search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-libads: Use a reducing page size to try and cope with a slow LDAP server
[Samba.git] / source4 / auth / gensec / gensec_gssapi.c
bloba23f913264b1b030513c25c3a7e2f879bf9b173d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Kerberos backend for GENSEC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "lib/events/events.h"
26 #include "system/kerberos.h"
27 #include "auth/kerberos/kerberos.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29 #include "auth/auth.h"
30 #include "lib/ldb/include/ldb.h"
31 #include "auth/auth_sam.h"
32 #include "librpc/rpc/dcerpc.h"
33 #include "auth/credentials/credentials.h"
34 #include "auth/credentials/credentials_krb5.h"
35 #include "auth/gensec/gensec.h"
36 #include "auth/gensec/gensec_proto.h"
37 #include "param/param.h"
38 #include "auth/session_proto.h"
39 #include <gssapi/gssapi.h>
40 #include <gssapi/gssapi_krb5.h>
41 #include <gssapi/gssapi_spnego.h>
42 #include "auth/gensec/gensec_gssapi.h"
43
44 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
45 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
46
47 static char *gssapi_error_string(TALLOC_CTX *mem_ctx,
48 OM_uint32 maj_stat, OM_uint32 min_stat,
49 const gss_OID mech)
50 {
51 OM_uint32 disp_min_stat, disp_maj_stat;
52 gss_buffer_desc maj_error_message;
53 gss_buffer_desc min_error_message;
54 char *maj_error_string, *min_error_string;
55 OM_uint32 msg_ctx = 0;
56
57 char *ret;
58
59 maj_error_message.value = NULL;
60 min_error_message.value = NULL;
61 maj_error_message.length = 0;
62 min_error_message.length = 0;
63
64 disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
65 mech, &msg_ctx, &maj_error_message);
66 disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
67 mech, &msg_ctx, &min_error_message);
68
69 maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
70
71 min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
72
73 ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
74
75 talloc_free(maj_error_string);
76 talloc_free(min_error_string);
77
78 gss_release_buffer(&disp_min_stat, &maj_error_message);
79 gss_release_buffer(&disp_min_stat, &min_error_message);
80
81 return ret;
82 }
83
84
85 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
86 {
87 OM_uint32 maj_stat, min_stat;
88
89 if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
90 maj_stat = gss_release_cred(&min_stat,
91 &gensec_gssapi_state->delegated_cred_handle);
92 }
93
94 if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
95 maj_stat = gss_delete_sec_context (&min_stat,
96 &gensec_gssapi_state->gssapi_context,
97 GSS_C_NO_BUFFER);
98 }
99
100 if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
101 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->server_name);
102 }
103 if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
104 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
105 }
106
107 if (gensec_gssapi_state->lucid) {
108 gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
109 }
110
111 return 0;
112 }
113
114 static NTSTATUS gensec_gssapi_init_lucid(struct gensec_gssapi_state *gensec_gssapi_state)
115 {
116 OM_uint32 maj_stat, min_stat;
117
118 if (gensec_gssapi_state->lucid) {
119 return NT_STATUS_OK;
120 }
121
122 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
123 &gensec_gssapi_state->gssapi_context,
124 1,
125 (void **)&gensec_gssapi_state->lucid);
126 if (maj_stat != GSS_S_COMPLETE) {
127 DEBUG(0,("gensec_gssapi_init_lucid: %s\n",
128 gssapi_error_string(gensec_gssapi_state,
129 maj_stat, min_stat,
130 gensec_gssapi_state->gss_oid)));
131 return NT_STATUS_INTERNAL_ERROR;
132 }
133
134 if (gensec_gssapi_state->lucid->version != 1) {
135 DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n",
136 gensec_gssapi_state->lucid->version));
137 gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
138 gensec_gssapi_state->lucid = NULL;
139 return NT_STATUS_INTERNAL_ERROR;
140 }
141
142 return NT_STATUS_OK;
143 }
144
145 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
146 {
147 struct gensec_gssapi_state *gensec_gssapi_state;
148 krb5_error_code ret;
149 struct gsskrb5_send_to_kdc send_to_kdc;
150
151 gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
152 if (!gensec_gssapi_state) {
153 return NT_STATUS_NO_MEMORY;
154 }
155
156 gensec_gssapi_state->gss_exchange_count = 0;
157 gensec_gssapi_state->max_wrap_buf_size
158 = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
159
160 gensec_gssapi_state->sasl = false;
161 gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
162
163 gensec_security->private_data = gensec_gssapi_state;
164
165 gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
166 gensec_gssapi_state->server_name = GSS_C_NO_NAME;
167 gensec_gssapi_state->client_name = GSS_C_NO_NAME;
168 gensec_gssapi_state->lucid = NULL;
169
170 /* TODO: Fill in channel bindings */
171 gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
172
173 gensec_gssapi_state->want_flags = 0;
174 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
175 gensec_gssapi_state->want_flags |= GSS_C_DELEG_POLICY_FLAG;
176 }
177 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
178 gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
179 }
180 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
181 gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
182 }
183 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
184 gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
185 }
186 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
187 gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
188 }
189
190 gensec_gssapi_state->got_flags = 0;
191
192 gensec_gssapi_state->session_key = data_blob(NULL, 0);
193 gensec_gssapi_state->pac = data_blob(NULL, 0);
194
195 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
196 gensec_gssapi_state->sig_size = 0;
197
198 talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
199
200 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
201 gensec_gssapi_state->want_flags |= GSS_C_INTEG_FLAG;
202 }
203 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
204 gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG;
205 }
206 if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
207 gensec_gssapi_state->want_flags |= GSS_C_DCE_STYLE;
208 }
209
210 switch (gensec_security->ops->auth_type) {
211 case DCERPC_AUTH_TYPE_SPNEGO:
212 gensec_gssapi_state->gss_oid = gss_mech_spnego;
213 break;
214 case DCERPC_AUTH_TYPE_KRB5:
215 default:
216 gensec_gssapi_state->gss_oid = gss_mech_krb5;
217 break;
218 }
219
220 send_to_kdc.func = smb_krb5_send_and_recv_func;
221 send_to_kdc.ptr = gensec_security->event_ctx;
222
223 ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
224 if (ret) {
225 DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
226 talloc_free(gensec_gssapi_state);
227 return NT_STATUS_INTERNAL_ERROR;
228 }
229 if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) {
230 char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx));
231 if (!upper_realm) {
232 DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx)));
233 talloc_free(gensec_gssapi_state);
234 return NT_STATUS_NO_MEMORY;
235 }
236 ret = gsskrb5_set_default_realm(upper_realm);
237 talloc_free(upper_realm);
238 if (ret) {
239 DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
240 talloc_free(gensec_gssapi_state);
241 return NT_STATUS_INTERNAL_ERROR;
242 }
243 }
244
245 /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
246 ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
247 if (ret) {
248 DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
249 talloc_free(gensec_gssapi_state);
250 return NT_STATUS_INTERNAL_ERROR;
251 }
252
253 ret = smb_krb5_init_context(gensec_gssapi_state,
254 gensec_security->event_ctx,
255 gensec_security->settings->lp_ctx,
256 &gensec_gssapi_state->smb_krb5_context);
257 if (ret) {
258 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
259 error_message(ret)));
260 talloc_free(gensec_gssapi_state);
261 return NT_STATUS_INTERNAL_ERROR;
262 }
263 return NT_STATUS_OK;
264 }
265
266 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
267 {
268 NTSTATUS nt_status;
269 int ret;
270 struct gensec_gssapi_state *gensec_gssapi_state;
271 struct cli_credentials *machine_account;
272 struct gssapi_creds_container *gcc;
273
274 nt_status = gensec_gssapi_start(gensec_security);
275 if (!NT_STATUS_IS_OK(nt_status)) {
276 return nt_status;
277 }
278
279 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
280
281 machine_account = gensec_get_credentials(gensec_security);
282
283 if (!machine_account) {
284 DEBUG(3, ("No machine account credentials specified\n"));
285 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
286 } else {
287 ret = cli_credentials_get_server_gss_creds(machine_account,
288 gensec_security->event_ctx,
289 gensec_security->settings->lp_ctx, &gcc);
290 if (ret) {
291 DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
292 error_message(ret)));
293 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
294 }
295 }
296
297 gensec_gssapi_state->server_cred = gcc;
298 return NT_STATUS_OK;
299
300 }
301
302 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
303 {
304 NTSTATUS nt_status;
305 struct gensec_gssapi_state *gensec_gssapi_state;
306 nt_status = gensec_gssapi_server_start(gensec_security);
307
308 if (NT_STATUS_IS_OK(nt_status)) {
309 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
310 gensec_gssapi_state->sasl = true;
311 }
312 return nt_status;
313 }
314
315 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
316 {
317 struct gensec_gssapi_state *gensec_gssapi_state;
318 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
319 krb5_error_code ret;
320 NTSTATUS nt_status;
321 gss_buffer_desc name_token;
322 gss_OID name_type;
323 OM_uint32 maj_stat, min_stat;
324 const char *hostname = gensec_get_target_hostname(gensec_security);
325 const char *principal;
326 struct gssapi_creds_container *gcc;
327
328 if (!hostname) {
329 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
330 return NT_STATUS_INVALID_PARAMETER;
331 }
332 if (is_ipaddress(hostname)) {
333 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
334 return NT_STATUS_INVALID_PARAMETER;
335 }
336 if (strcmp(hostname, "localhost") == 0) {
337 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
338 return NT_STATUS_INVALID_PARAMETER;
339 }
340
341 nt_status = gensec_gssapi_start(gensec_security);
342 if (!NT_STATUS_IS_OK(nt_status)) {
343 return nt_status;
344 }
345
346 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
347
348 principal = gensec_get_target_principal(gensec_security);
349 if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
350 name_type = GSS_C_NULL_OID;
351 } else {
352 principal = talloc_asprintf(gensec_gssapi_state, "%s@%s",
353 gensec_get_target_service(gensec_security),
354 hostname);
355
356 name_type = GSS_C_NT_HOSTBASED_SERVICE;
357 }
358 name_token.value = discard_const_p(uint8_t, principal);
359 name_token.length = strlen(principal);
360
361
362 maj_stat = gss_import_name (&min_stat,
363 &name_token,
364 name_type,
365 &gensec_gssapi_state->server_name);
366 if (maj_stat) {
367 DEBUG(2, ("GSS Import name of %s failed: %s\n",
368 (char *)name_token.value,
369 gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
370 return NT_STATUS_INVALID_PARAMETER;
371 }
372
373 ret = cli_credentials_get_client_gss_creds(creds,
374 gensec_security->event_ctx,
375 gensec_security->settings->lp_ctx, &gcc);
376 switch (ret) {
377 case 0:
378 break;
379 case KRB5KDC_ERR_PREAUTH_FAILED:
380 return NT_STATUS_LOGON_FAILURE;
381 case KRB5_KDC_UNREACH:
382 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
383 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
384 default:
385 DEBUG(1, ("Aquiring initiator credentials failed\n"));
386 return NT_STATUS_UNSUCCESSFUL;
387 }
388
389 gensec_gssapi_state->client_cred = gcc;
390 if (!talloc_reference(gensec_gssapi_state, gcc)) {
391 return NT_STATUS_NO_MEMORY;
392 }
393
394 return NT_STATUS_OK;
395 }
396
397 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
398 {
399 NTSTATUS nt_status;
400 struct gensec_gssapi_state *gensec_gssapi_state;
401 nt_status = gensec_gssapi_client_start(gensec_security);
402
403 if (NT_STATUS_IS_OK(nt_status)) {
404 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
405 gensec_gssapi_state->sasl = true;
406 }
407 return nt_status;
408 }
409
410
411 /**
412 * Check if the packet is one for this mechansim
413 *
414 * @param gensec_security GENSEC state
415 * @param in The request, as a DATA_BLOB
416 * @return Error, INVALID_PARAMETER if it's not a packet for us
417 * or NT_STATUS_OK if the packet is ok.
418 */
419
420 static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security,
421 const DATA_BLOB *in)
422 {
423 if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
424 return NT_STATUS_OK;
425 } else {
426 return NT_STATUS_INVALID_PARAMETER;
427 }
428 }
429
430
431 /**
432 * Next state function for the GSSAPI GENSEC mechanism
433 *
434 * @param gensec_gssapi_state GSSAPI State
435 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
436 * @param in The request, as a DATA_BLOB
437 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
438 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
439 * or NT_STATUS_OK if the user is authenticated.
440 */
441
442 static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
443 TALLOC_CTX *out_mem_ctx,
444 const DATA_BLOB in, DATA_BLOB *out)
445 {
446 struct gensec_gssapi_state *gensec_gssapi_state
447 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
448 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
449 OM_uint32 maj_stat, min_stat;
450 OM_uint32 min_stat2;
451 gss_buffer_desc input_token, output_token;
452 gss_OID gss_oid_p = NULL;
453 input_token.length = in.length;
454 input_token.value = in.data;
455
456 switch (gensec_gssapi_state->sasl_state) {
457 case STAGE_GSS_NEG:
458 {
459 switch (gensec_security->gensec_role) {
460 case GENSEC_CLIENT:
461 {
462 maj_stat = gss_init_sec_context(&min_stat,
463 gensec_gssapi_state->client_cred->creds,
464 &gensec_gssapi_state->gssapi_context,
465 gensec_gssapi_state->server_name,
466 gensec_gssapi_state->gss_oid,
467 gensec_gssapi_state->want_flags,
468 0,
469 gensec_gssapi_state->input_chan_bindings,
470 &input_token,
471 &gss_oid_p,
472 &output_token,
473 &gensec_gssapi_state->got_flags, /* ret flags */
474 NULL);
475 if (gss_oid_p) {
476 gensec_gssapi_state->gss_oid = gss_oid_p;
477 }
478 break;
479 }
480 case GENSEC_SERVER:
481 {
482 maj_stat = gss_accept_sec_context(&min_stat,
483 &gensec_gssapi_state->gssapi_context,
484 gensec_gssapi_state->server_cred->creds,
485 &input_token,
486 gensec_gssapi_state->input_chan_bindings,
487 &gensec_gssapi_state->client_name,
488 &gss_oid_p,
489 &output_token,
490 &gensec_gssapi_state->got_flags,
491 NULL,
492 &gensec_gssapi_state->delegated_cred_handle);
493 if (gss_oid_p) {
494 gensec_gssapi_state->gss_oid = gss_oid_p;
495 }
496 break;
497 }
498 default:
499 return NT_STATUS_INVALID_PARAMETER;
500
501 }
502
503 gensec_gssapi_state->gss_exchange_count++;
504
505 if (maj_stat == GSS_S_COMPLETE) {
506 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
507 gss_release_buffer(&min_stat2, &output_token);
508
509 if (gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG) {
510 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
511 } else {
512 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
513 }
514
515 /* We may have been invoked as SASL, so there
516 * is more work to do */
517 if (gensec_gssapi_state->sasl) {
518 /* Due to a very subtle interaction
519 * with SASL and the LDAP libs, we
520 * must ensure the data pointer is
521 * != NULL, but the length is 0.
522 *
523 * This ensures we send a 'zero
524 * length' (rather than NULL) response
525 */
526
527 if (!out->data) {
528 out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
529 }
530
531 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
532 return NT_STATUS_MORE_PROCESSING_REQUIRED;
533 } else {
534 gensec_gssapi_state->sasl_state = STAGE_DONE;
535
536 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
537 DEBUG(5, ("GSSAPI Connection will be cryptographicly sealed\n"));
538 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
539 DEBUG(5, ("GSSAPI Connection will be cryptographicly signed\n"));
540 } else {
541 DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
542 }
543
544 return NT_STATUS_OK;
545 }
546 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
547 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
548 gss_release_buffer(&min_stat2, &output_token);
549
550 return NT_STATUS_MORE_PROCESSING_REQUIRED;
551 } else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
552 switch (min_stat) {
553 case KRB5_KDC_UNREACH:
554 DEBUG(3, ("Cannot reach a KDC we require: %s\n",
555 gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
556 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
557 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
558 DEBUG(3, ("Server is not registered with our KDC: %s\n",
559 gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
560 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
561 case KRB5KRB_AP_ERR_MSG_TYPE:
562 /* garbage input, possibly from the auto-mech detection */
563 return NT_STATUS_INVALID_PARAMETER;
564 default:
565 DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n",
566 gensec_gssapi_state->gss_exchange_count,
567 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
568 return nt_status;
569 }
570 } else {
571 DEBUG(1, ("GSS Update(%d) failed: %s\n",
572 gensec_gssapi_state->gss_exchange_count,
573 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
574 return nt_status;
575 }
576 break;
577 }
578
579 /* These last two stages are only done if we were invoked as SASL */
580 case STAGE_SASL_SSF_NEG:
581 {
582 switch (gensec_security->gensec_role) {
583 case GENSEC_CLIENT:
584 {
585 uint8_t maxlength_proposed[4];
586 uint8_t maxlength_accepted[4];
587 uint8_t security_supported;
588 int conf_state;
589 gss_qop_t qop_state;
590 input_token.length = in.length;
591 input_token.value = in.data;
592
593 /* As a client, we have just send a
594 * zero-length blob to the server (after the
595 * normal GSSAPI exchange), and it has replied
596 * with it's SASL negotiation */
597
598 maj_stat = gss_unwrap(&min_stat,
599 gensec_gssapi_state->gssapi_context,
600 &input_token,
601 &output_token,
602 &conf_state,
603 &qop_state);
604 if (GSS_ERROR(maj_stat)) {
605 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
606 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
607 return NT_STATUS_ACCESS_DENIED;
608 }
609
610 if (output_token.length < 4) {
611 return NT_STATUS_INVALID_PARAMETER;
612 }
613
614 memcpy(maxlength_proposed, output_token.value, 4);
615 gss_release_buffer(&min_stat, &output_token);
616
617 /* first byte is the proposed security */
618 security_supported = maxlength_proposed[0];
619 maxlength_proposed[0] = '\0';
620
621 /* Rest is the proposed max wrap length */
622 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0),
623 gensec_gssapi_state->max_wrap_buf_size);
624 gensec_gssapi_state->sasl_protection = 0;
625 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
626 if (security_supported & NEG_SEAL) {
627 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
628 }
629 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
630 if (security_supported & NEG_SIGN) {
631 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
632 }
633 } else if (security_supported & NEG_NONE) {
634 gensec_gssapi_state->sasl_protection |= NEG_NONE;
635 } else {
636 DEBUG(1, ("Remote server does not support unprotected connections"));
637 return NT_STATUS_ACCESS_DENIED;
638 }
639
640 /* Send back the negotiated max length */
641
642 RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
643
644 maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
645
646 input_token.value = maxlength_accepted;
647 input_token.length = sizeof(maxlength_accepted);
648
649 maj_stat = gss_wrap(&min_stat,
650 gensec_gssapi_state->gssapi_context,
651 false,
652 GSS_C_QOP_DEFAULT,
653 &input_token,
654 &conf_state,
655 &output_token);
656 if (GSS_ERROR(maj_stat)) {
657 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
658 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
659 return NT_STATUS_ACCESS_DENIED;
660 }
661
662 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
663 gss_release_buffer(&min_stat, &output_token);
664
665 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
666 gensec_gssapi_state->sasl_state = STAGE_DONE;
667
668 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
669 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
670 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
671 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
672 } else {
673 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
674 }
675
676 return NT_STATUS_OK;
677 }
678 case GENSEC_SERVER:
679 {
680 uint8_t maxlength_proposed[4];
681 uint8_t security_supported = 0x0;
682 int conf_state;
683
684 /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
685 if (in.length != 0) {
686 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
687 }
688
689 /* Give the client some idea what we will support */
690
691 RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
692 /* first byte is the proposed security */
693 maxlength_proposed[0] = '\0';
694
695 gensec_gssapi_state->sasl_protection = 0;
696 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
697 security_supported |= NEG_SEAL;
698 }
699 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
700 security_supported |= NEG_SIGN;
701 }
702 if (security_supported == 0) {
703 /* If we don't support anything, this must be 0 */
704 RSIVAL(maxlength_proposed, 0, 0x0);
705 }
706
707 /* TODO: We may not wish to support this */
708 security_supported |= NEG_NONE;
709 maxlength_proposed[0] = security_supported;
710
711 input_token.value = maxlength_proposed;
712 input_token.length = sizeof(maxlength_proposed);
713
714 maj_stat = gss_wrap(&min_stat,
715 gensec_gssapi_state->gssapi_context,
716 false,
717 GSS_C_QOP_DEFAULT,
718 &input_token,
719 &conf_state,
720 &output_token);
721 if (GSS_ERROR(maj_stat)) {
722 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
723 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
724 return NT_STATUS_ACCESS_DENIED;
725 }
726
727 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
728 gss_release_buffer(&min_stat, &output_token);
729
730 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
731 return NT_STATUS_MORE_PROCESSING_REQUIRED;
732 }
733 default:
734 return NT_STATUS_INVALID_PARAMETER;
735
736 }
737 }
738 /* This is s server-only stage */
739 case STAGE_SASL_SSF_ACCEPT:
740 {
741 uint8_t maxlength_accepted[4];
742 uint8_t security_accepted;
743 int conf_state;
744 gss_qop_t qop_state;
745 input_token.length = in.length;
746 input_token.value = in.data;
747
748 maj_stat = gss_unwrap(&min_stat,
749 gensec_gssapi_state->gssapi_context,
750 &input_token,
751 &output_token,
752 &conf_state,
753 &qop_state);
754 if (GSS_ERROR(maj_stat)) {
755 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
756 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
757 return NT_STATUS_ACCESS_DENIED;
758 }
759
760 if (output_token.length < 4) {
761 return NT_STATUS_INVALID_PARAMETER;
762 }
763
764 memcpy(maxlength_accepted, output_token.value, 4);
765 gss_release_buffer(&min_stat, &output_token);
766
767 /* first byte is the proposed security */
768 security_accepted = maxlength_accepted[0];
769 maxlength_accepted[0] = '\0';
770
771 /* Rest is the proposed max wrap length */
772 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0),
773 gensec_gssapi_state->max_wrap_buf_size);
774
775 gensec_gssapi_state->sasl_protection = 0;
776 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
777 if (security_accepted & NEG_SEAL) {
778 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
779 }
780 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
781 if (security_accepted & NEG_SIGN) {
782 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
783 }
784 } else if (security_accepted & NEG_NONE) {
785 gensec_gssapi_state->sasl_protection |= NEG_NONE;
786 } else {
787 DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
788 return NT_STATUS_ACCESS_DENIED;
789 }
790
791 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
792 gensec_gssapi_state->sasl_state = STAGE_DONE;
793 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
794 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
795 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
796 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
797 } else {
798 DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
799 }
800
801 *out = data_blob(NULL, 0);
802 return NT_STATUS_OK;
803 }
804 default:
805 return NT_STATUS_INVALID_PARAMETER;
806 }
807 }
808
809 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security,
810 TALLOC_CTX *mem_ctx,
811 const DATA_BLOB *in,
812 DATA_BLOB *out)
813 {
814 struct gensec_gssapi_state *gensec_gssapi_state
815 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
816 OM_uint32 maj_stat, min_stat;
817 gss_buffer_desc input_token, output_token;
818 int conf_state;
819 input_token.length = in->length;
820 input_token.value = in->data;
821
822 maj_stat = gss_wrap(&min_stat,
823 gensec_gssapi_state->gssapi_context,
824 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
825 GSS_C_QOP_DEFAULT,
826 &input_token,
827 &conf_state,
828 &output_token);
829 if (GSS_ERROR(maj_stat)) {
830 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
831 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
832 return NT_STATUS_ACCESS_DENIED;
833 }
834
835 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
836 gss_release_buffer(&min_stat, &output_token);
837
838 if (gensec_gssapi_state->sasl) {
839 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
840 if (max_wrapped_size < out->length) {
841 DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
842 (unsigned)in->length,
843 (unsigned)out->length,
844 (unsigned int)max_wrapped_size));
845 return NT_STATUS_INVALID_PARAMETER;
846 }
847 }
848
849 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
850 && !conf_state) {
851 return NT_STATUS_ACCESS_DENIED;
852 }
853 return NT_STATUS_OK;
854 }
855
856 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security,
857 TALLOC_CTX *mem_ctx,
858 const DATA_BLOB *in,
859 DATA_BLOB *out)
860 {
861 struct gensec_gssapi_state *gensec_gssapi_state
862 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
863 OM_uint32 maj_stat, min_stat;
864 gss_buffer_desc input_token, output_token;
865 int conf_state;
866 gss_qop_t qop_state;
867 input_token.length = in->length;
868 input_token.value = in->data;
869
870 if (gensec_gssapi_state->sasl) {
871 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
872 if (max_wrapped_size < in->length) {
873 DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
874 return NT_STATUS_INVALID_PARAMETER;
875 }
876 }
877
878 maj_stat = gss_unwrap(&min_stat,
879 gensec_gssapi_state->gssapi_context,
880 &input_token,
881 &output_token,
882 &conf_state,
883 &qop_state);
884 if (GSS_ERROR(maj_stat)) {
885 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n",
886 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
887 return NT_STATUS_ACCESS_DENIED;
888 }
889
890 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
891 gss_release_buffer(&min_stat, &output_token);
892
893 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
894 && !conf_state) {
895 return NT_STATUS_ACCESS_DENIED;
896 }
897 return NT_STATUS_OK;
898 }
899
900 /* Find out the maximum input size negotiated on this connection */
901
902 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security)
903 {
904 struct gensec_gssapi_state *gensec_gssapi_state
905 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
906 OM_uint32 maj_stat, min_stat;
907 OM_uint32 max_input_size;
908
909 maj_stat = gss_wrap_size_limit(&min_stat,
910 gensec_gssapi_state->gssapi_context,
911 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
912 GSS_C_QOP_DEFAULT,
913 gensec_gssapi_state->max_wrap_buf_size,
914 &max_input_size);
915 if (GSS_ERROR(maj_stat)) {
916 TALLOC_CTX *mem_ctx = talloc_new(NULL);
917 DEBUG(1, ("gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n",
918 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
919 talloc_free(mem_ctx);
920 return 0;
921 }
922
923 return max_input_size;
924 }
925
926 /* Find out the maximum output size negotiated on this connection */
927 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security)
928 {
929 struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
930 return gensec_gssapi_state->max_wrap_buf_size;
931 }
932
933 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security,
934 TALLOC_CTX *mem_ctx,
935 uint8_t *data, size_t length,
936 const uint8_t *whole_pdu, size_t pdu_length,
937 DATA_BLOB *sig)
938 {
939 struct gensec_gssapi_state *gensec_gssapi_state
940 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
941 OM_uint32 maj_stat, min_stat;
942 gss_buffer_desc input_token, output_token;
943 int conf_state;
944 ssize_t sig_length;
945
946 input_token.length = length;
947 input_token.value = data;
948
949 maj_stat = gss_wrap(&min_stat,
950 gensec_gssapi_state->gssapi_context,
951 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
952 GSS_C_QOP_DEFAULT,
953 &input_token,
954 &conf_state,
955 &output_token);
956 if (GSS_ERROR(maj_stat)) {
957 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n",
958 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
959 return NT_STATUS_ACCESS_DENIED;
960 }
961
962 if (output_token.length < input_token.length) {
963 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
964 (long)output_token.length, (long)length));
965 return NT_STATUS_INTERNAL_ERROR;
966 }
967 sig_length = output_token.length - input_token.length;
968
969 memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
970 *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
971
972 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
973 dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
974 dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
975
976 gss_release_buffer(&min_stat, &output_token);
977
978 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
979 && !conf_state) {
980 return NT_STATUS_ACCESS_DENIED;
981 }
982 return NT_STATUS_OK;
983 }
984
985 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security,
986 TALLOC_CTX *mem_ctx,
987 uint8_t *data, size_t length,
988 const uint8_t *whole_pdu, size_t pdu_length,
989 const DATA_BLOB *sig)
990 {
991 struct gensec_gssapi_state *gensec_gssapi_state
992 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
993 OM_uint32 maj_stat, min_stat;
994 gss_buffer_desc input_token, output_token;
995 int conf_state;
996 gss_qop_t qop_state;
997 DATA_BLOB in;
998
999 dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
1000
1001 in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
1002
1003 memcpy(in.data, sig->data, sig->length);
1004 memcpy(in.data + sig->length, data, length);
1005
1006 input_token.length = in.length;
1007 input_token.value = in.data;
1008
1009 maj_stat = gss_unwrap(&min_stat,
1010 gensec_gssapi_state->gssapi_context,
1011 &input_token,
1012 &output_token,
1013 &conf_state,
1014 &qop_state);
1015 if (GSS_ERROR(maj_stat)) {
1016 DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n",
1017 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1018 return NT_STATUS_ACCESS_DENIED;
1019 }
1020
1021 if (output_token.length != length) {
1022 return NT_STATUS_INTERNAL_ERROR;
1023 }
1024
1025 memcpy(data, output_token.value, length);
1026
1027 gss_release_buffer(&min_stat, &output_token);
1028
1029 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1030 && !conf_state) {
1031 return NT_STATUS_ACCESS_DENIED;
1032 }
1033 return NT_STATUS_OK;
1034 }
1035
1036 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security,
1037 TALLOC_CTX *mem_ctx,
1038 const uint8_t *data, size_t length,
1039 const uint8_t *whole_pdu, size_t pdu_length,
1040 DATA_BLOB *sig)
1041 {
1042 struct gensec_gssapi_state *gensec_gssapi_state
1043 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1044 OM_uint32 maj_stat, min_stat;
1045 gss_buffer_desc input_token, output_token;
1046
1047 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1048 input_token.length = pdu_length;
1049 input_token.value = discard_const_p(uint8_t *, whole_pdu);
1050 } else {
1051 input_token.length = length;
1052 input_token.value = discard_const_p(uint8_t *, data);
1053 }
1054
1055 maj_stat = gss_get_mic(&min_stat,
1056 gensec_gssapi_state->gssapi_context,
1057 GSS_C_QOP_DEFAULT,
1058 &input_token,
1059 &output_token);
1060 if (GSS_ERROR(maj_stat)) {
1061 DEBUG(1, ("GSS GetMic failed: %s\n",
1062 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1063 return NT_STATUS_ACCESS_DENIED;
1064 }
1065
1066 *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length);
1067
1068 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1069
1070 gss_release_buffer(&min_stat, &output_token);
1071
1072 return NT_STATUS_OK;
1073 }
1074
1075 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security,
1076 TALLOC_CTX *mem_ctx,
1077 const uint8_t *data, size_t length,
1078 const uint8_t *whole_pdu, size_t pdu_length,
1079 const DATA_BLOB *sig)
1080 {
1081 struct gensec_gssapi_state *gensec_gssapi_state
1082 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1083 OM_uint32 maj_stat, min_stat;
1084 gss_buffer_desc input_token;
1085 gss_buffer_desc input_message;
1086 gss_qop_t qop_state;
1087
1088 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1089
1090 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1091 input_message.length = pdu_length;
1092 input_message.value = discard_const(whole_pdu);
1093 } else {
1094 input_message.length = length;
1095 input_message.value = discard_const(data);
1096 }
1097
1098 input_token.length = sig->length;
1099 input_token.value = sig->data;
1100
1101 maj_stat = gss_verify_mic(&min_stat,
1102 gensec_gssapi_state->gssapi_context,
1103 &input_message,
1104 &input_token,
1105 &qop_state);
1106 if (GSS_ERROR(maj_stat)) {
1107 DEBUG(1, ("GSS VerifyMic failed: %s\n",
1108 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1109 return NT_STATUS_ACCESS_DENIED;
1110 }
1111
1112 return NT_STATUS_OK;
1113 }
1114
1115 /* Try to figure out what features we actually got on the connection */
1116 static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
1117 uint32_t feature)
1118 {
1119 struct gensec_gssapi_state *gensec_gssapi_state
1120 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1121 if (feature & GENSEC_FEATURE_SIGN) {
1122 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1123 if (gensec_gssapi_state->sasl
1124 && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1125 return ((gensec_gssapi_state->sasl_protection & NEG_SIGN)
1126 && (gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG));
1127 }
1128 return gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG;
1129 }
1130 if (feature & GENSEC_FEATURE_SEAL) {
1131 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1132 if (gensec_gssapi_state->sasl
1133 && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1134 return ((gensec_gssapi_state->sasl_protection & NEG_SEAL)
1135 && (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG));
1136 }
1137 return gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG;
1138 }
1139 if (feature & GENSEC_FEATURE_SESSION_KEY) {
1140 /* Only for GSSAPI/Krb5 */
1141 if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
1142 return true;
1143 }
1144 }
1145 if (feature & GENSEC_FEATURE_DCE_STYLE) {
1146 return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE;
1147 }
1148 if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
1149 NTSTATUS status;
1150
1151 if (!(gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG)) {
1152 return false;
1153 }
1154
1155 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
1156 return true;
1157 }
1158 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
1159 return false;
1160 }
1161
1162 status = gensec_gssapi_init_lucid(gensec_gssapi_state);
1163 if (!NT_STATUS_IS_OK(status)) {
1164 return false;
1165 }
1166
1167 if (gensec_gssapi_state->lucid->protocol == 1) {
1168 return true;
1169 }
1170
1171 return false;
1172 }
1173 /* We can always do async (rather than strict request/reply) packets. */
1174 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1175 return true;
1176 }
1177 return false;
1178 }
1179
1180 /*
1181 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1182 * (for encrypting some passwords).
1183 *
1184 * This breaks all the abstractions, but what do you expect...
1185 */
1186 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security,
1187 DATA_BLOB *session_key)
1188 {
1189 struct gensec_gssapi_state *gensec_gssapi_state
1190 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1191 OM_uint32 maj_stat, min_stat;
1192 krb5_keyblock *subkey;
1193
1194 if (gensec_gssapi_state->sasl_state != STAGE_DONE) {
1195 return NT_STATUS_NO_USER_SESSION_KEY;
1196 }
1197
1198 if (gensec_gssapi_state->session_key.data) {
1199 *session_key = gensec_gssapi_state->session_key;
1200 return NT_STATUS_OK;
1201 }
1202
1203 maj_stat = gsskrb5_get_subkey(&min_stat,
1204 gensec_gssapi_state->gssapi_context,
1205 &subkey);
1206 if (maj_stat != 0) {
1207 DEBUG(1, ("NO session key for this mech\n"));
1208 return NT_STATUS_NO_USER_SESSION_KEY;
1209 }
1210
1211 DEBUG(10, ("Got KRB5 session key of length %d%s\n",
1212 (int)KRB5_KEY_LENGTH(subkey),
1213 (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":""));
1214 *session_key = data_blob_talloc(gensec_gssapi_state,
1215 KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
1216 krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
1217 gensec_gssapi_state->session_key = *session_key;
1218 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
1219
1220 return NT_STATUS_OK;
1221 }
1222
1223 /* Get some basic (and authorization) information about the user on
1224 * this session. This uses either the PAC (if present) or a local
1225 * database lookup */
1226 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1227 struct auth_session_info **_session_info)
1228 {
1229 NTSTATUS nt_status;
1230 TALLOC_CTX *mem_ctx;
1231 struct gensec_gssapi_state *gensec_gssapi_state
1232 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1233 struct auth_serversupplied_info *server_info = NULL;
1234 struct auth_session_info *session_info = NULL;
1235 OM_uint32 maj_stat, min_stat;
1236 gss_buffer_desc pac;
1237 DATA_BLOB pac_blob;
1238
1239 if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
1240 || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
1241 gensec_gssapi_state->gss_oid->length) != 0)) {
1242 DEBUG(1, ("NO session info available for this mech\n"));
1243 return NT_STATUS_INVALID_PARAMETER;
1244 }
1245
1246 mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context");
1247 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
1248
1249 maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
1250 gensec_gssapi_state->gssapi_context,
1251 KRB5_AUTHDATA_WIN2K_PAC,
1252 &pac);
1253
1254
1255 if (maj_stat == 0) {
1256 pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
1257 gss_release_buffer(&min_stat, &pac);
1258
1259 } else {
1260 pac_blob = data_blob(NULL, 0);
1261 }
1262
1263 /* IF we have the PAC - otherwise we need to get this
1264 * data from elsewere - local ldb, or (TODO) lookup of some
1265 * kind...
1266 */
1267 if (pac_blob.length) {
1268 nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
1269 gensec_security->settings->iconv_convenience,
1270 pac_blob,
1271 gensec_gssapi_state->smb_krb5_context->krb5_context,
1272 &server_info);
1273 if (!NT_STATUS_IS_OK(nt_status)) {
1274 talloc_free(mem_ctx);
1275 return nt_status;
1276 }
1277 } else {
1278 gss_buffer_desc name_token;
1279 char *principal_string;
1280
1281 maj_stat = gss_display_name (&min_stat,
1282 gensec_gssapi_state->client_name,
1283 &name_token,
1284 NULL);
1285 if (GSS_ERROR(maj_stat)) {
1286 DEBUG(1, ("GSS display_name failed: %s\n",
1287 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1288 talloc_free(mem_ctx);
1289 return NT_STATUS_FOOBAR;
1290 }
1291
1292 principal_string = talloc_strndup(mem_ctx,
1293 (const char *)name_token.value,
1294 name_token.length);
1295
1296 gss_release_buffer(&min_stat, &name_token);
1297
1298 if (!principal_string) {
1299 talloc_free(mem_ctx);
1300 return NT_STATUS_NO_MEMORY;
1301 }
1302
1303 if (gensec_security->auth_context &&
1304 !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
1305 DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
1306 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1307 nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
1308 gensec_security->auth_context,
1309 principal_string,
1310 &server_info);
1311
1312 if (!NT_STATUS_IS_OK(nt_status)) {
1313 talloc_free(mem_ctx);
1314 return nt_status;
1315 }
1316 } else {
1317 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
1318 principal_string,
1319 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1320 return NT_STATUS_ACCESS_DENIED;
1321 }
1322 }
1323
1324 /* references the server_info into the session_info */
1325 nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx,
1326 gensec_security->settings->lp_ctx, server_info, &session_info);
1327 if (!NT_STATUS_IS_OK(nt_status)) {
1328 talloc_free(mem_ctx);
1329 return nt_status;
1330 }
1331
1332 nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
1333 if (!NT_STATUS_IS_OK(nt_status)) {
1334 talloc_free(mem_ctx);
1335 return nt_status;
1336 }
1337
1338 if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
1339 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1340 } else {
1341 krb5_error_code ret;
1342 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1343 session_info->credentials = cli_credentials_init(session_info);
1344 if (!session_info->credentials) {
1345 talloc_free(mem_ctx);
1346 return NT_STATUS_NO_MEMORY;
1347 }
1348
1349 cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
1350 /* Just so we don't segfault trying to get at a username */
1351 cli_credentials_set_anonymous(session_info->credentials);
1352
1353 ret = cli_credentials_set_client_gss_creds(session_info->credentials,
1354 gensec_security->event_ctx,
1355 gensec_security->settings->lp_ctx,
1356 gensec_gssapi_state->delegated_cred_handle,
1357 CRED_SPECIFIED);
1358 if (ret) {
1359 talloc_free(mem_ctx);
1360 return NT_STATUS_NO_MEMORY;
1361 }
1362
1363 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1364 cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1365
1366 /* It has been taken from this place... */
1367 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1368 }
1369 talloc_steal(gensec_gssapi_state, session_info);
1370 talloc_free(mem_ctx);
1371 *_session_info = session_info;
1372
1373 return NT_STATUS_OK;
1374 }
1375
1376 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1377 {
1378 struct gensec_gssapi_state *gensec_gssapi_state
1379 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1380 NTSTATUS status;
1381
1382 if (gensec_gssapi_state->sig_size) {
1383 return gensec_gssapi_state->sig_size;
1384 }
1385
1386 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1387 gensec_gssapi_state->sig_size = 45;
1388 } else {
1389 gensec_gssapi_state->sig_size = 37;
1390 }
1391
1392 status = gensec_gssapi_init_lucid(gensec_gssapi_state);
1393 if (!NT_STATUS_IS_OK(status)) {
1394 return gensec_gssapi_state->sig_size;
1395 }
1396
1397 if (gensec_gssapi_state->lucid->protocol == 1) {
1398 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1399 /*
1400 * TODO: windows uses 76 here, but we don't know
1401 * gss_wrap works with aes keys yet
1402 */
1403 gensec_gssapi_state->sig_size = 76;
1404 } else {
1405 gensec_gssapi_state->sig_size = 28;
1406 }
1407 } else if (gensec_gssapi_state->lucid->protocol == 0) {
1408 switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
1409 case KEYTYPE_DES:
1410 case KEYTYPE_ARCFOUR:
1411 case KEYTYPE_ARCFOUR_56:
1412 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1413 gensec_gssapi_state->sig_size = 45;
1414 } else {
1415 gensec_gssapi_state->sig_size = 37;
1416 }
1417 break;
1418 case KEYTYPE_DES3:
1419 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1420 gensec_gssapi_state->sig_size = 57;
1421 } else {
1422 gensec_gssapi_state->sig_size = 49;
1423 }
1424 break;
1425 }
1426 }
1427
1428 return gensec_gssapi_state->sig_size;
1429 }
1430
1431 static const char *gensec_gssapi_krb5_oids[] = {
1432 GENSEC_OID_KERBEROS5_OLD,
1433 GENSEC_OID_KERBEROS5,
1434 NULL
1435 };
1436
1437 static const char *gensec_gssapi_spnego_oids[] = {
1438 GENSEC_OID_SPNEGO,
1439 NULL
1440 };
1441
1442 /* As a server, this could in theory accept any GSSAPI mech */
1443 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1444 .name = "gssapi_spnego",
1445 .sasl_name = "GSS-SPNEGO",
1446 .auth_type = DCERPC_AUTH_TYPE_SPNEGO,
1447 .oid = gensec_gssapi_spnego_oids,
1448 .client_start = gensec_gssapi_client_start,
1449 .server_start = gensec_gssapi_server_start,
1450 .magic = gensec_gssapi_magic,
1451 .update = gensec_gssapi_update,
1452 .session_key = gensec_gssapi_session_key,
1453 .session_info = gensec_gssapi_session_info,
1454 .sign_packet = gensec_gssapi_sign_packet,
1455 .check_packet = gensec_gssapi_check_packet,
1456 .seal_packet = gensec_gssapi_seal_packet,
1457 .unseal_packet = gensec_gssapi_unseal_packet,
1458 .wrap = gensec_gssapi_wrap,
1459 .unwrap = gensec_gssapi_unwrap,
1460 .have_feature = gensec_gssapi_have_feature,
1461 .enabled = false,
1462 .kerberos = true,
1463 .priority = GENSEC_GSSAPI
1464 };
1465
1466 /* As a server, this could in theory accept any GSSAPI mech */
1467 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1468 .name = "gssapi_krb5",
1469 .auth_type = DCERPC_AUTH_TYPE_KRB5,
1470 .oid = gensec_gssapi_krb5_oids,
1471 .client_start = gensec_gssapi_client_start,
1472 .server_start = gensec_gssapi_server_start,
1473 .magic = gensec_gssapi_magic,
1474 .update = gensec_gssapi_update,
1475 .session_key = gensec_gssapi_session_key,
1476 .session_info = gensec_gssapi_session_info,
1477 .sig_size = gensec_gssapi_sig_size,
1478 .sign_packet = gensec_gssapi_sign_packet,
1479 .check_packet = gensec_gssapi_check_packet,
1480 .seal_packet = gensec_gssapi_seal_packet,
1481 .unseal_packet = gensec_gssapi_unseal_packet,
1482 .wrap = gensec_gssapi_wrap,
1483 .unwrap = gensec_gssapi_unwrap,
1484 .have_feature = gensec_gssapi_have_feature,
1485 .enabled = true,
1486 .kerberos = true,
1487 .priority = GENSEC_GSSAPI
1488 };
1489
1490 /* As a server, this could in theory accept any GSSAPI mech */
1491 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1492 .name = "gssapi_krb5_sasl",
1493 .sasl_name = "GSSAPI",
1494 .client_start = gensec_gssapi_sasl_client_start,
1495 .server_start = gensec_gssapi_sasl_server_start,
1496 .update = gensec_gssapi_update,
1497 .session_key = gensec_gssapi_session_key,
1498 .session_info = gensec_gssapi_session_info,
1499 .max_input_size = gensec_gssapi_max_input_size,
1500 .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1501 .wrap = gensec_gssapi_wrap,
1502 .unwrap = gensec_gssapi_unwrap,
1503 .have_feature = gensec_gssapi_have_feature,
1504 .enabled = true,
1505 .kerberos = true,
1506 .priority = GENSEC_GSSAPI
1507 };
1508
1509 _PUBLIC_ NTSTATUS gensec_gssapi_init(void)
1510 {
1511 NTSTATUS ret;
1512
1513 ret = gensec_register(&gensec_gssapi_spnego_security_ops);
1514 if (!NT_STATUS_IS_OK(ret)) {
1515 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1516 gensec_gssapi_spnego_security_ops.name));
1517 return ret;
1518 }
1519
1520 ret = gensec_register(&gensec_gssapi_krb5_security_ops);
1521 if (!NT_STATUS_IS_OK(ret)) {
1522 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1523 gensec_gssapi_krb5_security_ops.name));
1524 return ret;
1525 }
1526
1527 ret = gensec_register(&gensec_gssapi_sasl_krb5_security_ops);
1528 if (!NT_STATUS_IS_OK(ret)) {
1529 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1530 gensec_gssapi_sasl_krb5_security_ops.name));
1531 return ret;
1532 }
1533
1534 return ret;
1535 }
Samba GIT mirror