[exim.git] / src / src / auths / heimdal_gssapi.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2012 */
/* See the file NOTICE for conditions of use and distribution. */

/* Copyright (c) Twitter Inc 2012
   Author: Phil Pennock <pdp@exim.org> */
/* Copyright (c) Phil Pennock 2012 */

/* Interface to Heimdal SASL library for GSSAPI authentication. */

/* Naming and rationale

Sensibly, this integration would be deferred to a SASL library, but none
of them appear to offer keytab file selection interfaces in their APIs.  It
might be that this driver only requires minor modification to work with MIT
Kerberos.

Heimdal provides a number of interfaces for various forms of authentication.
As GS2 does not appear to provide keytab control interfaces either, we may
end up supporting that too.  It's possible that we could trivially expand to
support NTLM support via Heimdal, etc.  Rather than try to be too generic
immediately, this driver is directly only supporting GSSAPI.

Without rename, we could add an option for GS2 support in the future.
*/

/* Sources

* mailcheck-imap (Perl, client-side, written by me years ago)
* gsasl driver (GPL, server-side)
* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
  semantics, that found by browsing Heimdal source to find how to set the keytab

*/

#include "../exim.h"

#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
static void dummy(int x) { dummy(x-1); }
#else

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>

/* for the _init debugging */
#include <krb5.h>

/* Because __gss_krb5_register_acceptor_identity_x_oid_desc is internal */
#include <roken.h>

#include "heimdal_gssapi.h"

/* Authenticator-specific options. */
optionlist auth_heimdal_gssapi_options[] = {
  { "server_hostname",      opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
  { "server_keytab",        opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
  { "server_realm",         opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) },
  { "server_service",       opt_stringptr,
      (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
};

int auth_heimdal_gssapi_options_count =
  sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);

/* Defaults for the authenticator-specific options. */
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
  US"$primary_hostname",    /* server_hostname */
  NULL,                     /* server_keytab */
  NULL,                     /* server_realm */
  US"smtp",                 /* server_service */
};

/* "Globals" for managing the heimdal_gssapi interface. */

/* Utility functions */
static void
  exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
static int
  exim_gssapi_error_defer(uschar *, OM_uint32, OM_uint32, const char *, ...)
    PRINTF_FUNCTION(4, 5);

#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

/* Heimdal provides a GSSAPI extension method (via an OID) for setting the
keytab; in the init, we mostly just use raw krb5 methods so that we can report
the keytab contents, for -D+auth debugging. */

void
auth_heimdal_gssapi_init(auth_instance *ablock)
{
  krb5_context context;
  krb5_keytab keytab;
  krb5_kt_cursor cursor;
  krb5_keytab_entry entry;
  krb5_error_code krc;
  char *principal, *enctype_s;
  const char *k_keytab_typed_name = NULL;
  auth_heimdal_gssapi_options_block *ob =
    (auth_heimdal_gssapi_options_block *)(ablock->options_block);

  ablock->server = FALSE;
  ablock->client = FALSE;

  if (!ob->server_service || !*ob->server_service) {
    HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
    return;
  }

  krc = krb5_init_context(&context);
  if (krc != 0) {
    int kerr = errno;
    HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
        strerror(kerr));
    return;
  }

  if (ob->server_keytab) {
    k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
    HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
    krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
    if (krc) {
      HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
      return;
    }
  } else {
    HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
    krc = krb5_kt_default(context, &keytab);
    if (krc) {
      HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
      return;
    }
  }

  HDEBUG(D_auth) {
    /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
    krc = krb5_kt_start_seq_get(context, keytab, &cursor);
    if (krc)
      exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
    else {
      while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
        principal = enctype_s = NULL;
        krb5_unparse_name(context, entry.principal, &principal);
        krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
        debug_printf("heimdal: keytab principal: %s  vno=%d  type=%s\n",
            principal ? principal : "??",
            entry.vno,
            enctype_s ? enctype_s : "??");
        free(principal);
        free(enctype_s);
        krb5_kt_free_entry(context, &entry);
      }
      krc = krb5_kt_end_seq_get(context, keytab, &cursor);
      if (krc)
        exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
    }
  }

  krc = krb5_kt_close(context, keytab);
  if (krc)
    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);

  krb5_free_context(context);

  /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
  if (big_buffer_size < (64 * 1024)) {
    uschar *newbuf;
    big_buffer_size = 64 * 1024;
    newbuf = store_malloc(big_buffer_size);
    store_free(big_buffer);
    big_buffer = newbuf;
  }

  ablock->server = TRUE;
}


static void
exim_heimdal_error_debug(const char *label,
    krb5_context context, krb5_error_code err)
{
  const char *kerrsc;
  kerrsc = krb5_get_error_message(context, err);
  debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
  krb5_free_error_message(context, kerrsc);
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* GSSAPI notes:
OM_uint32: portable type for unsigned int32
gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
  -- all strings/etc passed in should go through one of these
  -- when allocated by gssapi, release with gss_release_buffer()
*/

int
auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
{
  gss_name_t gclient = GSS_C_NO_NAME;
  gss_name_t gserver = GSS_C_NO_NAME;
  gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
  gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
  uschar *ex_server_str;
  gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
  gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
  gss_OID mech_type;
  OM_uint32 maj_stat, min_stat;
  int step, error_out, i;
  uschar *tmp1, *tmp2, *from_client;
  auth_heimdal_gssapi_options_block *ob =
    (auth_heimdal_gssapi_options_block *)(ablock->options_block);
  BOOL handled_empty_ir;
  uschar *store_reset_point;
  uschar *keytab;
  uschar sasl_config[4];
  uschar requested_qop;

  store_reset_point = store_get(0);

  HDEBUG(D_auth)
    debug_printf("heimdal: initialising auth context for %s\n", ablock->name);

  /* Construct our gss_name_t gserver describing ourselves */
  tmp1 = expand_string(ob->server_service);
  tmp2 = expand_string(ob->server_hostname);
  ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
  gbufdesc.value = (void *) ex_server_str;
  gbufdesc.length = Ustrlen(ex_server_str);
  maj_stat = gss_import_name(&min_stat,
      &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
  if (GSS_ERROR(maj_stat))
    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
        "gss_import_name(%s)", CS gbufdesc.value);

  /* Use a specific keytab, if specified */
  if (ob->server_keytab) {
    keytab = expand_string(ob->server_keytab);
    maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
    if (GSS_ERROR(maj_stat))
      return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
          "registering keytab \"%s\"", keytab);
    HDEBUG(D_auth)
      debug_printf("heimdal: using keytab \"%s\"\n", keytab);
  }

  /* Acquire our credentials */
  maj_stat = gss_acquire_cred(&min_stat,
      gserver,             /* desired name */
      0,                   /* time */
      GSS_C_NULL_OID_SET,  /* desired mechs */
      GSS_C_ACCEPT,        /* cred usage */
      &gcred,              /* handle */
      NULL                 /* actual mechs */,
      NULL                 /* time rec */);
  if (GSS_ERROR(maj_stat))
    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
        "gss_acquire_cred(%s)", ex_server_str);

  maj_stat = gss_release_name(&min_stat, &gserver);

  HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");

  /* Loop talking to client */
  step = 0;
  from_client = initial_data;
  handled_empty_ir = FALSE;
  error_out = OK;

  /* buffer sizes: auth_get_data() uses big_buffer, which we grow per
  GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
  (big_buffer starts life at the MUST size of 16KB). */

  /* step values
  0: getting initial data from client to feed into GSSAPI
  1: iterating for as long as GSS_S_CONTINUE_NEEDED
  2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
  3: unpick final auth message from client
  4: break/finish (non-step)
  */
  while (step < 4) {
    switch (step) {
      case 0:
        if (!from_client || *from_client == '\0') {
          if (handled_empty_ir) {
            HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
            error_out = BAD64;
            goto ERROR_OUT;
          } else {
            HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
            error_out = auth_get_data(&from_client, US"", 0);
            if (error_out != OK)
              goto ERROR_OUT;
            continue;
          }
        }
        /* We should now have the opening data from the client, base64-encoded. */
        step += 1;
        HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
        break;

      case 1:
        gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
        if (gclient) {
          maj_stat = gss_release_name(&min_stat, &gclient);
          gclient = GSS_C_NO_NAME;
        }
        maj_stat = gss_accept_sec_context(&min_stat,
            &gcontext,          /* context handle */
            gcred,              /* acceptor cred handle */
            &gbufdesc_in,       /* input from client */
            GSS_C_NO_CHANNEL_BINDINGS,  /* XXX fixme: use the channel bindings from GnuTLS */
            &gclient,           /* client identifier */
            &mech_type,         /* mechanism in use */
            &gbufdesc_out,      /* output to send to client */
            NULL,               /* return flags */
            NULL,               /* time rec */
            NULL                /* delegated cred_handle */
            );
        if (GSS_ERROR(maj_stat)) {
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_accept_sec_context()");
          error_out = FAIL;
          goto ERROR_OUT;
        }
        if (&gbufdesc_out.length != 0) {
          error_out = auth_get_data(&from_client,
              gbufdesc_out.value, gbufdesc_out.length);
          if (error_out != OK)
            goto ERROR_OUT;

          gss_release_buffer(&min_stat, &gbufdesc_out);
          EmptyBuf(gbufdesc_out);
        }
        if (maj_stat == GSS_S_COMPLETE) {
          step += 1;
          HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
        } else {
          HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
        }
        break;

      case 2:
        memset(sasl_config, 0xFF, 4);
        /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
        0x01 No security layer
        0x02 Integrity protection
        0x04 Confidentiality protection

        The remaining three octets are the maximum buffer size for wrappe
        content. */
        sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
        gbufdesc.value = (void *) sasl_config;
        gbufdesc.length = 4;
        maj_stat = gss_wrap(&min_stat,
            gcontext,
            0,                    /* conf_req_flag: integrity only */
            GSS_C_QOP_DEFAULT,    /* qop requested */
            &gbufdesc,            /* message to protect */
            NULL,                 /* conf_state: no confidentiality applied */
            &gbufdesc_out         /* output buffer */
            );
        if (GSS_ERROR(maj_stat)) {
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_wrap(SASL state after auth)");
          error_out = FAIL;
          goto ERROR_OUT;
        }

        HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");

        error_out = auth_get_data(&from_client,
            gbufdesc_out.value, gbufdesc_out.length);
        if (error_out != OK)
          goto ERROR_OUT;

        gss_release_buffer(&min_stat, &gbufdesc_out);
        EmptyBuf(gbufdesc_out);
        step += 1;
        break;

      case 3:
        gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
        maj_stat = gss_unwrap(&min_stat,
            gcontext,
            &gbufdesc_in,       /* data from client */
            &gbufdesc_out,      /* results */
            NULL,               /* conf state */
            NULL                /* qop state */
            );
        if (GSS_ERROR(maj_stat)) {
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_unwrap(final SASL message from client)");
          error_out = FAIL;
          goto ERROR_OUT;
        }
        if (gbufdesc_out.length < 5) {
          HDEBUG(D_auth)
            debug_printf("gssapi: final message too short; "
                "need flags, buf sizes and authzid\n");
          error_out = FAIL;
          goto ERROR_OUT;
        }

        requested_qop = (CS gbufdesc_out.value)[0];
        if ((requested_qop & 0x01) == 0) {
          HDEBUG(D_auth)
            debug_printf("gssapi: client requested security layers (%x)\n",
                (unsigned int) requested_qop);
          error_out = FAIL;
          goto ERROR_OUT;
        }

        for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
        expand_nmax = 0;

        /* Identifiers:
        The SASL provided identifier is an unverified authzid.
        GSSAPI provides us with a verified identifier.
        */

        /* $auth2 is authzid requested at SASL layer */
        expand_nlength[2] = gbufdesc_out.length - 4;
        auth_vars[1] = expand_nstring[2] =
          string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
        expand_nmax = 2;

        gss_release_buffer(&min_stat, &gbufdesc_out);
        EmptyBuf(gbufdesc_out);

        /* $auth1 is GSSAPI display name */
        maj_stat = gss_display_name(&min_stat,
            gclient,
            &gbufdesc_out,
            &mech_type);
        if (GSS_ERROR(maj_stat)) {
          auth_vars[1] = expand_nstring[2] = NULL;
          expand_nmax = 0;
          exim_gssapi_error_defer(NULL, maj_stat, min_stat,
              "gss_display_name(client identifier)");
          error_out = FAIL;
          goto ERROR_OUT;
        }

        expand_nlength[1] = gbufdesc_out.length;
        auth_vars[0] = expand_nstring[1] =
          string_copyn(gbufdesc_out.value, gbufdesc_out.length);

        HDEBUG(D_auth)
          debug_printf("heimdal SASL: happy with client request\n"
             "  auth1 (verified GSSAPI display-name): \"%s\"\n"
             "  auth2 (unverified SASL requested authzid): \"%s\"\n",
             auth_vars[0], auth_vars[1]);

        step += 1;
        break;

    } /* switch */
  } /* while step */


ERROR_OUT:
  maj_stat = gss_release_cred(&min_stat, &gcred);
  if (gclient) {
    gss_release_name(&min_stat, &gclient);
    gclient = GSS_C_NO_NAME;
  }
  if (gbufdesc_out.length) {
    gss_release_buffer(&min_stat, &gbufdesc_out);
    EmptyBuf(gbufdesc_out);
  }
  if (gcontext != GSS_C_NO_CONTEXT) {
    gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
  }

  store_reset(store_reset_point);

  if (error_out != OK)
    return error_out;

  /* Auth succeeded, check server_condition */
  return auth_check_serv_cond(ablock);
}


static int
exim_gssapi_error_defer(uschar *store_reset_point,
    OM_uint32 major, OM_uint32 minor,
    const char *format, ...)
{
  va_list ap;
  uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
  OM_uint32 maj_stat, min_stat;
  OM_uint32 msgcontext = 0;
  gss_buffer_desc status_string;

  va_start(ap, format);
  if (!string_vformat(buffer, sizeof(buffer), format, ap))
    log_write(0, LOG_MAIN|LOG_PANIC_DIE,
        "exim_gssapi_error_defer expansion larger than %d",
        sizeof(buffer));
  va_end(ap);

  auth_defer_msg = NULL;

  do {
    maj_stat = gss_display_status(&min_stat,
        major, GSS_C_GSS_CODE, GSS_C_NO_OID,
        &msgcontext, &status_string);

    if (auth_defer_msg == NULL) {
      auth_defer_msg = string_copy(US status_string.value);
    }

    HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
        buffer, (int)status_string.length, CS status_string.value);
    gss_release_buffer(&min_stat, &status_string);

  } while (msgcontext != 0);

  if (store_reset_point)
    store_reset(store_reset_point);
  return DEFER;
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_heimdal_gssapi_client(
  auth_instance *ablock,                 /* authenticator block */
  smtp_inblock *inblock,                 /* connection inblock */
  smtp_outblock *outblock,               /* connection outblock */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
  HDEBUG(D_auth)
    debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
  /* NOT IMPLEMENTED */
  return FAIL;
}

/*************************************************
*                Diagnostic API                  *
*************************************************/

void
auth_heimdal_gssapi_version_report(FILE *f)
{
  /* No build-time constants available unless we link against libraries at
  build-time and export the result as a string into a header ourselves. */
  fprintf(f, "Library version: Heimdal: Runtime: %s\n"
             " Build Info: %s\n",
          heimdal_version, heimdal_long_version);
}

#endif  /* AUTH_HEIMDAL_GSSAPI */

/* End of heimdal_gssapi.c */
Commit	Line	Data
dde3daac PP	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) University of Cambridge 1995 - 2012 */
	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Copyright (c) Twitter Inc 2012
	9	Author: Phil Pennock <pdp@exim.org> */
f35771fe	10	/* Copyright (c) Phil Pennock 2012 */
dde3daac PP	11
	12	/* Interface to Heimdal SASL library for GSSAPI authentication. */
	13
	14	/* Naming and rationale
	15
	16	Sensibly, this integration would be deferred to a SASL library, but none
	17	of them appear to offer keytab file selection interfaces in their APIs. It
	18	might be that this driver only requires minor modification to work with MIT
	19	Kerberos.
	20
	21	Heimdal provides a number of interfaces for various forms of authentication.
	22	As GS2 does not appear to provide keytab control interfaces either, we may
	23	end up supporting that too. It's possible that we could trivially expand to
	24	support NTLM support via Heimdal, etc. Rather than try to be too generic
	25	immediately, this driver is directly only supporting GSSAPI.
	26
	27	Without rename, we could add an option for GS2 support in the future.
	28	*/
	29
	30	/* Sources
	31
	32	* mailcheck-imap (Perl, client-side, written by me years ago)
	33	* gsasl driver (GPL, server-side)
	34	* heimdal sources and man-pages, plus http://www.h5l.org/manual/
	35	* FreeBSD man-pages (very informative!)
	36	* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
	37	semantics, that found by browsing Heimdal source to find how to set the keytab
	38
	39	*/
	40
	41	#include "../exim.h"
	42
	43	#ifndef AUTH_HEIMDAL_GSSAPI
	44	/* dummy function to satisfy compilers when we link in an "empty" file. */
	45	static void dummy(int x) { dummy(x-1); }
	46	#else
	47
	48	#include <gssapi/gssapi.h>
	49	#include <gssapi/gssapi_krb5.h>
	50
	51	/* for the _init debugging */
	52	#include <krb5.h>
	53
	54	/* Because __gss_krb5_register_acceptor_identity_x_oid_desc is internal */
	55	#include <roken.h>
	56
	57	#include "heimdal_gssapi.h"
	58
	59	/* Authenticator-specific options. */
	60	optionlist auth_heimdal_gssapi_options[] = {
	61	{ "server_hostname", opt_stringptr,
	62	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
	63	{ "server_keytab", opt_stringptr,
	64	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
	65	{ "server_realm", opt_stringptr,
	66	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_realm)) },
	67	{ "server_service", opt_stringptr,
	68	(void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
	69	};
	70
	71	int auth_heimdal_gssapi_options_count =
	72	sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
	73
	74	/* Defaults for the authenticator-specific options. */
75	auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
76	US"$primary_hostname", /* server_hostname */
77	NULL, /* server_keytab */
78	NULL, /* server_realm */
79	US"smtp", /* server_service */
80	};
81
82	/* "Globals" for managing the heimdal_gssapi interface. */
83
dde3daac PP	84	/* Utility functions */
	85	static void
	86	exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
	87	static int
	88	exim_gssapi_error_defer(uschar , OM_uint32, OM_uint32, const char , ...)
	89	PRINTF_FUNCTION(4, 5);
	90
	91	#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
	92
	93
	94	/*************************************************
	95	* Initialization entry point *
	96	*************************************************/
	97
	98	/* Called for each instance, after its options have been read, to
	99	enable consistency checks to be done, or anything else that needs
	100	to be set up. */
	101
	102	/* Heimdal provides a GSSAPI extension method (via an OID) for setting the
	103	keytab; in the init, we mostly just use raw krb5 methods so that we can report
	104	the keytab contents, for -D+auth debugging. */
	105
	106	void
	107	auth_heimdal_gssapi_init(auth_instance *ablock)
	108	{
	109	krb5_context context;
	110	krb5_keytab keytab;
	111	krb5_kt_cursor cursor;
	112	krb5_keytab_entry entry;
	113	krb5_error_code krc;
	114	char principal, enctype_s;
	115	const char *k_keytab_typed_name = NULL;
	116	auth_heimdal_gssapi_options_block *ob =
	117	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
	118
	119	ablock->server = FALSE;
	120	ablock->client = FALSE;
	121
	122	if (!ob->server_service \|\| !*ob->server_service) {
	123	HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
	124	return;
	125	}
	126
	127	krc = krb5_init_context(&context);
	128	if (krc != 0) {
	129	int kerr = errno;
	130	HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
	131	strerror(kerr));
	132	return;
	133	}
	134
	135	if (ob->server_keytab) {
	136	k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
	137	HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
	138	krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
	139	if (krc) {
	140	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
	141	return;
	142	}
	143	} else {
	144	HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
	145	krc = krb5_kt_default(context, &keytab);
	146	if (krc) {
	147	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
148	return;
149	}
150	}
151
152	HDEBUG(D_auth) {
153	/* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
154	krc = krb5_kt_start_seq_get(context, keytab, &cursor);
155	if (krc)
156	exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
157	else {
158	while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
159	principal = enctype_s = NULL;
160	krb5_unparse_name(context, entry.principal, &principal);
161	krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
162	debug_printf("heimdal: keytab principal: %s vno=%d type=%s\n",
163	principal ? principal : "??",
164	entry.vno,
165	enctype_s ? enctype_s : "??");
166	free(principal);
167	free(enctype_s);
168	krb5_kt_free_entry(context, &entry);
169	}
170	krc = krb5_kt_end_seq_get(context, keytab, &cursor);
171	if (krc)
172	exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
173	}
174	}
175
176	krc = krb5_kt_close(context, keytab);
177	if (krc)
178	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
179
180	krb5_free_context(context);
181
182	/* RFC 4121 section 5.2, SHOULD support 64K input buffers */
183	if (big_buffer_size < (64 * 1024)) {
184	uschar *newbuf;
185	big_buffer_size = 64 * 1024;
186	newbuf = store_malloc(big_buffer_size);
187	store_free(big_buffer);
188	big_buffer = newbuf;
189	}
190
191	ablock->server = TRUE;
192	}
193
194
195	static void
196	exim_heimdal_error_debug(const char *label,
197	krb5_context context, krb5_error_code err)
198	{
199	const char *kerrsc;
200	kerrsc = krb5_get_error_message(context, err);
201	debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
202	krb5_free_error_message(context, kerrsc);
203	}
204
205	/*************************************************
206	* Server entry point *
207	*************************************************/
208
209	/* For interface, see auths/README */
210
211	/* GSSAPI notes:
212	OM_uint32: portable type for unsigned int32
213	gss_buffer_desc / gss_buffer_t: hold/point-to size_t .length & void value
214	-- all strings/etc passed in should go through one of these
215	-- when allocated by gssapi, release with gss_release_buffer()
216	*/
217
218	int
219	auth_heimdal_gssapi_server(auth_instance ablock, uschar initial_data)
220	{
221	gss_name_t gclient = GSS_C_NO_NAME;
222	gss_name_t gserver = GSS_C_NO_NAME;
223	gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
224	gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
225	uschar *ex_server_str;
226	gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
227	gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
228	gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
229	gss_OID mech_type;
230	OM_uint32 maj_stat, min_stat;
231	int step, error_out, i;
232	uschar tmp1, tmp2, *from_client;
233	auth_heimdal_gssapi_options_block *ob =
234	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
235	BOOL handled_empty_ir;
236	uschar *store_reset_point;
f35771fe	237	uschar *keytab;
dde3daac PP	238	uschar sasl_config[4];
	239	uschar requested_qop;
	240
	241	store_reset_point = store_get(0);
	242
	243	HDEBUG(D_auth)
	244	debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
	245
	246	/* Construct our gss_name_t gserver describing ourselves */
	247	tmp1 = expand_string(ob->server_service);
	248	tmp2 = expand_string(ob->server_hostname);
	249	ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
	250	gbufdesc.value = (void *) ex_server_str;
	251	gbufdesc.length = Ustrlen(ex_server_str);
	252	maj_stat = gss_import_name(&min_stat,
	253	&gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
	254	if (GSS_ERROR(maj_stat))
	255	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	256	"gss_import_name(%s)", CS gbufdesc.value);
	257
	258	/* Use a specific keytab, if specified */
	259	if (ob->server_keytab) {
f35771fe PP	260	keytab = expand_string(ob->server_keytab);
f35771fe PP	261	maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
dde3daac PP	262	if (GSS_ERROR(maj_stat))
dde3daac PP	263	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
f35771fe PP	264	"registering keytab \"%s\"", keytab);
	265	HDEBUG(D_auth)
	266	debug_printf("heimdal: using keytab \"%s\"\n", keytab);
dde3daac PP	267	}
	268
	269	/* Acquire our credentials */
	270	maj_stat = gss_acquire_cred(&min_stat,
	271	gserver, /* desired name */
	272	0, /* time */
	273	GSS_C_NULL_OID_SET, /* desired mechs */
	274	GSS_C_ACCEPT, /* cred usage */
	275	&gcred, /* handle */
	276	NULL /* actual mechs */,
	277	NULL /* time rec */);
	278	if (GSS_ERROR(maj_stat))
	279	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	280	"gss_acquire_cred(%s)", ex_server_str);
	281
	282	maj_stat = gss_release_name(&min_stat, &gserver);
	283
f35771fe PP	284	HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
f35771fe PP	285
dde3daac PP	286	/* Loop talking to client */
	287	step = 0;
	288	from_client = initial_data;
	289	handled_empty_ir = FALSE;
	290	error_out = OK;
	291
	292	/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
	293	GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
	294	(big_buffer starts life at the MUST size of 16KB). */
	295
	296	/* step values
	297	0: getting initial data from client to feed into GSSAPI
	298	1: iterating for as long as GSS_S_CONTINUE_NEEDED
	299	2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
	300	3: unpick final auth message from client
	301	4: break/finish (non-step)
	302	*/
	303	while (step < 4) {
	304	switch (step) {
	305	case 0:
	306	if (!from_client \|\| *from_client == '\0') {
	307	if (handled_empty_ir) {
	308	HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
	309	error_out = BAD64;
	310	goto ERROR_OUT;
	311	} else {
	312	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
	313	error_out = auth_get_data(&from_client, US"", 0);
	314	if (error_out != OK)
	315	goto ERROR_OUT;
	316	continue;
	317	}
	318	}
	319	/* We should now have the opening data from the client, base64-encoded. */
	320	step += 1;
f35771fe	321	HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
dde3daac PP	322	break;
	323
	324	case 1:
	325	gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
	326	if (gclient) {
	327	maj_stat = gss_release_name(&min_stat, &gclient);
	328	gclient = GSS_C_NO_NAME;
	329	}
	330	maj_stat = gss_accept_sec_context(&min_stat,
	331	&gcontext, /* context handle */
	332	gcred, /* acceptor cred handle */
	333	&gbufdesc_in, /* input from client */
	334	GSS_C_NO_CHANNEL_BINDINGS, /* XXX fixme: use the channel bindings from GnuTLS */
	335	&gclient, /* client identifier */
	336	&mech_type, /* mechanism in use */
	337	&gbufdesc_out, /* output to send to client */
	338	NULL, /* return flags */
	339	NULL, /* time rec */
	340	NULL /* delegated cred_handle */
	341	);
	342	if (GSS_ERROR(maj_stat)) {
	343	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	344	"gss_accept_sec_context()");
	345	error_out = FAIL;
	346	goto ERROR_OUT;
	347	}
	348	if (&gbufdesc_out.length != 0) {
	349	error_out = auth_get_data(&from_client,
	350	gbufdesc_out.value, gbufdesc_out.length);
	351	if (error_out != OK)
	352	goto ERROR_OUT;
	353
	354	gss_release_buffer(&min_stat, &gbufdesc_out);
	355	EmptyBuf(gbufdesc_out);
	356	}
f35771fe	357	if (maj_stat == GSS_S_COMPLETE) {
dde3daac	358	step += 1;
f35771fe PP	359	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
	360	} else {
	361	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
	362	}
dde3daac PP	363	break;
	364
	365	case 2:
	366	memset(sasl_config, 0xFF, 4);
	367	/* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
	368	0x01 No security layer
	369	0x02 Integrity protection
	370	0x04 Confidentiality protection
	371
	372	The remaining three octets are the maximum buffer size for wrappe
	373	content. */
	374	sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
	375	gbufdesc.value = (void *) sasl_config;
	376	gbufdesc.length = 4;
	377	maj_stat = gss_wrap(&min_stat,
	378	gcontext,
	379	0, /* conf_req_flag: integrity only */
	380	GSS_C_QOP_DEFAULT, /* qop requested */
	381	&gbufdesc, /* message to protect */
	382	NULL, /* conf_state: no confidentiality applied */
	383	&gbufdesc_out /* output buffer */
	384	);
	385	if (GSS_ERROR(maj_stat)) {
	386	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	387	"gss_wrap(SASL state after auth)");
	388	error_out = FAIL;
	389	goto ERROR_OUT;
	390	}
f35771fe PP	391
	392	HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
	393
dde3daac PP	394	error_out = auth_get_data(&from_client,
	395	gbufdesc_out.value, gbufdesc_out.length);
	396	if (error_out != OK)
	397	goto ERROR_OUT;
	398
	399	gss_release_buffer(&min_stat, &gbufdesc_out);
	400	EmptyBuf(gbufdesc_out);
	401	step += 1;
	402	break;
	403
	404	case 3:
	405	gbufdesc_in.length = auth_b64decode(from_client, USS &gbufdesc_in.value);
	406	maj_stat = gss_unwrap(&min_stat,
	407	gcontext,
	408	&gbufdesc_in, /* data from client */
	409	&gbufdesc_out, /* results */
	410	NULL, /* conf state */
	411	NULL /* qop state */
	412	);
	413	if (GSS_ERROR(maj_stat)) {
	414	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	415	"gss_unwrap(final SASL message from client)");
	416	error_out = FAIL;
	417	goto ERROR_OUT;
	418	}
	419	if (gbufdesc_out.length < 5) {
	420	HDEBUG(D_auth)
	421	debug_printf("gssapi: final message too short; "
	422	"need flags, buf sizes and authzid\n");
	423	error_out = FAIL;
	424	goto ERROR_OUT;
	425	}
	426
	427	requested_qop = (CS gbufdesc_out.value)[0];
	428	if ((requested_qop & 0x01) == 0) {
	429	HDEBUG(D_auth)
	430	debug_printf("gssapi: client requested security layers (%x)\n",
	431	(unsigned int) requested_qop);
	432	error_out = FAIL;
	433	goto ERROR_OUT;
	434	}
	435
	436	for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
	437	expand_nmax = 0;
	438
	439	/* Identifiers:
	440	The SASL provided identifier is an unverified authzid.
	441	GSSAPI provides us with a verified identifier.
	442	*/
	443
	444	/* $auth2 is authzid requested at SASL layer */
	445	expand_nlength[2] = gbufdesc_out.length - 4;
	446	auth_vars[1] = expand_nstring[2] =
	447	string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
	448	expand_nmax = 2;
	449
	450	gss_release_buffer(&min_stat, &gbufdesc_out);
	451	EmptyBuf(gbufdesc_out);
	452
	453	/* $auth1 is GSSAPI display name */
	454	maj_stat = gss_display_name(&min_stat,
	455	gclient,
	456	&gbufdesc_out,
	457	&mech_type);
458	if (GSS_ERROR(maj_stat)) {
459	auth_vars[1] = expand_nstring[2] = NULL;
460	expand_nmax = 0;
461	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
462	"gss_display_name(client identifier)");
463	error_out = FAIL;
464	goto ERROR_OUT;
465	}
466
467	expand_nlength[1] = gbufdesc_out.length;
468	auth_vars[0] = expand_nstring[1] =
469	string_copyn(gbufdesc_out.value, gbufdesc_out.length);
470
f35771fe PP	471	HDEBUG(D_auth)
	472	debug_printf("heimdal SASL: happy with client request\n"
	473	" auth1 (verified GSSAPI display-name): \"%s\"\n"
	474	" auth2 (unverified SASL requested authzid): \"%s\"\n",
	475	auth_vars[0], auth_vars[1]);
	476
dde3daac PP	477	step += 1;
	478	break;
	479
	480	} /* switch */
	481	} /* while step */
	482
	483
	484	ERROR_OUT:
	485	maj_stat = gss_release_cred(&min_stat, &gcred);
	486	if (gclient) {
	487	gss_release_name(&min_stat, &gclient);
	488	gclient = GSS_C_NO_NAME;
	489	}
	490	if (gbufdesc_out.length) {
	491	gss_release_buffer(&min_stat, &gbufdesc_out);
	492	EmptyBuf(gbufdesc_out);
	493	}
	494	if (gcontext != GSS_C_NO_CONTEXT) {
	495	gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
	496	}
	497
	498	store_reset(store_reset_point);
	499
	500	if (error_out != OK)
	501	return error_out;
	502
	503	/* Auth succeeded, check server_condition */
	504	return auth_check_serv_cond(ablock);
	505	}
	506
	507
	508	static int
	509	exim_gssapi_error_defer(uschar *store_reset_point,
	510	OM_uint32 major, OM_uint32 minor,
	511	const char *format, ...)
	512	{
	513	va_list ap;
	514	uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
	515	OM_uint32 maj_stat, min_stat;
	516	OM_uint32 msgcontext = 0;
	517	gss_buffer_desc status_string;
	518
	519	va_start(ap, format);
	520	if (!string_vformat(buffer, sizeof(buffer), format, ap))
	521	log_write(0, LOG_MAIN\|LOG_PANIC_DIE,
	522	"exim_gssapi_error_defer expansion larger than %d",
	523	sizeof(buffer));
	524	va_end(ap);
	525
	526	auth_defer_msg = NULL;
	527
	528	do {
	529	maj_stat = gss_display_status(&min_stat,
	530	major, GSS_C_GSS_CODE, GSS_C_NO_OID,
	531	&msgcontext, &status_string);
	532
	533	if (auth_defer_msg == NULL) {
	534	auth_defer_msg = string_copy(US status_string.value);
	535	}
	536
	537	HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
	538	buffer, (int)status_string.length, CS status_string.value);
	539	gss_release_buffer(&min_stat, &status_string);
	540
541	} while (msgcontext != 0);
542
543	if (store_reset_point)
544	store_reset(store_reset_point);
545	return DEFER;
546	}
547
548
549	/*************************************************
550	* Client entry point *
551	*************************************************/
552
553	/* For interface, see auths/README */
554
555	int
556	auth_heimdal_gssapi_client(
557	auth_instance ablock, / authenticator block */
558	smtp_inblock inblock, / connection inblock */
559	smtp_outblock outblock, / connection outblock */
560	int timeout, /* command timeout */
561	uschar buffer, / buffer for reading response */
562	int buffsize) /* size of buffer */
563	{
564	HDEBUG(D_auth)
565	debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
566	/* NOT IMPLEMENTED */
567	return FAIL;
568	}
569
570	/*************************************************
571	* Diagnostic API *
572	*************************************************/
573
574	void
575	auth_heimdal_gssapi_version_report(FILE *f)
576	{
577	/* No build-time constants available unless we link against libraries at
578	build-time and export the result as a string into a header ourselves. */
579	fprintf(f, "Library version: Heimdal: Runtime: %s\n"
580	" Build Info: %s\n",
581	heimdal_version, heimdal_long_version);
582	}
583
584	#endif /* AUTH_HEIMDAL_GSSAPI */
585
586	/* End of heimdal_gssapi.c */