[exim.git] / src / src / auths / heimdal_gssapi.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2016 */
/* See the file NOTICE for conditions of use and distribution. */

/* Copyright (c) Twitter Inc 2012
   Author: Phil Pennock <pdp@exim.org> */
/* Copyright (c) Phil Pennock 2012 */

/* Interface to Heimdal library for GSSAPI authentication. */

/* Naming and rationale

Sensibly, this integration would be deferred to a SASL library, but none
of them appear to offer keytab file selection interfaces in their APIs.  It
might be that this driver only requires minor modification to work with MIT
Kerberos.

Heimdal provides a number of interfaces for various forms of authentication.
As GS2 does not appear to provide keytab control interfaces either, we may
end up supporting that too.  It's possible that we could trivially expand to
support NTLM support via Heimdal, etc.  Rather than try to be too generic
immediately, this driver is directly only supporting GSSAPI.

Without rename, we could add an option for GS2 support in the future.
*/

/* Sources

* mailcheck-imap (Perl, client-side, written by me years ago)
* gsasl driver (GPL, server-side)
* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
  semantics, that found by browsing Heimdal source to find how to set the keytab; however,
  after multiple attempts I failed to get that to work and instead switched to
  gsskrb5_register_acceptor_identity().
*/

#include "../exim.h"

#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>

/* for the _init debugging */
#include <krb5.h>

#include "heimdal_gssapi.h"

/* Authenticator-specific options. */
optionlist auth_heimdal_gssapi_options[] = {
  { "server_hostname",      opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
  { "server_keytab",        opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
  { "server_service",       opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
};

int auth_heimdal_gssapi_options_count =
  sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);

/* Defaults for the authenticator-specific options. */
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
  US"$primary_hostname",    /* server_hostname */
  NULL,                     /* server_keytab */
  US"smtp",                 /* server_service */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_heimdal_init(auth_instance *ablock) {}
int auth_heimdal_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_heimdal_client(auth_instance *ablock, smtp_inblock *inblock,
  smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}

#else   /*!MACRO_PREDEF*/


/* "Globals" for managing the heimdal_gssapi interface. */

/* Utility functions */
static void
  exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
static int
  exim_gssapi_error_defer(uschar *, OM_uint32, OM_uint32, const char *, ...)
    PRINTF_FUNCTION(4, 5);

#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

/* Heimdal provides a GSSAPI extension method for setting the keytab;
in the init, we mostly just use raw krb5 methods so that we can report
the keytab contents, for -D+auth debugging. */

void
auth_heimdal_gssapi_init(auth_instance *ablock)
{
  krb5_context context;
  krb5_keytab keytab;
  krb5_kt_cursor cursor;
  krb5_keytab_entry entry;
  krb5_error_code krc;
  char *principal, *enctype_s;
  const char *k_keytab_typed_name = NULL;
  auth_heimdal_gssapi_options_block *ob =
    (auth_heimdal_gssapi_options_block *)(ablock->options_block);

  ablock->server = FALSE;
  ablock->client = FALSE;

  if (!ob->server_service || !*ob->server_service) {
    HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
    return;
  }

  krc = krb5_init_context(&context);
  if (krc != 0) {
    int kerr = errno;
    HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
        strerror(kerr));
    return;
  }

  if (ob->server_keytab) {
    k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
    HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
    krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
    if (krc) {
      HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
      return;
    }
  } else {
    HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
    krc = krb5_kt_default(context, &keytab);
    if (krc) {
      HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
      return;
    }
  }

  HDEBUG(D_auth) {
    /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
    krc = krb5_kt_start_seq_get(context, keytab, &cursor);
    if (krc)
      exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
    else {
      while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
        principal = enctype_s = NULL;
        krb5_unparse_name(context, entry.principal, &principal);
        krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
        debug_printf("heimdal: keytab principal: %s  vno=%d  type=%s\n",
            principal ? principal : "??",
            entry.vno,
            enctype_s ? enctype_s : "??");
        free(principal);
        free(enctype_s);
        krb5_kt_free_entry(context, &entry);
      }
      krc = krb5_kt_end_seq_get(context, keytab, &cursor);
      if (krc)
        exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
    }
  }

  krc = krb5_kt_close(context, keytab);
  if (krc)
    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);

  krb5_free_context(context);

  /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
  if (big_buffer_size < (64 * 1024)) {
    uschar *newbuf;
    big_buffer_size = 64 * 1024;
    newbuf = store_malloc(big_buffer_size);
    store_free(big_buffer);
    big_buffer = newbuf;
  }

  ablock->server = TRUE;
}


static void
exim_heimdal_error_debug(const char *label,
    krb5_context context, krb5_error_code err)
{
  const char *kerrsc;
  kerrsc = krb5_get_error_message(context, err);
  debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
  krb5_free_error_message(context, kerrsc);
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* GSSAPI notes:
OM_uint32: portable type for unsigned int32
gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
  -- all strings/etc passed in should go through one of these
  -- when allocated by gssapi, release with gss_release_buffer()
*/

int
auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
{
  gss_name_t gclient = GSS_C_NO_NAME;
  gss_name_t gserver = GSS_C_NO_NAME;
  gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
  gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
  uschar *ex_server_str;
  gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
  gss_OID mech_type;
  OM_uint32 maj_stat, min_stat;
  int step, error_out, i;
  uschar *tmp1, *tmp2, *from_client;
  auth_heimdal_gssapi_options_block *ob =
    (auth_heimdal_gssapi_options_block *)(ablock->options_block);
  BOOL handled_empty_ir;
  uschar *store_reset_point;
  uschar *keytab;
  uschar sasl_config[4];
  uschar requested_qop;

  store_reset_point = store_get(0);

  HDEBUG(D_auth)
    debug_printf("heimdal: initialising auth context for %s\n", ablock->name);

  /* Construct our gss_name_t gserver describing ourselves */
  tmp1 = expand_string(ob->server_service);
  tmp2 = expand_string(ob->server_hostname);
  ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
  gbufdesc.value = (void *) ex_server_str;
  gbufdesc.length = Ustrlen(ex_server_str);
  maj_stat = gss_import_name(&min_stat,
      &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
  if (GSS_ERROR(maj_stat))
    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
        "gss_import_name(%s)", CS gbufdesc.value);

  /* Use a specific keytab, if specified */
  if (ob->server_keytab) {
    keytab = expand_string(ob->server_keytab);
    maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
    if (GSS_ERROR(maj_stat))
      return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
          "registering keytab \"%s\"", keytab);
    HDEBUG(D_auth)
      debug_printf("heimdal: using keytab \"%s\"\n", keytab);
  }

  /* Acquire our credentials */
  maj_stat = gss_acquire_cred(&min_stat,
      gserver,             /* desired name */
      0,                   /* time */
      GSS_C_NULL_OID_SET,  /* desired mechs */
      GSS_C_ACCEPT,        /* cred usage */
      &gcred,              /* handle */
      NULL                 /* actual mechs */,
      NULL                 /* time rec */);
  if (GSS_ERROR(maj_stat))
    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
        "gss_acquire_cred(%s)", ex_server_str);

  maj_stat = gss_release_name(&min_stat, &gserver);

  HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");

  /* Loop talking to client */
  step = 0;
  from_client = initial_data;
  handled_empty_ir = FALSE;
  error_out = OK;

  /* buffer sizes: auth_get_data() uses big_buffer, which we grow per
  GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
  (big_buffer starts life at the MUST size of 16KB). */

  /* step values
  0: getting initial data from client to feed into GSSAPI
  1: iterating for as long as GSS_S_CONTINUE_NEEDED
  2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
  3: unpick final auth message from client
  4: break/finish (non-step)
  */
  while (step < 4) {
    switch (step) {
      case 0:
        if (!from_client || *from_client == '\0') {
          if (handled_empty_ir) {
            HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
            error_out = BAD64;
            goto ERROR_OUT;
          } else {
            HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
            error_out = auth_get_data(&from_client, US"", 0);
            if (error_out != OK)
              goto ERROR_OUT;
            handled_empty_ir = TRUE;
            continue;
          }
        }
        /* We should now have the opening data from the client, base64-encoded. */
        step += 1;
        HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
        break;

      case 1:
        gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
        if (gclient) {
          maj_stat = gss_release_name(&min_stat, &gclient);
          gclient = GSS_C_NO_NAME;
        }
        maj_stat = gss_accept_sec_context(&min_stat,
            &gcontext,          /* context handle */
            gcred,              /* acceptor cred handle */
            &gbufdesc_in,       /* input from client */
            GSS_C_NO_CHANNEL_BINDINGS,  /* XXX fixme: use the channel bindings from GnuTLS */
            &gclient,           /* client identifier */
            &mech_type,         /* mechanism in use */
            &gbufdesc_out,      /* output to send to client */
            NULL,               /* return flags */
            NULL,               /* time rec */
            NULL                /* delegated cred_handle */
            );
        if (GSS_ERROR(maj_stat)) {
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_accept_sec_context()");
          error_out = FAIL;
          goto ERROR_OUT;
        }
        if (&gbufdesc_out.length != 0) {
          error_out = auth_get_data(&from_client,
              gbufdesc_out.value, gbufdesc_out.length);
          if (error_out != OK)
            goto ERROR_OUT;

          gss_release_buffer(&min_stat, &gbufdesc_out);
          EmptyBuf(gbufdesc_out);
        }
        if (maj_stat == GSS_S_COMPLETE) {
          step += 1;
          HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
        } else {
          HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
        }
        break;

      case 2:
        memset(sasl_config, 0xFF, 4);
        /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
        0x01 No security layer
        0x02 Integrity protection
        0x04 Confidentiality protection

        The remaining three octets are the maximum buffer size for wrapped
        content. */
        sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
        gbufdesc.value = (void *) sasl_config;
        gbufdesc.length = 4;
        maj_stat = gss_wrap(&min_stat,
            gcontext,
            0,                    /* conf_req_flag: integrity only */
            GSS_C_QOP_DEFAULT,    /* qop requested */
            &gbufdesc,            /* message to protect */
            NULL,                 /* conf_state: no confidentiality applied */
            &gbufdesc_out         /* output buffer */
            );
        if (GSS_ERROR(maj_stat)) {
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_wrap(SASL state after auth)");
          error_out = FAIL;
          goto ERROR_OUT;
        }

        HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");

        error_out = auth_get_data(&from_client,
            gbufdesc_out.value, gbufdesc_out.length);
        if (error_out != OK)
          goto ERROR_OUT;

        gss_release_buffer(&min_stat, &gbufdesc_out);
        EmptyBuf(gbufdesc_out);
        step += 1;
        break;

      case 3:
        gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
        maj_stat = gss_unwrap(&min_stat,
            gcontext,
            &gbufdesc_in,       /* data from client */
            &gbufdesc_out,      /* results */
            NULL,               /* conf state */
            NULL                /* qop state */
            );
        if (GSS_ERROR(maj_stat)) {
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_unwrap(final SASL message from client)");
          error_out = FAIL;
          goto ERROR_OUT;
        }
        if (gbufdesc_out.length < 4) {
          HDEBUG(D_auth)
            debug_printf("gssapi: final message too short; "
                "need flags, buf sizes and optional authzid\n");
          error_out = FAIL;
          goto ERROR_OUT;
        }

        requested_qop = (CS gbufdesc_out.value)[0];
        if ((requested_qop & 0x01) == 0) {
          HDEBUG(D_auth)
            debug_printf("gssapi: client requested security layers (%x)\n",
                (unsigned int) requested_qop);
          error_out = FAIL;
          goto ERROR_OUT;
        }

        for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
        expand_nmax = 0;

        /* Identifiers:
        The SASL provided identifier is an unverified authzid.
        GSSAPI provides us with a verified identifier, but it might be empty
        for some clients.
        */

        /* $auth2 is authzid requested at SASL layer */
        if (gbufdesc_out.length > 4) {
          expand_nlength[2] = gbufdesc_out.length - 4;
          auth_vars[1] = expand_nstring[2] =
            string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
          expand_nmax = 2;
        }

        gss_release_buffer(&min_stat, &gbufdesc_out);
        EmptyBuf(gbufdesc_out);

        /* $auth1 is GSSAPI display name */
        maj_stat = gss_display_name(&min_stat,
            gclient,
            &gbufdesc_out,
            &mech_type);
        if (GSS_ERROR(maj_stat)) {
          auth_vars[1] = expand_nstring[2] = NULL;
          expand_nmax = 0;
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_display_name(client identifier)");
          error_out = FAIL;
          goto ERROR_OUT;
        }

        expand_nlength[1] = gbufdesc_out.length;
        auth_vars[0] = expand_nstring[1] =
          string_copyn(gbufdesc_out.value, gbufdesc_out.length);

        if (expand_nmax == 0) { /* should be: authzid was empty */
          expand_nmax = 2;
          expand_nlength[2] = expand_nlength[1];
          auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
          HDEBUG(D_auth)
            debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
        }

        HDEBUG(D_auth)
          debug_printf("heimdal SASL: happy with client request\n"
             "  auth1 (verified GSSAPI display-name): \"%s\"\n"
             "  auth2 (unverified SASL requested authzid): \"%s\"\n",
             auth_vars[0], auth_vars[1]);

        step += 1;
        break;

    } /* switch */
  } /* while step */


ERROR_OUT:
  maj_stat = gss_release_cred(&min_stat, &gcred);
  if (gclient) {
    gss_release_name(&min_stat, &gclient);
    gclient = GSS_C_NO_NAME;
  }
  if (gbufdesc_out.length) {
    gss_release_buffer(&min_stat, &gbufdesc_out);
    EmptyBuf(gbufdesc_out);
  }
  if (gcontext != GSS_C_NO_CONTEXT) {
    gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
  }

  store_reset(store_reset_point);

  if (error_out != OK)
    return error_out;

  /* Auth succeeded, check server_condition */
  return auth_check_serv_cond(ablock);
}


static int
exim_gssapi_error_defer(uschar *store_reset_point,
    OM_uint32 major, OM_uint32 minor,
    const char *format, ...)
{
  va_list ap;
  uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
  OM_uint32 maj_stat, min_stat;
  OM_uint32 msgcontext = 0;
  gss_buffer_desc status_string;

  va_start(ap, format);
  if (!string_vformat(buffer, sizeof(buffer), format, ap))
    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
        "exim_gssapi_error_defer expansion larger than %lu",
        sizeof(buffer));
  va_end(ap);

  auth_defer_msg = NULL;

  do {
    maj_stat = gss_display_status(&min_stat,
        major, GSS_C_GSS_CODE, GSS_C_NO_OID,
        &msgcontext, &status_string);

    if (auth_defer_msg == NULL) {
      auth_defer_msg = string_copy(US status_string.value);
    }

    HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
        buffer, (int)status_string.length, CS status_string.value);
    gss_release_buffer(&min_stat, &status_string);

  } while (msgcontext != 0);

  if (store_reset_point)
    store_reset(store_reset_point);
  return DEFER;
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_heimdal_gssapi_client(
  auth_instance *ablock,                 /* authenticator block */
  smtp_inblock *inblock,                 /* connection inblock */
  smtp_outblock *outblock,               /* connection outblock */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
  HDEBUG(D_auth)
    debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
  /* NOT IMPLEMENTED */
  return FAIL;
}

/*************************************************
*                Diagnostic API                  *
*************************************************/

void
auth_heimdal_gssapi_version_report(FILE *f)
{
  /* No build-time constants available unless we link against libraries at
  build-time and export the result as a string into a header ourselves. */
  fprintf(f, "Library version: Heimdal: Runtime: %s\n"
             " Build Info: %s\n",
          heimdal_version, heimdal_long_version);
}

#endif   /*!MACRO_PREDEF*/
#endif  /* AUTH_HEIMDAL_GSSAPI */

/* End of heimdal_gssapi.c */
Commit	Line	Data
dde3daac PP	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
80fea873	5	/* Copyright (c) University of Cambridge 1995 - 2016 */
dde3daac PP	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Copyright (c) Twitter Inc 2012
	9	Author: Phil Pennock <pdp@exim.org> */
f35771fe	10	/* Copyright (c) Phil Pennock 2012 */
dde3daac	11
b245b4a5	12	/* Interface to Heimdal library for GSSAPI authentication. */
dde3daac PP	13
	14	/* Naming and rationale
	15
	16	Sensibly, this integration would be deferred to a SASL library, but none
	17	of them appear to offer keytab file selection interfaces in their APIs. It
	18	might be that this driver only requires minor modification to work with MIT
	19	Kerberos.
	20
	21	Heimdal provides a number of interfaces for various forms of authentication.
	22	As GS2 does not appear to provide keytab control interfaces either, we may
	23	end up supporting that too. It's possible that we could trivially expand to
	24	support NTLM support via Heimdal, etc. Rather than try to be too generic
	25	immediately, this driver is directly only supporting GSSAPI.
	26
	27	Without rename, we could add an option for GS2 support in the future.
	28	*/
	29
	30	/* Sources
	31
	32	* mailcheck-imap (Perl, client-side, written by me years ago)
	33	* gsasl driver (GPL, server-side)
	34	* heimdal sources and man-pages, plus http://www.h5l.org/manual/
	35	* FreeBSD man-pages (very informative!)
	36	* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
b245b4a5 PP	37	semantics, that found by browsing Heimdal source to find how to set the keytab; however,
	38	after multiple attempts I failed to get that to work and instead switched to
	39	gsskrb5_register_acceptor_identity().
dde3daac PP	40	*/
	41
	42	#include "../exim.h"
	43
	44	#ifndef AUTH_HEIMDAL_GSSAPI
	45	/* dummy function to satisfy compilers when we link in an "empty" file. */
e1d15f5e JH	46	static void dummy(int x);
	47	static void dummy2(int x) { dummy(x-1); }
	48	static void dummy(int x) { dummy2(x-1); }
dde3daac PP	49	#else
	50
	51	#include <gssapi/gssapi.h>
	52	#include <gssapi/gssapi_krb5.h>
	53
	54	/* for the _init debugging */
	55	#include <krb5.h>
	56
dde3daac PP	57	#include "heimdal_gssapi.h"
	58
	59	/* Authenticator-specific options. */
	60	optionlist auth_heimdal_gssapi_options[] = {
	61	{ "server_hostname", opt_stringptr,
	62	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
	63	{ "server_keytab", opt_stringptr,
	64	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
dde3daac PP	65	{ "server_service", opt_stringptr,
	66	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
	67	};
	68
	69	int auth_heimdal_gssapi_options_count =
	70	sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
	71
	72	/* Defaults for the authenticator-specific options. */
	73	auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
	74	US"$primary_hostname", /* server_hostname */
	75	NULL, /* server_keytab */
dde3daac PP	76	US"smtp", /* server_service */
	77	};
	78
d185889f JH	79
	80	#ifdef MACRO_PREDEF
	81
	82	/* Dummy values */
	83	void auth_heimdal_init(auth_instance *ablock) {}
	84	int auth_heimdal_server(auth_instance ablock, uschar data) {return 0;}
	85	int auth_heimdal_client(auth_instance ablock, smtp_inblock inblock,
	86	smtp_outblock outblock, int timeout, uschar buffer, int buffsize) {return 0;}
	87
	88	#else /!MACRO_PREDEF/
	89
	90
	91
dde3daac PP	92	/* "Globals" for managing the heimdal_gssapi interface. */
dde3daac PP	93
dde3daac PP	94	/* Utility functions */
	95	static void
	96	exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
	97	static int
	98	exim_gssapi_error_defer(uschar , OM_uint32, OM_uint32, const char , ...)
	99	PRINTF_FUNCTION(4, 5);
	100
	101	#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
	102
	103
	104	/*************************************************
	105	* Initialization entry point *
	106	*************************************************/
	107
	108	/* Called for each instance, after its options have been read, to
	109	enable consistency checks to be done, or anything else that needs
	110	to be set up. */
	111
b245b4a5 PP	112	/* Heimdal provides a GSSAPI extension method for setting the keytab;
b245b4a5 PP	113	in the init, we mostly just use raw krb5 methods so that we can report
dde3daac PP	114	the keytab contents, for -D+auth debugging. */
	115
	116	void
	117	auth_heimdal_gssapi_init(auth_instance *ablock)
	118	{
	119	krb5_context context;
	120	krb5_keytab keytab;
	121	krb5_kt_cursor cursor;
	122	krb5_keytab_entry entry;
	123	krb5_error_code krc;
	124	char principal, enctype_s;
	125	const char *k_keytab_typed_name = NULL;
	126	auth_heimdal_gssapi_options_block *ob =
	127	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
	128
	129	ablock->server = FALSE;
	130	ablock->client = FALSE;
	131
	132	if (!ob->server_service \|\| !*ob->server_service) {
	133	HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
	134	return;
	135	}
	136
	137	krc = krb5_init_context(&context);
	138	if (krc != 0) {
	139	int kerr = errno;
	140	HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
	141	strerror(kerr));
	142	return;
	143	}
	144
	145	if (ob->server_keytab) {
	146	k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
	147	HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
	148	krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
	149	if (krc) {
	150	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
	151	return;
	152	}
	153	} else {
	154	HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
	155	krc = krb5_kt_default(context, &keytab);
	156	if (krc) {
	157	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
	158	return;
	159	}
	160	}
	161
	162	HDEBUG(D_auth) {
	163	/* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
	164	krc = krb5_kt_start_seq_get(context, keytab, &cursor);
	165	if (krc)
	166	exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
	167	else {
	168	while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
	169	principal = enctype_s = NULL;
	170	krb5_unparse_name(context, entry.principal, &principal);
	171	krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
	172	debug_printf("heimdal: keytab principal: %s vno=%d type=%s\n",
	173	principal ? principal : "??",
	174	entry.vno,
	175	enctype_s ? enctype_s : "??");
	176	free(principal);
	177	free(enctype_s);
178	krb5_kt_free_entry(context, &entry);
179	}
180	krc = krb5_kt_end_seq_get(context, keytab, &cursor);
181	if (krc)
182	exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
183	}
184	}
185
186	krc = krb5_kt_close(context, keytab);
187	if (krc)
188	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
189
190	krb5_free_context(context);
191
192	/* RFC 4121 section 5.2, SHOULD support 64K input buffers */
193	if (big_buffer_size < (64 * 1024)) {
194	uschar *newbuf;
195	big_buffer_size = 64 * 1024;
196	newbuf = store_malloc(big_buffer_size);
197	store_free(big_buffer);
198	big_buffer = newbuf;
199	}
200
201	ablock->server = TRUE;
202	}
203
204
205	static void
206	exim_heimdal_error_debug(const char *label,
207	krb5_context context, krb5_error_code err)
208	{
209	const char *kerrsc;
210	kerrsc = krb5_get_error_message(context, err);
211	debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
212	krb5_free_error_message(context, kerrsc);
213	}
214
215	/*************************************************
216	* Server entry point *
217	*************************************************/
218
219	/* For interface, see auths/README */
220
221	/* GSSAPI notes:
222	OM_uint32: portable type for unsigned int32
223	gss_buffer_desc / gss_buffer_t: hold/point-to size_t .length & void value
224	-- all strings/etc passed in should go through one of these
225	-- when allocated by gssapi, release with gss_release_buffer()
226	*/
227
228	int
229	auth_heimdal_gssapi_server(auth_instance ablock, uschar initial_data)
230	{
231	gss_name_t gclient = GSS_C_NO_NAME;
232	gss_name_t gserver = GSS_C_NO_NAME;
233	gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
234	gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
235	uschar *ex_server_str;
236	gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
237	gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
238	gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
239	gss_OID mech_type;
240	OM_uint32 maj_stat, min_stat;
241	int step, error_out, i;
242	uschar tmp1, tmp2, *from_client;
243	auth_heimdal_gssapi_options_block *ob =
244	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
245	BOOL handled_empty_ir;
246	uschar *store_reset_point;
f35771fe	247	uschar *keytab;
dde3daac PP	248	uschar sasl_config[4];
	249	uschar requested_qop;
	250
	251	store_reset_point = store_get(0);
	252
	253	HDEBUG(D_auth)
	254	debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
	255
	256	/* Construct our gss_name_t gserver describing ourselves */
	257	tmp1 = expand_string(ob->server_service);
	258	tmp2 = expand_string(ob->server_hostname);
	259	ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
	260	gbufdesc.value = (void *) ex_server_str;
	261	gbufdesc.length = Ustrlen(ex_server_str);
	262	maj_stat = gss_import_name(&min_stat,
	263	&gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
	264	if (GSS_ERROR(maj_stat))
	265	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	266	"gss_import_name(%s)", CS gbufdesc.value);
	267
	268	/* Use a specific keytab, if specified */
	269	if (ob->server_keytab) {
f35771fe PP	270	keytab = expand_string(ob->server_keytab);
f35771fe PP	271	maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
dde3daac PP	272	if (GSS_ERROR(maj_stat))
dde3daac PP	273	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
f35771fe PP	274	"registering keytab \"%s\"", keytab);
	275	HDEBUG(D_auth)
	276	debug_printf("heimdal: using keytab \"%s\"\n", keytab);
dde3daac PP	277	}
	278
	279	/* Acquire our credentials */
	280	maj_stat = gss_acquire_cred(&min_stat,
	281	gserver, /* desired name */
	282	0, /* time */
	283	GSS_C_NULL_OID_SET, /* desired mechs */
	284	GSS_C_ACCEPT, /* cred usage */
	285	&gcred, /* handle */
	286	NULL /* actual mechs */,
	287	NULL /* time rec */);
	288	if (GSS_ERROR(maj_stat))
	289	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	290	"gss_acquire_cred(%s)", ex_server_str);
	291
	292	maj_stat = gss_release_name(&min_stat, &gserver);
	293
f35771fe PP	294	HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
f35771fe PP	295
dde3daac PP	296	/* Loop talking to client */
	297	step = 0;
	298	from_client = initial_data;
	299	handled_empty_ir = FALSE;
	300	error_out = OK;
	301
	302	/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
	303	GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
	304	(big_buffer starts life at the MUST size of 16KB). */
	305
	306	/* step values
	307	0: getting initial data from client to feed into GSSAPI
	308	1: iterating for as long as GSS_S_CONTINUE_NEEDED
	309	2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
	310	3: unpick final auth message from client
	311	4: break/finish (non-step)
	312	*/
	313	while (step < 4) {
	314	switch (step) {
	315	case 0:
	316	if (!from_client \|\| *from_client == '\0') {
	317	if (handled_empty_ir) {
	318	HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
	319	error_out = BAD64;
	320	goto ERROR_OUT;
	321	} else {
	322	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
	323	error_out = auth_get_data(&from_client, US"", 0);
	324	if (error_out != OK)
	325	goto ERROR_OUT;
b245b4a5	326	handled_empty_ir = TRUE;
dde3daac PP	327	continue;
	328	}
	329	}
	330	/* We should now have the opening data from the client, base64-encoded. */
	331	step += 1;
f35771fe	332	HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
dde3daac PP	333	break;
	334
	335	case 1:
f4d091fb	336	gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
dde3daac PP	337	if (gclient) {
	338	maj_stat = gss_release_name(&min_stat, &gclient);
	339	gclient = GSS_C_NO_NAME;
	340	}
	341	maj_stat = gss_accept_sec_context(&min_stat,
	342	&gcontext, /* context handle */
	343	gcred, /* acceptor cred handle */
	344	&gbufdesc_in, /* input from client */
	345	GSS_C_NO_CHANNEL_BINDINGS, /* XXX fixme: use the channel bindings from GnuTLS */
	346	&gclient, /* client identifier */
	347	&mech_type, /* mechanism in use */
	348	&gbufdesc_out, /* output to send to client */
	349	NULL, /* return flags */
	350	NULL, /* time rec */
	351	NULL /* delegated cred_handle */
	352	);
	353	if (GSS_ERROR(maj_stat)) {
	354	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	355	"gss_accept_sec_context()");
	356	error_out = FAIL;
	357	goto ERROR_OUT;
	358	}
	359	if (&gbufdesc_out.length != 0) {
	360	error_out = auth_get_data(&from_client,
	361	gbufdesc_out.value, gbufdesc_out.length);
	362	if (error_out != OK)
	363	goto ERROR_OUT;
	364
	365	gss_release_buffer(&min_stat, &gbufdesc_out);
	366	EmptyBuf(gbufdesc_out);
	367	}
f35771fe	368	if (maj_stat == GSS_S_COMPLETE) {
dde3daac	369	step += 1;
f35771fe PP	370	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
	371	} else {
	372	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
	373	}
dde3daac PP	374	break;
	375
	376	case 2:
	377	memset(sasl_config, 0xFF, 4);
	378	/* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
	379	0x01 No security layer
	380	0x02 Integrity protection
	381	0x04 Confidentiality protection
	382
b245b4a5	383	The remaining three octets are the maximum buffer size for wrapped
dde3daac PP	384	content. */
	385	sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
	386	gbufdesc.value = (void *) sasl_config;
	387	gbufdesc.length = 4;
	388	maj_stat = gss_wrap(&min_stat,
	389	gcontext,
	390	0, /* conf_req_flag: integrity only */
	391	GSS_C_QOP_DEFAULT, /* qop requested */
	392	&gbufdesc, /* message to protect */
	393	NULL, /* conf_state: no confidentiality applied */
	394	&gbufdesc_out /* output buffer */
	395	);
	396	if (GSS_ERROR(maj_stat)) {
	397	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	398	"gss_wrap(SASL state after auth)");
	399	error_out = FAIL;
	400	goto ERROR_OUT;
	401	}
f35771fe PP	402
	403	HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
	404
dde3daac PP	405	error_out = auth_get_data(&from_client,
	406	gbufdesc_out.value, gbufdesc_out.length);
	407	if (error_out != OK)
	408	goto ERROR_OUT;
	409
	410	gss_release_buffer(&min_stat, &gbufdesc_out);
	411	EmptyBuf(gbufdesc_out);
	412	step += 1;
	413	break;
	414
	415	case 3:
f4d091fb	416	gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
dde3daac PP	417	maj_stat = gss_unwrap(&min_stat,
	418	gcontext,
	419	&gbufdesc_in, /* data from client */
	420	&gbufdesc_out, /* results */
	421	NULL, /* conf state */
	422	NULL /* qop state */
	423	);
	424	if (GSS_ERROR(maj_stat)) {
	425	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	426	"gss_unwrap(final SASL message from client)");
	427	error_out = FAIL;
	428	goto ERROR_OUT;
	429	}
c7955b11	430	if (gbufdesc_out.length < 4) {
dde3daac PP	431	HDEBUG(D_auth)
dde3daac PP	432	debug_printf("gssapi: final message too short; "
c7955b11	433	"need flags, buf sizes and optional authzid\n");
dde3daac PP	434	error_out = FAIL;
	435	goto ERROR_OUT;
	436	}
	437
	438	requested_qop = (CS gbufdesc_out.value)[0];
	439	if ((requested_qop & 0x01) == 0) {
	440	HDEBUG(D_auth)
	441	debug_printf("gssapi: client requested security layers (%x)\n",
	442	(unsigned int) requested_qop);
	443	error_out = FAIL;
	444	goto ERROR_OUT;
	445	}
	446
	447	for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
	448	expand_nmax = 0;
	449
	450	/* Identifiers:
	451	The SASL provided identifier is an unverified authzid.
c7955b11 PP	452	GSSAPI provides us with a verified identifier, but it might be empty
c7955b11 PP	453	for some clients.
dde3daac PP	454	*/
	455
	456	/* $auth2 is authzid requested at SASL layer */
c7955b11 PP	457	if (gbufdesc_out.length > 4) {
	458	expand_nlength[2] = gbufdesc_out.length - 4;
	459	auth_vars[1] = expand_nstring[2] =
	460	string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
	461	expand_nmax = 2;
	462	}
dde3daac PP	463
	464	gss_release_buffer(&min_stat, &gbufdesc_out);
	465	EmptyBuf(gbufdesc_out);
	466
	467	/* $auth1 is GSSAPI display name */
	468	maj_stat = gss_display_name(&min_stat,
	469	gclient,
	470	&gbufdesc_out,
	471	&mech_type);
	472	if (GSS_ERROR(maj_stat)) {
	473	auth_vars[1] = expand_nstring[2] = NULL;
	474	expand_nmax = 0;
	475	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	476	"gss_display_name(client identifier)");
	477	error_out = FAIL;
	478	goto ERROR_OUT;
	479	}
	480
	481	expand_nlength[1] = gbufdesc_out.length;
	482	auth_vars[0] = expand_nstring[1] =
	483	string_copyn(gbufdesc_out.value, gbufdesc_out.length);
	484
c7955b11 PP	485	if (expand_nmax == 0) { /* should be: authzid was empty */
	486	expand_nmax = 2;
	487	expand_nlength[2] = expand_nlength[1];
	488	auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
	489	HDEBUG(D_auth)
	490	debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
	491	}
	492
f35771fe PP	493	HDEBUG(D_auth)
	494	debug_printf("heimdal SASL: happy with client request\n"
	495	" auth1 (verified GSSAPI display-name): \"%s\"\n"
	496	" auth2 (unverified SASL requested authzid): \"%s\"\n",
	497	auth_vars[0], auth_vars[1]);
	498
dde3daac PP	499	step += 1;
	500	break;
	501
	502	} /* switch */
	503	} /* while step */
	504
	505
	506	ERROR_OUT:
	507	maj_stat = gss_release_cred(&min_stat, &gcred);
	508	if (gclient) {
	509	gss_release_name(&min_stat, &gclient);
	510	gclient = GSS_C_NO_NAME;
	511	}
	512	if (gbufdesc_out.length) {
	513	gss_release_buffer(&min_stat, &gbufdesc_out);
	514	EmptyBuf(gbufdesc_out);
	515	}
	516	if (gcontext != GSS_C_NO_CONTEXT) {
	517	gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
	518	}
	519
	520	store_reset(store_reset_point);
	521
	522	if (error_out != OK)
	523	return error_out;
	524
	525	/* Auth succeeded, check server_condition */
	526	return auth_check_serv_cond(ablock);
	527	}
	528
	529
	530	static int
	531	exim_gssapi_error_defer(uschar *store_reset_point,
	532	OM_uint32 major, OM_uint32 minor,
	533	const char *format, ...)
	534	{
	535	va_list ap;
	536	uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
	537	OM_uint32 maj_stat, min_stat;
	538	OM_uint32 msgcontext = 0;
	539	gss_buffer_desc status_string;
	540
	541	va_start(ap, format);
	542	if (!string_vformat(buffer, sizeof(buffer), format, ap))
	543	log_write(0, LOG_MAIN\|LOG_PANIC_DIE,
438257ba	544	"exim_gssapi_error_defer expansion larger than %lu",
dde3daac PP	545	sizeof(buffer));
	546	va_end(ap);
	547
	548	auth_defer_msg = NULL;
	549
	550	do {
	551	maj_stat = gss_display_status(&min_stat,
	552	major, GSS_C_GSS_CODE, GSS_C_NO_OID,
	553	&msgcontext, &status_string);
	554
	555	if (auth_defer_msg == NULL) {
	556	auth_defer_msg = string_copy(US status_string.value);
	557	}
	558
	559	HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
	560	buffer, (int)status_string.length, CS status_string.value);
	561	gss_release_buffer(&min_stat, &status_string);
	562
	563	} while (msgcontext != 0);
	564
	565	if (store_reset_point)
	566	store_reset(store_reset_point);
	567	return DEFER;
	568	}
	569
	570
	571	/*************************************************
	572	* Client entry point *
	573	*************************************************/
	574
	575	/* For interface, see auths/README */
	576
	577	int
	578	auth_heimdal_gssapi_client(
	579	auth_instance ablock, / authenticator block */
	580	smtp_inblock inblock, / connection inblock */
	581	smtp_outblock outblock, / connection outblock */
	582	int timeout, /* command timeout */
	583	uschar buffer, / buffer for reading response */
	584	int buffsize) /* size of buffer */
	585	{
	586	HDEBUG(D_auth)
	587	debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
	588	/* NOT IMPLEMENTED */
	589	return FAIL;
	590	}
	591
	592	/*************************************************
	593	* Diagnostic API *
	594	*************************************************/
	595
	596	void
	597	auth_heimdal_gssapi_version_report(FILE *f)
	598	{
	599	/* No build-time constants available unless we link against libraries at
	600	build-time and export the result as a string into a header ourselves. */
	601	fprintf(f, "Library version: Heimdal: Runtime: %s\n"
	602	" Build Info: %s\n",
	603	heimdal_version, heimdal_long_version);
	604	}
	605
d185889f	606	#endif /!MACRO_PREDEF/
dde3daac PP	607	#endif /* AUTH_HEIMDAL_GSSAPI */
	608
	609	/* End of heimdal_gssapi.c */