[exim.git] / src / src / auths / heimdal_gssapi.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */

/* Copyright (c) Twitter Inc 2012
   Author: Phil Pennock <pdp@exim.org> */
/* Copyright (c) Phil Pennock 2012 */

/* Interface to Heimdal library for GSSAPI authentication. */

/* Naming and rationale

Sensibly, this integration would be deferred to a SASL library, but none
of them appear to offer keytab file selection interfaces in their APIs.  It
might be that this driver only requires minor modification to work with MIT
Kerberos.

Heimdal provides a number of interfaces for various forms of authentication.
As GS2 does not appear to provide keytab control interfaces either, we may
end up supporting that too.  It's possible that we could trivially expand to
support NTLM support via Heimdal, etc.  Rather than try to be too generic
immediately, this driver is directly only supporting GSSAPI.

Without rename, we could add an option for GS2 support in the future.
*/

/* Sources

* mailcheck-imap (Perl, client-side, written by me years ago)
* gsasl driver (GPL, server-side)
* heimdal sources and man-pages, plus http://www.h5l.org/manual/
* FreeBSD man-pages (very informative!)
* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
  semantics, that found by browsing Heimdal source to find how to set the keytab; however,
  after multiple attempts I failed to get that to work and instead switched to
  gsskrb5_register_acceptor_identity().
*/

#include "../exim.h"

#ifndef AUTH_HEIMDAL_GSSAPI
/* dummy function to satisfy compilers when we link in an "empty" file. */
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
#else

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>

/* for the _init debugging */
#include <krb5.h>

#include "heimdal_gssapi.h"

/* Authenticator-specific options. */
optionlist auth_heimdal_gssapi_options[] = {
  { "server_hostname",      opt_stringptr,
      OPT_OFF(auth_heimdal_gssapi_options_block, server_hostname) },
  { "server_keytab",        opt_stringptr,
      OPT_OFF(auth_heimdal_gssapi_options_block, server_keytab) },
  { "server_service",       opt_stringptr,
      OPT_OFF(auth_heimdal_gssapi_options_block, server_service) }
};

int auth_heimdal_gssapi_options_count =
  sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);

/* Defaults for the authenticator-specific options. */
auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
  US"$primary_hostname",    /* server_hostname */
  NULL,                     /* server_keytab */
  US"smtp",                 /* server_service */
};


#ifdef MACRO_PREDEF

/* Dummy values */
void auth_heimdal_gssapi_init(auth_instance *ablock) {}
int auth_heimdal_gssapi_server(auth_instance *ablock, uschar *data) {return 0;}
int auth_heimdal_gssapi_client(auth_instance *ablock, void * sx,
  int timeout, uschar *buffer, int buffsize) {return 0;}
void auth_heimdal_gssapi_version_report(FILE *f) {}

#else   /*!MACRO_PREDEF*/


/* "Globals" for managing the heimdal_gssapi interface. */

/* Utility functions */
static void
  exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
static int
  exim_gssapi_error_defer(rmark, OM_uint32, OM_uint32, const char *, ...)
    PRINTF_FUNCTION(4, 5);

#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)


/*************************************************
*          Initialization entry point            *
*************************************************/

/* Called for each instance, after its options have been read, to
enable consistency checks to be done, or anything else that needs
to be set up. */

/* Heimdal provides a GSSAPI extension method for setting the keytab;
in the init, we mostly just use raw krb5 methods so that we can report
the keytab contents, for -D+auth debugging. */

void
auth_heimdal_gssapi_init(auth_instance *ablock)
{
krb5_context context;
krb5_keytab keytab;
krb5_kt_cursor cursor;
krb5_keytab_entry entry;
krb5_error_code krc;
char *principal, *enctype_s;
const char *k_keytab_typed_name = NULL;
auth_heimdal_gssapi_options_block *ob =
  (auth_heimdal_gssapi_options_block *)(ablock->options_block);

ablock->server = FALSE;
ablock->client = FALSE;

if (!ob->server_service || !*ob->server_service)
  {
  HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
  return;
  }

if ((krc = krb5_init_context(&context)))
  {
  int kerr = errno;
  HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
      strerror(kerr));
  return;
  }

if (ob->server_keytab)
  {
  k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
  HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
  if ((krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab)))
    {
    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
    return;
    }
  }
else
 {
  HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
  if ((krc = krb5_kt_default(context, &keytab)))
    {
    HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
    return;
    }
  }

HDEBUG(D_auth)
  {
  /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
  if ((krc = krb5_kt_start_seq_get(context, keytab, &cursor)))
    exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
  else
    {
    while (!(krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)))
      {
      principal = enctype_s = NULL;
      krb5_unparse_name(context, entry.principal, &principal);
      krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
      debug_printf("heimdal: keytab principal: %s  vno=%d  type=%s\n",
	  principal ? principal : "??",
	  entry.vno,
	  enctype_s ? enctype_s : "??");
      free(principal);
      free(enctype_s);
      krb5_kt_free_entry(context, &entry);
      }
    if ((krc = krb5_kt_end_seq_get(context, keytab, &cursor)))
      exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
    }
  }

if ((krc = krb5_kt_close(context, keytab)))
  HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);

krb5_free_context(context);

ablock->server = TRUE;
}


static void
exim_heimdal_error_debug(const char *label,
    krb5_context context, krb5_error_code err)
{
const char *kerrsc;
kerrsc = krb5_get_error_message(context, err);
debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
krb5_free_error_message(context, kerrsc);
}

/*************************************************
*             Server entry point                 *
*************************************************/

/* For interface, see auths/README */

/* GSSAPI notes:
OM_uint32: portable type for unsigned int32
gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
  -- all strings/etc passed in should go through one of these
  -- when allocated by gssapi, release with gss_release_buffer()
*/

int
auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
{
gss_name_t gclient = GSS_C_NO_NAME;
gss_name_t gserver = GSS_C_NO_NAME;
gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
uschar *ex_server_str;
gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
gss_OID mech_type;
OM_uint32 maj_stat, min_stat;
int step, error_out;
uschar *tmp1, *tmp2, *from_client;
auth_heimdal_gssapi_options_block *ob =
  (auth_heimdal_gssapi_options_block *)(ablock->options_block);
BOOL handled_empty_ir;
rmark store_reset_point;
uschar *keytab;
uschar sasl_config[4];
uschar requested_qop;

store_reset_point = store_mark();

HDEBUG(D_auth)
  debug_printf("heimdal: initialising auth context for %s\n", ablock->name);

/* Construct our gss_name_t gserver describing ourselves */
tmp1 = expand_string(ob->server_service);
tmp2 = expand_string(ob->server_hostname);
ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
gbufdesc.value = (void *) ex_server_str;
gbufdesc.length = Ustrlen(ex_server_str);
maj_stat = gss_import_name(&min_stat,
    &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
if (GSS_ERROR(maj_stat))
  return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
      "gss_import_name(%s)", CS gbufdesc.value);

/* Use a specific keytab, if specified */
if (ob->server_keytab) 
  {
  keytab = expand_string(ob->server_keytab);
  maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
  if (GSS_ERROR(maj_stat))
    return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	"registering keytab \"%s\"", keytab);
  HDEBUG(D_auth)
    debug_printf("heimdal: using keytab \"%s\"\n", keytab);
  }

/* Acquire our credentials */
maj_stat = gss_acquire_cred(&min_stat,
    gserver,             /* desired name */
    0,                   /* time */
    GSS_C_NULL_OID_SET,  /* desired mechs */
    GSS_C_ACCEPT,        /* cred usage */
    &gcred,              /* handle */
    NULL                 /* actual mechs */,
    NULL                 /* time rec */);
if (GSS_ERROR(maj_stat))
  return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
      "gss_acquire_cred(%s)", ex_server_str);

maj_stat = gss_release_name(&min_stat, &gserver);

HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");

/* Loop talking to client */
step = 0;
from_client = initial_data;
handled_empty_ir = FALSE;
error_out = OK;

/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
(big_buffer starts life at the MUST size of 16KB). */

/* step values
0: getting initial data from client to feed into GSSAPI
1: iterating for as long as GSS_S_CONTINUE_NEEDED
2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
3: unpick final auth message from client
4: break/finish (non-step)
*/
while (step < 4)
  switch (step)
    {
    case 0:
      if (!from_client || !*from_client)
        {
	if (handled_empty_ir)
	  {
	  HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
	  error_out = BAD64;
	  goto ERROR_OUT;
	  }

	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
	if ((error_out = auth_get_data(&from_client, US"", 0)) != OK)
	  goto ERROR_OUT;
	handled_empty_ir = TRUE;
	continue;
	}
      /* We should now have the opening data from the client, base64-encoded. */
      step += 1;
      HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
      break;

    case 1:
      gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
      if (gclient)
        {
	maj_stat = gss_release_name(&min_stat, &gclient);
	gclient = GSS_C_NO_NAME;
	}
      maj_stat = gss_accept_sec_context(&min_stat,
	  &gcontext,          /* context handle */
	  gcred,              /* acceptor cred handle */
	  &gbufdesc_in,       /* input from client */
	  GSS_C_NO_CHANNEL_BINDINGS,  /* XXX fixme: use the channel bindings from GnuTLS */
	  &gclient,           /* client identifier */
	  &mech_type,         /* mechanism in use */
	  &gbufdesc_out,      /* output to send to client */
	  NULL,               /* return flags */
	  NULL,               /* time rec */
	  NULL                /* delegated cred_handle */
	  );
      if (GSS_ERROR(maj_stat))
        {
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_accept_sec_context()");
	error_out = FAIL;
	goto ERROR_OUT;
	}
      if (gbufdesc_out.length != 0)
        {
	error_out = auth_get_data(&from_client,
	    gbufdesc_out.value, gbufdesc_out.length);
	if (error_out != OK)
	  goto ERROR_OUT;

	gss_release_buffer(&min_stat, &gbufdesc_out);
	EmptyBuf(gbufdesc_out);
	}
      if (maj_stat == GSS_S_COMPLETE)
        {
	step += 1;
	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
	}
      else
	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
      break;

    case 2:
      memset(sasl_config, 0xFF, 4);
      /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
      0x01 No security layer
      0x02 Integrity protection
      0x04 Confidentiality protection

      The remaining three octets are the maximum buffer size for wrapped
      content. */
      sasl_config[0] = 0x01;  /* Exim does not wrap/unwrap SASL layers after auth */
      gbufdesc.value = (void *) sasl_config;
      gbufdesc.length = 4;
      maj_stat = gss_wrap(&min_stat,
	  gcontext,
	  0,                    /* conf_req_flag: integrity only */
	  GSS_C_QOP_DEFAULT,    /* qop requested */
	  &gbufdesc,            /* message to protect */
	  NULL,                 /* conf_state: no confidentiality applied */
	  &gbufdesc_out         /* output buffer */
	  );
      if (GSS_ERROR(maj_stat))
        {
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_wrap(SASL state after auth)");
	error_out = FAIL;
	goto ERROR_OUT;
	}

      HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");

      error_out = auth_get_data(&from_client,
	  gbufdesc_out.value, gbufdesc_out.length);
      if (error_out != OK)
	goto ERROR_OUT;

      gss_release_buffer(&min_stat, &gbufdesc_out);
      EmptyBuf(gbufdesc_out);
      step += 1;
      break;

    case 3:
      gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
      maj_stat = gss_unwrap(&min_stat,
	  gcontext,
	  &gbufdesc_in,       /* data from client */
	  &gbufdesc_out,      /* results */
	  NULL,               /* conf state */
	  NULL                /* qop state */
	  );
      if (GSS_ERROR(maj_stat))
        {
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_unwrap(final SASL message from client)");
	error_out = FAIL;
	goto ERROR_OUT;
	}
      if (gbufdesc_out.length < 4)
        {
	HDEBUG(D_auth)
	  debug_printf("gssapi: final message too short; "
	      "need flags, buf sizes and optional authzid\n");
	error_out = FAIL;
	goto ERROR_OUT;
	}

      requested_qop = (CS gbufdesc_out.value)[0];
      if (!(requested_qop & 0x01))
        {
	HDEBUG(D_auth)
	  debug_printf("gssapi: client requested security layers (%x)\n",
	      (unsigned int) requested_qop);
	error_out = FAIL;
	goto ERROR_OUT;
	}

      for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
      expand_nmax = 0;

      /* Identifiers:
      The SASL provided identifier is an unverified authzid.
      GSSAPI provides us with a verified identifier, but it might be empty
      for some clients.
      */

      /* $auth2 is authzid requested at SASL layer */
      if (gbufdesc_out.length > 4)
        {
	expand_nlength[2] = gbufdesc_out.length - 4;
	auth_vars[1] = expand_nstring[2] =
	  string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
	expand_nmax = 2;
	}

      gss_release_buffer(&min_stat, &gbufdesc_out);
      EmptyBuf(gbufdesc_out);

      /* $auth1 is GSSAPI display name */
      maj_stat = gss_display_name(&min_stat,
	  gclient, &gbufdesc_out, &mech_type);
      if (GSS_ERROR(maj_stat))
        {
	auth_vars[1] = expand_nstring[2] = NULL;
	expand_nmax = 0;
	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	    "gss_display_name(client identifier)");
	error_out = FAIL;
	goto ERROR_OUT;
	}

      expand_nlength[1] = gbufdesc_out.length;
      auth_vars[0] = expand_nstring[1] =
	string_copyn(gbufdesc_out.value, gbufdesc_out.length);

      if (expand_nmax == 0)	/* should be: authzid was empty */
	{
	expand_nmax = 2;
	expand_nlength[2] = expand_nlength[1];
	auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
	HDEBUG(D_auth)
	  debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
	}

      HDEBUG(D_auth)
	debug_printf("heimdal SASL: happy with client request\n"
	   "  auth1 (verified GSSAPI display-name): \"%s\"\n"
	   "  auth2 (unverified SASL requested authzid): \"%s\"\n",
	   auth_vars[0], auth_vars[1]);

      step += 1;
      break;

    } /* switch */
  /* while step */


ERROR_OUT:
maj_stat = gss_release_cred(&min_stat, &gcred);
if (gclient)
  {
  gss_release_name(&min_stat, &gclient);
  gclient = GSS_C_NO_NAME;
  }
if (gbufdesc_out.length)
  {
  gss_release_buffer(&min_stat, &gbufdesc_out);
  EmptyBuf(gbufdesc_out);
  }
if (gcontext != GSS_C_NO_CONTEXT)
  gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);

store_reset(store_reset_point);

if (error_out != OK)
  return error_out;

/* Auth succeeded, check server_condition */
return auth_check_serv_cond(ablock);
}


static int
exim_gssapi_error_defer(rmark store_reset_point,
    OM_uint32 major, OM_uint32 minor,
    const char *format, ...)
{
va_list ap;
OM_uint32 maj_stat, min_stat;
OM_uint32 msgcontext = 0;
gss_buffer_desc status_string;
gstring * g;

HDEBUG(D_auth)
  {
  va_start(ap, format);
  g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, format, ap);
  va_end(ap);
  }

auth_defer_msg = NULL;

do {
  maj_stat = gss_display_status(&min_stat,
      major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);

  if (!auth_defer_msg)
    auth_defer_msg = string_copy(US status_string.value);

  HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
      string_from_gstring(g), (int)status_string.length,
      CS status_string.value);
  gss_release_buffer(&min_stat, &status_string);

  } while (msgcontext != 0);

if (store_reset_point)
  store_reset(store_reset_point);
return DEFER;
}


/*************************************************
*              Client entry point                *
*************************************************/

/* For interface, see auths/README */

int
auth_heimdal_gssapi_client(
  auth_instance *ablock,                 /* authenticator block */
  void * sx,				 /* connection */
  int timeout,                           /* command timeout */
  uschar *buffer,                        /* buffer for reading response */
  int buffsize)                          /* size of buffer */
{
HDEBUG(D_auth)
  debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
/* NOT IMPLEMENTED */
return FAIL;
}

/*************************************************
*                Diagnostic API                  *
*************************************************/

void
auth_heimdal_gssapi_version_report(FILE *f)
{
/* No build-time constants available unless we link against libraries at
build-time and export the result as a string into a header ourselves. */
fprintf(f, "Library version: Heimdal: Runtime: %s\n"
	   " Build Info: %s\n",
	heimdal_version, heimdal_long_version);
}

#endif   /*!MACRO_PREDEF*/
#endif  /* AUTH_HEIMDAL_GSSAPI */

/* End of heimdal_gssapi.c */
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) University of Cambridge 1995 - 2018 */
	6	/* See the file NOTICE for conditions of use and distribution. */
	7
	8	/* Copyright (c) Twitter Inc 2012
	9	Author: Phil Pennock <pdp@exim.org> */
	10	/* Copyright (c) Phil Pennock 2012 */
	11
	12	/* Interface to Heimdal library for GSSAPI authentication. */
	13
	14	/* Naming and rationale
	15
	16	Sensibly, this integration would be deferred to a SASL library, but none
	17	of them appear to offer keytab file selection interfaces in their APIs. It
	18	might be that this driver only requires minor modification to work with MIT
	19	Kerberos.
	20
	21	Heimdal provides a number of interfaces for various forms of authentication.
	22	As GS2 does not appear to provide keytab control interfaces either, we may
	23	end up supporting that too. It's possible that we could trivially expand to
	24	support NTLM support via Heimdal, etc. Rather than try to be too generic
	25	immediately, this driver is directly only supporting GSSAPI.
	26
	27	Without rename, we could add an option for GS2 support in the future.
	28	*/
	29
	30	/* Sources
	31
	32	* mailcheck-imap (Perl, client-side, written by me years ago)
	33	* gsasl driver (GPL, server-side)
	34	* heimdal sources and man-pages, plus http://www.h5l.org/manual/
	35	* FreeBSD man-pages (very informative!)
	36	* http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
	37	semantics, that found by browsing Heimdal source to find how to set the keytab; however,
	38	after multiple attempts I failed to get that to work and instead switched to
	39	gsskrb5_register_acceptor_identity().
	40	*/
	41
	42	#include "../exim.h"
	43
	44	#ifndef AUTH_HEIMDAL_GSSAPI
	45	/* dummy function to satisfy compilers when we link in an "empty" file. */
	46	static void dummy(int x);
	47	static void dummy2(int x) { dummy(x-1); }
	48	static void dummy(int x) { dummy2(x-1); }
	49	#else
	50
	51	#include <gssapi/gssapi.h>
	52	#include <gssapi/gssapi_krb5.h>
	53
	54	/* for the _init debugging */
	55	#include <krb5.h>
	56
	57	#include "heimdal_gssapi.h"
	58
	59	/* Authenticator-specific options. */
	60	optionlist auth_heimdal_gssapi_options[] = {
	61	{ "server_hostname", opt_stringptr,
	62	OPT_OFF(auth_heimdal_gssapi_options_block, server_hostname) },
	63	{ "server_keytab", opt_stringptr,
	64	OPT_OFF(auth_heimdal_gssapi_options_block, server_keytab) },
	65	{ "server_service", opt_stringptr,
	66	OPT_OFF(auth_heimdal_gssapi_options_block, server_service) }
	67	};
	68
	69	int auth_heimdal_gssapi_options_count =
	70	sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
	71
	72	/* Defaults for the authenticator-specific options. */
	73	auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
	74	US"$primary_hostname", /* server_hostname */
	75	NULL, /* server_keytab */
	76	US"smtp", /* server_service */
	77	};
	78
	79
	80	#ifdef MACRO_PREDEF
	81
	82	/* Dummy values */
	83	void auth_heimdal_gssapi_init(auth_instance *ablock) {}
	84	int auth_heimdal_gssapi_server(auth_instance ablock, uschar data) {return 0;}
	85	int auth_heimdal_gssapi_client(auth_instance ablock, void sx,
	86	int timeout, uschar *buffer, int buffsize) {return 0;}
	87	void auth_heimdal_gssapi_version_report(FILE *f) {}
	88
	89	#else /!MACRO_PREDEF/
	90
	91
	92
	93	/* "Globals" for managing the heimdal_gssapi interface. */
	94
	95	/* Utility functions */
	96	static void
	97	exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
	98	static int
	99	exim_gssapi_error_defer(rmark, OM_uint32, OM_uint32, const char *, ...)
	100	PRINTF_FUNCTION(4, 5);
	101
	102	#define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
	103
	104
	105	/*************************************************
	106	* Initialization entry point *
	107	*************************************************/
	108
	109	/* Called for each instance, after its options have been read, to
	110	enable consistency checks to be done, or anything else that needs
	111	to be set up. */
	112
	113	/* Heimdal provides a GSSAPI extension method for setting the keytab;
	114	in the init, we mostly just use raw krb5 methods so that we can report
	115	the keytab contents, for -D+auth debugging. */
	116
	117	void
	118	auth_heimdal_gssapi_init(auth_instance *ablock)
	119	{
	120	krb5_context context;
	121	krb5_keytab keytab;
	122	krb5_kt_cursor cursor;
	123	krb5_keytab_entry entry;
	124	krb5_error_code krc;
	125	char principal, enctype_s;
	126	const char *k_keytab_typed_name = NULL;
	127	auth_heimdal_gssapi_options_block *ob =
	128	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
	129
	130	ablock->server = FALSE;
	131	ablock->client = FALSE;
	132
	133	if (!ob->server_service \|\| !*ob->server_service)
	134	{
	135	HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
	136	return;
	137	}
	138
	139	if ((krc = krb5_init_context(&context)))
	140	{
	141	int kerr = errno;
	142	HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
	143	strerror(kerr));
	144	return;
	145	}
	146
	147	if (ob->server_keytab)
	148	{
	149	k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
	150	HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
	151	if ((krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab)))
	152	{
	153	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
	154	return;
	155	}
	156	}
	157	else
	158	{
	159	HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
	160	if ((krc = krb5_kt_default(context, &keytab)))
	161	{
	162	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
	163	return;
	164	}
	165	}
	166
	167	HDEBUG(D_auth)
	168	{
	169	/* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
	170	if ((krc = krb5_kt_start_seq_get(context, keytab, &cursor)))
	171	exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
	172	else
	173	{
	174	while (!(krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)))
	175	{
	176	principal = enctype_s = NULL;
	177	krb5_unparse_name(context, entry.principal, &principal);
	178	krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
	179	debug_printf("heimdal: keytab principal: %s vno=%d type=%s\n",
	180	principal ? principal : "??",
	181	entry.vno,
	182	enctype_s ? enctype_s : "??");
	183	free(principal);
	184	free(enctype_s);
	185	krb5_kt_free_entry(context, &entry);
	186	}
	187	if ((krc = krb5_kt_end_seq_get(context, keytab, &cursor)))
	188	exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
	189	}
	190	}
	191
	192	if ((krc = krb5_kt_close(context, keytab)))
	193	HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
	194
	195	krb5_free_context(context);
	196
	197	ablock->server = TRUE;
	198	}
	199
	200
	201	static void
	202	exim_heimdal_error_debug(const char *label,
	203	krb5_context context, krb5_error_code err)
	204	{
	205	const char *kerrsc;
	206	kerrsc = krb5_get_error_message(context, err);
	207	debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
	208	krb5_free_error_message(context, kerrsc);
	209	}
	210
	211	/*************************************************
	212	* Server entry point *
	213	*************************************************/
	214
	215	/* For interface, see auths/README */
	216
	217	/* GSSAPI notes:
	218	OM_uint32: portable type for unsigned int32
	219	gss_buffer_desc / gss_buffer_t: hold/point-to size_t .length & void value
	220	-- all strings/etc passed in should go through one of these
	221	-- when allocated by gssapi, release with gss_release_buffer()
	222	*/
	223
	224	int
	225	auth_heimdal_gssapi_server(auth_instance ablock, uschar initial_data)
	226	{
	227	gss_name_t gclient = GSS_C_NO_NAME;
	228	gss_name_t gserver = GSS_C_NO_NAME;
	229	gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
	230	gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
	231	uschar *ex_server_str;
	232	gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
	233	gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
	234	gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
	235	gss_OID mech_type;
	236	OM_uint32 maj_stat, min_stat;
	237	int step, error_out;
	238	uschar tmp1, tmp2, *from_client;
	239	auth_heimdal_gssapi_options_block *ob =
	240	(auth_heimdal_gssapi_options_block *)(ablock->options_block);
	241	BOOL handled_empty_ir;
	242	rmark store_reset_point;
	243	uschar *keytab;
	244	uschar sasl_config[4];
	245	uschar requested_qop;
	246
	247	store_reset_point = store_mark();
	248
	249	HDEBUG(D_auth)
	250	debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
	251
	252	/* Construct our gss_name_t gserver describing ourselves */
	253	tmp1 = expand_string(ob->server_service);
	254	tmp2 = expand_string(ob->server_hostname);
	255	ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
	256	gbufdesc.value = (void *) ex_server_str;
	257	gbufdesc.length = Ustrlen(ex_server_str);
	258	maj_stat = gss_import_name(&min_stat,
	259	&gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
	260	if (GSS_ERROR(maj_stat))
	261	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	262	"gss_import_name(%s)", CS gbufdesc.value);
	263
	264	/* Use a specific keytab, if specified */
	265	if (ob->server_keytab)
	266	{
	267	keytab = expand_string(ob->server_keytab);
	268	maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
	269	if (GSS_ERROR(maj_stat))
	270	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	271	"registering keytab \"%s\"", keytab);
	272	HDEBUG(D_auth)
	273	debug_printf("heimdal: using keytab \"%s\"\n", keytab);
	274	}
	275
	276	/* Acquire our credentials */
	277	maj_stat = gss_acquire_cred(&min_stat,
	278	gserver, /* desired name */
	279	0, /* time */
	280	GSS_C_NULL_OID_SET, /* desired mechs */
	281	GSS_C_ACCEPT, /* cred usage */
	282	&gcred, /* handle */
	283	NULL /* actual mechs */,
	284	NULL /* time rec */);
	285	if (GSS_ERROR(maj_stat))
	286	return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
	287	"gss_acquire_cred(%s)", ex_server_str);
	288
	289	maj_stat = gss_release_name(&min_stat, &gserver);
	290
	291	HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
	292
	293	/* Loop talking to client */
	294	step = 0;
	295	from_client = initial_data;
	296	handled_empty_ir = FALSE;
	297	error_out = OK;
	298
	299	/* buffer sizes: auth_get_data() uses big_buffer, which we grow per
	300	GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
	301	(big_buffer starts life at the MUST size of 16KB). */
	302
	303	/* step values
	304	0: getting initial data from client to feed into GSSAPI
	305	1: iterating for as long as GSS_S_CONTINUE_NEEDED
	306	2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
	307	3: unpick final auth message from client
	308	4: break/finish (non-step)
	309	*/
	310	while (step < 4)
	311	switch (step)
	312	{
	313	case 0:
	314	if (!from_client \|\| !*from_client)
	315	{
	316	if (handled_empty_ir)
	317	{
	318	HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
	319	error_out = BAD64;
	320	goto ERROR_OUT;
	321	}
	322
	323	HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
	324	if ((error_out = auth_get_data(&from_client, US"", 0)) != OK)
	325	goto ERROR_OUT;
	326	handled_empty_ir = TRUE;
	327	continue;
	328	}
	329	/* We should now have the opening data from the client, base64-encoded. */
	330	step += 1;
	331	HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
	332	break;
	333
	334	case 1:
	335	gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
	336	if (gclient)
	337	{
	338	maj_stat = gss_release_name(&min_stat, &gclient);
	339	gclient = GSS_C_NO_NAME;
	340	}
	341	maj_stat = gss_accept_sec_context(&min_stat,
	342	&gcontext, /* context handle */
	343	gcred, /* acceptor cred handle */
	344	&gbufdesc_in, /* input from client */
	345	GSS_C_NO_CHANNEL_BINDINGS, /* XXX fixme: use the channel bindings from GnuTLS */
	346	&gclient, /* client identifier */
	347	&mech_type, /* mechanism in use */
	348	&gbufdesc_out, /* output to send to client */
	349	NULL, /* return flags */
	350	NULL, /* time rec */
	351	NULL /* delegated cred_handle */
	352	);
	353	if (GSS_ERROR(maj_stat))
	354	{
	355	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	356	"gss_accept_sec_context()");
	357	error_out = FAIL;
	358	goto ERROR_OUT;
	359	}
	360	if (gbufdesc_out.length != 0)
	361	{
	362	error_out = auth_get_data(&from_client,
	363	gbufdesc_out.value, gbufdesc_out.length);
	364	if (error_out != OK)
	365	goto ERROR_OUT;
	366
	367	gss_release_buffer(&min_stat, &gbufdesc_out);
	368	EmptyBuf(gbufdesc_out);
	369	}
	370	if (maj_stat == GSS_S_COMPLETE)
	371	{
	372	step += 1;
	373	HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
	374	}
	375	else
	376	HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
	377	break;
	378
	379	case 2:
	380	memset(sasl_config, 0xFF, 4);
	381	/* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
	382	0x01 No security layer
	383	0x02 Integrity protection
	384	0x04 Confidentiality protection
	385
	386	The remaining three octets are the maximum buffer size for wrapped
	387	content. */
	388	sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
	389	gbufdesc.value = (void *) sasl_config;
	390	gbufdesc.length = 4;
	391	maj_stat = gss_wrap(&min_stat,
	392	gcontext,
	393	0, /* conf_req_flag: integrity only */
	394	GSS_C_QOP_DEFAULT, /* qop requested */
	395	&gbufdesc, /* message to protect */
	396	NULL, /* conf_state: no confidentiality applied */
	397	&gbufdesc_out /* output buffer */
	398	);
	399	if (GSS_ERROR(maj_stat))
	400	{
	401	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	402	"gss_wrap(SASL state after auth)");
	403	error_out = FAIL;
	404	goto ERROR_OUT;
	405	}
	406
	407	HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
	408
	409	error_out = auth_get_data(&from_client,
	410	gbufdesc_out.value, gbufdesc_out.length);
	411	if (error_out != OK)
	412	goto ERROR_OUT;
	413
	414	gss_release_buffer(&min_stat, &gbufdesc_out);
	415	EmptyBuf(gbufdesc_out);
	416	step += 1;
	417	break;
	418
	419	case 3:
	420	gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
	421	maj_stat = gss_unwrap(&min_stat,
	422	gcontext,
	423	&gbufdesc_in, /* data from client */
	424	&gbufdesc_out, /* results */
	425	NULL, /* conf state */
	426	NULL /* qop state */
	427	);
	428	if (GSS_ERROR(maj_stat))
	429	{
	430	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	431	"gss_unwrap(final SASL message from client)");
	432	error_out = FAIL;
	433	goto ERROR_OUT;
	434	}
	435	if (gbufdesc_out.length < 4)
	436	{
	437	HDEBUG(D_auth)
	438	debug_printf("gssapi: final message too short; "
	439	"need flags, buf sizes and optional authzid\n");
	440	error_out = FAIL;
	441	goto ERROR_OUT;
	442	}
	443
	444	requested_qop = (CS gbufdesc_out.value)[0];
	445	if (!(requested_qop & 0x01))
	446	{
	447	HDEBUG(D_auth)
	448	debug_printf("gssapi: client requested security layers (%x)\n",
	449	(unsigned int) requested_qop);
	450	error_out = FAIL;
	451	goto ERROR_OUT;
	452	}
	453
	454	for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
	455	expand_nmax = 0;
	456
	457	/* Identifiers:
	458	The SASL provided identifier is an unverified authzid.
	459	GSSAPI provides us with a verified identifier, but it might be empty
	460	for some clients.
	461	*/
	462
	463	/* $auth2 is authzid requested at SASL layer */
	464	if (gbufdesc_out.length > 4)
	465	{
	466	expand_nlength[2] = gbufdesc_out.length - 4;
	467	auth_vars[1] = expand_nstring[2] =
	468	string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
	469	expand_nmax = 2;
	470	}
	471
	472	gss_release_buffer(&min_stat, &gbufdesc_out);
	473	EmptyBuf(gbufdesc_out);
	474
	475	/* $auth1 is GSSAPI display name */
	476	maj_stat = gss_display_name(&min_stat,
	477	gclient, &gbufdesc_out, &mech_type);
	478	if (GSS_ERROR(maj_stat))
	479	{
	480	auth_vars[1] = expand_nstring[2] = NULL;
	481	expand_nmax = 0;
	482	exim_gssapi_error_defer(NULL, maj_stat, min_stat,
	483	"gss_display_name(client identifier)");
	484	error_out = FAIL;
	485	goto ERROR_OUT;
	486	}
	487
	488	expand_nlength[1] = gbufdesc_out.length;
	489	auth_vars[0] = expand_nstring[1] =
	490	string_copyn(gbufdesc_out.value, gbufdesc_out.length);
	491
	492	if (expand_nmax == 0) /* should be: authzid was empty */
	493	{
	494	expand_nmax = 2;
	495	expand_nlength[2] = expand_nlength[1];
	496	auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
	497	HDEBUG(D_auth)
	498	debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
	499	}
	500
	501	HDEBUG(D_auth)
	502	debug_printf("heimdal SASL: happy with client request\n"
	503	" auth1 (verified GSSAPI display-name): \"%s\"\n"
	504	" auth2 (unverified SASL requested authzid): \"%s\"\n",
	505	auth_vars[0], auth_vars[1]);
	506
	507	step += 1;
	508	break;
	509
	510	} /* switch */
	511	/* while step */
	512
	513
	514	ERROR_OUT:
	515	maj_stat = gss_release_cred(&min_stat, &gcred);
	516	if (gclient)
	517	{
	518	gss_release_name(&min_stat, &gclient);
	519	gclient = GSS_C_NO_NAME;
	520	}
	521	if (gbufdesc_out.length)
	522	{
	523	gss_release_buffer(&min_stat, &gbufdesc_out);
	524	EmptyBuf(gbufdesc_out);
	525	}
	526	if (gcontext != GSS_C_NO_CONTEXT)
	527	gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
	528
	529	store_reset(store_reset_point);
	530
	531	if (error_out != OK)
	532	return error_out;
	533
	534	/* Auth succeeded, check server_condition */
	535	return auth_check_serv_cond(ablock);
	536	}
	537
	538
	539	static int
	540	exim_gssapi_error_defer(rmark store_reset_point,
	541	OM_uint32 major, OM_uint32 minor,
	542	const char *format, ...)
	543	{
	544	va_list ap;
	545	OM_uint32 maj_stat, min_stat;
	546	OM_uint32 msgcontext = 0;
	547	gss_buffer_desc status_string;
	548	gstring * g;
	549
	550	HDEBUG(D_auth)
	551	{
	552	va_start(ap, format);
	553	g = string_vformat(NULL, SVFMT_EXTEND\|SVFMT_REBUFFER, format, ap);
	554	va_end(ap);
	555	}
	556
	557	auth_defer_msg = NULL;
	558
	559	do {
	560	maj_stat = gss_display_status(&min_stat,
	561	major, GSS_C_GSS_CODE, GSS_C_NO_OID, &msgcontext, &status_string);
	562
	563	if (!auth_defer_msg)
	564	auth_defer_msg = string_copy(US status_string.value);
	565
	566	HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
	567	string_from_gstring(g), (int)status_string.length,
	568	CS status_string.value);
	569	gss_release_buffer(&min_stat, &status_string);
	570
	571	} while (msgcontext != 0);
	572
	573	if (store_reset_point)
	574	store_reset(store_reset_point);
	575	return DEFER;
	576	}
	577
	578
	579	/*************************************************
	580	* Client entry point *
	581	*************************************************/
	582
	583	/* For interface, see auths/README */
	584
	585	int
	586	auth_heimdal_gssapi_client(
	587	auth_instance ablock, / authenticator block */
	588	void * sx, /* connection */
	589	int timeout, /* command timeout */
	590	uschar buffer, / buffer for reading response */
	591	int buffsize) /* size of buffer */
	592	{
	593	HDEBUG(D_auth)
	594	debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
	595	/* NOT IMPLEMENTED */
	596	return FAIL;
	597	}
	598
	599	/*************************************************
	600	* Diagnostic API *
	601	*************************************************/
	602
	603	void
	604	auth_heimdal_gssapi_version_report(FILE *f)
	605	{
	606	/* No build-time constants available unless we link against libraries at
	607	build-time and export the result as a string into a header ourselves. */
	608	fprintf(f, "Library version: Heimdal: Runtime: %s\n"
	609	" Build Info: %s\n",
	610	heimdal_version, heimdal_long_version);
	611	}
	612
	613	#endif /!MACRO_PREDEF/
	614	#endif /* AUTH_HEIMDAL_GSSAPI */
	615
	616	/* End of heimdal_gssapi.c */