/*
   Unix SMB/CIFS implementation.
   RFC2478 Compliant SPNEGO implementation
   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
/* Debug class under which this file's debug output is reported. */
#define DBGC_CLASS DBGC_AUTH
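/**
 * Parse a SPNEGO negTokenInit, i.e. [0] SEQUENCE { ... }, at the reader's
 * current position.
 *
 * The token comes off the wire, so every field is treated as optional and
 * the tag loop stops as soon as the ASN.1 reader flags an error.  Fields
 * handled: mechTypes ([0] SEQUENCE OF OID), reqFlags ([1]), mechToken ([2])
 * and mechListMIC ([3], either the RFC 2478 OCTET STRING or the
 * SEQUENCE { [0] GeneralString } wrapping Windows sends).  Any other context
 * tag marks the token as invalid.
 *
 * Everything stored into @token is allocated on talloc_autofree_context(),
 * so it lives until free_spnego_data() releases it.  Callers must release
 * the token on failure as well: fields parsed before the error are already
 * filled in.  A repeated field replaces (and frees) the earlier value
 * rather than leaking it on the process-lifetime context.
 *
 * @param asn1   reader positioned at the [0] tag of the negTokenInit
 * @param token  output structure; zeroed first, then filled as parsed
 * @return true when the token was consumed without an ASN.1 error
 */
static bool read_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
{
	ZERO_STRUCTP(token);

	asn1_start_tag(asn1, ASN1_CONTEXT(0));
	asn1_start_tag(asn1, ASN1_SEQUENCE(0));

	while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
		int i;

		/* Peek at the next tag byte.  The has_error / tag_remaining
		 * test above is what keeps ofs inside the loaded buffer. */
		switch (asn1->data[asn1->ofs]) {
		case ASN1_CONTEXT(0):
			asn1_start_tag(asn1, ASN1_CONTEXT(0));
			asn1_start_tag(asn1, ASN1_SEQUENCE(0));

			if (token->mechTypes) {
				/* repeated [0]: drop the earlier array instead
				 * of leaking it (same walk as free_spnego_data) */
				for (i = 0; token->mechTypes[i]; i++) {
					talloc_free(CONST_DISCARD(char *,
							token->mechTypes[i]));
				}
				TALLOC_FREE(token->mechTypes);
			}

			/* mechTypes is kept as a NULL-terminated array;
			 * start with room for the terminator alone so an
			 * empty SEQUENCE is still a valid, terminated array */
			token->mechTypes = TALLOC_P(talloc_autofree_context(),
						    const char *);
			if (!token->mechTypes) {
				asn1->has_error = True;
				return False;
			}
			for (i = 0; !asn1->has_error &&
				     0 < asn1_tag_remaining(asn1); i++) {
				const char *p_oid = NULL;

				/* i + 2: this OID plus the terminating NULL */
				token->mechTypes = TALLOC_REALLOC_ARRAY(
					talloc_autofree_context(),
					token->mechTypes, const char *, i + 2);
				if (!token->mechTypes) {
					asn1->has_error = True;
					return False;
				}
				asn1_read_OID(asn1, talloc_autofree_context(),
					      &p_oid);
				/* p_oid stays NULL on a failed read; has_error
				 * then ends the loop on the next iteration */
				token->mechTypes[i] = p_oid;
			}
			token->mechTypes[i] = NULL;

			asn1_end_tag(asn1);
			asn1_end_tag(asn1);
			break;

		case ASN1_CONTEXT(1):
			/* SPNEGO_REQ_FLAG records that reqFlags was present on
			 * the wire; write_negTokenInit strips it again */
			asn1_start_tag(asn1, ASN1_CONTEXT(1));
			asn1_read_Integer(asn1, &token->reqFlags);
			token->reqFlags |= SPNEGO_REQ_FLAG;
			asn1_end_tag(asn1);
			break;

		case ASN1_CONTEXT(2):
			asn1_start_tag(asn1, ASN1_CONTEXT(2));
			/* repeated [2]: release the previous blob first */
			data_blob_free(&token->mechToken);
			asn1_read_OctetString(asn1,
				talloc_autofree_context(), &token->mechToken);
			asn1_end_tag(asn1);
			break;

		case ASN1_CONTEXT(3):
			asn1_start_tag(asn1, ASN1_CONTEXT(3));
			data_blob_free(&token->mechListMIC);
			if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) {
				asn1_read_OctetString(asn1,
					talloc_autofree_context(),
					&token->mechListMIC);
			} else {
				/* RFC 2478 says we have an Octet String here,
				   but W2k sends something different... */
				char *mechListMIC = NULL;

				/* Reader primitives only: asn1_push_tag /
				 * asn1_pop_tag are the writer side and would
				 * overwrite the buffer being parsed. */
				asn1_start_tag(asn1, ASN1_SEQUENCE(0));
				asn1_start_tag(asn1, ASN1_CONTEXT(0));
				asn1_read_GeneralString(asn1,
					talloc_autofree_context(),
					&mechListMIC);
				asn1_end_tag(asn1);
				asn1_end_tag(asn1);

				/* a failed read leaves mechListMIC NULL;
				 * never strlen() it in that case */
				if (!asn1->has_error && mechListMIC != NULL) {
					token->mechListMIC = data_blob(
						mechListMIC,
						strlen(mechListMIC));
				}
				TALLOC_FREE(mechListMIC);
			}
			asn1_end_tag(asn1);
			break;

		default:
			/* unknown field: treat the whole token as malformed */
			asn1->has_error = True;
			break;
		}
	}

	asn1_end_tag(asn1);
	asn1_end_tag(asn1);

	return !asn1->has_error;
}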
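/**
 * Serialise a negTokenInit as [0] SEQUENCE { ... } at the writer's cursor.
 *
 * Only fields that are set are emitted: mechTypes when the array holds at
 * least one entry, reqFlags when SPNEGO_REQ_FLAG is set (the marker bit is
 * stripped before the integer is written), mechToken and mechListMIC when
 * their .data is non-NULL.  The mechListMIC is emitted in the
 * SEQUENCE { [0] GeneralString } form Windows expects; the RFC 2478
 * OCTET STRING form is kept under #if 0 for reference.  Note that
 * write_negTokenTarg writes its mechListMIC as the plain OCTET STRING.
 *
 * Every asn1_push_tag() is paired with an asn1_pop_tag() so the length
 * octets of each nested element are filled in.
 *
 * @param asn1   writer positioned where the token should start
 * @param token  token to serialise; not modified
 * @return true when no ASN.1 writer error was flagged
 */
static bool write_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
{
	int i;

	asn1_push_tag(asn1, ASN1_CONTEXT(0));
	asn1_push_tag(asn1, ASN1_SEQUENCE(0));

	/* Write mechTypes */
	if (token->mechTypes && *token->mechTypes) {
		asn1_push_tag(asn1, ASN1_CONTEXT(0));
		asn1_push_tag(asn1, ASN1_SEQUENCE(0));
		for (i = 0; token->mechTypes[i]; i++) {
			asn1_write_OID(asn1, token->mechTypes[i]);
		}
		asn1_pop_tag(asn1);
		asn1_pop_tag(asn1);
	}

	/* write reqFlags: SPNEGO_REQ_FLAG is a local "field present"
	 * marker set by read_negTokenInit, never sent on the wire */
	if (token->reqFlags & SPNEGO_REQ_FLAG) {
		int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;

		asn1_push_tag(asn1, ASN1_CONTEXT(1));
		asn1_write_Integer(asn1, flags);
		asn1_pop_tag(asn1);
	}

	/* write mechToken */
	if (token->mechToken.data) {
		asn1_push_tag(asn1, ASN1_CONTEXT(2));
		asn1_write_OctetString(asn1, token->mechToken.data,
				       token->mechToken.length);
		asn1_pop_tag(asn1);
	}

	/* write mechListMIC */
	if (token->mechListMIC.data) {
		asn1_push_tag(asn1, ASN1_CONTEXT(3));
#if 0
		/* This is what RFC 2478 says ... */
		asn1_write_OctetString(asn1, token->mechListMIC.data,
				       token->mechListMIC.length);
#else
		/* ... but unfortunately this is what Windows
		   sends/expects */
		asn1_push_tag(asn1, ASN1_SEQUENCE(0));
		asn1_push_tag(asn1, ASN1_CONTEXT(0));
		asn1_push_tag(asn1, ASN1_GENERAL_STRING);
		asn1_write(asn1, token->mechListMIC.data,
			   token->mechListMIC.length);
		asn1_pop_tag(asn1);
		asn1_pop_tag(asn1);
		asn1_pop_tag(asn1);
#endif
		asn1_pop_tag(asn1);
	}

	asn1_pop_tag(asn1);
	asn1_pop_tag(asn1);

	return !asn1->has_error;
}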
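/**
 * Parse a SPNEGO negTokenTarg, i.e. [1] SEQUENCE { ... }, at the reader's
 * current position.
 *
 * Fields handled: negResult ([0] ENUMERATED, read as a single byte),
 * supportedMech ([1] OID), responseToken ([2] OCTET STRING) and
 * mechListMIC ([3] OCTET STRING).  Any other context tag marks the token
 * as invalid.  negResult is stored as received and is not range-checked
 * here; consumers of SPNEGO_DATA must not assume it is one of the defined
 * enumeration values.
 *
 * Strings and blobs are allocated on talloc_autofree_context() and freed
 * by free_spnego_data(); a repeated field replaces and frees the earlier
 * value so a peer cannot make the parser leak on the process-lifetime
 * context.
 *
 * @param asn1   reader positioned at the [1] tag of the negTokenTarg
 * @param token  output structure; zeroed first, then filled as parsed
 * @return true when the token was consumed without an ASN.1 error
 */
static bool read_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
{
	ZERO_STRUCTP(token);

	asn1_start_tag(asn1, ASN1_CONTEXT(1));
	asn1_start_tag(asn1, ASN1_SEQUENCE(0));

	while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
		/* Peek at the next tag byte; the loop condition above keeps
		 * ofs inside the loaded buffer. */
		switch (asn1->data[asn1->ofs]) {
		case ASN1_CONTEXT(0):
			asn1_start_tag(asn1, ASN1_CONTEXT(0));
			asn1_start_tag(asn1, ASN1_ENUMERATED);
			asn1_read_uint8(asn1, &token->negResult);
			asn1_end_tag(asn1);
			asn1_end_tag(asn1);
			break;

		case ASN1_CONTEXT(1): {
			const char *mech = NULL;

			asn1_start_tag(asn1, ASN1_CONTEXT(1));
			asn1_read_OID(asn1, talloc_autofree_context(), &mech);
			asn1_end_tag(asn1);
			/* repeated [1]: release the earlier OID string */
			if (token->supportedMech) {
				talloc_free(token->supportedMech);
			}
			token->supportedMech = CONST_DISCARD(char *, mech);
			break;
		}

		case ASN1_CONTEXT(2):
			asn1_start_tag(asn1, ASN1_CONTEXT(2));
			data_blob_free(&token->responseToken);
			asn1_read_OctetString(asn1,
				talloc_autofree_context(),
				&token->responseToken);
			asn1_end_tag(asn1);
			break;

		case ASN1_CONTEXT(3):
			asn1_start_tag(asn1, ASN1_CONTEXT(3));
			data_blob_free(&token->mechListMIC);
			asn1_read_OctetString(asn1,
				talloc_autofree_context(),
				&token->mechListMIC);
			asn1_end_tag(asn1);
			break;

		default:
			/* unknown field: treat the whole token as malformed */
			asn1->has_error = True;
			break;
		}
	}

	asn1_end_tag(asn1);
	asn1_end_tag(asn1);

	return !asn1->has_error;
}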
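/**
 * Serialise a negTokenTarg as [1] SEQUENCE { ... } at the writer's cursor.
 *
 * negResult is always written; supportedMech, responseToken and
 * mechListMIC are emitted only when set (non-NULL pointer / .data).
 * Unlike write_negTokenInit, the mechListMIC here is the plain RFC 2478
 * OCTET STRING, which is also the only form read_negTokenTarg accepts.
 * Every asn1_push_tag() is paired with an asn1_pop_tag().
 *
 * @param asn1   writer positioned where the token should start
 * @param token  token to serialise; not modified
 * @return true when no ASN.1 writer error was flagged
 */
static bool write_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
{
	asn1_push_tag(asn1, ASN1_CONTEXT(1));
	asn1_push_tag(asn1, ASN1_SEQUENCE(0));

	/* negResult is mandatory in this encoding */
	asn1_push_tag(asn1, ASN1_CONTEXT(0));
	asn1_write_enumerated(asn1, token->negResult);
	asn1_pop_tag(asn1);

	if (token->supportedMech) {
		asn1_push_tag(asn1, ASN1_CONTEXT(1));
		asn1_write_OID(asn1, token->supportedMech);
		asn1_pop_tag(asn1);
	}

	if (token->responseToken.data) {
		asn1_push_tag(asn1, ASN1_CONTEXT(2));
		asn1_write_OctetString(asn1, token->responseToken.data,
				       token->responseToken.length);
		asn1_pop_tag(asn1);
	}

	if (token->mechListMIC.data) {
		asn1_push_tag(asn1, ASN1_CONTEXT(3));
		asn1_write_OctetString(asn1, token->mechListMIC.data,
				       token->mechListMIC.length);
		asn1_pop_tag(asn1);
	}

	asn1_pop_tag(asn1);
	asn1_pop_tag(asn1);

	return !asn1->has_error;
}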
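/**
 * Decode a SPNEGO token from an untrusted blob.
 *
 * Dispatches on the outer tag: [APPLICATION 0] { OID_SPNEGO, negTokenInit }
 * or [1] negTokenTarg.  token->type is set only when the inner parse
 * succeeds, and the return value is -1 whenever the ASN.1 reader flagged an
 * error, so a caller that sees a non-negative return may rely on
 * token->type being valid.  An empty or unloadable blob, and an outer tag
 * that is neither of the two, are reported as errors rather than as a
 * successful zero-length parse (mirrors the default branch of
 * write_spnego_data).
 *
 * Parsed fields are allocated on talloc_autofree_context(); release them
 * with free_spnego_data() whether or not this call succeeded.
 *
 * @param data   raw token bytes as received from the peer
 * @param token  output; zeroed first, then filled by the inner parser
 * @return number of bytes consumed (the reader offset) on success, -1 on
 *         any error
 */
ssize_t read_spnego_data(DATA_BLOB data, SPNEGO_DATA *token)
{
	ASN1_DATA *asn1;
	ssize_t ret = -1;

	ZERO_STRUCTP(token);

	asn1 = asn1_init(talloc_tos());
	if (asn1 == NULL) {
		return -1;
	}

	/* An empty buffer must not reach the data[ofs] peek below. */
	if (!asn1_load(asn1, data) || asn1->length == 0) {
		asn1->has_error = True;
		goto out;
	}

	switch (asn1->data[asn1->ofs]) {
	case ASN1_APPLICATION(0):
		asn1_start_tag(asn1, ASN1_APPLICATION(0));
		/* a mismatching OID sets has_error, which short-circuits
		 * everything read_negTokenInit does afterwards */
		asn1_check_OID(asn1, OID_SPNEGO);
		if (read_negTokenInit(asn1, &token->negTokenInit)) {
			token->type = SPNEGO_NEG_TOKEN_INIT;
		}
		asn1_end_tag(asn1);
		break;

	case ASN1_CONTEXT(1):
		if (read_negTokenTarg(asn1, &token->negTokenTarg)) {
			token->type = SPNEGO_NEG_TOKEN_TARG;
		}
		break;

	default:
		/* unknown outer tag: not a SPNEGO token we understand */
		asn1->has_error = True;
		break;
	}

	if (!asn1->has_error) {
		ret = asn1->ofs;
	}

out:
	asn1_free(asn1);
	return ret;
}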
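/**
 * Encode a SPNEGO token into a freshly allocated blob.
 *
 * negTokenInit is wrapped as [APPLICATION 0] { OID_SPNEGO, ... };
 * negTokenTarg is written bare ([1] ...).  Any other spnego->type is an
 * error.  On success *blob receives a copy of the encoded bytes; whatever
 * *blob held before is overwritten without being freed, so the caller must
 * pass an empty or already-released blob.  On failure *blob is untouched.
 *
 * @param blob    output; owned by the caller on success
 * @param spnego  token to encode; not modified
 * @return number of bytes written (the writer offset) on success, -1 on
 *         any error, including failure to allocate the output copy
 */
ssize_t write_spnego_data(DATA_BLOB *blob, SPNEGO_DATA *spnego)
{
	ASN1_DATA *asn1;
	ssize_t ret = -1;

	asn1 = asn1_init(talloc_tos());
	if (asn1 == NULL) {
		return -1;
	}

	switch (spnego->type) {
	case SPNEGO_NEG_TOKEN_INIT:
		asn1_push_tag(asn1, ASN1_APPLICATION(0));
		asn1_write_OID(asn1, OID_SPNEGO);
		write_negTokenInit(asn1, &spnego->negTokenInit);
		asn1_pop_tag(asn1);
		break;

	case SPNEGO_NEG_TOKEN_TARG:
		write_negTokenTarg(asn1, &spnego->negTokenTarg);
		break;

	default:
		asn1->has_error = True;
		break;
	}

	if (!asn1->has_error) {
		*blob = data_blob(asn1->data, asn1->length);
		/* data_blob() hands back a NULL .data when the copy could not
		 * be allocated; report that instead of returning success with
		 * an empty token */
		if (blob->data != NULL || asn1->length == 0) {
			ret = asn1->ofs;
		}
	}

	asn1_free(asn1);
	return ret;
}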
330 bool free_spnego_data(SPNEGO_DATA
*spnego
)
334 if (!spnego
) goto out
;
336 switch(spnego
->type
) {
337 case SPNEGO_NEG_TOKEN_INIT
:
338 if (spnego
->negTokenInit
.mechTypes
) {
340 for (i
= 0; spnego
->negTokenInit
.mechTypes
[i
]; i
++) {
341 talloc_free(CONST_DISCARD(char *,spnego
->negTokenInit
.mechTypes
[i
]));
343 talloc_free(spnego
->negTokenInit
.mechTypes
);
345 data_blob_free(&spnego
->negTokenInit
.mechToken
);
346 data_blob_free(&spnego
->negTokenInit
.mechListMIC
);
348 case SPNEGO_NEG_TOKEN_TARG
:
349 if (spnego
->negTokenTarg
.supportedMech
) {
350 talloc_free(spnego
->negTokenTarg
.supportedMech
);
352 data_blob_free(&spnego
->negTokenTarg
.responseToken
);
353 data_blob_free(&spnego
->negTokenTarg
.mechListMIC
);
359 ZERO_STRUCTP(spnego
);