summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/gensec/gensec.h1
-rw-r--r--source4/auth/gensec/gensec_gssapi.c88
-rw-r--r--source4/auth/gensec/spnego.c109
-rw-r--r--source4/auth/gensec/spnego_parse.c32
4 files changed, 206 insertions, 24 deletions
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 2a89e67ed2..2830297ffe 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -53,6 +53,7 @@ struct gensec_target {
#define GENSEC_FEATURE_ASYNC_REPLIES 0x00000010
#define GENSEC_FEATURE_DATAGRAM_MODE 0x00000020
#define GENSEC_FEATURE_SIGN_PKT_HEADER 0x00000040
+#define GENSEC_FEATURE_NEW_SPNEGO 0x00000080
/* GENSEC mode */
enum gensec_role
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index ff4a23e7fc..0df40dc82f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -65,6 +65,7 @@ struct gensec_gssapi_state {
struct smb_krb5_context *smb_krb5_context;
struct gssapi_creds_container *client_cred;
struct gssapi_creds_container *server_cred;
+ gss_krb5_lucid_context_v1_t *lucid;
gss_cred_id_t delegated_cred_handle;
@@ -143,9 +144,45 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st
if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
}
+
+ if (gensec_gssapi_state->lucid) {
+ gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
+ }
+
return 0;
}
+static NTSTATUS gensec_gssapi_init_lucid(struct gensec_gssapi_state *gensec_gssapi_state)
+{
+ OM_uint32 maj_stat, min_stat;
+
+ if (gensec_gssapi_state->lucid) {
+ return NT_STATUS_OK;
+ }
+
+ maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+ &gensec_gssapi_state->gssapi_context,
+ 1,
+ (void **)&gensec_gssapi_state->lucid);
+ if (maj_stat != GSS_S_COMPLETE) {
+ DEBUG(0,("gensec_gssapi_init_lucid: %s\n",
+ gssapi_error_string(gensec_gssapi_state,
+ maj_stat, min_stat,
+ gensec_gssapi_state->gss_oid)));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (gensec_gssapi_state->lucid->version != 1) {
+ DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n",
+ gensec_gssapi_state->lucid->version));
+ gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
+ gensec_gssapi_state->lucid = NULL;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
{
struct gensec_gssapi_state *gensec_gssapi_state;
@@ -169,6 +206,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
gensec_gssapi_state->server_name = GSS_C_NO_NAME;
gensec_gssapi_state->client_name = GSS_C_NO_NAME;
+ gensec_gssapi_state->lucid = NULL;
/* TODO: Fill in channel bindings */
gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
@@ -1083,10 +1121,10 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
input_message.length = pdu_length;
- input_message.value = whole_pdu;
+ input_message.value = discard_const(whole_pdu);
} else {
input_message.length = length;
- input_message.value = data;
+ input_message.value = discard_const(data);
}
input_token.length = sig->length;
@@ -1139,6 +1177,31 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
if (feature & GENSEC_FEATURE_DCE_STYLE) {
return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE;
}
+ if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
+ NTSTATUS status;
+
+ if (!(gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG)) {
+ return false;
+ }
+
+ if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "force_new_spnego", false)) {
+ return true;
+ }
+ if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "disable_new_spnego", false)) {
+ return false;
+ }
+
+ status = gensec_gssapi_init_lucid(gensec_gssapi_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ if (gensec_gssapi_state->lucid->protocol == 1) {
+ return true;
+ }
+
+ return false;
+ }
/* We can always do async (rather than strict request/reply) packets. */
if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
return true;
@@ -1386,8 +1449,7 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- OM_uint32 maj_stat, min_stat;
- gss_krb5_lucid_context_v1_t *lucid = NULL;
+ NTSTATUS status;
if (gensec_gssapi_state->sig_size) {
return gensec_gssapi_state->sig_size;
@@ -1399,18 +1461,12 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da
gensec_gssapi_state->sig_size = 37;
}
- maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
- &gensec_gssapi_state->gssapi_context,
- 1, (void **)&lucid);
- if (maj_stat != GSS_S_COMPLETE) {
- return gensec_gssapi_state->sig_size;
- }
-
- if (lucid->version != 1) {
+ status = gensec_gssapi_init_lucid(gensec_gssapi_state);
+ if (!NT_STATUS_IS_OK(status)) {
return gensec_gssapi_state->sig_size;
}
- if (lucid->protocol == 1) {
+ if (gensec_gssapi_state->lucid->protocol == 1) {
if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
/*
* TODO: windows uses 76 here, but we don't know
@@ -1420,8 +1476,8 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da
} else {
gensec_gssapi_state->sig_size = 28;
}
- } else if (lucid->protocol == 0) {
- switch (lucid->rfc1964_kd.ctx_key.type) {
+ } else if (gensec_gssapi_state->lucid->protocol == 0) {
+ switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
case KEYTYPE_DES:
case KEYTYPE_ARCFOUR:
case KEYTYPE_ARCFOUR_56:
@@ -1441,8 +1497,6 @@ size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t da
}
}
- gss_krb5_free_lucid_sec_context(&min_stat, lucid);
-
return gensec_gssapi_state->sig_size;
}
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1544326bb1..1855e0583d 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -5,6 +5,7 @@
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+ Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -44,6 +45,8 @@ struct spnego_state {
bool no_response_expected;
const char *neg_oid;
+
+ DATA_BLOB mech_types;
};
@@ -60,6 +63,7 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->state_position = SPNEGO_CLIENT_START;
spnego_state->sub_sec_security = NULL;
spnego_state->no_response_expected = false;
+ spnego_state->mech_types = data_blob(NULL, 0);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
@@ -78,6 +82,7 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
spnego_state->state_position = SPNEGO_SERVER_START;
spnego_state->sub_sec_security = NULL;
spnego_state->no_response_expected = false;
+ spnego_state->mech_types = data_blob(NULL, 0);
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
@@ -392,12 +397,22 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
int i;
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB null_data_blob = data_blob(NULL,0);
+ bool ok;
const struct gensec_security_ops_wrapper *all_sec
= gensec_security_by_oid_list(gensec_security,
out_mem_ctx,
mechType,
GENSEC_OID_SPNEGO);
+
+ ok = spnego_write_mech_types(spnego_state,
+ mechType,
+ &spnego_state->mech_types);
+ if (!ok) {
+ DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (spnego_state->state_position == SPNEGO_SERVER_START) {
for (i=0; all_sec && all_sec[i].op; i++) {
/* optomisitic token */
@@ -556,6 +571,9 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
GENSEC_OID_SPNEGO);
for (i=0; all_sec && all_sec[i].op; i++) {
struct spnego_data spnego_out;
+ const char **send_mech_types;
+ bool ok;
+
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
@@ -591,10 +609,20 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
}
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
-
+
+ send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
+ &all_sec[i]);
+
+ ok = spnego_write_mech_types(spnego_state,
+ send_mech_types,
+ &spnego_state->mech_types);
+ if (!ok) {
+ DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* List the remaining mechs as options */
- spnego_out.negTokenInit.mechTypes = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
- &all_sec[i]);
+ spnego_out.negTokenInit.mechTypes = send_mech_types;
spnego_out.negTokenInit.reqFlags = 0;
if (spnego_state->state_position == SPNEGO_SERVER_START) {
@@ -644,7 +672,9 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
NTSTATUS nt_status,
- const DATA_BLOB unwrapped_out, DATA_BLOB *out)
+ const DATA_BLOB unwrapped_out,
+ DATA_BLOB mech_list_mic,
+ DATA_BLOB *out)
{
struct spnego_data spnego_out;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
@@ -664,6 +694,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
}
spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
+ spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
spnego_state->state_position = SPNEGO_DONE;
} else {
spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
@@ -687,6 +718,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
+ DATA_BLOB mech_list_mic = data_blob(NULL, 0);
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
struct spnego_data spnego_out;
struct spnego_data spnego;
@@ -737,7 +769,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_state,
out_mem_ctx,
nt_status,
- unwrapped_out,
+ unwrapped_out,
+ null_data_blob,
out);
spnego_free_data(&spnego);
@@ -829,6 +862,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool new_spnego = false;
+
if (!in.length) {
return NT_STATUS_INVALID_PARAMETER;
}
@@ -860,12 +895,40 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
+ new_spnego = true;
+ nt_status = gensec_check_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &spnego.negTokenTarg.mechListMIC);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
+ nt_errstr(nt_status)));
+ }
+ }
+ if (NT_STATUS_IS_OK(nt_status) && new_spnego) {
+ nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &mech_list_mic);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
+ nt_errstr(nt_status)));
+ }
+ }
nt_status = gensec_spnego_server_negTokenTarg(gensec_security,
spnego_state,
out_mem_ctx,
nt_status,
- unwrapped_out,
+ unwrapped_out,
+ mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -940,13 +1003,45 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
} else {
nt_status = NT_STATUS_OK;
}
+ if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
+ nt_status = gensec_check_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &spnego.negTokenTarg.mechListMIC);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
+ nt_errstr(nt_status)));
+ }
+ }
} else {
+ bool new_spnego = false;
+
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
+ new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_NEW_SPNEGO);
+ }
+ if (NT_STATUS_IS_OK(nt_status) && new_spnego) {
+ nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &mech_list_mic);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
+ nt_errstr(nt_status)));
+ }
+ }
+ if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->no_response_expected = true;
}
}
@@ -967,7 +1062,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
spnego_out.negTokenTarg.supportedMech = NULL;
spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+ spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
diff --git a/source4/auth/gensec/spnego_parse.c b/source4/auth/gensec/spnego_parse.c
index 8012a83ba8..5ea8cf7100 100644
--- a/source4/auth/gensec/spnego_parse.c
+++ b/source4/auth/gensec/spnego_parse.c
@@ -374,3 +374,35 @@ out:
return ret;
}
+bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
+ const char **mech_types,
+ DATA_BLOB *blob)
+{
+ struct asn1_data *asn1 = asn1_init(mem_ctx);
+
+ /* Write mechTypes */
+ if (mech_types && *mech_types) {
+ int i;
+
+ asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+ for (i = 0; mech_types[i]; i++) {
+ asn1_write_OID(asn1, mech_types[i]);
+ }
+ asn1_pop_tag(asn1);
+ }
+
+ if (asn1->has_error) {
+ asn1_free(asn1);
+ return false;
+ }
+
+ *blob = data_blob_talloc(mem_ctx, asn1->data, asn1->length);
+ if (blob->length != asn1->length) {
+ asn1_free(asn1);
+ return false;
+ }
+
+ asn1_free(asn1);
+
+ return true;
+}