
/* Unknown context tag: flag an error rather than silently skip it. */
104 asn1->has_error = True;
112 return !asn1->has_error;
/*
 * write_negTokenInit: encode *token as a SPNEGO NegTokenInit body
 * ([0] SEQUENCE of optional fields) into asn1.  Fields are emitted only
 * when present: a NULL-terminated mechTypes array with at least one
 * entry, reqFlags carrying SPNEGO_REQ_FLAG, and blobs with non-NULL
 * data.  Returns True unless the ASN.1 writer flagged an error.  The
 * pop-tag lines between those shown are not visible in this listing.
 */
115 static BOOL write_negTokenInit(ASN1_DATA *asn1, struct spnego_negTokenInit *token)
117 asn1_push_tag(asn1, ASN1_CONTEXT(0));
118 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
120 /* Write mechTypes */
/* [0] mechTypes is skipped entirely when the array is NULL or empty;
 * the loop relies on the NULL terminator read_negTokenInit writes. */
121 if (token->mechTypes && *token->mechTypes) {
124 asn1_push_tag(asn1, ASN1_CONTEXT(0));
125 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
126 for (i = 0; token->mechTypes[i]; i++) {
127 asn1_write_OID(asn1, token->mechTypes[i]);
/* [1] reqFlags: SPNEGO_REQ_FLAG is only the internal presence marker
 * set by read_negTokenInit, so it is masked off before encoding. */
134 if (token->reqFlags & SPNEGO_REQ_FLAG) {
135 int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;
137 asn1_push_tag(asn1, ASN1_CONTEXT(1));
138 asn1_write_Integer(asn1, flags);
142 /* write mechToken */
/* [2] mechToken: a NULL data pointer means "absent". */
143 if (token->mechToken.data) {
144 asn1_push_tag(asn1, ASN1_CONTEXT(2));
145 asn1_write_OctetString(asn1, token->mechToken.data,
146 token->mechToken.length);
150 /* write mechListMIC */
/* [3] mechListMIC: both the RFC 2478 OCTET STRING form and the Windows
 * SEQUENCE { [0] GeneralString } form appear below.  Lines 157 and 159
 * are not shown; presumably a preprocessor conditional selects one of
 * the two encodings -- confirm, since emitting both would be malformed. */
151 if (token->mechListMIC.data) {
152 asn1_push_tag(asn1, ASN1_CONTEXT(3));
154 /* This is what RFC 2478 says ... */
155 asn1_write_OctetString(asn1, token->mechListMIC.data,
156 token->mechListMIC.length);
158 /* ... but unfortunately this is what Windows
160 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
161 asn1_push_tag(asn1, ASN1_CONTEXT(0));
162 asn1_push_tag(asn1, ASN1_GENERAL_STRING);
/* Raw asn1_write inside an explicitly pushed GENERAL_STRING tag, since
 * there is no dedicated GeneralString writer used here. */
163 asn1_write(asn1, token->mechListMIC.data,
164 token->mechListMIC.length);
175 return !asn1->has_error;
<br/>
227 static BOOL write_negTokenTarg(ASN1_DATA *asn1, struct spnego_negTokenTarg *token)
229 asn1_push_tag(asn1, ASN1_CONTEXT(1));
230 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
232 if (token->negResult != SPNEGO_NONE_RESULT) {
233 asn1_push_tag(asn1, ASN1_CONTEXT(0));
234 asn1_write_enumerated(asn1, token->negResult);
238 if (token->supportedMech) {
239 asn1_push_tag(asn1, ASN1_CONTEXT(1));
240 asn1_write_OID(asn1, token->supportedMech);
244 if (token->responseToken.data) {
245 asn1_push_tag(asn1, ASN1_CONTEXT(2));
246 asn1_write_OctetString(asn1, token->responseToken.data,
247 token->responseToken.length);
251 if (token->mechListMIC.data) {
252 asn1_push_tag(asn1, ASN1_CONTEXT(3));
253 asn1_write_OctetString(asn1, token->mechListMIC.data,
254 token->mechListMIC.length);
261 return !asn1->has_error;
264 ssize_t spnego_read_data(DATA_BLOB data, struct spnego_data *token)
273 if (data.length == 0) {
277 asn1_load(&asn1, data);
279 if (!asn1_peek_uint8(&asn1, &context)) {
280 asn1.has_error = True;
283 case ASN1_APPLICATION(0):
284 asn1_start_tag(&asn1, ASN1_APPLICATION(0));
285 asn1_check_OID(&asn1, OID_SPNEGO);
286 if (read_negTokenInit(&asn1, &token->negTokenInit)) {
287 token->type = SPNEGO_NEG_TOKEN_INIT;
291 case ASN1_CONTEXT(1):
292 if (read_negTokenTarg(&asn1, &token->negTokenTarg)) {
293 token->type = SPNEGO_NEG_TOKEN_TARG;
297 asn1.has_error = True;
302 if (!asn1.has_error) ret = asn1.ofs;
308 ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego)
315 switch (spnego->type) {
316 case SPNEGO_NEG_TOKEN_INIT:
317 asn1_push_tag(&asn1, ASN1_APPLICATION(0));
318 asn1_write_OID(&asn1, OID_SPNEGO);
319 write_negTokenInit(&asn1, &spnego->negTokenInit);
322 case SPNEGO_NEG_TOKEN_TARG:
323 write_negTokenTarg(&asn1, &spnego->negTokenTarg);
326 asn1.has_error = True;
330 if (!asn1.has_error) {
331 *blob = data_blob_talloc(mem_ctx, asn1.data, asn1.length);
339 BOOL spnego_free_data(struct spnego_data *spnego)
343 if (!spnego) goto out;
345 switch(spnego->type) {
346 case SPNEGO_NEG_TOKEN_INIT:
347 if (spnego->negTokenInit.mechTypes) {
349 for (i = 0; spnego->negTokenInit.mechTypes[i]; i++) {
350 free(spnego->negTokenInit.mechTypes[i]);
352 free(spnego->negTokenInit.mechTypes);
354 data_blob_free(&spnego->negTokenInit.mechToken);
355 data_blob_free(&spnego->negTokenInit.mechListMIC);
356 SAFE_FREE(spnego->negTokenInit.targetPrincipal);
358 case SPNEGO_NEG_TOKEN_TARG:
359 if (spnego->negTokenTarg.supportedMech) {
360 free(spnego->negTokenTarg.supportedMech);
362 data_blob_free(&spnego->negTokenTarg.responseToken);
363 data_blob_free(&spnego->negTokenTarg.mechListMIC);
369 ZERO_STRUCTP(spnego);