2 Unix SMB/CIFS implementation.
4 Kerberos backend for GENSEC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/events/events.h"
26 #include "system/kerberos.h"
27 #include "system/gssapi.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "librpc/gen_ndr/krb5pac.h"
30 #include "auth/auth.h"
32 #include "auth/auth_sam.h"
33 #include "librpc/rpc/dcerpc.h"
34 #include "auth/credentials/credentials.h"
35 #include "auth/credentials/credentials_krb5.h"
36 #include "auth/gensec/gensec.h"
37 #include "auth/gensec/gensec_proto.h"
38 #include "auth/gensec/gensec_toplevel_proto.h"
39 #include "param/param.h"
40 #include "auth/session_proto.h"
41 #include "gensec_gssapi.h"
42 #include "lib/util/util_net.h"
43 #include "auth/kerberos/pac_utils.h"
45 _PUBLIC_ NTSTATUS
gensec_gssapi_init(void);
47 static size_t gensec_gssapi_max_input_size(struct gensec_security
*gensec_security
);
48 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security
*gensec_security
);
50 static int gensec_gssapi_destructor(struct gensec_gssapi_state
*gensec_gssapi_state
)
52 OM_uint32 maj_stat
, min_stat
;
54 if (gensec_gssapi_state
->delegated_cred_handle
!= GSS_C_NO_CREDENTIAL
) {
55 maj_stat
= gss_release_cred(&min_stat
,
56 &gensec_gssapi_state
->delegated_cred_handle
);
59 if (gensec_gssapi_state
->gssapi_context
!= GSS_C_NO_CONTEXT
) {
60 maj_stat
= gss_delete_sec_context (&min_stat
,
61 &gensec_gssapi_state
->gssapi_context
,
65 if (gensec_gssapi_state
->server_name
!= GSS_C_NO_NAME
) {
66 maj_stat
= gss_release_name(&min_stat
, &gensec_gssapi_state
->server_name
);
68 if (gensec_gssapi_state
->client_name
!= GSS_C_NO_NAME
) {
69 maj_stat
= gss_release_name(&min_stat
, &gensec_gssapi_state
->client_name
);
72 if (gensec_gssapi_state
->lucid
) {
73 gss_krb5_free_lucid_sec_context(&min_stat
, gensec_gssapi_state
->lucid
);
79 static NTSTATUS
gensec_gssapi_init_lucid(struct gensec_gssapi_state
*gensec_gssapi_state
)
81 OM_uint32 maj_stat
, min_stat
;
83 if (gensec_gssapi_state
->lucid
) {
87 maj_stat
= gss_krb5_export_lucid_sec_context(&min_stat
,
88 &gensec_gssapi_state
->gssapi_context
,
90 (void **)&gensec_gssapi_state
->lucid
);
91 if (maj_stat
!= GSS_S_COMPLETE
) {
92 DEBUG(0,("gensec_gssapi_init_lucid: %s\n",
93 gssapi_error_string(gensec_gssapi_state
,
95 gensec_gssapi_state
->gss_oid
)));
96 return NT_STATUS_INTERNAL_ERROR
;
99 if (gensec_gssapi_state
->lucid
->version
!= 1) {
100 DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n",
101 gensec_gssapi_state
->lucid
->version
));
102 gss_krb5_free_lucid_sec_context(&min_stat
, gensec_gssapi_state
->lucid
);
103 gensec_gssapi_state
->lucid
= NULL
;
104 return NT_STATUS_INTERNAL_ERROR
;
110 static NTSTATUS
gensec_gssapi_start(struct gensec_security
*gensec_security
)
112 struct gensec_gssapi_state
*gensec_gssapi_state
;
116 gensec_gssapi_state
= talloc_zero(gensec_security
, struct gensec_gssapi_state
);
117 if (!gensec_gssapi_state
) {
118 return NT_STATUS_NO_MEMORY
;
121 gensec_security
->private_data
= gensec_gssapi_state
;
123 gensec_gssapi_state
->gssapi_context
= GSS_C_NO_CONTEXT
;
125 /* TODO: Fill in channel bindings */
126 gensec_gssapi_state
->input_chan_bindings
= GSS_C_NO_CHANNEL_BINDINGS
;
128 gensec_gssapi_state
->server_name
= GSS_C_NO_NAME
;
129 gensec_gssapi_state
->client_name
= GSS_C_NO_NAME
;
131 gensec_gssapi_state
->gss_want_flags
= 0;
133 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
134 gensec_gssapi_state
->gss_want_flags
|= GSS_C_DELEG_POLICY_FLAG
;
136 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "mutual", true)) {
137 gensec_gssapi_state
->gss_want_flags
|= GSS_C_MUTUAL_FLAG
;
139 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "delegation", true)) {
140 gensec_gssapi_state
->gss_want_flags
|= GSS_C_DELEG_FLAG
;
142 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "replay", true)) {
143 gensec_gssapi_state
->gss_want_flags
|= GSS_C_REPLAY_FLAG
;
145 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "sequence", true)) {
146 gensec_gssapi_state
->gss_want_flags
|= GSS_C_SEQUENCE_FLAG
;
149 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
150 gensec_gssapi_state
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
152 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
153 gensec_gssapi_state
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
154 gensec_gssapi_state
->gss_want_flags
|= GSS_C_CONF_FLAG
;
156 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
157 gensec_gssapi_state
->gss_want_flags
|= GSS_C_DCE_STYLE
;
160 gensec_gssapi_state
->gss_got_flags
= 0;
162 switch (gensec_security
->ops
->auth_type
) {
163 case DCERPC_AUTH_TYPE_SPNEGO
:
164 gensec_gssapi_state
->gss_oid
= gss_mech_spnego
;
166 case DCERPC_AUTH_TYPE_KRB5
:
168 gensec_gssapi_state
->gss_oid
= gss_mech_krb5
;
172 ret
= smb_krb5_init_context(gensec_gssapi_state
,
174 gensec_security
->settings
->lp_ctx
,
175 &gensec_gssapi_state
->smb_krb5_context
);
177 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
178 error_message(ret
)));
179 talloc_free(gensec_gssapi_state
);
180 return NT_STATUS_INTERNAL_ERROR
;
183 gensec_gssapi_state
->client_cred
= NULL
;
184 gensec_gssapi_state
->server_cred
= NULL
;
186 gensec_gssapi_state
->lucid
= NULL
;
188 gensec_gssapi_state
->delegated_cred_handle
= GSS_C_NO_CREDENTIAL
;
190 gensec_gssapi_state
->sasl
= false;
191 gensec_gssapi_state
->sasl_state
= STAGE_GSS_NEG
;
192 gensec_gssapi_state
->sasl_protection
= 0;
194 gensec_gssapi_state
->max_wrap_buf_size
195 = gensec_setting_int(gensec_security
->settings
, "gensec_gssapi", "max wrap buf size", 65536);
196 gensec_gssapi_state
->gss_exchange_count
= 0;
197 gensec_gssapi_state
->sig_size
= 0;
199 talloc_set_destructor(gensec_gssapi_state
, gensec_gssapi_destructor
);
201 realm
= lpcfg_realm(gensec_security
->settings
->lp_ctx
);
203 ret
= gsskrb5_set_default_realm(realm
);
205 DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
206 talloc_free(gensec_gssapi_state
);
207 return NT_STATUS_INTERNAL_ERROR
;
211 /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
212 ret
= gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security
->settings
, "krb5", "set_dns_canonicalize", false));
214 DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
215 talloc_free(gensec_gssapi_state
);
216 return NT_STATUS_INTERNAL_ERROR
;
222 static NTSTATUS
gensec_gssapi_server_start(struct gensec_security
*gensec_security
)
226 struct gensec_gssapi_state
*gensec_gssapi_state
;
227 struct cli_credentials
*machine_account
;
228 struct gssapi_creds_container
*gcc
;
230 nt_status
= gensec_gssapi_start(gensec_security
);
231 if (!NT_STATUS_IS_OK(nt_status
)) {
235 gensec_gssapi_state
= talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
237 machine_account
= gensec_get_credentials(gensec_security
);
239 if (!machine_account
) {
240 DEBUG(3, ("No machine account credentials specified\n"));
241 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
243 ret
= cli_credentials_get_server_gss_creds(machine_account
,
244 gensec_security
->settings
->lp_ctx
, &gcc
);
246 DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
247 error_message(ret
)));
248 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
252 gensec_gssapi_state
->server_cred
= gcc
;
257 static NTSTATUS
gensec_gssapi_sasl_server_start(struct gensec_security
*gensec_security
)
260 struct gensec_gssapi_state
*gensec_gssapi_state
;
261 nt_status
= gensec_gssapi_server_start(gensec_security
);
263 if (NT_STATUS_IS_OK(nt_status
)) {
264 gensec_gssapi_state
= talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
265 gensec_gssapi_state
->sasl
= true;
270 static NTSTATUS
gensec_gssapi_client_creds(struct gensec_security
*gensec_security
,
271 struct tevent_context
*ev
)
273 struct gensec_gssapi_state
*gensec_gssapi_state
;
274 struct gssapi_creds_container
*gcc
;
275 struct cli_credentials
*creds
= gensec_get_credentials(gensec_security
);
276 const char *error_string
;
279 gensec_gssapi_state
= talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
281 /* Only run this the first time the update() call is made */
282 if (gensec_gssapi_state
->client_cred
) {
286 ret
= cli_credentials_get_client_gss_creds(creds
,
288 gensec_security
->settings
->lp_ctx
, &gcc
, &error_string
);
293 DEBUG(3, ("Cannot obtain client GSS credentials we need to contact %s : %s\n", gensec_gssapi_state
->target_principal
, error_string
));
294 return NT_STATUS_INVALID_PARAMETER
;
295 case KRB5KDC_ERR_PREAUTH_FAILED
:
296 case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
:
297 DEBUG(1, ("Wrong username or password: %s\n", error_string
));
298 return NT_STATUS_LOGON_FAILURE
;
299 case KRB5_KDC_UNREACH
:
300 DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state
->target_principal
, error_string
));
301 return NT_STATUS_NO_LOGON_SERVERS
;
302 case KRB5_CC_NOTFOUND
:
304 DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state
->target_principal
, error_string
));
305 return NT_STATUS_TIME_DIFFERENCE_AT_DC
;
307 DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string
));
308 return NT_STATUS_UNSUCCESSFUL
;
311 gensec_gssapi_state
->client_cred
= gcc
;
312 if (!talloc_reference(gensec_gssapi_state
, gcc
)) {
313 return NT_STATUS_NO_MEMORY
;
319 static NTSTATUS
gensec_gssapi_client_start(struct gensec_security
*gensec_security
)
321 struct gensec_gssapi_state
*gensec_gssapi_state
;
322 struct cli_credentials
*creds
= gensec_get_credentials(gensec_security
);
324 gss_buffer_desc name_token
;
326 OM_uint32 maj_stat
, min_stat
;
327 const char *hostname
= gensec_get_target_hostname(gensec_security
);
330 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
331 return NT_STATUS_INVALID_PARAMETER
;
333 if (is_ipaddress(hostname
)) {
334 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
335 return NT_STATUS_INVALID_PARAMETER
;
337 if (strcmp(hostname
, "localhost") == 0) {
338 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
339 return NT_STATUS_INVALID_PARAMETER
;
342 nt_status
= gensec_gssapi_start(gensec_security
);
343 if (!NT_STATUS_IS_OK(nt_status
)) {
347 gensec_gssapi_state
= talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
349 if (cli_credentials_get_impersonate_principal(creds
)) {
350 gensec_gssapi_state
->gss_want_flags
&= ~(GSS_C_DELEG_FLAG
|GSS_C_DELEG_POLICY_FLAG
);
353 gensec_gssapi_state
->target_principal
= gensec_get_target_principal(gensec_security
);
354 if (gensec_gssapi_state
->target_principal
) {
355 name_type
= GSS_C_NULL_OID
;
357 gensec_gssapi_state
->target_principal
= talloc_asprintf(gensec_gssapi_state
, "%s/%s@%s",
358 gensec_get_target_service(gensec_security
),
359 hostname
, lpcfg_realm(gensec_security
->settings
->lp_ctx
));
361 name_type
= GSS_C_NT_USER_NAME
;
363 name_token
.value
= discard_const_p(uint8_t, gensec_gssapi_state
->target_principal
);
364 name_token
.length
= strlen(gensec_gssapi_state
->target_principal
);
367 maj_stat
= gss_import_name (&min_stat
,
370 &gensec_gssapi_state
->server_name
);
372 DEBUG(2, ("GSS Import name of %s failed: %s\n",
373 (char *)name_token
.value
,
374 gssapi_error_string(gensec_gssapi_state
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
375 return NT_STATUS_INVALID_PARAMETER
;
381 static NTSTATUS
gensec_gssapi_sasl_client_start(struct gensec_security
*gensec_security
)
384 struct gensec_gssapi_state
*gensec_gssapi_state
;
385 nt_status
= gensec_gssapi_client_start(gensec_security
);
387 if (NT_STATUS_IS_OK(nt_status
)) {
388 gensec_gssapi_state
= talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
389 gensec_gssapi_state
->sasl
= true;
396 * Next state function for the GSSAPI GENSEC mechanism
398 * @param gensec_gssapi_state GSSAPI State
399 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
400 * @param in The request, as a DATA_BLOB
401 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
402 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
403 * or NT_STATUS_OK if the user is authenticated.
406 static NTSTATUS
gensec_gssapi_update(struct gensec_security
*gensec_security
,
407 TALLOC_CTX
*out_mem_ctx
,
408 struct tevent_context
*ev
,
409 const DATA_BLOB in
, DATA_BLOB
*out
)
411 struct gensec_gssapi_state
*gensec_gssapi_state
412 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
413 NTSTATUS nt_status
= NT_STATUS_LOGON_FAILURE
;
414 OM_uint32 maj_stat
, min_stat
;
416 gss_buffer_desc input_token
, output_token
;
417 gss_OID gss_oid_p
= NULL
;
418 input_token
.length
= in
.length
;
419 input_token
.value
= in
.data
;
421 switch (gensec_gssapi_state
->sasl_state
) {
424 switch (gensec_security
->gensec_role
) {
427 struct gsskrb5_send_to_kdc send_to_kdc
;
430 nt_status
= gensec_gssapi_client_creds(gensec_security
, ev
);
431 if (!NT_STATUS_IS_OK(nt_status
)) {
435 #ifdef SAMBA4_USES_HEIMDAL
436 send_to_kdc
.func
= smb_krb5_send_and_recv_func
;
437 send_to_kdc
.ptr
= ev
;
440 min_stat
= gsskrb5_set_send_to_kdc(&send_to_kdc
);
442 DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
443 return NT_STATUS_INTERNAL_ERROR
;
446 maj_stat
= gss_init_sec_context(&min_stat
,
447 gensec_gssapi_state
->client_cred
->creds
,
448 &gensec_gssapi_state
->gssapi_context
,
449 gensec_gssapi_state
->server_name
,
450 gensec_gssapi_state
->gss_oid
,
451 gensec_gssapi_state
->gss_want_flags
,
453 gensec_gssapi_state
->input_chan_bindings
,
457 &gensec_gssapi_state
->gss_got_flags
, /* ret flags */
460 gensec_gssapi_state
->gss_oid
= gss_oid_p
;
463 #ifdef SAMBA4_USES_HEIMDAL
464 send_to_kdc
.func
= smb_krb5_send_and_recv_func
;
465 send_to_kdc
.ptr
= NULL
;
468 ret
= gsskrb5_set_send_to_kdc(&send_to_kdc
);
470 DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
471 return NT_STATUS_INTERNAL_ERROR
;
478 maj_stat
= gss_accept_sec_context(&min_stat
,
479 &gensec_gssapi_state
->gssapi_context
,
480 gensec_gssapi_state
->server_cred
->creds
,
482 gensec_gssapi_state
->input_chan_bindings
,
483 &gensec_gssapi_state
->client_name
,
486 &gensec_gssapi_state
->gss_got_flags
,
488 &gensec_gssapi_state
->delegated_cred_handle
);
490 gensec_gssapi_state
->gss_oid
= gss_oid_p
;
495 return NT_STATUS_INVALID_PARAMETER
;
499 gensec_gssapi_state
->gss_exchange_count
++;
501 if (maj_stat
== GSS_S_COMPLETE
) {
502 *out
= data_blob_talloc(out_mem_ctx
, output_token
.value
, output_token
.length
);
503 gss_release_buffer(&min_stat2
, &output_token
);
505 if (gensec_gssapi_state
->gss_got_flags
& GSS_C_DELEG_FLAG
) {
506 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
508 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
511 /* We may have been invoked as SASL, so there
512 * is more work to do */
513 if (gensec_gssapi_state
->sasl
) {
514 gensec_gssapi_state
->sasl_state
= STAGE_SASL_SSF_NEG
;
515 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
517 gensec_gssapi_state
->sasl_state
= STAGE_DONE
;
519 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
520 DEBUG(5, ("GSSAPI Connection will be cryptographically sealed\n"));
521 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
522 DEBUG(5, ("GSSAPI Connection will be cryptographically signed\n"));
524 DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
529 } else if (maj_stat
== GSS_S_CONTINUE_NEEDED
) {
530 *out
= data_blob_talloc(out_mem_ctx
, output_token
.value
, output_token
.length
);
531 gss_release_buffer(&min_stat2
, &output_token
);
533 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
534 } else if (maj_stat
== GSS_S_CONTEXT_EXPIRED
) {
537 gss_buffer_desc buffer
;
538 OM_uint32 lifetime
= 0;
539 gss_cred_usage_t usage
;
540 const char *role
= NULL
;
541 DEBUG(0, ("GSS %s Update(krb5)(%d) Update failed, credentials expired during GSSAPI handshake!\n",
543 gensec_gssapi_state
->gss_exchange_count
));
546 switch (gensec_security
->gensec_role
) {
548 creds
= gensec_gssapi_state
->client_cred
->creds
;
551 creds
= gensec_gssapi_state
->server_cred
->creds
;
555 maj_stat
= gss_inquire_cred(&min_stat
,
557 &name
, &lifetime
, &usage
, NULL
);
559 if (maj_stat
== GSS_S_COMPLETE
) {
560 const char *usage_string
;
563 usage_string
= "GSS_C_BOTH";
566 usage_string
= "GSS_C_ACCEPT";
569 usage_string
= "GSS_C_INITIATE";
572 maj_stat
= gss_display_name(&min_stat
, name
, &buffer
, NULL
);
578 DEBUG(0, ("GSSAPI gss_inquire_cred indicates expiry of %*.*s in %u sec for %s\n",
579 (int)buffer
.length
, (int)buffer
.length
, (char *)buffer
.value
,
580 lifetime
, usage_string
));
582 DEBUG(0, ("GSSAPI gss_inquire_cred indicates %*.*s has already expired for %s\n",
583 (int)buffer
.length
, (int)buffer
.length
, (char *)buffer
.value
,
586 gss_release_buffer(&min_stat
, &buffer
);
587 gss_release_name(&min_stat
, &name
);
588 } else if (maj_stat
!= GSS_S_COMPLETE
) {
589 DEBUG(0, ("inquiry of credential lifefime via GSSAPI gss_inquire_cred failed: %s\n",
590 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
592 return NT_STATUS_INVALID_PARAMETER
;
593 } else if (gss_oid_equal(gensec_gssapi_state
->gss_oid
, gss_mech_krb5
)) {
595 case KRB5KRB_AP_ERR_TKT_NYV
:
596 DEBUG(1, ("Error with ticket to contact %s: possible clock skew between us and the KDC or target server: %s\n",
597 gensec_gssapi_state
->target_principal
,
598 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
599 return NT_STATUS_TIME_DIFFERENCE_AT_DC
; /* Make SPNEGO ignore us, we can't go any further here */
600 case KRB5KRB_AP_ERR_TKT_EXPIRED
:
601 DEBUG(1, ("Error with ticket to contact %s: ticket is expired, possible clock skew between us and the KDC or target server: %s\n",
602 gensec_gssapi_state
->target_principal
,
603 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
604 return NT_STATUS_INVALID_PARAMETER
; /* Make SPNEGO ignore us, we can't go any further here */
605 case KRB5_KDC_UNREACH
:
606 DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticetk to %s: %s\n",
607 gensec_gssapi_state
->target_principal
,
608 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
609 return NT_STATUS_NO_LOGON_SERVERS
; /* Make SPNEGO ignore us, we can't go any further here */
610 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
:
611 DEBUG(3, ("Server %s is not registered with our KDC: %s\n",
612 gensec_gssapi_state
->target_principal
,
613 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
614 return NT_STATUS_INVALID_PARAMETER
; /* Make SPNEGO ignore us, we can't go any further here */
615 case KRB5KRB_AP_ERR_MSG_TYPE
:
616 /* garbage input, possibly from the auto-mech detection */
617 return NT_STATUS_INVALID_PARAMETER
;
619 DEBUG(1, ("GSS %s Update(krb5)(%d) Update failed: %s\n",
620 gensec_security
->gensec_role
== GENSEC_CLIENT
? "client" : "server",
621 gensec_gssapi_state
->gss_exchange_count
,
622 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
626 DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
627 gensec_security
->gensec_role
== GENSEC_CLIENT
? "client" : "server",
628 gensec_gssapi_state
->gss_exchange_count
,
629 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
635 /* These last two stages are only done if we were invoked as SASL */
636 case STAGE_SASL_SSF_NEG
:
638 switch (gensec_security
->gensec_role
) {
641 uint8_t maxlength_proposed
[4];
642 uint8_t maxlength_accepted
[4];
643 uint8_t security_supported
;
646 input_token
.length
= in
.length
;
647 input_token
.value
= in
.data
;
649 /* As a client, we have just send a
650 * zero-length blob to the server (after the
651 * normal GSSAPI exchange), and it has replied
652 * with it's SASL negotiation */
654 maj_stat
= gss_unwrap(&min_stat
,
655 gensec_gssapi_state
->gssapi_context
,
660 if (GSS_ERROR(maj_stat
)) {
661 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
662 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
663 return NT_STATUS_ACCESS_DENIED
;
666 if (output_token
.length
< 4) {
667 return NT_STATUS_INVALID_PARAMETER
;
670 memcpy(maxlength_proposed
, output_token
.value
, 4);
671 gss_release_buffer(&min_stat
, &output_token
);
673 /* first byte is the proposed security */
674 security_supported
= maxlength_proposed
[0];
675 maxlength_proposed
[0] = '\0';
677 /* Rest is the proposed max wrap length */
678 gensec_gssapi_state
->max_wrap_buf_size
= MIN(RIVAL(maxlength_proposed
, 0),
679 gensec_gssapi_state
->max_wrap_buf_size
);
680 gensec_gssapi_state
->sasl_protection
= 0;
681 if (security_supported
& NEG_SEAL
) {
682 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
683 gensec_gssapi_state
->sasl_protection
|= NEG_SEAL
;
686 if (security_supported
& NEG_SIGN
) {
687 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
688 gensec_gssapi_state
->sasl_protection
|= NEG_SIGN
;
691 if (security_supported
& NEG_NONE
) {
692 gensec_gssapi_state
->sasl_protection
|= NEG_NONE
;
694 if (gensec_gssapi_state
->sasl_protection
== 0) {
695 DEBUG(1, ("Remote server does not support unprotected connections\n"));
696 return NT_STATUS_ACCESS_DENIED
;
699 /* Send back the negotiated max length */
701 RSIVAL(maxlength_accepted
, 0, gensec_gssapi_state
->max_wrap_buf_size
);
703 maxlength_accepted
[0] = gensec_gssapi_state
->sasl_protection
;
705 input_token
.value
= maxlength_accepted
;
706 input_token
.length
= sizeof(maxlength_accepted
);
708 maj_stat
= gss_wrap(&min_stat
,
709 gensec_gssapi_state
->gssapi_context
,
715 if (GSS_ERROR(maj_stat
)) {
716 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
717 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
718 return NT_STATUS_ACCESS_DENIED
;
721 *out
= data_blob_talloc(out_mem_ctx
, output_token
.value
, output_token
.length
);
722 gss_release_buffer(&min_stat
, &output_token
);
724 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
725 gensec_gssapi_state
->sasl_state
= STAGE_DONE
;
727 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
728 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically sealed\n"));
729 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
730 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically signed\n"));
732 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographically protection\n"));
739 uint8_t maxlength_proposed
[4];
740 uint8_t security_supported
= 0x0;
743 /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
744 if (in
.length
!= 0) {
745 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
748 /* Give the client some idea what we will support */
750 RSIVAL(maxlength_proposed
, 0, gensec_gssapi_state
->max_wrap_buf_size
);
751 /* first byte is the proposed security */
752 maxlength_proposed
[0] = '\0';
754 gensec_gssapi_state
->sasl_protection
= 0;
755 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
756 security_supported
|= NEG_SEAL
;
758 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
759 security_supported
|= NEG_SIGN
;
761 if (security_supported
== 0) {
762 /* If we don't support anything, this must be 0 */
763 RSIVAL(maxlength_proposed
, 0, 0x0);
766 /* TODO: We may not wish to support this */
767 security_supported
|= NEG_NONE
;
768 maxlength_proposed
[0] = security_supported
;
770 input_token
.value
= maxlength_proposed
;
771 input_token
.length
= sizeof(maxlength_proposed
);
773 maj_stat
= gss_wrap(&min_stat
,
774 gensec_gssapi_state
->gssapi_context
,
780 if (GSS_ERROR(maj_stat
)) {
781 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
782 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
783 return NT_STATUS_ACCESS_DENIED
;
786 *out
= data_blob_talloc(out_mem_ctx
, output_token
.value
, output_token
.length
);
787 gss_release_buffer(&min_stat
, &output_token
);
789 gensec_gssapi_state
->sasl_state
= STAGE_SASL_SSF_ACCEPT
;
790 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
793 return NT_STATUS_INVALID_PARAMETER
;
797 /* This is s server-only stage */
798 case STAGE_SASL_SSF_ACCEPT
:
800 uint8_t maxlength_accepted
[4];
801 uint8_t security_accepted
;
804 input_token
.length
= in
.length
;
805 input_token
.value
= in
.data
;
807 maj_stat
= gss_unwrap(&min_stat
,
808 gensec_gssapi_state
->gssapi_context
,
813 if (GSS_ERROR(maj_stat
)) {
814 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
815 gssapi_error_string(out_mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
816 return NT_STATUS_ACCESS_DENIED
;
819 if (output_token
.length
< 4) {
820 return NT_STATUS_INVALID_PARAMETER
;
823 memcpy(maxlength_accepted
, output_token
.value
, 4);
824 gss_release_buffer(&min_stat
, &output_token
);
826 /* first byte is the proposed security */
827 security_accepted
= maxlength_accepted
[0];
828 maxlength_accepted
[0] = '\0';
830 /* Rest is the proposed max wrap length */
831 gensec_gssapi_state
->max_wrap_buf_size
= MIN(RIVAL(maxlength_accepted
, 0),
832 gensec_gssapi_state
->max_wrap_buf_size
);
834 gensec_gssapi_state
->sasl_protection
= 0;
835 if (security_accepted
& NEG_SEAL
) {
836 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
837 DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
838 return NT_STATUS_ACCESS_DENIED
;
840 gensec_gssapi_state
->sasl_protection
|= NEG_SEAL
;
842 if (security_accepted
& NEG_SIGN
) {
843 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
844 DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
845 return NT_STATUS_ACCESS_DENIED
;
847 gensec_gssapi_state
->sasl_protection
|= NEG_SIGN
;
849 if (security_accepted
& NEG_NONE
) {
850 gensec_gssapi_state
->sasl_protection
|= NEG_NONE
;
853 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
854 gensec_gssapi_state
->sasl_state
= STAGE_DONE
;
855 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
856 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically sealed\n"));
857 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
858 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically signed\n"));
860 DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
863 *out
= data_blob(NULL
, 0);
867 return NT_STATUS_INVALID_PARAMETER
;
871 static NTSTATUS
gensec_gssapi_wrap(struct gensec_security
*gensec_security
,
876 struct gensec_gssapi_state
*gensec_gssapi_state
877 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
878 OM_uint32 maj_stat
, min_stat
;
879 gss_buffer_desc input_token
, output_token
;
881 input_token
.length
= in
->length
;
882 input_token
.value
= in
->data
;
884 maj_stat
= gss_wrap(&min_stat
,
885 gensec_gssapi_state
->gssapi_context
,
886 gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
),
891 if (GSS_ERROR(maj_stat
)) {
892 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
893 gssapi_error_string(mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
894 return NT_STATUS_ACCESS_DENIED
;
897 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
898 gss_release_buffer(&min_stat
, &output_token
);
900 if (gensec_gssapi_state
->sasl
) {
901 size_t max_wrapped_size
= gensec_gssapi_max_wrapped_size(gensec_security
);
902 if (max_wrapped_size
< out
->length
) {
903 DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
904 (unsigned)in
->length
,
905 (unsigned)out
->length
,
906 (unsigned int)max_wrapped_size
));
907 return NT_STATUS_INVALID_PARAMETER
;
911 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
913 return NT_STATUS_ACCESS_DENIED
;
918 static NTSTATUS
gensec_gssapi_unwrap(struct gensec_security
*gensec_security
,
923 struct gensec_gssapi_state
*gensec_gssapi_state
924 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
925 OM_uint32 maj_stat
, min_stat
;
926 gss_buffer_desc input_token
, output_token
;
929 input_token
.length
= in
->length
;
930 input_token
.value
= in
->data
;
932 if (gensec_gssapi_state
->sasl
) {
933 size_t max_wrapped_size
= gensec_gssapi_max_wrapped_size(gensec_security
);
934 if (max_wrapped_size
< in
->length
) {
935 DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
936 return NT_STATUS_INVALID_PARAMETER
;
940 maj_stat
= gss_unwrap(&min_stat
,
941 gensec_gssapi_state
->gssapi_context
,
946 if (GSS_ERROR(maj_stat
)) {
947 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n",
948 gssapi_error_string(mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
949 return NT_STATUS_ACCESS_DENIED
;
952 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
953 gss_release_buffer(&min_stat
, &output_token
);
955 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
957 return NT_STATUS_ACCESS_DENIED
;
962 /* Find out the maximum input size negotiated on this connection */
964 static size_t gensec_gssapi_max_input_size(struct gensec_security
*gensec_security
)
966 struct gensec_gssapi_state
*gensec_gssapi_state
967 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
968 OM_uint32 maj_stat
, min_stat
;
969 OM_uint32 max_input_size
;
971 maj_stat
= gss_wrap_size_limit(&min_stat
,
972 gensec_gssapi_state
->gssapi_context
,
973 gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
),
975 gensec_gssapi_state
->max_wrap_buf_size
,
977 if (GSS_ERROR(maj_stat
)) {
978 TALLOC_CTX
*mem_ctx
= talloc_new(NULL
);
979 DEBUG(1, ("gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n",
980 gssapi_error_string(mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
981 talloc_free(mem_ctx
);
985 return max_input_size
;
988 /* Find out the maximum output size negotiated on this connection */
989 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security
*gensec_security
)
991 struct gensec_gssapi_state
*gensec_gssapi_state
= talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);;
992 return gensec_gssapi_state
->max_wrap_buf_size
;
995 static NTSTATUS
gensec_gssapi_seal_packet(struct gensec_security
*gensec_security
,
997 uint8_t *data
, size_t length
,
998 const uint8_t *whole_pdu
, size_t pdu_length
,
1001 struct gensec_gssapi_state
*gensec_gssapi_state
1002 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1003 OM_uint32 maj_stat
, min_stat
;
1004 gss_buffer_desc input_token
, output_token
;
1008 input_token
.length
= length
;
1009 input_token
.value
= data
;
1011 maj_stat
= gss_wrap(&min_stat
,
1012 gensec_gssapi_state
->gssapi_context
,
1013 gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
),
1018 if (GSS_ERROR(maj_stat
)) {
1019 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n",
1020 gssapi_error_string(mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
1021 return NT_STATUS_ACCESS_DENIED
;
1024 if (output_token
.length
< input_token
.length
) {
1025 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
1026 (long)output_token
.length
, (long)length
));
1027 return NT_STATUS_INTERNAL_ERROR
;
1029 sig_length
= output_token
.length
- input_token
.length
;
1031 memcpy(data
, ((uint8_t *)output_token
.value
) + sig_length
, length
);
1032 *sig
= data_blob_talloc(mem_ctx
, (uint8_t *)output_token
.value
, sig_length
);
1034 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig
->data
, sig
->length
);
1035 dump_data_pw("gensec_gssapi_seal_packet: clear\n", data
, length
);
1036 dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token
.value
) + sig_length
, output_token
.length
- sig_length
);
1038 gss_release_buffer(&min_stat
, &output_token
);
1040 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
1042 return NT_STATUS_ACCESS_DENIED
;
1044 return NT_STATUS_OK
;
1047 static NTSTATUS
gensec_gssapi_unseal_packet(struct gensec_security
*gensec_security
,
1048 uint8_t *data
, size_t length
,
1049 const uint8_t *whole_pdu
, size_t pdu_length
,
1050 const DATA_BLOB
*sig
)
1052 struct gensec_gssapi_state
*gensec_gssapi_state
1053 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1054 OM_uint32 maj_stat
, min_stat
;
1055 gss_buffer_desc input_token
, output_token
;
1057 gss_qop_t qop_state
;
1060 dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig
->data
, sig
->length
);
1062 in
= data_blob_talloc(gensec_security
, NULL
, sig
->length
+ length
);
1064 memcpy(in
.data
, sig
->data
, sig
->length
);
1065 memcpy(in
.data
+ sig
->length
, data
, length
);
1067 input_token
.length
= in
.length
;
1068 input_token
.value
= in
.data
;
1070 maj_stat
= gss_unwrap(&min_stat
,
1071 gensec_gssapi_state
->gssapi_context
,
1076 talloc_free(in
.data
);
1077 if (GSS_ERROR(maj_stat
)) {
1078 char *error_string
= gssapi_error_string(NULL
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
);
1079 DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n",
1081 talloc_free(error_string
);
1082 return NT_STATUS_ACCESS_DENIED
;
1085 if (output_token
.length
!= length
) {
1086 return NT_STATUS_INTERNAL_ERROR
;
1089 memcpy(data
, output_token
.value
, length
);
1091 gss_release_buffer(&min_stat
, &output_token
);
1093 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
1095 return NT_STATUS_ACCESS_DENIED
;
1097 return NT_STATUS_OK
;
1100 static NTSTATUS
gensec_gssapi_sign_packet(struct gensec_security
*gensec_security
,
1101 TALLOC_CTX
*mem_ctx
,
1102 const uint8_t *data
, size_t length
,
1103 const uint8_t *whole_pdu
, size_t pdu_length
,
1106 struct gensec_gssapi_state
*gensec_gssapi_state
1107 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1108 OM_uint32 maj_stat
, min_stat
;
1109 gss_buffer_desc input_token
, output_token
;
1111 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN_PKT_HEADER
) {
1112 input_token
.length
= pdu_length
;
1113 input_token
.value
= discard_const_p(uint8_t *, whole_pdu
);
1115 input_token
.length
= length
;
1116 input_token
.value
= discard_const_p(uint8_t *, data
);
1119 maj_stat
= gss_get_mic(&min_stat
,
1120 gensec_gssapi_state
->gssapi_context
,
1124 if (GSS_ERROR(maj_stat
)) {
1125 DEBUG(1, ("GSS GetMic failed: %s\n",
1126 gssapi_error_string(mem_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
1127 return NT_STATUS_ACCESS_DENIED
;
1130 *sig
= data_blob_talloc(mem_ctx
, (uint8_t *)output_token
.value
, output_token
.length
);
1132 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig
->data
, sig
->length
);
1134 gss_release_buffer(&min_stat
, &output_token
);
1136 return NT_STATUS_OK
;
1139 static NTSTATUS
gensec_gssapi_check_packet(struct gensec_security
*gensec_security
,
1140 const uint8_t *data
, size_t length
,
1141 const uint8_t *whole_pdu
, size_t pdu_length
,
1142 const DATA_BLOB
*sig
)
1144 struct gensec_gssapi_state
*gensec_gssapi_state
1145 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1146 OM_uint32 maj_stat
, min_stat
;
1147 gss_buffer_desc input_token
;
1148 gss_buffer_desc input_message
;
1149 gss_qop_t qop_state
;
1151 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig
->data
, sig
->length
);
1153 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN_PKT_HEADER
) {
1154 input_message
.length
= pdu_length
;
1155 input_message
.value
= discard_const(whole_pdu
);
1157 input_message
.length
= length
;
1158 input_message
.value
= discard_const(data
);
1161 input_token
.length
= sig
->length
;
1162 input_token
.value
= sig
->data
;
1164 maj_stat
= gss_verify_mic(&min_stat
,
1165 gensec_gssapi_state
->gssapi_context
,
1169 if (GSS_ERROR(maj_stat
)) {
1170 char *error_string
= gssapi_error_string(NULL
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
);
1171 DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string
));
1172 talloc_free(error_string
);
1174 return NT_STATUS_ACCESS_DENIED
;
1177 return NT_STATUS_OK
;
1180 /* Try to figure out what features we actually got on the connection */
1181 static bool gensec_gssapi_have_feature(struct gensec_security
*gensec_security
,
1184 struct gensec_gssapi_state
*gensec_gssapi_state
1185 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1186 if (feature
& GENSEC_FEATURE_SIGN
) {
1187 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1188 if (gensec_gssapi_state
->sasl
1189 && gensec_gssapi_state
->sasl_state
== STAGE_DONE
) {
1190 return ((gensec_gssapi_state
->sasl_protection
& NEG_SIGN
)
1191 && (gensec_gssapi_state
->gss_got_flags
& GSS_C_INTEG_FLAG
));
1193 return gensec_gssapi_state
->gss_got_flags
& GSS_C_INTEG_FLAG
;
1195 if (feature
& GENSEC_FEATURE_SEAL
) {
1196 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1197 if (gensec_gssapi_state
->sasl
1198 && gensec_gssapi_state
->sasl_state
== STAGE_DONE
) {
1199 return ((gensec_gssapi_state
->sasl_protection
& NEG_SEAL
)
1200 && (gensec_gssapi_state
->gss_got_flags
& GSS_C_CONF_FLAG
));
1202 return gensec_gssapi_state
->gss_got_flags
& GSS_C_CONF_FLAG
;
1204 if (feature
& GENSEC_FEATURE_SESSION_KEY
) {
1205 /* Only for GSSAPI/Krb5 */
1206 if (gss_oid_equal(gensec_gssapi_state
->gss_oid
, gss_mech_krb5
)) {
1210 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
1211 return gensec_gssapi_state
->gss_got_flags
& GSS_C_DCE_STYLE
;
1213 if (feature
& GENSEC_FEATURE_NEW_SPNEGO
) {
1217 if (!(gensec_gssapi_state
->gss_got_flags
& GSS_C_INTEG_FLAG
)) {
1221 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "force_new_spnego", false)) {
1224 if (gensec_setting_bool(gensec_security
->settings
, "gensec_gssapi", "disable_new_spnego", false)) {
1228 status
= gssapi_get_session_key(gensec_gssapi_state
,
1229 gensec_gssapi_state
->gssapi_context
, NULL
, &keytype
);
1231 * We should do a proper sig on the mechListMic unless
1232 * we know we have to be backwards compatible with
1233 * earlier windows versions.
1235 * Negotiating a non-krb5
1236 * mech for example should be regarded as having
1239 if (NT_STATUS_IS_OK(status
)) {
1241 case ENCTYPE_DES_CBC_CRC
:
1242 case ENCTYPE_DES_CBC_MD5
:
1243 case ENCTYPE_ARCFOUR_HMAC
:
1244 case ENCTYPE_DES3_CBC_SHA1
:
1250 /* We can always do async (rather than strict request/reply) packets. */
1251 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
1258 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1259 * (for encrypting some passwords).
1261 * This breaks all the abstractions, but what do you expect...
1263 static NTSTATUS
gensec_gssapi_session_key(struct gensec_security
*gensec_security
,
1264 TALLOC_CTX
*mem_ctx
,
1265 DATA_BLOB
*session_key
)
1267 struct gensec_gssapi_state
*gensec_gssapi_state
1268 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1269 return gssapi_get_session_key(mem_ctx
, gensec_gssapi_state
->gssapi_context
, session_key
, NULL
);
1272 /* Get some basic (and authorization) information about the user on
1273 * this session. This uses either the PAC (if present) or a local
1274 * database lookup */
1275 static NTSTATUS
gensec_gssapi_session_info(struct gensec_security
*gensec_security
,
1276 TALLOC_CTX
*mem_ctx
,
1277 struct auth_session_info
**_session_info
)
1280 TALLOC_CTX
*tmp_ctx
;
1281 struct gensec_gssapi_state
*gensec_gssapi_state
1282 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1283 struct auth_session_info
*session_info
= NULL
;
1284 OM_uint32 maj_stat
, min_stat
;
1285 DATA_BLOB pac_blob
, *pac_blob_ptr
= NULL
;
1287 gss_buffer_desc name_token
;
1288 char *principal_string
;
1290 tmp_ctx
= talloc_named(mem_ctx
, 0, "gensec_gssapi_session_info context");
1291 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1293 maj_stat
= gss_display_name (&min_stat
,
1294 gensec_gssapi_state
->client_name
,
1297 if (GSS_ERROR(maj_stat
)) {
1298 DEBUG(1, ("GSS display_name failed: %s\n",
1299 gssapi_error_string(tmp_ctx
, maj_stat
, min_stat
, gensec_gssapi_state
->gss_oid
)));
1300 talloc_free(tmp_ctx
);
1301 return NT_STATUS_FOOBAR
;
1304 principal_string
= talloc_strndup(tmp_ctx
,
1305 (const char *)name_token
.value
,
1308 gss_release_buffer(&min_stat
, &name_token
);
1310 if (!principal_string
) {
1311 talloc_free(tmp_ctx
);
1312 return NT_STATUS_NO_MEMORY
;
1315 nt_status
= gssapi_obtain_pac_blob(tmp_ctx
, gensec_gssapi_state
->gssapi_context
,
1316 gensec_gssapi_state
->client_name
,
1319 /* IF we have the PAC - otherwise we need to get this
1320 * data from elsewere - local ldb, or (TODO) lookup of some
1323 if (NT_STATUS_IS_OK(nt_status
)) {
1324 pac_blob_ptr
= &pac_blob
;
1326 nt_status
= gensec_generate_session_info_pac(tmp_ctx
,
1328 gensec_gssapi_state
->smb_krb5_context
,
1329 pac_blob_ptr
, principal_string
,
1330 gensec_get_remote_address(gensec_security
),
1332 if (!NT_STATUS_IS_OK(nt_status
)) {
1333 talloc_free(tmp_ctx
);
1337 nt_status
= gensec_gssapi_session_key(gensec_security
, session_info
, &session_info
->session_key
);
1338 if (!NT_STATUS_IS_OK(nt_status
)) {
1339 talloc_free(tmp_ctx
);
1343 if (!(gensec_gssapi_state
->gss_got_flags
& GSS_C_DELEG_FLAG
)) {
1344 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1346 krb5_error_code ret
;
1347 const char *error_string
;
1349 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1350 session_info
->credentials
= cli_credentials_init(session_info
);
1351 if (!session_info
->credentials
) {
1352 talloc_free(tmp_ctx
);
1353 return NT_STATUS_NO_MEMORY
;
1356 cli_credentials_set_conf(session_info
->credentials
, gensec_security
->settings
->lp_ctx
);
1357 /* Just so we don't segfault trying to get at a username */
1358 cli_credentials_set_anonymous(session_info
->credentials
);
1360 ret
= cli_credentials_set_client_gss_creds(session_info
->credentials
,
1361 gensec_security
->settings
->lp_ctx
,
1362 gensec_gssapi_state
->delegated_cred_handle
,
1363 CRED_SPECIFIED
, &error_string
);
1365 talloc_free(tmp_ctx
);
1366 DEBUG(2,("Failed to get gss creds: %s\n", error_string
));
1367 return NT_STATUS_NO_MEMORY
;
1370 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1371 cli_credentials_set_kerberos_state(session_info
->credentials
, CRED_MUST_USE_KERBEROS
);
1373 /* It has been taken from this place... */
1374 gensec_gssapi_state
->delegated_cred_handle
= GSS_C_NO_CREDENTIAL
;
1376 *_session_info
= talloc_steal(mem_ctx
, session_info
);
1377 talloc_free(tmp_ctx
);
1379 return NT_STATUS_OK
;
1382 static size_t gensec_gssapi_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
1384 struct gensec_gssapi_state
*gensec_gssapi_state
1385 = talloc_get_type(gensec_security
->private_data
, struct gensec_gssapi_state
);
1388 if (gensec_gssapi_state
->sig_size
) {
1389 return gensec_gssapi_state
->sig_size
;
1392 if (gensec_gssapi_state
->gss_got_flags
& GSS_C_CONF_FLAG
) {
1393 gensec_gssapi_state
->sig_size
= 45;
1395 gensec_gssapi_state
->sig_size
= 37;
1398 status
= gensec_gssapi_init_lucid(gensec_gssapi_state
);
1399 if (!NT_STATUS_IS_OK(status
)) {
1400 return gensec_gssapi_state
->sig_size
;
1403 if (gensec_gssapi_state
->lucid
->protocol
== 1) {
1404 if (gensec_gssapi_state
->gss_got_flags
& GSS_C_CONF_FLAG
) {
1406 * TODO: windows uses 76 here, but we don't know
1407 * gss_wrap works with aes keys yet
1409 gensec_gssapi_state
->sig_size
= 76;
1411 gensec_gssapi_state
->sig_size
= 28;
1413 } else if (gensec_gssapi_state
->lucid
->protocol
== 0) {
1414 switch (gensec_gssapi_state
->lucid
->rfc1964_kd
.ctx_key
.type
) {
1416 case KEYTYPE_ARCFOUR
:
1417 case KEYTYPE_ARCFOUR_56
:
1418 if (gensec_gssapi_state
->gss_got_flags
& GSS_C_CONF_FLAG
) {
1419 gensec_gssapi_state
->sig_size
= 45;
1421 gensec_gssapi_state
->sig_size
= 37;
1425 if (gensec_gssapi_state
->gss_got_flags
& GSS_C_CONF_FLAG
) {
1426 gensec_gssapi_state
->sig_size
= 57;
1428 gensec_gssapi_state
->sig_size
= 49;
1434 return gensec_gssapi_state
->sig_size
;
1437 static const char *gensec_gssapi_krb5_oids
[] = {
1438 GENSEC_OID_KERBEROS5_OLD
,
1439 GENSEC_OID_KERBEROS5
,
1443 static const char *gensec_gssapi_spnego_oids
[] = {
1448 /* As a server, this could in theory accept any GSSAPI mech */
1449 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops
= {
1450 .name
= "gssapi_spnego",
1451 .sasl_name
= "GSS-SPNEGO",
1452 .auth_type
= DCERPC_AUTH_TYPE_SPNEGO
,
1453 .oid
= gensec_gssapi_spnego_oids
,
1454 .client_start
= gensec_gssapi_client_start
,
1455 .server_start
= gensec_gssapi_server_start
,
1456 .magic
= gensec_magic_check_krb5_oid
,
1457 .update
= gensec_gssapi_update
,
1458 .session_key
= gensec_gssapi_session_key
,
1459 .session_info
= gensec_gssapi_session_info
,
1460 .sign_packet
= gensec_gssapi_sign_packet
,
1461 .check_packet
= gensec_gssapi_check_packet
,
1462 .seal_packet
= gensec_gssapi_seal_packet
,
1463 .unseal_packet
= gensec_gssapi_unseal_packet
,
1464 .wrap
= gensec_gssapi_wrap
,
1465 .unwrap
= gensec_gssapi_unwrap
,
1466 .have_feature
= gensec_gssapi_have_feature
,
1469 .priority
= GENSEC_GSSAPI
1472 /* As a server, this could in theory accept any GSSAPI mech */
1473 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops
= {
1474 .name
= "gssapi_krb5",
1475 .auth_type
= DCERPC_AUTH_TYPE_KRB5
,
1476 .oid
= gensec_gssapi_krb5_oids
,
1477 .client_start
= gensec_gssapi_client_start
,
1478 .server_start
= gensec_gssapi_server_start
,
1479 .magic
= gensec_magic_check_krb5_oid
,
1480 .update
= gensec_gssapi_update
,
1481 .session_key
= gensec_gssapi_session_key
,
1482 .session_info
= gensec_gssapi_session_info
,
1483 .sig_size
= gensec_gssapi_sig_size
,
1484 .sign_packet
= gensec_gssapi_sign_packet
,
1485 .check_packet
= gensec_gssapi_check_packet
,
1486 .seal_packet
= gensec_gssapi_seal_packet
,
1487 .unseal_packet
= gensec_gssapi_unseal_packet
,
1488 .wrap
= gensec_gssapi_wrap
,
1489 .unwrap
= gensec_gssapi_unwrap
,
1490 .have_feature
= gensec_gssapi_have_feature
,
1493 .priority
= GENSEC_GSSAPI
1496 /* As a server, this could in theory accept any GSSAPI mech */
1497 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops
= {
1498 .name
= "gssapi_krb5_sasl",
1499 .sasl_name
= "GSSAPI",
1500 .client_start
= gensec_gssapi_sasl_client_start
,
1501 .server_start
= gensec_gssapi_sasl_server_start
,
1502 .update
= gensec_gssapi_update
,
1503 .session_key
= gensec_gssapi_session_key
,
1504 .session_info
= gensec_gssapi_session_info
,
1505 .max_input_size
= gensec_gssapi_max_input_size
,
1506 .max_wrapped_size
= gensec_gssapi_max_wrapped_size
,
1507 .wrap
= gensec_gssapi_wrap
,
1508 .unwrap
= gensec_gssapi_unwrap
,
1509 .have_feature
= gensec_gssapi_have_feature
,
1512 .priority
= GENSEC_GSSAPI
1515 _PUBLIC_ NTSTATUS
gensec_gssapi_init(void)
1519 ret
= gensec_register(&gensec_gssapi_spnego_security_ops
);
1520 if (!NT_STATUS_IS_OK(ret
)) {
1521 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1522 gensec_gssapi_spnego_security_ops
.name
));
1526 ret
= gensec_register(&gensec_gssapi_krb5_security_ops
);
1527 if (!NT_STATUS_IS_OK(ret
)) {
1528 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1529 gensec_gssapi_krb5_security_ops
.name
));
1533 ret
= gensec_register(&gensec_gssapi_sasl_krb5_security_ops
);
1534 if (!NT_STATUS_IS_OK(ret
)) {
1535 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1536 gensec_gssapi_sasl_krb5_security_ops
.name
));