auth/kerberos: Create common helper to get the verified PAC from GSSAPI
[samba.git] / source3 / librpc / crypto / gse.c
1 /*
2  *  GSSAPI Security Extensions
3  *  RPC Pipe client and server routines
4  *  Copyright (C) Simo Sorce 2010.
5  *
6  *  This program is free software; you can redistribute it and/or modify
7  *  it under the terms of the GNU General Public License as published by
8  *  the Free Software Foundation; either version 3 of the License, or
9  *  (at your option) any later version.
10  *
11  *  This program is distributed in the hope that it will be useful,
12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *  GNU General Public License for more details.
15  *
16  *  You should have received a copy of the GNU General Public License
17  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
18  */
19
20 /* We support only GSSAPI/KRB5 here */
21
22 #include "includes.h"
23 #include "gse.h"
24
25 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
26
27 #include "smb_krb5.h"
28 #include "gse_krb5.h"
29
30 #include <gssapi/gssapi.h>
31 #include <gssapi/gssapi_krb5.h>
32 #ifdef HAVE_GSSAPI_GSSAPI_EXT_H
33 #include <gssapi/gssapi_ext.h>
34 #endif
35
36 #ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
37 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
38 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
39 #endif
40
41 gss_OID_desc gse_sesskey_inq_oid = {
42         GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH,
43         (void *)GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
44 };
45
46 #ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID
47 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
48 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID  "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
49 #endif
50
51 gss_OID_desc gse_sesskeytype_oid = {
52         GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
53         (void *)GSS_KRB5_SESSION_KEY_ENCTYPE_OID
54 };
55
56 #define GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID_LENGTH 12
57 /*                                          EXTRACTION OID                                 AUTHZ ID */
58 #define GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a" "\x01"
59
60 gss_OID_desc gse_authz_data_oid = {
61         GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID_LENGTH,
62         (void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
63 };
64
65 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
66
67 struct gse_context {
68         krb5_context k5ctx;
69         krb5_ccache ccache;
70         krb5_keytab keytab;
71
72         gss_ctx_id_t gss_ctx;
73
74         gss_OID_desc gss_mech;
75         OM_uint32 gss_c_flags;
76         gss_cred_id_t creds;
77         gss_name_t server_name;
78
79         gss_OID ret_mech;
80         OM_uint32 ret_flags;
81         gss_cred_id_t delegated_creds;
82         gss_name_t client_name;
83
84         bool more_processing;
85         bool authenticated;
86 };
87
88 /* free non talloc dependent contexts */
89 static int gse_context_destructor(void *ptr)
90 {
91         struct gse_context *gse_ctx;
92         OM_uint32 gss_min, gss_maj;
93
94         gse_ctx = talloc_get_type_abort(ptr, struct gse_context);
95         if (gse_ctx->k5ctx) {
96                 if (gse_ctx->ccache) {
97                         krb5_cc_close(gse_ctx->k5ctx, gse_ctx->ccache);
98                         gse_ctx->ccache = NULL;
99                 }
100                 if (gse_ctx->keytab) {
101                         krb5_kt_close(gse_ctx->k5ctx, gse_ctx->keytab);
102                         gse_ctx->keytab = NULL;
103                 }
104                 krb5_free_context(gse_ctx->k5ctx);
105                 gse_ctx->k5ctx = NULL;
106         }
107         if (gse_ctx->gss_ctx != GSS_C_NO_CONTEXT) {
108                 gss_maj = gss_delete_sec_context(&gss_min,
109                                                  &gse_ctx->gss_ctx,
110                                                  GSS_C_NO_BUFFER);
111         }
112         if (gse_ctx->server_name) {
113                 gss_maj = gss_release_name(&gss_min,
114                                            &gse_ctx->server_name);
115         }
116         if (gse_ctx->client_name) {
117                 gss_maj = gss_release_name(&gss_min,
118                                            &gse_ctx->client_name);
119         }
120         if (gse_ctx->creds) {
121                 gss_maj = gss_release_cred(&gss_min,
122                                            &gse_ctx->creds);
123         }
124         if (gse_ctx->delegated_creds) {
125                 gss_maj = gss_release_cred(&gss_min,
126                                            &gse_ctx->delegated_creds);
127         }
128         if (gse_ctx->ret_mech) {
129                 gss_maj = gss_release_oid(&gss_min,
130                                           &gse_ctx->ret_mech);
131         }
132         return 0;
133 }
134
135 static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
136                                  bool do_sign, bool do_seal,
137                                  const char *ccache_name,
138                                  uint32_t add_gss_c_flags,
139                                  struct gse_context **_gse_ctx)
140 {
141         struct gse_context *gse_ctx;
142         krb5_error_code k5ret;
143         NTSTATUS status;
144
145         gse_ctx = talloc_zero(mem_ctx, struct gse_context);
146         if (!gse_ctx) {
147                 return NT_STATUS_NO_MEMORY;
148         }
149         talloc_set_destructor((TALLOC_CTX *)gse_ctx, gse_context_destructor);
150
151         memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
152
153         gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
154                                 GSS_C_DELEG_FLAG |
155                                 GSS_C_DELEG_POLICY_FLAG |
156                                 GSS_C_REPLAY_FLAG |
157                                 GSS_C_SEQUENCE_FLAG;
158         if (do_sign) {
159                 gse_ctx->gss_c_flags |= GSS_C_INTEG_FLAG;
160         }
161         if (do_seal) {
162                 gse_ctx->gss_c_flags |= GSS_C_CONF_FLAG;
163         }
164
165         gse_ctx->gss_c_flags |= add_gss_c_flags;
166
167         /* Initialize Kerberos Context */
168         initialize_krb5_error_table();
169
170         k5ret = krb5_init_context(&gse_ctx->k5ctx);
171         if (k5ret) {
172                 DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
173                           error_message(k5ret)));
174                 status = NT_STATUS_INTERNAL_ERROR;
175                 goto err_out;
176         }
177
178         if (!ccache_name) {
179                 ccache_name = krb5_cc_default_name(gse_ctx->k5ctx);
180         }
181         k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
182                                 &gse_ctx->ccache);
183         if (k5ret) {
184                 DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
185                           error_message(k5ret)));
186                 status = NT_STATUS_INTERNAL_ERROR;
187                 goto err_out;
188         }
189
190         /* TODO: Should we enforce a enc_types list ?
191         ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
192         */
193
194         *_gse_ctx = gse_ctx;
195         return NT_STATUS_OK;
196
197 err_out:
198         TALLOC_FREE(gse_ctx);
199         return status;
200 }
201
202 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
203                           bool do_sign, bool do_seal,
204                           const char *ccache_name,
205                           const char *server,
206                           const char *service,
207                           const char *username,
208                           const char *password,
209                           uint32_t add_gss_c_flags,
210                           struct gse_context **_gse_ctx)
211 {
212         struct gse_context *gse_ctx;
213         OM_uint32 gss_maj, gss_min;
214         gss_buffer_desc name_buffer = {0, NULL};
215         gss_OID_set_desc mech_set;
216         NTSTATUS status;
217
218         if (!server || !service) {
219                 return NT_STATUS_INVALID_PARAMETER;
220         }
221
222         status = gse_context_init(mem_ctx, do_sign, do_seal,
223                                   ccache_name, add_gss_c_flags,
224                                   &gse_ctx);
225         if (!NT_STATUS_IS_OK(status)) {
226                 return NT_STATUS_NO_MEMORY;
227         }
228
229         name_buffer.value = talloc_asprintf(gse_ctx,
230                                             "%s@%s", service, server);
231         if (!name_buffer.value) {
232                 status = NT_STATUS_NO_MEMORY;
233                 goto err_out;
234         }
235         name_buffer.length = strlen((char *)name_buffer.value);
236         gss_maj = gss_import_name(&gss_min, &name_buffer,
237                                   GSS_C_NT_HOSTBASED_SERVICE,
238                                   &gse_ctx->server_name);
239         if (gss_maj) {
240                 DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
241                           (char *)name_buffer.value,
242                           gse_errstr(gse_ctx, gss_maj, gss_min)));
243                 status = NT_STATUS_INTERNAL_ERROR;
244                 goto err_out;
245         }
246
247         /* TODO: get krb5 ticket using username/password, if no valid
248          * one already available in ccache */
249
250         mech_set.count = 1;
251         mech_set.elements = &gse_ctx->gss_mech;
252
253         gss_maj = gss_acquire_cred(&gss_min,
254                                    GSS_C_NO_NAME,
255                                    GSS_C_INDEFINITE,
256                                    &mech_set,
257                                    GSS_C_INITIATE,
258                                    &gse_ctx->creds,
259                                    NULL, NULL);
260         if (gss_maj) {
261                 DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
262                           (char *)name_buffer.value,
263                           gse_errstr(gse_ctx, gss_maj, gss_min)));
264                 status = NT_STATUS_INTERNAL_ERROR;
265                 goto err_out;
266         }
267
268         *_gse_ctx = gse_ctx;
269         TALLOC_FREE(name_buffer.value);
270         return NT_STATUS_OK;
271
272 err_out:
273         TALLOC_FREE(name_buffer.value);
274         TALLOC_FREE(gse_ctx);
275         return status;
276 }
277
278 NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
279                                    struct gse_context *gse_ctx,
280                                    DATA_BLOB *token_in,
281                                    DATA_BLOB *token_out)
282 {
283         OM_uint32 gss_maj, gss_min;
284         gss_buffer_desc in_data;
285         gss_buffer_desc out_data;
286         DATA_BLOB blob = data_blob_null;
287         NTSTATUS status;
288
289         in_data.value = token_in->data;
290         in_data.length = token_in->length;
291
292         gss_maj = gss_init_sec_context(&gss_min,
293                                         gse_ctx->creds,
294                                         &gse_ctx->gss_ctx,
295                                         gse_ctx->server_name,
296                                         &gse_ctx->gss_mech,
297                                         gse_ctx->gss_c_flags,
298                                         0, GSS_C_NO_CHANNEL_BINDINGS,
299                                         &in_data, NULL, &out_data,
300                                         NULL, NULL);
301         switch (gss_maj) {
302         case GSS_S_COMPLETE:
303                 /* we are done with it */
304                 gse_ctx->more_processing = false;
305                 status = NT_STATUS_OK;
306                 break;
307         case GSS_S_CONTINUE_NEEDED:
308                 /* we will need a third leg */
309                 gse_ctx->more_processing = true;
310                 /* status = NT_STATUS_MORE_PROCESSING_REQUIRED; */
311                 status = NT_STATUS_OK;
312                 break;
313         default:
314                 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
315                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
316                 status = NT_STATUS_INTERNAL_ERROR;
317                 goto done;
318         }
319
320         blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
321         if (!blob.data) {
322                 status = NT_STATUS_NO_MEMORY;
323         }
324
325         gss_maj = gss_release_buffer(&gss_min, &out_data);
326
327 done:
328         *token_out = blob;
329         return status;
330 }
331
332 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
333                          bool do_sign, bool do_seal,
334                          uint32_t add_gss_c_flags,
335                          struct gse_context **_gse_ctx)
336 {
337         struct gse_context *gse_ctx;
338         OM_uint32 gss_maj, gss_min;
339         krb5_error_code ret;
340         NTSTATUS status;
341         const char *ktname;
342         gss_OID_set_desc mech_set;
343
344         status = gse_context_init(mem_ctx, do_sign, do_seal,
345                                   NULL, add_gss_c_flags, &gse_ctx);
346         if (!NT_STATUS_IS_OK(status)) {
347                 return NT_STATUS_NO_MEMORY;
348         }
349
350         ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
351                                          &gse_ctx->keytab);
352         if (ret) {
353                 status = NT_STATUS_INTERNAL_ERROR;
354                 goto done;
355         }
356
357 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
358         /* This creates a GSSAPI cred_id_t with the principal and keytab set */
359         gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, 
360                                         &gse_ctx->creds);
361         if (gss_maj) {
362                 DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
363                           gse_errstr(gse_ctx, gss_maj, gss_min)));
364                 status = NT_STATUS_INTERNAL_ERROR;
365                 goto done;
366         }
367 #else
368         /* FIXME!!!
369          * This call sets the default keytab for the whole server, not
370          * just for this context. Need to find a way that does not alter
371          * the state of the whole server ... */
372
373         ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
374                                    gse_ctx->keytab, &ktname);
375         if (ret) {
376                 status = NT_STATUS_INTERNAL_ERROR;
377                 goto done;
378         }
379
380         ret = gsskrb5_register_acceptor_identity(ktname);
381         if (ret) {
382                 status = NT_STATUS_INTERNAL_ERROR;
383                 goto done;
384         }
385
386         mech_set.count = 1;
387         mech_set.elements = &gse_ctx->gss_mech;
388         
389         gss_maj = gss_acquire_cred(&gss_min,
390                                    GSS_C_NO_NAME,
391                                    GSS_C_INDEFINITE,
392                                    &mech_set,
393                                    GSS_C_ACCEPT,
394                                    &gse_ctx->creds,
395                                    NULL, NULL);
396
397         if (gss_maj) {
398                 DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
399                           gse_errstr(gse_ctx, gss_maj, gss_min)));
400                 status = NT_STATUS_INTERNAL_ERROR;
401                 goto done;
402         }
403 #endif
404         status = NT_STATUS_OK;
405
406 done:
407         if (!NT_STATUS_IS_OK(status)) {
408                 TALLOC_FREE(gse_ctx);
409         }
410
411         *_gse_ctx = gse_ctx;
412         return status;
413 }
414
415 NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
416                                    struct gse_context *gse_ctx,
417                                    DATA_BLOB *token_in,
418                                    DATA_BLOB *token_out)
419 {
420         OM_uint32 gss_maj, gss_min;
421         gss_buffer_desc in_data;
422         gss_buffer_desc out_data;
423         DATA_BLOB blob = data_blob_null;
424         NTSTATUS status;
425
426         in_data.value = token_in->data;
427         in_data.length = token_in->length;
428
429         gss_maj = gss_accept_sec_context(&gss_min,
430                                          &gse_ctx->gss_ctx,
431                                          gse_ctx->creds,
432                                          &in_data,
433                                          GSS_C_NO_CHANNEL_BINDINGS,
434                                          &gse_ctx->client_name,
435                                          &gse_ctx->ret_mech,
436                                          &out_data,
437                                          &gse_ctx->ret_flags, NULL,
438                                          &gse_ctx->delegated_creds);
439         switch (gss_maj) {
440         case GSS_S_COMPLETE:
441                 /* we are done with it */
442                 gse_ctx->more_processing = false;
443                 gse_ctx->authenticated = true;
444                 status = NT_STATUS_OK;
445                 break;
446         case GSS_S_CONTINUE_NEEDED:
447                 /* we will need a third leg */
448                 gse_ctx->more_processing = true;
449                 /* status = NT_STATUS_MORE_PROCESSING_REQUIRED; */
450                 status = NT_STATUS_OK;
451                 break;
452         default:
453                 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
454                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
455
456                 if (gse_ctx->gss_ctx) {
457                         gss_delete_sec_context(&gss_min,
458                                                 &gse_ctx->gss_ctx,
459                                                 GSS_C_NO_BUFFER);
460                 }
461
462                 status = NT_STATUS_INTERNAL_ERROR;
463                 goto done;
464         }
465
466         /* we may be told to return nothing */
467         if (out_data.length) {
468                 blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
469                 if (!blob.data) {
470                         status = NT_STATUS_NO_MEMORY;
471                 }
472                 gss_maj = gss_release_buffer(&gss_min, &out_data);
473         }
474
475
476 done:
477         *token_out = blob;
478         return status;
479 }
480
481 NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
482 {
483         if (!gse_ctx->authenticated) {
484                 return NT_STATUS_INVALID_HANDLE;
485         }
486
487         if (memcmp(gse_ctx->ret_mech,
488                    gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
489                 return NT_STATUS_ACCESS_DENIED;
490         }
491
492         /* GSS_C_MUTUAL_FLAG */
493         if (gse_ctx->gss_c_flags & GSS_C_MUTUAL_FLAG) {
494                 if (!(gse_ctx->ret_flags & GSS_C_MUTUAL_FLAG)) {
495                         return NT_STATUS_ACCESS_DENIED;
496                 }
497         }
498
499         /* GSS_C_DELEG_FLAG */
500         /* GSS_C_DELEG_POLICY_FLAG */
501         /* GSS_C_REPLAY_FLAG */
502         /* GSS_C_SEQUENCE_FLAG */
503
504         /* GSS_C_INTEG_FLAG */
505         if (gse_ctx->gss_c_flags & GSS_C_INTEG_FLAG) {
506                 if (!(gse_ctx->ret_flags & GSS_C_INTEG_FLAG)) {
507                         return NT_STATUS_ACCESS_DENIED;
508                 }
509         }
510
511         /* GSS_C_CONF_FLAG */
512         if (gse_ctx->gss_c_flags & GSS_C_CONF_FLAG) {
513                 if (!(gse_ctx->ret_flags & GSS_C_CONF_FLAG)) {
514                         return NT_STATUS_ACCESS_DENIED;
515                 }
516         }
517
518         return NT_STATUS_OK;
519 }
520
521 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
522 {
523         OM_uint32 gss_min, gss_maj;
524         gss_buffer_desc msg_min;
525         gss_buffer_desc msg_maj;
526         OM_uint32 msg_ctx = 0;
527
528         char *errstr = NULL;
529
530         ZERO_STRUCT(msg_min);
531         ZERO_STRUCT(msg_maj);
532
533         gss_maj = gss_display_status(&gss_min, maj, GSS_C_GSS_CODE,
534                                      GSS_C_NO_OID, &msg_ctx, &msg_maj);
535         if (gss_maj) {
536                 goto done;
537         }
538         gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE,
539                                      (gss_OID)discard_const(gss_mech_krb5),
540                                      &msg_ctx, &msg_min);
541         if (gss_maj) {
542                 goto done;
543         }
544
545         errstr = talloc_strndup(mem_ctx,
546                                 (char *)msg_maj.value,
547                                         msg_maj.length);
548         if (!errstr) {
549                 goto done;
550         }
551         errstr = talloc_strdup_append_buffer(errstr, ": ");
552         if (!errstr) {
553                 goto done;
554         }
555         errstr = talloc_strndup_append_buffer(errstr,
556                                                 (char *)msg_min.value,
557                                                         msg_min.length);
558         if (!errstr) {
559                 goto done;
560         }
561
562 done:
563         if (msg_min.value) {
564                 gss_maj = gss_release_buffer(&gss_min, &msg_min);
565         }
566         if (msg_maj.value) {
567                 gss_maj = gss_release_buffer(&gss_min, &msg_maj);
568         }
569         return errstr;
570 }
571
572 bool gse_require_more_processing(struct gse_context *gse_ctx)
573 {
574         return gse_ctx->more_processing;
575 }
576
577 DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
578                                 struct gse_context *gse_ctx)
579 {
580         OM_uint32 gss_min, gss_maj;
581         gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
582         DATA_BLOB ret;
583
584         gss_maj = gss_inquire_sec_context_by_oid(
585                                 &gss_min, gse_ctx->gss_ctx,
586                                 &gse_sesskey_inq_oid, &set);
587         if (gss_maj) {
588                 DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
589                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
590                 return data_blob_null;
591         }
592
593         if ((set == GSS_C_NO_BUFFER_SET) ||
594             (set->count != 2) ||
595             (memcmp(set->elements[1].value,
596                     gse_sesskeytype_oid.elements,
597                     gse_sesskeytype_oid.length) != 0)) {
598                 DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
599                           "OID for data in results:\n"));
600                 dump_data(1, (uint8_t *)set->elements[1].value,
601                              set->elements[1].length);
602                 return data_blob_null;
603         }
604
605         ret = data_blob_talloc(mem_ctx, set->elements[0].value,
606                                         set->elements[0].length);
607
608         gss_maj = gss_release_buffer_set(&gss_min, &set);
609         return ret;
610 }
611
612 NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
613                              TALLOC_CTX *mem_ctx, char **cli_name)
614 {
615         OM_uint32 gss_min, gss_maj;
616         gss_buffer_desc name_buffer;
617
618         if (!gse_ctx->authenticated) {
619                 return NT_STATUS_ACCESS_DENIED;
620         }
621
622         if (!gse_ctx->client_name) {
623                 return NT_STATUS_NOT_FOUND;
624         }
625
626         /* TODO: check OID matches KRB5 Principal Name OID ? */
627
628         gss_maj = gss_display_name(&gss_min,
629                                    gse_ctx->client_name,
630                                    &name_buffer, NULL);
631         if (gss_maj) {
632                 DEBUG(0, ("gss_display_name failed [%s]\n",
633                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
634                 return NT_STATUS_INTERNAL_ERROR;
635         }
636
637         *cli_name = talloc_strndup(talloc_tos(),
638                                         (char *)name_buffer.value,
639                                         name_buffer.length);
640
641         gss_maj = gss_release_buffer(&gss_min, &name_buffer);
642
643         if (!*cli_name) {
644                 return NT_STATUS_NO_MEMORY;
645         }
646
647         return NT_STATUS_OK;
648 }
649
650 NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
651                             TALLOC_CTX *mem_ctx, DATA_BLOB *pac)
652 {
653         OM_uint32 gss_min, gss_maj;
654         gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
655
656         if (!gse_ctx->authenticated) {
657                 return NT_STATUS_ACCESS_DENIED;
658         }
659
660         gss_maj = gss_inquire_sec_context_by_oid(
661                                 &gss_min, gse_ctx->gss_ctx,
662                                 &gse_authz_data_oid, &set);
663         if (gss_maj) {
664                 DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
665                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
666                 return NT_STATUS_NOT_FOUND;
667         }
668
669         if (set == GSS_C_NO_BUFFER_SET) {
670                 DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
671                           "data in results.\n"));
672                 return NT_STATUS_INTERNAL_ERROR;
673         }
674
675         /* for now we just hope it is the first value */
676         *pac = data_blob_talloc(mem_ctx,
677                                 set->elements[0].value,
678                                 set->elements[0].length);
679
680         gss_maj = gss_release_buffer_set(&gss_min, &set);
681
682         return NT_STATUS_OK;
683 }
684
685 NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
686                           TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
687 {
688         if (!gse_ctx->authenticated) {
689                 return NT_STATUS_ACCESS_DENIED;
690         }
691
692         return gssapi_obtain_pac_blob(mem_ctx, gse_ctx->gss_ctx,
693                                         gse_ctx->client_name, pac_blob);
694 }
695
696 size_t gse_get_signature_length(struct gse_context *gse_ctx,
697                                 int seal, size_t payload_size)
698 {
699         OM_uint32 gss_min, gss_maj;
700         gss_iov_buffer_desc iov[2];
701         uint8_t fakebuf[payload_size];
702         int sealed;
703
704         iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
705         iov[0].buffer.value = NULL;
706         iov[0].buffer.length = 0;
707         iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
708         iov[1].buffer.value = fakebuf;
709         iov[1].buffer.length = payload_size;
710
711         gss_maj = gss_wrap_iov_length(&gss_min, gse_ctx->gss_ctx,
712                                         seal, GSS_C_QOP_DEFAULT,
713                                         &sealed, iov, 2);
714         if (gss_maj) {
715                 DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
716                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
717                 return 0;
718         }
719
720         return iov[0].buffer.length;
721 }
722
723 NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
724                   DATA_BLOB *data, DATA_BLOB *signature)
725 {
726         OM_uint32 gss_min, gss_maj;
727         gss_iov_buffer_desc iov[2];
728         int req_seal = 1; /* setting to 1 means we request sign+seal */
729         int sealed;
730         NTSTATUS status;
731
732         /* allocate the memory ourselves so we do not need to talloc_memdup */
733         signature->length = gse_get_signature_length(gse_ctx, 1, data->length);
734         if (!signature->length) {
735                 return NT_STATUS_INTERNAL_ERROR;
736         }
737         signature->data = (uint8_t *)talloc_size(mem_ctx, signature->length);
738         if (!signature->data) {
739                 return NT_STATUS_NO_MEMORY;
740         }
741         iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
742         iov[0].buffer.value = signature->data;
743         iov[0].buffer.length = signature->length;
744
745         /* data is encrypted in place, which is ok */
746         iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
747         iov[1].buffer.value = data->data;
748         iov[1].buffer.length = data->length;
749
750         gss_maj = gss_wrap_iov(&gss_min, gse_ctx->gss_ctx,
751                                 req_seal, GSS_C_QOP_DEFAULT,
752                                 &sealed, iov, 2);
753         if (gss_maj) {
754                 DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
755                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
756                 status = NT_STATUS_ACCESS_DENIED;
757                 goto done;
758         }
759
760         if (!sealed) {
761                 DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
762                 status = NT_STATUS_ACCESS_DENIED;
763                 goto done;
764         }
765
766         status = NT_STATUS_OK;
767
768         DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
769                    (int)iov[1].buffer.length, (int)iov[0].buffer.length));
770
771 done:
772         return status;
773 }
774
775 NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
776                     DATA_BLOB *data, DATA_BLOB *signature)
777 {
778         OM_uint32 gss_min, gss_maj;
779         gss_iov_buffer_desc iov[2];
780         int sealed;
781         NTSTATUS status;
782
783         iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
784         iov[0].buffer.value = signature->data;
785         iov[0].buffer.length = signature->length;
786
787         /* data is decrypted in place, which is ok */
788         iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
789         iov[1].buffer.value = data->data;
790         iov[1].buffer.length = data->length;
791
792         gss_maj = gss_unwrap_iov(&gss_min, gse_ctx->gss_ctx,
793                                  &sealed, NULL, iov, 2);
794         if (gss_maj) {
795                 DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
796                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
797                 status = NT_STATUS_ACCESS_DENIED;
798                 goto done;
799         }
800
801         if (!sealed) {
802                 DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
803                 status = NT_STATUS_ACCESS_DENIED;
804                 goto done;
805         }
806
807         status = NT_STATUS_OK;
808
809         DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
810                    (int)iov[1].buffer.length, (int)iov[0].buffer.length));
811
812 done:
813         return status;
814 }
815
816 NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
817                   DATA_BLOB *data, DATA_BLOB *signature)
818 {
819         OM_uint32 gss_min, gss_maj;
820         gss_buffer_desc in_data = { 0, NULL };
821         gss_buffer_desc out_data = { 0, NULL};
822         NTSTATUS status;
823
824         in_data.value = data->data;
825         in_data.length = data->length;
826
827         gss_maj = gss_get_mic(&gss_min, gse_ctx->gss_ctx,
828                               GSS_C_QOP_DEFAULT,
829                               &in_data, &out_data);
830         if (gss_maj) {
831                 DEBUG(0, ("gss_get_mic failed with [%s]\n",
832                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
833                 status = NT_STATUS_ACCESS_DENIED;
834                 goto done;
835         }
836
837         *signature = data_blob_talloc(mem_ctx,
838                                         out_data.value, out_data.length);
839         if (!signature->data) {
840                 status = NT_STATUS_NO_MEMORY;
841                 goto done;
842         }
843
844         status = NT_STATUS_OK;
845
846 done:
847         if (out_data.value) {
848                 gss_maj = gss_release_buffer(&gss_min, &out_data);
849         }
850         return status;
851 }
852
853 NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
854                       DATA_BLOB *data, DATA_BLOB *signature)
855 {
856         OM_uint32 gss_min, gss_maj;
857         gss_buffer_desc in_data = { 0, NULL };
858         gss_buffer_desc in_token = { 0, NULL};
859         NTSTATUS status;
860
861         in_data.value = data->data;
862         in_data.length = data->length;
863         in_token.value = signature->data;
864         in_token.length = signature->length;
865
866         gss_maj = gss_verify_mic(&gss_min, gse_ctx->gss_ctx,
867                                  &in_data, &in_token, NULL);
868         if (gss_maj) {
869                 DEBUG(0, ("gss_verify_mic failed with [%s]\n",
870                           gse_errstr(talloc_tos(), gss_maj, gss_min)));
871                 status = NT_STATUS_ACCESS_DENIED;
872                 goto done;
873         }
874
875         status = NT_STATUS_OK;
876
877 done:
878         return status;
879 }
880
881 #else
882
883 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
884                           bool do_sign, bool do_seal,
885                           const char *ccache_name,
886                           const char *server,
887                           const char *service,
888                           const char *username,
889                           const char *password,
890                           uint32_t add_gss_c_flags,
891                           struct gse_context **_gse_ctx)
892 {
893         return NT_STATUS_NOT_IMPLEMENTED;
894 }
895
896 NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
897                                    struct gse_context *gse_ctx,
898                                    DATA_BLOB *token_in,
899                                    DATA_BLOB *token_out)
900 {
901         return NT_STATUS_NOT_IMPLEMENTED;
902 }
903
904 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
905                          bool do_sign, bool do_seal,
906                          uint32_t add_gss_c_flags,
907                          struct gse_context **_gse_ctx)
908 {
909         return NT_STATUS_NOT_IMPLEMENTED;
910 }
911
912 NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
913                                    struct gse_context *gse_ctx,
914                                    DATA_BLOB *token_in,
915                                    DATA_BLOB *token_out)
916 {
917         return NT_STATUS_NOT_IMPLEMENTED;
918 }
919
920 NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
921 {
922         return NT_STATUS_NOT_IMPLEMENTED;
923 }
924
925 bool gse_require_more_processing(struct gse_context *gse_ctx)
926 {
927         return false;
928 }
929
930 DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
931                               struct gse_context *gse_ctx)
932 {
933         return data_blob_null;
934 }
935
936 NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
937                              TALLOC_CTX *mem_ctx, char **cli_name)
938 {
939         return NT_STATUS_NOT_IMPLEMENTED;
940 }
941
942 NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
943                             TALLOC_CTX *mem_ctx, DATA_BLOB *pac)
944 {
945         return NT_STATUS_NOT_IMPLEMENTED;
946 }
947
948 NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
949 {
950         return NT_STATUS_NOT_IMPLEMENTED;
951 }
952
953 size_t gse_get_signature_length(struct gse_context *gse_ctx,
954                                 int seal, size_t payload_size)
955 {
956         return 0;
957 }
958
959 NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
960                   DATA_BLOB *data, DATA_BLOB *signature)
961 {
962         return NT_STATUS_NOT_IMPLEMENTED;
963 }
964
965 NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
966                     DATA_BLOB *data, DATA_BLOB *signature)
967 {
968         return NT_STATUS_NOT_IMPLEMENTED;
969 }
970
971 NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
972                   DATA_BLOB *data, DATA_BLOB *signature)
973 {
974         return NT_STATUS_NOT_IMPLEMENTED;
975 }
976
977 NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
978                       DATA_BLOB *data, DATA_BLOB *signature)
979 {
980         return NT_STATUS_NOT_IMPLEMENTED;
981 }
982
983 #endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */