2 * GSSAPI Security Extensions
3 * RPC Pipe client and server routines
4 * Copyright (C) Simo Sorce 2010.
5 * Copyright (C) Andrew Bartlett 2004-2011.
6 * Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 /* We support only GSSAPI/KRB5 here */
26 #include "libads/kerberos_proto.h"
27 #include "auth/common_auth.h"
28 #include "auth/gensec/gensec.h"
29 #include "auth/credentials/credentials.h"
30 #include "../librpc/gen_ndr/dcerpc.h"
32 #if defined(HAVE_KRB5)
34 #include "auth/kerberos/pac_utils.h"
37 static char *gse_errstr(TALLOC_CTX
*mem_ctx
, OM_uint32 maj
, OM_uint32 min
);
40 gss_ctx_id_t gssapi_context
;
41 gss_name_t server_name
;
42 gss_name_t client_name
;
43 OM_uint32 gss_want_flags
, gss_got_flags
;
45 gss_cred_id_t delegated_cred_handle
;
54 gss_OID_desc gss_mech
;
60 #ifndef HAVE_GSS_OID_EQUAL
62 static bool gss_oid_equal(const gss_OID o1
, const gss_OID o2
)
67 if ((o1
== NULL
&& o2
!= NULL
) || (o1
!= NULL
&& o2
== NULL
)) {
70 if (o1
->length
!= o2
->length
) {
73 return memcmp(o1
->elements
, o2
->elements
, o1
->length
) == false;
78 /* free non talloc dependent contexts */
79 static int gse_context_destructor(void *ptr
)
81 struct gse_context
*gse_ctx
;
84 gse_ctx
= talloc_get_type_abort(ptr
, struct gse_context
);
86 if (gse_ctx
->ccache
) {
87 krb5_cc_close(gse_ctx
->k5ctx
, gse_ctx
->ccache
);
88 gse_ctx
->ccache
= NULL
;
90 if (gse_ctx
->keytab
) {
91 krb5_kt_close(gse_ctx
->k5ctx
, gse_ctx
->keytab
);
92 gse_ctx
->keytab
= NULL
;
94 krb5_free_context(gse_ctx
->k5ctx
);
95 gse_ctx
->k5ctx
= NULL
;
97 if (gse_ctx
->gssapi_context
!= GSS_C_NO_CONTEXT
) {
98 (void)gss_delete_sec_context(&gss_min
,
99 &gse_ctx
->gssapi_context
,
102 if (gse_ctx
->server_name
) {
103 (void)gss_release_name(&gss_min
,
104 &gse_ctx
->server_name
);
106 if (gse_ctx
->client_name
) {
107 (void)gss_release_name(&gss_min
,
108 &gse_ctx
->client_name
);
110 if (gse_ctx
->creds
) {
111 (void)gss_release_cred(&gss_min
,
114 if (gse_ctx
->delegated_cred_handle
) {
115 (void)gss_release_cred(&gss_min
,
116 &gse_ctx
->delegated_cred_handle
);
119 /* MIT and Heimdal differ as to if you can call
120 * gss_release_oid() on this OID, generated by
121 * gss_{accept,init}_sec_context(). However, as long as the
122 * oid is gss_mech_krb5 (which it always is at the moment),
123 * then this is a moot point, as both declare this particular
124 * OID static, and so no memory is lost. This assert is in
125 * place to ensure that the programmer who wishes to extend
126 * this code to EAP or other GSS mechanisms determines an
127 * implementation-dependent way of releasing any dynamically
129 SMB_ASSERT(gss_oid_equal(&gse_ctx
->gss_mech
, GSS_C_NO_OID
) || gss_oid_equal(&gse_ctx
->gss_mech
, gss_mech_krb5
));
134 static NTSTATUS
gse_context_init(TALLOC_CTX
*mem_ctx
,
135 bool do_sign
, bool do_seal
,
136 const char *ccache_name
,
137 uint32_t add_gss_c_flags
,
138 struct gse_context
**_gse_ctx
)
140 struct gse_context
*gse_ctx
;
141 krb5_error_code k5ret
;
144 gse_ctx
= talloc_zero(mem_ctx
, struct gse_context
);
146 return NT_STATUS_NO_MEMORY
;
148 talloc_set_destructor((TALLOC_CTX
*)gse_ctx
, gse_context_destructor
);
150 gse_ctx
->expire_time
= GENSEC_EXPIRE_TIME_INFINITY
;
152 memcpy(&gse_ctx
->gss_mech
, gss_mech_krb5
, sizeof(gss_OID_desc
));
154 gse_ctx
->gss_want_flags
= GSS_C_MUTUAL_FLAG
|
156 GSS_C_DELEG_POLICY_FLAG
|
160 gse_ctx
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
163 gse_ctx
->gss_want_flags
|= GSS_C_INTEG_FLAG
;
164 gse_ctx
->gss_want_flags
|= GSS_C_CONF_FLAG
;
167 gse_ctx
->gss_want_flags
|= add_gss_c_flags
;
169 /* Initialize Kerberos Context */
170 initialize_krb5_error_table();
172 k5ret
= krb5_init_context(&gse_ctx
->k5ctx
);
174 DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
175 error_message(k5ret
)));
176 status
= NT_STATUS_INTERNAL_ERROR
;
181 ccache_name
= krb5_cc_default_name(gse_ctx
->k5ctx
);
183 k5ret
= krb5_cc_resolve(gse_ctx
->k5ctx
, ccache_name
,
186 DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
187 error_message(k5ret
)));
188 status
= NT_STATUS_INTERNAL_ERROR
;
192 /* TODO: Should we enforce a enc_types list ?
193 ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
200 TALLOC_FREE(gse_ctx
);
204 static NTSTATUS
gse_init_client(TALLOC_CTX
*mem_ctx
,
205 bool do_sign
, bool do_seal
,
206 const char *ccache_name
,
209 const char *username
,
210 const char *password
,
211 uint32_t add_gss_c_flags
,
212 struct gse_context
**_gse_ctx
)
214 struct gse_context
*gse_ctx
;
215 OM_uint32 gss_maj
, gss_min
;
216 gss_buffer_desc name_buffer
= {0, NULL
};
217 gss_OID_set_desc mech_set
;
220 if (!server
|| !service
) {
221 return NT_STATUS_INVALID_PARAMETER
;
224 status
= gse_context_init(mem_ctx
, do_sign
, do_seal
,
225 ccache_name
, add_gss_c_flags
,
227 if (!NT_STATUS_IS_OK(status
)) {
228 return NT_STATUS_NO_MEMORY
;
231 /* Guess the realm based on the supplied service, and avoid the GSS libs
232 doing DNS lookups which may fail.
234 TODO: Loop with the KDC on some more combinations (local
235 realm in particular), possibly falling back to
236 GSS_C_NT_HOSTBASED_SERVICE
238 name_buffer
.value
= kerberos_get_principal_from_service_hostname(
239 gse_ctx
, service
, server
, lp_realm());
240 if (!name_buffer
.value
) {
241 status
= NT_STATUS_NO_MEMORY
;
244 name_buffer
.length
= strlen((char *)name_buffer
.value
);
245 gss_maj
= gss_import_name(&gss_min
, &name_buffer
,
247 &gse_ctx
->server_name
);
249 DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
250 (char *)name_buffer
.value
,
251 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
252 status
= NT_STATUS_INTERNAL_ERROR
;
256 /* TODO: get krb5 ticket using username/password, if no valid
257 * one already available in ccache */
260 mech_set
.elements
= &gse_ctx
->gss_mech
;
262 gss_maj
= gss_acquire_cred(&gss_min
,
270 DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
271 (char *)name_buffer
.value
,
272 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
273 status
= NT_STATUS_INTERNAL_ERROR
;
278 TALLOC_FREE(name_buffer
.value
);
282 TALLOC_FREE(name_buffer
.value
);
283 TALLOC_FREE(gse_ctx
);
287 static NTSTATUS
gse_get_client_auth_token(TALLOC_CTX
*mem_ctx
,
288 struct gse_context
*gse_ctx
,
289 const DATA_BLOB
*token_in
,
290 DATA_BLOB
*token_out
)
292 OM_uint32 gss_maj
, gss_min
;
293 gss_buffer_desc in_data
;
294 gss_buffer_desc out_data
;
295 DATA_BLOB blob
= data_blob_null
;
297 OM_uint32 time_rec
= 0;
300 in_data
.value
= token_in
->data
;
301 in_data
.length
= token_in
->length
;
303 gss_maj
= gss_init_sec_context(&gss_min
,
305 &gse_ctx
->gssapi_context
,
306 gse_ctx
->server_name
,
308 gse_ctx
->gss_want_flags
,
309 0, GSS_C_NO_CHANNEL_BINDINGS
,
310 &in_data
, NULL
, &out_data
,
311 &gse_ctx
->gss_got_flags
, &time_rec
);
314 /* we are done with it */
315 tv
= timeval_current_ofs(time_rec
, 0);
316 gse_ctx
->expire_time
= timeval_to_nttime(&tv
);
318 status
= NT_STATUS_OK
;
320 case GSS_S_CONTINUE_NEEDED
:
321 /* we will need a third leg */
322 status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
325 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
326 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
327 status
= NT_STATUS_INTERNAL_ERROR
;
331 /* we may be told to return nothing */
332 if (out_data
.length
) {
333 blob
= data_blob_talloc(mem_ctx
, out_data
.value
, out_data
.length
);
335 status
= NT_STATUS_NO_MEMORY
;
338 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
346 static NTSTATUS
gse_init_server(TALLOC_CTX
*mem_ctx
,
347 bool do_sign
, bool do_seal
,
348 uint32_t add_gss_c_flags
,
349 struct gse_context
**_gse_ctx
)
351 struct gse_context
*gse_ctx
;
352 OM_uint32 gss_maj
, gss_min
;
356 status
= gse_context_init(mem_ctx
, do_sign
, do_seal
,
357 NULL
, add_gss_c_flags
, &gse_ctx
);
358 if (!NT_STATUS_IS_OK(status
)) {
359 return NT_STATUS_NO_MEMORY
;
362 ret
= gse_krb5_get_server_keytab(gse_ctx
->k5ctx
,
365 status
= NT_STATUS_INTERNAL_ERROR
;
369 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
371 /* This creates a GSSAPI cred_id_t with the keytab set */
372 gss_maj
= gss_krb5_import_cred(&gss_min
, NULL
, NULL
, gse_ctx
->keytab
,
376 && gss_maj
!= (GSS_S_CALL_BAD_STRUCTURE
|GSS_S_BAD_NAME
)) {
377 DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
378 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
379 status
= NT_STATUS_INTERNAL_ERROR
;
382 /* This is the error the MIT krb5 1.9 gives when it
383 * implements the function, but we do not specify the
384 * principal. However, when we specify the principal
385 * as host$@REALM the GSS acceptor fails with 'wrong
386 * principal in request'. Work around the issue by
387 * falling back to the alternate approach below. */
388 } else if (gss_maj
== (GSS_S_CALL_BAD_STRUCTURE
|GSS_S_BAD_NAME
))
391 * This call sets the default keytab for the whole server, not
392 * just for this context. Need to find a way that does not alter
393 * the state of the whole server ... */
396 gss_OID_set_desc mech_set
;
398 ret
= smb_krb5_keytab_name(gse_ctx
, gse_ctx
->k5ctx
,
399 gse_ctx
->keytab
, &ktname
);
401 status
= NT_STATUS_INTERNAL_ERROR
;
405 ret
= gsskrb5_register_acceptor_identity(ktname
);
407 status
= NT_STATUS_INTERNAL_ERROR
;
412 mech_set
.elements
= &gse_ctx
->gss_mech
;
414 gss_maj
= gss_acquire_cred(&gss_min
,
423 DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
424 gse_errstr(gse_ctx
, gss_maj
, gss_min
)));
425 status
= NT_STATUS_INTERNAL_ERROR
;
430 status
= NT_STATUS_OK
;
433 if (!NT_STATUS_IS_OK(status
)) {
434 TALLOC_FREE(gse_ctx
);
441 static NTSTATUS
gse_get_server_auth_token(TALLOC_CTX
*mem_ctx
,
442 struct gse_context
*gse_ctx
,
443 const DATA_BLOB
*token_in
,
444 DATA_BLOB
*token_out
)
446 OM_uint32 gss_maj
, gss_min
;
447 gss_buffer_desc in_data
;
448 gss_buffer_desc out_data
;
449 DATA_BLOB blob
= data_blob_null
;
451 OM_uint32 time_rec
= 0;
454 in_data
.value
= token_in
->data
;
455 in_data
.length
= token_in
->length
;
457 gss_maj
= gss_accept_sec_context(&gss_min
,
458 &gse_ctx
->gssapi_context
,
461 GSS_C_NO_CHANNEL_BINDINGS
,
462 &gse_ctx
->client_name
,
465 &gse_ctx
->gss_got_flags
,
467 &gse_ctx
->delegated_cred_handle
);
470 /* we are done with it */
471 tv
= timeval_current_ofs(time_rec
, 0);
472 gse_ctx
->expire_time
= timeval_to_nttime(&tv
);
474 status
= NT_STATUS_OK
;
476 case GSS_S_CONTINUE_NEEDED
:
477 /* we will need a third leg */
478 status
= NT_STATUS_MORE_PROCESSING_REQUIRED
;
481 DEBUG(1, ("gss_accept_sec_context failed with [%s]\n",
482 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
484 if (gse_ctx
->gssapi_context
) {
485 gss_delete_sec_context(&gss_min
,
486 &gse_ctx
->gssapi_context
,
490 status
= NT_STATUS_LOGON_FAILURE
;
494 /* we may be told to return nothing */
495 if (out_data
.length
) {
496 blob
= data_blob_talloc(mem_ctx
, out_data
.value
, out_data
.length
);
498 status
= NT_STATUS_NO_MEMORY
;
500 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
509 static char *gse_errstr(TALLOC_CTX
*mem_ctx
, OM_uint32 maj
, OM_uint32 min
)
511 OM_uint32 gss_min
, gss_maj
;
512 gss_buffer_desc msg_min
;
513 gss_buffer_desc msg_maj
;
514 OM_uint32 msg_ctx
= 0;
518 ZERO_STRUCT(msg_min
);
519 ZERO_STRUCT(msg_maj
);
521 gss_maj
= gss_display_status(&gss_min
, maj
, GSS_C_GSS_CODE
,
522 GSS_C_NO_OID
, &msg_ctx
, &msg_maj
);
526 errstr
= talloc_strndup(mem_ctx
,
527 (char *)msg_maj
.value
,
532 gss_maj
= gss_display_status(&gss_min
, min
, GSS_C_MECH_CODE
,
533 (gss_OID
)discard_const(gss_mech_krb5
),
539 errstr
= talloc_strdup_append_buffer(errstr
, ": ");
543 errstr
= talloc_strndup_append_buffer(errstr
,
544 (char *)msg_min
.value
,
552 gss_maj
= gss_release_buffer(&gss_min
, &msg_min
);
555 gss_maj
= gss_release_buffer(&gss_min
, &msg_maj
);
560 static size_t gse_get_signature_length(struct gse_context
*gse_ctx
,
561 bool seal
, size_t payload_size
)
563 OM_uint32 gss_min
, gss_maj
;
564 gss_iov_buffer_desc iov
[2];
568 * gss_wrap_iov_length() only needs the type and length
570 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
571 iov
[0].buffer
.value
= NULL
;
572 iov
[0].buffer
.length
= 0;
573 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
574 iov
[1].buffer
.value
= NULL
;
575 iov
[1].buffer
.length
= payload_size
;
577 gss_maj
= gss_wrap_iov_length(&gss_min
, gse_ctx
->gssapi_context
,
578 seal
, GSS_C_QOP_DEFAULT
,
581 DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
582 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
586 return iov
[0].buffer
.length
;
589 static NTSTATUS
gse_seal(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
590 DATA_BLOB
*data
, DATA_BLOB
*signature
)
592 OM_uint32 gss_min
, gss_maj
;
593 gss_iov_buffer_desc iov
[2];
594 int req_seal
= 1; /* setting to 1 means we request sign+seal */
598 /* allocate the memory ourselves so we do not need to talloc_memdup */
599 signature
->length
= gse_get_signature_length(gse_ctx
, true, data
->length
);
600 if (!signature
->length
) {
601 return NT_STATUS_INTERNAL_ERROR
;
603 signature
->data
= (uint8_t *)talloc_size(mem_ctx
, signature
->length
);
604 if (!signature
->data
) {
605 return NT_STATUS_NO_MEMORY
;
607 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
608 iov
[0].buffer
.value
= signature
->data
;
609 iov
[0].buffer
.length
= signature
->length
;
611 /* data is encrypted in place, which is ok */
612 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
613 iov
[1].buffer
.value
= data
->data
;
614 iov
[1].buffer
.length
= data
->length
;
616 gss_maj
= gss_wrap_iov(&gss_min
, gse_ctx
->gssapi_context
,
617 req_seal
, GSS_C_QOP_DEFAULT
,
620 DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
621 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
622 status
= NT_STATUS_ACCESS_DENIED
;
627 DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
628 status
= NT_STATUS_ACCESS_DENIED
;
632 status
= NT_STATUS_OK
;
634 DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
635 (int)iov
[1].buffer
.length
, (int)iov
[0].buffer
.length
));
641 static NTSTATUS
gse_unseal(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
642 DATA_BLOB
*data
, const DATA_BLOB
*signature
)
644 OM_uint32 gss_min
, gss_maj
;
645 gss_iov_buffer_desc iov
[2];
649 iov
[0].type
= GSS_IOV_BUFFER_TYPE_HEADER
;
650 iov
[0].buffer
.value
= signature
->data
;
651 iov
[0].buffer
.length
= signature
->length
;
653 /* data is decrypted in place, which is ok */
654 iov
[1].type
= GSS_IOV_BUFFER_TYPE_DATA
;
655 iov
[1].buffer
.value
= data
->data
;
656 iov
[1].buffer
.length
= data
->length
;
658 gss_maj
= gss_unwrap_iov(&gss_min
, gse_ctx
->gssapi_context
,
659 &sealed
, NULL
, iov
, 2);
661 DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
662 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
663 status
= NT_STATUS_ACCESS_DENIED
;
668 DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
669 status
= NT_STATUS_ACCESS_DENIED
;
673 status
= NT_STATUS_OK
;
675 DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
676 (int)iov
[1].buffer
.length
, (int)iov
[0].buffer
.length
));
682 static NTSTATUS
gse_sign(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
683 DATA_BLOB
*data
, DATA_BLOB
*signature
)
685 OM_uint32 gss_min
, gss_maj
;
686 gss_buffer_desc in_data
= { 0, NULL
};
687 gss_buffer_desc out_data
= { 0, NULL
};
690 in_data
.value
= data
->data
;
691 in_data
.length
= data
->length
;
693 gss_maj
= gss_get_mic(&gss_min
, gse_ctx
->gssapi_context
,
695 &in_data
, &out_data
);
697 DEBUG(0, ("gss_get_mic failed with [%s]\n",
698 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
699 status
= NT_STATUS_ACCESS_DENIED
;
703 *signature
= data_blob_talloc(mem_ctx
,
704 out_data
.value
, out_data
.length
);
705 if (!signature
->data
) {
706 status
= NT_STATUS_NO_MEMORY
;
710 status
= NT_STATUS_OK
;
713 if (out_data
.value
) {
714 gss_maj
= gss_release_buffer(&gss_min
, &out_data
);
719 static NTSTATUS
gse_sigcheck(TALLOC_CTX
*mem_ctx
, struct gse_context
*gse_ctx
,
720 const DATA_BLOB
*data
, const DATA_BLOB
*signature
)
722 OM_uint32 gss_min
, gss_maj
;
723 gss_buffer_desc in_data
= { 0, NULL
};
724 gss_buffer_desc in_token
= { 0, NULL
};
727 in_data
.value
= data
->data
;
728 in_data
.length
= data
->length
;
729 in_token
.value
= signature
->data
;
730 in_token
.length
= signature
->length
;
732 gss_maj
= gss_verify_mic(&gss_min
, gse_ctx
->gssapi_context
,
733 &in_data
, &in_token
, NULL
);
735 DEBUG(0, ("gss_verify_mic failed with [%s]\n",
736 gse_errstr(talloc_tos(), gss_maj
, gss_min
)));
737 status
= NT_STATUS_ACCESS_DENIED
;
741 status
= NT_STATUS_OK
;
747 static NTSTATUS
gensec_gse_client_start(struct gensec_security
*gensec_security
)
749 struct gse_context
*gse_ctx
;
750 struct cli_credentials
*creds
= gensec_get_credentials(gensec_security
);
752 OM_uint32 want_flags
= 0;
753 bool do_sign
= false, do_seal
= false;
754 const char *hostname
= gensec_get_target_hostname(gensec_security
);
755 const char *service
= gensec_get_target_service(gensec_security
);
756 const char *username
= cli_credentials_get_username(creds
);
757 const char *password
= cli_credentials_get_password(creds
);
760 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
761 return NT_STATUS_INVALID_PARAMETER
;
763 if (is_ipaddress(hostname
)) {
764 DEBUG(2, ("Cannot do GSE to an IP address\n"));
765 return NT_STATUS_INVALID_PARAMETER
;
767 if (strcmp(hostname
, "localhost") == 0) {
768 DEBUG(2, ("GSE to 'localhost' does not make sense\n"));
769 return NT_STATUS_INVALID_PARAMETER
;
772 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
775 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
778 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
779 want_flags
|= GSS_C_DCE_STYLE
;
782 nt_status
= gse_init_client(gensec_security
, do_sign
, do_seal
, NULL
,
784 username
, password
, want_flags
,
786 if (!NT_STATUS_IS_OK(nt_status
)) {
789 gensec_security
->private_data
= gse_ctx
;
793 static NTSTATUS
gensec_gse_server_start(struct gensec_security
*gensec_security
)
795 struct gse_context
*gse_ctx
;
797 OM_uint32 want_flags
= 0;
798 bool do_sign
= false, do_seal
= false;
800 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
803 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
806 if (gensec_security
->want_features
& GENSEC_FEATURE_DCE_STYLE
) {
807 want_flags
|= GSS_C_DCE_STYLE
;
810 nt_status
= gse_init_server(gensec_security
, do_sign
, do_seal
, want_flags
,
812 if (!NT_STATUS_IS_OK(nt_status
)) {
815 gensec_security
->private_data
= gse_ctx
;
820 * Next state function for the GSE GENSEC mechanism
822 * @param gensec_gse_state GSE State
823 * @param mem_ctx The TALLOC_CTX for *out to be allocated on
824 * @param in The request, as a DATA_BLOB
825 * @param out The reply, as an talloc()ed DATA_BLOB, on *mem_ctx
826 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
827 * or NT_STATUS_OK if the user is authenticated.
830 static NTSTATUS
gensec_gse_update(struct gensec_security
*gensec_security
,
832 struct tevent_context
*ev
,
833 const DATA_BLOB in
, DATA_BLOB
*out
)
836 struct gse_context
*gse_ctx
=
837 talloc_get_type_abort(gensec_security
->private_data
,
840 switch (gensec_security
->gensec_role
) {
842 status
= gse_get_client_auth_token(mem_ctx
, gse_ctx
,
846 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
850 if (!NT_STATUS_IS_OK(status
)) {
857 static NTSTATUS
gensec_gse_wrap(struct gensec_security
*gensec_security
,
862 struct gse_context
*gse_ctx
=
863 talloc_get_type_abort(gensec_security
->private_data
,
865 OM_uint32 maj_stat
, min_stat
;
866 gss_buffer_desc input_token
, output_token
;
868 input_token
.length
= in
->length
;
869 input_token
.value
= in
->data
;
871 maj_stat
= gss_wrap(&min_stat
,
872 gse_ctx
->gssapi_context
,
873 gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
),
878 if (GSS_ERROR(maj_stat
)) {
879 DEBUG(0, ("gensec_gse_wrap: GSS Wrap failed: %s\n",
880 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
881 return NT_STATUS_ACCESS_DENIED
;
884 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
885 gss_release_buffer(&min_stat
, &output_token
);
887 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
889 return NT_STATUS_ACCESS_DENIED
;
894 static NTSTATUS
gensec_gse_unwrap(struct gensec_security
*gensec_security
,
899 struct gse_context
*gse_ctx
=
900 talloc_get_type_abort(gensec_security
->private_data
,
902 OM_uint32 maj_stat
, min_stat
;
903 gss_buffer_desc input_token
, output_token
;
906 input_token
.length
= in
->length
;
907 input_token
.value
= in
->data
;
909 maj_stat
= gss_unwrap(&min_stat
,
910 gse_ctx
->gssapi_context
,
915 if (GSS_ERROR(maj_stat
)) {
916 DEBUG(0, ("gensec_gse_unwrap: GSS UnWrap failed: %s\n",
917 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
918 return NT_STATUS_ACCESS_DENIED
;
921 *out
= data_blob_talloc(mem_ctx
, output_token
.value
, output_token
.length
);
922 gss_release_buffer(&min_stat
, &output_token
);
924 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)
926 return NT_STATUS_ACCESS_DENIED
;
931 static NTSTATUS
gensec_gse_seal_packet(struct gensec_security
*gensec_security
,
933 uint8_t *data
, size_t length
,
934 const uint8_t *whole_pdu
, size_t pdu_length
,
937 struct gse_context
*gse_ctx
=
938 talloc_get_type_abort(gensec_security
->private_data
,
940 DATA_BLOB payload
= data_blob_const(data
, length
);
941 return gse_seal(mem_ctx
, gse_ctx
, &payload
, sig
);
944 static NTSTATUS
gensec_gse_unseal_packet(struct gensec_security
*gensec_security
,
945 uint8_t *data
, size_t length
,
946 const uint8_t *whole_pdu
, size_t pdu_length
,
947 const DATA_BLOB
*sig
)
949 struct gse_context
*gse_ctx
=
950 talloc_get_type_abort(gensec_security
->private_data
,
952 DATA_BLOB payload
= data_blob_const(data
, length
);
953 return gse_unseal(talloc_tos() /* unused */, gse_ctx
, &payload
, sig
);
956 static NTSTATUS
gensec_gse_sign_packet(struct gensec_security
*gensec_security
,
958 const uint8_t *data
, size_t length
,
959 const uint8_t *whole_pdu
, size_t pdu_length
,
962 struct gse_context
*gse_ctx
=
963 talloc_get_type_abort(gensec_security
->private_data
,
965 DATA_BLOB payload
= data_blob_const(data
, length
);
966 return gse_sign(mem_ctx
, gse_ctx
, &payload
, sig
);
969 static NTSTATUS
gensec_gse_check_packet(struct gensec_security
*gensec_security
,
970 const uint8_t *data
, size_t length
,
971 const uint8_t *whole_pdu
, size_t pdu_length
,
972 const DATA_BLOB
*sig
)
974 struct gse_context
*gse_ctx
=
975 talloc_get_type_abort(gensec_security
->private_data
,
977 DATA_BLOB payload
= data_blob_const(data
, length
);
978 return gse_sigcheck(NULL
, gse_ctx
, &payload
, sig
);
981 /* Try to figure out what features we actually got on the connection */
982 static bool gensec_gse_have_feature(struct gensec_security
*gensec_security
,
985 struct gse_context
*gse_ctx
=
986 talloc_get_type_abort(gensec_security
->private_data
,
989 if (feature
& GENSEC_FEATURE_SIGN
) {
990 return gse_ctx
->gss_got_flags
& GSS_C_INTEG_FLAG
;
992 if (feature
& GENSEC_FEATURE_SEAL
) {
993 return gse_ctx
->gss_got_flags
& GSS_C_CONF_FLAG
;
995 if (feature
& GENSEC_FEATURE_SESSION_KEY
) {
996 /* Only for GSE/Krb5 */
997 if (gss_oid_equal(gse_ctx
->ret_mech
, gss_mech_krb5
)) {
1001 if (feature
& GENSEC_FEATURE_DCE_STYLE
) {
1002 return gse_ctx
->gss_got_flags
& GSS_C_DCE_STYLE
;
1004 if (feature
& GENSEC_FEATURE_NEW_SPNEGO
) {
1008 if (!(gse_ctx
->gss_got_flags
& GSS_C_INTEG_FLAG
)) {
1012 status
= gssapi_get_session_key(talloc_tos(),
1013 gse_ctx
->gssapi_context
, NULL
, &keytype
);
1015 * We should do a proper sig on the mechListMic unless
1016 * we know we have to be backwards compatible with
1017 * earlier windows versions.
1019 * Negotiating a non-krb5
1020 * mech for example should be regarded as having
1023 if (NT_STATUS_IS_OK(status
)) {
1025 case ENCTYPE_DES_CBC_CRC
:
1026 case ENCTYPE_DES_CBC_MD5
:
1027 case ENCTYPE_ARCFOUR_HMAC
:
1028 case ENCTYPE_DES3_CBC_SHA1
:
1034 /* We can always do async (rather than strict request/reply) packets. */
1035 if (feature
& GENSEC_FEATURE_ASYNC_REPLIES
) {
1041 static NTTIME
gensec_gse_expire_time(struct gensec_security
*gensec_security
)
1043 struct gse_context
*gse_ctx
=
1044 talloc_get_type_abort(gensec_security
->private_data
,
1045 struct gse_context
);
1047 return gse_ctx
->expire_time
;
1051 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1052 * (for encrypting some passwords).
1054 * This breaks all the abstractions, but what do you expect...
1056 static NTSTATUS
gensec_gse_session_key(struct gensec_security
*gensec_security
,
1057 TALLOC_CTX
*mem_ctx
,
1058 DATA_BLOB
*session_key
)
1060 struct gse_context
*gse_ctx
=
1061 talloc_get_type_abort(gensec_security
->private_data
,
1062 struct gse_context
);
1064 return gssapi_get_session_key(mem_ctx
, gse_ctx
->gssapi_context
, session_key
, NULL
);
1067 /* Get some basic (and authorization) information about the user on
1068 * this session. This uses either the PAC (if present) or a local
1069 * database lookup */
1070 static NTSTATUS
gensec_gse_session_info(struct gensec_security
*gensec_security
,
1071 TALLOC_CTX
*mem_ctx
,
1072 struct auth_session_info
**_session_info
)
1074 struct gse_context
*gse_ctx
=
1075 talloc_get_type_abort(gensec_security
->private_data
,
1076 struct gse_context
);
1078 TALLOC_CTX
*tmp_ctx
;
1079 struct auth_session_info
*session_info
= NULL
;
1080 OM_uint32 maj_stat
, min_stat
;
1081 DATA_BLOB pac_blob
, *pac_blob_ptr
= NULL
;
1083 gss_buffer_desc name_token
;
1084 char *principal_string
;
1086 tmp_ctx
= talloc_named(mem_ctx
, 0, "gensec_gse_session_info context");
1087 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
1089 maj_stat
= gss_display_name(&min_stat
,
1090 gse_ctx
->client_name
,
1093 if (GSS_ERROR(maj_stat
)) {
1094 DEBUG(1, ("GSS display_name failed: %s\n",
1095 gse_errstr(talloc_tos(), maj_stat
, min_stat
)));
1096 talloc_free(tmp_ctx
);
1097 return NT_STATUS_FOOBAR
;
1100 principal_string
= talloc_strndup(tmp_ctx
,
1101 (const char *)name_token
.value
,
1104 gss_release_buffer(&min_stat
, &name_token
);
1106 if (!principal_string
) {
1107 talloc_free(tmp_ctx
);
1108 return NT_STATUS_NO_MEMORY
;
1111 nt_status
= gssapi_obtain_pac_blob(tmp_ctx
, gse_ctx
->gssapi_context
,
1112 gse_ctx
->client_name
,
1115 /* IF we have the PAC - otherwise we need to get this
1116 * data from elsewere
1118 if (NT_STATUS_IS_OK(nt_status
)) {
1119 pac_blob_ptr
= &pac_blob
;
1121 nt_status
= gensec_generate_session_info_pac(tmp_ctx
,
1124 pac_blob_ptr
, principal_string
,
1125 gensec_get_remote_address(gensec_security
),
1127 if (!NT_STATUS_IS_OK(nt_status
)) {
1128 talloc_free(tmp_ctx
);
1132 nt_status
= gensec_gse_session_key(gensec_security
, session_info
,
1133 &session_info
->session_key
);
1134 if (!NT_STATUS_IS_OK(nt_status
)) {
1135 talloc_free(tmp_ctx
);
1139 *_session_info
= talloc_move(mem_ctx
, &session_info
);
1140 talloc_free(tmp_ctx
);
1142 return NT_STATUS_OK
;
1145 static size_t gensec_gse_sig_size(struct gensec_security
*gensec_security
,
1148 struct gse_context
*gse_ctx
=
1149 talloc_get_type_abort(gensec_security
->private_data
,
1150 struct gse_context
);
1152 return gse_get_signature_length(gse_ctx
,
1153 gensec_security
->want_features
& GENSEC_FEATURE_SEAL
,
1157 static const char *gensec_gse_krb5_oids
[] = {
1158 GENSEC_OID_KERBEROS5_OLD
,
1159 GENSEC_OID_KERBEROS5
,
1163 const struct gensec_security_ops gensec_gse_krb5_security_ops
= {
1165 .auth_type
= DCERPC_AUTH_TYPE_KRB5
,
1166 .oid
= gensec_gse_krb5_oids
,
1167 .client_start
= gensec_gse_client_start
,
1168 .server_start
= gensec_gse_server_start
,
1169 .magic
= gensec_magic_check_krb5_oid
,
1170 .update
= gensec_gse_update
,
1171 .session_key
= gensec_gse_session_key
,
1172 .session_info
= gensec_gse_session_info
,
1173 .sig_size
= gensec_gse_sig_size
,
1174 .sign_packet
= gensec_gse_sign_packet
,
1175 .check_packet
= gensec_gse_check_packet
,
1176 .seal_packet
= gensec_gse_seal_packet
,
1177 .unseal_packet
= gensec_gse_unseal_packet
,
1178 .wrap
= gensec_gse_wrap
,
1179 .unwrap
= gensec_gse_unwrap
,
1180 .have_feature
= gensec_gse_have_feature
,
1181 .expire_time
= gensec_gse_expire_time
,
1184 .priority
= GENSEC_GSSAPI
1187 #endif /* HAVE_KRB5 */