2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/spnego.h"
27 #include "librpc/gen_ndr/ndr_dcerpc.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_proto.h"
31 #include "auth/gensec/gensec_toplevel_proto.h"
32 #include "param/param.h"
34 _PUBLIC_ NTSTATUS
gensec_spnego_init(void);
36 enum spnego_state_position
{
46 enum spnego_message_type expected_packet
;
47 enum spnego_state_position state_position
;
48 struct gensec_security
*sub_sec_security
;
49 bool no_response_expected
;
57 static NTSTATUS
gensec_spnego_client_start(struct gensec_security
*gensec_security
)
59 struct spnego_state
*spnego_state
;
61 spnego_state
= talloc(gensec_security
, struct spnego_state
);
63 return NT_STATUS_NO_MEMORY
;
66 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_INIT
;
67 spnego_state
->state_position
= SPNEGO_CLIENT_START
;
68 spnego_state
->sub_sec_security
= NULL
;
69 spnego_state
->no_response_expected
= false;
70 spnego_state
->mech_types
= data_blob(NULL
, 0);
72 gensec_security
->private_data
= spnego_state
;
76 static NTSTATUS
gensec_spnego_server_start(struct gensec_security
*gensec_security
)
78 struct spnego_state
*spnego_state
;
80 spnego_state
= talloc(gensec_security
, struct spnego_state
);
82 return NT_STATUS_NO_MEMORY
;
85 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_INIT
;
86 spnego_state
->state_position
= SPNEGO_SERVER_START
;
87 spnego_state
->sub_sec_security
= NULL
;
88 spnego_state
->no_response_expected
= false;
89 spnego_state
->mech_types
= data_blob(NULL
, 0);
91 gensec_security
->private_data
= spnego_state
;
96 wrappers for the spnego_*() functions
98 static NTSTATUS
gensec_spnego_unseal_packet(struct gensec_security
*gensec_security
,
99 uint8_t *data
, size_t length
,
100 const uint8_t *whole_pdu
, size_t pdu_length
,
101 const DATA_BLOB
*sig
)
103 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
105 if (spnego_state
->state_position
!= SPNEGO_DONE
106 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
107 return NT_STATUS_INVALID_PARAMETER
;
110 return gensec_unseal_packet(spnego_state
->sub_sec_security
,
112 whole_pdu
, pdu_length
,
116 static NTSTATUS
gensec_spnego_check_packet(struct gensec_security
*gensec_security
,
117 const uint8_t *data
, size_t length
,
118 const uint8_t *whole_pdu
, size_t pdu_length
,
119 const DATA_BLOB
*sig
)
121 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
123 if (spnego_state
->state_position
!= SPNEGO_DONE
124 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
125 return NT_STATUS_INVALID_PARAMETER
;
128 return gensec_check_packet(spnego_state
->sub_sec_security
,
130 whole_pdu
, pdu_length
,
134 static NTSTATUS
gensec_spnego_seal_packet(struct gensec_security
*gensec_security
,
136 uint8_t *data
, size_t length
,
137 const uint8_t *whole_pdu
, size_t pdu_length
,
140 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
142 if (spnego_state
->state_position
!= SPNEGO_DONE
143 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
144 return NT_STATUS_INVALID_PARAMETER
;
147 return gensec_seal_packet(spnego_state
->sub_sec_security
,
150 whole_pdu
, pdu_length
,
154 static NTSTATUS
gensec_spnego_sign_packet(struct gensec_security
*gensec_security
,
156 const uint8_t *data
, size_t length
,
157 const uint8_t *whole_pdu
, size_t pdu_length
,
160 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
162 if (spnego_state
->state_position
!= SPNEGO_DONE
163 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
164 return NT_STATUS_INVALID_PARAMETER
;
167 return gensec_sign_packet(spnego_state
->sub_sec_security
,
170 whole_pdu
, pdu_length
,
174 static NTSTATUS
gensec_spnego_wrap(struct gensec_security
*gensec_security
,
179 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
181 if (spnego_state
->state_position
!= SPNEGO_DONE
182 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
183 DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
184 return NT_STATUS_INVALID_PARAMETER
;
187 return gensec_wrap(spnego_state
->sub_sec_security
,
191 static NTSTATUS
gensec_spnego_unwrap(struct gensec_security
*gensec_security
,
196 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
198 if (spnego_state
->state_position
!= SPNEGO_DONE
199 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
200 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
201 return NT_STATUS_INVALID_PARAMETER
;
204 return gensec_unwrap(spnego_state
->sub_sec_security
,
208 static NTSTATUS
gensec_spnego_wrap_packets(struct gensec_security
*gensec_security
,
212 size_t *len_processed
)
214 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
216 if (spnego_state
->state_position
!= SPNEGO_DONE
217 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
218 DEBUG(1, ("gensec_spnego_wrap: wrong state for wrap\n"));
219 return NT_STATUS_INVALID_PARAMETER
;
222 return gensec_wrap_packets(spnego_state
->sub_sec_security
,
227 static NTSTATUS
gensec_spnego_packet_full_request(struct gensec_security
*gensec_security
,
228 DATA_BLOB blob
, size_t *size
)
230 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
232 if (spnego_state
->state_position
!= SPNEGO_DONE
233 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
234 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
235 return NT_STATUS_INVALID_PARAMETER
;
238 return gensec_packet_full_request(spnego_state
->sub_sec_security
,
242 static NTSTATUS
gensec_spnego_unwrap_packets(struct gensec_security
*gensec_security
,
246 size_t *len_processed
)
248 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
250 if (spnego_state
->state_position
!= SPNEGO_DONE
251 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
252 DEBUG(1, ("gensec_spnego_unwrap: wrong state for unwrap\n"));
253 return NT_STATUS_INVALID_PARAMETER
;
256 return gensec_unwrap_packets(spnego_state
->sub_sec_security
,
261 static size_t gensec_spnego_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
263 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
265 if (spnego_state
->state_position
!= SPNEGO_DONE
266 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
270 return gensec_sig_size(spnego_state
->sub_sec_security
, data_size
);
273 static size_t gensec_spnego_max_input_size(struct gensec_security
*gensec_security
)
275 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
277 if (spnego_state
->state_position
!= SPNEGO_DONE
278 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
282 return gensec_max_input_size(spnego_state
->sub_sec_security
);
285 static size_t gensec_spnego_max_wrapped_size(struct gensec_security
*gensec_security
)
287 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
289 if (spnego_state
->state_position
!= SPNEGO_DONE
290 && spnego_state
->state_position
!= SPNEGO_FALLBACK
) {
294 return gensec_max_wrapped_size(spnego_state
->sub_sec_security
);
297 static NTSTATUS
gensec_spnego_session_key(struct gensec_security
*gensec_security
,
299 DATA_BLOB
*session_key
)
301 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
302 if (!spnego_state
->sub_sec_security
) {
303 return NT_STATUS_INVALID_PARAMETER
;
306 return gensec_session_key(spnego_state
->sub_sec_security
,
311 static NTSTATUS
gensec_spnego_session_info(struct gensec_security
*gensec_security
,
313 struct auth_session_info
**session_info
)
315 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
316 if (!spnego_state
->sub_sec_security
) {
317 return NT_STATUS_INVALID_PARAMETER
;
320 return gensec_session_info(spnego_state
->sub_sec_security
,
325 /** Fallback to another GENSEC mechanism, based on magic strings
327 * This is the 'fallback' case, where we don't get SPNEGO, and have to
328 * try all the other options (and hope they all have a magic string
332 static NTSTATUS
gensec_spnego_server_try_fallback(struct gensec_security
*gensec_security
,
333 struct spnego_state
*spnego_state
,
334 struct tevent_context
*ev
,
335 TALLOC_CTX
*out_mem_ctx
,
336 const DATA_BLOB in
, DATA_BLOB
*out
)
339 struct gensec_security_ops
**all_ops
340 = gensec_security_mechs(gensec_security
, out_mem_ctx
);
341 for (i
=0; all_ops
[i
]; i
++) {
345 if (gensec_security
!= NULL
&&
346 !gensec_security_ops_enabled(all_ops
[i
], gensec_security
))
349 if (!all_ops
[i
]->oid
) {
354 for (j
=0; all_ops
[i
]->oid
[j
]; j
++) {
355 if (strcasecmp(GENSEC_OID_SPNEGO
,all_ops
[i
]->oid
[j
]) == 0) {
363 if (!all_ops
[i
]->magic
) {
367 nt_status
= all_ops
[i
]->magic(gensec_security
, &in
);
368 if (!NT_STATUS_IS_OK(nt_status
)) {
372 spnego_state
->state_position
= SPNEGO_FALLBACK
;
374 nt_status
= gensec_subcontext_start(spnego_state
,
376 &spnego_state
->sub_sec_security
);
378 if (!NT_STATUS_IS_OK(nt_status
)) {
381 /* select the sub context */
382 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
384 if (!NT_STATUS_IS_OK(nt_status
)) {
387 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
388 ev
, out_mem_ctx
, in
, out
);
391 DEBUG(1, ("Failed to parse SPNEGO request\n"));
392 return NT_STATUS_INVALID_PARAMETER
;
397 Parse the netTokenInit, either from the client, to the server, or
398 from the server to the client.
401 static NTSTATUS
gensec_spnego_parse_negTokenInit(struct gensec_security
*gensec_security
,
402 struct spnego_state
*spnego_state
,
403 TALLOC_CTX
*out_mem_ctx
,
404 struct tevent_context
*ev
,
405 const char **mechType
,
406 const DATA_BLOB unwrapped_in
, DATA_BLOB
*unwrapped_out
)
409 NTSTATUS nt_status
= NT_STATUS_INVALID_PARAMETER
;
410 DATA_BLOB null_data_blob
= data_blob(NULL
,0);
413 const struct gensec_security_ops_wrapper
*all_sec
414 = gensec_security_by_oid_list(gensec_security
,
419 ok
= spnego_write_mech_types(spnego_state
,
421 &spnego_state
->mech_types
);
423 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
424 return NT_STATUS_NO_MEMORY
;
427 if (spnego_state
->state_position
== SPNEGO_SERVER_START
) {
429 for (j
=0; mechType
&& mechType
[j
]; j
++) {
430 for (i
=0; all_sec
&& all_sec
[i
].op
; i
++) {
431 if (strcmp(mechType
[j
], all_sec
[i
].oid
) != 0) {
435 nt_status
= gensec_subcontext_start(spnego_state
,
437 &spnego_state
->sub_sec_security
);
438 if (!NT_STATUS_IS_OK(nt_status
)) {
441 /* select the sub context */
442 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
444 if (!NT_STATUS_IS_OK(nt_status
)) {
445 talloc_free(spnego_state
->sub_sec_security
);
446 spnego_state
->sub_sec_security
= NULL
;
451 /* no optimistic token */
452 spnego_state
->neg_oid
= all_sec
[i
].oid
;
453 *unwrapped_out
= data_blob_null
;
454 nt_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
458 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
463 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
) ||
464 NT_STATUS_EQUAL(nt_status
, NT_STATUS_CANT_ACCESS_DOMAIN_INFO
)) {
465 /* Pretend we never started it (lets the first run find some incompatible demand) */
467 DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
468 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
469 talloc_free(spnego_state
->sub_sec_security
);
470 spnego_state
->sub_sec_security
= NULL
;
474 spnego_state
->neg_oid
= all_sec
[i
].oid
;
477 if (spnego_state
->sub_sec_security
) {
482 if (!spnego_state
->sub_sec_security
) {
483 DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
484 return NT_STATUS_INVALID_PARAMETER
;
488 /* Having tried any optimistic token from the client (if we
489 * were the server), if we didn't get anywhere, walk our list
490 * in our preference order */
492 if (!spnego_state
->sub_sec_security
) {
493 for (i
=0; all_sec
&& all_sec
[i
].op
; i
++) {
494 nt_status
= gensec_subcontext_start(spnego_state
,
496 &spnego_state
->sub_sec_security
);
497 if (!NT_STATUS_IS_OK(nt_status
)) {
500 /* select the sub context */
501 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
503 if (!NT_STATUS_IS_OK(nt_status
)) {
504 talloc_free(spnego_state
->sub_sec_security
);
505 spnego_state
->sub_sec_security
= NULL
;
509 spnego_state
->neg_oid
= all_sec
[i
].oid
;
511 /* only get the helping start blob for the first OID */
512 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
518 /* it is likely that a NULL input token will
519 * not be liked by most server mechs, but if
520 * we are in the client, we want the first
521 * update packet to be able to abort the use
523 if (spnego_state
->state_position
!= SPNEGO_SERVER_START
) {
524 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
) ||
525 NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_LOGON_SERVERS
) ||
526 NT_STATUS_EQUAL(nt_status
, NT_STATUS_TIME_DIFFERENCE_AT_DC
) ||
527 NT_STATUS_EQUAL(nt_status
, NT_STATUS_CANT_ACCESS_DOMAIN_INFO
)) {
528 /* Pretend we never started it (lets the first run find some incompatible demand) */
530 DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
531 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
532 talloc_free(spnego_state
->sub_sec_security
);
533 spnego_state
->sub_sec_security
= NULL
;
542 if (spnego_state
->sub_sec_security
) {
543 /* it is likely that a NULL input token will
544 * not be liked by most server mechs, but this
545 * does the right thing in the CIFS client.
546 * just push us along the merry-go-round
547 * again, and hope for better luck next
550 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
)) {
551 *unwrapped_out
= data_blob(NULL
, 0);
552 nt_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
555 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_PARAMETER
)
556 && !NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
557 && !NT_STATUS_IS_OK(nt_status
)) {
558 DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
559 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
560 talloc_free(spnego_state
->sub_sec_security
);
561 spnego_state
->sub_sec_security
= NULL
;
563 /* We started the mech correctly, and the
564 * input from the other side was valid.
565 * Return the error (say bad password, invalid
571 return nt_status
; /* OK, INVALID_PARAMETER ore MORE PROCESSING */
574 DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
575 /* we could re-negotiate here, but it would only work
576 * if the client or server lied about what it could
577 * support the first time. Lets keep this code to
583 /** create a negTokenInit
585 * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
587 static NTSTATUS
gensec_spnego_create_negTokenInit(struct gensec_security
*gensec_security
,
588 struct spnego_state
*spnego_state
,
589 TALLOC_CTX
*out_mem_ctx
,
590 struct tevent_context
*ev
,
591 const DATA_BLOB in
, DATA_BLOB
*out
)
594 NTSTATUS nt_status
= NT_STATUS_INVALID_PARAMETER
;
595 DATA_BLOB null_data_blob
= data_blob(NULL
,0);
596 const char **mechTypes
= NULL
;
597 DATA_BLOB unwrapped_out
= data_blob(NULL
, 0);
598 const struct gensec_security_ops_wrapper
*all_sec
;
600 mechTypes
= gensec_security_oids(gensec_security
,
601 out_mem_ctx
, GENSEC_OID_SPNEGO
);
603 all_sec
= gensec_security_by_oid_list(gensec_security
,
607 for (i
=0; all_sec
&& all_sec
[i
].op
; i
++) {
608 struct spnego_data spnego_out
;
609 const char **send_mech_types
;
612 nt_status
= gensec_subcontext_start(spnego_state
,
614 &spnego_state
->sub_sec_security
);
615 if (!NT_STATUS_IS_OK(nt_status
)) {
618 /* select the sub context */
619 nt_status
= gensec_start_mech_by_ops(spnego_state
->sub_sec_security
,
621 if (!NT_STATUS_IS_OK(nt_status
)) {
622 talloc_free(spnego_state
->sub_sec_security
);
623 spnego_state
->sub_sec_security
= NULL
;
627 /* In the client, try and produce the first (optimistic) packet */
628 if (spnego_state
->state_position
== SPNEGO_CLIENT_START
) {
629 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
635 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
636 && !NT_STATUS_IS_OK(nt_status
)) {
637 DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
638 spnego_state
->sub_sec_security
->ops
->name
, nt_errstr(nt_status
)));
639 talloc_free(spnego_state
->sub_sec_security
);
640 spnego_state
->sub_sec_security
= NULL
;
641 /* Pretend we never started it (lets the first run find some incompatible demand) */
647 spnego_out
.type
= SPNEGO_NEG_TOKEN_INIT
;
649 send_mech_types
= gensec_security_oids_from_ops_wrapped(out_mem_ctx
,
652 ok
= spnego_write_mech_types(spnego_state
,
654 &spnego_state
->mech_types
);
656 DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
657 return NT_STATUS_NO_MEMORY
;
660 /* List the remaining mechs as options */
661 spnego_out
.negTokenInit
.mechTypes
= send_mech_types
;
662 spnego_out
.negTokenInit
.reqFlags
= null_data_blob
;
663 spnego_out
.negTokenInit
.reqFlagsPadding
= 0;
665 if (spnego_state
->state_position
== SPNEGO_SERVER_START
) {
666 spnego_out
.negTokenInit
.mechListMIC
667 = data_blob_string_const(ADS_IGNORE_PRINCIPAL
);
669 spnego_out
.negTokenInit
.mechListMIC
= null_data_blob
;
672 spnego_out
.negTokenInit
.mechToken
= unwrapped_out
;
674 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
675 DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
676 return NT_STATUS_INVALID_PARAMETER
;
680 spnego_state
->neg_oid
= all_sec
[i
].oid
;
682 if (NT_STATUS_IS_OK(nt_status
)) {
683 spnego_state
->no_response_expected
= true;
686 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
688 talloc_free(spnego_state
->sub_sec_security
);
689 spnego_state
->sub_sec_security
= NULL
;
691 DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status
)));
692 return NT_STATUS_INVALID_PARAMETER
;
696 /** create a server negTokenTarg
698 * This is the case, where the client is the first one who sends data
701 static NTSTATUS
gensec_spnego_server_negTokenTarg(struct gensec_security
*gensec_security
,
702 struct spnego_state
*spnego_state
,
703 TALLOC_CTX
*out_mem_ctx
,
705 const DATA_BLOB unwrapped_out
,
706 DATA_BLOB mech_list_mic
,
709 struct spnego_data spnego_out
;
710 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
713 spnego_out
.type
= SPNEGO_NEG_TOKEN_TARG
;
714 spnego_out
.negTokenTarg
.responseToken
= unwrapped_out
;
715 spnego_out
.negTokenTarg
.mechListMIC
= null_data_blob
;
716 spnego_out
.negTokenTarg
.supportedMech
= NULL
;
718 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
719 spnego_out
.negTokenTarg
.supportedMech
= spnego_state
->neg_oid
;
720 spnego_out
.negTokenTarg
.negResult
= SPNEGO_ACCEPT_INCOMPLETE
;
721 spnego_state
->state_position
= SPNEGO_SERVER_TARG
;
722 } else if (NT_STATUS_IS_OK(nt_status
)) {
723 if (unwrapped_out
.data
) {
724 spnego_out
.negTokenTarg
.supportedMech
= spnego_state
->neg_oid
;
726 spnego_out
.negTokenTarg
.negResult
= SPNEGO_ACCEPT_COMPLETED
;
727 spnego_out
.negTokenTarg
.mechListMIC
= mech_list_mic
;
728 spnego_state
->state_position
= SPNEGO_DONE
;
730 spnego_out
.negTokenTarg
.negResult
= SPNEGO_REJECT
;
731 DEBUG(2, ("SPNEGO login failed: %s\n", nt_errstr(nt_status
)));
732 spnego_state
->state_position
= SPNEGO_DONE
;
735 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
736 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
737 return NT_STATUS_INVALID_PARAMETER
;
740 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_TARG
;
746 static NTSTATUS
gensec_spnego_update(struct gensec_security
*gensec_security
, TALLOC_CTX
*out_mem_ctx
,
747 struct tevent_context
*ev
,
748 const DATA_BLOB in
, DATA_BLOB
*out
)
750 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
751 DATA_BLOB null_data_blob
= data_blob(NULL
, 0);
752 DATA_BLOB mech_list_mic
= data_blob(NULL
, 0);
753 DATA_BLOB unwrapped_out
= data_blob(NULL
, 0);
754 struct spnego_data spnego_out
;
755 struct spnego_data spnego
;
759 *out
= data_blob(NULL
, 0);
762 out_mem_ctx
= spnego_state
;
765 /* and switch into the state machine */
767 switch (spnego_state
->state_position
) {
768 case SPNEGO_FALLBACK
:
769 return gensec_update(spnego_state
->sub_sec_security
, ev
,
770 out_mem_ctx
, in
, out
);
771 case SPNEGO_SERVER_START
:
776 len
= spnego_read_data(gensec_security
, in
, &spnego
);
778 return gensec_spnego_server_try_fallback(gensec_security
, spnego_state
,
779 out_mem_ctx
, ev
, in
, out
);
781 /* client sent NegTargetInit, we send NegTokenTarg */
783 /* OK, so it's real SPNEGO, check the packet's the one we expect */
784 if (spnego
.type
!= spnego_state
->expected_packet
) {
785 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
786 spnego_state
->expected_packet
));
787 dump_data(1, in
.data
, in
.length
);
788 spnego_free_data(&spnego
);
789 return NT_STATUS_INVALID_PARAMETER
;
792 nt_status
= gensec_spnego_parse_negTokenInit(gensec_security
,
796 spnego
.negTokenInit
.mechTypes
,
797 spnego
.negTokenInit
.mechToken
,
800 nt_status
= gensec_spnego_server_negTokenTarg(gensec_security
,
808 spnego_free_data(&spnego
);
812 nt_status
= gensec_spnego_create_negTokenInit(gensec_security
, spnego_state
,
813 out_mem_ctx
, ev
, in
, out
);
814 spnego_state
->state_position
= SPNEGO_SERVER_START
;
815 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_INIT
;
820 case SPNEGO_CLIENT_START
:
822 /* The server offers a list of mechanisms */
824 const char *my_mechs
[] = {NULL
, NULL
};
825 NTSTATUS nt_status
= NT_STATUS_INVALID_PARAMETER
;
828 /* client to produce negTokenInit */
829 nt_status
= gensec_spnego_create_negTokenInit(gensec_security
, spnego_state
,
830 out_mem_ctx
, ev
, in
, out
);
831 spnego_state
->state_position
= SPNEGO_CLIENT_TARG
;
832 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_TARG
;
836 len
= spnego_read_data(gensec_security
, in
, &spnego
);
839 DEBUG(1, ("Invalid SPNEGO request:\n"));
840 dump_data(1, in
.data
, in
.length
);
841 return NT_STATUS_INVALID_PARAMETER
;
844 /* OK, so it's real SPNEGO, check the packet's the one we expect */
845 if (spnego
.type
!= spnego_state
->expected_packet
) {
846 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
847 spnego_state
->expected_packet
));
848 dump_data(1, in
.data
, in
.length
);
849 spnego_free_data(&spnego
);
850 return NT_STATUS_INVALID_PARAMETER
;
853 if (spnego
.negTokenInit
.targetPrincipal
854 && strcmp(spnego
.negTokenInit
.targetPrincipal
, ADS_IGNORE_PRINCIPAL
) != 0) {
855 DEBUG(5, ("Server claims it's principal name is %s\n", spnego
.negTokenInit
.targetPrincipal
));
856 if (lpcfg_client_use_spnego_principal(gensec_security
->settings
->lp_ctx
)) {
857 gensec_set_target_principal(gensec_security
, spnego
.negTokenInit
.targetPrincipal
);
861 nt_status
= gensec_spnego_parse_negTokenInit(gensec_security
,
865 spnego
.negTokenInit
.mechTypes
,
866 spnego
.negTokenInit
.mechToken
,
869 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
) && !NT_STATUS_IS_OK(nt_status
)) {
870 spnego_free_data(&spnego
);
874 my_mechs
[0] = spnego_state
->neg_oid
;
876 spnego_out
.type
= SPNEGO_NEG_TOKEN_INIT
;
877 spnego_out
.negTokenInit
.mechTypes
= my_mechs
;
878 spnego_out
.negTokenInit
.reqFlags
= null_data_blob
;
879 spnego_out
.negTokenInit
.reqFlagsPadding
= 0;
880 spnego_out
.negTokenInit
.mechListMIC
= null_data_blob
;
881 spnego_out
.negTokenInit
.mechToken
= unwrapped_out
;
883 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
884 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
885 return NT_STATUS_INVALID_PARAMETER
;
889 spnego_state
->expected_packet
= SPNEGO_NEG_TOKEN_TARG
;
890 spnego_state
->state_position
= SPNEGO_CLIENT_TARG
;
892 if (NT_STATUS_IS_OK(nt_status
)) {
893 spnego_state
->no_response_expected
= true;
896 spnego_free_data(&spnego
);
897 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
899 case SPNEGO_SERVER_TARG
:
902 bool new_spnego
= false;
905 return NT_STATUS_INVALID_PARAMETER
;
908 len
= spnego_read_data(gensec_security
, in
, &spnego
);
911 DEBUG(1, ("Invalid SPNEGO request:\n"));
912 dump_data(1, in
.data
, in
.length
);
913 return NT_STATUS_INVALID_PARAMETER
;
916 /* OK, so it's real SPNEGO, check the packet's the one we expect */
917 if (spnego
.type
!= spnego_state
->expected_packet
) {
918 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
919 spnego_state
->expected_packet
));
920 dump_data(1, in
.data
, in
.length
);
921 spnego_free_data(&spnego
);
922 return NT_STATUS_INVALID_PARAMETER
;
925 if (!spnego_state
->sub_sec_security
) {
926 DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
927 spnego_free_data(&spnego
);
928 return NT_STATUS_INVALID_PARAMETER
;
931 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
933 spnego
.negTokenTarg
.responseToken
,
935 if (NT_STATUS_IS_OK(nt_status
) && spnego
.negTokenTarg
.mechListMIC
.length
> 0) {
937 nt_status
= gensec_check_packet(spnego_state
->sub_sec_security
,
938 spnego_state
->mech_types
.data
,
939 spnego_state
->mech_types
.length
,
940 spnego_state
->mech_types
.data
,
941 spnego_state
->mech_types
.length
,
942 &spnego
.negTokenTarg
.mechListMIC
);
943 if (!NT_STATUS_IS_OK(nt_status
)) {
944 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
945 nt_errstr(nt_status
)));
948 if (NT_STATUS_IS_OK(nt_status
) && new_spnego
) {
949 nt_status
= gensec_sign_packet(spnego_state
->sub_sec_security
,
951 spnego_state
->mech_types
.data
,
952 spnego_state
->mech_types
.length
,
953 spnego_state
->mech_types
.data
,
954 spnego_state
->mech_types
.length
,
956 if (!NT_STATUS_IS_OK(nt_status
)) {
957 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
958 nt_errstr(nt_status
)));
962 nt_status
= gensec_spnego_server_negTokenTarg(gensec_security
,
970 spnego_free_data(&spnego
);
974 case SPNEGO_CLIENT_TARG
:
978 return NT_STATUS_INVALID_PARAMETER
;
981 len
= spnego_read_data(gensec_security
, in
, &spnego
);
984 DEBUG(1, ("Invalid SPNEGO request:\n"));
985 dump_data(1, in
.data
, in
.length
);
986 return NT_STATUS_INVALID_PARAMETER
;
989 /* OK, so it's real SPNEGO, check the packet's the one we expect */
990 if (spnego
.type
!= spnego_state
->expected_packet
) {
991 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego
.type
,
992 spnego_state
->expected_packet
));
993 dump_data(1, in
.data
, in
.length
);
994 spnego_free_data(&spnego
);
995 return NT_STATUS_INVALID_PARAMETER
;
998 if (spnego
.negTokenTarg
.negResult
== SPNEGO_REJECT
) {
999 spnego_free_data(&spnego
);
1000 return NT_STATUS_ACCESS_DENIED
;
1003 /* Server didn't like our choice of mech, and chose something else */
1004 if ((spnego
.negTokenTarg
.negResult
== SPNEGO_ACCEPT_INCOMPLETE
) &&
1005 spnego
.negTokenTarg
.supportedMech
&&
1006 strcmp(spnego
.negTokenTarg
.supportedMech
, spnego_state
->neg_oid
) != 0) {
1007 DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
1008 gensec_get_name_by_oid(gensec_security
, spnego
.negTokenTarg
.supportedMech
),
1009 gensec_get_name_by_oid(gensec_security
, spnego_state
->neg_oid
)));
1011 talloc_free(spnego_state
->sub_sec_security
);
1012 nt_status
= gensec_subcontext_start(spnego_state
,
1014 &spnego_state
->sub_sec_security
);
1015 if (!NT_STATUS_IS_OK(nt_status
)) {
1016 spnego_free_data(&spnego
);
1019 /* select the sub context */
1020 nt_status
= gensec_start_mech_by_oid(spnego_state
->sub_sec_security
,
1021 spnego
.negTokenTarg
.supportedMech
);
1022 if (!NT_STATUS_IS_OK(nt_status
)) {
1023 spnego_free_data(&spnego
);
1027 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
1029 spnego
.negTokenTarg
.responseToken
,
1031 spnego_state
->neg_oid
= talloc_strdup(spnego_state
, spnego
.negTokenTarg
.supportedMech
);
1032 } else if (spnego_state
->no_response_expected
) {
1033 if (spnego
.negTokenTarg
.negResult
!= SPNEGO_ACCEPT_COMPLETED
) {
1034 DEBUG(3,("GENSEC SPNEGO: client GENSEC accepted, but server rejected (bad password?)\n"));
1035 nt_status
= NT_STATUS_INVALID_PARAMETER
;
1036 } else if (spnego
.negTokenTarg
.responseToken
.length
) {
1037 DEBUG(2,("GENSEC SPNEGO: client GENSEC accepted, but server continued negotiation!\n"));
1038 nt_status
= NT_STATUS_INVALID_PARAMETER
;
1040 nt_status
= NT_STATUS_OK
;
1042 if (NT_STATUS_IS_OK(nt_status
) && spnego
.negTokenTarg
.mechListMIC
.length
> 0) {
1043 nt_status
= gensec_check_packet(spnego_state
->sub_sec_security
,
1044 spnego_state
->mech_types
.data
,
1045 spnego_state
->mech_types
.length
,
1046 spnego_state
->mech_types
.data
,
1047 spnego_state
->mech_types
.length
,
1048 &spnego
.negTokenTarg
.mechListMIC
);
1049 if (!NT_STATUS_IS_OK(nt_status
)) {
1050 DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
1051 nt_errstr(nt_status
)));
1055 bool new_spnego
= false;
1057 nt_status
= gensec_update(spnego_state
->sub_sec_security
,
1059 spnego
.negTokenTarg
.responseToken
,
1062 if (NT_STATUS_IS_OK(nt_status
)
1063 && spnego
.negTokenTarg
.negResult
!= SPNEGO_ACCEPT_COMPLETED
) {
1064 new_spnego
= gensec_have_feature(spnego_state
->sub_sec_security
,
1065 GENSEC_FEATURE_NEW_SPNEGO
);
1067 if (NT_STATUS_IS_OK(nt_status
) && new_spnego
) {
1068 nt_status
= gensec_sign_packet(spnego_state
->sub_sec_security
,
1070 spnego_state
->mech_types
.data
,
1071 spnego_state
->mech_types
.length
,
1072 spnego_state
->mech_types
.data
,
1073 spnego_state
->mech_types
.length
,
1075 if (!NT_STATUS_IS_OK(nt_status
)) {
1076 DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
1077 nt_errstr(nt_status
)));
1080 if (NT_STATUS_IS_OK(nt_status
)) {
1081 spnego_state
->no_response_expected
= true;
1085 spnego_free_data(&spnego
);
1087 if (!NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
1088 && !NT_STATUS_IS_OK(nt_status
)) {
1089 DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
1090 spnego_state
->sub_sec_security
->ops
->name
,
1091 nt_errstr(nt_status
)));
1095 if (unwrapped_out
.length
|| mech_list_mic
.length
) {
1097 spnego_out
.type
= SPNEGO_NEG_TOKEN_TARG
;
1098 spnego_out
.negTokenTarg
.negResult
= SPNEGO_NONE_RESULT
;
1099 spnego_out
.negTokenTarg
.supportedMech
= NULL
;
1100 spnego_out
.negTokenTarg
.responseToken
= unwrapped_out
;
1101 spnego_out
.negTokenTarg
.mechListMIC
= mech_list_mic
;
1103 if (spnego_write_data(out_mem_ctx
, out
, &spnego_out
) == -1) {
1104 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
1105 return NT_STATUS_INVALID_PARAMETER
;
1108 spnego_state
->state_position
= SPNEGO_CLIENT_TARG
;
1109 nt_status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
1112 /* all done - server has accepted, and we agree */
1113 *out
= null_data_blob
;
1115 if (spnego
.negTokenTarg
.negResult
!= SPNEGO_ACCEPT_COMPLETED
) {
1116 /* unless of course it did not accept */
1117 DEBUG(1,("gensec_update ok but not accepted\n"));
1118 nt_status
= NT_STATUS_INVALID_PARAMETER
;
1121 spnego_state
->state_position
= SPNEGO_DONE
;
1127 /* We should not be called after we are 'done' */
1128 return NT_STATUS_INVALID_PARAMETER
;
1130 return NT_STATUS_INVALID_PARAMETER
;
1133 static void gensec_spnego_want_feature(struct gensec_security
*gensec_security
,
1136 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1138 if (!spnego_state
|| !spnego_state
->sub_sec_security
) {
1139 gensec_security
->want_features
|= feature
;
1143 gensec_want_feature(spnego_state
->sub_sec_security
,
1147 static bool gensec_spnego_have_feature(struct gensec_security
*gensec_security
,
1150 struct spnego_state
*spnego_state
= (struct spnego_state
*)gensec_security
->private_data
;
1151 if (!spnego_state
->sub_sec_security
) {
1155 return gensec_have_feature(spnego_state
->sub_sec_security
,
1159 static const char *gensec_spnego_oids
[] = {
1164 static const struct gensec_security_ops gensec_spnego_security_ops
= {
1166 .sasl_name
= "GSS-SPNEGO",
1167 .auth_type
= DCERPC_AUTH_TYPE_SPNEGO
,
1168 .oid
= gensec_spnego_oids
,
1169 .client_start
= gensec_spnego_client_start
,
1170 .server_start
= gensec_spnego_server_start
,
1171 .update
= gensec_spnego_update
,
1172 .seal_packet
= gensec_spnego_seal_packet
,
1173 .sign_packet
= gensec_spnego_sign_packet
,
1174 .sig_size
= gensec_spnego_sig_size
,
1175 .max_wrapped_size
= gensec_spnego_max_wrapped_size
,
1176 .max_input_size
= gensec_spnego_max_input_size
,
1177 .check_packet
= gensec_spnego_check_packet
,
1178 .unseal_packet
= gensec_spnego_unseal_packet
,
1179 .packet_full_request
= gensec_spnego_packet_full_request
,
1180 .wrap
= gensec_spnego_wrap
,
1181 .unwrap
= gensec_spnego_unwrap
,
1182 .wrap_packets
= gensec_spnego_wrap_packets
,
1183 .unwrap_packets
= gensec_spnego_unwrap_packets
,
1184 .session_key
= gensec_spnego_session_key
,
1185 .session_info
= gensec_spnego_session_info
,
1186 .want_feature
= gensec_spnego_want_feature
,
1187 .have_feature
= gensec_spnego_have_feature
,
1189 .priority
= GENSEC_SPNEGO
1192 _PUBLIC_ NTSTATUS
gensec_spnego_init(void)
1195 ret
= gensec_register(&gensec_spnego_security_ops
);
1196 if (!NT_STATUS_IS_OK(ret
)) {
1197 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1198 gensec_spnego_security_ops
.name
));