auth/gensec/spnego.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    RFC2478 Compliant SPNEGO implementation
   5
   6    Copyright (C) Jim McDonough <jmcd@us.ibm.com>      2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   8    Copyright (C) Stefan Metzmacher <metze@samba.org>  2004-2008
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 #include "includes.h"
  26 #include <tevent.h>
  27 #include "lib/util/tevent_ntstatus.h"
  28 #include "../libcli/auth/spnego.h"
  29 #include "librpc/gen_ndr/ndr_dcerpc.h"
  30 #include "auth/credentials/credentials.h"
  31 #include "auth/gensec/gensec.h"
  32 #include "auth/gensec/gensec_internal.h"
  33 #include "param/param.h"
  34 #include "lib/util/asn1.h"
  35 #include "lib/util/base64.h"
  36
  37 #undef strcasecmp
  38
  39 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
  40
  41 enum spnego_state_position {
  42         SPNEGO_SERVER_START,
  43         SPNEGO_CLIENT_START,
  44         SPNEGO_SERVER_TARG,
  45         SPNEGO_CLIENT_TARG,
  46         SPNEGO_FALLBACK,
  47         SPNEGO_DONE
  48 };
  49
  50 struct spnego_state {
  51         enum spnego_message_type expected_packet;
  52         enum spnego_state_position state_position;
  53         struct gensec_security *sub_sec_security;
  54         bool sub_sec_ready;
  55
  56         const char *neg_oid;
  57
  58         DATA_BLOB mech_types;
  59         size_t num_targs;
  60         bool downgraded;
  61         bool mic_requested;
  62         bool needs_mic_sign;
  63         bool needs_mic_check;
  64         bool may_skip_mic_check;
  65         bool done_mic_check;
  66
  67         bool simulate_w2k;
  68
  69         /*
  70          * The following is used to implement
  71          * the update token fragmentation
  72          */
  73         size_t in_needed;
  74         DATA_BLOB in_frag;
  75         size_t out_max_length;
  76         DATA_BLOB out_frag;
  77         NTSTATUS out_status;
  78 };
  79
  80 static void gensec_spnego_update_sub_abort(struct spnego_state *spnego_state)
  81 {
  82         spnego_state->sub_sec_ready = false;
  83         TALLOC_FREE(spnego_state->sub_sec_security);
  84 }
  85
  86 static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
  87 {
  88         struct spnego_state *spnego_state;
  89
  90         spnego_state = talloc_zero(gensec_security, struct spnego_state);
  91         if (!spnego_state) {
  92                 return NT_STATUS_NO_MEMORY;
  93         }
  94
  95         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
  96         spnego_state->state_position = SPNEGO_CLIENT_START;
  97         spnego_state->sub_sec_security = NULL;
  98         spnego_state->sub_sec_ready = false;
  99         spnego_state->mech_types = data_blob_null;
 100         spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 101         spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 102
 103         spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 104                                                 "spnego", "simulate_w2k", false);
 105
 106         gensec_security->private_data = spnego_state;
 107         return NT_STATUS_OK;
 108 }
 109
 110 static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
 111 {
 112         struct spnego_state *spnego_state;
 113
 114         spnego_state = talloc_zero(gensec_security, struct spnego_state);
 115         if (!spnego_state) {
 116                 return NT_STATUS_NO_MEMORY;
 117         }
 118
 119         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 120         spnego_state->state_position = SPNEGO_SERVER_START;
 121         spnego_state->sub_sec_security = NULL;
 122         spnego_state->sub_sec_ready = false;
 123         spnego_state->mech_types = data_blob_null;
 124         spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 125         spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 126
 127         spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
 128                                                 "spnego", "simulate_w2k", false);
 129
 130         gensec_security->private_data = spnego_state;
 131         return NT_STATUS_OK;
 132 }
 133
 134 /** Fallback to another GENSEC mechanism, based on magic strings
 135  *
 136  * This is the 'fallback' case, where we don't get SPNEGO, and have to
 137  * try all the other options (and hope they all have a magic string
 138  * they check)
 139 */
 140
 141 static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
 142                                                   struct spnego_state *spnego_state,
 143                                                   TALLOC_CTX *mem_ctx,
 144                                                   const DATA_BLOB in)
 145 {
 146         int i,j;
 147         const struct gensec_security_ops **all_ops;
 148
 149         all_ops = gensec_security_mechs(gensec_security, mem_ctx);
 150
 151         for (i=0; all_ops && all_ops[i]; i++) {
 152                 bool is_spnego;
 153                 NTSTATUS nt_status;
 154
 155                 if (gensec_security != NULL &&
 156                     !gensec_security_ops_enabled(all_ops[i], gensec_security))
 157                 {
 158                         continue;
 159                 }
 160
 161                 if (!all_ops[i]->oid) {
 162                         continue;
 163                 }
 164
 165                 is_spnego = false;
 166                 for (j=0; all_ops[i]->oid[j]; j++) {
 167                         if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
 168                                 is_spnego = true;
 169                         }
 170                 }
 171                 if (is_spnego) {
 172                         continue;
 173                 }
 174
 175                 if (!all_ops[i]->magic) {
 176                         continue;
 177                 }
 178
 179                 nt_status = all_ops[i]->magic(gensec_security, &in);
 180                 if (!NT_STATUS_IS_OK(nt_status)) {
 181                         continue;
 182                 }
 183
 184                 spnego_state->state_position = SPNEGO_FALLBACK;
 185
 186                 nt_status = gensec_subcontext_start(spnego_state,
 187                                                     gensec_security,
 188                                                     &spnego_state->sub_sec_security);
 189
 190                 if (!NT_STATUS_IS_OK(nt_status)) {
 191                         return nt_status;
 192                 }
 193                 /* select the sub context */
 194                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 195                                                      all_ops[i]);
 196                 if (!NT_STATUS_IS_OK(nt_status)) {
 197                         return nt_status;
 198                 }
 199
 200                 return NT_STATUS_OK;
 201         }
 202         DEBUG(1, ("Failed to parse SPNEGO request\n"));
 203         return NT_STATUS_INVALID_PARAMETER;
 204 }
 205
 206 /*
 207    Parse the netTokenInit, either from the client, to the server, or
 208    from the server to the client.
 209 */
 210
 211 static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security,
 212                                                  struct spnego_state *spnego_state,
 213                                                  TALLOC_CTX *out_mem_ctx,
 214                                                  struct tevent_context *ev,
 215                                                  struct spnego_data *spnego_in,
 216                                                  DATA_BLOB *unwrapped_out)
 217 {
 218         int i;
 219         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 220         const char * const *mechType = NULL;
 221         DATA_BLOB unwrapped_in = data_blob_null;
 222         bool ok;
 223         const struct gensec_security_ops_wrapper *all_sec = NULL;
 224
 225         if (spnego_in->type != SPNEGO_NEG_TOKEN_INIT) {
 226                 return NT_STATUS_INTERNAL_ERROR;
 227         }
 228
 229         mechType = spnego_in->negTokenInit.mechTypes;
 230         unwrapped_in = spnego_in->negTokenInit.mechToken;
 231
 232         all_sec = gensec_security_by_oid_list(gensec_security,
 233                                               out_mem_ctx,
 234                                               mechType,
 235                                               GENSEC_OID_SPNEGO);
 236
 237         ok = spnego_write_mech_types(spnego_state,
 238                                      mechType,
 239                                      &spnego_state->mech_types);
 240         if (!ok) {
 241                 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 242                 return NT_STATUS_NO_MEMORY;
 243         }
 244
 245         if (spnego_state->state_position == SPNEGO_SERVER_START) {
 246                 uint32_t j;
 247                 for (j=0; mechType && mechType[j]; j++) {
 248                         for (i=0; all_sec && all_sec[i].op; i++) {
 249                                 if (strcmp(mechType[j], all_sec[i].oid) != 0) {
 250                                         continue;
 251                                 }
 252
 253                                 nt_status = gensec_subcontext_start(spnego_state,
 254                                                                     gensec_security,
 255                                                                     &spnego_state->sub_sec_security);
 256                                 if (!NT_STATUS_IS_OK(nt_status)) {
 257                                         return nt_status;
 258                                 }
 259                                 /* select the sub context */
 260                                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 261                                                                      all_sec[i].op);
 262                                 if (!NT_STATUS_IS_OK(nt_status)) {
 263                                         /*
 264                                          * Pretend we never started it
 265                                          */
 266                                         gensec_spnego_update_sub_abort(spnego_state);
 267                                         break;
 268                                 }
 269
 270                                 if (j > 0) {
 271                                         /* no optimistic token */
 272                                         spnego_state->neg_oid = all_sec[i].oid;
 273                                         *unwrapped_out = data_blob_null;
 274                                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 275                                         /*
 276                                          * Indicate the downgrade and request a
 277                                          * mic.
 278                                          */
 279                                         spnego_state->downgraded = true;
 280                                         spnego_state->mic_requested = true;
 281                                         break;
 282                                 }
 283
 284                                 nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 285                                                           out_mem_ctx,
 286                                                           ev,
 287                                                           unwrapped_in,
 288                                                           unwrapped_out);
 289                                 if (NT_STATUS_IS_OK(nt_status)) {
 290                                         spnego_state->sub_sec_ready = true;
 291                                 }
 292                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 293                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 294
 295                                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
 296                                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 297
 298                                         /*
 299                                          * Pretend we never started it
 300                                          */
 301                                         gensec_spnego_update_sub_abort(spnego_state);
 302                                         break;
 303                                 }
 304
 305                                 spnego_state->neg_oid = all_sec[i].oid;
 306                                 break;
 307                         }
 308                         if (spnego_state->sub_sec_security) {
 309                                 break;
 310                         }
 311                 }
 312
 313                 if (!spnego_state->sub_sec_security) {
 314                         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 315                         return NT_STATUS_INVALID_PARAMETER;
 316                 }
 317         }
 318
 319         /* Having tried any optimistic token from the client (if we
 320          * were the server), if we didn't get anywhere, walk our list
 321          * in our preference order */
 322         unwrapped_in = data_blob_null;
 323
 324         if (!spnego_state->sub_sec_security) {
 325                 for (i=0; all_sec && all_sec[i].op; i++) {
 326                         nt_status = gensec_subcontext_start(spnego_state,
 327                                                             gensec_security,
 328                                                             &spnego_state->sub_sec_security);
 329                         if (!NT_STATUS_IS_OK(nt_status)) {
 330                                 return nt_status;
 331                         }
 332                         /* select the sub context */
 333                         nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 334                                                              all_sec[i].op);
 335                         if (!NT_STATUS_IS_OK(nt_status)) {
 336                                 /*
 337                                  * Pretend we never started it.
 338                                  */
 339                                 gensec_spnego_update_sub_abort(spnego_state);
 340                                 continue;
 341                         }
 342
 343                         spnego_state->neg_oid = all_sec[i].oid;
 344
 345                         /* only get the helping start blob for the first OID */
 346                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 347                                                   out_mem_ctx,
 348                                                   ev,
 349                                                   unwrapped_in,
 350                                                   unwrapped_out);
 351                         if (NT_STATUS_IS_OK(nt_status)) {
 352                                 spnego_state->sub_sec_ready = true;
 353                         }
 354
 355                         /* it is likely that a NULL input token will
 356                          * not be liked by most server mechs, but if
 357                          * we are in the client, we want the first
 358                          * update packet to be able to abort the use
 359                          * of this mech */
 360                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
 361                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
 362                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
 363                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
 364                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
 365                                         const char *next = NULL;
 366                                         const char *principal = NULL;
 367                                         int dbg_level = DBGLVL_WARNING;
 368
 369                                         if (all_sec[i+1].op != NULL) {
 370                                                 next = all_sec[i+1].op->name;
 371                                                 dbg_level = DBGLVL_NOTICE;
 372                                         }
 373
 374                                         if (gensec_security->target.principal != NULL) {
 375                                                 principal = gensec_security->target.principal;
 376                                         } else if (gensec_security->target.service != NULL &&
 377                                                    gensec_security->target.hostname != NULL)
 378                                         {
 379                                                 principal = talloc_asprintf(spnego_state->sub_sec_security,
 380                                                                             "%s/%s",
 381                                                                             gensec_security->target.service,
 382                                                                             gensec_security->target.hostname);
 383                                         } else {
 384                                                 principal = gensec_security->target.hostname;
 385                                         }
 386
 387                                         DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
 388                                                           spnego_state->sub_sec_security->ops->name,
 389                                                           principal,
 390                                                           next, nt_errstr(nt_status)));
 391
 392                                         /*
 393                                          * Pretend we never started it.
 394                                          */
 395                                         gensec_spnego_update_sub_abort(spnego_state);
 396                                         continue;
 397                                 }
 398                         }
 399
 400                         break;
 401                 }
 402         }
 403
 404         if (spnego_state->sub_sec_security) {
 405                 /* it is likely that a NULL input token will
 406                  * not be liked by most server mechs, but this
 407                  * does the right thing in the CIFS client.
 408                  * just push us along the merry-go-round
 409                  * again, and hope for better luck next
 410                  * time */
 411
 412                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
 413                         *unwrapped_out = data_blob_null;
 414                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 415                 }
 416
 417                 if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 418                         DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
 419                                   spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
 420
 421                         /* We started the mech correctly, and the
 422                          * input from the other side was valid.
 423                          * Return the error (say bad password, invalid
 424                          * ticket) */
 425                         gensec_spnego_update_sub_abort(spnego_state);
 426                         return nt_status;
 427                 }
 428
 429                 return nt_status; /* OK or MORE PROCESSING */
 430         }
 431
 432         DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
 433         /* we could re-negotiate here, but it would only work
 434          * if the client or server lied about what it could
 435          * support the first time.  Lets keep this code to
 436          * reality */
 437
 438         return nt_status;
 439 }
 440
 441 /** create a negTokenInit
 442  *
 443  * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
 444 */
 445 static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security,
 446                                                   struct spnego_state *spnego_state,
 447                                                   TALLOC_CTX *out_mem_ctx,
 448                                                   struct tevent_context *ev,
 449                                                   DATA_BLOB *out)
 450 {
 451         int i;
 452         NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 453         const char **mechTypes = NULL;
 454         DATA_BLOB unwrapped_out = data_blob_null;
 455         const struct gensec_security_ops_wrapper *all_sec;
 456
 457         mechTypes = gensec_security_oids(gensec_security,
 458                                          out_mem_ctx, GENSEC_OID_SPNEGO);
 459
 460         all_sec = gensec_security_by_oid_list(gensec_security,
 461                                               out_mem_ctx,
 462                                               mechTypes,
 463                                               GENSEC_OID_SPNEGO);
 464         for (i=0; all_sec && all_sec[i].op; i++) {
 465                 struct spnego_data spnego_out;
 466                 const char **send_mech_types;
 467                 bool ok;
 468
 469                 nt_status = gensec_subcontext_start(spnego_state,
 470                                                     gensec_security,
 471                                                     &spnego_state->sub_sec_security);
 472                 if (!NT_STATUS_IS_OK(nt_status)) {
 473                         return nt_status;
 474                 }
 475                 /* select the sub context */
 476                 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
 477                                                      all_sec[i].op);
 478                 if (!NT_STATUS_IS_OK(nt_status)) {
 479                         gensec_spnego_update_sub_abort(spnego_state);
 480                         continue;
 481                 }
 482
 483                 /* In the client, try and produce the first (optimistic) packet */
 484                 if (spnego_state->state_position == SPNEGO_CLIENT_START) {
 485                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 486                                                   out_mem_ctx,
 487                                                   ev,
 488                                                   data_blob_null,
 489                                                   &unwrapped_out);
 490                         if (NT_STATUS_IS_OK(nt_status)) {
 491                                 spnego_state->sub_sec_ready = true;
 492                         }
 493
 494                         if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 495                                 const char *next = NULL;
 496                                 const char *principal = NULL;
 497                                 int dbg_level = DBGLVL_WARNING;
 498
 499                                 if (all_sec[i+1].op != NULL) {
 500                                         next = all_sec[i+1].op->name;
 501                                         dbg_level = DBGLVL_NOTICE;
 502                                 }
 503
 504                                 if (gensec_security->target.principal != NULL) {
 505                                         principal = gensec_security->target.principal;
 506                                 } else if (gensec_security->target.service != NULL &&
 507                                            gensec_security->target.hostname != NULL)
 508                                 {
 509                                         principal = talloc_asprintf(spnego_state->sub_sec_security,
 510                                                                     "%s/%s",
 511                                                                     gensec_security->target.service,
 512                                                                     gensec_security->target.hostname);
 513                                 } else {
 514                                         principal = gensec_security->target.hostname;
 515                                 }
 516
 517                                 DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
 518                                           spnego_state->sub_sec_security->ops->name,
 519                                           principal,
 520                                           next, nt_errstr(nt_status)));
 521
 522                                 /*
 523                                  * Pretend we never started it
 524                                  */
 525                                 gensec_spnego_update_sub_abort(spnego_state);
 526                                 continue;
 527                         }
 528                 }
 529
 530                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 531
 532                 send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
 533                                                                         &all_sec[i]);
 534
 535                 ok = spnego_write_mech_types(spnego_state,
 536                                              send_mech_types,
 537                                              &spnego_state->mech_types);
 538                 if (!ok) {
 539                         DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 540                         return NT_STATUS_NO_MEMORY;
 541                 }
 542
 543                 /* List the remaining mechs as options */
 544                 spnego_out.negTokenInit.mechTypes = send_mech_types;
 545                 spnego_out.negTokenInit.reqFlags = data_blob_null;
 546                 spnego_out.negTokenInit.reqFlagsPadding = 0;
 547
 548                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 549                         spnego_out.negTokenInit.mechListMIC
 550                                 = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
 551                 } else {
 552                         spnego_out.negTokenInit.mechListMIC = data_blob_null;
 553                 }
 554
 555                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 556
 557                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 558                         DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
 559                                 return NT_STATUS_INVALID_PARAMETER;
 560                 }
 561
 562                 /* set next state */
 563                 spnego_state->neg_oid = all_sec[i].oid;
 564
 565                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
 566                         spnego_state->state_position = SPNEGO_SERVER_START;
 567                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
 568                 } else {
 569                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 570                         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 571                 }
 572
 573                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 574         }
 575         gensec_spnego_update_sub_abort(spnego_state);
 576
 577         DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 578         return nt_status;
 579 }
 580
 581
 582 /** create a server negTokenTarg
 583  *
 584  * This is the case, where the client is the first one who sends data
 585 */
 586
 587 static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
 588                                               TALLOC_CTX *out_mem_ctx,
 589                                               NTSTATUS nt_status,
 590                                               const DATA_BLOB unwrapped_out,
 591                                               DATA_BLOB mech_list_mic,
 592                                               DATA_BLOB *out)
 593 {
 594         struct spnego_data spnego_out;
 595
 596         /* compose reply */
 597         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 598         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 599         spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
 600         spnego_out.negTokenTarg.supportedMech = NULL;
 601
 602         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 603                 spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 604                 if (spnego_state->mic_requested) {
 605                         spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
 606                         spnego_state->mic_requested = false;
 607                 } else {
 608                         spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
 609                 }
 610                 spnego_state->state_position = SPNEGO_SERVER_TARG;
 611         } else if (NT_STATUS_IS_OK(nt_status)) {
 612                 if (unwrapped_out.data) {
 613                         spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
 614                 }
 615                 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
 616                 spnego_state->state_position = SPNEGO_DONE;
 617         } else {
 618                 spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
 619                 spnego_out.negTokenTarg.mechListMIC = data_blob_null;
 620                 DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
 621                 spnego_state->state_position = SPNEGO_DONE;
 622         }
 623
 624         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 625                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 626                 return NT_STATUS_INVALID_PARAMETER;
 627         }
 628
 629         spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 630         spnego_state->num_targs++;
 631
 632         return nt_status;
 633 }
 634
 635 static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
 636                                             TALLOC_CTX *out_mem_ctx,
 637                                             struct tevent_context *ev,
 638                                             struct spnego_data *spnego_in,
 639                                             DATA_BLOB *out)
 640 {
 641         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
 642         DATA_BLOB mech_list_mic = data_blob_null;
 643         DATA_BLOB unwrapped_out = data_blob_null;
 644         struct spnego_data spnego_out;
 645
 646         *out = data_blob_null;
 647
 648         /* and switch into the state machine */
 649
 650         switch (spnego_state->state_position) {
 651         case SPNEGO_CLIENT_START:
 652         {
 653                 /* The server offers a list of mechanisms */
 654
 655                 const char *my_mechs[] = {NULL, NULL};
 656                 NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 657                 bool ok;
 658                 const char *tp = NULL;
 659
 660                 tp = spnego_in->negTokenInit.targetPrincipal;
 661                 if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
 662                         DEBUG(5, ("Server claims it's principal name is %s\n", tp));
 663                         if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
 664                                 gensec_set_target_principal(gensec_security, tp);
 665                         }
 666                 }
 667
 668                 nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
 669                                                              spnego_state,
 670                                                              out_mem_ctx,
 671                                                              ev,
 672                                                              spnego_in,
 673                                                              &unwrapped_out);
 674
 675                 if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 676                         return nt_status;
 677                 }
 678
 679                 my_mechs[0] = spnego_state->neg_oid;
 680                 /* compose reply */
 681                 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 682                 spnego_out.negTokenInit.mechTypes = my_mechs;
 683                 spnego_out.negTokenInit.reqFlags = data_blob_null;
 684                 spnego_out.negTokenInit.reqFlagsPadding = 0;
 685                 spnego_out.negTokenInit.mechListMIC = data_blob_null;
 686                 spnego_out.negTokenInit.mechToken = unwrapped_out;
 687
 688                 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 689                         DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
 690                                 return NT_STATUS_INVALID_PARAMETER;
 691                 }
 692
 693                 ok = spnego_write_mech_types(spnego_state,
 694                                              my_mechs,
 695                                              &spnego_state->mech_types);
 696                 if (!ok) {
 697                         DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
 698                         return NT_STATUS_NO_MEMORY;
 699                 }
 700
 701                 /* set next state */
 702                 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
 703                 spnego_state->state_position = SPNEGO_CLIENT_TARG;
 704
 705                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 706         }
 707
 708         case SPNEGO_CLIENT_TARG:
 709         {
 710                 NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
 711                 const struct spnego_negTokenTarg *ta =
 712                         &spnego_in->negTokenTarg;
 713
 714                 spnego_state->num_targs++;
 715
 716                 if (ta->negResult == SPNEGO_REJECT) {
 717                         return NT_STATUS_LOGON_FAILURE;
 718                 }
 719
 720                 if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
 721                         spnego_state->mic_requested = true;
 722                 }
 723
 724                 /* Server didn't like our choice of mech, and chose something else */
 725                 if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
 726                      (ta->negResult == SPNEGO_REQUEST_MIC)) &&
 727                     ta->supportedMech != NULL&&
 728                     strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) {
 729                         DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 730                                  gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 731                                  gensec_get_name_by_oid(gensec_security, ta->supportedMech)));
 732                         spnego_state->downgraded = true;
 733                         gensec_spnego_update_sub_abort(spnego_state);
 734                         nt_status = gensec_subcontext_start(spnego_state,
 735                                                             gensec_security,
 736                                                             &spnego_state->sub_sec_security);
 737                         if (!NT_STATUS_IS_OK(nt_status)) {
 738                                 return nt_status;
 739                         }
 740                         /* select the sub context */
 741                         nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
 742                                                              ta->supportedMech);
 743                         if (!NT_STATUS_IS_OK(nt_status)) {
 744                                 return nt_status;
 745                         }
 746
 747                         spnego_state->neg_oid = talloc_strdup(spnego_state,
 748                                                 ta->supportedMech);
 749                         if (spnego_state->neg_oid == NULL) {
 750                                 return NT_STATUS_NO_MEMORY;
 751                         };
 752                 }
 753
 754                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 755                         DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
 756                         const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
 757
 758                         /*
 759                          * Windows 2000 has a bug, it repeats the
 760                          * responseToken in the mechListMIC field.
 761                          */
 762                         if (m->length == r->length) {
 763                                 int cmp;
 764
 765                                 cmp = memcmp(m->data, r->data, m->length);
 766                                 if (cmp == 0) {
 767                                         data_blob_free(m);
 768                                 }
 769                         }
 770                 }
 771
 772                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 773                         if (spnego_state->sub_sec_ready) {
 774                                 spnego_state->needs_mic_check = true;
 775                         }
 776                 }
 777
 778                 if (spnego_state->needs_mic_check) {
 779                         if (spnego_in->negTokenTarg.responseToken.length != 0) {
 780                                 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
 781                                 return NT_STATUS_INVALID_PARAMETER;
 782                         }
 783
 784                         if (spnego_in->negTokenTarg.mechListMIC.length == 0
 785                             && spnego_state->may_skip_mic_check) {
 786                                 /*
 787                                  * In this case we don't require
 788                                  * a mechListMIC from the server.
 789                                  *
 790                                  * This works around bugs in the Azure
 791                                  * and Apple spnego implementations.
 792                                  *
 793                                  * See
 794                                  * https://bugzilla.samba.org/show_bug.cgi?id=11994
 795                                  */
 796                                 spnego_state->needs_mic_check = false;
 797                                 nt_status = NT_STATUS_OK;
 798                                 goto client_response;
 799                         }
 800
 801                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 802                                                         spnego_state->mech_types.data,
 803                                                         spnego_state->mech_types.length,
 804                                                         spnego_state->mech_types.data,
 805                                                         spnego_state->mech_types.length,
 806                                                         &spnego_in->negTokenTarg.mechListMIC);
 807                         if (!NT_STATUS_IS_OK(nt_status)) {
 808                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
 809                                         nt_errstr(nt_status)));
 810                                 return nt_status;
 811                         }
 812                         spnego_state->needs_mic_check = false;
 813                         spnego_state->done_mic_check = true;
 814                         goto client_response;
 815                 }
 816
 817                 if (!spnego_state->sub_sec_ready) {
 818                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
 819                                                   out_mem_ctx, ev,
 820                                                   spnego_in->negTokenTarg.responseToken,
 821                                                   &unwrapped_out);
 822                         if (NT_STATUS_IS_OK(nt_status)) {
 823                                 spnego_state->sub_sec_ready = true;
 824                         }
 825                         if (!NT_STATUS_IS_OK(nt_status)) {
 826                                 goto client_response;
 827                         }
 828                 } else {
 829                         nt_status = NT_STATUS_OK;
 830                 }
 831
 832                 if (!spnego_state->done_mic_check) {
 833                         bool have_sign = true;
 834                         bool new_spnego = false;
 835
 836                         have_sign = gensec_have_feature(spnego_state->sub_sec_security,
 837                                                         GENSEC_FEATURE_SIGN);
 838                         if (spnego_state->simulate_w2k) {
 839                                 have_sign = false;
 840                         }
 841                         new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 842                                                          GENSEC_FEATURE_NEW_SPNEGO);
 843
 844                         switch (spnego_in->negTokenTarg.negResult) {
 845                         case SPNEGO_ACCEPT_COMPLETED:
 846                         case SPNEGO_NONE_RESULT:
 847                                 if (spnego_state->num_targs == 1) {
 848                                         /*
 849                                          * the first exchange doesn't require
 850                                          * verification
 851                                          */
 852                                         new_spnego = false;
 853                                 }
 854
 855                                 break;
 856
 857                         case SPNEGO_ACCEPT_INCOMPLETE:
 858                                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 859                                         new_spnego = true;
 860                                         break;
 861                                 }
 862
 863                                 if (spnego_state->downgraded) {
 864                                         /*
 865                                          * A downgrade should be protected if
 866                                          * supported
 867                                          */
 868                                         break;
 869                                 }
 870
 871                                 /*
 872                                  * The caller may just asked for
 873                                  * GENSEC_FEATURE_SESSION_KEY, this
 874                                  * is only reflected in the want_features.
 875                                  *
 876                                  * As it will imply
 877                                  * gensec_have_features(GENSEC_FEATURE_SIGN)
 878                                  * to return true.
 879                                  */
 880                                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 881                                         break;
 882                                 }
 883                                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 884                                         break;
 885                                 }
 886                                 /*
 887                                  * Here we're sure our preferred mech was
 888                                  * selected by the server and our caller doesn't
 889                                  * need GENSEC_FEATURE_SIGN nor
 890                                  * GENSEC_FEATURE_SEAL support.
 891                                  *
 892                                  * In this case we don't require
 893                                  * a mechListMIC from the server.
 894                                  *
 895                                  * This works around bugs in the Azure
 896                                  * and Apple spnego implementations.
 897                                  *
 898                                  * See
 899                                  * https://bugzilla.samba.org/show_bug.cgi?id=11994
 900                                  */
 901                                 spnego_state->may_skip_mic_check = true;
 902                                 break;
 903
 904                         case SPNEGO_REQUEST_MIC:
 905                                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 906                                         new_spnego = true;
 907                                 }
 908                                 break;
 909                         default:
 910                                 break;
 911                         }
 912
 913                         if (spnego_state->mic_requested) {
 914                                 if (have_sign) {
 915                                         new_spnego = true;
 916                                 }
 917                         }
 918
 919                         if (have_sign && new_spnego) {
 920                                 spnego_state->needs_mic_check = true;
 921                                 spnego_state->needs_mic_sign = true;
 922                         }
 923                 }
 924
 925                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
 926                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 927                                                         spnego_state->mech_types.data,
 928                                                         spnego_state->mech_types.length,
 929                                                         spnego_state->mech_types.data,
 930                                                         spnego_state->mech_types.length,
 931                                                         &spnego_in->negTokenTarg.mechListMIC);
 932                         if (!NT_STATUS_IS_OK(nt_status)) {
 933                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
 934                                         nt_errstr(nt_status)));
 935                                 return nt_status;
 936                         }
 937                         spnego_state->needs_mic_check = false;
 938                         spnego_state->done_mic_check = true;
 939                 }
 940
 941                 if (spnego_state->needs_mic_sign) {
 942                         nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
 943                                                        out_mem_ctx,
 944                                                        spnego_state->mech_types.data,
 945                                                        spnego_state->mech_types.length,
 946                                                        spnego_state->mech_types.data,
 947                                                        spnego_state->mech_types.length,
 948                                                        &mech_list_mic);
 949                         if (!NT_STATUS_IS_OK(nt_status)) {
 950                                 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
 951                                         nt_errstr(nt_status)));
 952                                 return nt_status;
 953                         }
 954                         spnego_state->needs_mic_sign = false;
 955                 }
 956
 957                 if (spnego_state->needs_mic_check) {
 958                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 959                 }
 960
 961  client_response:
 962                 if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
 963                         DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
 964                                   spnego_state->sub_sec_security->ops->name,
 965                                   nt_errstr(nt_status)));
 966                         return nt_status;
 967                 }
 968
 969                 if (unwrapped_out.length || mech_list_mic.length) {
 970                         /* compose reply */
 971                         spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
 972                         spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
 973                         spnego_out.negTokenTarg.supportedMech = NULL;
 974                         spnego_out.negTokenTarg.responseToken = unwrapped_out;
 975                         spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
 976
 977                         if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
 978                                 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
 979                                 return NT_STATUS_INVALID_PARAMETER;
 980                         }
 981
 982                         spnego_state->num_targs++;
 983                         spnego_state->state_position = SPNEGO_CLIENT_TARG;
 984                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 985                 } else {
 986
 987                         /* all done - server has accepted, and we agree */
 988                         *out = data_blob_null;
 989
 990                         if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
 991                                 /* unless of course it did not accept */
 992                                 DEBUG(1,("gensec_update ok but not accepted\n"));
 993                                 nt_status = NT_STATUS_INVALID_PARAMETER;
 994                         }
 995
 996                         spnego_state->state_position = SPNEGO_DONE;
 997                 }
 998
 999                 return nt_status;
1000         }
1001
1002         default:
1003                 break;
1004         }
1005
1006         smb_panic(__location__);
1007         return NT_STATUS_INTERNAL_ERROR;
1008 }
1009
1010 static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
1011                                             TALLOC_CTX *out_mem_ctx,
1012                                             struct tevent_context *ev,
1013                                             struct spnego_data *spnego_in,
1014                                             DATA_BLOB *out)
1015 {
1016         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1017         DATA_BLOB mech_list_mic = data_blob_null;
1018         DATA_BLOB unwrapped_out = data_blob_null;
1019
1020         /* and switch into the state machine */
1021
1022         switch (spnego_state->state_position) {
1023         case SPNEGO_SERVER_START:
1024         {
1025                 NTSTATUS nt_status;
1026
1027                 nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
1028                                                              spnego_state,
1029                                                              out_mem_ctx,
1030                                                              ev,
1031                                                              spnego_in,
1032                                                              &unwrapped_out);
1033
1034                 if (spnego_state->simulate_w2k) {
1035                         /*
1036                          * Windows 2000 returns the unwrapped token
1037                          * also in the mech_list_mic field.
1038                          *
1039                          * In order to verify our client code,
1040                          * we need a way to have a server with this
1041                          * broken behaviour
1042                          */
1043                         mech_list_mic = unwrapped_out;
1044                 }
1045
1046                 nt_status = gensec_spnego_server_response(spnego_state,
1047                                                           out_mem_ctx,
1048                                                           nt_status,
1049                                                           unwrapped_out,
1050                                                           mech_list_mic,
1051                                                           out);
1052
1053                 return nt_status;
1054         }
1055
1056         case SPNEGO_SERVER_TARG:
1057         {
1058                 NTSTATUS nt_status;
1059                 bool have_sign = true;
1060                 bool new_spnego = false;
1061
1062                 spnego_state->num_targs++;
1063
1064                 if (!spnego_state->sub_sec_security) {
1065                         DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
1066                         return NT_STATUS_INVALID_PARAMETER;
1067                 }
1068
1069                 if (spnego_state->needs_mic_check) {
1070                         if (spnego_in->negTokenTarg.responseToken.length != 0) {
1071                                 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
1072                                 return NT_STATUS_INVALID_PARAMETER;
1073                         }
1074
1075                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1076                                                         spnego_state->mech_types.data,
1077                                                         spnego_state->mech_types.length,
1078                                                         spnego_state->mech_types.data,
1079                                                         spnego_state->mech_types.length,
1080                                                         &spnego_in->negTokenTarg.mechListMIC);
1081                         if (NT_STATUS_IS_OK(nt_status)) {
1082                                 spnego_state->needs_mic_check = false;
1083                                 spnego_state->done_mic_check = true;
1084                         } else {
1085                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1086                                         nt_errstr(nt_status)));
1087                         }
1088                         goto server_response;
1089                 }
1090
1091                 if (!spnego_state->sub_sec_ready) {
1092                         nt_status = gensec_update_ev(spnego_state->sub_sec_security,
1093                                                      out_mem_ctx, ev,
1094                                                      spnego_in->negTokenTarg.responseToken,
1095                                                      &unwrapped_out);
1096                         if (NT_STATUS_IS_OK(nt_status)) {
1097                                 spnego_state->sub_sec_ready = true;
1098                         }
1099                         if (!NT_STATUS_IS_OK(nt_status)) {
1100                                 goto server_response;
1101                         }
1102                 } else {
1103                         nt_status = NT_STATUS_OK;
1104                 }
1105
1106                 have_sign = gensec_have_feature(spnego_state->sub_sec_security,
1107                                                 GENSEC_FEATURE_SIGN);
1108                 if (spnego_state->simulate_w2k) {
1109                         have_sign = false;
1110                 }
1111                 new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
1112                                                  GENSEC_FEATURE_NEW_SPNEGO);
1113                 if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
1114                         new_spnego = true;
1115                 }
1116
1117                 if (have_sign && new_spnego) {
1118                         spnego_state->needs_mic_check = true;
1119                         spnego_state->needs_mic_sign = true;
1120                 }
1121
1122                 if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
1123                         nt_status = gensec_check_packet(spnego_state->sub_sec_security,
1124                                                         spnego_state->mech_types.data,
1125                                                         spnego_state->mech_types.length,
1126                                                         spnego_state->mech_types.data,
1127                                                         spnego_state->mech_types.length,
1128                                                         &spnego_in->negTokenTarg.mechListMIC);
1129                         if (!NT_STATUS_IS_OK(nt_status)) {
1130                                 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1131                                         nt_errstr(nt_status)));
1132                                 goto server_response;
1133                         }
1134
1135                         spnego_state->needs_mic_check = false;
1136                         spnego_state->done_mic_check = true;
1137                 }
1138
1139                 if (spnego_state->needs_mic_sign) {
1140                         nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
1141                                                        out_mem_ctx,
1142                                                        spnego_state->mech_types.data,
1143                                                        spnego_state->mech_types.length,
1144                                                        spnego_state->mech_types.data,
1145                                                        spnego_state->mech_types.length,
1146                                                        &mech_list_mic);
1147                         if (!NT_STATUS_IS_OK(nt_status)) {
1148                                 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
1149                                         nt_errstr(nt_status)));
1150                                 goto server_response;
1151                         }
1152                         spnego_state->needs_mic_sign = false;
1153                 }
1154
1155                 if (spnego_state->needs_mic_check) {
1156                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1157                 }
1158
1159  server_response:
1160                 nt_status = gensec_spnego_server_response(spnego_state,
1161                                                           out_mem_ctx,
1162                                                           nt_status,
1163                                                           unwrapped_out,
1164                                                           mech_list_mic,
1165                                                           out);
1166
1167                 return nt_status;
1168         }
1169
1170         default:
1171                 break;
1172         }
1173
1174         smb_panic(__location__);
1175         return NT_STATUS_INTERNAL_ERROR;
1176 }
1177
1178 struct gensec_spnego_update_state {
1179         struct gensec_security *gensec;
1180         struct spnego_state *spnego;
1181         DATA_BLOB full_in;
1182         struct spnego_data _spnego_in;
1183         struct spnego_data *spnego_in;
1184         NTSTATUS status;
1185         DATA_BLOB out;
1186 };
1187
1188 static void gensec_spnego_update_cleanup(struct tevent_req *req,
1189                                          enum tevent_req_state req_state)
1190 {
1191         struct gensec_spnego_update_state *state =
1192                 tevent_req_data(req,
1193                 struct gensec_spnego_update_state);
1194
1195         switch (req_state) {
1196         case TEVENT_REQ_USER_ERROR:
1197         case TEVENT_REQ_TIMED_OUT:
1198         case TEVENT_REQ_NO_MEMORY:
1199                 /*
1200                  * A fatal error, further updates are not allowed.
1201                  */
1202                 state->spnego->state_position = SPNEGO_DONE;
1203                 break;
1204         default:
1205                 break;
1206         }
1207 }
1208
1209 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1210                                         const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1211                                         DATA_BLOB *full_in);
1212 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1213                                          TALLOC_CTX *out_mem_ctx,
1214                                          DATA_BLOB *_out);
1215
1216 static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
1217                                                     struct tevent_context *ev,
1218                                                     struct gensec_security *gensec_security,
1219                                                     const DATA_BLOB in)
1220 {
1221         struct spnego_state *spnego_state =
1222                 talloc_get_type_abort(gensec_security->private_data,
1223                 struct spnego_state);
1224         struct tevent_req *req = NULL;
1225         struct gensec_spnego_update_state *state = NULL;
1226         NTSTATUS status;
1227         ssize_t len;
1228
1229         req = tevent_req_create(mem_ctx, &state,
1230                                 struct gensec_spnego_update_state);
1231         if (req == NULL) {
1232                 return NULL;
1233         }
1234         state->gensec = gensec_security;
1235         state->spnego = spnego_state;
1236         tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
1237
1238         if (spnego_state->out_frag.length > 0) {
1239                 if (in.length > 0) {
1240                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1241                         return tevent_req_post(req, ev);
1242                 }
1243
1244                 status = gensec_spnego_update_out(gensec_security,
1245                                                   state, &state->out);
1246                 if (GENSEC_UPDATE_IS_NTERROR(status)) {
1247                         tevent_req_nterror(req, status);
1248                         return tevent_req_post(req, ev);
1249                 }
1250
1251                 state->status = status;
1252                 tevent_req_done(req);
1253                 return tevent_req_post(req, ev);
1254         }
1255
1256         status = gensec_spnego_update_in(gensec_security, in,
1257                                          state, &state->full_in);
1258         state->status = status;
1259         if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1260                 tevent_req_done(req);
1261                 return tevent_req_post(req, ev);
1262         }
1263         if (tevent_req_nterror(req, status)) {
1264                 return tevent_req_post(req, ev);
1265         }
1266
1267         /* Check if we got a valid SPNEGO blob... */
1268
1269         switch (spnego_state->state_position) {
1270         case SPNEGO_FALLBACK:
1271                 break;
1272
1273         case SPNEGO_CLIENT_TARG:
1274         case SPNEGO_SERVER_TARG:
1275                 if (state->full_in.length == 0) {
1276                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1277                         return tevent_req_post(req, ev);
1278                 }
1279
1280                 /* fall through */
1281         case SPNEGO_CLIENT_START:
1282         case SPNEGO_SERVER_START:
1283
1284                 if (state->full_in.length == 0) {
1285                         /* create_negTokenInit later */
1286                         break;
1287                 }
1288
1289                 len = spnego_read_data(state,
1290                                        state->full_in,
1291                                        &state->_spnego_in);
1292                 if (len == -1) {
1293                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
1294                                 DEBUG(1, ("Invalid SPNEGO request:\n"));
1295                                 dump_data(1, state->full_in.data,
1296                                           state->full_in.length);
1297                                 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1298                                 return tevent_req_post(req, ev);
1299                         }
1300
1301                         /*
1302                          * This is the 'fallback' case, where we don't get
1303                          * SPNEGO, and have to try all the other options (and
1304                          * hope they all have a magic string they check)
1305                          */
1306                         status = gensec_spnego_server_try_fallback(gensec_security,
1307                                                                    spnego_state,
1308                                                                    state,
1309                                                                    state->full_in);
1310                         if (tevent_req_nterror(req, status)) {
1311                                 return tevent_req_post(req, ev);
1312                         }
1313
1314                         /*
1315                          * We'll continue with SPNEGO_FALLBACK below...
1316                          */
1317                         break;
1318                 }
1319                 state->spnego_in = &state->_spnego_in;
1320
1321                 /* OK, so it's real SPNEGO, check the packet's the one we expect */
1322                 if (state->spnego_in->type != spnego_state->expected_packet) {
1323                         DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
1324                                   state->spnego_in->type,
1325                                   spnego_state->expected_packet));
1326                         dump_data(1, state->full_in.data,
1327                                   state->full_in.length);
1328                         tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1329                         return tevent_req_post(req, ev);
1330                 }
1331
1332                 break;
1333
1334         default:
1335                 smb_panic(__location__);
1336                 return NULL;
1337         }
1338
1339         /* and switch into the state machine */
1340
1341         switch (spnego_state->state_position) {
1342         case SPNEGO_FALLBACK:
1343                 status = gensec_update_ev(spnego_state->sub_sec_security,
1344                                           state, ev,
1345                                           state->full_in,
1346                                           &spnego_state->out_frag);
1347                 break;
1348
1349         case SPNEGO_CLIENT_START:
1350                 if (state->spnego_in == NULL) {
1351                         /* client to produce negTokenInit */
1352                         status = gensec_spnego_create_negTokenInit(gensec_security,
1353                                                         spnego_state, state, ev,
1354                                                         &spnego_state->out_frag);
1355                         break;
1356                 }
1357
1358                 /* fall through */
1359         case SPNEGO_CLIENT_TARG:
1360                 status = gensec_spnego_update_client(gensec_security,
1361                                                      state, ev,
1362                                                      state->spnego_in,
1363                                                      &spnego_state->out_frag);
1364                 break;
1365
1366         case SPNEGO_SERVER_START:
1367                 if (state->spnego_in == NULL) {
1368                         /* server to produce negTokenInit */
1369                         status = gensec_spnego_create_negTokenInit(gensec_security,
1370                                                         spnego_state, state, ev,
1371                                                         &spnego_state->out_frag);
1372                         break;
1373                 }
1374
1375                 /* fall through */
1376         case SPNEGO_SERVER_TARG:
1377                 status = gensec_spnego_update_server(gensec_security,
1378                                                      state, ev,
1379                                                      state->spnego_in,
1380                                                      &spnego_state->out_frag);
1381                 break;
1382
1383         default:
1384                 smb_panic(__location__);
1385                 return NULL;
1386         }
1387
1388         if (GENSEC_UPDATE_IS_NTERROR(status)) {
1389                 tevent_req_nterror(req, status);
1390                 return tevent_req_post(req, ev);
1391         }
1392
1393         if (NT_STATUS_IS_OK(status)) {
1394                 bool reset_full = true;
1395
1396                 reset_full = !spnego_state->done_mic_check;
1397
1398                 status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
1399                                                  reset_full);
1400                 if (tevent_req_nterror(req, status)) {
1401                         return tevent_req_post(req, ev);
1402                 }
1403         }
1404
1405         spnego_state->out_status = status;
1406
1407         status = gensec_spnego_update_out(gensec_security,
1408                                           state, &state->out);
1409         if (GENSEC_UPDATE_IS_NTERROR(status)) {
1410                 tevent_req_nterror(req, status);
1411                 return tevent_req_post(req, ev);
1412         }
1413
1414         state->status = status;
1415         tevent_req_done(req);
1416         return tevent_req_post(req, ev);
1417 }
1418
1419 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1420                                         const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1421                                         DATA_BLOB *full_in)
1422 {
1423         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1424         size_t expected;
1425         bool ok;
1426
1427         *full_in = data_blob_null;
1428
1429         switch (spnego_state->state_position) {
1430         case SPNEGO_FALLBACK:
1431                 *full_in = in;
1432                 spnego_state->in_needed = 0;
1433                 return NT_STATUS_OK;
1434
1435         case SPNEGO_CLIENT_START:
1436         case SPNEGO_CLIENT_TARG:
1437         case SPNEGO_SERVER_START:
1438         case SPNEGO_SERVER_TARG:
1439                 break;
1440
1441         case SPNEGO_DONE:
1442         default:
1443                 return NT_STATUS_INVALID_PARAMETER;
1444         }
1445
1446         if (spnego_state->in_needed == 0) {
1447                 size_t size = 0;
1448                 int ret;
1449
1450                 /*
1451                  * try to work out the size of the full
1452                  * input token, it might be fragmented
1453                  */
1454                 ret = asn1_peek_full_tag(in,  ASN1_APPLICATION(0), &size);
1455                 if ((ret != 0) && (ret != EAGAIN)) {
1456                         ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
1457                 }
1458
1459                 if ((ret == 0) || (ret == EAGAIN)) {
1460                         spnego_state->in_needed = size;
1461                 } else {
1462                         /*
1463                          * If it is not an asn1 message
1464                          * just call the next layer.
1465                          */
1466                         spnego_state->in_needed = in.length;
1467                 }
1468         }
1469
1470         if (spnego_state->in_needed > UINT16_MAX) {
1471                 /*
1472                  * limit the incoming message to 0xFFFF
1473                  * to avoid DoS attacks.
1474                  */
1475                 return NT_STATUS_INVALID_BUFFER_SIZE;
1476         }
1477
1478         if ((spnego_state->in_needed > 0) && (in.length == 0)) {
1479                 /*
1480                  * If we reach this, we know we got at least
1481                  * part of an asn1 message, getting 0 means
1482                  * the remote peer wants us to spin.
1483                  */
1484                 return NT_STATUS_INVALID_PARAMETER;
1485         }
1486
1487         expected = spnego_state->in_needed - spnego_state->in_frag.length;
1488         if (in.length > expected) {
1489                 /*
1490                  * we got more than expected
1491                  */
1492                 return NT_STATUS_INVALID_PARAMETER;
1493         }
1494
1495         if (in.length == spnego_state->in_needed) {
1496                 /*
1497                  * if the in.length contains the full blob
1498                  * we are done.
1499                  *
1500                  * Note: this implies spnego_state->in_frag.length == 0,
1501                  *       but we do not need to check this explicitly
1502                  *       because we already know that we did not get
1503                  *       more than expected.
1504                  */
1505                 *full_in = in;
1506                 spnego_state->in_needed = 0;
1507                 return NT_STATUS_OK;
1508         }
1509
1510         ok = data_blob_append(spnego_state, &spnego_state->in_frag,
1511                               in.data, in.length);
1512         if (!ok) {
1513                 return NT_STATUS_NO_MEMORY;
1514         }
1515
1516         if (spnego_state->in_needed > spnego_state->in_frag.length) {
1517                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1518         }
1519
1520         *full_in = spnego_state->in_frag;
1521         talloc_steal(mem_ctx, full_in->data);
1522         spnego_state->in_frag = data_blob_null;
1523         spnego_state->in_needed = 0;
1524         return NT_STATUS_OK;
1525 }
1526
1527 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1528                                          TALLOC_CTX *out_mem_ctx,
1529                                          DATA_BLOB *_out)
1530 {
1531         struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
1532         DATA_BLOB out = data_blob_null;
1533         bool ok;
1534
1535         *_out = data_blob_null;
1536
1537         if (spnego_state->out_frag.length <= spnego_state->out_max_length) {
1538                 /*
1539                  * Fast path, we can deliver everything
1540                  */
1541
1542                 *_out = spnego_state->out_frag;
1543                 if (spnego_state->out_frag.length > 0) {
1544                         talloc_steal(out_mem_ctx, _out->data);
1545                         spnego_state->out_frag = data_blob_null;
1546                 }
1547
1548                 if (!NT_STATUS_IS_OK(spnego_state->out_status)) {
1549                         return spnego_state->out_status;
1550                 }
1551
1552                 /*
1553                  * We're completely done, further updates are not allowed.
1554                  */
1555                 spnego_state->state_position = SPNEGO_DONE;
1556                 return gensec_child_ready(gensec_security,
1557                                           spnego_state->sub_sec_security);
1558         }
1559
1560         out = spnego_state->out_frag;
1561
1562         /*
1563          * copy the remaining bytes
1564          */
1565         spnego_state->out_frag = data_blob_talloc(spnego_state,
1566                                         out.data + spnego_state->out_max_length,
1567                                         out.length - spnego_state->out_max_length);
1568         if (spnego_state->out_frag.data == NULL) {
1569                 return NT_STATUS_NO_MEMORY;
1570         }
1571
1572         /*
1573          * truncate the buffer
1574          */
1575         ok = data_blob_realloc(spnego_state, &out,
1576                                spnego_state->out_max_length);
1577         if (!ok) {
1578                 return NT_STATUS_NO_MEMORY;
1579         }
1580
1581         talloc_steal(out_mem_ctx, out.data);
1582         *_out = out;
1583         return NT_STATUS_MORE_PROCESSING_REQUIRED;
1584 }
1585
1586 static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req,
1587                                           TALLOC_CTX *out_mem_ctx,
1588                                           DATA_BLOB *out)
1589 {
1590         struct gensec_spnego_update_state *state =
1591                 tevent_req_data(req,
1592                 struct gensec_spnego_update_state);
1593         NTSTATUS status;
1594
1595         *out = data_blob_null;
1596
1597         if (tevent_req_is_nterror(req, &status)) {
1598                 tevent_req_received(req);
1599                 return status;
1600         }
1601
1602         *out = state->out;
1603         talloc_steal(out_mem_ctx, state->out.data);
1604         status = state->status;
1605         tevent_req_received(req);
1606         return status;
1607 }
1608
1609 static const char *gensec_spnego_oids[] = {
1610         GENSEC_OID_SPNEGO,
1611         NULL
1612 };
1613
1614 static const struct gensec_security_ops gensec_spnego_security_ops = {
1615         .name             = "spnego",
1616         .sasl_name        = "GSS-SPNEGO",
1617         .auth_type        = DCERPC_AUTH_TYPE_SPNEGO,
1618         .oid              = gensec_spnego_oids,
1619         .client_start     = gensec_spnego_client_start,
1620         .server_start     = gensec_spnego_server_start,
1621         .update_send      = gensec_spnego_update_send,
1622         .update_recv      = gensec_spnego_update_recv,
1623         .seal_packet      = gensec_child_seal_packet,
1624         .sign_packet      = gensec_child_sign_packet,
1625         .sig_size         = gensec_child_sig_size,
1626         .max_wrapped_size = gensec_child_max_wrapped_size,
1627         .max_input_size   = gensec_child_max_input_size,
1628         .check_packet     = gensec_child_check_packet,
1629         .unseal_packet    = gensec_child_unseal_packet,
1630         .wrap             = gensec_child_wrap,
1631         .unwrap           = gensec_child_unwrap,
1632         .session_key      = gensec_child_session_key,
1633         .session_info     = gensec_child_session_info,
1634         .want_feature     = gensec_child_want_feature,
1635         .have_feature     = gensec_child_have_feature,
1636         .expire_time      = gensec_child_expire_time,
1637         .final_auth_type  = gensec_child_final_auth_type,
1638         .enabled          = true,
1639         .priority         = GENSEC_SPNEGO
1640 };
1641
1642 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)
1643 {
1644         NTSTATUS ret;
1645         ret = gensec_register(ctx, &gensec_spnego_security_ops);
1646         if (!NT_STATUS_IS_OK(ret)) {
1647                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1648                         gensec_spnego_security_ops.name));
1649                 return ret;
1650         }
1651
1652         return ret;
1653 }