search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix Windows 2008 (Longhorn) join.
[Samba/bb.git] / source3 / libsmb / spnego.c
blob57b2d8060bd1909004bfd640f5d4b9b1034d0a98
1 /*
2 Unix SMB/CIFS implementation.
3
4 RFC2478 Compliant SPNEGO implementation
5
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24
25 #undef DBGC_CLASS
26 #define DBGC_CLASS DBGC_AUTH
27
28 static bool read_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
29 {
30 ZERO_STRUCTP(token);
31
32 asn1_start_tag(asn1, ASN1_CONTEXT(0));
33 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
34
35 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
36 int i;
37
38 switch (asn1->data[asn1->ofs]) {
39 /* Read mechTypes */
40 case ASN1_CONTEXT(0):
41 asn1_start_tag(asn1, ASN1_CONTEXT(0));
42 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
43
44 token->mechTypes = SMB_MALLOC_P(const char *);
45 for (i = 0; !asn1->has_error &&
46 0 < asn1_tag_remaining(asn1); i++) {
47 char *p_oid = NULL;
48 token->mechTypes =
49 SMB_REALLOC_ARRAY(token->mechTypes, const char *, i + 2);
50 if (!token->mechTypes) {
51 asn1->has_error = True;
52 return False;
53 }
54 asn1_read_OID(asn1, &p_oid);
55 token->mechTypes[i] = p_oid;
56 }
57 token->mechTypes[i] = NULL;
58
59 asn1_end_tag(asn1);
60 asn1_end_tag(asn1);
61 break;
62 /* Read reqFlags */
63 case ASN1_CONTEXT(1):
64 asn1_start_tag(asn1, ASN1_CONTEXT(1));
65 asn1_read_Integer(asn1, &token->reqFlags);
66 token->reqFlags |= SPNEGO_REQ_FLAG;
67 asn1_end_tag(asn1);
68 break;
69 /* Read mechToken */
70 case ASN1_CONTEXT(2):
71 asn1_start_tag(asn1, ASN1_CONTEXT(2));
72 asn1_read_OctetString(asn1, &token->mechToken);
73 asn1_end_tag(asn1);
74 break;
75 /* Read mecListMIC */
76 case ASN1_CONTEXT(3):
77 asn1_start_tag(asn1, ASN1_CONTEXT(3));
78 if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) {
79 asn1_read_OctetString(asn1,
80 &token->mechListMIC);
81 } else {
82 /* RFC 2478 says we have an Octet String here,
83 but W2k sends something different... */
84 char *mechListMIC;
85 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
86 asn1_push_tag(asn1, ASN1_CONTEXT(0));
87 asn1_read_GeneralString(asn1, &mechListMIC);
88 asn1_pop_tag(asn1);
89 asn1_pop_tag(asn1);
90
91 token->mechListMIC =
92 data_blob(mechListMIC, strlen(mechListMIC));
93 SAFE_FREE(mechListMIC);
94 }
95 asn1_end_tag(asn1);
96 break;
97 default:
98 asn1->has_error = True;
99 break;
100 }
101 }
102
103 asn1_end_tag(asn1);
104 asn1_end_tag(asn1);
105
106 return !asn1->has_error;
107 }
108
109 static bool write_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
110 {
111 asn1_push_tag(asn1, ASN1_CONTEXT(0));
112 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
113
114 /* Write mechTypes */
115 if (token->mechTypes && *token->mechTypes) {
116 int i;
117
118 asn1_push_tag(asn1, ASN1_CONTEXT(0));
119 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
120 for (i = 0; token->mechTypes[i]; i++) {
121 asn1_write_OID(asn1, token->mechTypes[i]);
122 }
123 asn1_pop_tag(asn1);
124 asn1_pop_tag(asn1);
125 }
126
127 /* write reqFlags */
128 if (token->reqFlags & SPNEGO_REQ_FLAG) {
129 int flags = token->reqFlags & ~SPNEGO_REQ_FLAG;
130
131 asn1_push_tag(asn1, ASN1_CONTEXT(1));
132 asn1_write_Integer(asn1, flags);
133 asn1_pop_tag(asn1);
134 }
135
136 /* write mechToken */
137 if (token->mechToken.data) {
138 asn1_push_tag(asn1, ASN1_CONTEXT(2));
139 asn1_write_OctetString(asn1, token->mechToken.data,
140 token->mechToken.length);
141 asn1_pop_tag(asn1);
142 }
143
144 /* write mechListMIC */
145 if (token->mechListMIC.data) {
146 asn1_push_tag(asn1, ASN1_CONTEXT(3));
147 #if 0
148 /* This is what RFC 2478 says ... */
149 asn1_write_OctetString(asn1, token->mechListMIC.data,
150 token->mechListMIC.length);
151 #else
152 /* ... but unfortunately this is what Windows
153 sends/expects */
154 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
155 asn1_push_tag(asn1, ASN1_CONTEXT(0));
156 asn1_push_tag(asn1, ASN1_GENERAL_STRING);
157 asn1_write(asn1, token->mechListMIC.data,
158 token->mechListMIC.length);
159 asn1_pop_tag(asn1);
160 asn1_pop_tag(asn1);
161 asn1_pop_tag(asn1);
162 #endif
163 asn1_pop_tag(asn1);
164 }
165
166 asn1_pop_tag(asn1);
167 asn1_pop_tag(asn1);
168
169 return !asn1->has_error;
170 }
171
172 static bool read_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
173 {
174 ZERO_STRUCTP(token);
175
176 asn1_start_tag(asn1, ASN1_CONTEXT(1));
177 asn1_start_tag(asn1, ASN1_SEQUENCE(0));
178
179 while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
180 switch (asn1->data[asn1->ofs]) {
181 case ASN1_CONTEXT(0):
182 asn1_start_tag(asn1, ASN1_CONTEXT(0));
183 asn1_start_tag(asn1, ASN1_ENUMERATED);
184 asn1_read_uint8(asn1, &token->negResult);
185 asn1_end_tag(asn1);
186 asn1_end_tag(asn1);
187 break;
188 case ASN1_CONTEXT(1):
189 asn1_start_tag(asn1, ASN1_CONTEXT(1));
190 asn1_read_OID(asn1, &token->supportedMech);
191 asn1_end_tag(asn1);
192 break;
193 case ASN1_CONTEXT(2):
194 asn1_start_tag(asn1, ASN1_CONTEXT(2));
195 asn1_read_OctetString(asn1, &token->responseToken);
196 asn1_end_tag(asn1);
197 break;
198 case ASN1_CONTEXT(3):
199 asn1_start_tag(asn1, ASN1_CONTEXT(3));
200 asn1_read_OctetString(asn1, &token->mechListMIC);
201 asn1_end_tag(asn1);
202 break;
203 default:
204 asn1->has_error = True;
205 break;
206 }
207 }
208
209 asn1_end_tag(asn1);
210 asn1_end_tag(asn1);
211
212 return !asn1->has_error;
213 }
214
215 static bool write_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token)
216 {
217 asn1_push_tag(asn1, ASN1_CONTEXT(1));
218 asn1_push_tag(asn1, ASN1_SEQUENCE(0));
219
220 asn1_push_tag(asn1, ASN1_CONTEXT(0));
221 asn1_write_enumerated(asn1, token->negResult);
222 asn1_pop_tag(asn1);
223
224 if (token->supportedMech) {
225 asn1_push_tag(asn1, ASN1_CONTEXT(1));
226 asn1_write_OID(asn1, token->supportedMech);
227 asn1_pop_tag(asn1);
228 }
229
230 if (token->responseToken.data) {
231 asn1_push_tag(asn1, ASN1_CONTEXT(2));
232 asn1_write_OctetString(asn1, token->responseToken.data,
233 token->responseToken.length);
234 asn1_pop_tag(asn1);
235 }
236
237 if (token->mechListMIC.data) {
238 asn1_push_tag(asn1, ASN1_CONTEXT(3));
239 asn1_write_OctetString(asn1, token->mechListMIC.data,
240 token->mechListMIC.length);
241 asn1_pop_tag(asn1);
242 }
243
244 asn1_pop_tag(asn1);
245 asn1_pop_tag(asn1);
246
247 return !asn1->has_error;
248 }
249
250 ssize_t read_spnego_data(DATA_BLOB data, SPNEGO_DATA *token)
251 {
252 ASN1_DATA asn1;
253 ssize_t ret = -1;
254
255 ZERO_STRUCTP(token);
256 ZERO_STRUCT(asn1);
257 asn1_load(&asn1, data);
258
259 switch (asn1.data[asn1.ofs]) {
260 case ASN1_APPLICATION(0):
261 asn1_start_tag(&asn1, ASN1_APPLICATION(0));
262 asn1_check_OID(&asn1, OID_SPNEGO);
263 if (read_negTokenInit(&asn1, &token->negTokenInit)) {
264 token->type = SPNEGO_NEG_TOKEN_INIT;
265 }
266 asn1_end_tag(&asn1);
267 break;
268 case ASN1_CONTEXT(1):
269 if (read_negTokenTarg(&asn1, &token->negTokenTarg)) {
270 token->type = SPNEGO_NEG_TOKEN_TARG;
271 }
272 break;
273 default:
274 break;
275 }
276
277 if (!asn1.has_error) ret = asn1.ofs;
278 asn1_free(&asn1);
279
280 return ret;
281 }
282
283 ssize_t write_spnego_data(DATA_BLOB *blob, SPNEGO_DATA *spnego)
284 {
285 ASN1_DATA asn1;
286 ssize_t ret = -1;
287
288 ZERO_STRUCT(asn1);
289
290 switch (spnego->type) {
291 case SPNEGO_NEG_TOKEN_INIT:
292 asn1_push_tag(&asn1, ASN1_APPLICATION(0));
293 asn1_write_OID(&asn1, OID_SPNEGO);
294 write_negTokenInit(&asn1, &spnego->negTokenInit);
295 asn1_pop_tag(&asn1);
296 break;
297 case SPNEGO_NEG_TOKEN_TARG:
298 write_negTokenTarg(&asn1, &spnego->negTokenTarg);
299 break;
300 default:
301 asn1.has_error = True;
302 break;
303 }
304
305 if (!asn1.has_error) {
306 *blob = data_blob(asn1.data, asn1.length);
307 ret = asn1.ofs;
308 }
309 asn1_free(&asn1);
310
311 return ret;
312 }
313
314 bool free_spnego_data(SPNEGO_DATA *spnego)
315 {
316 bool ret = True;
317
318 if (!spnego) goto out;
319
320 switch(spnego->type) {
321 case SPNEGO_NEG_TOKEN_INIT:
322 if (spnego->negTokenInit.mechTypes) {
323 int i;
324 for (i = 0; spnego->negTokenInit.mechTypes[i]; i++) {
325 free(CONST_DISCARD(char *,spnego->negTokenInit.mechTypes[i]));
326 }
327 free(spnego->negTokenInit.mechTypes);
328 }
329 data_blob_free(&spnego->negTokenInit.mechToken);
330 data_blob_free(&spnego->negTokenInit.mechListMIC);
331 break;
332 case SPNEGO_NEG_TOKEN_TARG:
333 if (spnego->negTokenTarg.supportedMech) {
334 free(spnego->negTokenTarg.supportedMech);
335 }
336 data_blob_free(&spnego->negTokenTarg.responseToken);
337 data_blob_free(&spnego->negTokenTarg.mechListMIC);
338 break;
339 default:
340 ret = False;
341 break;
342 }
343 ZERO_STRUCTP(spnego);
344 out:
345 return ret;
346 }