search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fixes to linker flags for AIX winbind client from Stephen Roylance.
[Samba/gebeck_regimport.git] / source3 / libads / sasl.c
blob29d4533a54fa056357e72184c1594114a95e63ee
1 /*
2 Unix SMB/CIFS implementation.
3 ads sasl code
4 Copyright (C) Andrew Tridgell 2001
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #ifdef HAVE_LDAP
24
25 /*
26 perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
27 we fit on one socket??)
28 */
29 static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
30 {
31 const char *mechs[] = {OID_NTLMSSP, NULL};
32 DATA_BLOB msg1;
33 DATA_BLOB blob, chal1, chal2, auth;
34 uint8 challenge[8];
35 uint8 nthash[24], lmhash[24], sess_key[16];
36 uint32 neg_flags;
37 struct berval cred, *scred;
38 ADS_STATUS status;
39 int rc;
40
41 if (!ads->auth.password) {
42 /* No password, don't segfault below... */
43 return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE);
44 }
45
46 neg_flags = NTLMSSP_NEGOTIATE_UNICODE |
47 NTLMSSP_NEGOTIATE_128 |
48 NTLMSSP_NEGOTIATE_NTLM;
49
50 memset(sess_key, 0, 16);
51
52 /* generate the ntlmssp negotiate packet */
53 msrpc_gen(&blob, "CddB",
54 "NTLMSSP",
55 NTLMSSP_NEGOTIATE,
56 neg_flags,
57 sess_key, 16);
58
59 /* and wrap it in a SPNEGO wrapper */
60 msg1 = gen_negTokenTarg(mechs, blob);
61 data_blob_free(&blob);
62
63 cred.bv_val = msg1.data;
64 cred.bv_len = msg1.length;
65
66 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
67 if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
68 status = ADS_ERROR(rc);
69 goto failed;
70 }
71
72 blob = data_blob(scred->bv_val, scred->bv_len);
73
74 /* the server gives us back two challenges */
75 if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
76 DEBUG(3,("Failed to parse challenges\n"));
77 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
78 goto failed;
79 }
80
81 data_blob_free(&blob);
82
83 /* encrypt the password with the challenge */
84 memcpy(challenge, chal1.data + 24, 8);
85 SMBencrypt(ads->auth.password, challenge,lmhash);
86 SMBNTencrypt(ads->auth.password, challenge,nthash);
87
88 data_blob_free(&chal1);
89 data_blob_free(&chal2);
90
91 /* this generates the actual auth packet */
92 msrpc_gen(&blob, "CdBBUUUBd",
93 "NTLMSSP",
94 NTLMSSP_AUTH,
95 lmhash, 24,
96 nthash, 24,
97 lp_workgroup(),
98 ads->auth.user_name,
99 global_myname(),
100 sess_key, 16,
101 neg_flags);
102
103 /* wrap it in SPNEGO */
104 auth = spnego_gen_auth(blob);
105
106 data_blob_free(&blob);
107
108 /* now send the auth packet and we should be done */
109 cred.bv_val = auth.data;
110 cred.bv_len = auth.length;
111
112 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
113
114 return ADS_ERROR(rc);
115
116 failed:
117 return status;
118 }
119
120 /*
121 perform a LDAP/SASL/SPNEGO/KRB5 bind
122 */
123 static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *principal)
124 {
125 DATA_BLOB blob;
126 struct berval cred, *scred;
127 int rc;
128
129 blob = spnego_gen_negTokenTarg(principal, ads->auth.time_offset);
130
131 if (!blob.data) {
132 return ADS_ERROR(LDAP_OPERATIONS_ERROR);
133 }
134
135 /* now send the auth packet and we should be done */
136 cred.bv_val = blob.data;
137 cred.bv_len = blob.length;
138
139 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", &cred, NULL, NULL, &scred);
140
141 data_blob_free(&blob);
142
143 return ADS_ERROR(rc);
144 }
145
146 /*
147 this performs a SASL/SPNEGO bind
148 */
149 static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
150 {
151 struct berval *scred=NULL;
152 int rc, i;
153 ADS_STATUS status;
154 DATA_BLOB blob;
155 char *principal;
156 char *OIDs[ASN1_MAX_OIDS];
157 BOOL got_kerberos_mechanism = False;
158
159 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred);
160
161 if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
162 status = ADS_ERROR(rc);
163 goto failed;
164 }
165
166 blob = data_blob(scred->bv_val, scred->bv_len);
167
168 #if 0
169 file_save("sasl_spnego.dat", blob.data, blob.length);
170 #endif
171
172 /* the server sent us the first part of the SPNEGO exchange in the negprot
173 reply */
174 if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
175 data_blob_free(&blob);
176 status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
177 goto failed;
178 }
179 data_blob_free(&blob);
180
181 /* make sure the server understands kerberos */
182 for (i=0;OIDs[i];i++) {
183 DEBUG(3,("got OID=%s\n", OIDs[i]));
184 if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
185 strcmp(OIDs[i], OID_KERBEROS5) == 0) {
186 got_kerberos_mechanism = True;
187 }
188 free(OIDs[i]);
189 }
190 DEBUG(3,("got principal=%s\n", principal));
191
192 #ifdef HAVE_KRB5
193 if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
194 got_kerberos_mechanism) {
195 status = ads_sasl_spnego_krb5_bind(ads, principal);
196 if (ADS_ERR_OK(status))
197 return status;
198 if (ads_kinit_password(ads) == 0) {
199 status = ads_sasl_spnego_krb5_bind(ads, principal);
200 }
201 if (ADS_ERR_OK(status))
202 return status;
203 }
204 #endif
205
206 /* lets do NTLMSSP ... this has the big advantage that we don't need
207 to sync clocks, and we don't rely on special versions of the krb5
208 library for HMAC_MD4 encryption */
209 return ads_sasl_spnego_ntlmssp_bind(ads);
210
211 failed:
212 return status;
213 }
214
215 #ifdef HAVE_GSSAPI
216 #define MAX_GSS_PASSES 3
217
218 /* this performs a SASL/gssapi bind
219 we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
220 is very dependent on correctly configured DNS whereas
221 this routine is much less fragile
222 see RFC2078 and RFC2222 for details
223 */
224 static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
225 {
226 int minor_status;
227 gss_name_t serv_name;
228 gss_buffer_desc input_name;
229 gss_ctx_id_t context_handle;
230 gss_OID mech_type = GSS_C_NULL_OID;
231 gss_buffer_desc output_token, input_token;
232 OM_uint32 ret_flags, conf_state;
233 struct berval cred;
234 struct berval *scred;
235 int i=0;
236 int gss_rc, rc;
237 uint8 *p;
238 uint32 max_msg_size;
239 char *sname;
240 unsigned sec_layer;
241 ADS_STATUS status;
242 krb5_principal principal;
243 krb5_context ctx;
244 krb5_enctype enc_types[] = {
245 #ifdef ENCTYPE_ARCFOUR_HMAC
246 ENCTYPE_ARCFOUR_HMAC,
247 #endif
248 ENCTYPE_DES_CBC_MD5,
249 ENCTYPE_NULL};
250 gss_OID_desc nt_principal =
251 {10, "\052\206\110\206\367\022\001\002\002\002"};
252
253 /* we need to fetch a service ticket as the ldap user in the
254 servers realm, regardless of our realm */
255 asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm);
256 krb5_init_context(&ctx);
257 krb5_set_default_tgs_ktypes(ctx, enc_types);
258 krb5_parse_name(ctx, sname, &principal);
259 free(sname);
260 krb5_free_context(ctx);
261
262 input_name.value = &principal;
263 input_name.length = sizeof(principal);
264
265 gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
266 if (gss_rc) {
267 return ADS_ERROR_GSS(gss_rc, minor_status);
268 }
269
270 context_handle = GSS_C_NO_CONTEXT;
271
272 input_token.value = NULL;
273 input_token.length = 0;
274
275 for (i=0; i < MAX_GSS_PASSES; i++) {
276 gss_rc = gss_init_sec_context(&minor_status,
277 GSS_C_NO_CREDENTIAL,
278 &context_handle,
279 serv_name,
280 mech_type,
281 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
282 0,
283 NULL,
284 &input_token,
285 NULL,
286 &output_token,
287 &ret_flags,
288 NULL);
289
290 if (input_token.value) {
291 gss_release_buffer(&minor_status, &input_token);
292 }
293
294 if (gss_rc && gss_rc != GSS_S_CONTINUE_NEEDED) {
295 status = ADS_ERROR_GSS(gss_rc, minor_status);
296 goto failed;
297 }
298
299 cred.bv_val = output_token.value;
300 cred.bv_len = output_token.length;
301
302 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
303 &scred);
304 if (rc != LDAP_SASL_BIND_IN_PROGRESS) {
305 status = ADS_ERROR(rc);
306 goto failed;
307 }
308
309 if (output_token.value) {
310 gss_release_buffer(&minor_status, &output_token);
311 }
312
313 if (scred) {
314 input_token.value = scred->bv_val;
315 input_token.length = scred->bv_len;
316 } else {
317 input_token.value = NULL;
318 input_token.length = 0;
319 }
320
321 if (gss_rc == 0) break;
322 }
323
324 gss_release_name(&minor_status, &serv_name);
325
326 gss_rc = gss_unwrap(&minor_status,context_handle,&input_token,&output_token,
327 &conf_state,NULL);
328 if (gss_rc) {
329 status = ADS_ERROR_GSS(gss_rc, minor_status);
330 goto failed;
331 }
332
333 gss_release_buffer(&minor_status, &input_token);
334
335 p = (uint8 *)output_token.value;
336
337 file_save("sasl_gssapi.dat", output_token.value, output_token.length);
338
339 max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3];
340 sec_layer = *p;
341
342 gss_release_buffer(&minor_status, &output_token);
343
344 output_token.value = malloc(strlen(ads->config.bind_path) + 8);
345 p = output_token.value;
346
347 *p++ = 1; /* no sign & seal selection */
348 /* choose the same size as the server gave us */
349 *p++ = max_msg_size>>16;
350 *p++ = max_msg_size>>8;
351 *p++ = max_msg_size;
352 snprintf(p, strlen(ads->config.bind_path)+4, "dn:%s", ads->config.bind_path);
353 p += strlen(p);
354
355 output_token.length = PTR_DIFF(p, output_token.value);
356
357 gss_rc = gss_wrap(&minor_status, context_handle,0,GSS_C_QOP_DEFAULT,
358 &output_token, &conf_state,
359 &input_token);
360 if (gss_rc) {
361 status = ADS_ERROR_GSS(gss_rc, minor_status);
362 goto failed;
363 }
364
365 free(output_token.value);
366
367 cred.bv_val = input_token.value;
368 cred.bv_len = input_token.length;
369
370 rc = ldap_sasl_bind_s(ads->ld, NULL, "GSSAPI", &cred, NULL, NULL,
371 &scred);
372 status = ADS_ERROR(rc);
373
374 gss_release_buffer(&minor_status, &input_token);
375
376 failed:
377 return status;
378 }
379 #endif
380
381 /* mapping between SASL mechanisms and functions */
382 static struct {
383 const char *name;
384 ADS_STATUS (*fn)(ADS_STRUCT *);
385 } sasl_mechanisms[] = {
386 {"GSS-SPNEGO", ads_sasl_spnego_bind},
387 #ifdef HAVE_GSSAPI
388 {"GSSAPI", ads_sasl_gssapi_bind}, /* doesn't work with .NET RC1. No idea why */
389 #endif
390 {NULL, NULL}
391 };
392
393 ADS_STATUS ads_sasl_bind(ADS_STRUCT *ads)
394 {
395 const char *attrs[] = {"supportedSASLMechanisms", NULL};
396 char **values;
397 ADS_STATUS status;
398 int i, j;
399 void *res;
400
401 /* get a list of supported SASL mechanisms */
402 status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
403 if (!ADS_ERR_OK(status)) return status;
404
405 values = ldap_get_values(ads->ld, res, "supportedSASLMechanisms");
406
407 /* try our supported mechanisms in order */
408 for (i=0;sasl_mechanisms[i].name;i++) {
409 /* see if the server supports it */
410 for (j=0;values && values[j];j++) {
411 if (strcmp(values[j], sasl_mechanisms[i].name) == 0) {
412 DEBUG(4,("Found SASL mechanism %s\n", values[j]));
413 status = sasl_mechanisms[i].fn(ads);
414 ldap_value_free(values);
415 ldap_msgfree(res);
416 return status;
417 }
418 }
419 }
420
421 ldap_value_free(values);
422 ldap_msgfree(res);
423 return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED);
424 }
425
426 #endif
427
reg import