Fix Samba3 on OpenIndiana.
[samba.git] / auth / kerberos / gssapi_pac.c
1 /*
2    Unix SMB/CIFS implementation.
3    kerberos authorization data (PAC) utility library
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2011
5    Copyright (C) Simo Sorce 2010.
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #ifdef HAVE_KRB5
23
24 #include "libcli/auth/krb5_wrap.h"
25
26 #if 0
27 /* FIXME - need proper configure/waf test
28  * to determine if gss_mech_krb5 and friends
29  * exist. JRA.
30  */
31 /*
32  * These are not exported by Solaris -lkrb5
33  * Maybe move to libreplace somewhere?
34  */
35 static const gss_OID_desc krb5_gss_oid_array[] = {
36         /* this is the official, rfc-specified OID */
37         { 9, "\052\206\110\206\367\022\001\002\002" },
38         /* this is the pre-RFC mech OID */
39         { 5, "\053\005\001\005\002" },
40         /* this is the unofficial, incorrect mech OID emitted by MS */
41         { 9, "\052\206\110\202\367\022\001\002\002" },
42         { 0, 0 }
43 };
44
45 const gss_OID_desc * const gss_mech_krb5              = krb5_gss_oid_array+0;
46 const gss_OID_desc * const gss_mech_krb5_old          = krb5_gss_oid_array+1;
47 const gss_OID_desc * const gss_mech_krb5_wrong        = krb5_gss_oid_array+2;
48 #endif
49
50 /* The Heimdal OID for getting the PAC */
51 #define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 8
52 /*                                                      EXTRACTION OID             AUTHZ ID */
53 #define EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x85\x70\x2b\x0d\x03" "\x81\x00"
54
55 static gss_OID_desc pac_data_oid = {
56         EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH,
57         (void *)EXTRACT_PAC_AUTHZ_DATA_FROM_SEC_CONTEXT_OID
58 };
59
60 NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
61                                 gss_ctx_id_t gssapi_context,
62                                 gss_name_t gss_client_name,
63                                 DATA_BLOB *pac_blob)
64 {
65         NTSTATUS status;
66         OM_uint32 gss_maj, gss_min;
67 #ifdef HAVE_GSS_GET_NAME_ATTRIBUTE
68         gss_buffer_desc pac_buffer;
69         gss_buffer_desc pac_display_buffer;
70         gss_buffer_desc pac_name = {
71                 .value = "urn:mspac:",
72                 .length = sizeof("urn:mspac:")-1
73         };
74         int more = -1;
75         int authenticated = false;
76         int complete = false;
77
78         gss_maj = gss_get_name_attribute(
79                 &gss_min, gss_client_name, &pac_name,
80                 &authenticated, &complete,
81                 &pac_buffer, &pac_display_buffer, &more);
82
83         if (gss_maj != 0) {
84                 DEBUG(0, ("obtaining PAC via GSSAPI gss_get_name_attribute failed: %s\n",
85                           gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
86                 return NT_STATUS_ACCESS_DENIED;
87         } else if (authenticated && complete) {
88                 /* The PAC blob is returned directly */
89                 *pac_blob = data_blob_talloc(mem_ctx, pac_buffer.value,
90                                             pac_buffer.length);
91
92                 if (!pac_blob->data) {
93                         status = NT_STATUS_NO_MEMORY;
94                 } else {
95                         status = NT_STATUS_OK;
96                 }
97
98                 gss_maj = gss_release_buffer(&gss_min, &pac_buffer);
99                 gss_maj = gss_release_buffer(&gss_min, &pac_display_buffer);
100                 return status;
101         } else {
102                 DEBUG(0, ("obtaining PAC via GSSAPI failed: authenticated: %s, complete: %s, more: %s\n",
103                           authenticated ? "true" : "false",
104                           complete ? "true" : "false",
105                           more ? "true" : "false"));
106                 return NT_STATUS_ACCESS_DENIED;
107         }
108
109 #elif defined(HAVE_GSS_INQUIRE_SEC_CONTEXT_BY_OID)
110
111         gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
112
113         /* If we didn't have the routine to get a verified, validated
114          * PAC (supplied only by MIT at the time of writing), then try
115          * with the Heimdal OID (fetches the PAC directly and always
116          * validates) */
117         gss_maj = gss_inquire_sec_context_by_oid(
118                                 &gss_min, gssapi_context,
119                                 &pac_data_oid, &set);
120
121         /* First check for the error MIT gives for an unknown OID */
122         if (gss_maj == GSS_S_UNAVAILABLE) {
123                 DEBUG(1, ("unable to obtain a PAC against this GSSAPI library.  "
124                           "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
125         } else if (gss_maj != 0) {
126                 DEBUG(2, ("obtaining PAC via GSSAPI gss_inqiure_sec_context_by_oid (Heimdal OID) failed: %s\n",
127                           gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
128         } else {
129                 if (set == GSS_C_NO_BUFFER_SET) {
130                         DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
131                                   "data in results.\n"));
132                         return NT_STATUS_INTERNAL_ERROR;
133                 }
134
135                 /* The PAC blob is returned directly */
136                 *pac_blob = data_blob_talloc(mem_ctx, set->elements[0].value,
137                                             set->elements[0].length);
138                 if (!pac_blob->data) {
139                         status = NT_STATUS_NO_MEMORY;
140                 } else {
141                         status = NT_STATUS_OK;
142                 }
143
144                 gss_maj = gss_release_buffer_set(&gss_min, &set);
145                 return status;
146         }
147 #else
148         DEBUG(1, ("unable to obtain a PAC against this GSSAPI library.  "
149                   "GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
150 #endif
151         return NT_STATUS_ACCESS_DENIED;
152 }
153 #endif