projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Prebuild the data structure for builtin macros
[exim.git] / src / src / auths / heimdal_gssapi.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Copyright (c) Twitter Inc 2012
9 Author: Phil Pennock <pdp@exim.org> */
10 /* Copyright (c) Phil Pennock 2012 */
11
12 /* Interface to Heimdal library for GSSAPI authentication. */
13
14 /* Naming and rationale
15
16 Sensibly, this integration would be deferred to a SASL library, but none
17 of them appear to offer keytab file selection interfaces in their APIs. It
18 might be that this driver only requires minor modification to work with MIT
19 Kerberos.
20
21 Heimdal provides a number of interfaces for various forms of authentication.
22 As GS2 does not appear to provide keytab control interfaces either, we may
23 end up supporting that too. It's possible that we could trivially expand to
24 support NTLM support via Heimdal, etc. Rather than try to be too generic
25 immediately, this driver is directly only supporting GSSAPI.
26
27 Without rename, we could add an option for GS2 support in the future.
28 */
29
30 /* Sources
31
32 * mailcheck-imap (Perl, client-side, written by me years ago)
33 * gsasl driver (GPL, server-side)
34 * heimdal sources and man-pages, plus http://www.h5l.org/manual/
35 * FreeBSD man-pages (very informative!)
36 * http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
37 semantics, that found by browsing Heimdal source to find how to set the keytab; however,
38 after multiple attempts I failed to get that to work and instead switched to
39 gsskrb5_register_acceptor_identity().
40 */
41
42 #include "../exim.h"
43
44 #ifndef AUTH_HEIMDAL_GSSAPI
45 /* dummy function to satisfy compilers when we link in an "empty" file. */
46 static void dummy(int x);
47 static void dummy2(int x) { dummy(x-1); }
48 static void dummy(int x) { dummy2(x-1); }
49 #else
50
51 #include <gssapi/gssapi.h>
52 #include <gssapi/gssapi_krb5.h>
53
54 /* for the _init debugging */
55 #include <krb5.h>
56
57 #include "heimdal_gssapi.h"
58
59 /* Authenticator-specific options. */
60 optionlist auth_heimdal_gssapi_options[] = {
61 { "server_hostname", opt_stringptr,
62 (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
63 { "server_keytab", opt_stringptr,
64 (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
65 { "server_service", opt_stringptr,
66 (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
67 };
68
69 int auth_heimdal_gssapi_options_count =
70 sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
71
72 /* Defaults for the authenticator-specific options. */
73 auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
74 US"$primary_hostname", /* server_hostname */
75 NULL, /* server_keytab */
76 US"smtp", /* server_service */
77 };
78
79
80 #ifdef MACRO_PREDEF
81
82 /* Dummy values */
83 void auth_heimdal_init(auth_instance *ablock) {}
84 int auth_heimdal_server(auth_instance *ablock, uschar *data) {return 0;}
85 int auth_heimdal_client(auth_instance *ablock, smtp_inblock *inblock,
86 smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
87
88 #else /*!MACRO_PREDEF*/
89
90
91
92 /* "Globals" for managing the heimdal_gssapi interface. */
93
94 /* Utility functions */
95 static void
96 exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
97 static int
98 exim_gssapi_error_defer(uschar *, OM_uint32, OM_uint32, const char *, ...)
99 PRINTF_FUNCTION(4, 5);
100
101 #define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
102
103
104 /*************************************************
105 * Initialization entry point *
106 *************************************************/
107
108 /* Called for each instance, after its options have been read, to
109 enable consistency checks to be done, or anything else that needs
110 to be set up. */
111
112 /* Heimdal provides a GSSAPI extension method for setting the keytab;
113 in the init, we mostly just use raw krb5 methods so that we can report
114 the keytab contents, for -D+auth debugging. */
115
116 void
117 auth_heimdal_gssapi_init(auth_instance *ablock)
118 {
119 krb5_context context;
120 krb5_keytab keytab;
121 krb5_kt_cursor cursor;
122 krb5_keytab_entry entry;
123 krb5_error_code krc;
124 char *principal, *enctype_s;
125 const char *k_keytab_typed_name = NULL;
126 auth_heimdal_gssapi_options_block *ob =
127 (auth_heimdal_gssapi_options_block *)(ablock->options_block);
128
129 ablock->server = FALSE;
130 ablock->client = FALSE;
131
132 if (!ob->server_service || !*ob->server_service) {
133 HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
134 return;
135 }
136
137 krc = krb5_init_context(&context);
138 if (krc != 0) {
139 int kerr = errno;
140 HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
141 strerror(kerr));
142 return;
143 }
144
145 if (ob->server_keytab) {
146 k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
147 HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
148 krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
149 if (krc) {
150 HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
151 return;
152 }
153 } else {
154 HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
155 krc = krb5_kt_default(context, &keytab);
156 if (krc) {
157 HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
158 return;
159 }
160 }
161
162 HDEBUG(D_auth) {
163 /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
164 krc = krb5_kt_start_seq_get(context, keytab, &cursor);
165 if (krc)
166 exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
167 else {
168 while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
169 principal = enctype_s = NULL;
170 krb5_unparse_name(context, entry.principal, &principal);
171 krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
172 debug_printf("heimdal: keytab principal: %s vno=%d type=%s\n",
173 principal ? principal : "??",
174 entry.vno,
175 enctype_s ? enctype_s : "??");
176 free(principal);
177 free(enctype_s);
178 krb5_kt_free_entry(context, &entry);
179 }
180 krc = krb5_kt_end_seq_get(context, keytab, &cursor);
181 if (krc)
182 exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
183 }
184 }
185
186 krc = krb5_kt_close(context, keytab);
187 if (krc)
188 HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
189
190 krb5_free_context(context);
191
192 /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
193 if (big_buffer_size < (64 * 1024)) {
194 uschar *newbuf;
195 big_buffer_size = 64 * 1024;
196 newbuf = store_malloc(big_buffer_size);
197 store_free(big_buffer);
198 big_buffer = newbuf;
199 }
200
201 ablock->server = TRUE;
202 }
203
204
205 static void
206 exim_heimdal_error_debug(const char *label,
207 krb5_context context, krb5_error_code err)
208 {
209 const char *kerrsc;
210 kerrsc = krb5_get_error_message(context, err);
211 debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
212 krb5_free_error_message(context, kerrsc);
213 }
214
215 /*************************************************
216 * Server entry point *
217 *************************************************/
218
219 /* For interface, see auths/README */
220
221 /* GSSAPI notes:
222 OM_uint32: portable type for unsigned int32
223 gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
224 -- all strings/etc passed in should go through one of these
225 -- when allocated by gssapi, release with gss_release_buffer()
226 */
227
228 int
229 auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
230 {
231 gss_name_t gclient = GSS_C_NO_NAME;
232 gss_name_t gserver = GSS_C_NO_NAME;
233 gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
234 gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
235 uschar *ex_server_str;
236 gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
237 gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
238 gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
239 gss_OID mech_type;
240 OM_uint32 maj_stat, min_stat;
241 int step, error_out, i;
242 uschar *tmp1, *tmp2, *from_client;
243 auth_heimdal_gssapi_options_block *ob =
244 (auth_heimdal_gssapi_options_block *)(ablock->options_block);
245 BOOL handled_empty_ir;
246 uschar *store_reset_point;
247 uschar *keytab;
248 uschar sasl_config[4];
249 uschar requested_qop;
250
251 store_reset_point = store_get(0);
252
253 HDEBUG(D_auth)
254 debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
255
256 /* Construct our gss_name_t gserver describing ourselves */
257 tmp1 = expand_string(ob->server_service);
258 tmp2 = expand_string(ob->server_hostname);
259 ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
260 gbufdesc.value = (void *) ex_server_str;
261 gbufdesc.length = Ustrlen(ex_server_str);
262 maj_stat = gss_import_name(&min_stat,
263 &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
264 if (GSS_ERROR(maj_stat))
265 return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
266 "gss_import_name(%s)", CS gbufdesc.value);
267
268 /* Use a specific keytab, if specified */
269 if (ob->server_keytab) {
270 keytab = expand_string(ob->server_keytab);
271 maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
272 if (GSS_ERROR(maj_stat))
273 return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
274 "registering keytab \"%s\"", keytab);
275 HDEBUG(D_auth)
276 debug_printf("heimdal: using keytab \"%s\"\n", keytab);
277 }
278
279 /* Acquire our credentials */
280 maj_stat = gss_acquire_cred(&min_stat,
281 gserver, /* desired name */
282 0, /* time */
283 GSS_C_NULL_OID_SET, /* desired mechs */
284 GSS_C_ACCEPT, /* cred usage */
285 &gcred, /* handle */
286 NULL /* actual mechs */,
287 NULL /* time rec */);
288 if (GSS_ERROR(maj_stat))
289 return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
290 "gss_acquire_cred(%s)", ex_server_str);
291
292 maj_stat = gss_release_name(&min_stat, &gserver);
293
294 HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
295
296 /* Loop talking to client */
297 step = 0;
298 from_client = initial_data;
299 handled_empty_ir = FALSE;
300 error_out = OK;
301
302 /* buffer sizes: auth_get_data() uses big_buffer, which we grow per
303 GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
304 (big_buffer starts life at the MUST size of 16KB). */
305
306 /* step values
307 0: getting initial data from client to feed into GSSAPI
308 1: iterating for as long as GSS_S_CONTINUE_NEEDED
309 2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
310 3: unpick final auth message from client
311 4: break/finish (non-step)
312 */
313 while (step < 4) {
314 switch (step) {
315 case 0:
316 if (!from_client || *from_client == '\0') {
317 if (handled_empty_ir) {
318 HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
319 error_out = BAD64;
320 goto ERROR_OUT;
321 } else {
322 HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
323 error_out = auth_get_data(&from_client, US"", 0);
324 if (error_out != OK)
325 goto ERROR_OUT;
326 handled_empty_ir = TRUE;
327 continue;
328 }
329 }
330 /* We should now have the opening data from the client, base64-encoded. */
331 step += 1;
332 HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
333 break;
334
335 case 1:
336 gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
337 if (gclient) {
338 maj_stat = gss_release_name(&min_stat, &gclient);
339 gclient = GSS_C_NO_NAME;
340 }
341 maj_stat = gss_accept_sec_context(&min_stat,
342 &gcontext, /* context handle */
343 gcred, /* acceptor cred handle */
344 &gbufdesc_in, /* input from client */
345 GSS_C_NO_CHANNEL_BINDINGS, /* XXX fixme: use the channel bindings from GnuTLS */
346 &gclient, /* client identifier */
347 &mech_type, /* mechanism in use */
348 &gbufdesc_out, /* output to send to client */
349 NULL, /* return flags */
350 NULL, /* time rec */
351 NULL /* delegated cred_handle */
352 );
353 if (GSS_ERROR(maj_stat)) {
354 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
355 "gss_accept_sec_context()");
356 error_out = FAIL;
357 goto ERROR_OUT;
358 }
359 if (&gbufdesc_out.length != 0) {
360 error_out = auth_get_data(&from_client,
361 gbufdesc_out.value, gbufdesc_out.length);
362 if (error_out != OK)
363 goto ERROR_OUT;
364
365 gss_release_buffer(&min_stat, &gbufdesc_out);
366 EmptyBuf(gbufdesc_out);
367 }
368 if (maj_stat == GSS_S_COMPLETE) {
369 step += 1;
370 HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
371 } else {
372 HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
373 }
374 break;
375
376 case 2:
377 memset(sasl_config, 0xFF, 4);
378 /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
379 0x01 No security layer
380 0x02 Integrity protection
381 0x04 Confidentiality protection
382
383 The remaining three octets are the maximum buffer size for wrapped
384 content. */
385 sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
386 gbufdesc.value = (void *) sasl_config;
387 gbufdesc.length = 4;
388 maj_stat = gss_wrap(&min_stat,
389 gcontext,
390 0, /* conf_req_flag: integrity only */
391 GSS_C_QOP_DEFAULT, /* qop requested */
392 &gbufdesc, /* message to protect */
393 NULL, /* conf_state: no confidentiality applied */
394 &gbufdesc_out /* output buffer */
395 );
396 if (GSS_ERROR(maj_stat)) {
397 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
398 "gss_wrap(SASL state after auth)");
399 error_out = FAIL;
400 goto ERROR_OUT;
401 }
402
403 HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
404
405 error_out = auth_get_data(&from_client,
406 gbufdesc_out.value, gbufdesc_out.length);
407 if (error_out != OK)
408 goto ERROR_OUT;
409
410 gss_release_buffer(&min_stat, &gbufdesc_out);
411 EmptyBuf(gbufdesc_out);
412 step += 1;
413 break;
414
415 case 3:
416 gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
417 maj_stat = gss_unwrap(&min_stat,
418 gcontext,
419 &gbufdesc_in, /* data from client */
420 &gbufdesc_out, /* results */
421 NULL, /* conf state */
422 NULL /* qop state */
423 );
424 if (GSS_ERROR(maj_stat)) {
425 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
426 "gss_unwrap(final SASL message from client)");
427 error_out = FAIL;
428 goto ERROR_OUT;
429 }
430 if (gbufdesc_out.length < 4) {
431 HDEBUG(D_auth)
432 debug_printf("gssapi: final message too short; "
433 "need flags, buf sizes and optional authzid\n");
434 error_out = FAIL;
435 goto ERROR_OUT;
436 }
437
438 requested_qop = (CS gbufdesc_out.value)[0];
439 if ((requested_qop & 0x01) == 0) {
440 HDEBUG(D_auth)
441 debug_printf("gssapi: client requested security layers (%x)\n",
442 (unsigned int) requested_qop);
443 error_out = FAIL;
444 goto ERROR_OUT;
445 }
446
447 for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
448 expand_nmax = 0;
449
450 /* Identifiers:
451 The SASL provided identifier is an unverified authzid.
452 GSSAPI provides us with a verified identifier, but it might be empty
453 for some clients.
454 */
455
456 /* $auth2 is authzid requested at SASL layer */
457 if (gbufdesc_out.length > 4) {
458 expand_nlength[2] = gbufdesc_out.length - 4;
459 auth_vars[1] = expand_nstring[2] =
460 string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
461 expand_nmax = 2;
462 }
463
464 gss_release_buffer(&min_stat, &gbufdesc_out);
465 EmptyBuf(gbufdesc_out);
466
467 /* $auth1 is GSSAPI display name */
468 maj_stat = gss_display_name(&min_stat,
469 gclient,
470 &gbufdesc_out,
471 &mech_type);
472 if (GSS_ERROR(maj_stat)) {
473 auth_vars[1] = expand_nstring[2] = NULL;
474 expand_nmax = 0;
475 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
476 "gss_display_name(client identifier)");
477 error_out = FAIL;
478 goto ERROR_OUT;
479 }
480
481 expand_nlength[1] = gbufdesc_out.length;
482 auth_vars[0] = expand_nstring[1] =
483 string_copyn(gbufdesc_out.value, gbufdesc_out.length);
484
485 if (expand_nmax == 0) { /* should be: authzid was empty */
486 expand_nmax = 2;
487 expand_nlength[2] = expand_nlength[1];
488 auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
489 HDEBUG(D_auth)
490 debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
491 }
492
493 HDEBUG(D_auth)
494 debug_printf("heimdal SASL: happy with client request\n"
495 " auth1 (verified GSSAPI display-name): \"%s\"\n"
496 " auth2 (unverified SASL requested authzid): \"%s\"\n",
497 auth_vars[0], auth_vars[1]);
498
499 step += 1;
500 break;
501
502 } /* switch */
503 } /* while step */
504
505
506 ERROR_OUT:
507 maj_stat = gss_release_cred(&min_stat, &gcred);
508 if (gclient) {
509 gss_release_name(&min_stat, &gclient);
510 gclient = GSS_C_NO_NAME;
511 }
512 if (gbufdesc_out.length) {
513 gss_release_buffer(&min_stat, &gbufdesc_out);
514 EmptyBuf(gbufdesc_out);
515 }
516 if (gcontext != GSS_C_NO_CONTEXT) {
517 gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
518 }
519
520 store_reset(store_reset_point);
521
522 if (error_out != OK)
523 return error_out;
524
525 /* Auth succeeded, check server_condition */
526 return auth_check_serv_cond(ablock);
527 }
528
529
530 static int
531 exim_gssapi_error_defer(uschar *store_reset_point,
532 OM_uint32 major, OM_uint32 minor,
533 const char *format, ...)
534 {
535 va_list ap;
536 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
537 OM_uint32 maj_stat, min_stat;
538 OM_uint32 msgcontext = 0;
539 gss_buffer_desc status_string;
540
541 va_start(ap, format);
542 if (!string_vformat(buffer, sizeof(buffer), format, ap))
543 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
544 "exim_gssapi_error_defer expansion larger than %lu",
545 sizeof(buffer));
546 va_end(ap);
547
548 auth_defer_msg = NULL;
549
550 do {
551 maj_stat = gss_display_status(&min_stat,
552 major, GSS_C_GSS_CODE, GSS_C_NO_OID,
553 &msgcontext, &status_string);
554
555 if (auth_defer_msg == NULL) {
556 auth_defer_msg = string_copy(US status_string.value);
557 }
558
559 HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
560 buffer, (int)status_string.length, CS status_string.value);
561 gss_release_buffer(&min_stat, &status_string);
562
563 } while (msgcontext != 0);
564
565 if (store_reset_point)
566 store_reset(store_reset_point);
567 return DEFER;
568 }
569
570
571 /*************************************************
572 * Client entry point *
573 *************************************************/
574
575 /* For interface, see auths/README */
576
577 int
578 auth_heimdal_gssapi_client(
579 auth_instance *ablock, /* authenticator block */
580 smtp_inblock *inblock, /* connection inblock */
581 smtp_outblock *outblock, /* connection outblock */
582 int timeout, /* command timeout */
583 uschar *buffer, /* buffer for reading response */
584 int buffsize) /* size of buffer */
585 {
586 HDEBUG(D_auth)
587 debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
588 /* NOT IMPLEMENTED */
589 return FAIL;
590 }
591
592 /*************************************************
593 * Diagnostic API *
594 *************************************************/
595
596 void
597 auth_heimdal_gssapi_version_report(FILE *f)
598 {
599 /* No build-time constants available unless we link against libraries at
600 build-time and export the result as a string into a header ourselves. */
601 fprintf(f, "Library version: Heimdal: Runtime: %s\n"
602 " Build Info: %s\n",
603 heimdal_version, heimdal_long_version);
604 }
605
606 #endif /*!MACRO_PREDEF*/
607 #endif /* AUTH_HEIMDAL_GSSAPI */
608
609 /* End of heimdal_gssapi.c */
Unnamed repository; edit this file 'description' to name the repository.