2 * GSSAPI Security Extensions
3 * RPC Pipe client and server routines
4 * Copyright (C) Simo Sorce 2010.
5 * Copyright (C) Andrew Bartlett 2004-2011.
6 * Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 /* We support only GSSAPI/KRB5 here */
26 #include "libads/kerberos_proto.h"
27 #include "auth/common_auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "auth/credentials/credentials.h"
30 #include "../librpc/gen_ndr/dcerpc.h"
31 #include "lib/util/asn1.h"
33 #if defined(HAVE_KRB5)
38 static char *gse_errstr(TALLOC_CTX
*mem_ctx
, OM_uint32 maj
, OM_uint32 min
);
41 gss_ctx_id_t gssapi_context
;
42 gss_name_t server_name
;
43 gss_name_t client_name
;
44 OM_uint32 gss_want_flags
, gss_got_flags
;
46 gss_cred_id_t delegated_cred_handle
;
53 gss_OID_desc gss_mech
;
59 #ifndef HAVE_GSS_OID_EQUAL
61 static bool gss_oid_equal(const gss_OID o1
, const gss_OID o2
)
66 if ((o1
== NULL
&& o2
!= NULL
) || (o1
!= NULL
&& o2
== NULL
)) {
69 if (o1
->length
!= o2
->length
) {
72 return memcmp(o1
->elements
, o2
->elements
, o1
->length
) == false;
77 /* free non talloc dependent contexts */
78 static int gse_context_destructor(void *ptr
)
80 struct gse_context
*gse_ctx
;
83 gse_ctx
= talloc_get_type_abort(ptr
, struct gse_context
);
85 if (gse_ctx
->ccache
) {
86 krb5_cc_close(gse_ctx
->k5ctx
, gse_ctx
->ccache
);
87 gse_ctx
->ccache
= NULL
;
89 if (gse_ctx
->keytab
) {
90 krb5_kt_close(gse_ctx
->k5ctx
, gse_ctx
->keytab
);
91 gse_ctx
->keytab
= NULL
;
93 krb5_free_context(gse_ctx
->k5ctx
);
94 gse_ctx
->k5ctx
= NULL
;
96 if (gse_ctx
->gssapi_context
!= GSS_C_NO_CONTEXT
) {
97 (void)gss_delete_sec_context(&gss_min
,
98 &gse_ctx
->gssapi_context
,
101 if (gse_ctx
->server_name
) {
102 (void)gss_release_name(&gss_min
,
103 &gse_ctx
->server_name
);
105 if (gse_ctx
->client_name
) {
106 (void)gss_release_name(&gss_min
,
107 &gse_ctx
->client_name
);
109 if (gse_ctx
->creds
) {
110 (void)gss_release_cred(&gss_min
,
113 if (gse_ctx
->delegated_cred_handle
) {
114 (void)gss_release_cred(&gss_min
,
115 &gse_ctx
->delegated_cred_handle
);
118 /* MIT and Heimdal differ as to if you can call
119 * gss_release_oid() on this OID, generated by
120 * gss_{accept,init}_sec_context(). However, as long as the
121 * oid is gss_mech_krb5 (which it always is at the moment),
122 * then this is a moot point, as both declare this particular
123 * OID static, and so no memory is lost. This assert is in
124 * place to ensure that the programmer who wishes to extend
125 * this code to EAP or other GSS mechanisms determines an
126 * implementation-dependent way of releasing any dynamically
128 SMB_ASSERT(gss_oid_equal(&gse_ctx
->gss_mech
, GSS_C_NO_OID
) || gss_oid_equal(&gse_ctx
->gss_mech
, gss_mech_krb5
));
133 static NTSTATUS
gse_context_init(TALLOC_CTX
*mem_ctx
,
134 bool do_sign
, bool do_seal
,
135 const char *ccache_name
,
136 uint32_t add_gss_c_flags
,
137 struct gse_context
**_gse_ctx
)
139 struct gse_context
*gse_ctx
;
140 krb5_error_code k5ret
;
143 gse_ctx
= talloc_zero(mem_ctx
, struct gse_context
);
145 return NT_STATUS_NO_MEMORY
;
147 talloc_set_destructor((TALLOC_CTX
*)gse_ctx
, gse_context_destructor
);
149 memcpy(&gse_ctx
->gss_mech
, gss_mech_krb5
, sizeof(gss_OID_desc
));
151 gse_ctx
->gss_want_flags
= GSS_C_MUTUAL_FLAG
|
153 GSS_C_DELEG_POLICY_FLAG
|
157 gse_ctx
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
160 gse_ctx
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
161 gse_ctx
->gss_want_flags
|= GSS_C_CONF_FLAG
;
164 gse_ctx
->gss_want_flags
|= add_gss_c_flags
;
166 /* Initialize Kerberos Context */
167 initialize_krb5_error_table();
169 k5ret
= krb5_init_context(&gse_ctx
->k5ctx
);
171 DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
172 error_message(k5ret
)));
173 status
= NT_STATUS_INTERNAL_ERROR
;
178 ccache_name
= krb5_cc_default_name(gse_ctx
->k5ctx
);
180 k5ret
= krb5_cc_resolve(gse_ctx
->k5ctx
, ccache_name
,
183 DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
184 error_message(k5ret
)));
185 status
= NT_STATUS_INTERNAL_ERROR
;
189 /* TODO: Should we enforce a enc_types list ?
190 ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
197 TALLOC_FREE(gse_ctx
);
201 static NTSTATUS
gse_init_client(TALLOC_CTX
*mem_ctx
,
202 bool do_sign
, bool do_seal
,
203 const char *ccache_name
,
206 const char *username
,
207 const char *password
,
208 uint32_t add_gss_c_flags
,
209 struct gse_context
**_gse_ctx
)
211 struct gse_context
*gse_ctx
;
212 OM_uint32 gss_maj
, gss_min
;
213 gss_buffer_desc name_buffer
= {0, NULL
};
214 gss_OID_set_desc mech_set
;
217 if (!server
|| !service
) {
218 return NT_STATUS_INVALID_PARAMETER
;
221 status
= gse_context_init(mem_ctx
, do_sign
, do_seal
,
222 ccache_name
, add_gss_c_flags
,
224 if (!NT_STATUS_IS_OK(status
)) {
225 return NT_STATUS_NO_MEMORY
;
228 /* Guess the realm based on the supplied service, and avoid the GSS libs
229 doing DNS lookups which may fail.
231 TODO: Loop with the KDC on some more combinations (local
232 realm in particular), possibly falling back to
233 GSS_C_NT_HOSTBASED_SERVICE
235 name_buffer
.value
= kerberos_get_principal_from_service_hostname(gse_ctx
,
237 if (!name_buffer
.value
) {
238 status
= NT_STATUS_NO_MEMORY
;
241 name_buffer
.length
= strlen((char *)name_buffer
.value
);
242 gss_maj
= gss_import_name(&gss_min
, &name_buffer
,
244 &gse_ctx
->server_name
);
246 DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
247 (char *)name_buffer
.value
,
248 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
249 status
= NT_STATUS_INTERNAL_ERROR
;
253 /* TODO: get krb5 ticket using username/password, if no valid
254 * one already available in ccache */
257 mech_set
.elements
= &gse_ctx
->gss_mech
;
259 gss_maj
= gss_acquire_cred(&gss_min
,
267 DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
268 (char *)name_buffer
.value
,
269 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
270 status
= NT_STATUS_INTERNAL_ERROR
;
275 TALLOC_FREE(name_buffer
.value
);
279 TALLOC_FREE(name_buffer
.value
);
280 TALLOC_FREE(gse_ctx
);
284 static NTSTATUS
gse_get_client_auth_token(TALLOC_CTX
*mem_ctx
,
285 struct gse_context
*gse_ctx
,
286 const DATA_BLOB
*token_in
,
287 DATA_BLOB
*token_out
)
289 OM_uint32 gss_maj
, gss_min
;
290 gss_buffer_desc in_data
;
291 gss_buffer_desc out_data
;
292 DATA_BLOB blob
= data_blob_null
;
295 in_data
.value
= token_in
->data
;
296 in_data
.length
= token_in
->length
;
298 gss_maj
= gss_init_sec_context(&gss_min
,
300 &gse_ctx
->gssapi_context
,
301 gse_ctx
->server_name
,
303 gse_ctx
->gss_want_flags
,
304 0, GSS_C_NO_CHANNEL_BINDINGS
,
305 &in_data
, NULL
, &out_data
,
306 &gse_ctx
->gss_got_flags
, NULL
);
309 /* we are done with it */
310 status
= NT_STATUS_OK
;
312 case GSS_S_CONTINUE_NEEDED
:
313 /* we will need a third leg */
314 status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
317 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
318 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
319 status
= NT_STATUS_INTERNAL_ERROR
;
323 /* we may be told to return nothing */
324 if (out_data
.length
) {
325 blob
= data_blob_talloc(mem_ctx
, out_data
.value
, out_data
.length
);
327 status
= NT_STATUS_NO_MEMORY
;
330 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
338 static NTSTATUS
gse_init_server(TALLOC_CTX
*mem_ctx
,
339 bool do_sign
, bool do_seal
,
340 uint32_t add_gss_c_flags
,
341 struct gse_context
**_gse_ctx
)
343 struct gse_context
*gse_ctx
;
344 OM_uint32 gss_maj
, gss_min
;
348 status
= gse_context_init(mem_ctx
, do_sign
, do_seal
,
349 NULL
, add_gss_c_flags
, &gse_ctx
);
350 if (!NT_STATUS_IS_OK(status
)) {
351 return NT_STATUS_NO_MEMORY
;
354 ret
= gse_krb5_get_server_keytab(gse_ctx
->k5ctx
,
357 status
= NT_STATUS_INTERNAL_ERROR
;
361 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
363 /* This creates a GSSAPI cred_id_t with the keytab set */
364 gss_maj
= gss_krb5_import_cred(&gss_min
, NULL
, NULL
, gse_ctx
->keytab
,
368 && gss_maj
!= (GSS_S_CALL_BAD_STRUCTURE
|GSS_S_BAD_NAME
)) {
369 DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
370 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
371 status
= NT_STATUS_INTERNAL_ERROR
;
374 /* This is the error the MIT krb5 1.9 gives when it
375 * implements the function, but we do not specify the
376 * principal. However, when we specify the principal
377 * as host$@REALM the GSS acceptor fails with 'wrong
378 * principal in request'. Work around the issue by
379 * falling back to the alternate approach below. */
380 } else if (gss_maj
== (GSS_S_CALL_BAD_STRUCTURE
|GSS_S_BAD_NAME
))
383 * This call sets the default keytab for the whole server, not
384 * just for this context. Need to find a way that does not alter
385 * the state of the whole server ... */
388 gss_OID_set_desc mech_set
;
390 ret
= smb_krb5_keytab_name(gse_ctx
, gse_ctx
->k5ctx
,
391 gse_ctx
->keytab
, &ktname
);
393 status
= NT_STATUS_INTERNAL_ERROR
;
397 ret
= gsskrb5_register_acceptor_identity(ktname
);
399 status
= NT_STATUS_INTERNAL_ERROR
;
404 mech_set
.elements
= &gse_ctx
->gss_mech
;
406 gss_maj
= gss_acquire_cred(&gss_min
,
415 DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
416 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
417 status
= NT_STATUS_INTERNAL_ERROR
;
422 status
= NT_STATUS_OK
;
425 if (!NT_STATUS_IS_OK(status
)) {
426 TALLOC_FREE(gse_ctx
);
433 static NTSTATUS
gse_get_server_auth_token(TALLOC_CTX
*mem_ctx
,
434 struct gse_context
*gse_ctx
,
435 const DATA_BLOB
*token_in
,
436 DATA_BLOB
*token_out
)
438 OM_uint32 gss_maj
, gss_min
;
439 gss_buffer_desc in_data
;
440 gss_buffer_desc out_data
;
441 DATA_BLOB blob
= data_blob_null
;
444 in_data
.value
= token_in
->data
;
445 in_data
.length
= token_in
->length
;
447 gss_maj
= gss_accept_sec_context(&gss_min
,
448 &gse_ctx
->gssapi_context
,
451 GSS_C_NO_CHANNEL_BINDINGS
,
452 &gse_ctx
->client_name
,
455 &gse_ctx
->gss_got_flags
, NULL
,
456 &gse_ctx
->delegated_cred_handle
);
459 /* we are done with it */
460 status
= NT_STATUS_OK
;
462 case GSS_S_CONTINUE_NEEDED
:
463 /* we will need a third leg */
464 status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
467 DEBUG(1, ("gss_accept_sec_context failed with [%s]\n",
468 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
470 if (gse_ctx
->gssapi_context
) {
471 gss_delete_sec_context(&gss_min
,
472 &gse_ctx
->gssapi_context
,
476 status
= NT_STATUS_LOGON_FAILURE
;
480 /* we may be told to return nothing */
481 if (out_data
.length
) {
482 blob
= data_blob_talloc(mem_ctx
, out_data
.value
, out_data
.length
);
484 status
= NT_STATUS_NO_MEMORY
;
486 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
495 static char *gse_errstr(TALLOC_CTX
*mem_ctx
, OM_uint32 maj
, OM_uint32 min
)
497 OM_uint32 gss_min
, gss_maj
;
498 gss_buffer_desc msg_min
;
499 gss_buffer_desc msg_maj
;
500 OM_uint32 msg_ctx
= 0;
504 ZERO_STRUCT(msg_min
);
505 ZERO_STRUCT(msg_maj
);
507 gss_maj
= gss_display_status(&gss_min
, maj
, GSS_C_GSS_CODE
,
508 GSS_C_NO_OID
, &msg_ctx
, &msg_maj
);
512 errstr
= talloc_strndup(mem_ctx
,
513 (char *)msg_maj
.value
,
518 gss_maj
= gss_display_status(&gss_min
, min
, GSS_C_MECH_CODE
,
519 (gss_OID
)discard_const(gss_mech_krb5
),
525 errstr
= talloc_strdup_append_buffer(errstr
, ": ");
529 errstr
= talloc_strndup_append_buffer(errstr
,
530 (char *)msg_min
.value
,
538 gss_maj
= gss_release_buffer(&gss_min
, &msg_min
);
541 gss_maj
= gss_release_buffer(&gss_min
, &msg_maj
);
546 static size_t gse_get_signature_length(struct gse_context
*gse_ctx
,
547 bool seal
, size_t payload_size
)
549 OM_uint32 gss_min
, gss_maj
;
550 gss_iov_buffer_desc iov
[2];
554 * gss_wrap_iov_length() only needs the type and length
556 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
557 iov
[0].buffer
.value
= NULL
;
558 iov
[0].buffer
.length
= 0;
559 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
560 iov
[1].buffer
.value
= NULL
;
561 iov
[1].buffer
.length
= payload_size
;
563 gss_maj
= gss_wrap_iov_length(&gss_min
, gse_ctx
->gssapi_context
,
564 seal
, GSS_C_QOP_DEFAULT
,
567 DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
568 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
572 return iov
[0].buffer
.length
;
575 static NTSTATUS
gse_seal(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
576 DATA_BLOB
*data
, DATA_BLOB
*signature
)
578 OM_uint32 gss_min
, gss_maj
;
579 gss_iov_buffer_desc iov
[2];
580 int req_seal
= 1; /* setting to 1 means we request sign+seal */
584 /* allocate the memory ourselves so we do not need to talloc_memdup */
585 signature
->length
= gse_get_signature_length(gse_ctx
, true, data
->length
);
586 if (!signature
->length
) {
587 return NT_STATUS_INTERNAL_ERROR
;
589 signature
->data
= (uint8_t *)talloc_size(mem_ctx
, signature
->length
);
590 if (!signature
->data
) {
591 return NT_STATUS_NO_MEMORY
;
593 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
594 iov
[0].buffer
.value
= signature
->data
;
595 iov
[0].buffer
.length
= signature
->length
;
597 /* data is encrypted in place, which is ok */
598 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
599 iov
[1].buffer
.value
= data
->data
;
600 iov
[1].buffer
.length
= data
->length
;
602 gss_maj
= gss_wrap_iov(&gss_min
, gse_ctx
->gssapi_context
,
603 req_seal
, GSS_C_QOP_DEFAULT
,
606 DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
607 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
608 status
= NT_STATUS_ACCESS_DENIED
;
613 DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
614 status
= NT_STATUS_ACCESS_DENIED
;
618 status
= NT_STATUS_OK
;
620 DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
621 (int)iov
[1].buffer
.length
, (int)iov
[0].buffer
.length
));
627 static NTSTATUS
gse_unseal(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
628 DATA_BLOB
*data
, const DATA_BLOB
*signature
)
630 OM_uint32 gss_min
, gss_maj
;
631 gss_iov_buffer_desc iov
[2];
635 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
636 iov
[0].buffer
.value
= signature
->data
;
637 iov
[0].buffer
.length
= signature
->length
;
639 /* data is decrypted in place, which is ok */
640 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
641 iov
[1].buffer
.value
= data
->data
;
642 iov
[1].buffer
.length
= data
->length
;
644 gss_maj
= gss_unwrap_iov(&gss_min
, gse_ctx
->gssapi_context
,
645 &sealed
, NULL
, iov
, 2);
647 DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
648 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
649 status
= NT_STATUS_ACCESS_DENIED
;
654 DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
655 status
= NT_STATUS_ACCESS_DENIED
;
659 status
= NT_STATUS_OK
;
661 DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
662 (int)iov
[1].buffer
.length
, (int)iov
[0].buffer
.length
));
668 static NTSTATUS
gse_sign(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
669 DATA_BLOB
*data
, DATA_BLOB
*signature
)
671 OM_uint32 gss_min
, gss_maj
;
672 gss_buffer_desc in_data
= { 0, NULL
};
673 gss_buffer_desc out_data
= { 0, NULL
};
676 in_data
.value
= data
->data
;
677 in_data
.length
= data
->length
;
679 gss_maj
= gss_get_mic(&gss_min
, gse_ctx
->gssapi_context
,
681 &in_data
, &out_data
);
683 DEBUG(0, ("gss_get_mic failed with [%s]\n",
684 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
685 status
= NT_STATUS_ACCESS_DENIED
;
689 *signature
= data_blob_talloc(mem_ctx
,
690 out_data
.value
, out_data
.length
);
691 if (!signature
->data
) {
692 status
= NT_STATUS_NO_MEMORY
;
696 status
= NT_STATUS_OK
;
699 if (out_data
.value
) {
700 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
705 static NTSTATUS
gse_sigcheck(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
706 const DATA_BLOB
*data
, const DATA_BLOB
*signature
)
708 OM_uint32 gss_min
, gss_maj
;
709 gss_buffer_desc in_data
= { 0, NULL
};
710 gss_buffer_desc in_token
= { 0, NULL
};
713 in_data
.value
= data
->data
;
714 in_data
.length
= data
->length
;
715 in_token
.value
= signature
->data
;
716 in_token
.length
= signature
->length
;
718 gss_maj
= gss_verify_mic(&gss_min
, gse_ctx
->gssapi_context
,
719 &in_data
, &in_token
, NULL
);
721 DEBUG(0, ("gss_verify_mic failed with [%s]\n",
722 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
723 status
= NT_STATUS_ACCESS_DENIED
;
727 status
= NT_STATUS_OK
;
733 static NTSTATUS
gensec_gse_client_start(struct gensec_security
*gensec_security
)
735 struct gse_context
*gse_ctx
;
736 struct cli_credentials
*creds
= gensec_get_credentials(gensec_security
);
738 OM_uint32 want_flags
= 0;
739 bool do_sign
= false, do_seal
= false;
740 const char *hostname
= gensec_get_target_hostname(gensec_security
);
741 const char *service
= gensec_get_target_service(gensec_security
);
742 const char *username
= cli_credentials_get_username(creds
);
743 const char *password
= cli_credentials_get_password(creds
);
746 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
747 return NT_STATUS_INVALID_PARAMETER
;
749 if (is_ipaddress(hostname
)) {
750 DEBUG(2, ("Cannot do GSE to an IP address\n"));
751 return NT_STATUS_INVALID_PARAMETER
;
753 if (strcmp(hostname
, "localhost") == 0) {
754 DEBUG(2, ("GSE to 'localhost' does not make sense\n"));
755 return NT_STATUS_INVALID_PARAMETER
;
758 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
761 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
764 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
765 want_flags
|= GSS_C_DCE_STYLE
;
768 nt_status
= gse_init_client(gensec_security
, do_sign
, do_seal
, NULL
,
770 username
, password
, want_flags
,
772 if (!NT_STATUS_IS_OK(nt_status
)) {
775 gensec_security
->private_data
= gse_ctx
;
779 static NTSTATUS
gensec_gse_server_start(struct gensec_security
*gensec_security
)
781 struct gse_context
*gse_ctx
;
783 OM_uint32 want_flags
= 0;
784 bool do_sign
= false, do_seal
= false;
786 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
789 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
792 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
793 want_flags
|= GSS_C_DCE_STYLE
;
796 nt_status
= gse_init_server(gensec_security
, do_sign
, do_seal
, want_flags
,
798 if (!NT_STATUS_IS_OK(nt_status
)) {
801 gensec_security
->private_data
= gse_ctx
;
806 * Check if the packet is one for this mechansim
808 * @param gensec_security GENSEC state
809 * @param in The request, as a DATA_BLOB
810 * @return Error, INVALID_PARAMETER if it's not a packet for us
811 * or NT_STATUS_OK if the packet is ok.
814 static NTSTATUS
gensec_gse_magic(struct gensec_security
*gensec_security
,
817 if (gensec_gssapi_check_oid(in
, GENSEC_OID_KERBEROS5
)) {
820 return NT_STATUS_INVALID_PARAMETER
;
826 * Next state function for the GSE GENSEC mechanism
828 * @param gensec_gse_state GSE State
829 * @param mem_ctx The TALLOC_CTX for *out to be allocated on
830 * @param in The request, as a DATA_BLOB
831 * @param out The reply, as an talloc()ed DATA_BLOB, on *mem_ctx
832 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
833 * or NT_STATUS_OK if the user is authenticated.
836 static NTSTATUS
gensec_gse_update(struct gensec_security
*gensec_security
,
838 struct tevent_context
*ev
,
839 const DATA_BLOB in
, DATA_BLOB
*out
)
842 struct gse_context
*gse_ctx
=
843 talloc_get_type_abort(gensec_security
->private_data
,
846 switch (gensec_security
->gensec_role
) {
848 status
= gse_get_client_auth_token(mem_ctx
, gse_ctx
,
852 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
856 if (!NT_STATUS_IS_OK(status
)) {
863 static NTSTATUS
gensec_gse_wrap(struct gensec_security
*gensec_security
,
868 struct gse_context
*gse_ctx
=
869 talloc_get_type_abort(gensec_security
->private_data
,
871 OM_uint32 maj_stat
, min_stat
;
872 gss_buffer_desc input_token
, output_token
;
874 input_token
.length
= in
->length
;
875 input_token
.value
= in
->data
;
877 maj_stat
= gss_wrap(&min_stat
,
878 gse_ctx
->gssapi_context
,
879 gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
),
884 if (GSS_ERROR(maj_stat
)) {
885 DEBUG(0, ("gensec_gse_wrap: GSS Wrap failed: %s\n",
886 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
887 return NT_STATUS_ACCESS_DENIED
;
890 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
891 gss_release_buffer(&min_stat
, &output_token
);
893 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
895 return NT_STATUS_ACCESS_DENIED
;
900 static NTSTATUS
gensec_gse_unwrap(struct gensec_security
*gensec_security
,
905 struct gse_context
*gse_ctx
=
906 talloc_get_type_abort(gensec_security
->private_data
,
908 OM_uint32 maj_stat
, min_stat
;
909 gss_buffer_desc input_token
, output_token
;
912 input_token
.length
= in
->length
;
913 input_token
.value
= in
->data
;
915 maj_stat
= gss_unwrap(&min_stat
,
916 gse_ctx
->gssapi_context
,
921 if (GSS_ERROR(maj_stat
)) {
922 DEBUG(0, ("gensec_gse_unwrap: GSS UnWrap failed: %s\n",
923 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
924 return NT_STATUS_ACCESS_DENIED
;
927 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
928 gss_release_buffer(&min_stat
, &output_token
);
930 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
932 return NT_STATUS_ACCESS_DENIED
;
937 static NTSTATUS
gensec_gse_seal_packet(struct gensec_security
*gensec_security
,
939 uint8_t *data
, size_t length
,
940 const uint8_t *whole_pdu
, size_t pdu_length
,
943 struct gse_context
*gse_ctx
=
944 talloc_get_type_abort(gensec_security
->private_data
,
946 DATA_BLOB payload
= data_blob_const(data
, length
);
947 return gse_seal(mem_ctx
, gse_ctx
, &payload
, sig
);
950 static NTSTATUS
gensec_gse_unseal_packet(struct gensec_security
*gensec_security
,
951 uint8_t *data
, size_t length
,
952 const uint8_t *whole_pdu
, size_t pdu_length
,
953 const DATA_BLOB
*sig
)
955 struct gse_context
*gse_ctx
=
956 talloc_get_type_abort(gensec_security
->private_data
,
958 DATA_BLOB payload
= data_blob_const(data
, length
);
959 return gse_unseal(talloc_tos() /* unused */, gse_ctx
, &payload
, sig
);
962 static NTSTATUS
gensec_gse_sign_packet(struct gensec_security
*gensec_security
,
964 const uint8_t *data
, size_t length
,
965 const uint8_t *whole_pdu
, size_t pdu_length
,
968 struct gse_context
*gse_ctx
=
969 talloc_get_type_abort(gensec_security
->private_data
,
971 DATA_BLOB payload
= data_blob_const(data
, length
);
972 return gse_sign(mem_ctx
, gse_ctx
, &payload
, sig
);
975 static NTSTATUS
gensec_gse_check_packet(struct gensec_security
*gensec_security
,
976 const uint8_t *data
, size_t length
,
977 const uint8_t *whole_pdu
, size_t pdu_length
,
978 const DATA_BLOB
*sig
)
980 struct gse_context
*gse_ctx
=
981 talloc_get_type_abort(gensec_security
->private_data
,
983 DATA_BLOB payload
= data_blob_const(data
, length
);
984 return gse_sigcheck(NULL
, gse_ctx
, &payload
, sig
);
987 /* Try to figure out what features we actually got on the connection */
988 static bool gensec_gse_have_feature(struct gensec_security
*gensec_security
,
991 struct gse_context
*gse_ctx
=
992 talloc_get_type_abort(gensec_security
->private_data
,
995 if (feature
& GENSEC_FEATURE_SIGN
) {
996 return gse_ctx
->gss_got_flags
& GSS_C_INTEG_FLAG
;
998 if (feature
& GENSEC_FEATURE_SEAL
) {
999 return gse_ctx
->gss_got_flags
& GSS_C_CONF_FLAG
;
1001 if (feature
& GENSEC_FEATURE_SESSION_KEY
) {
1002 /* Only for GSE/Krb5 */
1003 if (gss_oid_equal(gse_ctx
->ret_mech
, gss_mech_krb5
)) {
1007 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
1008 return gse_ctx
->gss_got_flags
& GSS_C_DCE_STYLE
;
1010 if (feature
& GENSEC_FEATURE_NEW_SPNEGO
) {
1014 if (!(gse_ctx
->gss_got_flags
& GSS_C_INTEG_FLAG
)) {
1018 status
= gssapi_get_session_key(talloc_tos(),
1019 gse_ctx
->gssapi_context
, NULL
, &keytype
);
1021 * We should do a proper sig on the mechListMic unless
1022 * we know we have to be backwards compatible with
1023 * earlier windows versions.
1025 * Negotiating a non-krb5
1026 * mech for example should be regarded as having
1029 if (NT_STATUS_IS_OK(status
)) {
1031 case ENCTYPE_DES_CBC_CRC
:
1032 case ENCTYPE_DES_CBC_MD5
:
1033 case ENCTYPE_ARCFOUR_HMAC
:
1034 case ENCTYPE_DES3_CBC_SHA1
:
1040 /* We can always do async (rather than strict request/reply) packets. */
1041 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
1048 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1049 * (for encrypting some passwords).
1051 * This breaks all the abstractions, but what do you expect...
1053 static NTSTATUS
gensec_gse_session_key(struct gensec_security
*gensec_security
,
1054 TALLOC_CTX
*mem_ctx
,
1055 DATA_BLOB
*session_key
)
1057 struct gse_context
*gse_ctx
=
1058 talloc_get_type_abort(gensec_security
->private_data
,
1059 struct gse_context
);
1061 return gssapi_get_session_key(mem_ctx
, gse_ctx
->gssapi_context
, session_key
, NULL
);
1064 /* Get some basic (and authorization) information about the user on
1065 * this session. This uses either the PAC (if present) or a local
1066 * database lookup */
1067 static NTSTATUS
gensec_gse_session_info(struct gensec_security
*gensec_security
,
1068 TALLOC_CTX
*mem_ctx
,
1069 struct auth_session_info
**_session_info
)
1071 struct gse_context
*gse_ctx
=
1072 talloc_get_type_abort(gensec_security
->private_data
,
1073 struct gse_context
);
1075 TALLOC_CTX
*tmp_ctx
;
1076 struct auth_session_info
*session_info
= NULL
;
1077 OM_uint32 maj_stat
, min_stat
;
1078 DATA_BLOB pac_blob
, *pac_blob_ptr
= NULL
;
1080 gss_buffer_desc name_token
;
1081 char *principal_string
;
1083 tmp_ctx
= talloc_named(mem_ctx
, 0, "gensec_gse_session_info context");
1084 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1086 maj_stat
= gss_display_name(&min_stat
,
1087 gse_ctx
->client_name
,
1090 if (GSS_ERROR(maj_stat
)) {
1091 DEBUG(1, ("GSS display_name failed: %s\n",
1092 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
1093 talloc_free(tmp_ctx
);
1094 return NT_STATUS_FOOBAR
;
1097 principal_string
= talloc_strndup(tmp_ctx
,
1098 (const char *)name_token
.value
,
1101 gss_release_buffer(&min_stat
, &name_token
);
1103 if (!principal_string
) {
1104 talloc_free(tmp_ctx
);
1105 return NT_STATUS_NO_MEMORY
;
1108 nt_status
= gssapi_obtain_pac_blob(tmp_ctx
, gse_ctx
->gssapi_context
,
1109 gse_ctx
->client_name
,
1112 /* IF we have the PAC - otherwise we need to get this
1113 * data from elsewere
1115 if (NT_STATUS_IS_OK(nt_status
)) {
1116 pac_blob_ptr
= &pac_blob
;
1118 nt_status
= gensec_generate_session_info_pac(tmp_ctx
,
1121 pac_blob_ptr
, principal_string
,
1122 gensec_get_remote_address(gensec_security
),
1124 if (!NT_STATUS_IS_OK(nt_status
)) {
1125 talloc_free(tmp_ctx
);
1129 nt_status
= gensec_gse_session_key(gensec_security
, session_info
,
1130 &session_info
->session_key
);
1131 if (!NT_STATUS_IS_OK(nt_status
)) {
1132 talloc_free(tmp_ctx
);
1136 *_session_info
= talloc_move(mem_ctx
, &session_info
);
1137 talloc_free(tmp_ctx
);
1139 return NT_STATUS_OK
;
1142 static size_t gensec_gse_sig_size(struct gensec_security
*gensec_security
,
1145 struct gse_context
*gse_ctx
=
1146 talloc_get_type_abort(gensec_security
->private_data
,
1147 struct gse_context
);
1149 return gse_get_signature_length(gse_ctx
,
1150 gensec_security
->want_features
& GENSEC_FEATURE_SEAL
,
1154 static const char *gensec_gse_krb5_oids
[] = {
1155 GENSEC_OID_KERBEROS5_OLD
,
1156 GENSEC_OID_KERBEROS5
,
1160 const struct gensec_security_ops gensec_gse_krb5_security_ops
= {
1162 .auth_type
= DCERPC_AUTH_TYPE_KRB5
,
1163 .oid
= gensec_gse_krb5_oids
,
1164 .client_start
= gensec_gse_client_start
,
1165 .server_start
= gensec_gse_server_start
,
1166 .magic
= gensec_gse_magic
,
1167 .update
= gensec_gse_update
,
1168 .session_key
= gensec_gse_session_key
,
1169 .session_info
= gensec_gse_session_info
,
1170 .sig_size
= gensec_gse_sig_size
,
1171 .sign_packet
= gensec_gse_sign_packet
,
1172 .check_packet
= gensec_gse_check_packet
,
1173 .seal_packet
= gensec_gse_seal_packet
,
1174 .unseal_packet
= gensec_gse_unseal_packet
,
1175 .wrap
= gensec_gse_wrap
,
1176 .unwrap
= gensec_gse_unwrap
,
1177 .have_feature
= gensec_gse_have_feature
,
1180 .priority
= GENSEC_GSSAPI
1183 #endif /* HAVE_KRB5 */
