2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "auth/gensec/spnego.h"
26 #include "auth/gensec/gensec.h"
27 #include "libcli/util/asn_1.h"
29 static BOOL
read_negTokenInit(struct asn1_data
*asn1
, struct spnego_negTokenInit
*token
)
33 asn1_start_tag(asn1
, ASN1_CONTEXT(0));
34 asn1_start_tag(asn1
, ASN1_SEQUENCE(0));
36 while (!asn1
->has_error
&& 0 < asn1_tag_remaining(asn1
)) {
39 if (!asn1_peek_uint8(asn1
, &context
)) {
40 asn1
->has_error
= True
;
47 asn1_start_tag(asn1
, ASN1_CONTEXT(0));
48 asn1_start_tag(asn1
, ASN1_SEQUENCE(0));
50 token
->mechTypes
= talloc(NULL
, const char *);
51 for (i
= 0; !asn1
->has_error
&&
52 0 < asn1_tag_remaining(asn1
); i
++) {
53 token
->mechTypes
= talloc_realloc(NULL
,
56 asn1_read_OID(asn1
, token
->mechTypes
+ i
);
57 if (token
->mechTypes
[i
]) {
58 talloc_steal(token
->mechTypes
,
62 token
->mechTypes
[i
] = NULL
;
69 asn1_start_tag(asn1
, ASN1_CONTEXT(1));
70 asn1_read_Integer(asn1
, &token
->reqFlags
);
71 token
->reqFlags
|= SPNEGO_REQ_FLAG
;
76 asn1_start_tag(asn1
, ASN1_CONTEXT(2));
77 asn1_read_OctetString(asn1
, &token
->mechToken
);
84 asn1_start_tag(asn1
, ASN1_CONTEXT(3));
85 if (!asn1_peek_uint8(asn1
, &type_peek
)) {
86 asn1
->has_error
= True
;
89 if (type_peek
== ASN1_OCTET_STRING
) {
90 asn1_read_OctetString(asn1
,
93 /* RFC 2478 says we have an Octet String here,
94 but W2k sends something different... */
96 asn1_push_tag(asn1
, ASN1_SEQUENCE(0));
97 asn1_push_tag(asn1
, ASN1_CONTEXT(0));
98 asn1_read_GeneralString(asn1
, &mechListMIC
);
102 token
->targetPrincipal
= mechListMIC
;
108 asn1
->has_error
= True
;
116 return !asn1
->has_error
;
119 static BOOL
write_negTokenInit(struct asn1_data
*asn1
, struct spnego_negTokenInit
*token
)
121 asn1_push_tag(asn1
, ASN1_CONTEXT(0));
122 asn1_push_tag(asn1
, ASN1_SEQUENCE(0));
124 /* Write mechTypes */
125 if (token
->mechTypes
&& *token
->mechTypes
) {
128 asn1_push_tag(asn1
, ASN1_CONTEXT(0));
129 asn1_push_tag(asn1
, ASN1_SEQUENCE(0));
130 for (i
= 0; token
->mechTypes
[i
]; i
++) {
131 asn1_write_OID(asn1
, token
->mechTypes
[i
]);
138 if (token
->reqFlags
& SPNEGO_REQ_FLAG
) {
139 int flags
= token
->reqFlags
& ~SPNEGO_REQ_FLAG
;
141 asn1_push_tag(asn1
, ASN1_CONTEXT(1));
142 asn1_write_Integer(asn1
, flags
);
146 /* write mechToken */
147 if (token
->mechToken
.data
) {
148 asn1_push_tag(asn1
, ASN1_CONTEXT(2));
149 asn1_write_OctetString(asn1
, token
->mechToken
.data
,
150 token
->mechToken
.length
);
154 /* write mechListMIC */
155 if (token
->mechListMIC
.data
) {
156 asn1_push_tag(asn1
, ASN1_CONTEXT(3));
158 /* This is what RFC 2478 says ... */
159 asn1_write_OctetString(asn1
, token
->mechListMIC
.data
,
160 token
->mechListMIC
.length
);
162 /* ... but unfortunately this is what Windows
164 asn1_push_tag(asn1
, ASN1_SEQUENCE(0));
165 asn1_push_tag(asn1
, ASN1_CONTEXT(0));
166 asn1_push_tag(asn1
, ASN1_GENERAL_STRING
);
167 asn1_write(asn1
, token
->mechListMIC
.data
,
168 token
->mechListMIC
.length
);
179 return !asn1
->has_error
;
182 static BOOL
read_negTokenTarg(struct asn1_data
*asn1
, struct spnego_negTokenTarg
*token
)
186 asn1_start_tag(asn1
, ASN1_CONTEXT(1));
187 asn1_start_tag(asn1
, ASN1_SEQUENCE(0));
189 while (!asn1
->has_error
&& 0 < asn1_tag_remaining(asn1
)) {
191 if (!asn1_peek_uint8(asn1
, &context
)) {
192 asn1
->has_error
= True
;
197 case ASN1_CONTEXT(0):
198 asn1_start_tag(asn1
, ASN1_CONTEXT(0));
199 asn1_start_tag(asn1
, ASN1_ENUMERATED
);
200 asn1_read_uint8(asn1
, &token
->negResult
);
204 case ASN1_CONTEXT(1):
205 asn1_start_tag(asn1
, ASN1_CONTEXT(1));
206 asn1_read_OID(asn1
, &token
->supportedMech
);
209 case ASN1_CONTEXT(2):
210 asn1_start_tag(asn1
, ASN1_CONTEXT(2));
211 asn1_read_OctetString(asn1
, &token
->responseToken
);
214 case ASN1_CONTEXT(3):
215 asn1_start_tag(asn1
, ASN1_CONTEXT(3));
216 asn1_read_OctetString(asn1
, &token
->mechListMIC
);
220 asn1
->has_error
= True
;
228 return !asn1
->has_error
;
231 static BOOL
write_negTokenTarg(struct asn1_data
*asn1
, struct spnego_negTokenTarg
*token
)
233 asn1_push_tag(asn1
, ASN1_CONTEXT(1));
234 asn1_push_tag(asn1
, ASN1_SEQUENCE(0));
236 if (token
->negResult
!= SPNEGO_NONE_RESULT
) {
237 asn1_push_tag(asn1
, ASN1_CONTEXT(0));
238 asn1_write_enumerated(asn1
, token
->negResult
);
242 if (token
->supportedMech
) {
243 asn1_push_tag(asn1
, ASN1_CONTEXT(1));
244 asn1_write_OID(asn1
, token
->supportedMech
);
248 if (token
->responseToken
.data
) {
249 asn1_push_tag(asn1
, ASN1_CONTEXT(2));
250 asn1_write_OctetString(asn1
, token
->responseToken
.data
,
251 token
->responseToken
.length
);
255 if (token
->mechListMIC
.data
) {
256 asn1_push_tag(asn1
, ASN1_CONTEXT(3));
257 asn1_write_OctetString(asn1
, token
->mechListMIC
.data
,
258 token
->mechListMIC
.length
);
265 return !asn1
->has_error
;
268 ssize_t
spnego_read_data(DATA_BLOB data
, struct spnego_data
*token
)
270 struct asn1_data asn1
;
277 if (data
.length
== 0) {
281 asn1_load(&asn1
, data
);
283 if (!asn1_peek_uint8(&asn1
, &context
)) {
284 asn1
.has_error
= True
;
287 case ASN1_APPLICATION(0):
288 asn1_start_tag(&asn1
, ASN1_APPLICATION(0));
289 asn1_check_OID(&asn1
, GENSEC_OID_SPNEGO
);
290 if (read_negTokenInit(&asn1
, &token
->negTokenInit
)) {
291 token
->type
= SPNEGO_NEG_TOKEN_INIT
;
295 case ASN1_CONTEXT(1):
296 if (read_negTokenTarg(&asn1
, &token
->negTokenTarg
)) {
297 token
->type
= SPNEGO_NEG_TOKEN_TARG
;
301 asn1
.has_error
= True
;
306 if (!asn1
.has_error
) ret
= asn1
.ofs
;
312 ssize_t
spnego_write_data(TALLOC_CTX
*mem_ctx
, DATA_BLOB
*blob
, struct spnego_data
*spnego
)
314 struct asn1_data asn1
;
319 switch (spnego
->type
) {
320 case SPNEGO_NEG_TOKEN_INIT
:
321 asn1_push_tag(&asn1
, ASN1_APPLICATION(0));
322 asn1_write_OID(&asn1
, GENSEC_OID_SPNEGO
);
323 write_negTokenInit(&asn1
, &spnego
->negTokenInit
);
326 case SPNEGO_NEG_TOKEN_TARG
:
327 write_negTokenTarg(&asn1
, &spnego
->negTokenTarg
);
330 asn1
.has_error
= True
;
334 if (!asn1
.has_error
) {
335 *blob
= data_blob_talloc(mem_ctx
, asn1
.data
, asn1
.length
);
343 BOOL
spnego_free_data(struct spnego_data
*spnego
)
347 if (!spnego
) goto out
;
349 switch(spnego
->type
) {
350 case SPNEGO_NEG_TOKEN_INIT
:
351 if (spnego
->negTokenInit
.mechTypes
) {
352 talloc_free(spnego
->negTokenInit
.mechTypes
);
354 data_blob_free(&spnego
->negTokenInit
.mechToken
);
355 data_blob_free(&spnego
->negTokenInit
.mechListMIC
);
356 talloc_free(spnego
->negTokenInit
.targetPrincipal
);
358 case SPNEGO_NEG_TOKEN_TARG
:
359 if (spnego
->negTokenTarg
.supportedMech
) {
360 talloc_free(discard_const(spnego
->negTokenTarg
.supportedMech
));
362 data_blob_free(&spnego
->negTokenTarg
.responseToken
);
363 data_blob_free(&spnego
->negTokenTarg
.mechListMIC
);
369 ZERO_STRUCTP(spnego
);