ecf2a73b1f76dc38e584c42ba504faa60e4ab3c0
[samba.git] / source4 / auth / gensec / gensec_gssapi.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7    Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "lib/events/events.h"
26 #include "system/kerberos.h"
27 #include "auth/kerberos/kerberos.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29 #include "auth/auth.h"
30 #include "lib/ldb/include/ldb.h"
31 #include "auth/auth_sam.h"
32 #include "librpc/rpc/dcerpc.h"
33 #include "auth/credentials/credentials.h"
34 #include "auth/credentials/credentials_krb5.h"
35 #include "auth/gensec/gensec.h"
36 #include "auth/gensec/gensec_proto.h"
37 #include "param/param.h"
38 #include "auth/session_proto.h"
39 #include <gssapi/gssapi.h>
40 #include <gssapi/gssapi_krb5.h>
41 #include <gssapi/gssapi_spnego.h>
42 #include "auth/gensec/gensec_gssapi.h"
43 #include "lib/util/util_net.h"
44
45 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
46 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
47
48 static char *gssapi_error_string(TALLOC_CTX *mem_ctx, 
49                                  OM_uint32 maj_stat, OM_uint32 min_stat, 
50                                  const gss_OID mech)
51 {
52         OM_uint32 disp_min_stat, disp_maj_stat;
53         gss_buffer_desc maj_error_message;
54         gss_buffer_desc min_error_message;
55         char *maj_error_string, *min_error_string;
56         OM_uint32 msg_ctx = 0;
57
58         char *ret;
59
60         maj_error_message.value = NULL;
61         min_error_message.value = NULL;
62         maj_error_message.length = 0;
63         min_error_message.length = 0;
64         
65         disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
66                            mech, &msg_ctx, &maj_error_message);
67         disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
68                            mech, &msg_ctx, &min_error_message);
69         
70         maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
71
72         min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
73
74         ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
75
76         talloc_free(maj_error_string);
77         talloc_free(min_error_string);
78
79         gss_release_buffer(&disp_min_stat, &maj_error_message);
80         gss_release_buffer(&disp_min_stat, &min_error_message);
81
82         return ret;
83 }
84
85
86 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
87 {
88         OM_uint32 maj_stat, min_stat;
89         
90         if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
91                 maj_stat = gss_release_cred(&min_stat, 
92                                             &gensec_gssapi_state->delegated_cred_handle);
93         }
94
95         if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
96                 maj_stat = gss_delete_sec_context (&min_stat,
97                                                    &gensec_gssapi_state->gssapi_context,
98                                                    GSS_C_NO_BUFFER);
99         }
100
101         if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
102                 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->server_name);
103         }
104         if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
105                 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
106         }
107
108         if (gensec_gssapi_state->lucid) {
109                 gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
110         }
111
112         return 0;
113 }
114
115 static NTSTATUS gensec_gssapi_init_lucid(struct gensec_gssapi_state *gensec_gssapi_state)
116 {
117         OM_uint32 maj_stat, min_stat;
118
119         if (gensec_gssapi_state->lucid) {
120                 return NT_STATUS_OK;
121         }
122
123         maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
124                                                      &gensec_gssapi_state->gssapi_context,
125                                                      1,
126                                                      (void **)&gensec_gssapi_state->lucid);
127         if (maj_stat != GSS_S_COMPLETE) {
128                 DEBUG(0,("gensec_gssapi_init_lucid: %s\n",
129                         gssapi_error_string(gensec_gssapi_state,
130                                             maj_stat, min_stat,
131                                             gensec_gssapi_state->gss_oid)));
132                 return NT_STATUS_INTERNAL_ERROR;
133         }
134
135         if (gensec_gssapi_state->lucid->version != 1) {
136                 DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n",
137                         gensec_gssapi_state->lucid->version));
138                 gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
139                 gensec_gssapi_state->lucid = NULL;
140                 return NT_STATUS_INTERNAL_ERROR;
141         }
142
143         return NT_STATUS_OK;
144 }
145
146 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
147 {
148         struct gensec_gssapi_state *gensec_gssapi_state;
149         krb5_error_code ret;
150         struct gsskrb5_send_to_kdc send_to_kdc;
151         const char *realm;
152
153         gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
154         if (!gensec_gssapi_state) {
155                 return NT_STATUS_NO_MEMORY;
156         }
157
158         gensec_security->private_data = gensec_gssapi_state;
159
160         gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
161
162         /* TODO: Fill in channel bindings */
163         gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
164
165         gensec_gssapi_state->server_name = GSS_C_NO_NAME;
166         gensec_gssapi_state->client_name = GSS_C_NO_NAME;
167         
168         gensec_gssapi_state->want_flags = 0;
169
170         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
171                 gensec_gssapi_state->want_flags |= GSS_C_DELEG_POLICY_FLAG;
172         }
173         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
174                 gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
175         }
176         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
177                 gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
178         }
179         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
180                 gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
181         }
182         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
183                 gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
184         }
185
186         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
187                 gensec_gssapi_state->want_flags |= GSS_C_INTEG_FLAG;
188         }
189         if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
190                 gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG;
191         }
192         if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
193                 gensec_gssapi_state->want_flags |= GSS_C_DCE_STYLE;
194         }
195
196         gensec_gssapi_state->got_flags = 0;
197
198         switch (gensec_security->ops->auth_type) {
199         case DCERPC_AUTH_TYPE_SPNEGO:
200                 gensec_gssapi_state->gss_oid = gss_mech_spnego;
201                 break;
202         case DCERPC_AUTH_TYPE_KRB5:
203         default:
204                 gensec_gssapi_state->gss_oid = gss_mech_krb5;
205                 break;
206         }
207
208         gensec_gssapi_state->session_key = data_blob(NULL, 0);
209         gensec_gssapi_state->pac = data_blob(NULL, 0);
210
211         ret = smb_krb5_init_context(gensec_gssapi_state,
212                                     gensec_security->event_ctx,
213                                     gensec_security->settings->lp_ctx,
214                                     &gensec_gssapi_state->smb_krb5_context);
215         if (ret) {
216                 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
217                          error_message(ret)));
218                 talloc_free(gensec_gssapi_state);
219                 return NT_STATUS_INTERNAL_ERROR;
220         }
221
222         gensec_gssapi_state->client_cred = NULL;
223         gensec_gssapi_state->server_cred = NULL;
224
225         gensec_gssapi_state->lucid = NULL;
226
227         gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
228
229         gensec_gssapi_state->sasl = false;
230         gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
231         gensec_gssapi_state->sasl_protection = 0;
232
233         gensec_gssapi_state->max_wrap_buf_size
234                 = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
235         gensec_gssapi_state->gss_exchange_count = 0;
236         gensec_gssapi_state->sig_size = 0;
237
238         talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
239
240         send_to_kdc.func = smb_krb5_send_and_recv_func;
241         send_to_kdc.ptr = gensec_security->event_ctx;
242
243         ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
244         if (ret) {
245                 DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
246                 talloc_free(gensec_gssapi_state);
247                 return NT_STATUS_INTERNAL_ERROR;
248         }
249
250         realm = lpcfg_realm(gensec_security->settings->lp_ctx);
251         if (realm != NULL) {
252                 ret = gsskrb5_set_default_realm(realm);
253                 if (ret) {
254                         DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
255                         talloc_free(gensec_gssapi_state);
256                         return NT_STATUS_INTERNAL_ERROR;
257                 }
258         }
259
260         /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
261         ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
262         if (ret) {
263                 DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
264                 talloc_free(gensec_gssapi_state);
265                 return NT_STATUS_INTERNAL_ERROR;
266         }
267
268         return NT_STATUS_OK;
269 }
270
271 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
272 {
273         NTSTATUS nt_status;
274         int ret;
275         struct gensec_gssapi_state *gensec_gssapi_state;
276         struct cli_credentials *machine_account;
277         struct gssapi_creds_container *gcc;
278
279         nt_status = gensec_gssapi_start(gensec_security);
280         if (!NT_STATUS_IS_OK(nt_status)) {
281                 return nt_status;
282         }
283
284         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
285
286         machine_account = gensec_get_credentials(gensec_security);
287         
288         if (!machine_account) {
289                 DEBUG(3, ("No machine account credentials specified\n"));
290                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
291         } else {
292                 ret = cli_credentials_get_server_gss_creds(machine_account, 
293                                                            gensec_security->event_ctx, 
294                                                            gensec_security->settings->lp_ctx, &gcc);
295                 if (ret) {
296                         DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", 
297                                   error_message(ret)));
298                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
299                 }
300         }
301
302         gensec_gssapi_state->server_cred = gcc;
303         return NT_STATUS_OK;
304
305 }
306
307 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
308 {
309         NTSTATUS nt_status;
310         struct gensec_gssapi_state *gensec_gssapi_state;
311         nt_status = gensec_gssapi_server_start(gensec_security);
312
313         if (NT_STATUS_IS_OK(nt_status)) {
314                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
315                 gensec_gssapi_state->sasl = true;
316         }
317         return nt_status;
318 }
319
320 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
321 {
322         struct gensec_gssapi_state *gensec_gssapi_state;
323         struct cli_credentials *creds = gensec_get_credentials(gensec_security);
324         krb5_error_code ret;
325         NTSTATUS nt_status;
326         gss_buffer_desc name_token;
327         gss_OID name_type;
328         OM_uint32 maj_stat, min_stat;
329         const char *hostname = gensec_get_target_hostname(gensec_security);
330         const char *principal;
331         struct gssapi_creds_container *gcc;
332         const char *error_string;
333
334         if (!hostname) {
335                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
336                 return NT_STATUS_INVALID_PARAMETER;
337         }
338         if (is_ipaddress(hostname)) {
339                 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
340                 return NT_STATUS_INVALID_PARAMETER;
341         }
342         if (strcmp(hostname, "localhost") == 0) {
343                 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
344                 return NT_STATUS_INVALID_PARAMETER;
345         }
346
347         nt_status = gensec_gssapi_start(gensec_security);
348         if (!NT_STATUS_IS_OK(nt_status)) {
349                 return nt_status;
350         }
351
352         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
353
354         principal = gensec_get_target_principal(gensec_security);
355         if (principal && lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
356                 name_type = GSS_C_NULL_OID;
357         } else {
358                 principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
359                                             gensec_get_target_service(gensec_security), 
360                                             hostname, lpcfg_realm(gensec_security->settings->lp_ctx));
361
362                 name_type = GSS_C_NT_USER_NAME;
363         }
364         name_token.value  = discard_const_p(uint8_t, principal);
365         name_token.length = strlen(principal);
366
367
368         maj_stat = gss_import_name (&min_stat,
369                                     &name_token,
370                                     name_type,
371                                     &gensec_gssapi_state->server_name);
372         if (maj_stat) {
373                 DEBUG(2, ("GSS Import name of %s failed: %s\n",
374                           (char *)name_token.value,
375                           gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
376                 return NT_STATUS_INVALID_PARAMETER;
377         }
378
379         ret = cli_credentials_get_client_gss_creds(creds, 
380                                                    gensec_security->event_ctx, 
381                                                    gensec_security->settings->lp_ctx, &gcc, &error_string);
382         switch (ret) {
383         case 0:
384                 break;
385         case KRB5KDC_ERR_PREAUTH_FAILED:
386                 return NT_STATUS_LOGON_FAILURE;
387         case KRB5_KDC_UNREACH:
388                 DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", principal, error_string));
389                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
390         case KRB5_CC_NOTFOUND:
391         case KRB5_CC_END:
392                 DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
393                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
394         default:
395                 DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
396                 return NT_STATUS_UNSUCCESSFUL;
397         }
398
399         gensec_gssapi_state->client_cred = gcc;
400         if (!talloc_reference(gensec_gssapi_state, gcc)) {
401                 return NT_STATUS_NO_MEMORY;
402         }
403         
404         return NT_STATUS_OK;
405 }
406
407 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
408 {
409         NTSTATUS nt_status;
410         struct gensec_gssapi_state *gensec_gssapi_state;
411         nt_status = gensec_gssapi_client_start(gensec_security);
412
413         if (NT_STATUS_IS_OK(nt_status)) {
414                 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
415                 gensec_gssapi_state->sasl = true;
416         }
417         return nt_status;
418 }
419
420
421 /**
422  * Check if the packet is one for this mechansim
423  * 
424  * @param gensec_security GENSEC state
425  * @param in The request, as a DATA_BLOB
426  * @return Error, INVALID_PARAMETER if it's not a packet for us
427  *                or NT_STATUS_OK if the packet is ok. 
428  */
429
430 static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security, 
431                                     const DATA_BLOB *in) 
432 {
433         if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
434                 return NT_STATUS_OK;
435         } else {
436                 return NT_STATUS_INVALID_PARAMETER;
437         }
438 }
439
440
441 /**
442  * Next state function for the GSSAPI GENSEC mechanism
443  * 
444  * @param gensec_gssapi_state GSSAPI State
445  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
446  * @param in The request, as a DATA_BLOB
447  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
448  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
449  *                or NT_STATUS_OK if the user is authenticated. 
450  */
451
452 static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, 
453                                    TALLOC_CTX *out_mem_ctx, 
454                                    const DATA_BLOB in, DATA_BLOB *out) 
455 {
456         struct gensec_gssapi_state *gensec_gssapi_state
457                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
458         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
459         OM_uint32 maj_stat, min_stat;
460         OM_uint32 min_stat2;
461         gss_buffer_desc input_token, output_token;
462         gss_OID gss_oid_p = NULL;
463         input_token.length = in.length;
464         input_token.value = in.data;
465
466         switch (gensec_gssapi_state->sasl_state) {
467         case STAGE_GSS_NEG:
468         {
469                 switch (gensec_security->gensec_role) {
470                 case GENSEC_CLIENT:
471                 {
472                         maj_stat = gss_init_sec_context(&min_stat, 
473                                                         gensec_gssapi_state->client_cred->creds,
474                                                         &gensec_gssapi_state->gssapi_context, 
475                                                         gensec_gssapi_state->server_name, 
476                                                         gensec_gssapi_state->gss_oid,
477                                                         gensec_gssapi_state->want_flags, 
478                                                         0, 
479                                                         gensec_gssapi_state->input_chan_bindings,
480                                                         &input_token, 
481                                                         &gss_oid_p,
482                                                         &output_token, 
483                                                         &gensec_gssapi_state->got_flags, /* ret flags */
484                                                         NULL);
485                         if (gss_oid_p) {
486                                 gensec_gssapi_state->gss_oid = gss_oid_p;
487                         }
488                         break;
489                 }
490                 case GENSEC_SERVER:
491                 {
492                         maj_stat = gss_accept_sec_context(&min_stat, 
493                                                           &gensec_gssapi_state->gssapi_context, 
494                                                           gensec_gssapi_state->server_cred->creds,
495                                                           &input_token, 
496                                                           gensec_gssapi_state->input_chan_bindings,
497                                                           &gensec_gssapi_state->client_name, 
498                                                           &gss_oid_p,
499                                                           &output_token, 
500                                                           &gensec_gssapi_state->got_flags, 
501                                                           NULL, 
502                                                           &gensec_gssapi_state->delegated_cred_handle);
503                         if (gss_oid_p) {
504                                 gensec_gssapi_state->gss_oid = gss_oid_p;
505                         }
506                         break;
507                 }
508                 default:
509                         return NT_STATUS_INVALID_PARAMETER;
510                         
511                 }
512
513                 gensec_gssapi_state->gss_exchange_count++;
514
515                 if (maj_stat == GSS_S_COMPLETE) {
516                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
517                         gss_release_buffer(&min_stat2, &output_token);
518                         
519                         if (gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG) {
520                                 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
521                         } else {
522                                 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
523                         }
524
525                         /* We may have been invoked as SASL, so there
526                          * is more work to do */
527                         if (gensec_gssapi_state->sasl) {
528                                 /* Due to a very subtle interaction
529                                  * with SASL and the LDAP libs, we
530                                  * must ensure the data pointer is 
531                                  * != NULL, but the length is 0.  
532                                  *
533                                  * This ensures we send a 'zero
534                                  * length' (rather than NULL) response 
535                                  */
536                                 
537                                 if (!out->data) {
538                                         out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
539                                 }
540
541                                 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
542                                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
543                         } else {
544                                 gensec_gssapi_state->sasl_state = STAGE_DONE;
545
546                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
547                                         DEBUG(5, ("GSSAPI Connection will be cryptographicly sealed\n"));
548                                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
549                                         DEBUG(5, ("GSSAPI Connection will be cryptographicly signed\n"));
550                                 } else {
551                                         DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
552                                 }
553
554                                 return NT_STATUS_OK;
555                         }
556                 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
557                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
558                         gss_release_buffer(&min_stat2, &output_token);
559                         
560                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
561                 } else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
562                         switch (min_stat) {
563                         case KRB5_KDC_UNREACH:
564                                 DEBUG(3, ("Cannot reach a KDC we require: %s\n",
565                                           gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
566                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
567                         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
568                                 DEBUG(3, ("Server is not registered with our KDC: %s\n", 
569                                           gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
570                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
571                         case KRB5KRB_AP_ERR_MSG_TYPE:
572                                 /* garbage input, possibly from the auto-mech detection */
573                                 return NT_STATUS_INVALID_PARAMETER;
574                         default:
575                                 DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n", 
576                                           gensec_gssapi_state->gss_exchange_count,
577                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
578                                 return nt_status;
579                         }
580                 } else {
581                         DEBUG(1, ("GSS Update(%d) failed: %s\n", 
582                                   gensec_gssapi_state->gss_exchange_count,
583                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
584                         return nt_status;
585                 }
586                 break;
587         }
588
589         /* These last two stages are only done if we were invoked as SASL */
590         case STAGE_SASL_SSF_NEG:
591         {
592                 switch (gensec_security->gensec_role) {
593                 case GENSEC_CLIENT:
594                 {
595                         uint8_t maxlength_proposed[4]; 
596                         uint8_t maxlength_accepted[4]; 
597                         uint8_t security_supported;
598                         int conf_state;
599                         gss_qop_t qop_state;
600                         input_token.length = in.length;
601                         input_token.value = in.data;
602
603                         /* As a client, we have just send a
604                          * zero-length blob to the server (after the
605                          * normal GSSAPI exchange), and it has replied
606                          * with it's SASL negotiation */
607                         
608                         maj_stat = gss_unwrap(&min_stat, 
609                                               gensec_gssapi_state->gssapi_context, 
610                                               &input_token,
611                                               &output_token, 
612                                               &conf_state,
613                                               &qop_state);
614                         if (GSS_ERROR(maj_stat)) {
615                                 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
616                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
617                                 return NT_STATUS_ACCESS_DENIED;
618                         }
619                         
620                         if (output_token.length < 4) {
621                                 return NT_STATUS_INVALID_PARAMETER;
622                         }
623
624                         memcpy(maxlength_proposed, output_token.value, 4);
625                         gss_release_buffer(&min_stat, &output_token);
626
627                         /* first byte is the proposed security */
628                         security_supported = maxlength_proposed[0];
629                         maxlength_proposed[0] = '\0';
630                         
631                         /* Rest is the proposed max wrap length */
632                         gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0), 
633                                                                      gensec_gssapi_state->max_wrap_buf_size);
634                         gensec_gssapi_state->sasl_protection = 0;
635                         if (security_supported & NEG_SEAL) {
636                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
637                                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
638                                 }
639                         }
640                         if (security_supported & NEG_SIGN) {
641                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
642                                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
643                                 }
644                         }
645                         if (security_supported & NEG_NONE) {
646                                 gensec_gssapi_state->sasl_protection |= NEG_NONE;
647                         }
648                         if (gensec_gssapi_state->sasl_protection == 0) {
649                                 DEBUG(1, ("Remote server does not support unprotected connections\n"));
650                                 return NT_STATUS_ACCESS_DENIED;
651                         }
652
653                         /* Send back the negotiated max length */
654
655                         RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
656
657                         maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
658                         
659                         input_token.value = maxlength_accepted;
660                         input_token.length = sizeof(maxlength_accepted);
661
662                         maj_stat = gss_wrap(&min_stat, 
663                                             gensec_gssapi_state->gssapi_context, 
664                                             false,
665                                             GSS_C_QOP_DEFAULT,
666                                             &input_token,
667                                             &conf_state,
668                                             &output_token);
669                         if (GSS_ERROR(maj_stat)) {
670                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
671                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
672                                 return NT_STATUS_ACCESS_DENIED;
673                         }
674                         
675                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
676                         gss_release_buffer(&min_stat, &output_token);
677
678                         /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
679                         gensec_gssapi_state->sasl_state = STAGE_DONE;
680
681                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
682                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
683                         } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
684                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
685                         } else {
686                                 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
687                         }
688
689                         return NT_STATUS_OK;
690                 }
691                 case GENSEC_SERVER:
692                 {
693                         uint8_t maxlength_proposed[4]; 
694                         uint8_t security_supported = 0x0;
695                         int conf_state;
696
697                         /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
698                         if (in.length != 0) {
699                                 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
700                         }
701                         
702                         /* Give the client some idea what we will support */
703                           
704                         RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
705                         /* first byte is the proposed security */
706                         maxlength_proposed[0] = '\0';
707                         
708                         gensec_gssapi_state->sasl_protection = 0;
709                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
710                                 security_supported |= NEG_SEAL;
711                         } 
712                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
713                                 security_supported |= NEG_SIGN;
714                         }
715                         if (security_supported == 0) {
716                                 /* If we don't support anything, this must be 0 */
717                                 RSIVAL(maxlength_proposed, 0, 0x0);
718                         }
719
720                         /* TODO:  We may not wish to support this */
721                         security_supported |= NEG_NONE;
722                         maxlength_proposed[0] = security_supported;
723                         
724                         input_token.value = maxlength_proposed;
725                         input_token.length = sizeof(maxlength_proposed);
726
727                         maj_stat = gss_wrap(&min_stat, 
728                                             gensec_gssapi_state->gssapi_context, 
729                                             false,
730                                             GSS_C_QOP_DEFAULT,
731                                             &input_token,
732                                             &conf_state,
733                                             &output_token);
734                         if (GSS_ERROR(maj_stat)) {
735                                 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n", 
736                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
737                                 return NT_STATUS_ACCESS_DENIED;
738                         }
739                         
740                         *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
741                         gss_release_buffer(&min_stat, &output_token);
742
743                         gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
744                         return NT_STATUS_MORE_PROCESSING_REQUIRED;
745                 }
746                 default:
747                         return NT_STATUS_INVALID_PARAMETER;
748                         
749                 }
750         }
751         /* This is s server-only stage */
752         case STAGE_SASL_SSF_ACCEPT:
753         {
754                 uint8_t maxlength_accepted[4]; 
755                 uint8_t security_accepted;
756                 int conf_state;
757                 gss_qop_t qop_state;
758                 input_token.length = in.length;
759                 input_token.value = in.data;
760                         
761                 maj_stat = gss_unwrap(&min_stat, 
762                                       gensec_gssapi_state->gssapi_context, 
763                                       &input_token,
764                                       &output_token, 
765                                       &conf_state,
766                                       &qop_state);
767                 if (GSS_ERROR(maj_stat)) {
768                         DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n", 
769                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
770                         return NT_STATUS_ACCESS_DENIED;
771                 }
772                         
773                 if (output_token.length < 4) {
774                         return NT_STATUS_INVALID_PARAMETER;
775                 }
776
777                 memcpy(maxlength_accepted, output_token.value, 4);
778                 gss_release_buffer(&min_stat, &output_token);
779                 
780                 /* first byte is the proposed security */
781                 security_accepted = maxlength_accepted[0];
782                 maxlength_accepted[0] = '\0';
783
784                 /* Rest is the proposed max wrap length */
785                 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), 
786                                                              gensec_gssapi_state->max_wrap_buf_size);
787
788                 gensec_gssapi_state->sasl_protection = 0;
789                 if (security_accepted & NEG_SEAL) {
790                         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
791                                 DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
792                                 return NT_STATUS_ACCESS_DENIED;
793                         }
794                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
795                 }
796                 if (security_accepted & NEG_SIGN) {
797                         if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
798                                 DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
799                                 return NT_STATUS_ACCESS_DENIED;
800                         }
801                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
802                 }
803                 if (security_accepted & NEG_NONE) {
804                         gensec_gssapi_state->sasl_protection |= NEG_NONE;
805                 }
806
807                 /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
808                 gensec_gssapi_state->sasl_state = STAGE_DONE;
809                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
810                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
811                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
812                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
813                 } else {
814                         DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
815                 }
816
817                 *out = data_blob(NULL, 0);
818                 return NT_STATUS_OK;    
819         }
820         default:
821                 return NT_STATUS_INVALID_PARAMETER;
822         }
823 }
824
825 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security, 
826                                    TALLOC_CTX *mem_ctx, 
827                                    const DATA_BLOB *in, 
828                                    DATA_BLOB *out)
829 {
830         struct gensec_gssapi_state *gensec_gssapi_state
831                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
832         OM_uint32 maj_stat, min_stat;
833         gss_buffer_desc input_token, output_token;
834         int conf_state;
835         input_token.length = in->length;
836         input_token.value = in->data;
837
838         maj_stat = gss_wrap(&min_stat, 
839                             gensec_gssapi_state->gssapi_context, 
840                             gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
841                             GSS_C_QOP_DEFAULT,
842                             &input_token,
843                             &conf_state,
844                             &output_token);
845         if (GSS_ERROR(maj_stat)) {
846                 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n", 
847                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
848                 return NT_STATUS_ACCESS_DENIED;
849         }
850
851         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
852         gss_release_buffer(&min_stat, &output_token);
853
854         if (gensec_gssapi_state->sasl) {
855                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
856                 if (max_wrapped_size < out->length) {
857                         DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
858                                   (unsigned)in->length, 
859                                   (unsigned)out->length, 
860                                   (unsigned int)max_wrapped_size));
861                         return NT_STATUS_INVALID_PARAMETER;
862                 }
863         }
864         
865         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
866             && !conf_state) {
867                 return NT_STATUS_ACCESS_DENIED;
868         }
869         return NT_STATUS_OK;
870 }
871
872 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security, 
873                                      TALLOC_CTX *mem_ctx, 
874                                      const DATA_BLOB *in, 
875                                      DATA_BLOB *out)
876 {
877         struct gensec_gssapi_state *gensec_gssapi_state
878                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
879         OM_uint32 maj_stat, min_stat;
880         gss_buffer_desc input_token, output_token;
881         int conf_state;
882         gss_qop_t qop_state;
883         input_token.length = in->length;
884         input_token.value = in->data;
885         
886         if (gensec_gssapi_state->sasl) {
887                 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
888                 if (max_wrapped_size < in->length) {
889                         DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
890                         return NT_STATUS_INVALID_PARAMETER;
891                 }
892         }
893         
894         maj_stat = gss_unwrap(&min_stat, 
895                               gensec_gssapi_state->gssapi_context, 
896                               &input_token,
897                               &output_token, 
898                               &conf_state,
899                               &qop_state);
900         if (GSS_ERROR(maj_stat)) {
901                 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n", 
902                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
903                 return NT_STATUS_ACCESS_DENIED;
904         }
905
906         *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
907         gss_release_buffer(&min_stat, &output_token);
908         
909         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
910             && !conf_state) {
911                 return NT_STATUS_ACCESS_DENIED;
912         }
913         return NT_STATUS_OK;
914 }
915
916 /* Find out the maximum input size negotiated on this connection */
917
918 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security) 
919 {
920         struct gensec_gssapi_state *gensec_gssapi_state
921                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
922         OM_uint32 maj_stat, min_stat;
923         OM_uint32 max_input_size;
924
925         maj_stat = gss_wrap_size_limit(&min_stat, 
926                                        gensec_gssapi_state->gssapi_context,
927                                        gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
928                                        GSS_C_QOP_DEFAULT,
929                                        gensec_gssapi_state->max_wrap_buf_size,
930                                        &max_input_size);
931         if (GSS_ERROR(maj_stat)) {
932                 TALLOC_CTX *mem_ctx = talloc_new(NULL); 
933                 DEBUG(1, ("gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n", 
934                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
935                 talloc_free(mem_ctx);
936                 return 0;
937         }
938
939         return max_input_size;
940 }
941
942 /* Find out the maximum output size negotiated on this connection */
943 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security) 
944 {
945         struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
946         return gensec_gssapi_state->max_wrap_buf_size;
947 }
948
949 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security, 
950                                           TALLOC_CTX *mem_ctx, 
951                                           uint8_t *data, size_t length, 
952                                           const uint8_t *whole_pdu, size_t pdu_length, 
953                                           DATA_BLOB *sig)
954 {
955         struct gensec_gssapi_state *gensec_gssapi_state
956                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
957         OM_uint32 maj_stat, min_stat;
958         gss_buffer_desc input_token, output_token;
959         int conf_state;
960         ssize_t sig_length;
961
962         input_token.length = length;
963         input_token.value = data;
964         
965         maj_stat = gss_wrap(&min_stat, 
966                             gensec_gssapi_state->gssapi_context,
967                             gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
968                             GSS_C_QOP_DEFAULT,
969                             &input_token,
970                             &conf_state,
971                             &output_token);
972         if (GSS_ERROR(maj_stat)) {
973                 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n", 
974                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
975                 return NT_STATUS_ACCESS_DENIED;
976         }
977
978         if (output_token.length < input_token.length) {
979                 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n", 
980                           (long)output_token.length, (long)length));
981                 return NT_STATUS_INTERNAL_ERROR;
982         }
983         sig_length = output_token.length - input_token.length;
984
985         memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
986         *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
987
988         dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
989         dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
990         dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
991
992         gss_release_buffer(&min_stat, &output_token);
993
994         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
995             && !conf_state) {
996                 return NT_STATUS_ACCESS_DENIED;
997         }
998         return NT_STATUS_OK;
999 }
1000
1001 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, 
1002                                             TALLOC_CTX *mem_ctx, 
1003                                             uint8_t *data, size_t length, 
1004                                             const uint8_t *whole_pdu, size_t pdu_length,
1005                                             const DATA_BLOB *sig)
1006 {
1007         struct gensec_gssapi_state *gensec_gssapi_state
1008                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1009         OM_uint32 maj_stat, min_stat;
1010         gss_buffer_desc input_token, output_token;
1011         int conf_state;
1012         gss_qop_t qop_state;
1013         DATA_BLOB in;
1014
1015         dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
1016
1017         in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
1018
1019         memcpy(in.data, sig->data, sig->length);
1020         memcpy(in.data + sig->length, data, length);
1021
1022         input_token.length = in.length;
1023         input_token.value = in.data;
1024         
1025         maj_stat = gss_unwrap(&min_stat, 
1026                               gensec_gssapi_state->gssapi_context, 
1027                               &input_token,
1028                               &output_token, 
1029                               &conf_state,
1030                               &qop_state);
1031         if (GSS_ERROR(maj_stat)) {
1032                 DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n", 
1033                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1034                 return NT_STATUS_ACCESS_DENIED;
1035         }
1036
1037         if (output_token.length != length) {
1038                 return NT_STATUS_INTERNAL_ERROR;
1039         }
1040
1041         memcpy(data, output_token.value, length);
1042
1043         gss_release_buffer(&min_stat, &output_token);
1044         
1045         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1046             && !conf_state) {
1047                 return NT_STATUS_ACCESS_DENIED;
1048         }
1049         return NT_STATUS_OK;
1050 }
1051
1052 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security, 
1053                                           TALLOC_CTX *mem_ctx, 
1054                                           const uint8_t *data, size_t length, 
1055                                           const uint8_t *whole_pdu, size_t pdu_length, 
1056                                           DATA_BLOB *sig)
1057 {
1058         struct gensec_gssapi_state *gensec_gssapi_state
1059                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1060         OM_uint32 maj_stat, min_stat;
1061         gss_buffer_desc input_token, output_token;
1062
1063         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1064                 input_token.length = pdu_length;
1065                 input_token.value = discard_const_p(uint8_t *, whole_pdu);
1066         } else {
1067                 input_token.length = length;
1068                 input_token.value = discard_const_p(uint8_t *, data);
1069         }
1070
1071         maj_stat = gss_get_mic(&min_stat,
1072                             gensec_gssapi_state->gssapi_context,
1073                             GSS_C_QOP_DEFAULT,
1074                             &input_token,
1075                             &output_token);
1076         if (GSS_ERROR(maj_stat)) {
1077                 DEBUG(1, ("GSS GetMic failed: %s\n",
1078                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1079                 return NT_STATUS_ACCESS_DENIED;
1080         }
1081
1082         *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length);
1083
1084         dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1085
1086         gss_release_buffer(&min_stat, &output_token);
1087
1088         return NT_STATUS_OK;
1089 }
1090
1091 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, 
1092                                            TALLOC_CTX *mem_ctx, 
1093                                            const uint8_t *data, size_t length, 
1094                                            const uint8_t *whole_pdu, size_t pdu_length, 
1095                                            const DATA_BLOB *sig)
1096 {
1097         struct gensec_gssapi_state *gensec_gssapi_state
1098                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1099         OM_uint32 maj_stat, min_stat;
1100         gss_buffer_desc input_token;
1101         gss_buffer_desc input_message;
1102         gss_qop_t qop_state;
1103
1104         dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1105
1106         if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1107                 input_message.length = pdu_length;
1108                 input_message.value = discard_const(whole_pdu);
1109         } else {
1110                 input_message.length = length;
1111                 input_message.value = discard_const(data);
1112         }
1113
1114         input_token.length = sig->length;
1115         input_token.value = sig->data;
1116
1117         maj_stat = gss_verify_mic(&min_stat,
1118                               gensec_gssapi_state->gssapi_context, 
1119                               &input_message,
1120                               &input_token,
1121                               &qop_state);
1122         if (GSS_ERROR(maj_stat)) {
1123                 DEBUG(1, ("GSS VerifyMic failed: %s\n",
1124                           gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1125                 return NT_STATUS_ACCESS_DENIED;
1126         }
1127
1128         return NT_STATUS_OK;
1129 }
1130
1131 /* Try to figure out what features we actually got on the connection */
1132 static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, 
1133                                        uint32_t feature) 
1134 {
1135         struct gensec_gssapi_state *gensec_gssapi_state
1136                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1137         if (feature & GENSEC_FEATURE_SIGN) {
1138                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1139                 if (gensec_gssapi_state->sasl 
1140                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1141                         return ((gensec_gssapi_state->sasl_protection & NEG_SIGN) 
1142                                 && (gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG));
1143                 }
1144                 return gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG;
1145         }
1146         if (feature & GENSEC_FEATURE_SEAL) {
1147                 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1148                 if (gensec_gssapi_state->sasl 
1149                     && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1150                         return ((gensec_gssapi_state->sasl_protection & NEG_SEAL) 
1151                                  && (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG));
1152                 }
1153                 return gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG;
1154         }
1155         if (feature & GENSEC_FEATURE_SESSION_KEY) {
1156                 /* Only for GSSAPI/Krb5 */
1157                 if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
1158                         return true;
1159                 }
1160         }
1161         if (feature & GENSEC_FEATURE_DCE_STYLE) {
1162                 return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE;
1163         }
1164         if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
1165                 NTSTATUS status;
1166
1167                 if (!(gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG)) {
1168                         return false;
1169                 }
1170
1171                 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
1172                         return true;
1173                 }
1174                 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
1175                         return false;
1176                 }
1177
1178                 status = gensec_gssapi_init_lucid(gensec_gssapi_state);
1179                 if (!NT_STATUS_IS_OK(status)) {
1180                         return false;
1181                 }
1182
1183                 if (gensec_gssapi_state->lucid->protocol == 1) {
1184                         return true;
1185                 }
1186
1187                 return false;
1188         }
1189         /* We can always do async (rather than strict request/reply) packets.  */
1190         if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1191                 return true;
1192         }
1193         return false;
1194 }
1195
1196 /*
1197  * Extract the 'sesssion key' needed by SMB signing and ncacn_np 
1198  * (for encrypting some passwords).
1199  * 
1200  * This breaks all the abstractions, but what do you expect...
1201  */
1202 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security, 
1203                                           DATA_BLOB *session_key) 
1204 {
1205         struct gensec_gssapi_state *gensec_gssapi_state
1206                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1207         OM_uint32 maj_stat, min_stat;
1208         krb5_keyblock *subkey;
1209
1210         if (gensec_gssapi_state->sasl_state != STAGE_DONE) {
1211                 return NT_STATUS_NO_USER_SESSION_KEY;
1212         }
1213
1214         if (gensec_gssapi_state->session_key.data) {
1215                 *session_key = gensec_gssapi_state->session_key;
1216                 return NT_STATUS_OK;
1217         }
1218
1219         maj_stat = gsskrb5_get_subkey(&min_stat,
1220                                       gensec_gssapi_state->gssapi_context,
1221                                       &subkey);
1222         if (maj_stat != 0) {
1223                 DEBUG(1, ("NO session key for this mech\n"));
1224                 return NT_STATUS_NO_USER_SESSION_KEY;
1225         }
1226         
1227         DEBUG(10, ("Got KRB5 session key of length %d%s\n",
1228                    (int)KRB5_KEY_LENGTH(subkey),
1229                    (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":""));
1230         *session_key = data_blob_talloc(gensec_gssapi_state,
1231                                         KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
1232         krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
1233         gensec_gssapi_state->session_key = *session_key;
1234         dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
1235
1236         return NT_STATUS_OK;
1237 }
1238
1239 /* Get some basic (and authorization) information about the user on
1240  * this session.  This uses either the PAC (if present) or a local
1241  * database lookup */
1242 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1243                                            struct auth_session_info **_session_info) 
1244 {
1245         NTSTATUS nt_status;
1246         TALLOC_CTX *mem_ctx;
1247         struct gensec_gssapi_state *gensec_gssapi_state
1248                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1249         struct auth_serversupplied_info *server_info = NULL;
1250         struct auth_session_info *session_info = NULL;
1251         OM_uint32 maj_stat, min_stat;
1252         gss_buffer_desc pac;
1253         DATA_BLOB pac_blob;
1254         
1255         if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
1256             || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
1257                        gensec_gssapi_state->gss_oid->length) != 0)) {
1258                 DEBUG(1, ("NO session info available for this mech\n"));
1259                 return NT_STATUS_INVALID_PARAMETER;
1260         }
1261                 
1262         mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context"); 
1263         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
1264
1265         maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat, 
1266                                                                gensec_gssapi_state->gssapi_context, 
1267                                                                KRB5_AUTHDATA_WIN2K_PAC,
1268                                                                &pac);
1269         
1270         
1271         if (maj_stat == 0) {
1272                 pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
1273                 gss_release_buffer(&min_stat, &pac);
1274
1275         } else {
1276                 pac_blob = data_blob(NULL, 0);
1277         }
1278         
1279         /* IF we have the PAC - otherwise we need to get this
1280          * data from elsewere - local ldb, or (TODO) lookup of some
1281          * kind... 
1282          */
1283         if (pac_blob.length) {
1284                 nt_status = kerberos_pac_blob_to_server_info(mem_ctx, 
1285                                                              pac_blob, 
1286                                                              gensec_gssapi_state->smb_krb5_context->krb5_context,
1287                                                              &server_info);
1288                 if (!NT_STATUS_IS_OK(nt_status)) {
1289                         talloc_free(mem_ctx);
1290                         return nt_status;
1291                 }
1292         } else {
1293                 gss_buffer_desc name_token;
1294                 char *principal_string;
1295
1296                 maj_stat = gss_display_name (&min_stat,
1297                                              gensec_gssapi_state->client_name,
1298                                              &name_token,
1299                                              NULL);
1300                 if (GSS_ERROR(maj_stat)) {
1301                         DEBUG(1, ("GSS display_name failed: %s\n", 
1302                                   gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1303                         talloc_free(mem_ctx);
1304                         return NT_STATUS_FOOBAR;
1305                 }
1306                 
1307                 principal_string = talloc_strndup(mem_ctx, 
1308                                                   (const char *)name_token.value, 
1309                                                   name_token.length);
1310                 
1311                 gss_release_buffer(&min_stat, &name_token);
1312                 
1313                 if (!principal_string) {
1314                         talloc_free(mem_ctx);
1315                         return NT_STATUS_NO_MEMORY;
1316                 }
1317
1318                 if (gensec_security->auth_context && 
1319                     !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
1320                         DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
1321                                   gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1322                         nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, 
1323                                                                                              gensec_security->auth_context, 
1324                                                                                              principal_string,
1325                                                                                              NULL,
1326                                                                                              &server_info);
1327                         
1328                         if (!NT_STATUS_IS_OK(nt_status)) {
1329                                 talloc_free(mem_ctx);
1330                                 return nt_status;
1331                         }
1332                 } else {
1333                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
1334                                   principal_string,
1335                                   gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1336                         return NT_STATUS_ACCESS_DENIED;
1337                 }
1338         }
1339
1340         /* references the server_info into the session_info */
1341         nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
1342                                                  server_info, &session_info);
1343         if (!NT_STATUS_IS_OK(nt_status)) {
1344                 talloc_free(mem_ctx);
1345                 return nt_status;
1346         }
1347
1348         nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
1349         if (!NT_STATUS_IS_OK(nt_status)) {
1350                 talloc_free(mem_ctx);
1351                 return nt_status;
1352         }
1353
1354         if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
1355                 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1356         } else {
1357                 krb5_error_code ret;
1358                 const char *error_string;
1359
1360                 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1361                 session_info->credentials = cli_credentials_init(session_info);
1362                 if (!session_info->credentials) {
1363                         talloc_free(mem_ctx);
1364                         return NT_STATUS_NO_MEMORY;
1365                 }
1366
1367                 cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
1368                 /* Just so we don't segfault trying to get at a username */
1369                 cli_credentials_set_anonymous(session_info->credentials);
1370                 
1371                 ret = cli_credentials_set_client_gss_creds(session_info->credentials, 
1372                                                            gensec_security->event_ctx,
1373                                                            gensec_security->settings->lp_ctx,
1374                                                            gensec_gssapi_state->delegated_cred_handle,
1375                                                            CRED_SPECIFIED, &error_string);
1376                 if (ret) {
1377                         talloc_free(mem_ctx);
1378                         DEBUG(2,("Failed to get gss creds: %s\n", error_string));
1379                         return NT_STATUS_NO_MEMORY;
1380                 }
1381                 
1382                 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1383                 cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1384
1385                 /* It has been taken from this place... */
1386                 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1387         }
1388         talloc_steal(gensec_gssapi_state, session_info);
1389         talloc_free(mem_ctx);
1390         *_session_info = session_info;
1391
1392         return NT_STATUS_OK;
1393 }
1394
1395 static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1396 {
1397         struct gensec_gssapi_state *gensec_gssapi_state
1398                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1399         NTSTATUS status;
1400
1401         if (gensec_gssapi_state->sig_size) {
1402                 return gensec_gssapi_state->sig_size;
1403         }
1404
1405         if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1406                 gensec_gssapi_state->sig_size = 45;
1407         } else {
1408                 gensec_gssapi_state->sig_size = 37;
1409         }
1410
1411         status = gensec_gssapi_init_lucid(gensec_gssapi_state);
1412         if (!NT_STATUS_IS_OK(status)) {
1413                 return gensec_gssapi_state->sig_size;
1414         }
1415
1416         if (gensec_gssapi_state->lucid->protocol == 1) {
1417                 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1418                         /*
1419                          * TODO: windows uses 76 here, but we don't know
1420                          *       gss_wrap works with aes keys yet
1421                          */
1422                         gensec_gssapi_state->sig_size = 76;
1423                 } else {
1424                         gensec_gssapi_state->sig_size = 28;
1425                 }
1426         } else if (gensec_gssapi_state->lucid->protocol == 0) {
1427                 switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
1428                 case KEYTYPE_DES:
1429                 case KEYTYPE_ARCFOUR:
1430                 case KEYTYPE_ARCFOUR_56:
1431                         if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1432                                 gensec_gssapi_state->sig_size = 45;
1433                         } else {
1434                                 gensec_gssapi_state->sig_size = 37;
1435                         }
1436                         break;
1437                 case KEYTYPE_DES3:
1438                         if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1439                                 gensec_gssapi_state->sig_size = 57;
1440                         } else {
1441                                 gensec_gssapi_state->sig_size = 49;
1442                         }
1443                         break;
1444                 }
1445         }
1446
1447         return gensec_gssapi_state->sig_size;
1448 }
1449
1450 static const char *gensec_gssapi_krb5_oids[] = { 
1451         GENSEC_OID_KERBEROS5_OLD,
1452         GENSEC_OID_KERBEROS5,
1453         NULL 
1454 };
1455
1456 static const char *gensec_gssapi_spnego_oids[] = { 
1457         GENSEC_OID_SPNEGO,
1458         NULL 
1459 };
1460
1461 /* As a server, this could in theory accept any GSSAPI mech */
1462 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1463         .name           = "gssapi_spnego",
1464         .sasl_name      = "GSS-SPNEGO",
1465         .auth_type      = DCERPC_AUTH_TYPE_SPNEGO,
1466         .oid            = gensec_gssapi_spnego_oids,
1467         .client_start   = gensec_gssapi_client_start,
1468         .server_start   = gensec_gssapi_server_start,
1469         .magic          = gensec_gssapi_magic,
1470         .update         = gensec_gssapi_update,
1471         .session_key    = gensec_gssapi_session_key,
1472         .session_info   = gensec_gssapi_session_info,
1473         .sign_packet    = gensec_gssapi_sign_packet,
1474         .check_packet   = gensec_gssapi_check_packet,
1475         .seal_packet    = gensec_gssapi_seal_packet,
1476         .unseal_packet  = gensec_gssapi_unseal_packet,
1477         .wrap           = gensec_gssapi_wrap,
1478         .unwrap         = gensec_gssapi_unwrap,
1479         .have_feature   = gensec_gssapi_have_feature,
1480         .enabled        = false,
1481         .kerberos       = true,
1482         .priority       = GENSEC_GSSAPI
1483 };
1484
1485 /* As a server, this could in theory accept any GSSAPI mech */
1486 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1487         .name           = "gssapi_krb5",
1488         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
1489         .oid            = gensec_gssapi_krb5_oids,
1490         .client_start   = gensec_gssapi_client_start,
1491         .server_start   = gensec_gssapi_server_start,
1492         .magic          = gensec_gssapi_magic,
1493         .update         = gensec_gssapi_update,
1494         .session_key    = gensec_gssapi_session_key,
1495         .session_info   = gensec_gssapi_session_info,
1496         .sig_size       = gensec_gssapi_sig_size,
1497         .sign_packet    = gensec_gssapi_sign_packet,
1498         .check_packet   = gensec_gssapi_check_packet,
1499         .seal_packet    = gensec_gssapi_seal_packet,
1500         .unseal_packet  = gensec_gssapi_unseal_packet,
1501         .wrap           = gensec_gssapi_wrap,
1502         .unwrap         = gensec_gssapi_unwrap,
1503         .have_feature   = gensec_gssapi_have_feature,
1504         .enabled        = true,
1505         .kerberos       = true,
1506         .priority       = GENSEC_GSSAPI
1507 };
1508
1509 /* As a server, this could in theory accept any GSSAPI mech */
1510 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1511         .name             = "gssapi_krb5_sasl",
1512         .sasl_name        = "GSSAPI",
1513         .client_start     = gensec_gssapi_sasl_client_start,
1514         .server_start     = gensec_gssapi_sasl_server_start,
1515         .update           = gensec_gssapi_update,
1516         .session_key      = gensec_gssapi_session_key,
1517         .session_info     = gensec_gssapi_session_info,
1518         .max_input_size   = gensec_gssapi_max_input_size,
1519         .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1520         .wrap             = gensec_gssapi_wrap,
1521         .unwrap           = gensec_gssapi_unwrap,
1522         .have_feature     = gensec_gssapi_have_feature,
1523         .enabled          = true,
1524         .kerberos         = true,
1525         .priority         = GENSEC_GSSAPI
1526 };
1527
1528 _PUBLIC_ NTSTATUS gensec_gssapi_init(void)
1529 {
1530         NTSTATUS ret;
1531
1532         ret = gensec_register(&gensec_gssapi_spnego_security_ops);
1533         if (!NT_STATUS_IS_OK(ret)) {
1534                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1535                         gensec_gssapi_spnego_security_ops.name));
1536                 return ret;
1537         }
1538
1539         ret = gensec_register(&gensec_gssapi_krb5_security_ops);
1540         if (!NT_STATUS_IS_OK(ret)) {
1541                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1542                         gensec_gssapi_krb5_security_ops.name));
1543                 return ret;
1544         }
1545
1546         ret = gensec_register(&gensec_gssapi_sasl_krb5_security_ops);
1547         if (!NT_STATUS_IS_OK(ret)) {
1548                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1549                         gensec_gssapi_sasl_krb5_security_ops.name));
1550                 return ret;
1551         }
1552
1553         return ret;
1554 }