auth/gensec/spnego.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    RFC2478 Compliant SPNEGO implementation
   5
   6    Copyright (C) Jim McDonough <jmcd@us.ibm.com>      2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Stefan Metzmacher <metze@samba.org>  2004-2008
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 #include "includes.h"
  26 #include <tevent.h>
  27 #include "lib/util/tevent_ntstatus.h"
  28 #include "../libcli/auth/spnego.h"
  29 #include "librpc/gen_ndr/ndr_dcerpc.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "auth/gensec/gensec.h"
  32 #include "auth/gensec/gensec_internal.h"
  33 #include "param/param.h"
  34 #include "lib/util/asn1.h"
  35 #include "lib/util/base64.h"
  36
  37 #undef strcasecmp
  38
  39 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
  40
  41 enum spnego_state_position {
  42         SPNEGO_SERVER_START,
  43         SPNEGO_CLIENT_START,
  44         SPNEGO_SERVER_TARG,
  45         SPNEGO_CLIENT_TARG,
  46         SPNEGO_FALLBACK,
  47         SPNEGO_DONE
  48 };
  49
  50 struct spnego_state {
  51         enum spnego_message_type expected_packet;
  52         enum spnego_state_position state_position;
  53         struct gensec_security *sub_sec_security;
  54         bool sub_sec_ready;
  55
  56         const char *neg_oid;
  57
  58         DATA_BLOB mech_types;
  59         size_t num_targs;
  60         bool downgraded;
  61         bool mic_requested;
  62         bool needs_mic_sign;
  63         bool needs_mic_check;
  64         bool may_skip_mic_check;
  65         bool done_mic_check;
  66
  67         bool simulate_w2k;
  68
  69         /*
  70          * The following is used to implement
  71          * the update token fragmentation
  72          */
  73         size_t in_needed;
  74         DATA_BLOB in_frag;
  75         size_t out_max_length;
  76         DATA_BLOB out_frag;
  77         NTSTATUS out_status;
  78 };
  79
  80 static void gensec_spnego_update_sub_abort(struct spnego_state *spnego_state)
  81 {
  82         spnego_state->sub_sec_ready = false;
  83         TALLOC_FREE(spnego_state->sub_sec_security);
  84 }
  85
  86 static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
  87 {
  88         struct spnego_state *spnego_state;
  89
  90         spnego_state = talloc_zero(gensec_security, struct spnego_state);
  91         if (!spnego_state) {
  92                 return NT_STATUS_NO_MEMORY;
  93         }
  94
  95         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
  96         spnego_state->state_position = SPNEGO_CLIENT_START;
  97         spnego_state->sub_sec_security = NULL;
  98         spnego_state->sub_sec_ready = false;
  99         spnego_state->mech_types = data_blob_null;
 100         spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 101         spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 102
 103         spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 104                                                 "spnego", "simulate_w2k", false);
 105
 106         gensec_security->private_data = spnego_state;
 107         return NT_STATUS_OK;
 108 }
 109
 110 static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
 111 {
 112         struct spnego_state *spnego_state;
 113
 114         spnego_state = talloc_zero(gensec_security, struct spnego_state);
 115         if (!spnego_state) {
 116                 return NT_STATUS_NO_MEMORY;
 117         }
 118
 119         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 120         spnego_state->state_position = SPNEGO_SERVER_START;
 121         spnego_state->sub_sec_security = NULL;
 122         spnego_state->sub_sec_ready = false;
 123         spnego_state->mech_types = data_blob_null;
 124         spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 125         spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 126
 127         spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 128                                                 "spnego", "simulate_w2k", false);
 129
 130         gensec_security->private_data = spnego_state;
 131         return NT_STATUS_OK;
 132 }
 133
 134 /** Fallback to another GENSEC mechanism, based on magic strings
 135  *
 136  * This is the 'fallback' case, where we don't get SPNEGO, and have to
 137  * try all the other options (and hope they all have a magic string
 138  * they check)
 139 */
 140
 141 static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
 142                                                   struct spnego_state *spnego_state,
 143                                                   TALLOC_CTX *mem_ctx,
 144                                                   const DATA_BLOB in)
 145 {
 146         int i,j;
 147         const struct gensec_security_ops **all_ops;
 148
 149         all_ops = gensec_security_mechs(gensec_security, mem_ctx);
 150
 151         for (i=0; all_ops && all_ops[i]; i++) {
 152                 bool is_spnego;
 153                 NTSTATUS nt_status;
 154
 155                 if (gensec_security != NULL &&
 156                     !gensec_security_ops_enabled(all_ops[i], gensec_security))
 157                 {
 158                         continue;
 159                 }
 160
 161                 if (!all_ops[i]->oid) {
 162                         continue;
 163                 }
 164
 165                 is_spnego = false;
 166                 for (j=0; all_ops[i]->oid[j]; j++) {
 167                         if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
 168                                 is_spnego = true;
 169                         }
 170                 }
 171                 if (is_spnego) {
 172                         continue;
 173                 }
 174
 175                 if (!all_ops[i]->magic) {
 176                         continue;
 177                 }
 178
 179                 nt_status = all_ops[i]->magic(gensec_security, &in);
 180                 if (!NT_STATUS_IS_OK(nt_status)) {
 181                         continue;
 182                 }
 183
 184                 spnego_state->state_position = SPNEGO_FALLBACK;
 185
 186                 nt_status = gensec_subcontext_start(spnego_state,
 187                                                     gensec_security,
 188                                                     &spnego_state->sub_sec_security);
 189
 190                 if (!NT_STATUS_IS_OK(nt_status)) {
 191                         return nt_status;
 192                 }
 193                 /* select the sub context */
 194                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 195                                                      all_ops[i]);
 196                 if (!NT_STATUS_IS_OK(nt_status)) {
 197                         return nt_status;
 198                 }
 199
 200                 return NT_STATUS_OK;
 201         }
 202         DEBUG(1, ("Failed to parse SPNEGO request\n"));
 203         return NT_STATUS_INVALID_PARAMETER;
 204 }
 205
 206 /*
 207    Parse the netTokenInit, either from the client, to the server, or
 208    from the server to the client.
 209 */
 210
 211 static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security,
 212                                                  struct spnego_state *spnego_state,
 213                                                  TALLOC_CTX *out_mem_ctx,
 214                                                  struct tevent_context *ev,
 215                                                  struct spnego_data *spnego_in,
 216                                                  DATA_BLOB *unwrapped_out)
 217 {
 218         int i;
 219         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 220         const char * const *mechType = NULL;
 221         DATA_BLOB unwrapped_in = data_blob_null;
 222         bool ok;
 223         const struct gensec_security_ops_wrapper *all_sec = NULL;
 224
 225         if (spnego_in->type != SPNEGO_NEG_TOKEN_INIT) {
 226                 return NT_STATUS_INTERNAL_ERROR;
 227         }
 228
 229         mechType = spnego_in->negTokenInit.mechTypes;
 230         unwrapped_in = spnego_in->negTokenInit.mechToken;
 231
 232         all_sec = gensec_security_by_oid_list(gensec_security,
 233                                               out_mem_ctx,
 234                                               mechType,
 235                                               GENSEC_OID_SPNEGO);
 236
 237         ok = spnego_write_mech_types(spnego_state,
 238                                      mechType,
 239                                      &spnego_state->mech_types);
 240         if (!ok) {
 241                 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 242                 return NT_STATUS_NO_MEMORY;
 243         }
 244
 245         if (spnego_state->state_position == SPNEGO_SERVER_START) {
 246                 uint32_t j;
 247                 for (j=0; mechType && mechType[j]; j++) {
 248                         for (i=0; all_sec && all_sec[i].op; i++) {
 249                                 if (strcmp(mechType[j], all_sec[i].oid) != 0) {
 250                                         continue;
 251                                 }
 252
 253                                 nt_status = gensec_subcontext_start(spnego_state,
 254                                                                     gensec_security,
 255                                                                     &spnego_state->sub_sec_security);
 256                                 if (!NT_STATUS_IS_OK(nt_status)) {
 257                                         return nt_status;
 258                                 }
 259                                 /* select the sub context */
 260                                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 261                                                                      all_sec[i].op);
 262                                 if (!NT_STATUS_IS_OK(nt_status)) {
 263                                         /*
 264                                          * Pretend we never started it
 265                                          */
 266                                         gensec_spnego_update_sub_abort(spnego_state);
 267                                         break;
 268                                 }
 269
 270                                 if (j > 0) {
 271                                         /* no optimistic token */
 272                                         spnego_state->neg_oid = all_sec[i].oid;
 273                                         *unwrapped_out = data_blob_null;
 274                                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 275                                         /*
 276                                          * Indicate the downgrade and request a
 277                                          * mic.
 278                                          */
 279                                         spnego_state->downgraded = true;
 280                                         spnego_state->mic_requested = true;
 281                                         break;
 282                                 }
 283
 284                                 nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 285                                                           out_mem_ctx,
 286                                                           ev,
 287                                                           unwrapped_in,
 288                                                           unwrapped_out);
 289                                 if (NT_STATUS_IS_OK(nt_status)) {
 290                                         spnego_state->sub_sec_ready = true;
 291                                 }
 292                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 293                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 294
 295                                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
 296                                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 297
 298                                         /*
 299                                          * Pretend we never started it
 300                                          */
 301                                         gensec_spnego_update_sub_abort(spnego_state);
 302                                         break;
 303                                 }
 304
 305                                 spnego_state->neg_oid = all_sec[i].oid;
 306                                 break;
 307                         }
 308                         if (spnego_state->sub_sec_security) {
 309                                 break;
 310                         }
 311                 }
 312
 313                 if (!spnego_state->sub_sec_security) {
 314                         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 315                         return NT_STATUS_INVALID_PARAMETER;
 316                 }
 317         }
 318
 319         /* Having tried any optimistic token from the client (if we
 320          * were the server), if we didn't get anywhere, walk our list
 321          * in our preference order */
 322         unwrapped_in = data_blob_null;
 323
 324         if (!spnego_state->sub_sec_security) {
 325                 for (i=0; all_sec && all_sec[i].op; i++) {
 326                         nt_status = gensec_subcontext_start(spnego_state,
 327                                                             gensec_security,
 328                                                             &spnego_state->sub_sec_security);
 329                         if (!NT_STATUS_IS_OK(nt_status)) {
 330                                 return nt_status;
 331                         }
 332                         /* select the sub context */
 333                         nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 334                                                              all_sec[i].op);
 335                         if (!NT_STATUS_IS_OK(nt_status)) {
 336                                 /*
 337                                  * Pretend we never started it.
 338                                  */
 339                                 gensec_spnego_update_sub_abort(spnego_state);
 340                                 continue;
 341                         }
 342
 343                         spnego_state->neg_oid = all_sec[i].oid;
 344
 345                         /* only get the helping start blob for the first OID */
 346                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 347                                                   out_mem_ctx,
 348                                                   ev,
 349                                                   unwrapped_in,
 350                                                   unwrapped_out);
 351                         if (NT_STATUS_IS_OK(nt_status)) {
 352                                 spnego_state->sub_sec_ready = true;
 353                         }
 354
 355                         /* it is likely that a NULL input token will
 356                          * not be liked by most server mechs, but if
 357                          * we are in the client, we want the first
 358                          * update packet to be able to abort the use
 359                          * of this mech */
 360                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
 361                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 362                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
 363                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 364                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 365                                         const char *next = NULL;
 366                                         const char *principal = NULL;
 367                                         int dbg_level = DBGLVL_WARNING;
 368
 369                                         if (all_sec[i+1].op != NULL) {
 370                                                 next = all_sec[i+1].op->name;
 371                                                 dbg_level = DBGLVL_NOTICE;
 372                                         }
 373
 374                                         if (gensec_security->target.principal != NULL) {
 375                                                 principal = gensec_security->target.principal;
 376                                         } else if (gensec_security->target.service != NULL &&
 377                                                    gensec_security->target.hostname != NULL)
 378                                         {
 379                                                 principal = talloc_asprintf(spnego_state->sub_sec_security,
 380                                                                             "%s/%s",
 381                                                                             gensec_security->target.service,
 382                                                                             gensec_security->target.hostname);
 383                                         } else {
 384                                                 principal = gensec_security->target.hostname;
 385                                         }
 386
 387                                         DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
 388                                                           spnego_state->sub_sec_security->ops->name,
 389                                                           principal,
 390                                                           next, nt_errstr(nt_status)));
 391
 392                                         /*
 393                                          * Pretend we never started it.
 394                                          */
 395                                         gensec_spnego_update_sub_abort(spnego_state);
 396                                         continue;
 397                                 }
 398                         }
 399
 400                         break;
 401                 }
 402         }
 403
 404         if (spnego_state->sub_sec_security) {
 405                 /* it is likely that a NULL input token will
 406                  * not be liked by most server mechs, but this
 407                  * does the right thing in the CIFS client.
 408                  * just push us along the merry-go-round
 409                  * again, and hope for better luck next
 410                  * time */
 411
 412                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
 413                         *unwrapped_out = data_blob_null;
 414                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 415                 }
 416
 417                 if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 418                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
 419                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 420
 421                         /* We started the mech correctly, and the
 422                          * input from the other side was valid.
 423                          * Return the error (say bad password, invalid
 424                          * ticket) */
 425                         gensec_spnego_update_sub_abort(spnego_state);
 426                         return nt_status;
 427                 }
 428
 429                 return nt_status; /* OK or MORE PROCESSING */
 430         }
 431
 432         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 433         /* we could re-negotiate here, but it would only work
 434          * if the client or server lied about what it could
 435          * support the first time.  Lets keep this code to
 436          * reality */
 437
 438         return nt_status;
 439 }
 440
 441 /** create a negTokenInit
 442  *
 443  * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
 444 */
 445 static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security,
 446                                                   struct spnego_state *spnego_state,
 447                                                   TALLOC_CTX *out_mem_ctx,
 448                                                   struct tevent_context *ev,
 449                                                   DATA_BLOB *out)
 450 {
 451         int i;
 452         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 453         const char **mechTypes = NULL;
 454         DATA_BLOB unwrapped_out = data_blob_null;
 455         const struct gensec_security_ops_wrapper *all_sec;
 456
 457         mechTypes = gensec_security_oids(gensec_security,
 458                                          out_mem_ctx, GENSEC_OID_SPNEGO);
 459
 460         all_sec = gensec_security_by_oid_list(gensec_security,
 461                                               out_mem_ctx,
 462                                               mechTypes,
 463                                               GENSEC_OID_SPNEGO);
 464         for (i=0; all_sec && all_sec[i].op; i++) {
 465                 struct spnego_data spnego_out;
 466                 const char **send_mech_types;
 467                 bool ok;
 468
 469                 nt_status = gensec_subcontext_start(spnego_state,
 470                                                     gensec_security,
 471                                                     &spnego_state->sub_sec_security);
 472                 if (!NT_STATUS_IS_OK(nt_status)) {
 473                         return nt_status;
 474                 }
 475                 /* select the sub context */
 476                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 477                                                      all_sec[i].op);
 478                 if (!NT_STATUS_IS_OK(nt_status)) {
 479                         gensec_spnego_update_sub_abort(spnego_state);
 480                         continue;
 481                 }
 482
 483                 /* In the client, try and produce the first (optimistic) packet */
 484                 if (spnego_state->state_position == SPNEGO_CLIENT_START) {
 485                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 486                                                   out_mem_ctx,
 487                                                   ev,
 488                                                   data_blob_null,
 489                                                   &unwrapped_out);
 490                         if (NT_STATUS_IS_OK(nt_status)) {
 491                                 spnego_state->sub_sec_ready = true;
 492                         }
 493
 494                         if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 495                                 const char *next = NULL;
 496                                 const char *principal = NULL;
 497                                 int dbg_level = DBGLVL_WARNING;
 498
 499                                 if (all_sec[i+1].op != NULL) {
 500                                         next = all_sec[i+1].op->name;
 501                                         dbg_level = DBGLVL_NOTICE;
 502                                 }
 503
 504                                 if (gensec_security->target.principal != NULL) {
 505                                         principal = gensec_security->target.principal;
 506                                 } else if (gensec_security->target.service != NULL &&
 507                                            gensec_security->target.hostname != NULL)
 508                                 {
 509                                         principal = talloc_asprintf(spnego_state->sub_sec_security,
 510                                                                     "%s/%s",
 511                                                                     gensec_security->target.service,
 512                                                                     gensec_security->target.hostname);
 513                                 } else {
 514                                         principal = gensec_security->target.hostname;
 515                                 }
 516
 517                                 DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
 518                                           spnego_state->sub_sec_security->ops->name,
 519                                           principal,
 520                                           next, nt_errstr(nt_status)));
 521
 522                                 /*
 523                                  * Pretend we never started it
 524                                  */
 525                                 gensec_spnego_update_sub_abort(spnego_state);
 526                                 continue;
 527                         }
 528                 }
 529
 530                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 531
 532                 send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
 533                                                                         &all_sec[i]);
 534
 535                 ok = spnego_write_mech_types(spnego_state,
 536                                              send_mech_types,
 537                                              &spnego_state->mech_types);
 538                 if (!ok) {
 539                         DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 540                         return NT_STATUS_NO_MEMORY;
 541                 }
 542
 543                 /* List the remaining mechs as options */
 544                 spnego_out.negTokenInit.mechTypes = send_mech_types;
 545                 spnego_out.negTokenInit.reqFlags = data_blob_null;
 546                 spnego_out.negTokenInit.reqFlagsPadding = 0;
 547
 548                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 549                         spnego_out.negTokenInit.mechListMIC
 550                                 = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
 551                 } else {
 552                         spnego_out.negTokenInit.mechListMIC = data_blob_null;
 553                 }
 554
 555                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 556
 557                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 558                         DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
 559                                 return NT_STATUS_INVALID_PARAMETER;
 560                 }
 561
 562                 /* set next state */
 563                 spnego_state->neg_oid = all_sec[i].oid;
 564
 565                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 566                         spnego_state->state_position = SPNEGO_SERVER_START;
 567                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 568                 } else {
 569                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 570                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 571                 }
 572
 573                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 574         }
 575         gensec_spnego_update_sub_abort(spnego_state);
 576
 577         DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 578         return nt_status;
 579 }
 580
 581 static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security,
 582                                                   struct spnego_state *spnego_state,
 583                                                   struct tevent_context *ev,
 584                                                   struct spnego_data *spnego_in,
 585                                                   TALLOC_CTX *out_mem_ctx,
 586                                                   DATA_BLOB *out)
 587 {
 588         DATA_BLOB sub_out = data_blob_null;
 589         const char *tp = NULL;
 590         struct spnego_data spnego_out;
 591         const char *my_mechs[] = {NULL, NULL};
 592         NTSTATUS status;
 593         bool ok;
 594
 595         *out = data_blob_null;
 596
 597         /* The server offers a list of mechanisms */
 598
 599         tp = spnego_in->negTokenInit.targetPrincipal;
 600         if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
 601                 DBG_INFO("Server claims it's principal name is %s\n", tp);
 602                 if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
 603                         gensec_set_target_principal(gensec_security, tp);
 604                 }
 605         }
 606
 607         status = gensec_spnego_parse_negTokenInit(gensec_security,
 608                                                   spnego_state,
 609                                                   out_mem_ctx,
 610                                                   ev,
 611                                                   spnego_in,
 612                                                   &sub_out);
 613         if (GENSEC_UPDATE_IS_NTERROR(status)) {
 614                 return status;
 615         }
 616
 617         my_mechs[0] = spnego_state->neg_oid;
 618         /* compose reply */
 619         spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 620         spnego_out.negTokenInit.mechTypes = my_mechs;
 621         spnego_out.negTokenInit.reqFlags = data_blob_null;
 622         spnego_out.negTokenInit.reqFlagsPadding = 0;
 623         spnego_out.negTokenInit.mechListMIC = data_blob_null;
 624         spnego_out.negTokenInit.mechToken = sub_out;
 625
 626         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 627                 DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
 628                 return NT_STATUS_INVALID_PARAMETER;
 629         }
 630
 631         ok = spnego_write_mech_types(spnego_state,
 632                                      my_mechs,
 633                                      &spnego_state->mech_types);
 634         if (!ok) {
 635                 DBG_ERR("failed to write mechTypes\n");
 636                 return NT_STATUS_NO_MEMORY;
 637         }
 638
 639         /* set next state */
 640         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 641         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 642
 643         return NT_STATUS_MORE_PROCESSING_REQUIRED;
 644 }
 645
 646 /** create a server negTokenTarg
 647  *
 648  * This is the case, where the client is the first one who sends data
 649 */
 650
 651 static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
 652                                               TALLOC_CTX *out_mem_ctx,
 653                                               NTSTATUS nt_status,
 654                                               const DATA_BLOB unwrapped_out,
 655                                               DATA_BLOB mech_list_mic,
 656                                               DATA_BLOB *out)
 657 {
 658         struct spnego_data spnego_out;
 659
 660         /* compose reply */
 661         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 662         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 663         spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
 664         spnego_out.negTokenTarg.supportedMech = NULL;
 665
 666         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 667                 spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 668                 if (spnego_state->mic_requested) {
 669                         spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
 670                         spnego_state->mic_requested = false;
 671                 } else {
 672                         spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
 673                 }
 674                 spnego_state->state_position = SPNEGO_SERVER_TARG;
 675         } else if (NT_STATUS_IS_OK(nt_status)) {
 676                 if (unwrapped_out.data) {
 677                         spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 678                 }
 679                 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
 680                 spnego_state->state_position = SPNEGO_DONE;
 681         } else {
 682                 spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
 683                 spnego_out.negTokenTarg.mechListMIC = data_blob_null;
 684                 DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
 685                 spnego_state->state_position = SPNEGO_DONE;
 686         }
 687
 688         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 689                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 690                 return NT_STATUS_INVALID_PARAMETER;
 691         }
 692
 693         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 694         spnego_state->num_targs++;
 695
 696         return nt_status;
 697 }
 698
 699 static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
 700                                             TALLOC_CTX *out_mem_ctx,
 701                                             struct tevent_context *ev,
 702                                             struct spnego_data *spnego_in,
 703                                             DATA_BLOB *out)
 704 {
 705         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
 706         DATA_BLOB mech_list_mic = data_blob_null;
 707         DATA_BLOB unwrapped_out = data_blob_null;
 708         struct spnego_data spnego_out;
 709
 710         *out = data_blob_null;
 711
 712         /* and switch into the state machine */
 713
 714         switch (spnego_state->state_position) {
 715         case SPNEGO_CLIENT_START:
 716                 return gensec_spnego_client_negTokenInit(gensec_security,
 717                                                          spnego_state,
 718                                                          ev, spnego_in,
 719                                                          out_mem_ctx, out);
 720
 721         case SPNEGO_CLIENT_TARG:
 722         {
 723                 NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
 724                 const struct spnego_negTokenTarg *ta =
 725                         &spnego_in->negTokenTarg;
 726
 727                 spnego_state->num_targs++;
 728
 729                 if (ta->negResult == SPNEGO_REJECT) {
 730                         return NT_STATUS_LOGON_FAILURE;
 731                 }
 732
 733                 if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
 734                         spnego_state->mic_requested = true;
 735                 }
 736
 737                 /* Server didn't like our choice of mech, and chose something else */
 738                 if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
 739                      (ta->negResult == SPNEGO_REQUEST_MIC)) &&
 740                     ta->supportedMech != NULL&&
 741                     strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) {
 742                         DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 743                                  gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 744                                  gensec_get_name_by_oid(gensec_security, ta->supportedMech)));
 745                         spnego_state->downgraded = true;
 746                         gensec_spnego_update_sub_abort(spnego_state);
 747                         nt_status = gensec_subcontext_start(spnego_state,
 748                                                             gensec_security,
 749                                                             &spnego_state->sub_sec_security);
 750                         if (!NT_STATUS_IS_OK(nt_status)) {
 751                                 return nt_status;
 752                         }
 753                         /* select the sub context */
 754                         nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
 755                                                              ta->supportedMech);
 756                         if (!NT_STATUS_IS_OK(nt_status)) {
 757                                 return nt_status;
 758                         }
 759
 760                         spnego_state->neg_oid = talloc_strdup(spnego_state,
 761                                                 ta->supportedMech);
 762                         if (spnego_state->neg_oid == NULL) {
 763                                 return NT_STATUS_NO_MEMORY;
 764                         };
 765                 }
 766
 767                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 768                         DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
 769                         const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
 770
 771                         /*
 772                          * Windows 2000 has a bug, it repeats the
 773                          * responseToken in the mechListMIC field.
 774                          */
 775                         if (m->length == r->length) {
 776                                 int cmp;
 777
 778                                 cmp = memcmp(m->data, r->data, m->length);
 779                                 if (cmp == 0) {
 780                                         data_blob_free(m);
 781                                 }
 782                         }
 783                 }
 784
 785                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 786                         if (spnego_state->sub_sec_ready) {
 787                                 spnego_state->needs_mic_check = true;
 788                         }
 789                 }
 790
 791                 if (spnego_state->needs_mic_check) {
 792                         if (spnego_in->negTokenTarg.responseToken.length != 0) {
 793                                 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
 794                                 return NT_STATUS_INVALID_PARAMETER;
 795                         }
 796
 797                         if (spnego_in->negTokenTarg.mechListMIC.length == 0
 798                             && spnego_state->may_skip_mic_check) {
 799                                 /*
 800                                  * In this case we don't require
 801                                  * a mechListMIC from the server.
 802                                  *
 803                                  * This works around bugs in the Azure
 804                                  * and Apple spnego implementations.
 805                                  *
 806                                  * See
 807                                  * https://bugzilla.samba.org/show_bug.cgi?id=11994
 808                                  */
 809                                 spnego_state->needs_mic_check = false;
 810                                 nt_status = NT_STATUS_OK;
 811                                 goto client_response;
 812                         }
 813
 814                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 815                                                         spnego_state->mech_types.data,
 816                                                         spnego_state->mech_types.length,
 817                                                         spnego_state->mech_types.data,
 818                                                         spnego_state->mech_types.length,
 819                                                         &spnego_in->negTokenTarg.mechListMIC);
 820                         if (!NT_STATUS_IS_OK(nt_status)) {
 821                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
 822                                         nt_errstr(nt_status)));
 823                                 return nt_status;
 824                         }
 825                         spnego_state->needs_mic_check = false;
 826                         spnego_state->done_mic_check = true;
 827                         goto client_response;
 828                 }
 829
 830                 if (!spnego_state->sub_sec_ready) {
 831                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 832                                                   out_mem_ctx, ev,
 833                                                   spnego_in->negTokenTarg.responseToken,
 834                                                   &unwrapped_out);
 835                         if (NT_STATUS_IS_OK(nt_status)) {
 836                                 spnego_state->sub_sec_ready = true;
 837                         }
 838                         if (!NT_STATUS_IS_OK(nt_status)) {
 839                                 goto client_response;
 840                         }
 841                 } else {
 842                         nt_status = NT_STATUS_OK;
 843                 }
 844
 845                 if (!spnego_state->done_mic_check) {
 846                         bool have_sign = true;
 847                         bool new_spnego = false;
 848
 849                         have_sign = gensec_have_feature(spnego_state->sub_sec_security,
 850                                                         GENSEC_FEATURE_SIGN);
 851                         if (spnego_state->simulate_w2k) {
 852                                 have_sign = false;
 853                         }
 854                         new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 855                                                          GENSEC_FEATURE_NEW_SPNEGO);
 856
 857                         switch (spnego_in->negTokenTarg.negResult) {
 858                         case SPNEGO_ACCEPT_COMPLETED:
 859                         case SPNEGO_NONE_RESULT:
 860                                 if (spnego_state->num_targs == 1) {
 861                                         /*
 862                                          * the first exchange doesn't require
 863                                          * verification
 864                                          */
 865                                         new_spnego = false;
 866                                 }
 867
 868                                 break;
 869
 870                         case SPNEGO_ACCEPT_INCOMPLETE:
 871                                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 872                                         new_spnego = true;
 873                                         break;
 874                                 }
 875
 876                                 if (spnego_state->downgraded) {
 877                                         /*
 878                                          * A downgrade should be protected if
 879                                          * supported
 880                                          */
 881                                         break;
 882                                 }
 883
 884                                 /*
 885                                  * The caller may just asked for
 886                                  * GENSEC_FEATURE_SESSION_KEY, this
 887                                  * is only reflected in the want_features.
 888                                  *
 889                                  * As it will imply
 890                                  * gensec_have_features(GENSEC_FEATURE_SIGN)
 891                                  * to return true.
 892                                  */
 893                                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 894                                         break;
 895                                 }
 896                                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 897                                         break;
 898                                 }
 899                                 /*
 900                                  * Here we're sure our preferred mech was
 901                                  * selected by the server and our caller doesn't
 902                                  * need GENSEC_FEATURE_SIGN nor
 903                                  * GENSEC_FEATURE_SEAL support.
 904                                  *
 905                                  * In this case we don't require
 906                                  * a mechListMIC from the server.
 907                                  *
 908                                  * This works around bugs in the Azure
 909                                  * and Apple spnego implementations.
 910                                  *
 911                                  * See
 912                                  * https://bugzilla.samba.org/show_bug.cgi?id=11994
 913                                  */
 914                                 spnego_state->may_skip_mic_check = true;
 915                                 break;
 916
 917                         case SPNEGO_REQUEST_MIC:
 918                                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 919                                         new_spnego = true;
 920                                 }
 921                                 break;
 922                         default:
 923                                 break;
 924                         }
 925
 926                         if (spnego_state->mic_requested) {
 927                                 if (have_sign) {
 928                                         new_spnego = true;
 929                                 }
 930                         }
 931
 932                         if (have_sign && new_spnego) {
 933                                 spnego_state->needs_mic_check = true;
 934                                 spnego_state->needs_mic_sign = true;
 935                         }
 936                 }
 937
 938                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 939                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 940                                                         spnego_state->mech_types.data,
 941                                                         spnego_state->mech_types.length,
 942                                                         spnego_state->mech_types.data,
 943                                                         spnego_state->mech_types.length,
 944                                                         &spnego_in->negTokenTarg.mechListMIC);
 945                         if (!NT_STATUS_IS_OK(nt_status)) {
 946                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
 947                                         nt_errstr(nt_status)));
 948                                 return nt_status;
 949                         }
 950                         spnego_state->needs_mic_check = false;
 951                         spnego_state->done_mic_check = true;
 952                 }
 953
 954                 if (spnego_state->needs_mic_sign) {
 955                         nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
 956                                                        out_mem_ctx,
 957                                                        spnego_state->mech_types.data,
 958                                                        spnego_state->mech_types.length,
 959                                                        spnego_state->mech_types.data,
 960                                                        spnego_state->mech_types.length,
 961                                                        &mech_list_mic);
 962                         if (!NT_STATUS_IS_OK(nt_status)) {
 963                                 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
 964                                         nt_errstr(nt_status)));
 965                                 return nt_status;
 966                         }
 967                         spnego_state->needs_mic_sign = false;
 968                 }
 969
 970                 if (spnego_state->needs_mic_check) {
 971                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 972                 }
 973
 974  client_response:
 975                 if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 976                         DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
 977                                   spnego_state->sub_sec_security->ops->name,
 978                                   nt_errstr(nt_status)));
 979                         return nt_status;
 980                 }
 981
 982                 if (unwrapped_out.length || mech_list_mic.length) {
 983                         /* compose reply */
 984                         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 985                         spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
 986                         spnego_out.negTokenTarg.supportedMech = NULL;
 987                         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 988                         spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
 989
 990                         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 991                                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 992                                 return NT_STATUS_INVALID_PARAMETER;
 993                         }
 994
 995                         spnego_state->num_targs++;
 996                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 997                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 998                 } else {
 999
1000                         /* all done - server has accepted, and we agree */
1001                         *out = data_blob_null;
1002
1003                         if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
1004                                 /* unless of course it did not accept */
1005                                 DEBUG(1,("gensec_update ok but not accepted\n"));
1006                                 nt_status = NT_STATUS_INVALID_PARAMETER;
1007                         }
1008
1009                         spnego_state->state_position = SPNEGO_DONE;
1010                 }
1011
1012                 return nt_status;
1013         }
1014
1015         default:
1016                 break;
1017         }
1018
1019         smb_panic(__location__);
1020         return NT_STATUS_INTERNAL_ERROR;
1021 }
1022
1023 static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
1024                                             TALLOC_CTX *out_mem_ctx,
1025                                             struct tevent_context *ev,
1026                                             struct spnego_data *spnego_in,
1027                                             DATA_BLOB *out)
1028 {
1029         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1030         DATA_BLOB mech_list_mic = data_blob_null;
1031         DATA_BLOB unwrapped_out = data_blob_null;
1032
1033         /* and switch into the state machine */
1034
1035         switch (spnego_state->state_position) {
1036         case SPNEGO_SERVER_START:
1037         {
1038                 NTSTATUS nt_status;
1039
1040                 nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
1041                                                              spnego_state,
1042                                                              out_mem_ctx,
1043                                                              ev,
1044                                                              spnego_in,
1045                                                              &unwrapped_out);
1046
1047                 if (spnego_state->simulate_w2k) {
1048                         /*
1049                          * Windows 2000 returns the unwrapped token
1050                          * also in the mech_list_mic field.
1051                          *
1052                          * In order to verify our client code,
1053                          * we need a way to have a server with this
1054                          * broken behaviour
1055                          */
1056                         mech_list_mic = unwrapped_out;
1057                 }
1058
1059                 nt_status = gensec_spnego_server_response(spnego_state,
1060                                                           out_mem_ctx,
1061                                                           nt_status,
1062                                                           unwrapped_out,
1063                                                           mech_list_mic,
1064                                                           out);
1065
1066                 return nt_status;
1067         }
1068
1069         case SPNEGO_SERVER_TARG:
1070         {
1071                 NTSTATUS nt_status;
1072                 bool have_sign = true;
1073                 bool new_spnego = false;
1074
1075                 spnego_state->num_targs++;
1076
1077                 if (!spnego_state->sub_sec_security) {
1078                         DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
1079                         return NT_STATUS_INVALID_PARAMETER;
1080                 }
1081
1082                 if (spnego_state->needs_mic_check) {
1083                         if (spnego_in->negTokenTarg.responseToken.length != 0) {
1084                                 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
1085                                 return NT_STATUS_INVALID_PARAMETER;
1086                         }
1087
1088                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1089                                                         spnego_state->mech_types.data,
1090                                                         spnego_state->mech_types.length,
1091                                                         spnego_state->mech_types.data,
1092                                                         spnego_state->mech_types.length,
1093                                                         &spnego_in->negTokenTarg.mechListMIC);
1094                         if (NT_STATUS_IS_OK(nt_status)) {
1095                                 spnego_state->needs_mic_check = false;
1096                                 spnego_state->done_mic_check = true;
1097                         } else {
1098                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1099                                         nt_errstr(nt_status)));
1100                         }
1101                         goto server_response;
1102                 }
1103
1104                 if (!spnego_state->sub_sec_ready) {
1105                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
1106                                                      out_mem_ctx, ev,
1107                                                      spnego_in->negTokenTarg.responseToken,
1108                                                      &unwrapped_out);
1109                         if (NT_STATUS_IS_OK(nt_status)) {
1110                                 spnego_state->sub_sec_ready = true;
1111                         }
1112                         if (!NT_STATUS_IS_OK(nt_status)) {
1113                                 goto server_response;
1114                         }
1115                 } else {
1116                         nt_status = NT_STATUS_OK;
1117                 }
1118
1119                 have_sign = gensec_have_feature(spnego_state->sub_sec_security,
1120                                                 GENSEC_FEATURE_SIGN);
1121                 if (spnego_state->simulate_w2k) {
1122                         have_sign = false;
1123                 }
1124                 new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
1125                                                  GENSEC_FEATURE_NEW_SPNEGO);
1126                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
1127                         new_spnego = true;
1128                 }
1129
1130                 if (have_sign && new_spnego) {
1131                         spnego_state->needs_mic_check = true;
1132                         spnego_state->needs_mic_sign = true;
1133                 }
1134
1135                 if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
1136                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1137                                                         spnego_state->mech_types.data,
1138                                                         spnego_state->mech_types.length,
1139                                                         spnego_state->mech_types.data,
1140                                                         spnego_state->mech_types.length,
1141                                                         &spnego_in->negTokenTarg.mechListMIC);
1142                         if (!NT_STATUS_IS_OK(nt_status)) {
1143                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1144                                         nt_errstr(nt_status)));
1145                                 goto server_response;
1146                         }
1147
1148                         spnego_state->needs_mic_check = false;
1149                         spnego_state->done_mic_check = true;
1150                 }
1151
1152                 if (spnego_state->needs_mic_sign) {
1153                         nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
1154                                                        out_mem_ctx,
1155                                                        spnego_state->mech_types.data,
1156                                                        spnego_state->mech_types.length,
1157                                                        spnego_state->mech_types.data,
1158                                                        spnego_state->mech_types.length,
1159                                                        &mech_list_mic);
1160                         if (!NT_STATUS_IS_OK(nt_status)) {
1161                                 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
1162                                         nt_errstr(nt_status)));
1163                                 goto server_response;
1164                         }
1165                         spnego_state->needs_mic_sign = false;
1166                 }
1167
1168                 if (spnego_state->needs_mic_check) {
1169                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1170                 }
1171
1172  server_response:
1173                 nt_status = gensec_spnego_server_response(spnego_state,
1174                                                           out_mem_ctx,
1175                                                           nt_status,
1176                                                           unwrapped_out,
1177                                                           mech_list_mic,
1178                                                           out);
1179
1180                 return nt_status;
1181         }
1182
1183         default:
1184                 break;
1185         }
1186
1187         smb_panic(__location__);
1188         return NT_STATUS_INTERNAL_ERROR;
1189 }
1190
1191 struct gensec_spnego_update_state {
1192         struct gensec_security *gensec;
1193         struct spnego_state *spnego;
1194         DATA_BLOB full_in;
1195         struct spnego_data _spnego_in;
1196         struct spnego_data *spnego_in;
1197         NTSTATUS status;
1198         DATA_BLOB out;
1199 };
1200
1201 static void gensec_spnego_update_cleanup(struct tevent_req *req,
1202                                          enum tevent_req_state req_state)
1203 {
1204         struct gensec_spnego_update_state *state =
1205                 tevent_req_data(req,
1206                 struct gensec_spnego_update_state);
1207
1208         switch (req_state) {
1209         case TEVENT_REQ_USER_ERROR:
1210         case TEVENT_REQ_TIMED_OUT:
1211         case TEVENT_REQ_NO_MEMORY:
1212                 /*
1213                  * A fatal error, further updates are not allowed.
1214                  */
1215                 state->spnego->state_position = SPNEGO_DONE;
1216                 break;
1217         default:
1218                 break;
1219         }
1220 }
1221
1222 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1223                                         const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1224                                         DATA_BLOB *full_in);
1225 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1226                                          TALLOC_CTX *out_mem_ctx,
1227                                          DATA_BLOB *_out);
1228
1229 static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
1230                                                     struct tevent_context *ev,
1231                                                     struct gensec_security *gensec_security,
1232                                                     const DATA_BLOB in)
1233 {
1234         struct spnego_state *spnego_state =
1235                 talloc_get_type_abort(gensec_security->private_data,
1236                 struct spnego_state);
1237         struct tevent_req *req = NULL;
1238         struct gensec_spnego_update_state *state = NULL;
1239         NTSTATUS status;
1240         ssize_t len;
1241
1242         req = tevent_req_create(mem_ctx, &state,
1243                                 struct gensec_spnego_update_state);
1244         if (req == NULL) {
1245                 return NULL;
1246         }
1247         state->gensec = gensec_security;
1248         state->spnego = spnego_state;
1249         tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
1250
1251         if (spnego_state->out_frag.length > 0) {
1252                 if (in.length > 0) {
1253                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1254                         return tevent_req_post(req, ev);
1255                 }
1256
1257                 status = gensec_spnego_update_out(gensec_security,
1258                                                   state, &state->out);
1259                 if (GENSEC_UPDATE_IS_NTERROR(status)) {
1260                         tevent_req_nterror(req, status);
1261                         return tevent_req_post(req, ev);
1262                 }
1263
1264                 state->status = status;
1265                 tevent_req_done(req);
1266                 return tevent_req_post(req, ev);
1267         }
1268
1269         status = gensec_spnego_update_in(gensec_security, in,
1270                                          state, &state->full_in);
1271         state->status = status;
1272         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1273                 tevent_req_done(req);
1274                 return tevent_req_post(req, ev);
1275         }
1276         if (tevent_req_nterror(req, status)) {
1277                 return tevent_req_post(req, ev);
1278         }
1279
1280         /* Check if we got a valid SPNEGO blob... */
1281
1282         switch (spnego_state->state_position) {
1283         case SPNEGO_FALLBACK:
1284                 break;
1285
1286         case SPNEGO_CLIENT_TARG:
1287         case SPNEGO_SERVER_TARG:
1288                 if (state->full_in.length == 0) {
1289                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1290                         return tevent_req_post(req, ev);
1291                 }
1292
1293                 /* fall through */
1294         case SPNEGO_CLIENT_START:
1295         case SPNEGO_SERVER_START:
1296
1297                 if (state->full_in.length == 0) {
1298                         /* create_negTokenInit later */
1299                         break;
1300                 }
1301
1302                 len = spnego_read_data(state,
1303                                        state->full_in,
1304                                        &state->_spnego_in);
1305                 if (len == -1) {
1306                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
1307                                 DEBUG(1, ("Invalid SPNEGO request:\n"));
1308                                 dump_data(1, state->full_in.data,
1309                                           state->full_in.length);
1310                                 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1311                                 return tevent_req_post(req, ev);
1312                         }
1313
1314                         /*
1315                          * This is the 'fallback' case, where we don't get
1316                          * SPNEGO, and have to try all the other options (and
1317                          * hope they all have a magic string they check)
1318                          */
1319                         status = gensec_spnego_server_try_fallback(gensec_security,
1320                                                                    spnego_state,
1321                                                                    state,
1322                                                                    state->full_in);
1323                         if (tevent_req_nterror(req, status)) {
1324                                 return tevent_req_post(req, ev);
1325                         }
1326
1327                         /*
1328                          * We'll continue with SPNEGO_FALLBACK below...
1329                          */
1330                         break;
1331                 }
1332                 state->spnego_in = &state->_spnego_in;
1333
1334                 /* OK, so it's real SPNEGO, check the packet's the one we expect */
1335                 if (state->spnego_in->type != spnego_state->expected_packet) {
1336                         DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
1337                                   state->spnego_in->type,
1338                                   spnego_state->expected_packet));
1339                         dump_data(1, state->full_in.data,
1340                                   state->full_in.length);
1341                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1342                         return tevent_req_post(req, ev);
1343                 }
1344
1345                 break;
1346
1347         default:
1348                 smb_panic(__location__);
1349                 return NULL;
1350         }
1351
1352         /* and switch into the state machine */
1353
1354         switch (spnego_state->state_position) {
1355         case SPNEGO_FALLBACK:
1356                 status = gensec_update_ev(spnego_state->sub_sec_security,
1357                                           state, ev,
1358                                           state->full_in,
1359                                           &spnego_state->out_frag);
1360                 break;
1361
1362         case SPNEGO_CLIENT_START:
1363                 if (state->spnego_in == NULL) {
1364                         /* client to produce negTokenInit */
1365                         status = gensec_spnego_create_negTokenInit(gensec_security,
1366                                                         spnego_state, state, ev,
1367                                                         &spnego_state->out_frag);
1368                         break;
1369                 }
1370
1371                 /* fall through */
1372         case SPNEGO_CLIENT_TARG:
1373                 status = gensec_spnego_update_client(gensec_security,
1374                                                      state, ev,
1375                                                      state->spnego_in,
1376                                                      &spnego_state->out_frag);
1377                 break;
1378
1379         case SPNEGO_SERVER_START:
1380                 if (state->spnego_in == NULL) {
1381                         /* server to produce negTokenInit */
1382                         status = gensec_spnego_create_negTokenInit(gensec_security,
1383                                                         spnego_state, state, ev,
1384                                                         &spnego_state->out_frag);
1385                         break;
1386                 }
1387
1388                 /* fall through */
1389         case SPNEGO_SERVER_TARG:
1390                 status = gensec_spnego_update_server(gensec_security,
1391                                                      state, ev,
1392                                                      state->spnego_in,
1393                                                      &spnego_state->out_frag);
1394                 break;
1395
1396         default:
1397                 smb_panic(__location__);
1398                 return NULL;
1399         }
1400
1401         if (GENSEC_UPDATE_IS_NTERROR(status)) {
1402                 tevent_req_nterror(req, status);
1403                 return tevent_req_post(req, ev);
1404         }
1405
1406         if (NT_STATUS_IS_OK(status)) {
1407                 bool reset_full = true;
1408
1409                 reset_full = !spnego_state->done_mic_check;
1410
1411                 status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
1412                                                  reset_full);
1413                 if (tevent_req_nterror(req, status)) {
1414                         return tevent_req_post(req, ev);
1415                 }
1416         }
1417
1418         spnego_state->out_status = status;
1419
1420         status = gensec_spnego_update_out(gensec_security,
1421                                           state, &state->out);
1422         if (GENSEC_UPDATE_IS_NTERROR(status)) {
1423                 tevent_req_nterror(req, status);
1424                 return tevent_req_post(req, ev);
1425         }
1426
1427         state->status = status;
1428         tevent_req_done(req);
1429         return tevent_req_post(req, ev);
1430 }
1431
1432 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1433                                         const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1434                                         DATA_BLOB *full_in)
1435 {
1436         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1437         size_t expected;
1438         bool ok;
1439
1440         *full_in = data_blob_null;
1441
1442         switch (spnego_state->state_position) {
1443         case SPNEGO_FALLBACK:
1444                 *full_in = in;
1445                 spnego_state->in_needed = 0;
1446                 return NT_STATUS_OK;
1447
1448         case SPNEGO_CLIENT_START:
1449         case SPNEGO_CLIENT_TARG:
1450         case SPNEGO_SERVER_START:
1451         case SPNEGO_SERVER_TARG:
1452                 break;
1453
1454         case SPNEGO_DONE:
1455         default:
1456                 return NT_STATUS_INVALID_PARAMETER;
1457         }
1458
1459         if (spnego_state->in_needed == 0) {
1460                 size_t size = 0;
1461                 int ret;
1462
1463                 /*
1464                  * try to work out the size of the full
1465                  * input token, it might be fragmented
1466                  */
1467                 ret = asn1_peek_full_tag(in,  ASN1_APPLICATION(0), &size);
1468                 if ((ret != 0) && (ret != EAGAIN)) {
1469                         ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
1470                 }
1471
1472                 if ((ret == 0) || (ret == EAGAIN)) {
1473                         spnego_state->in_needed = size;
1474                 } else {
1475                         /*
1476                          * If it is not an asn1 message
1477                          * just call the next layer.
1478                          */
1479                         spnego_state->in_needed = in.length;
1480                 }
1481         }
1482
1483         if (spnego_state->in_needed > UINT16_MAX) {
1484                 /*
1485                  * limit the incoming message to 0xFFFF
1486                  * to avoid DoS attacks.
1487                  */
1488                 return NT_STATUS_INVALID_BUFFER_SIZE;
1489         }
1490
1491         if ((spnego_state->in_needed > 0) && (in.length == 0)) {
1492                 /*
1493                  * If we reach this, we know we got at least
1494                  * part of an asn1 message, getting 0 means
1495                  * the remote peer wants us to spin.
1496                  */
1497                 return NT_STATUS_INVALID_PARAMETER;
1498         }
1499
1500         expected = spnego_state->in_needed - spnego_state->in_frag.length;
1501         if (in.length > expected) {
1502                 /*
1503                  * we got more than expected
1504                  */
1505                 return NT_STATUS_INVALID_PARAMETER;
1506         }
1507
1508         if (in.length == spnego_state->in_needed) {
1509                 /*
1510                  * if the in.length contains the full blob
1511                  * we are done.
1512                  *
1513                  * Note: this implies spnego_state->in_frag.length == 0,
1514                  *       but we do not need to check this explicitly
1515                  *       because we already know that we did not get
1516                  *       more than expected.
1517                  */
1518                 *full_in = in;
1519                 spnego_state->in_needed = 0;
1520                 return NT_STATUS_OK;
1521         }
1522
1523         ok = data_blob_append(spnego_state, &spnego_state->in_frag,
1524                               in.data, in.length);
1525         if (!ok) {
1526                 return NT_STATUS_NO_MEMORY;
1527         }
1528
1529         if (spnego_state->in_needed > spnego_state->in_frag.length) {
1530                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1531         }
1532
1533         *full_in = spnego_state->in_frag;
1534         talloc_steal(mem_ctx, full_in->data);
1535         spnego_state->in_frag = data_blob_null;
1536         spnego_state->in_needed = 0;
1537         return NT_STATUS_OK;
1538 }
1539
1540 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1541                                          TALLOC_CTX *out_mem_ctx,
1542                                          DATA_BLOB *_out)
1543 {
1544         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1545         DATA_BLOB out = data_blob_null;
1546         bool ok;
1547
1548         *_out = data_blob_null;
1549
1550         if (spnego_state->out_frag.length <= spnego_state->out_max_length) {
1551                 /*
1552                  * Fast path, we can deliver everything
1553                  */
1554
1555                 *_out = spnego_state->out_frag;
1556                 if (spnego_state->out_frag.length > 0) {
1557                         talloc_steal(out_mem_ctx, _out->data);
1558                         spnego_state->out_frag = data_blob_null;
1559                 }
1560
1561                 if (!NT_STATUS_IS_OK(spnego_state->out_status)) {
1562                         return spnego_state->out_status;
1563                 }
1564
1565                 /*
1566                  * We're completely done, further updates are not allowed.
1567                  */
1568                 spnego_state->state_position = SPNEGO_DONE;
1569                 return gensec_child_ready(gensec_security,
1570                                           spnego_state->sub_sec_security);
1571         }
1572
1573         out = spnego_state->out_frag;
1574
1575         /*
1576          * copy the remaining bytes
1577          */
1578         spnego_state->out_frag = data_blob_talloc(spnego_state,
1579                                         out.data + spnego_state->out_max_length,
1580                                         out.length - spnego_state->out_max_length);
1581         if (spnego_state->out_frag.data == NULL) {
1582                 return NT_STATUS_NO_MEMORY;
1583         }
1584
1585         /*
1586          * truncate the buffer
1587          */
1588         ok = data_blob_realloc(spnego_state, &out,
1589                                spnego_state->out_max_length);
1590         if (!ok) {
1591                 return NT_STATUS_NO_MEMORY;
1592         }
1593
1594         talloc_steal(out_mem_ctx, out.data);
1595         *_out = out;
1596         return NT_STATUS_MORE_PROCESSING_REQUIRED;
1597 }
1598
1599 static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req,
1600                                           TALLOC_CTX *out_mem_ctx,
1601                                           DATA_BLOB *out)
1602 {
1603         struct gensec_spnego_update_state *state =
1604                 tevent_req_data(req,
1605                 struct gensec_spnego_update_state);
1606         NTSTATUS status;
1607
1608         *out = data_blob_null;
1609
1610         if (tevent_req_is_nterror(req, &status)) {
1611                 tevent_req_received(req);
1612                 return status;
1613         }
1614
1615         *out = state->out;
1616         talloc_steal(out_mem_ctx, state->out.data);
1617         status = state->status;
1618         tevent_req_received(req);
1619         return status;
1620 }
1621
1622 static const char *gensec_spnego_oids[] = {
1623         GENSEC_OID_SPNEGO,
1624         NULL
1625 };
1626
1627 static const struct gensec_security_ops gensec_spnego_security_ops = {
1628         .name             = "spnego",
1629         .sasl_name        = "GSS-SPNEGO",
1630         .auth_type        = DCERPC_AUTH_TYPE_SPNEGO,
1631         .oid              = gensec_spnego_oids,
1632         .client_start     = gensec_spnego_client_start,
1633         .server_start     = gensec_spnego_server_start,
1634         .update_send      = gensec_spnego_update_send,
1635         .update_recv      = gensec_spnego_update_recv,
1636         .seal_packet      = gensec_child_seal_packet,
1637         .sign_packet      = gensec_child_sign_packet,
1638         .sig_size         = gensec_child_sig_size,
1639         .max_wrapped_size = gensec_child_max_wrapped_size,
1640         .max_input_size   = gensec_child_max_input_size,
1641         .check_packet     = gensec_child_check_packet,
1642         .unseal_packet    = gensec_child_unseal_packet,
1643         .wrap             = gensec_child_wrap,
1644         .unwrap           = gensec_child_unwrap,
1645         .session_key      = gensec_child_session_key,
1646         .session_info     = gensec_child_session_info,
1647         .want_feature     = gensec_child_want_feature,
1648         .have_feature     = gensec_child_have_feature,
1649         .expire_time      = gensec_child_expire_time,
1650         .final_auth_type  = gensec_child_final_auth_type,
1651         .enabled          = true,
1652         .priority         = GENSEC_SPNEGO
1653 };
1654
1655 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)
1656 {
1657         NTSTATUS ret;
1658         ret = gensec_register(ctx, &gensec_spnego_security_ops);
1659         if (!NT_STATUS_IS_OK(ret)) {
1660                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1661                         gensec_spnego_security_ops.name));
1662                 return ret;
1663         }
1664
1665         return ret;
1666 }