search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: smbd: Correctly process SMB3 POSIX paths in create.
[Samba.git] / source4 / auth / gensec / gensec_gssapi.c
blobcca19646dfc0327ad51d484c304bf740578f2b80
1 /*
2 Unix SMB/CIFS implementation.
3
4 Kerberos backend for GENSEC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include <tevent.h>
26 #include "lib/util/tevent_ntstatus.h"
27 #include "lib/events/events.h"
28 #include "system/kerberos.h"
29 #include "system/gssapi.h"
30 #include "auth/kerberos/kerberos.h"
31 #include "librpc/gen_ndr/krb5pac.h"
32 #include "auth/auth.h"
33 #include <ldb.h>
34 #include "auth/auth_sam.h"
35 #include "librpc/gen_ndr/dcerpc.h"
36 #include "auth/credentials/credentials.h"
37 #include "auth/credentials/credentials_krb5.h"
38 #include "auth/gensec/gensec.h"
39 #include "auth/gensec/gensec_internal.h"
40 #include "auth/gensec/gensec_proto.h"
41 #include "auth/gensec/gensec_toplevel_proto.h"
42 #include "param/param.h"
43 #include "auth/session_proto.h"
44 #include "gensec_gssapi.h"
45 #include "lib/util/util_net.h"
46 #include "auth/kerberos/pac_utils.h"
47 #include "auth/kerberos/gssapi_helper.h"
48 #include "lib/util/smb_strtox.h"
49
50 #ifndef gss_mech_spnego
51 gss_OID_desc spnego_mech_oid_desc =
52 { 6, discard_const_p(void, "\x2b\x06\x01\x05\x05\x02") };
53 #define gss_mech_spnego (&spnego_mech_oid_desc)
54 #endif
55
56 _PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *);
57
58 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
59 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
60 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size);
61
62 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
63 {
64 OM_uint32 min_stat;
65
66 if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
67 gss_release_cred(&min_stat,
68 &gensec_gssapi_state->delegated_cred_handle);
69 }
70
71 if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
72 gss_delete_sec_context(&min_stat,
73 &gensec_gssapi_state->gssapi_context,
74 GSS_C_NO_BUFFER);
75 }
76
77 if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
78 gss_release_name(&min_stat,
79 &gensec_gssapi_state->server_name);
80 }
81 if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
82 gss_release_name(&min_stat,
83 &gensec_gssapi_state->client_name);
84 }
85
86 return 0;
87 }
88
89 static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
90 const char *target_principal,
91 const char *service,
92 const char *hostname,
93 const char *realm,
94 const gss_OID mech,
95 char **pserver_principal,
96 gss_name_t *pserver_name)
97 {
98 char *server_principal = NULL;
99 gss_buffer_desc name_token;
100 gss_OID name_type;
101 OM_uint32 maj_stat, min_stat = 0;
102
103 if (target_principal != NULL) {
104 server_principal = talloc_strdup(mem_ctx, target_principal);
105 name_type = GSS_C_NULL_OID;
106 } else {
107 server_principal = talloc_asprintf(mem_ctx,
108 "%s/%s@%s",
109 service, hostname, realm);
110 name_type = GSS_C_NT_USER_NAME;
111 }
112 if (server_principal == NULL) {
113 return NT_STATUS_NO_MEMORY;
114 }
115
116 name_token.value = (uint8_t *)server_principal;
117 name_token.length = strlen(server_principal);
118
119 maj_stat = gss_import_name(&min_stat,
120 &name_token,
121 name_type,
122 pserver_name);
123 if (maj_stat) {
124 DBG_WARNING("GSS Import name of %s failed: %s\n",
125 server_principal,
126 gssapi_error_string(mem_ctx,
127 maj_stat,
128 min_stat,
129 mech));
130 TALLOC_FREE(server_principal);
131 return NT_STATUS_INVALID_PARAMETER;
132 }
133
134 *pserver_principal = server_principal;
135
136 return NT_STATUS_OK;
137 }
138
139 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
140 {
141 struct gensec_gssapi_state *gensec_gssapi_state;
142 krb5_error_code ret;
143 #ifdef SAMBA4_USES_HEIMDAL
144 const char *realm;
145 #endif
146
147 gensec_gssapi_state = talloc_zero(gensec_security, struct gensec_gssapi_state);
148 if (!gensec_gssapi_state) {
149 return NT_STATUS_NO_MEMORY;
150 }
151
152 gensec_security->private_data = gensec_gssapi_state;
153
154 gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
155
156 /* TODO: Fill in channel bindings */
157 gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
158
159 gensec_gssapi_state->server_name = GSS_C_NO_NAME;
160 gensec_gssapi_state->client_name = GSS_C_NO_NAME;
161
162 gensec_gssapi_state->gss_want_flags = 0;
163 gensec_gssapi_state->expire_time = GENSEC_EXPIRE_TIME_INFINITY;
164
165 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
166 gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_POLICY_FLAG;
167 }
168 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
169 gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
170 }
171 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
172 gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
173 }
174 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
175 gensec_gssapi_state->gss_want_flags |= GSS_C_REPLAY_FLAG;
176 }
177 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
178 gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
179 }
180
181 if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
182 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
183 }
184 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
185 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
186 }
187 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
188 gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
189 gensec_gssapi_state->gss_want_flags |= GSS_C_CONF_FLAG;
190 }
191 if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
192 gensec_gssapi_state->gss_want_flags |= GSS_C_DCE_STYLE;
193 }
194
195 gensec_gssapi_state->gss_got_flags = 0;
196
197 switch (gensec_security->ops->auth_type) {
198 case DCERPC_AUTH_TYPE_SPNEGO:
199 gensec_gssapi_state->gss_oid = gss_mech_spnego;
200 break;
201 case DCERPC_AUTH_TYPE_KRB5:
202 default:
203 gensec_gssapi_state->gss_oid =
204 discard_const_p(void, gss_mech_krb5);
205 break;
206 }
207
208 ret = smb_krb5_init_context(gensec_gssapi_state,
209 gensec_security->settings->lp_ctx,
210 &gensec_gssapi_state->smb_krb5_context);
211 if (ret) {
212 DEBUG(1,("gensec_gssapi_start: smb_krb5_init_context failed (%s)\n",
213 error_message(ret)));
214 talloc_free(gensec_gssapi_state);
215 return NT_STATUS_INTERNAL_ERROR;
216 }
217
218 gensec_gssapi_state->client_cred = NULL;
219 gensec_gssapi_state->server_cred = NULL;
220
221 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
222
223 gensec_gssapi_state->sasl = false;
224 gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
225 gensec_gssapi_state->sasl_protection = 0;
226
227 gensec_gssapi_state->max_wrap_buf_size
228 = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
229 gensec_gssapi_state->gss_exchange_count = 0;
230 gensec_gssapi_state->sig_size = 0;
231
232 talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
233
234 #ifdef SAMBA4_USES_HEIMDAL
235 realm = lpcfg_realm(gensec_security->settings->lp_ctx);
236 if (realm != NULL) {
237 ret = gsskrb5_set_default_realm(realm);
238 if (ret) {
239 DEBUG(1,("gensec_gssapi_start: gsskrb5_set_default_realm failed\n"));
240 talloc_free(gensec_gssapi_state);
241 return NT_STATUS_INTERNAL_ERROR;
242 }
243 }
244
245 /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
246 ret = gsskrb5_set_dns_canonicalize(false);
247 if (ret) {
248 DEBUG(1,("gensec_gssapi_start: gsskrb5_set_dns_canonicalize failed\n"));
249 talloc_free(gensec_gssapi_state);
250 return NT_STATUS_INTERNAL_ERROR;
251 }
252 #endif
253 return NT_STATUS_OK;
254 }
255
256 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
257 {
258 NTSTATUS nt_status;
259 int ret;
260 struct gensec_gssapi_state *gensec_gssapi_state;
261 struct cli_credentials *machine_account;
262 struct gssapi_creds_container *gcc;
263
264 nt_status = gensec_gssapi_start(gensec_security);
265 if (!NT_STATUS_IS_OK(nt_status)) {
266 return nt_status;
267 }
268
269 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
270
271 machine_account = gensec_get_credentials(gensec_security);
272
273 if (!machine_account) {
274 DEBUG(3, ("No machine account credentials specified\n"));
275 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
276 } else {
277 ret = cli_credentials_get_server_gss_creds(machine_account,
278 gensec_security->settings->lp_ctx, &gcc);
279 if (ret) {
280 DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",
281 error_message(ret)));
282 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
283 }
284 }
285
286 gensec_gssapi_state->server_cred = gcc;
287 return NT_STATUS_OK;
288
289 }
290
291 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
292 {
293 NTSTATUS nt_status;
294 struct gensec_gssapi_state *gensec_gssapi_state;
295 nt_status = gensec_gssapi_server_start(gensec_security);
296
297 if (NT_STATUS_IS_OK(nt_status)) {
298 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
299 gensec_gssapi_state->sasl = true;
300 }
301 return nt_status;
302 }
303
304 static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security,
305 struct tevent_context *ev)
306 {
307 struct gensec_gssapi_state *gensec_gssapi_state;
308 struct gssapi_creds_container *gcc;
309 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
310 const char *error_string;
311 int ret;
312
313 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
314
315 /* Only run this the first time the update() call is made */
316 if (gensec_gssapi_state->client_cred) {
317 return NT_STATUS_OK;
318 }
319
320 ret = cli_credentials_get_client_gss_creds(creds,
321 ev,
322 gensec_security->settings->lp_ctx, &gcc, &error_string);
323 switch (ret) {
324 case 0:
325 break;
326 case EINVAL:
327 DEBUG(3, ("Cannot obtain client GSS credentials we need to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
328 return NT_STATUS_INVALID_PARAMETER;
329 case KRB5KDC_ERR_PREAUTH_FAILED:
330 case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
331 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
332 DEBUG(1, ("Wrong username or password: %s\n", error_string));
333 return NT_STATUS_LOGON_FAILURE;
334 case KRB5KDC_ERR_CLIENT_REVOKED:
335 DEBUG(1, ("Account locked out: %s\n", error_string));
336 return NT_STATUS_ACCOUNT_LOCKED_OUT;
337 case KRB5_REALM_UNKNOWN:
338 case KRB5_KDC_UNREACH:
339 DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
340 return NT_STATUS_NO_LOGON_SERVERS;
341 case KRB5_CC_NOTFOUND:
342 case KRB5_CC_END:
343 DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
344 return NT_STATUS_TIME_DIFFERENCE_AT_DC;
345 default:
346 DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
347 return NT_STATUS_UNSUCCESSFUL;
348 }
349
350 gensec_gssapi_state->client_cred = gcc;
351 if (!talloc_reference(gensec_gssapi_state, gcc)) {
352 return NT_STATUS_NO_MEMORY;
353 }
354
355 return NT_STATUS_OK;
356 }
357
358 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
359 {
360 struct gensec_gssapi_state *gensec_gssapi_state;
361 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
362 NTSTATUS nt_status;
363 const char *target_principal = NULL;
364 const char *hostname = gensec_get_target_hostname(gensec_security);
365 const char *service = gensec_get_target_service(gensec_security);
366 const char *realm = cli_credentials_get_realm(creds);
367
368 target_principal = gensec_get_target_principal(gensec_security);
369 if (target_principal != NULL) {
370 goto do_start;
371 }
372
373 if (!hostname) {
374 DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
375 return NT_STATUS_INVALID_PARAMETER;
376 }
377 if (is_ipaddress(hostname)) {
378 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
379 return NT_STATUS_INVALID_PARAMETER;
380 }
381 if (strcmp(hostname, "localhost") == 0) {
382 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
383 return NT_STATUS_INVALID_PARAMETER;
384 }
385
386 if (realm == NULL) {
387 char *cred_name = cli_credentials_get_unparsed_name(creds,
388 gensec_security);
389 DEBUG(3, ("cli_credentials(%s) without realm, "
390 "cannot use kerberos for this connection %s/%s\n",
391 cred_name, service, hostname));
392 TALLOC_FREE(cred_name);
393 return NT_STATUS_INVALID_PARAMETER;
394 }
395
396 do_start:
397
398 nt_status = gensec_gssapi_start(gensec_security);
399 if (!NT_STATUS_IS_OK(nt_status)) {
400 return nt_status;
401 }
402
403 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
404
405 if (cli_credentials_get_impersonate_principal(creds)) {
406 gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
407 }
408
409 return NT_STATUS_OK;
410 }
411
412 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
413 {
414 NTSTATUS nt_status;
415 struct gensec_gssapi_state *gensec_gssapi_state;
416 nt_status = gensec_gssapi_client_start(gensec_security);
417
418 if (NT_STATUS_IS_OK(nt_status)) {
419 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
420 gensec_gssapi_state->sasl = true;
421 }
422 return nt_status;
423 }
424
425 static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_security,
426 TALLOC_CTX *out_mem_ctx,
427 struct tevent_context *ev,
428 const DATA_BLOB in, DATA_BLOB *out)
429 {
430 struct gensec_gssapi_state *gensec_gssapi_state
431 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
432 NTSTATUS nt_status;
433 OM_uint32 maj_stat, min_stat;
434 OM_uint32 min_stat2;
435 gss_buffer_desc input_token = { 0, NULL };
436 gss_buffer_desc output_token = { 0, NULL };
437 struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
438 const char *target_principal = gensec_get_target_principal(gensec_security);
439 const char *hostname = gensec_get_target_hostname(gensec_security);
440 const char *service = gensec_get_target_service(gensec_security);
441 gss_OID gss_oid_p = NULL;
442 OM_uint32 time_req = 0;
443 OM_uint32 time_rec = 0;
444 struct timeval tv;
445
446 time_req = gensec_setting_int(gensec_security->settings,
447 "gensec_gssapi", "requested_life_time",
448 time_req);
449
450 input_token.length = in.length;
451 input_token.value = in.data;
452
453 switch (gensec_gssapi_state->sasl_state) {
454 case STAGE_GSS_NEG:
455 {
456 switch (gensec_security->gensec_role) {
457 case GENSEC_CLIENT:
458 {
459 const char *client_realm = NULL;
460 #ifdef SAMBA4_USES_HEIMDAL
461 struct gsskrb5_send_to_kdc send_to_kdc;
462 krb5_error_code ret;
463 #else
464 bool fallback = false;
465 #endif
466
467 nt_status = gensec_gssapi_client_creds(gensec_security, ev);
468 if (!NT_STATUS_IS_OK(nt_status)) {
469 return nt_status;
470 }
471
472 #ifdef SAMBA4_USES_HEIMDAL
473 send_to_kdc.func = smb_krb5_send_and_recv_func;
474 send_to_kdc.ptr = ev;
475
476 min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
477 if (min_stat) {
478 DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));
479 return NT_STATUS_INTERNAL_ERROR;
480 }
481 #endif
482
483 /*
484 * With credentials for
485 * administrator@FOREST1.EXAMPLE.COM this patch changes
486 * the target_principal for the ldap service of host
487 * dc2.forest2.example.com from
488 *
489 * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
490 *
491 * to
492 *
493 * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
494 *
495 * Typically
496 * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
497 * should be used in order to allow the KDC of
498 * FOREST1.EXAMPLE.COM to generate a referral ticket
499 * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
500 *
501 * The problem is that KDCs only return such referral
502 * tickets if there's a forest trust between
503 * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
504 * there's only an external domain trust between
505 * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
506 * of FOREST1.EXAMPLE.COM will respond with
507 * S_PRINCIPAL_UNKNOWN when being asked for
508 * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
509 *
510 * In the case of an external trust the client can
511 * still ask explicitly for
512 * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
513 * the KDC of FOREST1.EXAMPLE.COM will generate it.
514 *
515 * From there the client can use the
516 * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
517 * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
518 * service ticket for
519 * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
520 *
521 * With Heimdal we'll get the fallback on
522 * S_PRINCIPAL_UNKNOWN behavior when we pass
523 * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
524 * target principal. As _krb5_get_cred_kdc_any() first
525 * calls get_cred_kdc_referral() (which always starts
526 * with the client realm) and falls back to
527 * get_cred_kdc_capath() (which starts with the given
528 * realm).
529 *
530 * MIT krb5 only tries the given realm of the target
531 * principal, if we want to autodetect support for
532 * transitive forest trusts, would have to do the
533 * fallback ourself.
534 */
535 client_realm = cli_credentials_get_realm(cli_creds);
536 #ifndef SAMBA4_USES_HEIMDAL
537 if (gensec_gssapi_state->server_name == NULL) {
538 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
539 target_principal,
540 service,
541 hostname,
542 client_realm,
543 gensec_gssapi_state->gss_oid,
544 &gensec_gssapi_state->target_principal,
545 &gensec_gssapi_state->server_name);
546 if (!NT_STATUS_IS_OK(nt_status)) {
547 return nt_status;
548 }
549
550 maj_stat = gss_init_sec_context(&min_stat,
551 gensec_gssapi_state->client_cred->creds,
552 &gensec_gssapi_state->gssapi_context,
553 gensec_gssapi_state->server_name,
554 gensec_gssapi_state->gss_oid,
555 gensec_gssapi_state->gss_want_flags,
556 time_req,
557 gensec_gssapi_state->input_chan_bindings,
558 &input_token,
559 &gss_oid_p,
560 &output_token,
561 &gensec_gssapi_state->gss_got_flags, /* ret flags */
562 &time_rec);
563 if (maj_stat != GSS_S_FAILURE) {
564 goto init_sec_context_done;
565 }
566 if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
567 goto init_sec_context_done;
568 }
569 if (target_principal != NULL) {
570 goto init_sec_context_done;
571 }
572
573 fallback = true;
574 TALLOC_FREE(gensec_gssapi_state->target_principal);
575 gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
576 }
577 #endif /* !SAMBA4_USES_HEIMDAL */
578 if (gensec_gssapi_state->server_name == NULL) {
579 const char *server_realm = NULL;
580
581 server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
582 hostname,
583 client_realm);
584 if (server_realm == NULL) {
585 return NT_STATUS_NO_MEMORY;
586 }
587
588 #ifndef SAMBA4_USES_HEIMDAL
589 if (fallback &&
590 strequal(client_realm, server_realm)) {
591 goto init_sec_context_done;
592 }
593 #endif /* !SAMBA4_USES_HEIMDAL */
594
595 nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
596 target_principal,
597 service,
598 hostname,
599 server_realm,
600 gensec_gssapi_state->gss_oid,
601 &gensec_gssapi_state->target_principal,
602 &gensec_gssapi_state->server_name);
603 if (!NT_STATUS_IS_OK(nt_status)) {
604 return nt_status;
605 }
606 }
607
608 maj_stat = gss_init_sec_context(&min_stat,
609 gensec_gssapi_state->client_cred->creds,
610 &gensec_gssapi_state->gssapi_context,
611 gensec_gssapi_state->server_name,
612 gensec_gssapi_state->gss_oid,
613 gensec_gssapi_state->gss_want_flags,
614 time_req,
615 gensec_gssapi_state->input_chan_bindings,
616 &input_token,
617 &gss_oid_p,
618 &output_token,
619 &gensec_gssapi_state->gss_got_flags, /* ret flags */
620 &time_rec);
621 goto init_sec_context_done;
622 /* JUMP! */
623 init_sec_context_done:
624 if (gss_oid_p) {
625 gensec_gssapi_state->gss_oid = gss_oid_p;
626 }
627
628 #ifdef SAMBA4_USES_HEIMDAL
629 send_to_kdc.func = smb_krb5_send_and_recv_func;
630 send_to_kdc.ptr = NULL;
631
632 ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
633 if (ret) {
634 DEBUG(1,("gensec_gssapi_update: gsskrb5_set_send_to_kdc failed\n"));
635 return NT_STATUS_INTERNAL_ERROR;
636 }
637 #endif
638 break;
639 }
640 case GENSEC_SERVER:
641 {
642 maj_stat = gss_accept_sec_context(&min_stat,
643 &gensec_gssapi_state->gssapi_context,
644 gensec_gssapi_state->server_cred->creds,
645 &input_token,
646 gensec_gssapi_state->input_chan_bindings,
647 &gensec_gssapi_state->client_name,
648 &gss_oid_p,
649 &output_token,
650 &gensec_gssapi_state->gss_got_flags,
651 &time_rec,
652 &gensec_gssapi_state->delegated_cred_handle);
653 if (gss_oid_p) {
654 gensec_gssapi_state->gss_oid = gss_oid_p;
655 }
656 break;
657 }
658 default:
659 return NT_STATUS_INVALID_PARAMETER;
660
661 }
662
663 gensec_gssapi_state->gss_exchange_count++;
664
665 if (maj_stat == GSS_S_COMPLETE) {
666 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
667 gss_release_buffer(&min_stat2, &output_token);
668
669 if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
670 gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
671 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
672 } else {
673 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
674 }
675
676 tv = timeval_current_ofs(time_rec, 0);
677 gensec_gssapi_state->expire_time = timeval_to_nttime(&tv);
678
679 /* We may have been invoked as SASL, so there
680 * is more work to do */
681 if (gensec_gssapi_state->sasl) {
682 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
683 return NT_STATUS_MORE_PROCESSING_REQUIRED;
684 } else {
685 gensec_gssapi_state->sasl_state = STAGE_DONE;
686
687 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
688 DEBUG(5, ("GSSAPI Connection will be cryptographically sealed\n"));
689 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
690 DEBUG(5, ("GSSAPI Connection will be cryptographically signed\n"));
691 } else {
692 DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
693 }
694
695 return NT_STATUS_OK;
696 }
697 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
698 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
699 gss_release_buffer(&min_stat2, &output_token);
700
701 return NT_STATUS_MORE_PROCESSING_REQUIRED;
702 } else if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
703 gss_cred_id_t creds = NULL;
704 gss_name_t name;
705 gss_buffer_desc buffer;
706 OM_uint32 lifetime = 0;
707 gss_cred_usage_t usage;
708 const char *role = NULL;
709
710 switch (gensec_security->gensec_role) {
711 case GENSEC_CLIENT:
712 creds = gensec_gssapi_state->client_cred->creds;
713 role = "client";
714 break;
715 case GENSEC_SERVER:
716 creds = gensec_gssapi_state->server_cred->creds;
717 role = "server";
718 break;
719 }
720
721 DBG_ERR("GSS %s Update(krb5)(%d) failed, credentials "
722 "expired during GSSAPI handshake!\n",
723 role,
724 gensec_gssapi_state->gss_exchange_count);
725
726 maj_stat = gss_inquire_cred(&min_stat,
727 creds,
728 &name, &lifetime, &usage, NULL);
729
730 if (maj_stat == GSS_S_COMPLETE) {
731 const char *usage_string = NULL;
732 switch (usage) {
733 case GSS_C_BOTH:
734 usage_string = "GSS_C_BOTH";
735 break;
736 case GSS_C_ACCEPT:
737 usage_string = "GSS_C_ACCEPT";
738 break;
739 case GSS_C_INITIATE:
740 usage_string = "GSS_C_INITIATE";
741 break;
742 }
743 maj_stat = gss_display_name(&min_stat, name, &buffer, NULL);
744 if (maj_stat) {
745 buffer.value = NULL;
746 buffer.length = 0;
747 }
748 if (lifetime > 0) {
749 DEBUG(0, ("GSSAPI gss_inquire_cred indicates expiry of %*.*s in %u sec for %s\n",
750 (int)buffer.length, (int)buffer.length, (char *)buffer.value,
751 lifetime, usage_string));
752 } else {
753 DEBUG(0, ("GSSAPI gss_inquire_cred indicates %*.*s has already expired for %s\n",
754 (int)buffer.length, (int)buffer.length, (char *)buffer.value,
755 usage_string));
756 }
757 gss_release_buffer(&min_stat, &buffer);
758 gss_release_name(&min_stat, &name);
759 } else if (maj_stat != GSS_S_COMPLETE) {
760 DEBUG(0, ("inquiry of credential lifefime via GSSAPI gss_inquire_cred failed: %s\n",
761 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
762 }
763 return NT_STATUS_INVALID_PARAMETER;
764 } else if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
765 gss_mech_krb5)) {
766 switch (min_stat) {
767 case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV:
768 DEBUG(1, ("Error with ticket to contact %s: possible clock skew between us and the KDC or target server: %s\n",
769 gensec_gssapi_state->target_principal,
770 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
771 return NT_STATUS_TIME_DIFFERENCE_AT_DC; /* Make SPNEGO ignore us, we can't go any further here */
772 case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
773 DEBUG(1, ("Error with ticket to contact %s: ticket is expired, possible clock skew between us and the KDC or target server: %s\n",
774 gensec_gssapi_state->target_principal,
775 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
776 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
777 case (OM_uint32)KRB5_KDC_UNREACH:
778 DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticket to %s: %s\n",
779 gensec_gssapi_state->target_principal,
780 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
781 return NT_STATUS_NO_LOGON_SERVERS; /* Make SPNEGO ignore us, we can't go any further here */
782 case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
783 DEBUG(3, ("Server %s is not registered with our KDC: %s\n",
784 gensec_gssapi_state->target_principal,
785 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
786 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
787 case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE:
788 /* garbage input, possibly from the auto-mech detection */
789 return NT_STATUS_INVALID_PARAMETER;
790 default:
791 DEBUG(1, ("GSS %s Update(krb5)(%d) Update failed: %s\n",
792 gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
793 gensec_gssapi_state->gss_exchange_count,
794 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
795 return NT_STATUS_LOGON_FAILURE;
796 }
797 } else {
798 DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
799 gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
800 gensec_gssapi_state->gss_exchange_count,
801 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
802 return NT_STATUS_LOGON_FAILURE;
803 }
804 break;
805 }
806
807 /* These last two stages are only done if we were invoked as SASL */
808 case STAGE_SASL_SSF_NEG:
809 {
810 switch (gensec_security->gensec_role) {
811 case GENSEC_CLIENT:
812 {
813 uint8_t maxlength_proposed[4];
814 uint8_t maxlength_accepted[4];
815 uint8_t security_supported;
816 int conf_state;
817 gss_qop_t qop_state;
818 input_token.length = in.length;
819 input_token.value = in.data;
820
821 /* As a client, we have just send a
822 * zero-length blob to the server (after the
823 * normal GSSAPI exchange), and it has replied
824 * with it's SASL negotiation */
825
826 maj_stat = gss_unwrap(&min_stat,
827 gensec_gssapi_state->gssapi_context,
828 &input_token,
829 &output_token,
830 &conf_state,
831 &qop_state);
832 if (GSS_ERROR(maj_stat)) {
833 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
834 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
835 return NT_STATUS_ACCESS_DENIED;
836 }
837
838 if (output_token.length < 4) {
839 gss_release_buffer(&min_stat, &output_token);
840 return NT_STATUS_INVALID_PARAMETER;
841 }
842
843 memcpy(maxlength_proposed, output_token.value, 4);
844 gss_release_buffer(&min_stat, &output_token);
845
846 /* first byte is the proposed security */
847 security_supported = maxlength_proposed[0];
848 maxlength_proposed[0] = '\0';
849
850 /* Rest is the proposed max wrap length */
851 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0),
852 gensec_gssapi_state->max_wrap_buf_size);
853 gensec_gssapi_state->sasl_protection = 0;
854 if (security_supported & NEG_SEAL) {
855 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
856 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
857 }
858 }
859 if (security_supported & NEG_SIGN) {
860 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
861 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
862 }
863 }
864 if (security_supported & NEG_NONE) {
865 gensec_gssapi_state->sasl_protection |= NEG_NONE;
866 }
867 if (gensec_gssapi_state->sasl_protection == 0) {
868 DEBUG(1, ("Remote server does not support unprotected connections\n"));
869 return NT_STATUS_ACCESS_DENIED;
870 }
871
872 /* Send back the negotiated max length */
873
874 RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
875
876 maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
877
878 input_token.value = maxlength_accepted;
879 input_token.length = sizeof(maxlength_accepted);
880
881 maj_stat = gss_wrap(&min_stat,
882 gensec_gssapi_state->gssapi_context,
883 false,
884 GSS_C_QOP_DEFAULT,
885 &input_token,
886 &conf_state,
887 &output_token);
888 if (GSS_ERROR(maj_stat)) {
889 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
890 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
891 return NT_STATUS_ACCESS_DENIED;
892 }
893
894 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
895 gss_release_buffer(&min_stat, &output_token);
896
897 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
898 gensec_gssapi_state->sasl_state = STAGE_DONE;
899
900 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
901 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically sealed\n"));
902 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
903 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically signed\n"));
904 } else {
905 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographically protection\n"));
906 }
907
908 return NT_STATUS_OK;
909 }
910 case GENSEC_SERVER:
911 {
912 uint8_t maxlength_proposed[4];
913 uint8_t security_supported = 0x0;
914 int conf_state;
915
916 /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
917 if (in.length != 0) {
918 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
919 }
920
921 /* Give the client some idea what we will support */
922
923 RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
924 /* first byte is the proposed security */
925 maxlength_proposed[0] = '\0';
926
927 gensec_gssapi_state->sasl_protection = 0;
928 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
929 security_supported |= NEG_SEAL;
930 }
931 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
932 security_supported |= NEG_SIGN;
933 }
934 if (security_supported == 0) {
935 /* If we don't support anything, this must be 0 */
936 RSIVAL(maxlength_proposed, 0, 0x0);
937 }
938
939 /* TODO: We may not wish to support this */
940 security_supported |= NEG_NONE;
941 maxlength_proposed[0] = security_supported;
942
943 input_token.value = maxlength_proposed;
944 input_token.length = sizeof(maxlength_proposed);
945
946 maj_stat = gss_wrap(&min_stat,
947 gensec_gssapi_state->gssapi_context,
948 false,
949 GSS_C_QOP_DEFAULT,
950 &input_token,
951 &conf_state,
952 &output_token);
953 if (GSS_ERROR(maj_stat)) {
954 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
955 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
956 return NT_STATUS_ACCESS_DENIED;
957 }
958
959 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
960 gss_release_buffer(&min_stat, &output_token);
961
962 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
963 return NT_STATUS_MORE_PROCESSING_REQUIRED;
964 }
965 default:
966 return NT_STATUS_INVALID_PARAMETER;
967
968 }
969 }
970 /* This is s server-only stage */
971 case STAGE_SASL_SSF_ACCEPT:
972 {
973 uint8_t maxlength_accepted[4];
974 uint8_t security_accepted;
975 int conf_state;
976 gss_qop_t qop_state;
977 input_token.length = in.length;
978 input_token.value = in.data;
979
980 maj_stat = gss_unwrap(&min_stat,
981 gensec_gssapi_state->gssapi_context,
982 &input_token,
983 &output_token,
984 &conf_state,
985 &qop_state);
986 if (GSS_ERROR(maj_stat)) {
987 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
988 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
989 return NT_STATUS_ACCESS_DENIED;
990 }
991
992 if (output_token.length < 4) {
993 gss_release_buffer(&min_stat, &output_token);
994 return NT_STATUS_INVALID_PARAMETER;
995 }
996
997 memcpy(maxlength_accepted, output_token.value, 4);
998 gss_release_buffer(&min_stat, &output_token);
999
1000 /* first byte is the proposed security */
1001 security_accepted = maxlength_accepted[0];
1002 maxlength_accepted[0] = '\0';
1003
1004 /* Rest is the proposed max wrap length */
1005 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0),
1006 gensec_gssapi_state->max_wrap_buf_size);
1007
1008 gensec_gssapi_state->sasl_protection = 0;
1009 if (security_accepted & NEG_SEAL) {
1010 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
1011 DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
1012 return NT_STATUS_ACCESS_DENIED;
1013 }
1014 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
1015 }
1016 if (security_accepted & NEG_SIGN) {
1017 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
1018 DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
1019 return NT_STATUS_ACCESS_DENIED;
1020 }
1021 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
1022 }
1023 if (security_accepted & NEG_NONE) {
1024 gensec_gssapi_state->sasl_protection |= NEG_NONE;
1025 }
1026
1027 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
1028 gensec_gssapi_state->sasl_state = STAGE_DONE;
1029 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
1030 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically sealed\n"));
1031 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
1032 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically signed\n"));
1033 } else {
1034 DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
1035 }
1036
1037 *out = data_blob(NULL, 0);
1038 return NT_STATUS_OK;
1039 }
1040 default:
1041 return NT_STATUS_INVALID_PARAMETER;
1042 }
1043 }
1044
1045 struct gensec_gssapi_update_state {
1046 NTSTATUS status;
1047 DATA_BLOB out;
1048 };
1049
1050 static struct tevent_req *gensec_gssapi_update_send(TALLOC_CTX *mem_ctx,
1051 struct tevent_context *ev,
1052 struct gensec_security *gensec_security,
1053 const DATA_BLOB in)
1054 {
1055 struct tevent_req *req = NULL;
1056 struct gensec_gssapi_update_state *state = NULL;
1057 NTSTATUS status;
1058
1059 req = tevent_req_create(mem_ctx, &state,
1060 struct gensec_gssapi_update_state);
1061 if (req == NULL) {
1062 return NULL;
1063 }
1064
1065 status = gensec_gssapi_update_internal(gensec_security,
1066 state, ev, in,
1067 &state->out);
1068 state->status = status;
1069 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1070 tevent_req_done(req);
1071 return tevent_req_post(req, ev);
1072 }
1073 if (tevent_req_nterror(req, status)) {
1074 return tevent_req_post(req, ev);
1075 }
1076
1077 tevent_req_done(req);
1078 return tevent_req_post(req, ev);
1079 }
1080
1081 static NTSTATUS gensec_gssapi_update_recv(struct tevent_req *req,
1082 TALLOC_CTX *out_mem_ctx,
1083 DATA_BLOB *out)
1084 {
1085 struct gensec_gssapi_update_state *state =
1086 tevent_req_data(req,
1087 struct gensec_gssapi_update_state);
1088 NTSTATUS status;
1089
1090 *out = data_blob_null;
1091
1092 if (tevent_req_is_nterror(req, &status)) {
1093 tevent_req_received(req);
1094 return status;
1095 }
1096
1097 *out = state->out;
1098 talloc_steal(out_mem_ctx, state->out.data);
1099 status = state->status;
1100 tevent_req_received(req);
1101 return status;
1102 }
1103
1104 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security,
1105 TALLOC_CTX *mem_ctx,
1106 const DATA_BLOB *in,
1107 DATA_BLOB *out)
1108 {
1109 struct gensec_gssapi_state *gensec_gssapi_state
1110 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1111 OM_uint32 maj_stat, min_stat;
1112 gss_buffer_desc input_token, output_token;
1113 int conf_state;
1114 input_token.length = in->length;
1115 input_token.value = in->data;
1116
1117 maj_stat = gss_wrap(&min_stat,
1118 gensec_gssapi_state->gssapi_context,
1119 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1120 GSS_C_QOP_DEFAULT,
1121 &input_token,
1122 &conf_state,
1123 &output_token);
1124 if (GSS_ERROR(maj_stat)) {
1125 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
1126 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1127 return NT_STATUS_ACCESS_DENIED;
1128 }
1129
1130 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1131 gss_release_buffer(&min_stat, &output_token);
1132
1133 if (gensec_gssapi_state->sasl) {
1134 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
1135 if (max_wrapped_size < out->length) {
1136 DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
1137 (unsigned)in->length,
1138 (unsigned)out->length,
1139 (unsigned int)max_wrapped_size));
1140 return NT_STATUS_INVALID_PARAMETER;
1141 }
1142 }
1143
1144 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1145 && !conf_state) {
1146 return NT_STATUS_ACCESS_DENIED;
1147 }
1148 return NT_STATUS_OK;
1149 }
1150
1151 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security,
1152 TALLOC_CTX *mem_ctx,
1153 const DATA_BLOB *in,
1154 DATA_BLOB *out)
1155 {
1156 struct gensec_gssapi_state *gensec_gssapi_state
1157 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1158 OM_uint32 maj_stat, min_stat;
1159 gss_buffer_desc input_token, output_token;
1160 int conf_state;
1161 gss_qop_t qop_state;
1162 input_token.length = in->length;
1163 input_token.value = in->data;
1164
1165 if (gensec_gssapi_state->sasl) {
1166 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
1167 if (max_wrapped_size < in->length) {
1168 DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
1169 return NT_STATUS_INVALID_PARAMETER;
1170 }
1171 }
1172
1173 /*
1174 * FIXME: input_message_buffer is marked const, but gss_unwrap() may
1175 * modify it (see calls to rrc_rotate() in _gssapi_unwrap_cfx()).
1176 */
1177 maj_stat = gss_unwrap(&min_stat,
1178 gensec_gssapi_state->gssapi_context,
1179 &input_token,
1180 &output_token,
1181 &conf_state,
1182 &qop_state);
1183 if (GSS_ERROR(maj_stat)) {
1184 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n",
1185 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1186 return NT_STATUS_ACCESS_DENIED;
1187 }
1188
1189 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1190 gss_release_buffer(&min_stat, &output_token);
1191
1192 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1193 && !conf_state) {
1194 return NT_STATUS_ACCESS_DENIED;
1195 }
1196 return NT_STATUS_OK;
1197 }
1198
1199 /* Find out the maximum input size negotiated on this connection */
1200
1201 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security)
1202 {
1203 struct gensec_gssapi_state *gensec_gssapi_state
1204 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1205 OM_uint32 maj_stat, min_stat;
1206 OM_uint32 max_input_size;
1207
1208 maj_stat = gss_wrap_size_limit(&min_stat,
1209 gensec_gssapi_state->gssapi_context,
1210 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1211 GSS_C_QOP_DEFAULT,
1212 gensec_gssapi_state->max_wrap_buf_size,
1213 &max_input_size);
1214 if (GSS_ERROR(maj_stat)) {
1215 TALLOC_CTX *mem_ctx = talloc_new(NULL);
1216 DEBUG(1, ("gensec_gssapi_max_input_size: determining signature size with gss_wrap_size_limit failed: %s\n",
1217 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1218 talloc_free(mem_ctx);
1219 return 0;
1220 }
1221
1222 return max_input_size;
1223 }
1224
1225 /* Find out the maximum output size negotiated on this connection */
1226 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security)
1227 {
1228 struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
1229 return gensec_gssapi_state->max_wrap_buf_size;
1230 }
1231
1232 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security,
1233 TALLOC_CTX *mem_ctx,
1234 uint8_t *data, size_t length,
1235 const uint8_t *whole_pdu, size_t pdu_length,
1236 DATA_BLOB *sig)
1237 {
1238 struct gensec_gssapi_state *gensec_gssapi_state
1239 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1240 bool hdr_signing = false;
1241 size_t sig_size = 0;
1242 NTSTATUS status;
1243
1244 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1245 hdr_signing = true;
1246 }
1247
1248 sig_size = gensec_gssapi_sig_size(gensec_security, length);
1249
1250 status = gssapi_seal_packet(gensec_gssapi_state->gssapi_context,
1251 gensec_gssapi_state->gss_oid,
1252 hdr_signing, sig_size,
1253 data, length,
1254 whole_pdu, pdu_length,
1255 mem_ctx, sig);
1256 if (!NT_STATUS_IS_OK(status)) {
1257 DEBUG(0, ("gssapi_seal_packet(hdr_signing=%u,sig_size=%zu,"
1258 "data=%zu,pdu=%zu) failed: %s\n",
1259 hdr_signing, sig_size, length, pdu_length,
1260 nt_errstr(status)));
1261 return status;
1262 }
1263
1264 return NT_STATUS_OK;
1265 }
1266
1267 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security,
1268 uint8_t *data, size_t length,
1269 const uint8_t *whole_pdu, size_t pdu_length,
1270 const DATA_BLOB *sig)
1271 {
1272 struct gensec_gssapi_state *gensec_gssapi_state
1273 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1274 bool hdr_signing = false;
1275 NTSTATUS status;
1276
1277 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1278 hdr_signing = true;
1279 }
1280
1281 status = gssapi_unseal_packet(gensec_gssapi_state->gssapi_context,
1282 gensec_gssapi_state->gss_oid,
1283 hdr_signing,
1284 data, length,
1285 whole_pdu, pdu_length,
1286 sig);
1287 if (!NT_STATUS_IS_OK(status)) {
1288 DEBUG(0, ("gssapi_unseal_packet(hdr_signing=%u,sig_size=%zu,"
1289 "data=%zu,pdu=%zu) failed: %s\n",
1290 hdr_signing, sig->length, length, pdu_length,
1291 nt_errstr(status)));
1292 return status;
1293 }
1294
1295 return NT_STATUS_OK;
1296 }
1297
1298 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security,
1299 TALLOC_CTX *mem_ctx,
1300 const uint8_t *data, size_t length,
1301 const uint8_t *whole_pdu, size_t pdu_length,
1302 DATA_BLOB *sig)
1303 {
1304 struct gensec_gssapi_state *gensec_gssapi_state
1305 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1306 bool hdr_signing = false;
1307 NTSTATUS status;
1308
1309 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1310 hdr_signing = true;
1311 }
1312
1313 status = gssapi_sign_packet(gensec_gssapi_state->gssapi_context,
1314 gensec_gssapi_state->gss_oid,
1315 hdr_signing,
1316 data, length,
1317 whole_pdu, pdu_length,
1318 mem_ctx, sig);
1319 if (!NT_STATUS_IS_OK(status)) {
1320 DEBUG(0, ("gssapi_sign_packet(hdr_signing=%u,"
1321 "data=%zu,pdu=%zu) failed: %s\n",
1322 hdr_signing, length, pdu_length,
1323 nt_errstr(status)));
1324 return status;
1325 }
1326
1327 return NT_STATUS_OK;
1328 }
1329
1330 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security,
1331 const uint8_t *data, size_t length,
1332 const uint8_t *whole_pdu, size_t pdu_length,
1333 const DATA_BLOB *sig)
1334 {
1335 struct gensec_gssapi_state *gensec_gssapi_state
1336 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1337 bool hdr_signing = false;
1338 NTSTATUS status;
1339
1340 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1341 hdr_signing = true;
1342 }
1343
1344 status = gssapi_check_packet(gensec_gssapi_state->gssapi_context,
1345 gensec_gssapi_state->gss_oid,
1346 hdr_signing,
1347 data, length,
1348 whole_pdu, pdu_length,
1349 sig);
1350 if (!NT_STATUS_IS_OK(status)) {
1351 DEBUG(0, ("gssapi_check_packet(hdr_signing=%u,sig_size=%zu,"
1352 "data=%zu,pdu=%zu) failed: %s\n",
1353 hdr_signing, sig->length, length, pdu_length,
1354 nt_errstr(status)));
1355 return status;
1356 }
1357
1358 return NT_STATUS_OK;
1359 }
1360
1361 /* Try to figure out what features we actually got on the connection */
1362 static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
1363 uint32_t feature)
1364 {
1365 struct gensec_gssapi_state *gensec_gssapi_state
1366 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1367 if (feature & GENSEC_FEATURE_SIGN) {
1368 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1369 if (gensec_gssapi_state->sasl
1370 && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1371 return ((gensec_gssapi_state->sasl_protection & NEG_SIGN)
1372 && (gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG));
1373 }
1374 return gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG;
1375 }
1376 if (feature & GENSEC_FEATURE_SEAL) {
1377 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1378 if (gensec_gssapi_state->sasl
1379 && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1380 return ((gensec_gssapi_state->sasl_protection & NEG_SEAL)
1381 && (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG));
1382 }
1383 return gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG;
1384 }
1385 if (feature & GENSEC_FEATURE_SESSION_KEY) {
1386 /* Only for GSSAPI/Krb5 */
1387 if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
1388 gss_mech_krb5)) {
1389 return true;
1390 }
1391 }
1392 if (feature & GENSEC_FEATURE_DCE_STYLE) {
1393 return gensec_gssapi_state->gss_got_flags & GSS_C_DCE_STYLE;
1394 }
1395 if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
1396 NTSTATUS status;
1397 uint32_t keytype;
1398
1399 if (!(gensec_gssapi_state->gss_got_flags & GSS_C_INTEG_FLAG)) {
1400 return false;
1401 }
1402
1403 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
1404 return true;
1405 }
1406 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
1407 return false;
1408 }
1409
1410 status = gssapi_get_session_key(gensec_gssapi_state,
1411 gensec_gssapi_state->gssapi_context, NULL, &keytype);
1412 /*
1413 * We should do a proper sig on the mechListMic unless
1414 * we know we have to be backwards compatible with
1415 * earlier windows versions.
1416 *
1417 * Negotiating a non-krb5
1418 * mech for example should be regarded as having
1419 * NEW_SPNEGO
1420 */
1421 if (NT_STATUS_IS_OK(status)) {
1422 switch (keytype) {
1423 case ENCTYPE_DES_CBC_CRC:
1424 case ENCTYPE_DES_CBC_MD5:
1425 case ENCTYPE_ARCFOUR_HMAC:
1426 case ENCTYPE_DES3_CBC_SHA1:
1427 return false;
1428 }
1429 }
1430 return true;
1431 }
1432 /* We can always do async (rather than strict request/reply) packets. */
1433 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1434 return true;
1435 }
1436 if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1437 return true;
1438 }
1439 return false;
1440 }
1441
1442 static NTTIME gensec_gssapi_expire_time(struct gensec_security *gensec_security)
1443 {
1444 struct gensec_gssapi_state *gensec_gssapi_state =
1445 talloc_get_type_abort(gensec_security->private_data,
1446 struct gensec_gssapi_state);
1447
1448 return gensec_gssapi_state->expire_time;
1449 }
1450
1451 /*
1452 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1453 * (for encrypting some passwords).
1454 *
1455 * This breaks all the abstractions, but what do you expect...
1456 */
1457 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security,
1458 TALLOC_CTX *mem_ctx,
1459 DATA_BLOB *session_key)
1460 {
1461 struct gensec_gssapi_state *gensec_gssapi_state
1462 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1463 return gssapi_get_session_key(mem_ctx, gensec_gssapi_state->gssapi_context, session_key, NULL);
1464 }
1465
1466 /* Get some basic (and authorization) information about the user on
1467 * this session. This uses either the PAC (if present) or a local
1468 * database lookup */
1469 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1470 TALLOC_CTX *mem_ctx,
1471 struct auth_session_info **_session_info)
1472 {
1473 NTSTATUS nt_status;
1474 TALLOC_CTX *tmp_ctx;
1475 struct gensec_gssapi_state *gensec_gssapi_state
1476 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1477 struct auth_session_info *session_info = NULL;
1478 OM_uint32 maj_stat, min_stat;
1479 DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
1480
1481 gss_buffer_desc name_token;
1482 char *principal_string;
1483
1484 tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
1485 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1486
1487 maj_stat = gss_display_name (&min_stat,
1488 gensec_gssapi_state->client_name,
1489 &name_token,
1490 NULL);
1491 if (GSS_ERROR(maj_stat)) {
1492 DEBUG(1, ("GSS display_name failed: %s\n",
1493 gssapi_error_string(tmp_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1494 talloc_free(tmp_ctx);
1495 return NT_STATUS_FOOBAR;
1496 }
1497
1498 principal_string = talloc_strndup(tmp_ctx,
1499 (const char *)name_token.value,
1500 name_token.length);
1501
1502 gss_release_buffer(&min_stat, &name_token);
1503
1504 if (!principal_string) {
1505 talloc_free(tmp_ctx);
1506 return NT_STATUS_NO_MEMORY;
1507 }
1508
1509 nt_status = gssapi_obtain_pac_blob(tmp_ctx, gensec_gssapi_state->gssapi_context,
1510 gensec_gssapi_state->client_name,
1511 &pac_blob);
1512
1513 /* IF we have the PAC - otherwise we need to get this
1514 * data from elsewere - local ldb, or (TODO) lookup of some
1515 * kind...
1516 */
1517 if (NT_STATUS_IS_OK(nt_status)) {
1518 pac_blob_ptr = &pac_blob;
1519 }
1520 nt_status = gensec_generate_session_info_pac(tmp_ctx,
1521 gensec_security,
1522 gensec_gssapi_state->smb_krb5_context,
1523 pac_blob_ptr, principal_string,
1524 gensec_get_remote_address(gensec_security),
1525 &session_info);
1526 if (!NT_STATUS_IS_OK(nt_status)) {
1527 talloc_free(tmp_ctx);
1528 return nt_status;
1529 }
1530
1531 nt_status = gensec_gssapi_session_key(gensec_security, session_info, &session_info->session_key);
1532 if (!NT_STATUS_IS_OK(nt_status)) {
1533 talloc_free(tmp_ctx);
1534 return nt_status;
1535 }
1536
1537 if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
1538 gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
1539 krb5_error_code ret;
1540 const char *error_string;
1541
1542 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1543
1544 /*
1545 * Create anonymous credentials for now.
1546 *
1547 * We will update them with the provided client gss creds.
1548 */
1549 session_info->credentials = cli_credentials_init_anon(session_info);
1550 if (session_info->credentials == NULL) {
1551 talloc_free(tmp_ctx);
1552 return NT_STATUS_NO_MEMORY;
1553 }
1554
1555 ret = cli_credentials_set_client_gss_creds(session_info->credentials,
1556 gensec_security->settings->lp_ctx,
1557 gensec_gssapi_state->delegated_cred_handle,
1558 CRED_SPECIFIED, &error_string);
1559 if (ret) {
1560 talloc_free(tmp_ctx);
1561 DEBUG(2,("Failed to get gss creds: %s\n", error_string));
1562 return NT_STATUS_NO_MEMORY;
1563 }
1564
1565 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1566 cli_credentials_set_kerberos_state(session_info->credentials,
1567 CRED_USE_KERBEROS_REQUIRED,
1568 CRED_SPECIFIED);
1569
1570 /* It has been taken from this place... */
1571 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1572 } else {
1573 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1574 }
1575
1576 *_session_info = talloc_steal(mem_ctx, session_info);
1577 talloc_free(tmp_ctx);
1578
1579 return NT_STATUS_OK;
1580 }
1581
1582 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1583 {
1584 struct gensec_gssapi_state *gensec_gssapi_state
1585 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1586 size_t sig_size;
1587
1588 if (gensec_gssapi_state->sig_size > 0) {
1589 return gensec_gssapi_state->sig_size;
1590 }
1591
1592 sig_size = gssapi_get_sig_size(gensec_gssapi_state->gssapi_context,
1593 gensec_gssapi_state->gss_oid,
1594 gensec_gssapi_state->gss_got_flags,
1595 data_size);
1596
1597 gensec_gssapi_state->sig_size = sig_size;
1598 return gensec_gssapi_state->sig_size;
1599 }
1600
1601 static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
1602 {
1603 struct gensec_gssapi_state *gensec_gssapi_state
1604 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1605 /* Only return the string for GSSAPI/Krb5 */
1606 if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
1607 gss_mech_krb5)) {
1608 return GENSEC_FINAL_AUTH_TYPE_KRB5;
1609 } else {
1610 return "gensec_gssapi: UNKNOWN MECH";
1611 }
1612 }
1613
1614 static const char *gensec_gssapi_krb5_oids[] = {
1615 GENSEC_OID_KERBEROS5_OLD,
1616 GENSEC_OID_KERBEROS5,
1617 NULL
1618 };
1619
1620 static const char *gensec_gssapi_spnego_oids[] = {
1621 GENSEC_OID_SPNEGO,
1622 NULL
1623 };
1624
1625 /* As a server, this could in theory accept any GSSAPI mech */
1626 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1627 .name = "gssapi_spnego",
1628 .sasl_name = "GSS-SPNEGO",
1629 .auth_type = DCERPC_AUTH_TYPE_SPNEGO,
1630 .oid = gensec_gssapi_spnego_oids,
1631 .client_start = gensec_gssapi_client_start,
1632 .server_start = gensec_gssapi_server_start,
1633 .magic = gensec_magic_check_krb5_oid,
1634 .update_send = gensec_gssapi_update_send,
1635 .update_recv = gensec_gssapi_update_recv,
1636 .session_key = gensec_gssapi_session_key,
1637 .session_info = gensec_gssapi_session_info,
1638 .sign_packet = gensec_gssapi_sign_packet,
1639 .check_packet = gensec_gssapi_check_packet,
1640 .seal_packet = gensec_gssapi_seal_packet,
1641 .unseal_packet = gensec_gssapi_unseal_packet,
1642 .max_input_size = gensec_gssapi_max_input_size,
1643 .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1644 .wrap = gensec_gssapi_wrap,
1645 .unwrap = gensec_gssapi_unwrap,
1646 .have_feature = gensec_gssapi_have_feature,
1647 .expire_time = gensec_gssapi_expire_time,
1648 .final_auth_type = gensec_gssapi_final_auth_type,
1649 .enabled = false,
1650 .kerberos = true,
1651 .priority = GENSEC_GSSAPI
1652 };
1653
1654 /* As a server, this could in theory accept any GSSAPI mech */
1655 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1656 .name = "gssapi_krb5",
1657 .auth_type = DCERPC_AUTH_TYPE_KRB5,
1658 .oid = gensec_gssapi_krb5_oids,
1659 .client_start = gensec_gssapi_client_start,
1660 .server_start = gensec_gssapi_server_start,
1661 .magic = gensec_magic_check_krb5_oid,
1662 .update_send = gensec_gssapi_update_send,
1663 .update_recv = gensec_gssapi_update_recv,
1664 .session_key = gensec_gssapi_session_key,
1665 .session_info = gensec_gssapi_session_info,
1666 .sig_size = gensec_gssapi_sig_size,
1667 .sign_packet = gensec_gssapi_sign_packet,
1668 .check_packet = gensec_gssapi_check_packet,
1669 .seal_packet = gensec_gssapi_seal_packet,
1670 .unseal_packet = gensec_gssapi_unseal_packet,
1671 .max_input_size = gensec_gssapi_max_input_size,
1672 .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1673 .wrap = gensec_gssapi_wrap,
1674 .unwrap = gensec_gssapi_unwrap,
1675 .have_feature = gensec_gssapi_have_feature,
1676 .expire_time = gensec_gssapi_expire_time,
1677 .final_auth_type = gensec_gssapi_final_auth_type,
1678 .enabled = true,
1679 .kerberos = true,
1680 .priority = GENSEC_GSSAPI
1681 };
1682
1683 /* As a server, this could in theory accept any GSSAPI mech */
1684 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1685 .name = "gssapi_krb5_sasl",
1686 .sasl_name = "GSSAPI",
1687 .client_start = gensec_gssapi_sasl_client_start,
1688 .server_start = gensec_gssapi_sasl_server_start,
1689 .update_send = gensec_gssapi_update_send,
1690 .update_recv = gensec_gssapi_update_recv,
1691 .session_key = gensec_gssapi_session_key,
1692 .session_info = gensec_gssapi_session_info,
1693 .max_input_size = gensec_gssapi_max_input_size,
1694 .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1695 .wrap = gensec_gssapi_wrap,
1696 .unwrap = gensec_gssapi_unwrap,
1697 .have_feature = gensec_gssapi_have_feature,
1698 .expire_time = gensec_gssapi_expire_time,
1699 .final_auth_type = gensec_gssapi_final_auth_type,
1700 .enabled = true,
1701 .kerberos = true,
1702 .priority = GENSEC_GSSAPI
1703 };
1704
1705 _PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *ctx)
1706 {
1707 NTSTATUS ret;
1708
1709 ret = gensec_register(ctx, &gensec_gssapi_spnego_security_ops);
1710 if (!NT_STATUS_IS_OK(ret)) {
1711 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1712 gensec_gssapi_spnego_security_ops.name));
1713 return ret;
1714 }
1715
1716 ret = gensec_register(ctx, &gensec_gssapi_krb5_security_ops);
1717 if (!NT_STATUS_IS_OK(ret)) {
1718 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1719 gensec_gssapi_krb5_security_ops.name));
1720 return ret;
1721 }
1722
1723 ret = gensec_register(ctx, &gensec_gssapi_sasl_krb5_security_ops);
1724 if (!NT_STATUS_IS_OK(ret)) {
1725 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1726 gensec_gssapi_sasl_krb5_security_ops.name));
1727 return ret;
1728 }
1729
1730 return ret;
1731 }
Samba GIT mirror