1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Copyright (c) Twitter Inc 2012
9 Author: Phil Pennock <pdp@exim.org> */
10 /* Copyright (c) Phil Pennock 2012 */
12 /* Interface to Heimdal library for GSSAPI authentication. */
14 /* Naming and rationale
16 Sensibly, this integration would be deferred to a SASL library, but none
17 of them appear to offer keytab file selection interfaces in their APIs. It
18 might be that this driver only requires minor modification to work with MIT
21 Heimdal provides a number of interfaces for various forms of authentication.
22 As GS2 does not appear to provide keytab control interfaces either, we may
23 end up supporting that too. It's possible that we could trivially expand to
24 support NTLM support via Heimdal, etc. Rather than try to be too generic
25 immediately, this driver is directly only supporting GSSAPI.
27 Without rename, we could add an option for GS2 support in the future.
32 * mailcheck-imap (Perl, client-side, written by me years ago)
33 * gsasl driver (GPL, server-side)
34 * heimdal sources and man-pages, plus http://www.h5l.org/manual/
35 * FreeBSD man-pages (very informative!)
36 * http://www.ggf.org/documents/GFD.24.pdf confirming GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X
37 semantics, that found by browsing Heimdal source to find how to set the keytab; however,
38 after multiple attempts I failed to get that to work and instead switched to
39 gsskrb5_register_acceptor_identity().
44 #ifndef AUTH_HEIMDAL_GSSAPI
45 /* dummy function to satisfy compilers when we link in an "empty" file. */
46 static void dummy(int x);
47 static void dummy2(int x) { dummy(x-1); }
48 static void dummy(int x) { dummy2(x-1); }
51 #include <gssapi/gssapi.h>
52 #include <gssapi/gssapi_krb5.h>
54 /* for the _init debugging */
57 #include "heimdal_gssapi.h"
59 /* Authenticator-specific options. */
60 optionlist auth_heimdal_gssapi_options[] = {
61 { "server_hostname", opt_stringptr,
62 (void *)(offsetof(auth_heimdal_gssapi_options_block, server_hostname)) },
63 { "server_keytab", opt_stringptr,
64 (void *)(offsetof(auth_heimdal_gssapi_options_block, server_keytab)) },
65 { "server_service", opt_stringptr,
66 (void *)(offsetof(auth_heimdal_gssapi_options_block, server_service)) }
69 int auth_heimdal_gssapi_options_count =
70 sizeof(auth_heimdal_gssapi_options)/sizeof(optionlist);
72 /* Defaults for the authenticator-specific options. */
73 auth_heimdal_gssapi_options_block auth_heimdal_gssapi_option_defaults = {
74 US"$primary_hostname", /* server_hostname */
75 NULL, /* server_keytab */
76 US"smtp", /* server_service */
83 void auth_heimdal_init(auth_instance *ablock) {}
84 int auth_heimdal_server(auth_instance *ablock, uschar *data) {return 0;}
85 int auth_heimdal_client(auth_instance *ablock, smtp_inblock *inblock,
86 smtp_outblock *outblock, int timeout, uschar *buffer, int buffsize) {return 0;}
88 #else /*!MACRO_PREDEF*/
92 /* "Globals" for managing the heimdal_gssapi interface. */
94 /* Utility functions */
96 exim_heimdal_error_debug(const char *, krb5_context, krb5_error_code);
98 exim_gssapi_error_defer(uschar *, OM_uint32, OM_uint32, const char *, ...)
99 PRINTF_FUNCTION(4, 5);
101 #define EmptyBuf(buf) do { buf.value = NULL; buf.length = 0; } while (0)
104 /*************************************************
105 * Initialization entry point *
106 *************************************************/
108 /* Called for each instance, after its options have been read, to
109 enable consistency checks to be done, or anything else that needs
112 /* Heimdal provides a GSSAPI extension method for setting the keytab;
113 in the init, we mostly just use raw krb5 methods so that we can report
114 the keytab contents, for -D+auth debugging. */
117 auth_heimdal_gssapi_init(auth_instance *ablock)
119 krb5_context context;
121 krb5_kt_cursor cursor;
122 krb5_keytab_entry entry;
124 char *principal, *enctype_s;
125 const char *k_keytab_typed_name = NULL;
126 auth_heimdal_gssapi_options_block *ob =
127 (auth_heimdal_gssapi_options_block *)(ablock->options_block);
129 ablock->server = FALSE;
130 ablock->client = FALSE;
132 if (!ob->server_service || !*ob->server_service) {
133 HDEBUG(D_auth) debug_printf("heimdal: missing server_service\n");
137 krc = krb5_init_context(&context);
140 HDEBUG(D_auth) debug_printf("heimdal: failed to initialise krb5 context: %s\n",
145 if (ob->server_keytab) {
146 k_keytab_typed_name = CCS string_sprintf("file:%s", expand_string(ob->server_keytab));
147 HDEBUG(D_auth) debug_printf("heimdal: using keytab %s\n", k_keytab_typed_name);
148 krc = krb5_kt_resolve(context, k_keytab_typed_name, &keytab);
150 HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_resolve", context, krc);
154 HDEBUG(D_auth) debug_printf("heimdal: using system default keytab\n");
155 krc = krb5_kt_default(context, &keytab);
157 HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_default", context, krc);
163 /* http://www.h5l.org/manual/HEAD/krb5/krb5_keytab_intro.html */
164 krc = krb5_kt_start_seq_get(context, keytab, &cursor);
166 exim_heimdal_error_debug("krb5_kt_start_seq_get", context, krc);
168 while ((krc = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
169 principal = enctype_s = NULL;
170 krb5_unparse_name(context, entry.principal, &principal);
171 krb5_enctype_to_string(context, entry.keyblock.keytype, &enctype_s);
172 debug_printf("heimdal: keytab principal: %s vno=%d type=%s\n",
173 principal ? principal : "??",
175 enctype_s ? enctype_s : "??");
178 krb5_kt_free_entry(context, &entry);
180 krc = krb5_kt_end_seq_get(context, keytab, &cursor);
182 exim_heimdal_error_debug("krb5_kt_end_seq_get", context, krc);
186 krc = krb5_kt_close(context, keytab);
188 HDEBUG(D_auth) exim_heimdal_error_debug("krb5_kt_close", context, krc);
190 krb5_free_context(context);
192 /* RFC 4121 section 5.2, SHOULD support 64K input buffers */
193 if (big_buffer_size < (64 * 1024)) {
195 big_buffer_size = 64 * 1024;
196 newbuf = store_malloc(big_buffer_size);
197 store_free(big_buffer);
201 ablock->server = TRUE;
206 exim_heimdal_error_debug(const char *label,
207 krb5_context context, krb5_error_code err)
210 kerrsc = krb5_get_error_message(context, err);
211 debug_printf("heimdal %s: %s\n", label, kerrsc ? kerrsc : "unknown error");
212 krb5_free_error_message(context, kerrsc);
215 /*************************************************
216 * Server entry point *
217 *************************************************/
219 /* For interface, see auths/README */
222 OM_uint32: portable type for unsigned int32
223 gss_buffer_desc / *gss_buffer_t: hold/point-to size_t .length & void *value
224 -- all strings/etc passed in should go through one of these
225 -- when allocated by gssapi, release with gss_release_buffer()
229 auth_heimdal_gssapi_server(auth_instance *ablock, uschar *initial_data)
231 gss_name_t gclient = GSS_C_NO_NAME;
232 gss_name_t gserver = GSS_C_NO_NAME;
233 gss_cred_id_t gcred = GSS_C_NO_CREDENTIAL;
234 gss_ctx_id_t gcontext = GSS_C_NO_CONTEXT;
235 uschar *ex_server_str;
236 gss_buffer_desc gbufdesc = GSS_C_EMPTY_BUFFER;
237 gss_buffer_desc gbufdesc_in = GSS_C_EMPTY_BUFFER;
238 gss_buffer_desc gbufdesc_out = GSS_C_EMPTY_BUFFER;
240 OM_uint32 maj_stat, min_stat;
241 int step, error_out, i;
242 uschar *tmp1, *tmp2, *from_client;
243 auth_heimdal_gssapi_options_block *ob =
244 (auth_heimdal_gssapi_options_block *)(ablock->options_block);
245 BOOL handled_empty_ir;
246 uschar *store_reset_point;
248 uschar sasl_config[4];
249 uschar requested_qop;
251 store_reset_point = store_get(0);
254 debug_printf("heimdal: initialising auth context for %s\n", ablock->name);
256 /* Construct our gss_name_t gserver describing ourselves */
257 tmp1 = expand_string(ob->server_service);
258 tmp2 = expand_string(ob->server_hostname);
259 ex_server_str = string_sprintf("%s@%s", tmp1, tmp2);
260 gbufdesc.value = (void *) ex_server_str;
261 gbufdesc.length = Ustrlen(ex_server_str);
262 maj_stat = gss_import_name(&min_stat,
263 &gbufdesc, GSS_C_NT_HOSTBASED_SERVICE, &gserver);
264 if (GSS_ERROR(maj_stat))
265 return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
266 "gss_import_name(%s)", CS gbufdesc.value);
268 /* Use a specific keytab, if specified */
269 if (ob->server_keytab) {
270 keytab = expand_string(ob->server_keytab);
271 maj_stat = gsskrb5_register_acceptor_identity(CCS keytab);
272 if (GSS_ERROR(maj_stat))
273 return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
274 "registering keytab \"%s\"", keytab);
276 debug_printf("heimdal: using keytab \"%s\"\n", keytab);
279 /* Acquire our credentials */
280 maj_stat = gss_acquire_cred(&min_stat,
281 gserver, /* desired name */
283 GSS_C_NULL_OID_SET, /* desired mechs */
284 GSS_C_ACCEPT, /* cred usage */
286 NULL /* actual mechs */,
287 NULL /* time rec */);
288 if (GSS_ERROR(maj_stat))
289 return exim_gssapi_error_defer(store_reset_point, maj_stat, min_stat,
290 "gss_acquire_cred(%s)", ex_server_str);
292 maj_stat = gss_release_name(&min_stat, &gserver);
294 HDEBUG(D_auth) debug_printf("heimdal: have server credentials.\n");
296 /* Loop talking to client */
298 from_client = initial_data;
299 handled_empty_ir = FALSE;
302 /* buffer sizes: auth_get_data() uses big_buffer, which we grow per
303 GSSAPI RFC in _init, if needed, to meet the SHOULD size of 64KB.
304 (big_buffer starts life at the MUST size of 16KB). */
307 0: getting initial data from client to feed into GSSAPI
308 1: iterating for as long as GSS_S_CONTINUE_NEEDED
309 2: GSS_S_COMPLETE, SASL wrapping for authz and qop to send to client
310 3: unpick final auth message from client
311 4: break/finish (non-step)
316 if (!from_client || *from_client == '\0') {
317 if (handled_empty_ir) {
318 HDEBUG(D_auth) debug_printf("gssapi: repeated empty input, grr.\n");
322 HDEBUG(D_auth) debug_printf("gssapi: missing initial response, nudging.\n");
323 error_out = auth_get_data(&from_client, US"", 0);
326 handled_empty_ir = TRUE;
330 /* We should now have the opening data from the client, base64-encoded. */
332 HDEBUG(D_auth) debug_printf("heimdal: have initial client data\n");
336 gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
338 maj_stat = gss_release_name(&min_stat, &gclient);
339 gclient = GSS_C_NO_NAME;
341 maj_stat = gss_accept_sec_context(&min_stat,
342 &gcontext, /* context handle */
343 gcred, /* acceptor cred handle */
344 &gbufdesc_in, /* input from client */
345 GSS_C_NO_CHANNEL_BINDINGS, /* XXX fixme: use the channel bindings from GnuTLS */
346 &gclient, /* client identifier */
347 &mech_type, /* mechanism in use */
348 &gbufdesc_out, /* output to send to client */
349 NULL, /* return flags */
351 NULL /* delegated cred_handle */
353 if (GSS_ERROR(maj_stat)) {
354 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
355 "gss_accept_sec_context()");
359 if (&gbufdesc_out.length != 0) {
360 error_out = auth_get_data(&from_client,
361 gbufdesc_out.value, gbufdesc_out.length);
365 gss_release_buffer(&min_stat, &gbufdesc_out);
366 EmptyBuf(gbufdesc_out);
368 if (maj_stat == GSS_S_COMPLETE) {
370 HDEBUG(D_auth) debug_printf("heimdal: GSS complete\n");
372 HDEBUG(D_auth) debug_printf("heimdal: need more data\n");
377 memset(sasl_config, 0xFF, 4);
378 /* draft-ietf-sasl-gssapi-06.txt defines bitmasks for first octet
379 0x01 No security layer
380 0x02 Integrity protection
381 0x04 Confidentiality protection
383 The remaining three octets are the maximum buffer size for wrapped
385 sasl_config[0] = 0x01; /* Exim does not wrap/unwrap SASL layers after auth */
386 gbufdesc.value = (void *) sasl_config;
388 maj_stat = gss_wrap(&min_stat,
390 0, /* conf_req_flag: integrity only */
391 GSS_C_QOP_DEFAULT, /* qop requested */
392 &gbufdesc, /* message to protect */
393 NULL, /* conf_state: no confidentiality applied */
394 &gbufdesc_out /* output buffer */
396 if (GSS_ERROR(maj_stat)) {
397 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
398 "gss_wrap(SASL state after auth)");
403 HDEBUG(D_auth) debug_printf("heimdal SASL: requesting QOP with no security layers\n");
405 error_out = auth_get_data(&from_client,
406 gbufdesc_out.value, gbufdesc_out.length);
410 gss_release_buffer(&min_stat, &gbufdesc_out);
411 EmptyBuf(gbufdesc_out);
416 gbufdesc_in.length = b64decode(from_client, USS &gbufdesc_in.value);
417 maj_stat = gss_unwrap(&min_stat,
419 &gbufdesc_in, /* data from client */
420 &gbufdesc_out, /* results */
421 NULL, /* conf state */
424 if (GSS_ERROR(maj_stat)) {
425 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
426 "gss_unwrap(final SASL message from client)");
430 if (gbufdesc_out.length < 4) {
432 debug_printf("gssapi: final message too short; "
433 "need flags, buf sizes and optional authzid\n");
438 requested_qop = (CS gbufdesc_out.value)[0];
439 if ((requested_qop & 0x01) == 0) {
441 debug_printf("gssapi: client requested security layers (%x)\n",
442 (unsigned int) requested_qop);
447 for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
451 The SASL provided identifier is an unverified authzid.
452 GSSAPI provides us with a verified identifier, but it might be empty
456 /* $auth2 is authzid requested at SASL layer */
457 if (gbufdesc_out.length > 4) {
458 expand_nlength[2] = gbufdesc_out.length - 4;
459 auth_vars[1] = expand_nstring[2] =
460 string_copyn((US gbufdesc_out.value) + 4, expand_nlength[2]);
464 gss_release_buffer(&min_stat, &gbufdesc_out);
465 EmptyBuf(gbufdesc_out);
467 /* $auth1 is GSSAPI display name */
468 maj_stat = gss_display_name(&min_stat,
472 if (GSS_ERROR(maj_stat)) {
473 auth_vars[1] = expand_nstring[2] = NULL;
475 exim_gssapi_error_defer(NULL, maj_stat, min_stat,
476 "gss_display_name(client identifier)");
481 expand_nlength[1] = gbufdesc_out.length;
482 auth_vars[0] = expand_nstring[1] =
483 string_copyn(gbufdesc_out.value, gbufdesc_out.length);
485 if (expand_nmax == 0) { /* should be: authzid was empty */
487 expand_nlength[2] = expand_nlength[1];
488 auth_vars[1] = expand_nstring[2] = string_copyn(expand_nstring[1], expand_nlength[1]);
490 debug_printf("heimdal SASL: empty authzid, set to dup of GSSAPI display name\n");
494 debug_printf("heimdal SASL: happy with client request\n"
495 " auth1 (verified GSSAPI display-name): \"%s\"\n"
496 " auth2 (unverified SASL requested authzid): \"%s\"\n",
497 auth_vars[0], auth_vars[1]);
507 maj_stat = gss_release_cred(&min_stat, &gcred);
509 gss_release_name(&min_stat, &gclient);
510 gclient = GSS_C_NO_NAME;
512 if (gbufdesc_out.length) {
513 gss_release_buffer(&min_stat, &gbufdesc_out);
514 EmptyBuf(gbufdesc_out);
516 if (gcontext != GSS_C_NO_CONTEXT) {
517 gss_delete_sec_context(&min_stat, &gcontext, GSS_C_NO_BUFFER);
520 store_reset(store_reset_point);
525 /* Auth succeeded, check server_condition */
526 return auth_check_serv_cond(ablock);
531 exim_gssapi_error_defer(uschar *store_reset_point,
532 OM_uint32 major, OM_uint32 minor,
533 const char *format, ...)
536 uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
537 OM_uint32 maj_stat, min_stat;
538 OM_uint32 msgcontext = 0;
539 gss_buffer_desc status_string;
541 va_start(ap, format);
542 if (!string_vformat(buffer, sizeof(buffer), format, ap))
543 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
544 "exim_gssapi_error_defer expansion larger than %lu",
548 auth_defer_msg = NULL;
551 maj_stat = gss_display_status(&min_stat,
552 major, GSS_C_GSS_CODE, GSS_C_NO_OID,
553 &msgcontext, &status_string);
555 if (auth_defer_msg == NULL) {
556 auth_defer_msg = string_copy(US status_string.value);
559 HDEBUG(D_auth) debug_printf("heimdal %s: %.*s\n",
560 buffer, (int)status_string.length, CS status_string.value);
561 gss_release_buffer(&min_stat, &status_string);
563 } while (msgcontext != 0);
565 if (store_reset_point)
566 store_reset(store_reset_point);
571 /*************************************************
572 * Client entry point *
573 *************************************************/
575 /* For interface, see auths/README */
578 auth_heimdal_gssapi_client(
579 auth_instance *ablock, /* authenticator block */
580 smtp_inblock *inblock, /* connection inblock */
581 smtp_outblock *outblock, /* connection outblock */
582 int timeout, /* command timeout */
583 uschar *buffer, /* buffer for reading response */
584 int buffsize) /* size of buffer */
587 debug_printf("Client side NOT IMPLEMENTED: you should not see this!\n");
588 /* NOT IMPLEMENTED */
592 /*************************************************
594 *************************************************/
597 auth_heimdal_gssapi_version_report(FILE *f)
599 /* No build-time constants available unless we link against libraries at
600 build-time and export the result as a string into a header ourselves. */
601 fprintf(f, "Library version: Heimdal: Runtime: %s\n"
603 heimdal_version, heimdal_long_version);
606 #endif /*!MACRO_PREDEF*/
607 #endif /* AUTH_HEIMDAL_GSSAPI */
609 /* End of heimdal_gssapi.c */