[exim.git] / src / src / auths / heimdal_gssapi.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */

/* Copyright (c) Twitter Inc 2012
   Author: Phil Pennock <pdp@exim.org> */
/* Copyright (c) Phil Pennock 2012 */

/* Interface to Heimdal library for GSSAPI authentication. */

/* Naming and rationale

Sensibly, this integration would be deferred to a SASL library, but none
of them appear to offer keytab file selection interfaces in their APIs.  It
might be that this driver only requires minor modification to work with MIT
Kerberos.

Heimdal provides a number of interfaces for various forms of authentication.
As GS2 does not appear to provide keytab control interfaces either, we may
end up supporting that too.  It's possible that we could trivially expand to
support NTLM support via Heimdal, etc.  Rather than try to be too generic
immediately, this driver is directly only supporting GSSAPI.

Without rename, we could add an option for GS2 support in the future.
*/

/* Sources

* mailcheck-imap (Perl, client-side, written by me years ago)
* gsasl driver (GPL, server-side)
* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
  semantics, that found by browsing Heimdal source to find how to set the keytab; however,
  after multiple attempts I failed to get that to work and instead switched to
  gsskrb5_register_acceptor_identity().
*/

#include "../exim.h"

#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>

/* for the _init debugging */
#include <krb5.h>

#include "heimdal_gssapi.h"

/* Authenticator-specific options. */
optionlist auth_heimdal_gssapi_options[] = {
  { "server_hostname",      opt_stringptr,
      OPT_OFF(auth_heimdal_gssapi_options_block, server_hostname) },
  { "server_keytab",        opt_stringptr,
      OPT_OFF(auth_heimdal_gssapi_options_block, server_keytab) },
  { "server_service",       opt_stringptr,
      OPT_OFF(auth_heimdal_gssapi_options_block, server_service) }
};

int auth_heimdal_gssapi_options_count =
  sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);

/* Defaults for the authenticator-specific options. */
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
  US"$primary_hostname",    /* server_hostname */
  NULL,                     /* server_keytab */
  US"smtp",                 /* server_service */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_heimdal_gssapi_init(auth_instance *ablock) {}
int auth_heimdal_gssapi_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_heimdal_gssapi_client(auth_instance *ablock, void * sx,
  int timeout, uschar *buffer, int buffsize) {return 0;}
void auth_heimdal_gssapi_version_report(FILE *f) {}

#else   /*!MACRO_PREDEF*/


/* "Globals" for managing the heimdal_gssapi interface. */

/* Utility functions */
static void
  exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
static int
  exim_gssapi_error_defer(rmark, OM_uint32, OM_uint32, const char *, ...)
    PRINTF_FUNCTION(4, 5);

#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

/* Heimdal provides a GSSAPI extension method for setting the keytab;
in the init, we mostly just use raw krb5 methods so that we can report
the keytab contents, for -D+auth debugging. */

void
auth_heimdal_gssapi_init(auth_instance *ablock)
{
krb5_context context;
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_error_code krc;
char *principal, *enctype_s;
const char *k_keytab_typed_name = NULL;
auth_heimdal_gssapi_options_block *ob =
  (auth_heimdal_gssapi_options_block *)(ablock->options_block);

ablock->server = FALSE;
ablock->client = FALSE;

if (!ob->server_service || !*ob->server_service)
  {
  HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
  return;
  }

if ((krc = krb5_init_context(&context)))
  {
  int kerr = errno;
  HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
      strerror(kerr));
  return;
  }

if (ob->server_keytab)
  {
  k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
  HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
  if ((krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab)))
    {
    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
    return;
    }
  }
else
 {
  HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
  if ((krc = krb5_kt_default(context, &keytab)))
    {
    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
    return;
    }
  }

HDEBUG(D_auth)
  {
  /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
  if ((krc = krb5_kt_start_seq_get(context, keytab, &cursor)))
    exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
  else
    {
    while (!(krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)))
      {
      principal = enctype_s = NULL;
      krb5_unparse_name(context, entry.principal, &principal);
      krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
      debug_printf("heimdal: keytab principal: %s  vno=%d  type=%s\n",
	  principal ? principal : "??",
	  entry.vno,
	  enctype_s ? enctype_s : "??");
      free(principal);
      free(enctype_s);
      krb5_kt_free_entry(context, &entry);
      }
    if ((krc = krb5_kt_end_seq_get(context, keytab, &cursor)))
      exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
    }
  }

if ((krc = krb5_kt_close(context, keytab)))
  HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);

krb5_free_context(context);

ablock->server = TRUE;
}


static void
exim_heimdal_error_debug(const char *label,
    krb5_context context, krb5_error_code err)
{
const char *kerrsc;
kerrsc = krb5_get_error_message(context, err);
debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
krb5_free_error_message(context, kerrsc);
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* GSSAPI notes:
OM_uint32: portable type for unsigned int32
gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
  -- all strings/etc passed in should go through one of these
  -- when allocated by gssapi, release with gss_release_buffer()
*/

int
auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
{
gss_name_t gclient = GSS_C_NO_NAME;
gss_name_t gserver = GSS_C_NO_NAME;
gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
uschar *ex_server_str;
gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
gss_OID mech_type;
OM_uint32 maj_stat, min_stat;
int step, error_out;
uschar *tmp1, *tmp2, *from_client;
auth_heimdal_gssapi_options_block *ob =
  (auth_heimdal_gssapi_options_block *)(ablock->options_block);
BOOL handled_empty_ir;
rmark store_reset_point;
uschar *keytab;
uschar sasl_config[4];
uschar requested_qop;

store_reset_point = store_mark();

HDEBUG(D_auth)
  debug_printf("heimdal: initialising auth context for %s\n", ablock->name);

/* Construct our gss_name_t gserver describing ourselves */
tmp1 = expand_string(ob->server_service);
tmp2 = expand_string(ob->server_hostname);
ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
gbufdesc.value = (void *) ex_server_str;
gbufdesc.length = Ustrlen(ex_server_str);
maj_stat = gss_import_name(&min_stat,
    &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
if (GSS_ERROR(maj_stat))
  return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
      "gss_import_name(%s)", CS gbufdesc.value);

/* Use a specific keytab, if specified */
if (ob->server_keytab) 
  {
  keytab = expand_string(ob->server_keytab);
  maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
  if (GSS_ERROR(maj_stat))
    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	"registering keytab \"%s\"", keytab);
  HDEBUG(D_auth)
    debug_printf("heimdal: using keytab \"%s\"\n", keytab);
  }

/* Acquire our credentials */
maj_stat = gss_acquire_cred(&min_stat,
    gserver,             /* desired name */
    0,                   /* time */
    GSS_C_NULL_OID_SET,  /* desired mechs */
    GSS_C_ACCEPT,        /* cred usage */
    &gcred,              /* handle */
    NULL                 /* actual mechs */,
    NULL                 /* time rec */);
if (GSS_ERROR(maj_stat))
  return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
      "gss_acquire_cred(%s)", ex_server_str);

maj_stat = gss_release_name(&min_stat, &gserver);

HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");

/* Loop talking to client */
step = 0;
from_client = initial_data;
handled_empty_ir = FALSE;
error_out = OK;

/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
(big_buffer starts life at the MUST size of 16KB). */

/* step values
0: getting initial data from client to feed into GSSAPI
1: iterating for as long as GSS_S_CONTINUE_NEEDED
2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
3: unpick final auth message from client
4: break/finish (non-step)
*/
while (step < 4)
  switch (step)
    {
    case 0:
      if (!from_client || !*from_client)
        {
	if (handled_empty_ir)
	  {
	  HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
	  error_out = BAD64;
	  goto ERROR_OUT;
	  }

	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
	error_out = auth_get_data(&from_client, US"", 0);
	if (error_out != OK)
	  goto ERROR_OUT;
	handled_empty_ir = TRUE;
	continue;
	}
      /* We should now have the opening data from the client, base64-encoded. */
      step += 1;
      HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
      break;

    case 1:
      gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
      if (gclient)
        {
	maj_stat = gss_release_name(&min_stat, &gclient);
	gclient = GSS_C_NO_NAME;
	}
      maj_stat = gss_accept_sec_context(&min_stat,
	  &gcontext,          /* context handle */
	  gcred,              /* acceptor cred handle */
	  &gbufdesc_in,       /* input from client */
	  GSS_C_NO_CHANNEL_BINDINGS,  /* XXX fixme: use the channel bindings from GnuTLS */
	  &gclient,           /* client identifier */
	  &mech_type,         /* mechanism in use */
	  &gbufdesc_out,      /* output to send to client */
	  NULL,               /* return flags */
	  NULL,               /* time rec */
	  NULL                /* delegated cred_handle */
	  );
      if (GSS_ERROR(maj_stat))
        {
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_accept_sec_context()");
	error_out = FAIL;
	goto ERROR_OUT;
	}
      if (gbufdesc_out.length != 0)
        {
	error_out = auth_get_data(&from_client,
	    gbufdesc_out.value, gbufdesc_out.length);
	if (error_out != OK)
	  goto ERROR_OUT;

	gss_release_buffer(&min_stat, &gbufdesc_out);
	EmptyBuf(gbufdesc_out);
	}
      if (maj_stat == GSS_S_COMPLETE)
        {
	step += 1;
	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
	}
      else
	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
      break;

    case 2:
      memset(sasl_config, 0xFF, 4);
      /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
      0x01 No security layer
      0x02 Integrity protection
      0x04 Confidentiality protection

      The remaining three octets are the maximum buffer size for wrapped
      content. */
      sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
      gbufdesc.value = (void *) sasl_config;
      gbufdesc.length = 4;
      maj_stat = gss_wrap(&min_stat,
	  gcontext,
	  0,                    /* conf_req_flag: integrity only */
	  GSS_C_QOP_DEFAULT,    /* qop requested */
	  &gbufdesc,            /* message to protect */
	  NULL,                 /* conf_state: no confidentiality applied */
	  &gbufdesc_out         /* output buffer */
	  );
      if (GSS_ERROR(maj_stat))
        {
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_wrap(SASL state after auth)");
	error_out = FAIL;
	goto ERROR_OUT;
	}

      HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");

      error_out = auth_get_data(&from_client,
	  gbufdesc_out.value, gbufdesc_out.length);
      if (error_out != OK)
	goto ERROR_OUT;

      gss_release_buffer(&min_stat, &gbufdesc_out);
      EmptyBuf(gbufdesc_out);
      step += 1;
      break;

    case 3:
      gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
      maj_stat = gss_unwrap(&min_stat,
	  gcontext,
	  &gbufdesc_in,       /* data from client */
	  &gbufdesc_out,      /* results */
	  NULL,               /* conf state */
	  NULL                /* qop state */
	  );
      if (GSS_ERROR(maj_stat))
        {
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_unwrap(final SASL message from client)");
	error_out = FAIL;
	goto ERROR_OUT;
	}
      if (gbufdesc_out.length < 4)
        {
	HDEBUG(D_auth)
	  debug_printf("gssapi: final message too short; "
	      "need flags, buf sizes and optional authzid\n");
	error_out = FAIL;
	goto ERROR_OUT;
	}

      requested_qop = (CS gbufdesc_out.value)[0];
      if (!(requested_qop & 0x01))
        {
	HDEBUG(D_auth)
	  debug_printf("gssapi: client requested security layers (%x)\n",
	      (unsigned int) requested_qop);
	error_out = FAIL;
	goto ERROR_OUT;
	}

      for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
      expand_nmax = 0;

      /* Identifiers:
      The SASL provided identifier is an unverified authzid.
      GSSAPI provides us with a verified identifier, but it might be empty
      for some clients.
      */

      /* $auth2 is authzid requested at SASL layer */
      if (gbufdesc_out.length > 4)
        {
	expand_nlength[2] = gbufdesc_out.length - 4;
	auth_vars[1] = expand_nstring[2] =
	  string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
	expand_nmax = 2;
	}

      gss_release_buffer(&min_stat, &gbufdesc_out);
      EmptyBuf(gbufdesc_out);

      /* $auth1 is GSSAPI display name */
      maj_stat = gss_display_name(&min_stat,
	  gclient, &gbufdesc_out, &mech_type);
      if (GSS_ERROR(maj_stat))
        {
	auth_vars[1] = expand_nstring[2] = NULL;
	expand_nmax = 0;
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_display_name(client identifier)");
	error_out = FAIL;
	goto ERROR_OUT;
	}

      expand_nlength[1] = gbufdesc_out.length;
      auth_vars[0] = expand_nstring[1] =
	string_copyn(gbufdesc_out.value, gbufdesc_out.length);

      if (expand_nmax == 0)	/* should be: authzid was empty */
	{
	expand_nmax = 2;
	expand_nlength[2] = expand_nlength[1];
	auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
	HDEBUG(D_auth)
	  debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
	}

      HDEBUG(D_auth)
	debug_printf("heimdal SASL: happy with client request\n"
	   "  auth1 (verified GSSAPI display-name): \"%s\"\n"
	   "  auth2 (unverified SASL requested authzid): \"%s\"\n",
	   auth_vars[0], auth_vars[1]);

      step += 1;
      break;

    } /* switch */
  /* while step */


ERROR_OUT:
maj_stat = gss_release_cred(&min_stat, &gcred);
if (gclient)
  {
  gss_release_name(&min_stat, &gclient);
  gclient = GSS_C_NO_NAME;
  }
if (gbufdesc_out.length)
  {
  gss_release_buffer(&min_stat, &gbufdesc_out);
  EmptyBuf(gbufdesc_out);
  }
if (gcontext != GSS_C_NO_CONTEXT)
  gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);

store_reset(store_reset_point);

if (error_out != OK)
  return error_out;

/* Auth succeeded, check server_condition */
return auth_check_serv_cond(ablock);
}


static int
exim_gssapi_error_defer(rmark store_reset_point,
    OM_uint32 major, OM_uint32 minor,
    const char *format, ...)
{
va_list ap;
OM_uint32 maj_stat, min_stat;
OM_uint32 msgcontext = 0;
gss_buffer_desc status_string;
gstring * g;

HDEBUG(D_auth)
  {
  va_start(ap, format);
  g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
  va_end(ap);
  }

auth_defer_msg = NULL;

do {
  maj_stat = gss_display_status(&min_stat,
      major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);

  if (!auth_defer_msg)
    auth_defer_msg = string_copy(US status_string.value);

  HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
      string_from_gstring(g), (int)status_string.length,
      CS status_string.value);
  gss_release_buffer(&min_stat, &status_string);

  } while (msgcontext != 0);

if (store_reset_point)
  store_reset(store_reset_point);
return DEFER;
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_heimdal_gssapi_client(
  auth_instance *ablock,                 /* authenticator block */
  void * sx,				 /* connection */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
HDEBUG(D_auth)
  debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
/* NOT IMPLEMENTED */
return FAIL;
}

/*************************************************
*                Diagnostic API                  *
*************************************************/

void
auth_heimdal_gssapi_version_report(FILE *f)
{
/* No build-time constants available unless we link against libraries at
build-time and export the result as a string into a header ourselves. */
fprintf(f, "Library version: Heimdal: Runtime: %s\n"
	   " Build Info: %s\n",
	heimdal_version, heimdal_long_version);
}

#endif   /*!MACRO_PREDEF*/
#endif  /* AUTH_HEIMDAL_GSSAPI */

/* End of heimdal_gssapi.c */
Commit	Line	Data
dde3daac PP	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
f9ba5e22	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
dde3daac PP	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Copyright (c) Twitter Inc 2012
	9	Author: Phil Pennock <pdp@exim.org> */
f35771fe	10	/* Copyright (c) Phil Pennock 2012 */
dde3daac	11
b245b4a5	12	/* Interface to Heimdal library for GSSAPI authentication. */
dde3daac PP	13
	14	/* Naming and rationale
	15
	16	Sensibly, this integration would be deferred to a SASL library, but none
	17	of them appear to offer keytab file selection interfaces in their APIs. It
	18	might be that this driver only requires minor modification to work with MIT
	19	Kerberos.
	20
	21	Heimdal provides a number of interfaces for various forms of authentication.
	22	As GS2 does not appear to provide keytab control interfaces either, we may
	23	end up supporting that too. It's possible that we could trivially expand to
	24	support NTLM support via Heimdal, etc. Rather than try to be too generic
	25	immediately, this driver is directly only supporting GSSAPI.
	26
	27	Without rename, we could add an option for GS2 support in the future.
	28	*/
	29
	30	/* Sources
	31
	32	* mailcheck-imap (Perl, client-side, written by me years ago)
	33	* gsasl driver (GPL, server-side)
	34	* heimdal sources and man-pages, plus http://www.h5l.org/manual/
	35	* FreeBSD man-pages (very informative!)
	36	* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
b245b4a5 PP	37	semantics, that found by browsing Heimdal source to find how to set the keytab; however,
	38	after multiple attempts I failed to get that to work and instead switched to
	39	gsskrb5_register_acceptor_identity().
dde3daac PP	40	*/
	41
	42	#include "../exim.h"
	43
	44	#ifndef AUTH_HEIMDAL_GSSAPI
	45	/* dummy function to satisfy compilers when we link in an "empty" file. */
e1d15f5e JH	46	static void dummy(int x);
	47	static void dummy2(int x) { dummy(x-1); }
	48	static void dummy(int x) { dummy2(x-1); }
dde3daac PP	49	#else
	50
	51	#include <gssapi/gssapi.h>
	52	#include <gssapi/gssapi_krb5.h>
	53
	54	/* for the _init debugging */
	55	#include <krb5.h>
	56
dde3daac PP	57	#include "heimdal_gssapi.h"
	58
	59	/* Authenticator-specific options. */
	60	optionlist auth_heimdal_gssapi_options[] = {
	61	{ "server_hostname", opt_stringptr,
13a4b4c1	62	OPT_OFF(auth_heimdal_gssapi_options_block, server_hostname) },
dde3daac	63	{ "server_keytab", opt_stringptr,
13a4b4c1	64	OPT_OFF(auth_heimdal_gssapi_options_block, server_keytab) },
dde3daac	65	{ "server_service", opt_stringptr,
13a4b4c1	66	OPT_OFF(auth_heimdal_gssapi_options_block, server_service) }
dde3daac PP	67	};
	68
	69	int auth_heimdal_gssapi_options_count =
	70	sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
	71
	72	/* Defaults for the authenticator-specific options. */
	73	auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
	74	US"$primary_hostname", /* server_hostname */
	75	NULL, /* server_keytab */
dde3daac PP	76	US"smtp", /* server_service */
	77	};
	78
d185889f JH	79
	80	#ifdef MACRO_PREDEF
	81
	82	/* Dummy values */
aab9a843 PP	83	void auth_heimdal_gssapi_init(auth_instance *ablock) {}
aab9a843 PP	84	int auth_heimdal_gssapi_server(auth_instance ablock, uschar data) {return 0;}
251b9eb4 JH	85	int auth_heimdal_gssapi_client(auth_instance ablock, void sx,
251b9eb4 JH	86	int timeout, uschar *buffer, int buffsize) {return 0;}
f9df71c0	87	void auth_heimdal_gssapi_version_report(FILE *f) {}
d185889f JH	88
	89	#else /!MACRO_PREDEF/
	90
	91
	92
dde3daac PP	93	/* "Globals" for managing the heimdal_gssapi interface. */
dde3daac PP	94
dde3daac PP	95	/* Utility functions */
	96	static void
	97	exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
	98	static int
f3ebb786	99	exim_gssapi_error_defer(rmark, OM_uint32, OM_uint32, const char *, ...)
dde3daac PP	100	PRINTF_FUNCTION(4, 5);
	101
	102	#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
	103
	104
	105	/*************************************************
	106	* Initialization entry point *
	107	*************************************************/
	108
	109	/* Called for each instance, after its options have been read, to
	110	enable consistency checks to be done, or anything else that needs
	111	to be set up. */
	112
b245b4a5 PP	113	/* Heimdal provides a GSSAPI extension method for setting the keytab;
b245b4a5 PP	114	in the init, we mostly just use raw krb5 methods so that we can report
dde3daac PP	115	the keytab contents, for -D+auth debugging. */
	116
	117	void
	118	auth_heimdal_gssapi_init(auth_instance *ablock)
	119	{
d7978c0f JH	120	krb5_context context;
	121	krb5_keytab keytab;
	122	krb5_kt_cursor cursor;
	123	krb5_keytab_entry entry;
	124	krb5_error_code krc;
	125	char principal, enctype_s;
	126	const char *k_keytab_typed_name = NULL;
	127	auth_heimdal_gssapi_options_block *ob =
	128	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
	129
	130	ablock->server = FALSE;
	131	ablock->client = FALSE;
	132
	133	if (!ob->server_service \|\| !*ob->server_service)
	134	{
	135	HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
	136	return;
870ce70e	137	}
dde3daac	138
870ce70e	139	if ((krc = krb5_init_context(&context)))
d7978c0f JH	140	{
	141	int kerr = errno;
	142	HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
	143	strerror(kerr));
	144	return;
dde3daac PP	145	}
dde3daac PP	146
d7978c0f JH	147	if (ob->server_keytab)
	148	{
	149	k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
	150	HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
870ce70e	151	if ((krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab)))
d7978c0f JH	152	{
	153	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
	154	return;
dde3daac	155	}
d7978c0f JH	156	}
	157	else
	158	{
	159	HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
870ce70e	160	if ((krc = krb5_kt_default(context, &keytab)))
d7978c0f JH	161	{
	162	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
	163	return;
dde3daac PP	164	}
	165	}
	166
d7978c0f JH	167	HDEBUG(D_auth)
	168	{
	169	/* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
870ce70e	170	if ((krc = krb5_kt_start_seq_get(context, keytab, &cursor)))
d7978c0f JH	171	exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
	172	else
	173	{
870ce70e	174	while (!(krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)))
d7978c0f JH	175	{
	176	principal = enctype_s = NULL;
	177	krb5_unparse_name(context, entry.principal, &principal);
	178	krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
	179	debug_printf("heimdal: keytab principal: %s vno=%d type=%s\n",
	180	principal ? principal : "??",
	181	entry.vno,
	182	enctype_s ? enctype_s : "??");
	183	free(principal);
	184	free(enctype_s);
	185	krb5_kt_free_entry(context, &entry);
dde3daac	186	}
870ce70e	187	if ((krc = krb5_kt_end_seq_get(context, keytab, &cursor)))
d7978c0f	188	exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
dde3daac PP	189	}
	190	}
	191
870ce70e	192	if ((krc = krb5_kt_close(context, keytab)))
d7978c0f	193	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
dde3daac	194
d7978c0f	195	krb5_free_context(context);
dde3daac	196
d7978c0f	197	ablock->server = TRUE;
dde3daac PP	198	}
	199
	200
	201	static void
	202	exim_heimdal_error_debug(const char *label,
	203	krb5_context context, krb5_error_code err)
	204	{
d7978c0f JH	205	const char *kerrsc;
	206	kerrsc = krb5_get_error_message(context, err);
	207	debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
	208	krb5_free_error_message(context, kerrsc);
dde3daac PP	209	}
	210
	211	/*************************************************
	212	* Server entry point *
	213	*************************************************/
	214
	215	/* For interface, see auths/README */
	216
	217	/* GSSAPI notes:
	218	OM_uint32: portable type for unsigned int32
	219	gss_buffer_desc / gss_buffer_t: hold/point-to size_t .length & void value
	220	-- all strings/etc passed in should go through one of these
	221	-- when allocated by gssapi, release with gss_release_buffer()
	222	*/
	223
	224	int
	225	auth_heimdal_gssapi_server(auth_instance ablock, uschar initial_data)
	226	{
d7978c0f JH	227	gss_name_t gclient = GSS_C_NO_NAME;
	228	gss_name_t gserver = GSS_C_NO_NAME;
	229	gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
	230	gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
	231	uschar *ex_server_str;
	232	gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
	233	gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
	234	gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
	235	gss_OID mech_type;
	236	OM_uint32 maj_stat, min_stat;
	237	int step, error_out;
	238	uschar tmp1, tmp2, *from_client;
	239	auth_heimdal_gssapi_options_block *ob =
	240	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
	241	BOOL handled_empty_ir;
f3ebb786	242	rmark store_reset_point;
d7978c0f JH	243	uschar *keytab;
	244	uschar sasl_config[4];
	245	uschar requested_qop;
	246
f3ebb786	247	store_reset_point = store_mark();
d7978c0f JH	248
	249	HDEBUG(D_auth)
	250	debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
	251
	252	/* Construct our gss_name_t gserver describing ourselves */
	253	tmp1 = expand_string(ob->server_service);
	254	tmp2 = expand_string(ob->server_hostname);
	255	ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
	256	gbufdesc.value = (void *) ex_server_str;
	257	gbufdesc.length = Ustrlen(ex_server_str);
	258	maj_stat = gss_import_name(&min_stat,
	259	&gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
	260	if (GSS_ERROR(maj_stat))
	261	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	262	"gss_import_name(%s)", CS gbufdesc.value);
	263
	264	/* Use a specific keytab, if specified */
	265	if (ob->server_keytab)
	266	{
	267	keytab = expand_string(ob->server_keytab);
	268	maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
dde3daac PP	269	if (GSS_ERROR(maj_stat))
dde3daac PP	270	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
d7978c0f JH	271	"registering keytab \"%s\"", keytab);
	272	HDEBUG(D_auth)
	273	debug_printf("heimdal: using keytab \"%s\"\n", keytab);
dde3daac PP	274	}
dde3daac PP	275
d7978c0f JH	276	/* Acquire our credentials */
	277	maj_stat = gss_acquire_cred(&min_stat,
	278	gserver, /* desired name */
	279	0, /* time */
	280	GSS_C_NULL_OID_SET, /* desired mechs */
	281	GSS_C_ACCEPT, /* cred usage */
	282	&gcred, /* handle */
	283	NULL /* actual mechs */,
	284	NULL /* time rec */);
	285	if (GSS_ERROR(maj_stat))
	286	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	287	"gss_acquire_cred(%s)", ex_server_str);
	288
	289	maj_stat = gss_release_name(&min_stat, &gserver);
	290
	291	HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
	292
	293	/* Loop talking to client */
	294	step = 0;
	295	from_client = initial_data;
	296	handled_empty_ir = FALSE;
	297	error_out = OK;
	298
	299	/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
	300	GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
	301	(big_buffer starts life at the MUST size of 16KB). */
	302
	303	/* step values
	304	0: getting initial data from client to feed into GSSAPI
	305	1: iterating for as long as GSS_S_CONTINUE_NEEDED
	306	2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
	307	3: unpick final auth message from client
	308	4: break/finish (non-step)
	309	*/
	310	while (step < 4)
	311	switch (step)
	312	{
	313	case 0:
870ce70e	314	if (!from_client \|\| !*from_client)
d7978c0f JH	315	{
	316	if (handled_empty_ir)
	317	{
	318	HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
	319	error_out = BAD64;
	320	goto ERROR_OUT;
	321	}
870ce70e JH	322
	323	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
	324	error_out = auth_get_data(&from_client, US"", 0);
	325	if (error_out != OK)
	326	goto ERROR_OUT;
	327	handled_empty_ir = TRUE;
	328	continue;
d7978c0f JH	329	}
	330	/* We should now have the opening data from the client, base64-encoded. */
	331	step += 1;
	332	HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
	333	break;
	334
	335	case 1:
	336	gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
	337	if (gclient)
	338	{
	339	maj_stat = gss_release_name(&min_stat, &gclient);
	340	gclient = GSS_C_NO_NAME;
	341	}
	342	maj_stat = gss_accept_sec_context(&min_stat,
	343	&gcontext, /* context handle */
	344	gcred, /* acceptor cred handle */
	345	&gbufdesc_in, /* input from client */
	346	GSS_C_NO_CHANNEL_BINDINGS, /* XXX fixme: use the channel bindings from GnuTLS */
	347	&gclient, /* client identifier */
	348	&mech_type, /* mechanism in use */
	349	&gbufdesc_out, /* output to send to client */
	350	NULL, /* return flags */
	351	NULL, /* time rec */
	352	NULL /* delegated cred_handle */
	353	);
	354	if (GSS_ERROR(maj_stat))
	355	{
	356	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	357	"gss_accept_sec_context()");
	358	error_out = FAIL;
	359	goto ERROR_OUT;
	360	}
	361	if (gbufdesc_out.length != 0)
	362	{
	363	error_out = auth_get_data(&from_client,
	364	gbufdesc_out.value, gbufdesc_out.length);
	365	if (error_out != OK)
	366	goto ERROR_OUT;
	367
	368	gss_release_buffer(&min_stat, &gbufdesc_out);
	369	EmptyBuf(gbufdesc_out);
	370	}
	371	if (maj_stat == GSS_S_COMPLETE)
	372	{
	373	step += 1;
	374	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
	375	}
	376	else
	377	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
	378	break;
	379
	380	case 2:
	381	memset(sasl_config, 0xFF, 4);
	382	/* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
	383	0x01 No security layer
	384	0x02 Integrity protection
	385	0x04 Confidentiality protection
	386
	387	The remaining three octets are the maximum buffer size for wrapped
	388	content. */
	389	sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
	390	gbufdesc.value = (void *) sasl_config;
	391	gbufdesc.length = 4;
	392	maj_stat = gss_wrap(&min_stat,
393	gcontext,
394	0, /* conf_req_flag: integrity only */
395	GSS_C_QOP_DEFAULT, /* qop requested */
396	&gbufdesc, /* message to protect */
397	NULL, /* conf_state: no confidentiality applied */
398	&gbufdesc_out /* output buffer */
399	);
5031095f	400	if (GSS_ERROR(maj_stat))
d7978c0f JH	401	{
	402	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	403	"gss_wrap(SASL state after auth)");
	404	error_out = FAIL;
	405	goto ERROR_OUT;
	406	}
	407
	408	HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
	409
	410	error_out = auth_get_data(&from_client,
	411	gbufdesc_out.value, gbufdesc_out.length);
	412	if (error_out != OK)
	413	goto ERROR_OUT;
	414
	415	gss_release_buffer(&min_stat, &gbufdesc_out);
	416	EmptyBuf(gbufdesc_out);
	417	step += 1;
	418	break;
	419
	420	case 3:
	421	gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
	422	maj_stat = gss_unwrap(&min_stat,
	423	gcontext,
	424	&gbufdesc_in, /* data from client */
	425	&gbufdesc_out, /* results */
	426	NULL, /* conf state */
	427	NULL /* qop state */
	428	);
	429	if (GSS_ERROR(maj_stat))
	430	{
	431	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	432	"gss_unwrap(final SASL message from client)");
	433	error_out = FAIL;
	434	goto ERROR_OUT;
	435	}
	436	if (gbufdesc_out.length < 4)
	437	{
	438	HDEBUG(D_auth)
	439	debug_printf("gssapi: final message too short; "
	440	"need flags, buf sizes and optional authzid\n");
	441	error_out = FAIL;
	442	goto ERROR_OUT;
	443	}
	444
	445	requested_qop = (CS gbufdesc_out.value)[0];
870ce70e	446	if (!(requested_qop & 0x01))
d7978c0f JH	447	{
	448	HDEBUG(D_auth)
	449	debug_printf("gssapi: client requested security layers (%x)\n",
	450	(unsigned int) requested_qop);
	451	error_out = FAIL;
	452	goto ERROR_OUT;
	453	}
	454
	455	for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
	456	expand_nmax = 0;
	457
	458	/* Identifiers:
	459	The SASL provided identifier is an unverified authzid.
	460	GSSAPI provides us with a verified identifier, but it might be empty
	461	for some clients.
	462	*/
	463
	464	/* $auth2 is authzid requested at SASL layer */
	465	if (gbufdesc_out.length > 4)
	466	{
	467	expand_nlength[2] = gbufdesc_out.length - 4;
	468	auth_vars[1] = expand_nstring[2] =
	469	string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
	470	expand_nmax = 2;
	471	}
	472
	473	gss_release_buffer(&min_stat, &gbufdesc_out);
	474	EmptyBuf(gbufdesc_out);
	475
	476	/* $auth1 is GSSAPI display name */
	477	maj_stat = gss_display_name(&min_stat,
870ce70e	478	gclient, &gbufdesc_out, &mech_type);
d7978c0f JH	479	if (GSS_ERROR(maj_stat))
	480	{
	481	auth_vars[1] = expand_nstring[2] = NULL;
	482	expand_nmax = 0;
	483	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	484	"gss_display_name(client identifier)");
	485	error_out = FAIL;
	486	goto ERROR_OUT;
	487	}
	488
	489	expand_nlength[1] = gbufdesc_out.length;
	490	auth_vars[0] = expand_nstring[1] =
	491	string_copyn(gbufdesc_out.value, gbufdesc_out.length);
	492
	493	if (expand_nmax == 0) /* should be: authzid was empty */
	494	{
	495	expand_nmax = 2;
	496	expand_nlength[2] = expand_nlength[1];
	497	auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
	498	HDEBUG(D_auth)
	499	debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
	500	}
	501
	502	HDEBUG(D_auth)
	503	debug_printf("heimdal SASL: happy with client request\n"
	504	" auth1 (verified GSSAPI display-name): \"%s\"\n"
	505	" auth2 (unverified SASL requested authzid): \"%s\"\n",
	506	auth_vars[0], auth_vars[1]);
	507
	508	step += 1;
	509	break;
dde3daac PP	510
dde3daac PP	511	} /* switch */
d7978c0f	512	/* while step */
dde3daac PP	513
	514
	515	ERROR_OUT:
d7978c0f JH	516	maj_stat = gss_release_cred(&min_stat, &gcred);
	517	if (gclient)
	518	{
	519	gss_release_name(&min_stat, &gclient);
	520	gclient = GSS_C_NO_NAME;
dde3daac	521	}
d7978c0f JH	522	if (gbufdesc_out.length)
	523	{
	524	gss_release_buffer(&min_stat, &gbufdesc_out);
	525	EmptyBuf(gbufdesc_out);
dde3daac	526	}
d7978c0f JH	527	if (gcontext != GSS_C_NO_CONTEXT)
d7978c0f JH	528	gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
dde3daac	529
d7978c0f	530	store_reset(store_reset_point);
dde3daac	531
d7978c0f JH	532	if (error_out != OK)
d7978c0f JH	533	return error_out;
dde3daac	534
d7978c0f JH	535	/* Auth succeeded, check server_condition */
d7978c0f JH	536	return auth_check_serv_cond(ablock);
dde3daac PP	537	}
	538
	539
	540	static int
f3ebb786	541	exim_gssapi_error_defer(rmark store_reset_point,
dde3daac PP	542	OM_uint32 major, OM_uint32 minor,
	543	const char *format, ...)
	544	{
d7978c0f JH	545	va_list ap;
	546	OM_uint32 maj_stat, min_stat;
	547	OM_uint32 msgcontext = 0;
	548	gss_buffer_desc status_string;
	549	gstring * g;
	550
	551	HDEBUG(D_auth)
	552	{
	553	va_start(ap, format);
f3ebb786	554	g = string_vformat(NULL, SVFMT_EXTEND\|SVFMT_REBUFFER, format, ap);
d7978c0f JH	555	va_end(ap);
d7978c0f JH	556	}
dde3daac	557
d7978c0f	558	auth_defer_msg = NULL;
dde3daac	559
d7978c0f JH	560	do {
	561	maj_stat = gss_display_status(&min_stat,
	562	major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);
dde3daac	563
d7978c0f JH	564	if (!auth_defer_msg)
d7978c0f JH	565	auth_defer_msg = string_copy(US status_string.value);
dde3daac	566
d7978c0f JH	567	HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
	568	string_from_gstring(g), (int)status_string.length,
	569	CS status_string.value);
	570	gss_release_buffer(&min_stat, &status_string);
dde3daac PP	571
	572	} while (msgcontext != 0);
	573
d7978c0f JH	574	if (store_reset_point)
	575	store_reset(store_reset_point);
	576	return DEFER;
dde3daac PP	577	}
	578
	579
	580	/*************************************************
	581	* Client entry point *
	582	*************************************************/
	583
	584	/* For interface, see auths/README */
	585
	586	int
	587	auth_heimdal_gssapi_client(
	588	auth_instance ablock, / authenticator block */
251b9eb4	589	void * sx, /* connection */
dde3daac PP	590	int timeout, /* command timeout */
	591	uschar buffer, / buffer for reading response */
	592	int buffsize) /* size of buffer */
	593	{
d7978c0f JH	594	HDEBUG(D_auth)
	595	debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
	596	/* NOT IMPLEMENTED */
	597	return FAIL;
dde3daac PP	598	}
	599
	600	/*************************************************
	601	* Diagnostic API *
	602	*************************************************/
	603
	604	void
	605	auth_heimdal_gssapi_version_report(FILE *f)
	606	{
d7978c0f JH	607	/* No build-time constants available unless we link against libraries at
	608	build-time and export the result as a string into a header ourselves. */
	609	fprintf(f, "Library version: Heimdal: Runtime: %s\n"
	610	" Build Info: %s\n",
	611	heimdal_version, heimdal_long_version);
dde3daac PP	612	}
dde3daac PP	613
d185889f	614	#endif /!MACRO_PREDEF/
dde3daac PP	615	#endif /* AUTH_HEIMDAL_GSSAPI */
	616
	617	/* End of heimdal_gssapi.c */