2 * GSSAPI Security Extensions
3 * RPC Pipe client and server routines
4 * Copyright (C) Simo Sorce 2010.
5 * Copyright (C) Andrew Bartlett 2004-2011.
6 * Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 /* We support only GSSAPI/KRB5 here */
26 #include "libads/kerberos_proto.h"
27 #include "auth/common_auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "auth/gensec/gensec_internal.h"
30 #include "auth/credentials/credentials.h"
31 #include "../librpc/gen_ndr/dcerpc.h"
33 #if defined(HAVE_KRB5)
35 #include "auth/kerberos/pac_utils.h"
38 static char *gse_errstr(TALLOC_CTX
*mem_ctx
, OM_uint32 maj
, OM_uint32 min
);
41 gss_ctx_id_t gssapi_context
;
42 gss_name_t server_name
;
43 gss_name_t client_name
;
44 OM_uint32 gss_want_flags
, gss_got_flags
;
46 gss_cred_id_t delegated_cred_handle
;
55 gss_OID_desc gss_mech
;
61 /* free non talloc dependent contexts */
62 static int gse_context_destructor(void *ptr
)
64 struct gse_context
*gse_ctx
;
67 gse_ctx
= talloc_get_type_abort(ptr
, struct gse_context
);
69 if (gse_ctx
->ccache
) {
70 krb5_cc_close(gse_ctx
->k5ctx
, gse_ctx
->ccache
);
71 gse_ctx
->ccache
= NULL
;
73 if (gse_ctx
->keytab
) {
74 krb5_kt_close(gse_ctx
->k5ctx
, gse_ctx
->keytab
);
75 gse_ctx
->keytab
= NULL
;
77 krb5_free_context(gse_ctx
->k5ctx
);
78 gse_ctx
->k5ctx
= NULL
;
80 if (gse_ctx
->gssapi_context
!= GSS_C_NO_CONTEXT
) {
81 (void)gss_delete_sec_context(&gss_min
,
82 &gse_ctx
->gssapi_context
,
85 if (gse_ctx
->server_name
) {
86 (void)gss_release_name(&gss_min
,
87 &gse_ctx
->server_name
);
89 if (gse_ctx
->client_name
) {
90 (void)gss_release_name(&gss_min
,
91 &gse_ctx
->client_name
);
94 (void)gss_release_cred(&gss_min
,
97 if (gse_ctx
->delegated_cred_handle
) {
98 (void)gss_release_cred(&gss_min
,
99 &gse_ctx
->delegated_cred_handle
);
102 /* MIT and Heimdal differ as to if you can call
103 * gss_release_oid() on this OID, generated by
104 * gss_{accept,init}_sec_context(). However, as long as the
105 * oid is gss_mech_krb5 (which it always is at the moment),
106 * then this is a moot point, as both declare this particular
107 * OID static, and so no memory is lost. This assert is in
108 * place to ensure that the programmer who wishes to extend
109 * this code to EAP or other GSS mechanisms determines an
110 * implementation-dependent way of releasing any dynamically
112 SMB_ASSERT(smb_gss_oid_equal(&gse_ctx
->gss_mech
, GSS_C_NO_OID
) ||
113 smb_gss_oid_equal(&gse_ctx
->gss_mech
, gss_mech_krb5
));
118 static NTSTATUS
gse_context_init(TALLOC_CTX
*mem_ctx
,
119 bool do_sign
, bool do_seal
,
120 const char *ccache_name
,
121 uint32_t add_gss_c_flags
,
122 struct gse_context
**_gse_ctx
)
124 struct gse_context
*gse_ctx
;
125 krb5_error_code k5ret
;
128 gse_ctx
= talloc_zero(mem_ctx
, struct gse_context
);
130 return NT_STATUS_NO_MEMORY
;
132 talloc_set_destructor((TALLOC_CTX
*)gse_ctx
, gse_context_destructor
);
134 gse_ctx
->expire_time
= GENSEC_EXPIRE_TIME_INFINITY
;
136 memcpy(&gse_ctx
->gss_mech
, gss_mech_krb5
, sizeof(gss_OID_desc
));
138 gse_ctx
->gss_want_flags
= GSS_C_MUTUAL_FLAG
|
140 GSS_C_DELEG_POLICY_FLAG
|
144 gse_ctx
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
147 gse_ctx
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
148 gse_ctx
->gss_want_flags
|= GSS_C_CONF_FLAG
;
151 gse_ctx
->gss_want_flags
|= add_gss_c_flags
;
153 /* Initialize Kerberos Context */
154 initialize_krb5_error_table();
156 k5ret
= krb5_init_context(&gse_ctx
->k5ctx
);
158 DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
159 error_message(k5ret
)));
160 status
= NT_STATUS_INTERNAL_ERROR
;
165 ccache_name
= krb5_cc_default_name(gse_ctx
->k5ctx
);
167 k5ret
= krb5_cc_resolve(gse_ctx
->k5ctx
, ccache_name
,
170 DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
171 error_message(k5ret
)));
172 status
= NT_STATUS_INTERNAL_ERROR
;
176 /* TODO: Should we enforce a enc_types list ?
177 ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
184 TALLOC_FREE(gse_ctx
);
188 static NTSTATUS
gse_init_client(TALLOC_CTX
*mem_ctx
,
189 bool do_sign
, bool do_seal
,
190 const char *ccache_name
,
193 const char *username
,
194 const char *password
,
195 uint32_t add_gss_c_flags
,
196 struct gse_context
**_gse_ctx
)
198 struct gse_context
*gse_ctx
;
199 OM_uint32 gss_maj
, gss_min
;
200 gss_buffer_desc name_buffer
= {0, NULL
};
201 gss_OID_set_desc mech_set
;
204 if (!server
|| !service
) {
205 return NT_STATUS_INVALID_PARAMETER
;
208 status
= gse_context_init(mem_ctx
, do_sign
, do_seal
,
209 ccache_name
, add_gss_c_flags
,
211 if (!NT_STATUS_IS_OK(status
)) {
212 return NT_STATUS_NO_MEMORY
;
215 /* Guess the realm based on the supplied service, and avoid the GSS libs
216 doing DNS lookups which may fail.
218 TODO: Loop with the KDC on some more combinations (local
219 realm in particular), possibly falling back to
220 GSS_C_NT_HOSTBASED_SERVICE
222 name_buffer
.value
= kerberos_get_principal_from_service_hostname(
223 gse_ctx
, service
, server
, lp_realm());
224 if (!name_buffer
.value
) {
225 status
= NT_STATUS_NO_MEMORY
;
228 name_buffer
.length
= strlen((char *)name_buffer
.value
);
229 gss_maj
= gss_import_name(&gss_min
, &name_buffer
,
231 &gse_ctx
->server_name
);
233 DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
234 (char *)name_buffer
.value
,
235 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
236 status
= NT_STATUS_INTERNAL_ERROR
;
240 /* TODO: get krb5 ticket using username/password, if no valid
241 * one already available in ccache */
244 mech_set
.elements
= &gse_ctx
->gss_mech
;
246 gss_maj
= gss_acquire_cred(&gss_min
,
254 DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
255 (char *)name_buffer
.value
,
256 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
257 status
= NT_STATUS_INTERNAL_ERROR
;
262 TALLOC_FREE(name_buffer
.value
);
266 TALLOC_FREE(name_buffer
.value
);
267 TALLOC_FREE(gse_ctx
);
271 static NTSTATUS
gse_get_client_auth_token(TALLOC_CTX
*mem_ctx
,
272 struct gse_context
*gse_ctx
,
273 const DATA_BLOB
*token_in
,
274 DATA_BLOB
*token_out
)
276 OM_uint32 gss_maj
, gss_min
;
277 gss_buffer_desc in_data
;
278 gss_buffer_desc out_data
;
279 DATA_BLOB blob
= data_blob_null
;
281 OM_uint32 time_rec
= 0;
284 in_data
.value
= token_in
->data
;
285 in_data
.length
= token_in
->length
;
287 gss_maj
= gss_init_sec_context(&gss_min
,
289 &gse_ctx
->gssapi_context
,
290 gse_ctx
->server_name
,
292 gse_ctx
->gss_want_flags
,
293 0, GSS_C_NO_CHANNEL_BINDINGS
,
294 &in_data
, NULL
, &out_data
,
295 &gse_ctx
->gss_got_flags
, &time_rec
);
298 /* we are done with it */
299 tv
= timeval_current_ofs(time_rec
, 0);
300 gse_ctx
->expire_time
= timeval_to_nttime(&tv
);
302 status
= NT_STATUS_OK
;
304 case GSS_S_CONTINUE_NEEDED
:
305 /* we will need a third leg */
306 status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
309 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
310 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
311 status
= NT_STATUS_INTERNAL_ERROR
;
315 /* we may be told to return nothing */
316 if (out_data
.length
) {
317 blob
= data_blob_talloc(mem_ctx
, out_data
.value
, out_data
.length
);
319 status
= NT_STATUS_NO_MEMORY
;
322 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
330 static NTSTATUS
gse_init_server(TALLOC_CTX
*mem_ctx
,
331 bool do_sign
, bool do_seal
,
332 uint32_t add_gss_c_flags
,
333 struct gse_context
**_gse_ctx
)
335 struct gse_context
*gse_ctx
;
336 OM_uint32 gss_maj
, gss_min
;
340 status
= gse_context_init(mem_ctx
, do_sign
, do_seal
,
341 NULL
, add_gss_c_flags
, &gse_ctx
);
342 if (!NT_STATUS_IS_OK(status
)) {
343 return NT_STATUS_NO_MEMORY
;
346 ret
= gse_krb5_get_server_keytab(gse_ctx
->k5ctx
,
349 status
= NT_STATUS_INTERNAL_ERROR
;
353 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
355 /* This creates a GSSAPI cred_id_t with the keytab set */
356 gss_maj
= gss_krb5_import_cred(&gss_min
, NULL
, NULL
, gse_ctx
->keytab
,
360 && gss_maj
!= (GSS_S_CALL_BAD_STRUCTURE
|GSS_S_BAD_NAME
)) {
361 DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
362 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
363 status
= NT_STATUS_INTERNAL_ERROR
;
366 /* This is the error the MIT krb5 1.9 gives when it
367 * implements the function, but we do not specify the
368 * principal. However, when we specify the principal
369 * as host$@REALM the GSS acceptor fails with 'wrong
370 * principal in request'. Work around the issue by
371 * falling back to the alternate approach below. */
372 } else if (gss_maj
== (GSS_S_CALL_BAD_STRUCTURE
|GSS_S_BAD_NAME
))
375 * This call sets the default keytab for the whole server, not
376 * just for this context. Need to find a way that does not alter
377 * the state of the whole server ... */
380 gss_OID_set_desc mech_set
;
382 ret
= smb_krb5_keytab_name(gse_ctx
, gse_ctx
->k5ctx
,
383 gse_ctx
->keytab
, &ktname
);
385 status
= NT_STATUS_INTERNAL_ERROR
;
389 ret
= gsskrb5_register_acceptor_identity(ktname
);
391 status
= NT_STATUS_INTERNAL_ERROR
;
396 mech_set
.elements
= &gse_ctx
->gss_mech
;
398 gss_maj
= gss_acquire_cred(&gss_min
,
407 DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
408 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
409 status
= NT_STATUS_INTERNAL_ERROR
;
414 status
= NT_STATUS_OK
;
417 if (!NT_STATUS_IS_OK(status
)) {
418 TALLOC_FREE(gse_ctx
);
425 static NTSTATUS
gse_get_server_auth_token(TALLOC_CTX
*mem_ctx
,
426 struct gse_context
*gse_ctx
,
427 const DATA_BLOB
*token_in
,
428 DATA_BLOB
*token_out
)
430 OM_uint32 gss_maj
, gss_min
;
431 gss_buffer_desc in_data
;
432 gss_buffer_desc out_data
;
433 DATA_BLOB blob
= data_blob_null
;
435 OM_uint32 time_rec
= 0;
438 in_data
.value
= token_in
->data
;
439 in_data
.length
= token_in
->length
;
441 gss_maj
= gss_accept_sec_context(&gss_min
,
442 &gse_ctx
->gssapi_context
,
445 GSS_C_NO_CHANNEL_BINDINGS
,
446 &gse_ctx
->client_name
,
449 &gse_ctx
->gss_got_flags
,
451 &gse_ctx
->delegated_cred_handle
);
454 /* we are done with it */
455 tv
= timeval_current_ofs(time_rec
, 0);
456 gse_ctx
->expire_time
= timeval_to_nttime(&tv
);
458 status
= NT_STATUS_OK
;
460 case GSS_S_CONTINUE_NEEDED
:
461 /* we will need a third leg */
462 status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
465 DEBUG(1, ("gss_accept_sec_context failed with [%s]\n",
466 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
468 if (gse_ctx
->gssapi_context
) {
469 gss_delete_sec_context(&gss_min
,
470 &gse_ctx
->gssapi_context
,
474 status
= NT_STATUS_LOGON_FAILURE
;
478 /* we may be told to return nothing */
479 if (out_data
.length
) {
480 blob
= data_blob_talloc(mem_ctx
, out_data
.value
, out_data
.length
);
482 status
= NT_STATUS_NO_MEMORY
;
484 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
493 static char *gse_errstr(TALLOC_CTX
*mem_ctx
, OM_uint32 maj
, OM_uint32 min
)
495 OM_uint32 gss_min
, gss_maj
;
496 gss_buffer_desc msg_min
;
497 gss_buffer_desc msg_maj
;
498 OM_uint32 msg_ctx
= 0;
502 ZERO_STRUCT(msg_min
);
503 ZERO_STRUCT(msg_maj
);
505 gss_maj
= gss_display_status(&gss_min
, maj
, GSS_C_GSS_CODE
,
506 GSS_C_NO_OID
, &msg_ctx
, &msg_maj
);
510 errstr
= talloc_strndup(mem_ctx
,
511 (char *)msg_maj
.value
,
516 gss_maj
= gss_display_status(&gss_min
, min
, GSS_C_MECH_CODE
,
517 (gss_OID
)discard_const(gss_mech_krb5
),
523 errstr
= talloc_strdup_append_buffer(errstr
, ": ");
527 errstr
= talloc_strndup_append_buffer(errstr
,
528 (char *)msg_min
.value
,
536 gss_maj
= gss_release_buffer(&gss_min
, &msg_min
);
539 gss_maj
= gss_release_buffer(&gss_min
, &msg_maj
);
544 static size_t gse_get_signature_length(struct gse_context
*gse_ctx
,
545 bool seal
, size_t payload_size
)
547 OM_uint32 gss_min
, gss_maj
;
548 gss_iov_buffer_desc iov
[2];
552 * gss_wrap_iov_length() only needs the type and length
554 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
555 iov
[0].buffer
.value
= NULL
;
556 iov
[0].buffer
.length
= 0;
557 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
558 iov
[1].buffer
.value
= NULL
;
559 iov
[1].buffer
.length
= payload_size
;
561 gss_maj
= gss_wrap_iov_length(&gss_min
, gse_ctx
->gssapi_context
,
562 seal
, GSS_C_QOP_DEFAULT
,
565 DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
566 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
570 return iov
[0].buffer
.length
;
573 static NTSTATUS
gse_seal(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
574 DATA_BLOB
*data
, DATA_BLOB
*signature
)
576 OM_uint32 gss_min
, gss_maj
;
577 gss_iov_buffer_desc iov
[2];
578 int req_seal
= 1; /* setting to 1 means we request sign+seal */
582 /* allocate the memory ourselves so we do not need to talloc_memdup */
583 signature
->length
= gse_get_signature_length(gse_ctx
, true, data
->length
);
584 if (!signature
->length
) {
585 return NT_STATUS_INTERNAL_ERROR
;
587 signature
->data
= (uint8_t *)talloc_size(mem_ctx
, signature
->length
);
588 if (!signature
->data
) {
589 return NT_STATUS_NO_MEMORY
;
591 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
592 iov
[0].buffer
.value
= signature
->data
;
593 iov
[0].buffer
.length
= signature
->length
;
595 /* data is encrypted in place, which is ok */
596 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
597 iov
[1].buffer
.value
= data
->data
;
598 iov
[1].buffer
.length
= data
->length
;
600 gss_maj
= gss_wrap_iov(&gss_min
, gse_ctx
->gssapi_context
,
601 req_seal
, GSS_C_QOP_DEFAULT
,
604 DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
605 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
606 status
= NT_STATUS_ACCESS_DENIED
;
611 DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
612 status
= NT_STATUS_ACCESS_DENIED
;
616 status
= NT_STATUS_OK
;
618 DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
619 (int)iov
[1].buffer
.length
, (int)iov
[0].buffer
.length
));
625 static NTSTATUS
gse_unseal(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
626 DATA_BLOB
*data
, const DATA_BLOB
*signature
)
628 OM_uint32 gss_min
, gss_maj
;
629 gss_iov_buffer_desc iov
[2];
633 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
634 iov
[0].buffer
.value
= signature
->data
;
635 iov
[0].buffer
.length
= signature
->length
;
637 /* data is decrypted in place, which is ok */
638 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
639 iov
[1].buffer
.value
= data
->data
;
640 iov
[1].buffer
.length
= data
->length
;
642 gss_maj
= gss_unwrap_iov(&gss_min
, gse_ctx
->gssapi_context
,
643 &sealed
, NULL
, iov
, 2);
645 DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
646 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
647 status
= NT_STATUS_ACCESS_DENIED
;
652 DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
653 status
= NT_STATUS_ACCESS_DENIED
;
657 status
= NT_STATUS_OK
;
659 DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
660 (int)iov
[1].buffer
.length
, (int)iov
[0].buffer
.length
));
666 static NTSTATUS
gse_sign(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
667 DATA_BLOB
*data
, DATA_BLOB
*signature
)
669 OM_uint32 gss_min
, gss_maj
;
670 gss_buffer_desc in_data
= { 0, NULL
};
671 gss_buffer_desc out_data
= { 0, NULL
};
674 in_data
.value
= data
->data
;
675 in_data
.length
= data
->length
;
677 gss_maj
= gss_get_mic(&gss_min
, gse_ctx
->gssapi_context
,
679 &in_data
, &out_data
);
681 DEBUG(0, ("gss_get_mic failed with [%s]\n",
682 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
683 status
= NT_STATUS_ACCESS_DENIED
;
687 *signature
= data_blob_talloc(mem_ctx
,
688 out_data
.value
, out_data
.length
);
689 if (!signature
->data
) {
690 status
= NT_STATUS_NO_MEMORY
;
694 status
= NT_STATUS_OK
;
697 if (out_data
.value
) {
698 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
703 static NTSTATUS
gse_sigcheck(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
704 const DATA_BLOB
*data
, const DATA_BLOB
*signature
)
706 OM_uint32 gss_min
, gss_maj
;
707 gss_buffer_desc in_data
= { 0, NULL
};
708 gss_buffer_desc in_token
= { 0, NULL
};
711 in_data
.value
= data
->data
;
712 in_data
.length
= data
->length
;
713 in_token
.value
= signature
->data
;
714 in_token
.length
= signature
->length
;
716 gss_maj
= gss_verify_mic(&gss_min
, gse_ctx
->gssapi_context
,
717 &in_data
, &in_token
, NULL
);
719 DEBUG(0, ("gss_verify_mic failed with [%s]\n",
720 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
721 status
= NT_STATUS_ACCESS_DENIED
;
725 status
= NT_STATUS_OK
;
731 static NTSTATUS
gensec_gse_client_start(struct gensec_security
*gensec_security
)
733 struct gse_context
*gse_ctx
;
734 struct cli_credentials
*creds
= gensec_get_credentials(gensec_security
);
736 OM_uint32 want_flags
= 0;
737 bool do_sign
= false, do_seal
= false;
738 const char *hostname
= gensec_get_target_hostname(gensec_security
);
739 const char *service
= gensec_get_target_service(gensec_security
);
740 const char *username
= cli_credentials_get_username(creds
);
741 const char *password
= cli_credentials_get_password(creds
);
744 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
745 return NT_STATUS_INVALID_PARAMETER
;
747 if (is_ipaddress(hostname
)) {
748 DEBUG(2, ("Cannot do GSE to an IP address\n"));
749 return NT_STATUS_INVALID_PARAMETER
;
751 if (strcmp(hostname
, "localhost") == 0) {
752 DEBUG(2, ("GSE to 'localhost' does not make sense\n"));
753 return NT_STATUS_INVALID_PARAMETER
;
756 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
759 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
762 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
763 want_flags
|= GSS_C_DCE_STYLE
;
766 nt_status
= gse_init_client(gensec_security
, do_sign
, do_seal
, NULL
,
768 username
, password
, want_flags
,
770 if (!NT_STATUS_IS_OK(nt_status
)) {
773 gensec_security
->private_data
= gse_ctx
;
777 static NTSTATUS
gensec_gse_server_start(struct gensec_security
*gensec_security
)
779 struct gse_context
*gse_ctx
;
781 OM_uint32 want_flags
= 0;
782 bool do_sign
= false, do_seal
= false;
784 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
787 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
790 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
791 want_flags
|= GSS_C_DCE_STYLE
;
794 nt_status
= gse_init_server(gensec_security
, do_sign
, do_seal
, want_flags
,
796 if (!NT_STATUS_IS_OK(nt_status
)) {
799 gensec_security
->private_data
= gse_ctx
;
804 * Next state function for the GSE GENSEC mechanism
806 * @param gensec_gse_state GSE State
807 * @param mem_ctx The TALLOC_CTX for *out to be allocated on
808 * @param in The request, as a DATA_BLOB
809 * @param out The reply, as an talloc()ed DATA_BLOB, on *mem_ctx
810 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
811 * or NT_STATUS_OK if the user is authenticated.
814 static NTSTATUS
gensec_gse_update(struct gensec_security
*gensec_security
,
816 struct tevent_context
*ev
,
817 const DATA_BLOB in
, DATA_BLOB
*out
)
820 struct gse_context
*gse_ctx
=
821 talloc_get_type_abort(gensec_security
->private_data
,
824 switch (gensec_security
->gensec_role
) {
826 status
= gse_get_client_auth_token(mem_ctx
, gse_ctx
,
830 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
834 if (!NT_STATUS_IS_OK(status
)) {
841 static NTSTATUS
gensec_gse_wrap(struct gensec_security
*gensec_security
,
846 struct gse_context
*gse_ctx
=
847 talloc_get_type_abort(gensec_security
->private_data
,
849 OM_uint32 maj_stat
, min_stat
;
850 gss_buffer_desc input_token
, output_token
;
852 input_token
.length
= in
->length
;
853 input_token
.value
= in
->data
;
855 maj_stat
= gss_wrap(&min_stat
,
856 gse_ctx
->gssapi_context
,
857 gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
),
862 if (GSS_ERROR(maj_stat
)) {
863 DEBUG(0, ("gensec_gse_wrap: GSS Wrap failed: %s\n",
864 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
865 return NT_STATUS_ACCESS_DENIED
;
868 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
869 gss_release_buffer(&min_stat
, &output_token
);
871 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
873 return NT_STATUS_ACCESS_DENIED
;
878 static NTSTATUS
gensec_gse_unwrap(struct gensec_security
*gensec_security
,
883 struct gse_context
*gse_ctx
=
884 talloc_get_type_abort(gensec_security
->private_data
,
886 OM_uint32 maj_stat
, min_stat
;
887 gss_buffer_desc input_token
, output_token
;
890 input_token
.length
= in
->length
;
891 input_token
.value
= in
->data
;
893 maj_stat
= gss_unwrap(&min_stat
,
894 gse_ctx
->gssapi_context
,
899 if (GSS_ERROR(maj_stat
)) {
900 DEBUG(0, ("gensec_gse_unwrap: GSS UnWrap failed: %s\n",
901 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
902 return NT_STATUS_ACCESS_DENIED
;
905 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
906 gss_release_buffer(&min_stat
, &output_token
);
908 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
910 return NT_STATUS_ACCESS_DENIED
;
915 static NTSTATUS
gensec_gse_seal_packet(struct gensec_security
*gensec_security
,
917 uint8_t *data
, size_t length
,
918 const uint8_t *whole_pdu
, size_t pdu_length
,
921 struct gse_context
*gse_ctx
=
922 talloc_get_type_abort(gensec_security
->private_data
,
924 DATA_BLOB payload
= data_blob_const(data
, length
);
925 return gse_seal(mem_ctx
, gse_ctx
, &payload
, sig
);
928 static NTSTATUS
gensec_gse_unseal_packet(struct gensec_security
*gensec_security
,
929 uint8_t *data
, size_t length
,
930 const uint8_t *whole_pdu
, size_t pdu_length
,
931 const DATA_BLOB
*sig
)
933 struct gse_context
*gse_ctx
=
934 talloc_get_type_abort(gensec_security
->private_data
,
936 DATA_BLOB payload
= data_blob_const(data
, length
);
937 return gse_unseal(talloc_tos() /* unused */, gse_ctx
, &payload
, sig
);
940 static NTSTATUS
gensec_gse_sign_packet(struct gensec_security
*gensec_security
,
942 const uint8_t *data
, size_t length
,
943 const uint8_t *whole_pdu
, size_t pdu_length
,
946 struct gse_context
*gse_ctx
=
947 talloc_get_type_abort(gensec_security
->private_data
,
949 DATA_BLOB payload
= data_blob_const(data
, length
);
950 return gse_sign(mem_ctx
, gse_ctx
, &payload
, sig
);
953 static NTSTATUS
gensec_gse_check_packet(struct gensec_security
*gensec_security
,
954 const uint8_t *data
, size_t length
,
955 const uint8_t *whole_pdu
, size_t pdu_length
,
956 const DATA_BLOB
*sig
)
958 struct gse_context
*gse_ctx
=
959 talloc_get_type_abort(gensec_security
->private_data
,
961 DATA_BLOB payload
= data_blob_const(data
, length
);
962 return gse_sigcheck(NULL
, gse_ctx
, &payload
, sig
);
965 /* Try to figure out what features we actually got on the connection */
966 static bool gensec_gse_have_feature(struct gensec_security
*gensec_security
,
969 struct gse_context
*gse_ctx
=
970 talloc_get_type_abort(gensec_security
->private_data
,
973 if (feature
& GENSEC_FEATURE_SIGN
) {
974 return gse_ctx
->gss_got_flags
& GSS_C_INTEG_FLAG
;
976 if (feature
& GENSEC_FEATURE_SEAL
) {
977 return gse_ctx
->gss_got_flags
& GSS_C_CONF_FLAG
;
979 if (feature
& GENSEC_FEATURE_SESSION_KEY
) {
980 /* Only for GSE/Krb5 */
981 if (smb_gss_oid_equal(gse_ctx
->ret_mech
, gss_mech_krb5
)) {
985 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
986 return gse_ctx
->gss_got_flags
& GSS_C_DCE_STYLE
;
988 if (feature
& GENSEC_FEATURE_NEW_SPNEGO
) {
992 if (!(gse_ctx
->gss_got_flags
& GSS_C_INTEG_FLAG
)) {
996 status
= gssapi_get_session_key(talloc_tos(),
997 gse_ctx
->gssapi_context
, NULL
, &keytype
);
999 * We should do a proper sig on the mechListMic unless
1000 * we know we have to be backwards compatible with
1001 * earlier windows versions.
1003 * Negotiating a non-krb5
1004 * mech for example should be regarded as having
1007 if (NT_STATUS_IS_OK(status
)) {
1009 case ENCTYPE_DES_CBC_CRC
:
1010 case ENCTYPE_DES_CBC_MD5
:
1011 case ENCTYPE_ARCFOUR_HMAC
:
1012 case ENCTYPE_DES3_CBC_SHA1
:
1018 /* We can always do async (rather than strict request/reply) packets. */
1019 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
1025 static NTTIME
gensec_gse_expire_time(struct gensec_security
*gensec_security
)
1027 struct gse_context
*gse_ctx
=
1028 talloc_get_type_abort(gensec_security
->private_data
,
1029 struct gse_context
);
1031 return gse_ctx
->expire_time
;
1035 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1036 * (for encrypting some passwords).
1038 * This breaks all the abstractions, but what do you expect...
1040 static NTSTATUS
gensec_gse_session_key(struct gensec_security
*gensec_security
,
1041 TALLOC_CTX
*mem_ctx
,
1042 DATA_BLOB
*session_key
)
1044 struct gse_context
*gse_ctx
=
1045 talloc_get_type_abort(gensec_security
->private_data
,
1046 struct gse_context
);
1048 return gssapi_get_session_key(mem_ctx
, gse_ctx
->gssapi_context
, session_key
, NULL
);
1051 /* Get some basic (and authorization) information about the user on
1052 * this session. This uses either the PAC (if present) or a local
1053 * database lookup */
1054 static NTSTATUS
gensec_gse_session_info(struct gensec_security
*gensec_security
,
1055 TALLOC_CTX
*mem_ctx
,
1056 struct auth_session_info
**_session_info
)
1058 struct gse_context
*gse_ctx
=
1059 talloc_get_type_abort(gensec_security
->private_data
,
1060 struct gse_context
);
1062 TALLOC_CTX
*tmp_ctx
;
1063 struct auth_session_info
*session_info
= NULL
;
1064 OM_uint32 maj_stat
, min_stat
;
1065 DATA_BLOB pac_blob
, *pac_blob_ptr
= NULL
;
1067 gss_buffer_desc name_token
;
1068 char *principal_string
;
1070 tmp_ctx
= talloc_named(mem_ctx
, 0, "gensec_gse_session_info context");
1071 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1073 maj_stat
= gss_display_name(&min_stat
,
1074 gse_ctx
->client_name
,
1077 if (GSS_ERROR(maj_stat
)) {
1078 DEBUG(1, ("GSS display_name failed: %s\n",
1079 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
1080 talloc_free(tmp_ctx
);
1081 return NT_STATUS_FOOBAR
;
1084 principal_string
= talloc_strndup(tmp_ctx
,
1085 (const char *)name_token
.value
,
1088 gss_release_buffer(&min_stat
, &name_token
);
1090 if (!principal_string
) {
1091 talloc_free(tmp_ctx
);
1092 return NT_STATUS_NO_MEMORY
;
1095 nt_status
= gssapi_obtain_pac_blob(tmp_ctx
, gse_ctx
->gssapi_context
,
1096 gse_ctx
->client_name
,
1099 /* IF we have the PAC - otherwise we need to get this
1100 * data from elsewere
1102 if (NT_STATUS_IS_OK(nt_status
)) {
1103 pac_blob_ptr
= &pac_blob
;
1105 nt_status
= gensec_generate_session_info_pac(tmp_ctx
,
1108 pac_blob_ptr
, principal_string
,
1109 gensec_get_remote_address(gensec_security
),
1111 if (!NT_STATUS_IS_OK(nt_status
)) {
1112 talloc_free(tmp_ctx
);
1116 nt_status
= gensec_gse_session_key(gensec_security
, session_info
,
1117 &session_info
->session_key
);
1118 if (!NT_STATUS_IS_OK(nt_status
)) {
1119 talloc_free(tmp_ctx
);
1123 *_session_info
= talloc_move(mem_ctx
, &session_info
);
1124 talloc_free(tmp_ctx
);
1126 return NT_STATUS_OK
;
1129 static size_t gensec_gse_sig_size(struct gensec_security
*gensec_security
,
1132 struct gse_context
*gse_ctx
=
1133 talloc_get_type_abort(gensec_security
->private_data
,
1134 struct gse_context
);
1136 return gse_get_signature_length(gse_ctx
,
1137 gensec_security
->want_features
& GENSEC_FEATURE_SEAL
,
1141 static const char *gensec_gse_krb5_oids
[] = {
1142 GENSEC_OID_KERBEROS5_OLD
,
1143 GENSEC_OID_KERBEROS5
,
1147 const struct gensec_security_ops gensec_gse_krb5_security_ops
= {
1149 .auth_type
= DCERPC_AUTH_TYPE_KRB5
,
1150 .oid
= gensec_gse_krb5_oids
,
1151 .client_start
= gensec_gse_client_start
,
1152 .server_start
= gensec_gse_server_start
,
1153 .magic
= gensec_magic_check_krb5_oid
,
1154 .update
= gensec_gse_update
,
1155 .session_key
= gensec_gse_session_key
,
1156 .session_info
= gensec_gse_session_info
,
1157 .sig_size
= gensec_gse_sig_size
,
1158 .sign_packet
= gensec_gse_sign_packet
,
1159 .check_packet
= gensec_gse_check_packet
,
1160 .seal_packet
= gensec_gse_seal_packet
,
1161 .unseal_packet
= gensec_gse_unseal_packet
,
1162 .wrap
= gensec_gse_wrap
,
1163 .unwrap
= gensec_gse_unwrap
,
1164 .have_feature
= gensec_gse_have_feature
,
1165 .expire_time
= gensec_gse_expire_time
,
1168 .priority
= GENSEC_GSSAPI
1171 #endif /* HAVE_KRB5 */
