source4/auth/gensec/spnego.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    RFC2478 Compliant SPNEGO implementation
   5
   6    Copyright (C) Jim McDonough <jmcd@us.ibm.com>      2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program; if not, write to the Free Software
  22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23 */
  24
  25 #include "includes.h"
  26 #include "auth/auth.h"
  27
  28 enum spnego_state_position {
  29         SPNEGO_SERVER_START,
  30         SPNEGO_CLIENT_START,
  31         SPNEGO_SERVER_TARG,
  32         SPNEGO_CLIENT_TARG,
  33         SPNEGO_FALLBACK,
  34         SPNEGO_DONE
  35 };
  36
  37 struct spnego_state {
  38         enum spnego_message_type expected_packet;
  39         enum spnego_state_position state_position;
  40         struct gensec_security *sub_sec_security;
  41         BOOL no_response_expected;
  42
  43         const char *neg_oid;
  44 };
  45
  46
  47 static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
  48 {
  49         struct spnego_state *spnego_state;
  50
  51         spnego_state = talloc(gensec_security, struct spnego_state);
  52         if (!spnego_state) {
  53                 return NT_STATUS_NO_MEMORY;
  54         }
  55
  56         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
  57         spnego_state->state_position = SPNEGO_CLIENT_START;
  58         spnego_state->sub_sec_security = NULL;
  59         spnego_state->no_response_expected = False;
  60
  61         gensec_security->private_data = spnego_state;
  62         return NT_STATUS_OK;
  63 }
  64
  65 static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
  66 {
  67         struct spnego_state *spnego_state;
  68
  69         spnego_state = talloc(gensec_security, struct spnego_state);
  70         if (!spnego_state) {
  71                 return NT_STATUS_NO_MEMORY;
  72         }
  73
  74         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
  75         spnego_state->state_position = SPNEGO_SERVER_START;
  76         spnego_state->sub_sec_security = NULL;
  77         spnego_state->no_response_expected = False;
  78
  79         gensec_security->private_data = spnego_state;
  80         return NT_STATUS_OK;
  81 }
  82
  83 /*
  84   wrappers for the spnego_*() functions
  85 */
  86 static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_security,
  87                                             TALLOC_CTX *mem_ctx,
  88                                             uint8_t *data, size_t length,
  89                                             const uint8_t *whole_pdu, size_t pdu_length,
  90                                             const DATA_BLOB *sig)
  91 {
  92         struct spnego_state *spnego_state = gensec_security->private_data;
  93
  94         if (spnego_state->state_position != SPNEGO_DONE
  95             && spnego_state->state_position != SPNEGO_FALLBACK) {
  96                 return NT_STATUS_INVALID_PARAMETER;
  97         }
  98
  99         return gensec_unseal_packet(spnego_state->sub_sec_security,
 100                                     mem_ctx,
 101                                     data, length,
 102                                     whole_pdu, pdu_length,
 103                                     sig);
 104 }
 105
 106 static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_security,
 107                                            TALLOC_CTX *mem_ctx,
 108                                            const uint8_t *data, size_t length,
 109                                            const uint8_t *whole_pdu, size_t pdu_length,
 110                                            const DATA_BLOB *sig)
 111 {
 112         struct spnego_state *spnego_state = gensec_security->private_data;
 113
 114         if (spnego_state->state_position != SPNEGO_DONE
 115             && spnego_state->state_position != SPNEGO_FALLBACK) {
 116                 return NT_STATUS_INVALID_PARAMETER;
 117         }
 118
 119         return gensec_check_packet(spnego_state->sub_sec_security,
 120                                    mem_ctx,
 121                                    data, length,
 122                                    whole_pdu, pdu_length,
 123                                    sig);
 124 }
 125
 126 static NTSTATUS gensec_spnego_seal_packet(struct gensec_security *gensec_security,
 127                                           TALLOC_CTX *mem_ctx,
 128                                           uint8_t *data, size_t length,
 129                                           const uint8_t *whole_pdu, size_t pdu_length,
 130                                           DATA_BLOB *sig)
 131 {
 132         struct spnego_state *spnego_state = gensec_security->private_data;
 133
 134         if (spnego_state->state_position != SPNEGO_DONE
 135             && spnego_state->state_position != SPNEGO_FALLBACK) {
 136                 return NT_STATUS_INVALID_PARAMETER;
 137         }
 138
 139         return gensec_seal_packet(spnego_state->sub_sec_security,
 140                                   mem_ctx,
 141                                   data, length,
 142                                   whole_pdu, pdu_length,
 143                                   sig);
 144 }
 145
 146 static NTSTATUS gensec_spnego_sign_packet(struct gensec_security *gensec_security,
 147                                           TALLOC_CTX *mem_ctx,
 148                                           const uint8_t *data, size_t length,
 149                                           const uint8_t *whole_pdu, size_t pdu_length,
 150                                           DATA_BLOB *sig)
 151 {
 152         struct spnego_state *spnego_state = gensec_security->private_data;
 153
 154         if (spnego_state->state_position != SPNEGO_DONE
 155             && spnego_state->state_position != SPNEGO_FALLBACK) {
 156                 return NT_STATUS_INVALID_PARAMETER;
 157         }
 158
 159         return gensec_sign_packet(spnego_state->sub_sec_security,
 160                                   mem_ctx,
 161                                   data, length,
 162                                   whole_pdu, pdu_length,
 163                                   sig);
 164 }
 165
 166 static NTSTATUS gensec_spnego_wrap(struct gensec_security *gensec_security,
 167                                    TALLOC_CTX *mem_ctx,
 168                                    const DATA_BLOB *in,
 169                                    DATA_BLOB *out)
 170 {
 171         struct spnego_state *spnego_state = gensec_security->private_data;
 172
 173         if (spnego_state->state_position != SPNEGO_DONE
 174             && spnego_state->state_position != SPNEGO_FALLBACK) {
 175                 DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
 176                 return NT_STATUS_INVALID_PARAMETER;
 177         }
 178
 179         return gensec_wrap(spnego_state->sub_sec_security,
 180                            mem_ctx, in, out);
 181 }
 182
 183 static NTSTATUS gensec_spnego_unwrap(struct gensec_security *gensec_security,
 184                                      TALLOC_CTX *mem_ctx,
 185                                      const DATA_BLOB *in,
 186                                      DATA_BLOB *out)
 187 {
 188         struct spnego_state *spnego_state = gensec_security->private_data;
 189
 190         if (spnego_state->state_position != SPNEGO_DONE
 191             && spnego_state->state_position != SPNEGO_FALLBACK) {
 192                 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
 193                 return NT_STATUS_INVALID_PARAMETER;
 194         }
 195
 196         return gensec_unwrap(spnego_state->sub_sec_security,
 197                              mem_ctx, in, out);
 198 }
 199
 200 static size_t gensec_spnego_sig_size(struct gensec_security *gensec_security, size_t data_size)
 201 {
 202         struct spnego_state *spnego_state = gensec_security->private_data;
 203
 204         if (spnego_state->state_position != SPNEGO_DONE
 205             && spnego_state->state_position != SPNEGO_FALLBACK) {
 206                 return 0;
 207         }
 208
 209         return gensec_sig_size(spnego_state->sub_sec_security, data_size);
 210 }
 211
 212 static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_security,
 213                                           DATA_BLOB *session_key)
 214 {
 215         struct spnego_state *spnego_state = gensec_security->private_data;
 216         if (!spnego_state->sub_sec_security) {
 217                 return NT_STATUS_INVALID_PARAMETER;
 218         }
 219
 220         return gensec_session_key(spnego_state->sub_sec_security,
 221                                   session_key);
 222 }
 223
 224 static NTSTATUS gensec_spnego_session_info(struct gensec_security *gensec_security,
 225                                                                       struct auth_session_info **session_info)
 226 {
 227         struct spnego_state *spnego_state = gensec_security->private_data;
 228         if (!spnego_state->sub_sec_security) {
 229                 return NT_STATUS_INVALID_PARAMETER;
 230         }
 231
 232         return gensec_session_info(spnego_state->sub_sec_security,
 233                                    session_info);
 234 }
 235
 236 /** Fallback to another GENSEC mechanism, based on magic strings
 237  *
 238  * This is the 'fallback' case, where we don't get SPNEGO, and have to
 239  * try all the other options (and hope they all have a magic string
 240  * they check)
 241 */
 242
 243 static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
 244                                                   struct spnego_state *spnego_state,
 245                                                   TALLOC_CTX *out_mem_ctx,
 246                                                   const DATA_BLOB in, DATA_BLOB *out)
 247 {
 248         int i,j;
 249         struct gensec_security_ops **all_ops
 250                 = gensec_security_mechs(gensec_security, out_mem_ctx);
 251         for (i=0; all_ops[i]; i++) {
 252                 BOOL is_spnego;
 253                 NTSTATUS nt_status;
 254                 if (!all_ops[i]->oid) {
 255                         continue;
 256                 }
 257
 258                 is_spnego = False;
 259                 for (j=0; all_ops[i]->oid[j]; j++) {
 260                         if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
 261                                 is_spnego = True;
 262                         }
 263                 }
 264                 if (is_spnego) {
 265                         continue;
 266                 }
 267
 268                 if (!all_ops[i]->magic) {
 269                         continue;
 270                 }
 271
 272                 nt_status = all_ops[i]->magic(gensec_security, &in);
 273                 if (!NT_STATUS_IS_OK(nt_status)) {
 274                         continue;
 275                 }
 276
 277                 spnego_state->state_position = SPNEGO_FALLBACK;
 278
 279                 nt_status = gensec_subcontext_start(spnego_state,
 280                                                     gensec_security,
 281                                                     &spnego_state->sub_sec_security);
 282
 283                 if (!NT_STATUS_IS_OK(nt_status)) {
 284                         return nt_status;
 285                 }
 286                 /* select the sub context */
 287                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 288                                                      all_ops[i]);
 289                 if (!NT_STATUS_IS_OK(nt_status)) {
 290                         return nt_status;
 291                 }
 292                 nt_status = gensec_update(spnego_state->sub_sec_security,
 293                                           out_mem_ctx, in, out);
 294                 return nt_status;
 295         }
 296         DEBUG(1, ("Failed to parse SPNEGO request\n"));
 297         return NT_STATUS_INVALID_PARAMETER;
 298
 299 }
 300
 301 /*
 302    Parse the netTokenInit, either from the client, to the server, or
 303    from the server to the client.
 304 */
 305
 306 static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security,
 307                                                  struct spnego_state *spnego_state,
 308                                                  TALLOC_CTX *out_mem_ctx,
 309                                                  const char **mechType,
 310                                                  const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
 311 {
 312         int i;
 313         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 314         DATA_BLOB null_data_blob = data_blob(NULL,0);
 315
 316         const struct gensec_security_ops_wrapper *all_sec
 317                 = gensec_security_by_oid_list(gensec_security,
 318                                               out_mem_ctx,
 319                                               mechType,
 320                                               GENSEC_OID_SPNEGO);
 321         if (spnego_state->state_position == SPNEGO_SERVER_START) {
 322                 for (i=0; all_sec && all_sec[i].op; i++) {
 323                         /* optomisitic token */
 324                         if (strcmp(all_sec[i].oid, mechType[0]) == 0) {
 325                                 nt_status = gensec_subcontext_start(spnego_state,
 326                                                                     gensec_security,
 327                                                                     &spnego_state->sub_sec_security);
 328                                 if (!NT_STATUS_IS_OK(nt_status)) {
 329                                         return nt_status;
 330                                 }
 331                                 /* select the sub context */
 332                                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 333                                                                      all_sec[i].op);
 334                                 if (!NT_STATUS_IS_OK(nt_status)) {
 335                                         talloc_free(spnego_state->sub_sec_security);
 336                                         spnego_state->sub_sec_security = NULL;
 337                                         break;
 338                                 }
 339
 340                                 nt_status = gensec_update(spnego_state->sub_sec_security,
 341                                                           out_mem_ctx,
 342                                                           unwrapped_in,
 343                                                           unwrapped_out);
 344                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 345                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 346                                         /* Pretend we never started it (lets the first run find some incompatible demand) */
 347
 348                                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n",
 349                                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 350                                         talloc_free(spnego_state->sub_sec_security);
 351                                         spnego_state->sub_sec_security = NULL;
 352                                         break;
 353                                 }
 354
 355                                 spnego_state->neg_oid = all_sec[i].oid;
 356                                 break;
 357                         }
 358                 }
 359         }
 360
 361         if (!spnego_state->sub_sec_security) {
 362                 for (i=0; all_sec && all_sec[i].op; i++) {
 363                         nt_status = gensec_subcontext_start(spnego_state,
 364                                                             gensec_security,
 365                                                             &spnego_state->sub_sec_security);
 366                         if (!NT_STATUS_IS_OK(nt_status)) {
 367                                 return nt_status;
 368                         }
 369                         /* select the sub context */
 370                         nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 371                                                              all_sec[i].op);
 372                         if (!NT_STATUS_IS_OK(nt_status)) {
 373                                 talloc_free(spnego_state->sub_sec_security);
 374                                 spnego_state->sub_sec_security = NULL;
 375                                 continue;
 376                         }
 377
 378                         spnego_state->neg_oid = all_sec[i].oid;
 379
 380                         /* only get the helping start blob for the first OID */
 381                         nt_status = gensec_update(spnego_state->sub_sec_security,
 382                                                   out_mem_ctx,
 383                                                   null_data_blob,
 384                                                   unwrapped_out);
 385                         break;
 386                 }
 387         }
 388
 389         if (spnego_state->sub_sec_security) {
 390                 /* it is likely that a NULL input token will
 391                  * not be liked by most server mechs, but this
 392                  * does the right thing in the CIFS client.
 393                  * just push us along the merry-go-round
 394                  * again, and hope for better luck next
 395                  * time */
 396
 397                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
 398                         *unwrapped_out = data_blob(NULL, 0);
 399                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 400                 }
 401
 402                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
 403                     && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
 404                     && !NT_STATUS_IS_OK(nt_status)) {
 405                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
 406                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 407                         talloc_free(spnego_state->sub_sec_security);
 408                         spnego_state->sub_sec_security = NULL;
 409
 410                         /* We started the mech correctly, and the
 411                          * input from the other side was valid.
 412                          * Return the error (say bad password, invalid
 413                          * ticket) */
 414                         return nt_status;
 415                 }
 416
 417
 418                 return nt_status; /* OK, INVALID_PARAMETER ore MORE PROCESSING */
 419         }
 420
 421         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 422         /* we could re-negotiate here, but it would only work
 423          * if the client or server lied about what it could
 424          * support the first time.  Lets keep this code to
 425          * reality */
 426
 427         return NT_STATUS_INVALID_PARAMETER;
 428 }
 429
 430 /** create a negTokenInit
 431  *
 432  * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
 433 */
 434 static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security,
 435                                                   struct spnego_state *spnego_state,
 436                                                   TALLOC_CTX *out_mem_ctx,
 437                                                   const DATA_BLOB in, DATA_BLOB *out)
 438 {
 439         int i;
 440         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 441         DATA_BLOB null_data_blob = data_blob(NULL,0);
 442         const char **mechTypes = NULL;
 443         DATA_BLOB unwrapped_out = data_blob(NULL, 0);
 444         const struct gensec_security_ops_wrapper *all_sec;
 445         const char *principal = NULL;
 446
 447         mechTypes = gensec_security_oids(gensec_security,
 448                                          out_mem_ctx, GENSEC_OID_SPNEGO);
 449
 450         all_sec = gensec_security_by_oid_list(gensec_security,
 451                                               out_mem_ctx,
 452                                               mechTypes,
 453                                               GENSEC_OID_SPNEGO);
 454         for (i=0; all_sec && all_sec[i].op; i++) {
 455                 struct spnego_data spnego_out;
 456                 nt_status = gensec_subcontext_start(spnego_state,
 457                                                     gensec_security,
 458                                                     &spnego_state->sub_sec_security);
 459                 if (!NT_STATUS_IS_OK(nt_status)) {
 460                         return nt_status;
 461                 }
 462                 /* select the sub context */
 463                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 464                                                      all_sec[i].op);
 465                 if (!NT_STATUS_IS_OK(nt_status)) {
 466                         talloc_free(spnego_state->sub_sec_security);
 467                         spnego_state->sub_sec_security = NULL;
 468                         continue;
 469                 }
 470
 471                 /* In the client, try and produce the first (optimistic) packet */
 472                 if (spnego_state->state_position == SPNEGO_CLIENT_START) {
 473                         nt_status = gensec_update(spnego_state->sub_sec_security,
 474                                                   out_mem_ctx,
 475                                                   null_data_blob,
 476                                                   &unwrapped_out);
 477
 478                         if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
 479                             && !NT_STATUS_IS_OK(nt_status)) {
 480                                 DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
 481                                           spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 482                                 talloc_free(spnego_state->sub_sec_security);
 483                                 spnego_state->sub_sec_security = NULL;
 484                                 /* Pretend we never started it (lets the first run find some incompatible demand) */
 485
 486                                 continue;
 487                         }
 488                 }
 489
 490                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 491
 492                 /* List the remaining mechs as options */
 493                 spnego_out.negTokenInit.mechTypes = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
 494                                                                                           &all_sec[i]);
 495                 spnego_out.negTokenInit.reqFlags = 0;
 496
 497                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 498                         /* server credentails */
 499                         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
 500                         if (creds) {
 501                                 principal = cli_credentials_get_principal(creds, out_mem_ctx);
 502                         }
 503                 }
 504                 if (principal) {
 505                         spnego_out.negTokenInit.mechListMIC
 506                                 = data_blob_string_const(principal);
 507                 } else {
 508                         spnego_out.negTokenInit.mechListMIC = null_data_blob;
 509                 }
 510
 511                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 512
 513                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 514                         DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
 515                                 return NT_STATUS_INVALID_PARAMETER;
 516                 }
 517
 518                 /* set next state */
 519                 spnego_state->neg_oid = all_sec[i].oid;
 520
 521                 if (NT_STATUS_IS_OK(nt_status)) {
 522                         spnego_state->no_response_expected = True;
 523                 }
 524
 525                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 526         }
 527         talloc_free(spnego_state->sub_sec_security);
 528         spnego_state->sub_sec_security = NULL;
 529
 530         DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 531         return NT_STATUS_INVALID_PARAMETER;
 532 }
 533
 534
 535 /** create a server negTokenTarg
 536  *
 537  * This is the case, where the client is the first one who sends data
 538 */
 539
 540 static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec_security,
 541                                                   struct spnego_state *spnego_state,
 542                                                   TALLOC_CTX *out_mem_ctx,
 543                                                   NTSTATUS nt_status,
 544                                                   const DATA_BLOB unwrapped_out, DATA_BLOB *out)
 545 {
 546         struct spnego_data spnego_out;
 547         DATA_BLOB null_data_blob = data_blob(NULL, 0);
 548
 549         /* compose reply */
 550         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 551         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 552         spnego_out.negTokenTarg.mechListMIC = null_data_blob;
 553         spnego_out.negTokenTarg.supportedMech = NULL;
 554
 555         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 556                 spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 557                 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
 558                 spnego_state->state_position = SPNEGO_SERVER_TARG;
 559         } else if (NT_STATUS_IS_OK(nt_status)) {
 560                 if (unwrapped_out.data) {
 561                         spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 562                 }
 563                 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
 564                 spnego_state->state_position = SPNEGO_DONE;
 565         } else {
 566                 spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
 567                 DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
 568                 spnego_state->state_position = SPNEGO_DONE;
 569         }
 570
 571         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 572                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 573                 return NT_STATUS_INVALID_PARAMETER;
 574         }
 575
 576         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 577
 578         return nt_status;
 579 }
 580
 581
 582 static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 583                                      const DATA_BLOB in, DATA_BLOB *out)
 584 {
 585         struct spnego_state *spnego_state = gensec_security->private_data;
 586         DATA_BLOB null_data_blob = data_blob(NULL, 0);
 587         DATA_BLOB unwrapped_out = data_blob(NULL, 0);
 588         struct spnego_data spnego_out;
 589         struct spnego_data spnego;
 590
 591         ssize_t len;
 592
 593         *out = data_blob(NULL, 0);
 594
 595         if (!out_mem_ctx) {
 596                 out_mem_ctx = spnego_state;
 597         }
 598
 599         /* and switch into the state machine */
 600
 601         switch (spnego_state->state_position) {
 602         case SPNEGO_FALLBACK:
 603                 return gensec_update(spnego_state->sub_sec_security,
 604                                      out_mem_ctx, in, out);
 605         case SPNEGO_SERVER_START:
 606         {
 607                 NTSTATUS nt_status;
 608                 if (in.length) {
 609
 610                         len = spnego_read_data(in, &spnego);
 611                         if (len == -1) {
 612                                 return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
 613                                                                          out_mem_ctx, in, out);
 614                         }
 615                         /* client sent NegTargetInit, we send NegTokenTarg */
 616
 617                         /* OK, so it's real SPNEGO, check the packet's the one we expect */
 618                         if (spnego.type != spnego_state->expected_packet) {
 619                                 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
 620                                           spnego_state->expected_packet));
 621                                 dump_data(1, in.data, in.length);
 622                                 spnego_free_data(&spnego);
 623                                 return NT_STATUS_INVALID_PARAMETER;
 624                         }
 625
 626                         nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
 627                                                                      spnego_state,
 628                                                                      out_mem_ctx,
 629                                                                      spnego.negTokenInit.mechTypes,
 630                                                                      spnego.negTokenInit.mechToken,
 631                                                                      &unwrapped_out);
 632
 633                         nt_status = gensec_spnego_server_negTokenTarg(gensec_security,
 634                                                                       spnego_state,
 635                                                                       out_mem_ctx,
 636                                                                       nt_status,
 637                                                                       unwrapped_out,
 638                                                                       out);
 639
 640                         spnego_free_data(&spnego);
 641
 642                         return nt_status;
 643                 } else {
 644                         nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
 645                                                                       out_mem_ctx, in, out);
 646                         spnego_state->state_position = SPNEGO_SERVER_START;
 647                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 648                         return nt_status;
 649                 }
 650         }
 651
 652         case SPNEGO_CLIENT_START:
 653         {
 654                 /* The server offers a list of mechanisms */
 655
 656                 const char *my_mechs[] = {NULL, NULL};
 657                 NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 658
 659                 if (!in.length) {
 660                         /* client to produce negTokenInit */
 661                         nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
 662                                                                  out_mem_ctx, in, out);
 663                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 664                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 665                         return nt_status;
 666                 }
 667
 668                 len = spnego_read_data(in, &spnego);
 669
 670                 if (len == -1) {
 671                         DEBUG(1, ("Invalid SPNEGO request:\n"));
 672                         dump_data(1, in.data, in.length);
 673                         return NT_STATUS_INVALID_PARAMETER;
 674                 }
 675
 676                 /* OK, so it's real SPNEGO, check the packet's the one we expect */
 677                 if (spnego.type != spnego_state->expected_packet) {
 678                         DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
 679                                   spnego_state->expected_packet));
 680                         dump_data(1, in.data, in.length);
 681                         spnego_free_data(&spnego);
 682                         return NT_STATUS_INVALID_PARAMETER;
 683                 }
 684
 685                 if (spnego.negTokenInit.targetPrincipal) {
 686                         DEBUG(5, ("Server claims it's principal name is %s\n", spnego.negTokenInit.targetPrincipal));
 687                         gensec_set_target_principal(gensec_security, spnego.negTokenInit.targetPrincipal);
 688                 }
 689
 690                 nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
 691                                                              spnego_state,
 692                                                              out_mem_ctx,
 693                                                              spnego.negTokenInit.mechTypes,
 694                                                              spnego.negTokenInit.mechToken,
 695                                                              &unwrapped_out);
 696
 697                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
 698                         spnego_free_data(&spnego);
 699                         return nt_status;
 700                 }
 701
 702                 my_mechs[0] = spnego_state->neg_oid;
 703                 /* compose reply */
 704                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 705                 spnego_out.negTokenInit.mechTypes = my_mechs;
 706                 spnego_out.negTokenInit.reqFlags = 0;
 707                 spnego_out.negTokenInit.mechListMIC = null_data_blob;
 708                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 709
 710                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 711                         DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
 712                                 return NT_STATUS_INVALID_PARAMETER;
 713                 }
 714
 715                 /* set next state */
 716                 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 717                 spnego_state->state_position = SPNEGO_CLIENT_TARG;
 718
 719                 if (NT_STATUS_IS_OK(nt_status)) {
 720                         spnego_state->no_response_expected = True;
 721                 }
 722
 723                 spnego_free_data(&spnego);
 724                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 725         }
 726         case SPNEGO_SERVER_TARG:
 727         {
 728                 NTSTATUS nt_status;
 729                 if (!in.length) {
 730                         return NT_STATUS_INVALID_PARAMETER;
 731                 }
 732
 733                 len = spnego_read_data(in, &spnego);
 734
 735                 if (len == -1) {
 736                         DEBUG(1, ("Invalid SPNEGO request:\n"));
 737                         dump_data(1, in.data, in.length);
 738                         return NT_STATUS_INVALID_PARAMETER;
 739                 }
 740
 741                 /* OK, so it's real SPNEGO, check the packet's the one we expect */
 742                 if (spnego.type != spnego_state->expected_packet) {
 743                         DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
 744                                   spnego_state->expected_packet));
 745                         dump_data(1, in.data, in.length);
 746                         spnego_free_data(&spnego);
 747                         return NT_STATUS_INVALID_PARAMETER;
 748                 }
 749
 750                 if (!spnego_state->sub_sec_security) {
 751                         DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
 752                         spnego_free_data(&spnego);
 753                         return NT_STATUS_INVALID_PARAMETER;
 754                 }
 755
 756                 nt_status = gensec_update(spnego_state->sub_sec_security,
 757                                           out_mem_ctx,
 758                                           spnego.negTokenTarg.responseToken,
 759                                           &unwrapped_out);
 760
 761                 nt_status = gensec_spnego_server_negTokenTarg(gensec_security,
 762                                                               spnego_state,
 763                                                               out_mem_ctx,
 764                                                               nt_status,
 765                                                               unwrapped_out,
 766                                                               out);
 767
 768                 spnego_free_data(&spnego);
 769
 770                 return nt_status;
 771         }
 772         case SPNEGO_CLIENT_TARG:
 773         {
 774                 NTSTATUS nt_status;
 775                 if (!in.length) {
 776                         return NT_STATUS_INVALID_PARAMETER;
 777                 }
 778
 779                 len = spnego_read_data(in, &spnego);
 780
 781                 if (len == -1) {
 782                         DEBUG(1, ("Invalid SPNEGO request:\n"));
 783                         dump_data(1, in.data, in.length);
 784                         return NT_STATUS_INVALID_PARAMETER;
 785                 }
 786
 787                 /* OK, so it's real SPNEGO, check the packet's the one we expect */
 788                 if (spnego.type != spnego_state->expected_packet) {
 789                         DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
 790                                   spnego_state->expected_packet));
 791                         dump_data(1, in.data, in.length);
 792                         spnego_free_data(&spnego);
 793                         return NT_STATUS_INVALID_PARAMETER;
 794                 }
 795
 796                 if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
 797                         spnego_free_data(&spnego);
 798                         return NT_STATUS_ACCESS_DENIED;
 799                 }
 800
 801                 /* Server didn't like our choice of mech, and chose something else */
 802                 if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) &&
 803                     strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
 804                         DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 805                                  gensec_get_name_by_oid(spnego.negTokenTarg.supportedMech),
 806                                  gensec_get_name_by_oid(spnego_state->neg_oid)));
 807
 808                         talloc_free(spnego_state->sub_sec_security);
 809                         nt_status = gensec_subcontext_start(spnego_state,
 810                                                             gensec_security,
 811                                                             &spnego_state->sub_sec_security);
 812                         if (!NT_STATUS_IS_OK(nt_status)) {
 813                                 spnego_free_data(&spnego);
 814                                 return nt_status;
 815                         }
 816                         /* select the sub context */
 817                         nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
 818                                                              spnego.negTokenTarg.supportedMech);
 819                         if (!NT_STATUS_IS_OK(nt_status)) {
 820                                 spnego_free_data(&spnego);
 821                                 return nt_status;
 822                         }
 823
 824                         nt_status = gensec_update(spnego_state->sub_sec_security,
 825                                                   out_mem_ctx,
 826                                                   spnego.negTokenTarg.responseToken,
 827                                                   &unwrapped_out);
 828                         spnego_state->neg_oid = talloc_strdup(spnego_state, spnego.negTokenTarg.supportedMech);
 829                 } else if (spnego_state->no_response_expected) {
 830                         if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
 831                                 DEBUG(3,("GENSEC SPNEGO: client GENSEC accepted, but server rejected (bad password?)\n"));
 832                                 nt_status = NT_STATUS_INVALID_PARAMETER;
 833                         } else if (spnego.negTokenTarg.responseToken.length) {
 834                                 DEBUG(2,("GENSEC SPNEGO: client GENSEC accepted, but server continued negotiation!\n"));
 835                                 nt_status = NT_STATUS_INVALID_PARAMETER;
 836                         } else {
 837                                 nt_status = NT_STATUS_OK;
 838                         }
 839                 } else {
 840                         nt_status = gensec_update(spnego_state->sub_sec_security,
 841                                                   out_mem_ctx,
 842                                                   spnego.negTokenTarg.responseToken,
 843                                                   &unwrapped_out);
 844
 845                         if (NT_STATUS_IS_OK(nt_status)) {
 846                                 spnego_state->no_response_expected = True;
 847                         }
 848                 }
 849
 850                 spnego_free_data(&spnego);
 851
 852                 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
 853                         && !NT_STATUS_IS_OK(nt_status)) {
 854                         DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
 855                                   spnego_state->sub_sec_security->ops->name,
 856                                   nt_errstr(nt_status)));
 857                         return nt_status;
 858                 }
 859
 860                 if (unwrapped_out.length) {
 861                         /* compose reply */
 862                         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 863                         spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
 864                         spnego_out.negTokenTarg.supportedMech = NULL;
 865                         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 866                         spnego_out.negTokenTarg.mechListMIC = null_data_blob;
 867
 868                         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 869                                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 870                                 return NT_STATUS_INVALID_PARAMETER;
 871                         }
 872
 873                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 874                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 875                 } else {
 876
 877                         /* all done - server has accepted, and we agree */
 878                         *out = null_data_blob;
 879
 880                         if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
 881                                 /* unless of course it did not accept */
 882                                 DEBUG(1,("gensec_update ok but not accepted\n"));
 883                                 nt_status = NT_STATUS_INVALID_PARAMETER;
 884                         }
 885
 886                         spnego_state->state_position = SPNEGO_DONE;
 887                 }
 888
 889                 return nt_status;
 890         }
 891         case SPNEGO_DONE:
 892                 /* We should not be called after we are 'done' */
 893                 return NT_STATUS_INVALID_PARAMETER;
 894         }
 895         return NT_STATUS_INVALID_PARAMETER;
 896 }
 897
 898 static BOOL gensec_spnego_have_feature(struct gensec_security *gensec_security,
 899                                        uint32_t feature)
 900 {
 901         struct spnego_state *spnego_state = gensec_security->private_data;
 902         if (!spnego_state->sub_sec_security) {
 903                 return False;
 904         }
 905
 906         return gensec_have_feature(spnego_state->sub_sec_security,
 907                                    feature);
 908 }
 909
 910 static const char *gensec_spnego_oids[] = {
 911         GENSEC_OID_SPNEGO,
 912         NULL
 913 };
 914
 915 static const struct gensec_security_ops gensec_spnego_security_ops = {
 916         .name           = "spnego",
 917         .sasl_name      = "GSS-SPNEGO",
 918         .auth_type      = DCERPC_AUTH_TYPE_SPNEGO,
 919         .oid            = gensec_spnego_oids,
 920         .client_start   = gensec_spnego_client_start,
 921         .server_start   = gensec_spnego_server_start,
 922         .update         = gensec_spnego_update,
 923         .seal_packet    = gensec_spnego_seal_packet,
 924         .sign_packet    = gensec_spnego_sign_packet,
 925         .sig_size       = gensec_spnego_sig_size,
 926         .check_packet   = gensec_spnego_check_packet,
 927         .unseal_packet  = gensec_spnego_unseal_packet,
 928         .wrap           = gensec_spnego_wrap,
 929         .unwrap         = gensec_spnego_unwrap,
 930         .session_key    = gensec_spnego_session_key,
 931         .session_info   = gensec_spnego_session_info,
 932         .have_feature   = gensec_spnego_have_feature,
 933         .enabled        = True,
 934 };
 935
 936 NTSTATUS gensec_spnego_init(void)
 937 {
 938         NTSTATUS ret;
 939         ret = gensec_register(&gensec_spnego_security_ops);
 940         if (!NT_STATUS_IS_OK(ret)) {
 941                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
 942                         gensec_spnego_security_ops.name));
 943                 return ret;
 944         }
 945
 946         return ret;
 947 }