| blob | d0b0d86d4f675447fbbc03a39be917bf74692bb7 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
27 /*
28 * Security Provider glue
29 *
30 * Modeled after SSPI for now, only because we're currently
31 * using the Microsoft sample spnego code.
32 *
33 * ToDo: Port all of this to GSS-API plugins.
34 */
36 #include <errno.h>
37 #include <stdio.h>
38 #include <stdlib.h>
39 #include <unistd.h>
40 #include <strings.h>
41 #include <netdb.h>
42 #include <libintl.h>
43 #include <xti.h>
44 #include <assert.h>
46 #include <sys/types.h>
47 #include <sys/time.h>
48 #include <sys/byteorder.h>
49 #include <sys/socket.h>
50 #include <sys/fcntl.h>
52 #include <netinet/in.h>
53 #include <netinet/tcp.h>
54 #include <arpa/inet.h>
56 #include <netsmb/smb_lib.h>
57 #include <netsmb/mchain.h>
66 /*
67 * ssp_ctx_create_client
68 *
69 * This is the first function called for SMB "extended security".
70 * Here we select a security support provider (SSP), or mechanism,
71 * and build the security context used throughout authentication.
72 *
73 * Note that we receive a "hint" in the SMB Negotiate response
74 * that contains the list of mechanisms supported by the server.
75 * We use this to help us select a mechanism.
76 *
77 * With SSPI this would call:
78 * ssp->InitSecurityInterface()
79 * ssp->AcquireCredentialsHandle()
80 * ssp->InitializeSecurityContext()
81 * With GSS-API this will become:
82 * gss_import_name(... service_principal_name)
83 * gss_init_sec_context(), etc.
84 */
85 int
87 {
90 SPNEGO_MECH_OID oid;
101 /*
102 * Parse the SPNEGO "hint" to get the server's list of
103 * supported mechanisms. If the "hint" is empty,
104 * assume NTLMSSP. (Or could use "raw NTLMSSP")
105 */
114 }
116 /*
117 * Did the server offer Kerberos?
118 * Either spec. OID or legacy is OK,
119 * but have to remember what we got.
120 */
129 /*
130 * Yes! Server offers Kerberos.
131 * Try to init our krb5 mechanism.
132 * It will fail if the calling user
133 * does not have krb5 credentials.
134 */
140 }
141 /* else fall back to NTLMSSP */
142 }
144 /*
145 * Did the server offer NTLMSSP?
146 */
149 /*
150 * OK, we'll use NTLMSSP
151 */
152 use_ntlm:
158 }
159 }
161 /* No supported mechanisms! */
163 }
166 /*
167 * ssp_ctx_destroy
168 *
169 * Dispatch to the mechanism-specific destroy.
170 */
171 void
173 {
189 }
192 /*
193 * ssp_ctx_next_token
194 *
195 * This is the function called to generate the next token to send,
196 * given a token just received, using the selected back-end method.
197 * The back-end method is called a security service provider (SSP).
198 *
199 * This is also called to generate the first token to send
200 * (when called with caller_in == NULL) and to handle the last
201 * token received (when called with caller_out == NULL).
202 * See caller: smb_ssnsetup_spnego
203 *
204 * Note that if the back-end SSP "next token" function ever
205 * returns an error, the conversation ends, and there are
206 * no further calls to this function for this context.
207 *
208 * General outline of this funcion:
209 * if (caller_in)
210 * Unwrap caller_in spnego blob,
211 * store payload in body_in
212 * Call back-end SSP "next token" method (body_in, body_out)
213 * if (caller_out)
214 * Wrap returned body_out in spnego,
215 * store in caller_out
216 *
217 * With SSPI this would call:
218 * ssp->InitializeSecurityContext()
219 * With GSS-API this will become:
220 * gss_init_sec_context()
221 */
222 int
226 {
229 SPNEGO_NEGRESULT result;
232 ulong_t toklen;
240 /*
241 * If we have an spnego input token, parse it,
242 * extract the payload for the back-end SSP.
243 */
246 /*
247 * Let the spnego code parse it.
248 */
256 }
257 /* Note: Allocated stok_in */
259 /*
260 * Now get the payload. Two calls:
261 * first gets the size, 2nd the data.
262 *
263 * Expect SPNEGO_E_BUFFER_TOO_SMALL here,
264 * but if the payload is missing, we'll
265 * get SPNEGO_E_ELEMENT_UNAVAILABLE.
266 */
273 /* have toklen */
279 }
291 }
293 }
294 }
296 /*
297 * Call the back-end security provider (SSP) to
298 * handle the received token (if present) and
299 * generate an output token (if requested).
300 */
307 /*
308 * Wrap the outgoing body if requested,
309 * either negTokenInit on first call, or
310 * negTokenTarg on subsequent calls.
311 */
316 /*
317 * This is the first call, so create a
318 * negTokenInit.
319 */
324 /* Note: allocated stok_out */
326 /*
327 * Note: must pass spnego_mech_oid_NotUsed,
328 * instead of sp->sp_mech so that the spnego
329 * code will not marshal a mech OID list.
330 * The mechanism is determined at this point,
331 * and some servers won't parse an unexpected
332 * mech. OID list in a negTokenTarg
333 */
335 spnego_mech_oid_NotUsed,
336 spnego_negresult_NotUsed,
339 /* Note: allocated stok_out */
340 }
345 }
347 /*
348 * Copy binary from stok_out to caller_out
349 * Two calls: get the size, get the data.
350 */
356 }
367 }
370 /*
371 * caller_out == NULL, so this is the "final" call.
372 * Get final SPNEGO result from the INPUT token.
373 */
379 }
384 }
385 }
388 out:
395 }