search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-gse Rename gss_ctx to match gensec_gssapi_context
[Samba.git] / source3 / librpc / crypto / gse.c
blobcdc0fd62438b8db42fa42355cd63dccd13269676
1 /*
2 * GSSAPI Security Extensions
3 * RPC Pipe client and server routines
4 * Copyright (C) Simo Sorce 2010.
5 * Copyright (C) Andrew Bartlett 2004-2011.
6 * Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* We support only GSSAPI/KRB5 here */
23
24 #include "includes.h"
25 #include "gse.h"
26 #include "libads/kerberos_proto.h"
27 #include "auth/common_auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "auth/credentials/credentials.h"
30 #include "../librpc/gen_ndr/dcerpc.h"
31
32 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
33
34 #include "smb_krb5.h"
35 #include "gse_krb5.h"
36
37 #ifndef GSS_C_DCE_STYLE
38 #define GSS_C_DCE_STYLE 0x1000
39 #endif
40
41 #ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
42 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
43 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
44 #endif
45
46 gss_OID_desc gse_sesskey_inq_oid = {
47 GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH,
48 (void *)GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
49 };
50
51 #ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID
52 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
53 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
54 #endif
55
56 gss_OID_desc gse_sesskeytype_oid = {
57 GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
58 (void *)GSS_KRB5_SESSION_KEY_ENCTYPE_OID
59 };
60
61 #define GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID_LENGTH 12
62 /* EXTRACTION OID AUTHZ ID */
63 #define GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a" "\x01"
64
65 gss_OID_desc gse_authz_data_oid = {
66 GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID_LENGTH,
67 (void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
68 };
69
70 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
71
72 struct gse_context {
73 krb5_context k5ctx;
74 krb5_ccache ccache;
75 krb5_keytab keytab;
76
77 gss_ctx_id_t gssapi_context;
78
79 gss_OID_desc gss_mech;
80 OM_uint32 gss_c_flags;
81 gss_cred_id_t creds;
82 gss_name_t server_name;
83
84 gss_OID ret_mech;
85 OM_uint32 ret_flags;
86 gss_cred_id_t delegated_cred_handle;
87 gss_name_t client_name;
88
89 bool more_processing;
90 bool authenticated;
91 };
92
93 #ifndef HAVE_GSS_OID_EQUAL
94
95 static bool gss_oid_equal(const gss_OID o1, const gss_OID o2)
96 {
97 if (o1 == o2) {
98 return true;
99 }
100 if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) {
101 return false;
102 }
103 if (o1->length != o2->length) {
104 return false;
105 }
106 return memcmp(o1->elements, o2->elements, o1->length) == false;
107 }
108
109 #endif
110
111 /* free non talloc dependent contexts */
112 static int gse_context_destructor(void *ptr)
113 {
114 struct gse_context *gse_ctx;
115 OM_uint32 gss_min, gss_maj;
116
117 gse_ctx = talloc_get_type_abort(ptr, struct gse_context);
118 if (gse_ctx->k5ctx) {
119 if (gse_ctx->ccache) {
120 krb5_cc_close(gse_ctx->k5ctx, gse_ctx->ccache);
121 gse_ctx->ccache = NULL;
122 }
123 if (gse_ctx->keytab) {
124 krb5_kt_close(gse_ctx->k5ctx, gse_ctx->keytab);
125 gse_ctx->keytab = NULL;
126 }
127 krb5_free_context(gse_ctx->k5ctx);
128 gse_ctx->k5ctx = NULL;
129 }
130 if (gse_ctx->gssapi_context != GSS_C_NO_CONTEXT) {
131 gss_maj = gss_delete_sec_context(&gss_min,
132 &gse_ctx->gssapi_context,
133 GSS_C_NO_BUFFER);
134 }
135 if (gse_ctx->server_name) {
136 gss_maj = gss_release_name(&gss_min,
137 &gse_ctx->server_name);
138 }
139 if (gse_ctx->client_name) {
140 gss_maj = gss_release_name(&gss_min,
141 &gse_ctx->client_name);
142 }
143 if (gse_ctx->creds) {
144 gss_maj = gss_release_cred(&gss_min,
145 &gse_ctx->creds);
146 }
147 if (gse_ctx->delegated_cred_handle) {
148 gss_maj = gss_release_cred(&gss_min,
149 &gse_ctx->delegated_cred_handle);
150 }
151
152 /* MIT and Heimdal differ as to if you can call
153 * gss_release_oid() on this OID, generated by
154 * gss_{accept,init}_sec_context(). However, as long as the
155 * oid is gss_mech_krb5 (which it always is at the moment),
156 * then this is a moot point, as both declare this particular
157 * OID static, and so no memory is lost. This assert is in
158 * place to ensure that the programmer who wishes to extend
159 * this code to EAP or other GSS mechanisms determines an
160 * implementation-dependent way of releasing any dynamically
161 * allocated OID */
162 SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5));
163
164 return 0;
165 }
166
167 static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
168 bool do_sign, bool do_seal,
169 const char *ccache_name,
170 uint32_t add_gss_c_flags,
171 struct gse_context **_gse_ctx)
172 {
173 struct gse_context *gse_ctx;
174 krb5_error_code k5ret;
175 NTSTATUS status;
176
177 gse_ctx = talloc_zero(mem_ctx, struct gse_context);
178 if (!gse_ctx) {
179 return NT_STATUS_NO_MEMORY;
180 }
181 talloc_set_destructor((TALLOC_CTX *)gse_ctx, gse_context_destructor);
182
183 memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
184
185 gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
186 GSS_C_DELEG_FLAG |
187 GSS_C_DELEG_POLICY_FLAG |
188 GSS_C_REPLAY_FLAG |
189 GSS_C_SEQUENCE_FLAG;
190 if (do_sign) {
191 gse_ctx->gss_c_flags |= GSS_C_INTEG_FLAG;
192 }
193 if (do_seal) {
194 gse_ctx->gss_c_flags |= GSS_C_CONF_FLAG;
195 }
196
197 gse_ctx->gss_c_flags |= add_gss_c_flags;
198
199 /* Initialize Kerberos Context */
200 initialize_krb5_error_table();
201
202 k5ret = krb5_init_context(&gse_ctx->k5ctx);
203 if (k5ret) {
204 DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
205 error_message(k5ret)));
206 status = NT_STATUS_INTERNAL_ERROR;
207 goto err_out;
208 }
209
210 if (!ccache_name) {
211 ccache_name = krb5_cc_default_name(gse_ctx->k5ctx);
212 }
213 k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
214 &gse_ctx->ccache);
215 if (k5ret) {
216 DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
217 error_message(k5ret)));
218 status = NT_STATUS_INTERNAL_ERROR;
219 goto err_out;
220 }
221
222 /* TODO: Should we enforce a enc_types list ?
223 ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
224 */
225
226 *_gse_ctx = gse_ctx;
227 return NT_STATUS_OK;
228
229 err_out:
230 TALLOC_FREE(gse_ctx);
231 return status;
232 }
233
234 static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
235 bool do_sign, bool do_seal,
236 const char *ccache_name,
237 const char *server,
238 const char *service,
239 const char *username,
240 const char *password,
241 uint32_t add_gss_c_flags,
242 struct gse_context **_gse_ctx)
243 {
244 struct gse_context *gse_ctx;
245 OM_uint32 gss_maj, gss_min;
246 gss_buffer_desc name_buffer = {0, NULL};
247 gss_OID_set_desc mech_set;
248 NTSTATUS status;
249
250 if (!server || !service) {
251 return NT_STATUS_INVALID_PARAMETER;
252 }
253
254 status = gse_context_init(mem_ctx, do_sign, do_seal,
255 ccache_name, add_gss_c_flags,
256 &gse_ctx);
257 if (!NT_STATUS_IS_OK(status)) {
258 return NT_STATUS_NO_MEMORY;
259 }
260
261 /* Guess the realm based on the supplied service, and avoid the GSS libs
262 doing DNS lookups which may fail.
263
264 TODO: Loop with the KDC on some more combinations (local
265 realm in particular), possibly falling back to
266 GSS_C_NT_HOSTBASED_SERVICE
267 */
268 name_buffer.value = kerberos_get_principal_from_service_hostname(gse_ctx,
269 service, server);
270 if (!name_buffer.value) {
271 status = NT_STATUS_NO_MEMORY;
272 goto err_out;
273 }
274 name_buffer.length = strlen((char *)name_buffer.value);
275 gss_maj = gss_import_name(&gss_min, &name_buffer,
276 GSS_C_NT_USER_NAME,
277 &gse_ctx->server_name);
278 if (gss_maj) {
279 DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
280 (char *)name_buffer.value,
281 gse_errstr(gse_ctx, gss_maj, gss_min)));
282 status = NT_STATUS_INTERNAL_ERROR;
283 goto err_out;
284 }
285
286 /* TODO: get krb5 ticket using username/password, if no valid
287 * one already available in ccache */
288
289 mech_set.count = 1;
290 mech_set.elements = &gse_ctx->gss_mech;
291
292 gss_maj = gss_acquire_cred(&gss_min,
293 GSS_C_NO_NAME,
294 GSS_C_INDEFINITE,
295 &mech_set,
296 GSS_C_INITIATE,
297 &gse_ctx->creds,
298 NULL, NULL);
299 if (gss_maj) {
300 DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
301 (char *)name_buffer.value,
302 gse_errstr(gse_ctx, gss_maj, gss_min)));
303 status = NT_STATUS_INTERNAL_ERROR;
304 goto err_out;
305 }
306
307 *_gse_ctx = gse_ctx;
308 TALLOC_FREE(name_buffer.value);
309 return NT_STATUS_OK;
310
311 err_out:
312 TALLOC_FREE(name_buffer.value);
313 TALLOC_FREE(gse_ctx);
314 return status;
315 }
316
317 static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
318 struct gse_context *gse_ctx,
319 const DATA_BLOB *token_in,
320 DATA_BLOB *token_out)
321 {
322 OM_uint32 gss_maj, gss_min;
323 gss_buffer_desc in_data;
324 gss_buffer_desc out_data;
325 DATA_BLOB blob = data_blob_null;
326 NTSTATUS status;
327
328 in_data.value = token_in->data;
329 in_data.length = token_in->length;
330
331 gss_maj = gss_init_sec_context(&gss_min,
332 gse_ctx->creds,
333 &gse_ctx->gssapi_context,
334 gse_ctx->server_name,
335 &gse_ctx->gss_mech,
336 gse_ctx->gss_c_flags,
337 0, GSS_C_NO_CHANNEL_BINDINGS,
338 &in_data, NULL, &out_data,
339 &gse_ctx->ret_flags, NULL);
340 switch (gss_maj) {
341 case GSS_S_COMPLETE:
342 /* we are done with it */
343 gse_ctx->more_processing = false;
344 status = NT_STATUS_OK;
345 break;
346 case GSS_S_CONTINUE_NEEDED:
347 /* we will need a third leg */
348 gse_ctx->more_processing = true;
349 /* status = NT_STATUS_MORE_PROCESSING_REQUIRED; */
350 status = NT_STATUS_OK;
351 break;
352 default:
353 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
354 gse_errstr(talloc_tos(), gss_maj, gss_min)));
355 status = NT_STATUS_INTERNAL_ERROR;
356 goto done;
357 }
358
359 blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
360 if (!blob.data) {
361 status = NT_STATUS_NO_MEMORY;
362 }
363
364 gss_maj = gss_release_buffer(&gss_min, &out_data);
365
366 done:
367 *token_out = blob;
368 return status;
369 }
370
371 static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
372 bool do_sign, bool do_seal,
373 uint32_t add_gss_c_flags,
374 struct gse_context **_gse_ctx)
375 {
376 struct gse_context *gse_ctx;
377 OM_uint32 gss_maj, gss_min;
378 krb5_error_code ret;
379 NTSTATUS status;
380
381 status = gse_context_init(mem_ctx, do_sign, do_seal,
382 NULL, add_gss_c_flags, &gse_ctx);
383 if (!NT_STATUS_IS_OK(status)) {
384 return NT_STATUS_NO_MEMORY;
385 }
386
387 ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
388 &gse_ctx->keytab);
389 if (ret) {
390 status = NT_STATUS_INTERNAL_ERROR;
391 goto done;
392 }
393
394 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
395
396 /* This creates a GSSAPI cred_id_t with the keytab set */
397 gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
398 &gse_ctx->creds);
399
400 if (gss_maj != 0
401 && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
402 DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
403 gse_errstr(gse_ctx, gss_maj, gss_min)));
404 status = NT_STATUS_INTERNAL_ERROR;
405 goto done;
406
407 /* This is the error the MIT krb5 1.9 gives when it
408 * implements the function, but we do not specify the
409 * principal. However, when we specify the principal
410 * as host$@REALM the GSS acceptor fails with 'wrong
411 * principal in request'. Work around the issue by
412 * falling back to the alternate approach below. */
413 } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
414 #endif
415 /* FIXME!!!
416 * This call sets the default keytab for the whole server, not
417 * just for this context. Need to find a way that does not alter
418 * the state of the whole server ... */
419 {
420 const char *ktname;
421 gss_OID_set_desc mech_set;
422
423 ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
424 gse_ctx->keytab, &ktname);
425 if (ret) {
426 status = NT_STATUS_INTERNAL_ERROR;
427 goto done;
428 }
429
430 ret = gsskrb5_register_acceptor_identity(ktname);
431 if (ret) {
432 status = NT_STATUS_INTERNAL_ERROR;
433 goto done;
434 }
435
436 mech_set.count = 1;
437 mech_set.elements = &gse_ctx->gss_mech;
438
439 gss_maj = gss_acquire_cred(&gss_min,
440 GSS_C_NO_NAME,
441 GSS_C_INDEFINITE,
442 &mech_set,
443 GSS_C_ACCEPT,
444 &gse_ctx->creds,
445 NULL, NULL);
446
447 if (gss_maj) {
448 DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
449 gse_errstr(gse_ctx, gss_maj, gss_min)));
450 status = NT_STATUS_INTERNAL_ERROR;
451 goto done;
452 }
453 }
454
455 status = NT_STATUS_OK;
456
457 done:
458 if (!NT_STATUS_IS_OK(status)) {
459 TALLOC_FREE(gse_ctx);
460 }
461
462 *_gse_ctx = gse_ctx;
463 return status;
464 }
465
466 static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
467 struct gse_context *gse_ctx,
468 const DATA_BLOB *token_in,
469 DATA_BLOB *token_out)
470 {
471 OM_uint32 gss_maj, gss_min;
472 gss_buffer_desc in_data;
473 gss_buffer_desc out_data;
474 DATA_BLOB blob = data_blob_null;
475 NTSTATUS status;
476
477 in_data.value = token_in->data;
478 in_data.length = token_in->length;
479
480 gss_maj = gss_accept_sec_context(&gss_min,
481 &gse_ctx->gssapi_context,
482 gse_ctx->creds,
483 &in_data,
484 GSS_C_NO_CHANNEL_BINDINGS,
485 &gse_ctx->client_name,
486 &gse_ctx->ret_mech,
487 &out_data,
488 &gse_ctx->ret_flags, NULL,
489 &gse_ctx->delegated_cred_handle);
490 switch (gss_maj) {
491 case GSS_S_COMPLETE:
492 /* we are done with it */
493 gse_ctx->more_processing = false;
494 gse_ctx->authenticated = true;
495 status = NT_STATUS_OK;
496 break;
497 case GSS_S_CONTINUE_NEEDED:
498 /* we will need a third leg */
499 gse_ctx->more_processing = true;
500 /* status = NT_STATUS_MORE_PROCESSING_REQUIRED; */
501 status = NT_STATUS_OK;
502 break;
503 default:
504 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
505 gse_errstr(talloc_tos(), gss_maj, gss_min)));
506
507 if (gse_ctx->gssapi_context) {
508 gss_delete_sec_context(&gss_min,
509 &gse_ctx->gssapi_context,
510 GSS_C_NO_BUFFER);
511 }
512
513 status = NT_STATUS_INTERNAL_ERROR;
514 goto done;
515 }
516
517 /* we may be told to return nothing */
518 if (out_data.length) {
519 blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
520 if (!blob.data) {
521 status = NT_STATUS_NO_MEMORY;
522 }
523 gss_maj = gss_release_buffer(&gss_min, &out_data);
524 }
525
526
527 done:
528 *token_out = blob;
529 return status;
530 }
531
532 static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
533 {
534 if (!gse_ctx->authenticated) {
535 return NT_STATUS_INVALID_HANDLE;
536 }
537
538 if (memcmp(gse_ctx->ret_mech,
539 gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
540 return NT_STATUS_ACCESS_DENIED;
541 }
542
543 /* GSS_C_MUTUAL_FLAG */
544 if (gse_ctx->gss_c_flags & GSS_C_MUTUAL_FLAG) {
545 if (!(gse_ctx->ret_flags & GSS_C_MUTUAL_FLAG)) {
546 return NT_STATUS_ACCESS_DENIED;
547 }
548 }
549
550 /* GSS_C_DELEG_FLAG */
551 /* GSS_C_DELEG_POLICY_FLAG */
552 /* GSS_C_REPLAY_FLAG */
553 /* GSS_C_SEQUENCE_FLAG */
554
555 /* GSS_C_INTEG_FLAG */
556 if (gse_ctx->gss_c_flags & GSS_C_INTEG_FLAG) {
557 if (!(gse_ctx->ret_flags & GSS_C_INTEG_FLAG)) {
558 return NT_STATUS_ACCESS_DENIED;
559 }
560 }
561
562 /* GSS_C_CONF_FLAG */
563 if (gse_ctx->gss_c_flags & GSS_C_CONF_FLAG) {
564 if (!(gse_ctx->ret_flags & GSS_C_CONF_FLAG)) {
565 return NT_STATUS_ACCESS_DENIED;
566 }
567 }
568
569 return NT_STATUS_OK;
570 }
571
572 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
573 {
574 OM_uint32 gss_min, gss_maj;
575 gss_buffer_desc msg_min;
576 gss_buffer_desc msg_maj;
577 OM_uint32 msg_ctx = 0;
578
579 char *errstr = NULL;
580
581 ZERO_STRUCT(msg_min);
582 ZERO_STRUCT(msg_maj);
583
584 gss_maj = gss_display_status(&gss_min, maj, GSS_C_GSS_CODE,
585 GSS_C_NO_OID, &msg_ctx, &msg_maj);
586 if (gss_maj) {
587 goto done;
588 }
589 errstr = talloc_strndup(mem_ctx,
590 (char *)msg_maj.value,
591 msg_maj.length);
592 if (!errstr) {
593 goto done;
594 }
595 gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE,
596 (gss_OID)discard_const(gss_mech_krb5),
597 &msg_ctx, &msg_min);
598 if (gss_maj) {
599 goto done;
600 }
601
602 errstr = talloc_strdup_append_buffer(errstr, ": ");
603 if (!errstr) {
604 goto done;
605 }
606 errstr = talloc_strndup_append_buffer(errstr,
607 (char *)msg_min.value,
608 msg_min.length);
609 if (!errstr) {
610 goto done;
611 }
612
613 done:
614 if (msg_min.value) {
615 gss_maj = gss_release_buffer(&gss_min, &msg_min);
616 }
617 if (msg_maj.value) {
618 gss_maj = gss_release_buffer(&gss_min, &msg_maj);
619 }
620 return errstr;
621 }
622
623 static DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
624 struct gse_context *gse_ctx)
625 {
626 OM_uint32 gss_min, gss_maj;
627 gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
628 DATA_BLOB ret;
629
630 gss_maj = gss_inquire_sec_context_by_oid(
631 &gss_min, gse_ctx->gssapi_context,
632 &gse_sesskey_inq_oid, &set);
633 if (gss_maj) {
634 DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
635 gse_errstr(talloc_tos(), gss_maj, gss_min)));
636 return data_blob_null;
637 }
638
639 if ((set == GSS_C_NO_BUFFER_SET) ||
640 (set->count != 2) ||
641 (memcmp(set->elements[1].value,
642 gse_sesskeytype_oid.elements,
643 gse_sesskeytype_oid.length) != 0)) {
644 #ifdef HAVE_GSSKRB5_GET_SUBKEY
645 krb5_keyblock *subkey;
646 gss_maj = gsskrb5_get_subkey(&gss_min,
647 gse_ctx->gssapi_context,
648 &subkey);
649 if (gss_maj != 0) {
650 DEBUG(1, ("NO session key for this mech\n"));
651 return data_blob_null;
652 }
653 ret = data_blob_talloc(mem_ctx,
654 KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
655 krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
656 return ret;
657 #else
658 DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
659 "OID for data in results:\n"));
660 dump_data(1, (uint8_t *)set->elements[1].value,
661 set->elements[1].length);
662 return data_blob_null;
663 #endif
664 }
665
666 ret = data_blob_talloc(mem_ctx, set->elements[0].value,
667 set->elements[0].length);
668
669 gss_maj = gss_release_buffer_set(&gss_min, &set);
670 return ret;
671 }
672
673 static size_t gse_get_signature_length(struct gse_context *gse_ctx,
674 bool seal, size_t payload_size)
675 {
676 OM_uint32 gss_min, gss_maj;
677 gss_iov_buffer_desc iov[2];
678 int sealed;
679
680 /*
681 * gss_wrap_iov_length() only needs the type and length
682 */
683 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
684 iov[0].buffer.value = NULL;
685 iov[0].buffer.length = 0;
686 iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
687 iov[1].buffer.value = NULL;
688 iov[1].buffer.length = payload_size;
689
690 gss_maj = gss_wrap_iov_length(&gss_min, gse_ctx->gssapi_context,
691 seal, GSS_C_QOP_DEFAULT,
692 &sealed, iov, 2);
693 if (gss_maj) {
694 DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
695 gse_errstr(talloc_tos(), gss_maj, gss_min)));
696 return 0;
697 }
698
699 return iov[0].buffer.length;
700 }
701
702 static NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
703 DATA_BLOB *data, DATA_BLOB *signature)
704 {
705 OM_uint32 gss_min, gss_maj;
706 gss_iov_buffer_desc iov[2];
707 int req_seal = 1; /* setting to 1 means we request sign+seal */
708 int sealed = 1;
709 NTSTATUS status;
710
711 /* allocate the memory ourselves so we do not need to talloc_memdup */
712 signature->length = gse_get_signature_length(gse_ctx, true, data->length);
713 if (!signature->length) {
714 return NT_STATUS_INTERNAL_ERROR;
715 }
716 signature->data = (uint8_t *)talloc_size(mem_ctx, signature->length);
717 if (!signature->data) {
718 return NT_STATUS_NO_MEMORY;
719 }
720 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
721 iov[0].buffer.value = signature->data;
722 iov[0].buffer.length = signature->length;
723
724 /* data is encrypted in place, which is ok */
725 iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
726 iov[1].buffer.value = data->data;
727 iov[1].buffer.length = data->length;
728
729 gss_maj = gss_wrap_iov(&gss_min, gse_ctx->gssapi_context,
730 req_seal, GSS_C_QOP_DEFAULT,
731 &sealed, iov, 2);
732 if (gss_maj) {
733 DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
734 gse_errstr(talloc_tos(), gss_maj, gss_min)));
735 status = NT_STATUS_ACCESS_DENIED;
736 goto done;
737 }
738
739 if (!sealed) {
740 DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
741 status = NT_STATUS_ACCESS_DENIED;
742 goto done;
743 }
744
745 status = NT_STATUS_OK;
746
747 DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
748 (int)iov[1].buffer.length, (int)iov[0].buffer.length));
749
750 done:
751 return status;
752 }
753
754 static NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
755 DATA_BLOB *data, const DATA_BLOB *signature)
756 {
757 OM_uint32 gss_min, gss_maj;
758 gss_iov_buffer_desc iov[2];
759 int sealed;
760 NTSTATUS status;
761
762 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
763 iov[0].buffer.value = signature->data;
764 iov[0].buffer.length = signature->length;
765
766 /* data is decrypted in place, which is ok */
767 iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
768 iov[1].buffer.value = data->data;
769 iov[1].buffer.length = data->length;
770
771 gss_maj = gss_unwrap_iov(&gss_min, gse_ctx->gssapi_context,
772 &sealed, NULL, iov, 2);
773 if (gss_maj) {
774 DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
775 gse_errstr(talloc_tos(), gss_maj, gss_min)));
776 status = NT_STATUS_ACCESS_DENIED;
777 goto done;
778 }
779
780 if (!sealed) {
781 DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
782 status = NT_STATUS_ACCESS_DENIED;
783 goto done;
784 }
785
786 status = NT_STATUS_OK;
787
788 DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
789 (int)iov[1].buffer.length, (int)iov[0].buffer.length));
790
791 done:
792 return status;
793 }
794
795 static NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
796 DATA_BLOB *data, DATA_BLOB *signature)
797 {
798 OM_uint32 gss_min, gss_maj;
799 gss_buffer_desc in_data = { 0, NULL };
800 gss_buffer_desc out_data = { 0, NULL};
801 NTSTATUS status;
802
803 in_data.value = data->data;
804 in_data.length = data->length;
805
806 gss_maj = gss_get_mic(&gss_min, gse_ctx->gssapi_context,
807 GSS_C_QOP_DEFAULT,
808 &in_data, &out_data);
809 if (gss_maj) {
810 DEBUG(0, ("gss_get_mic failed with [%s]\n",
811 gse_errstr(talloc_tos(), gss_maj, gss_min)));
812 status = NT_STATUS_ACCESS_DENIED;
813 goto done;
814 }
815
816 *signature = data_blob_talloc(mem_ctx,
817 out_data.value, out_data.length);
818 if (!signature->data) {
819 status = NT_STATUS_NO_MEMORY;
820 goto done;
821 }
822
823 status = NT_STATUS_OK;
824
825 done:
826 if (out_data.value) {
827 gss_maj = gss_release_buffer(&gss_min, &out_data);
828 }
829 return status;
830 }
831
832 static NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
833 const DATA_BLOB *data, const DATA_BLOB *signature)
834 {
835 OM_uint32 gss_min, gss_maj;
836 gss_buffer_desc in_data = { 0, NULL };
837 gss_buffer_desc in_token = { 0, NULL};
838 NTSTATUS status;
839
840 in_data.value = data->data;
841 in_data.length = data->length;
842 in_token.value = signature->data;
843 in_token.length = signature->length;
844
845 gss_maj = gss_verify_mic(&gss_min, gse_ctx->gssapi_context,
846 &in_data, &in_token, NULL);
847 if (gss_maj) {
848 DEBUG(0, ("gss_verify_mic failed with [%s]\n",
849 gse_errstr(talloc_tos(), gss_maj, gss_min)));
850 status = NT_STATUS_ACCESS_DENIED;
851 goto done;
852 }
853
854 status = NT_STATUS_OK;
855
856 done:
857 return status;
858 }
859
860 static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security)
861 {
862 struct gse_context *gse_ctx;
863 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
864 NTSTATUS nt_status;
865 OM_uint32 want_flags = 0;
866 bool do_sign = false, do_seal = false;
867 const char *hostname = gensec_get_target_hostname(gensec_security);
868 const char *service = gensec_get_target_service(gensec_security);
869 const char *username = cli_credentials_get_username(creds);
870 const char *password = cli_credentials_get_password(creds);
871
872 if (!hostname) {
873 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
874 return NT_STATUS_INVALID_PARAMETER;
875 }
876 if (is_ipaddress(hostname)) {
877 DEBUG(2, ("Cannot do GSE to an IP address\n"));
878 return NT_STATUS_INVALID_PARAMETER;
879 }
880 if (strcmp(hostname, "localhost") == 0) {
881 DEBUG(2, ("GSE to 'localhost' does not make sense\n"));
882 return NT_STATUS_INVALID_PARAMETER;
883 }
884
885 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
886 do_sign = true;
887 }
888 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
889 do_seal = true;
890 }
891 if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
892 want_flags |= GSS_C_DCE_STYLE;
893 }
894
895 nt_status = gse_init_client(gensec_security, do_sign, do_seal, NULL,
896 hostname, service,
897 username, password, want_flags,
898 &gse_ctx);
899 if (!NT_STATUS_IS_OK(nt_status)) {
900 return nt_status;
901 }
902 gensec_security->private_data = gse_ctx;
903 return NT_STATUS_OK;
904 }
905
906 static NTSTATUS gensec_gse_server_start(struct gensec_security *gensec_security)
907 {
908 struct gse_context *gse_ctx;
909 NTSTATUS nt_status;
910 OM_uint32 want_flags = 0;
911 bool do_sign = false, do_seal = false;
912
913 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
914 do_sign = true;
915 }
916 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
917 do_seal = true;
918 }
919 if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
920 want_flags |= GSS_C_DCE_STYLE;
921 }
922
923 nt_status = gse_init_server(gensec_security, do_sign, do_seal, want_flags,
924 &gse_ctx);
925 if (!NT_STATUS_IS_OK(nt_status)) {
926 return nt_status;
927 }
928 gensec_security->private_data = gse_ctx;
929 return NT_STATUS_OK;
930 }
931
932 /**
933 * Check if the packet is one for this mechansim
934 *
935 * @param gensec_security GENSEC state
936 * @param in The request, as a DATA_BLOB
937 * @return Error, INVALID_PARAMETER if it's not a packet for us
938 * or NT_STATUS_OK if the packet is ok.
939 */
940
941 static NTSTATUS gensec_gse_magic(struct gensec_security *gensec_security,
942 const DATA_BLOB *in)
943 {
944 if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
945 return NT_STATUS_OK;
946 } else {
947 return NT_STATUS_INVALID_PARAMETER;
948 }
949 }
950
951
952 /**
953 * Next state function for the GSE GENSEC mechanism
954 *
955 * @param gensec_gse_state GSE State
956 * @param mem_ctx The TALLOC_CTX for *out to be allocated on
957 * @param in The request, as a DATA_BLOB
958 * @param out The reply, as an talloc()ed DATA_BLOB, on *mem_ctx
959 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
960 * or NT_STATUS_OK if the user is authenticated.
961 */
962
963 static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security,
964 TALLOC_CTX *mem_ctx,
965 struct tevent_context *ev,
966 const DATA_BLOB in, DATA_BLOB *out)
967 {
968 NTSTATUS status;
969 struct gse_context *gse_ctx =
970 talloc_get_type_abort(gensec_security->private_data,
971 struct gse_context);
972
973 switch (gensec_security->gensec_role) {
974 case GENSEC_CLIENT:
975 status = gse_get_client_auth_token(mem_ctx, gse_ctx,
976 &in, out);
977 break;
978 case GENSEC_SERVER:
979 status = gse_get_server_auth_token(mem_ctx, gse_ctx,
980 &in, out);
981 break;
982 }
983 if (!NT_STATUS_IS_OK(status)) {
984 return status;
985 }
986 if (gse_ctx->more_processing) {
987 return NT_STATUS_MORE_PROCESSING_REQUIRED;
988 }
989
990 if (gensec_security->gensec_role == GENSEC_SERVER) {
991 return gse_verify_server_auth_flags(gse_ctx);
992 }
993
994 return NT_STATUS_OK;
995 }
996
997 static NTSTATUS gensec_gse_wrap(struct gensec_security *gensec_security,
998 TALLOC_CTX *mem_ctx,
999 const DATA_BLOB *in,
1000 DATA_BLOB *out)
1001 {
1002 struct gse_context *gse_ctx =
1003 talloc_get_type_abort(gensec_security->private_data,
1004 struct gse_context);
1005 OM_uint32 maj_stat, min_stat;
1006 gss_buffer_desc input_token, output_token;
1007 int conf_state;
1008 input_token.length = in->length;
1009 input_token.value = in->data;
1010
1011 maj_stat = gss_wrap(&min_stat,
1012 gse_ctx->gssapi_context,
1013 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
1014 GSS_C_QOP_DEFAULT,
1015 &input_token,
1016 &conf_state,
1017 &output_token);
1018 if (GSS_ERROR(maj_stat)) {
1019 DEBUG(0, ("gensec_gse_wrap: GSS Wrap failed: %s\n",
1020 gse_errstr(talloc_tos(), maj_stat, min_stat)));
1021 return NT_STATUS_ACCESS_DENIED;
1022 }
1023
1024 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1025 gss_release_buffer(&min_stat, &output_token);
1026
1027 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1028 && !conf_state) {
1029 return NT_STATUS_ACCESS_DENIED;
1030 }
1031 return NT_STATUS_OK;
1032 }
1033
1034 static NTSTATUS gensec_gse_unwrap(struct gensec_security *gensec_security,
1035 TALLOC_CTX *mem_ctx,
1036 const DATA_BLOB *in,
1037 DATA_BLOB *out)
1038 {
1039 struct gse_context *gse_ctx =
1040 talloc_get_type_abort(gensec_security->private_data,
1041 struct gse_context);
1042 OM_uint32 maj_stat, min_stat;
1043 gss_buffer_desc input_token, output_token;
1044 int conf_state;
1045 gss_qop_t qop_state;
1046 input_token.length = in->length;
1047 input_token.value = in->data;
1048
1049 maj_stat = gss_unwrap(&min_stat,
1050 gse_ctx->gssapi_context,
1051 &input_token,
1052 &output_token,
1053 &conf_state,
1054 &qop_state);
1055 if (GSS_ERROR(maj_stat)) {
1056 DEBUG(0, ("gensec_gse_unwrap: GSS UnWrap failed: %s\n",
1057 gse_errstr(talloc_tos(), maj_stat, min_stat)));
1058 return NT_STATUS_ACCESS_DENIED;
1059 }
1060
1061 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
1062 gss_release_buffer(&min_stat, &output_token);
1063
1064 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1065 && !conf_state) {
1066 return NT_STATUS_ACCESS_DENIED;
1067 }
1068 return NT_STATUS_OK;
1069 }
1070
1071 static NTSTATUS gensec_gse_seal_packet(struct gensec_security *gensec_security,
1072 TALLOC_CTX *mem_ctx,
1073 uint8_t *data, size_t length,
1074 const uint8_t *whole_pdu, size_t pdu_length,
1075 DATA_BLOB *sig)
1076 {
1077 struct gse_context *gse_ctx =
1078 talloc_get_type_abort(gensec_security->private_data,
1079 struct gse_context);
1080 DATA_BLOB payload = data_blob_const(data, length);
1081 return gse_seal(mem_ctx, gse_ctx, &payload, sig);
1082 }
1083
1084 static NTSTATUS gensec_gse_unseal_packet(struct gensec_security *gensec_security,
1085 uint8_t *data, size_t length,
1086 const uint8_t *whole_pdu, size_t pdu_length,
1087 const DATA_BLOB *sig)
1088 {
1089 struct gse_context *gse_ctx =
1090 talloc_get_type_abort(gensec_security->private_data,
1091 struct gse_context);
1092 DATA_BLOB payload = data_blob_const(data, length);
1093 return gse_unseal(talloc_tos() /* unused */, gse_ctx, &payload, sig);
1094 }
1095
1096 static NTSTATUS gensec_gse_sign_packet(struct gensec_security *gensec_security,
1097 TALLOC_CTX *mem_ctx,
1098 const uint8_t *data, size_t length,
1099 const uint8_t *whole_pdu, size_t pdu_length,
1100 DATA_BLOB *sig)
1101 {
1102 struct gse_context *gse_ctx =
1103 talloc_get_type_abort(gensec_security->private_data,
1104 struct gse_context);
1105 DATA_BLOB payload = data_blob_const(data, length);
1106 return gse_sign(mem_ctx, gse_ctx, &payload, sig);
1107 }
1108
1109 static NTSTATUS gensec_gse_check_packet(struct gensec_security *gensec_security,
1110 const uint8_t *data, size_t length,
1111 const uint8_t *whole_pdu, size_t pdu_length,
1112 const DATA_BLOB *sig)
1113 {
1114 struct gse_context *gse_ctx =
1115 talloc_get_type_abort(gensec_security->private_data,
1116 struct gse_context);
1117 DATA_BLOB payload = data_blob_const(data, length);
1118 return gse_sigcheck(NULL, gse_ctx, &payload, sig);
1119 }
1120
1121 /* Try to figure out what features we actually got on the connection */
1122 static bool gensec_gse_have_feature(struct gensec_security *gensec_security,
1123 uint32_t feature)
1124 {
1125 struct gse_context *gse_ctx =
1126 talloc_get_type_abort(gensec_security->private_data,
1127 struct gse_context);
1128
1129 if (feature & GENSEC_FEATURE_SIGN) {
1130 return gse_ctx->ret_flags & GSS_C_INTEG_FLAG;
1131 }
1132 if (feature & GENSEC_FEATURE_SEAL) {
1133 return gse_ctx->ret_flags & GSS_C_CONF_FLAG;
1134 }
1135 if (feature & GENSEC_FEATURE_SESSION_KEY) {
1136 /* Only for GSE/Krb5 */
1137 if (gss_oid_equal(gse_ctx->ret_mech, gss_mech_krb5)) {
1138 return true;
1139 }
1140 }
1141 if (feature & GENSEC_FEATURE_DCE_STYLE) {
1142 return gse_ctx->ret_flags & GSS_C_DCE_STYLE;
1143 }
1144 /* We can always do async (rather than strict request/reply) packets. */
1145 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1146 return true;
1147 }
1148 return false;
1149 }
1150
1151 /*
1152 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1153 * (for encrypting some passwords).
1154 *
1155 * This breaks all the abstractions, but what do you expect...
1156 */
1157 static NTSTATUS gensec_gse_session_key(struct gensec_security *gensec_security,
1158 TALLOC_CTX *mem_ctx,
1159 DATA_BLOB *session_key_out)
1160 {
1161 struct gse_context *gse_ctx =
1162 talloc_get_type_abort(gensec_security->private_data,
1163 struct gse_context);
1164
1165 DATA_BLOB session_key = gse_get_session_key(mem_ctx, gse_ctx);
1166 if (session_key.data == NULL) {
1167 return NT_STATUS_NO_USER_SESSION_KEY;
1168 }
1169
1170 *session_key_out = session_key;
1171
1172 return NT_STATUS_OK;
1173 }
1174
1175 /* Get some basic (and authorization) information about the user on
1176 * this session. This uses either the PAC (if present) or a local
1177 * database lookup */
1178 static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security,
1179 TALLOC_CTX *mem_ctx,
1180 struct auth_session_info **_session_info)
1181 {
1182 struct gse_context *gse_ctx =
1183 talloc_get_type_abort(gensec_security->private_data,
1184 struct gse_context);
1185 NTSTATUS nt_status;
1186 TALLOC_CTX *tmp_ctx;
1187 struct auth_session_info *session_info = NULL;
1188 OM_uint32 maj_stat, min_stat;
1189 DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
1190
1191 gss_buffer_desc name_token;
1192 char *principal_string;
1193
1194 tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gse_session_info context");
1195 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
1196
1197 maj_stat = gss_display_name(&min_stat,
1198 gse_ctx->client_name,
1199 &name_token,
1200 NULL);
1201 if (GSS_ERROR(maj_stat)) {
1202 DEBUG(1, ("GSS display_name failed: %s\n",
1203 gse_errstr(talloc_tos(), maj_stat, min_stat)));
1204 talloc_free(tmp_ctx);
1205 return NT_STATUS_FOOBAR;
1206 }
1207
1208 principal_string = talloc_strndup(tmp_ctx,
1209 (const char *)name_token.value,
1210 name_token.length);
1211
1212 gss_release_buffer(&min_stat, &name_token);
1213
1214 if (!principal_string) {
1215 talloc_free(tmp_ctx);
1216 return NT_STATUS_NO_MEMORY;
1217 }
1218
1219 nt_status = gssapi_obtain_pac_blob(tmp_ctx, gse_ctx->gssapi_context,
1220 gse_ctx->client_name,
1221 &pac_blob);
1222
1223 /* IF we have the PAC - otherwise we need to get this
1224 * data from elsewere
1225 */
1226 if (NT_STATUS_IS_OK(nt_status)) {
1227 pac_blob_ptr = &pac_blob;
1228 }
1229 nt_status = gensec_generate_session_info_pac(tmp_ctx,
1230 gensec_security,
1231 NULL,
1232 pac_blob_ptr, principal_string,
1233 gensec_get_remote_address(gensec_security),
1234 &session_info);
1235 if (!NT_STATUS_IS_OK(nt_status)) {
1236 talloc_free(tmp_ctx);
1237 return nt_status;
1238 }
1239
1240 nt_status = gensec_gse_session_key(gensec_security, session_info,
1241 &session_info->session_key);
1242 if (!NT_STATUS_IS_OK(nt_status)) {
1243 talloc_free(tmp_ctx);
1244 return nt_status;
1245 }
1246
1247 *_session_info = talloc_move(mem_ctx, &session_info);
1248 talloc_free(tmp_ctx);
1249
1250 return NT_STATUS_OK;
1251 }
1252
1253 static size_t gensec_gse_sig_size(struct gensec_security *gensec_security,
1254 size_t data_size)
1255 {
1256 struct gse_context *gse_ctx =
1257 talloc_get_type_abort(gensec_security->private_data,
1258 struct gse_context);
1259
1260 return gse_get_signature_length(gse_ctx,
1261 gensec_security->want_features & GENSEC_FEATURE_SEAL,
1262 data_size);
1263 }
1264
1265 static const char *gensec_gse_krb5_oids[] = {
1266 GENSEC_OID_KERBEROS5_OLD,
1267 GENSEC_OID_KERBEROS5,
1268 NULL
1269 };
1270
1271 const struct gensec_security_ops gensec_gse_krb5_security_ops = {
1272 .name = "gse_krb5",
1273 .auth_type = DCERPC_AUTH_TYPE_KRB5,
1274 .oid = gensec_gse_krb5_oids,
1275 .client_start = gensec_gse_client_start,
1276 .server_start = gensec_gse_server_start,
1277 .magic = gensec_gse_magic,
1278 .update = gensec_gse_update,
1279 .session_key = gensec_gse_session_key,
1280 .session_info = gensec_gse_session_info,
1281 .sig_size = gensec_gse_sig_size,
1282 .sign_packet = gensec_gse_sign_packet,
1283 .check_packet = gensec_gse_check_packet,
1284 .seal_packet = gensec_gse_seal_packet,
1285 .unseal_packet = gensec_gse_unseal_packet,
1286 .wrap = gensec_gse_wrap,
1287 .unwrap = gensec_gse_unwrap,
1288 .have_feature = gensec_gse_have_feature,
1289 .enabled = true,
1290 .kerberos = true,
1291 .priority = GENSEC_GSSAPI
1292 };
1293
1294 #endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */
Samba GIT mirror