2 Unix SMB/CIFS implementation.
4 Kerberos backend for GENSEC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "lib/events/events.h"
26 #include "system/kerberos.h"
27 #include "auth/kerberos/kerberos.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29 #include "auth/auth.h"
30 #include "lib/ldb/include/ldb.h"
31 #include "auth/auth_sam.h"
32 #include "librpc/rpc/dcerpc.h"
33 #include "auth/credentials/credentials.h"
34 #include "auth/credentials/credentials_krb5.h"
35 #include "auth/gensec/gensec.h"
36 #include "auth/gensec/gensec_proto.h"
37 #include "param/param.h"
38 #include "auth/session_proto.h"
39 #include <gssapi/gssapi.h>
40 #include <gssapi/gssapi_krb5.h>
42 enum gensec_gssapi_sasl_state
46 STAGE_SASL_SSF_ACCEPT,
54 struct gensec_gssapi_state {
55 gss_ctx_id_t gssapi_context;
56 struct gss_channel_bindings_struct *input_chan_bindings;
57 gss_name_t server_name;
58 gss_name_t client_name;
59 OM_uint32 want_flags, got_flags;
62 DATA_BLOB session_key;
65 struct smb_krb5_context *smb_krb5_context;
66 struct gssapi_creds_container *client_cred;
67 struct gssapi_creds_container *server_cred;
69 gss_cred_id_t delegated_cred_handle;
71 bool sasl; /* We have two different mechs in this file: One
72 * for SASL wrapped GSSAPI and another for normal
74 enum gensec_gssapi_sasl_state sasl_state;
75 uint8_t sasl_protection; /* What was negotiated at the SASL
76 * layer, independent of the GSSAPI
79 size_t max_wrap_buf_size;
80 int gss_exchange_count;
84 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
85 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
87 static char *gssapi_error_string(TALLOC_CTX *mem_ctx,
88 OM_uint32 maj_stat, OM_uint32 min_stat,
91 OM_uint32 disp_min_stat, disp_maj_stat;
92 gss_buffer_desc maj_error_message;
93 gss_buffer_desc min_error_message;
94 char *maj_error_string, *min_error_string;
95 OM_uint32 msg_ctx = 0;
99 maj_error_message.value = NULL;
100 min_error_message.value = NULL;
101 maj_error_message.length = 0;
102 min_error_message.length = 0;
104 disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
105 mech, &msg_ctx, &maj_error_message);
106 disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
107 mech, &msg_ctx, &min_error_message);
109 maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
111 min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
113 ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
115 talloc_free(maj_error_string);
116 talloc_free(min_error_string);
118 gss_release_buffer(&disp_min_stat, &maj_error_message);
119 gss_release_buffer(&disp_min_stat, &min_error_message);
125 static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
127 OM_uint32 maj_stat, min_stat;
129 if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
130 maj_stat = gss_release_cred(&min_stat,
131 &gensec_gssapi_state->delegated_cred_handle);
134 if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
135 maj_stat = gss_delete_sec_context (&min_stat,
136 &gensec_gssapi_state->gssapi_context,
140 if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
141 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->server_name);
143 if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
144 maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
149 static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
151 struct gensec_gssapi_state *gensec_gssapi_state;
153 struct gsskrb5_send_to_kdc send_to_kdc;
155 gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
156 if (!gensec_gssapi_state) {
157 return NT_STATUS_NO_MEMORY;
160 gensec_gssapi_state->gss_exchange_count = 0;
161 gensec_gssapi_state->max_wrap_buf_size
162 = lp_parm_int(gensec_security->lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536);
164 gensec_gssapi_state->sasl = false;
165 gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
167 gensec_security->private_data = gensec_gssapi_state;
169 gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
170 gensec_gssapi_state->server_name = GSS_C_NO_NAME;
171 gensec_gssapi_state->client_name = GSS_C_NO_NAME;
173 /* TODO: Fill in channel bindings */
174 gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
176 gensec_gssapi_state->want_flags = 0;
177 if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "mutual", true)) {
178 gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
180 if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "delegation", true)) {
181 gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
183 if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "replay", true)) {
184 gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
186 if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "sequence", true)) {
187 gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
190 gensec_gssapi_state->got_flags = 0;
192 gensec_gssapi_state->session_key = data_blob(NULL, 0);
193 gensec_gssapi_state->pac = data_blob(NULL, 0);
195 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
196 gensec_gssapi_state->sig_size = 0;
198 talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
200 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
201 gensec_gssapi_state->want_flags |= GSS_C_INTEG_FLAG;
203 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
204 gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG;
206 if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
207 gensec_gssapi_state->want_flags |= GSS_C_DCE_STYLE;
210 gensec_gssapi_state->gss_oid = GSS_C_NULL_OID;
212 send_to_kdc.func = smb_krb5_send_and_recv_func;
213 send_to_kdc.ptr = gensec_security->event_ctx;
215 ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
217 DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
218 talloc_free(gensec_gssapi_state);
219 return NT_STATUS_INTERNAL_ERROR;
221 if (lp_realm(gensec_security->lp_ctx) && *lp_realm(gensec_security->lp_ctx)) {
222 char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->lp_ctx));
224 DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->lp_ctx)));
225 talloc_free(gensec_gssapi_state);
226 return NT_STATUS_NO_MEMORY;
228 ret = gsskrb5_set_default_realm(upper_realm);
229 talloc_free(upper_realm);
231 DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
232 talloc_free(gensec_gssapi_state);
233 return NT_STATUS_INTERNAL_ERROR;
237 /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
238 ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(gensec_security->lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
240 DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
241 talloc_free(gensec_gssapi_state);
242 return NT_STATUS_INTERNAL_ERROR;
245 ret = smb_krb5_init_context(gensec_gssapi_state,
246 gensec_security->event_ctx,
247 gensec_security->lp_ctx,
248 &gensec_gssapi_state->smb_krb5_context);
250 DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
251 error_message(ret)));
252 talloc_free(gensec_gssapi_state);
253 return NT_STATUS_INTERNAL_ERROR;
258 static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
262 struct gensec_gssapi_state *gensec_gssapi_state;
263 struct cli_credentials *machine_account;
264 struct gssapi_creds_container *gcc;
266 nt_status = gensec_gssapi_start(gensec_security);
267 if (!NT_STATUS_IS_OK(nt_status)) {
271 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
273 machine_account = gensec_get_credentials(gensec_security);
275 if (!machine_account) {
276 DEBUG(3, ("No machine account credentials specified\n"));
277 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
279 ret = cli_credentials_get_server_gss_creds(machine_account,
280 gensec_security->event_ctx,
281 gensec_security->lp_ctx, &gcc);
283 DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
284 error_message(ret)));
285 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
289 gensec_gssapi_state->server_cred = gcc;
294 static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
297 struct gensec_gssapi_state *gensec_gssapi_state;
298 nt_status = gensec_gssapi_server_start(gensec_security);
300 if (NT_STATUS_IS_OK(nt_status)) {
301 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
302 gensec_gssapi_state->sasl = true;
307 static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
309 struct gensec_gssapi_state *gensec_gssapi_state;
310 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
313 gss_buffer_desc name_token;
315 OM_uint32 maj_stat, min_stat;
316 const char *hostname = gensec_get_target_hostname(gensec_security);
317 const char *principal;
318 struct gssapi_creds_container *gcc;
321 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
322 return NT_STATUS_INVALID_PARAMETER;
324 if (is_ipaddress(hostname)) {
325 DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
326 return NT_STATUS_INVALID_PARAMETER;
328 if (strcmp(hostname, "localhost") == 0) {
329 DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
330 return NT_STATUS_INVALID_PARAMETER;
333 nt_status = gensec_gssapi_start(gensec_security);
334 if (!NT_STATUS_IS_OK(nt_status)) {
338 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
340 gensec_gssapi_state->gss_oid = gss_mech_krb5;
342 principal = gensec_get_target_principal(gensec_security);
343 if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
344 name_type = GSS_C_NULL_OID;
346 principal = talloc_asprintf(gensec_gssapi_state, "%s@%s",
347 gensec_get_target_service(gensec_security),
350 name_type = GSS_C_NT_HOSTBASED_SERVICE;
352 name_token.value = discard_const_p(uint8_t, principal);
353 name_token.length = strlen(principal);
356 maj_stat = gss_import_name (&min_stat,
359 &gensec_gssapi_state->server_name);
361 DEBUG(2, ("GSS Import name of %s failed: %s\n",
362 (char *)name_token.value,
363 gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
364 return NT_STATUS_INVALID_PARAMETER;
367 ret = cli_credentials_get_client_gss_creds(creds,
368 gensec_security->event_ctx,
369 gensec_security->lp_ctx, &gcc);
373 case KRB5KDC_ERR_PREAUTH_FAILED:
374 return NT_STATUS_LOGON_FAILURE;
375 case KRB5_KDC_UNREACH:
376 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
377 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
379 DEBUG(1, ("Aquiring initiator credentials failed\n"));
380 return NT_STATUS_UNSUCCESSFUL;
383 gensec_gssapi_state->client_cred = gcc;
384 if (!talloc_reference(gensec_gssapi_state, gcc)) {
385 return NT_STATUS_NO_MEMORY;
391 static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
394 struct gensec_gssapi_state *gensec_gssapi_state;
395 nt_status = gensec_gssapi_client_start(gensec_security);
397 if (NT_STATUS_IS_OK(nt_status)) {
398 gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
399 gensec_gssapi_state->sasl = true;
406 * Check if the packet is one for this mechansim
408 * @param gensec_security GENSEC state
409 * @param in The request, as a DATA_BLOB
410 * @return Error, INVALID_PARAMETER if it's not a packet for us
411 * or NT_STATUS_OK if the packet is ok.
414 static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security,
417 if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
420 return NT_STATUS_INVALID_PARAMETER;
426 * Next state function for the GSSAPI GENSEC mechanism
428 * @param gensec_gssapi_state GSSAPI State
429 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
430 * @param in The request, as a DATA_BLOB
431 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
432 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
433 * or NT_STATUS_OK if the user is authenticated.
436 static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
437 TALLOC_CTX *out_mem_ctx,
438 const DATA_BLOB in, DATA_BLOB *out)
440 struct gensec_gssapi_state *gensec_gssapi_state
441 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
442 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
443 OM_uint32 maj_stat, min_stat;
445 gss_buffer_desc input_token, output_token;
446 gss_OID gss_oid_p = NULL;
447 input_token.length = in.length;
448 input_token.value = in.data;
450 switch (gensec_gssapi_state->sasl_state) {
453 switch (gensec_security->gensec_role) {
456 maj_stat = gss_init_sec_context(&min_stat,
457 gensec_gssapi_state->client_cred->creds,
458 &gensec_gssapi_state->gssapi_context,
459 gensec_gssapi_state->server_name,
460 gensec_gssapi_state->gss_oid,
461 gensec_gssapi_state->want_flags,
463 gensec_gssapi_state->input_chan_bindings,
467 &gensec_gssapi_state->got_flags, /* ret flags */
470 gensec_gssapi_state->gss_oid = gss_oid_p;
476 maj_stat = gss_accept_sec_context(&min_stat,
477 &gensec_gssapi_state->gssapi_context,
478 gensec_gssapi_state->server_cred->creds,
480 gensec_gssapi_state->input_chan_bindings,
481 &gensec_gssapi_state->client_name,
484 &gensec_gssapi_state->got_flags,
486 &gensec_gssapi_state->delegated_cred_handle);
488 gensec_gssapi_state->gss_oid = gss_oid_p;
493 return NT_STATUS_INVALID_PARAMETER;
497 gensec_gssapi_state->gss_exchange_count++;
499 if (maj_stat == GSS_S_COMPLETE) {
500 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
501 gss_release_buffer(&min_stat2, &output_token);
503 if (gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG) {
504 DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
506 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
509 /* We may have been invoked as SASL, so there
510 * is more work to do */
511 if (gensec_gssapi_state->sasl) {
512 /* Due to a very subtle interaction
513 * with SASL and the LDAP libs, we
514 * must ensure the data pointer is
515 * != NULL, but the length is 0.
517 * This ensures we send a 'zero
518 * length' (rather than NULL) response
522 out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
525 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
526 return NT_STATUS_MORE_PROCESSING_REQUIRED;
528 gensec_gssapi_state->sasl_state = STAGE_DONE;
530 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
531 DEBUG(5, ("GSSAPI Connection will be cryptographicly sealed\n"));
532 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
533 DEBUG(5, ("GSSAPI Connection will be cryptographicly signed\n"));
535 DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
540 } else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
541 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
542 gss_release_buffer(&min_stat2, &output_token);
544 return NT_STATUS_MORE_PROCESSING_REQUIRED;
545 } else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
547 case KRB5_KDC_UNREACH:
548 DEBUG(3, ("Cannot reach a KDC we require: %s\n",
549 gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
550 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
551 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
552 DEBUG(3, ("Server is not registered with our KDC: %s\n",
553 gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
554 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
555 case KRB5KRB_AP_ERR_MSG_TYPE:
556 /* garbage input, possibly from the auto-mech detection */
557 return NT_STATUS_INVALID_PARAMETER;
559 DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n",
560 gensec_gssapi_state->gss_exchange_count,
561 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
565 DEBUG(1, ("GSS Update(%d) failed: %s\n",
566 gensec_gssapi_state->gss_exchange_count,
567 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
573 /* These last two stages are only done if we were invoked as SASL */
574 case STAGE_SASL_SSF_NEG:
576 switch (gensec_security->gensec_role) {
579 uint8_t maxlength_proposed[4];
580 uint8_t maxlength_accepted[4];
581 uint8_t security_supported;
584 input_token.length = in.length;
585 input_token.value = in.data;
587 /* As a client, we have just send a
588 * zero-length blob to the server (after the
589 * normal GSSAPI exchange), and it has replied
590 * with it's SASL negotiation */
592 maj_stat = gss_unwrap(&min_stat,
593 gensec_gssapi_state->gssapi_context,
598 if (GSS_ERROR(maj_stat)) {
599 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
600 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
601 return NT_STATUS_ACCESS_DENIED;
604 if (output_token.length < 4) {
605 return NT_STATUS_INVALID_PARAMETER;
608 memcpy(maxlength_proposed, output_token.value, 4);
609 gss_release_buffer(&min_stat, &output_token);
611 /* first byte is the proposed security */
612 security_supported = maxlength_proposed[0];
613 maxlength_proposed[0] = '\0';
615 /* Rest is the proposed max wrap length */
616 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0),
617 gensec_gssapi_state->max_wrap_buf_size);
618 gensec_gssapi_state->sasl_protection = 0;
619 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
620 if (security_supported & NEG_SEAL) {
621 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
623 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
624 if (security_supported & NEG_SIGN) {
625 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
627 } else if (security_supported & NEG_NONE) {
628 gensec_gssapi_state->sasl_protection |= NEG_NONE;
630 DEBUG(1, ("Remote server does not support unprotected connections"));
631 return NT_STATUS_ACCESS_DENIED;
634 /* Send back the negotiated max length */
636 RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
638 maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
640 input_token.value = maxlength_accepted;
641 input_token.length = sizeof(maxlength_accepted);
643 maj_stat = gss_wrap(&min_stat,
644 gensec_gssapi_state->gssapi_context,
650 if (GSS_ERROR(maj_stat)) {
651 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
652 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
653 return NT_STATUS_ACCESS_DENIED;
656 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
657 gss_release_buffer(&min_stat, &output_token);
659 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
660 gensec_gssapi_state->sasl_state = STAGE_DONE;
662 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
663 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
664 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
665 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
667 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
674 uint8_t maxlength_proposed[4];
675 uint8_t security_supported = 0x0;
678 /* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
679 if (in.length != 0) {
680 DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
683 /* Give the client some idea what we will support */
685 RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
686 /* first byte is the proposed security */
687 maxlength_proposed[0] = '\0';
689 gensec_gssapi_state->sasl_protection = 0;
690 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
691 security_supported |= NEG_SEAL;
693 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
694 security_supported |= NEG_SIGN;
696 if (security_supported == 0) {
697 /* If we don't support anything, this must be 0 */
698 RSIVAL(maxlength_proposed, 0, 0x0);
701 /* TODO: We may not wish to support this */
702 security_supported |= NEG_NONE;
703 maxlength_proposed[0] = security_supported;
705 input_token.value = maxlength_proposed;
706 input_token.length = sizeof(maxlength_proposed);
708 maj_stat = gss_wrap(&min_stat,
709 gensec_gssapi_state->gssapi_context,
715 if (GSS_ERROR(maj_stat)) {
716 DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
717 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
718 return NT_STATUS_ACCESS_DENIED;
721 *out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
722 gss_release_buffer(&min_stat, &output_token);
724 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
725 return NT_STATUS_MORE_PROCESSING_REQUIRED;
728 return NT_STATUS_INVALID_PARAMETER;
732 /* This is s server-only stage */
733 case STAGE_SASL_SSF_ACCEPT:
735 uint8_t maxlength_accepted[4];
736 uint8_t security_accepted;
739 input_token.length = in.length;
740 input_token.value = in.data;
742 maj_stat = gss_unwrap(&min_stat,
743 gensec_gssapi_state->gssapi_context,
748 if (GSS_ERROR(maj_stat)) {
749 DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
750 gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
751 return NT_STATUS_ACCESS_DENIED;
754 if (output_token.length < 4) {
755 return NT_STATUS_INVALID_PARAMETER;
758 memcpy(maxlength_accepted, output_token.value, 4);
759 gss_release_buffer(&min_stat, &output_token);
761 /* first byte is the proposed security */
762 security_accepted = maxlength_accepted[0];
763 maxlength_accepted[0] = '\0';
765 /* Rest is the proposed max wrap length */
766 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0),
767 gensec_gssapi_state->max_wrap_buf_size);
769 gensec_gssapi_state->sasl_protection = 0;
770 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
771 if (security_accepted & NEG_SEAL) {
772 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
774 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
775 if (security_accepted & NEG_SIGN) {
776 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
778 } else if (security_accepted & NEG_NONE) {
779 gensec_gssapi_state->sasl_protection |= NEG_NONE;
781 DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
782 return NT_STATUS_ACCESS_DENIED;
785 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
786 gensec_gssapi_state->sasl_state = STAGE_DONE;
787 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
788 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
789 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
790 DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
792 DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
795 *out = data_blob(NULL, 0);
799 return NT_STATUS_INVALID_PARAMETER;
803 static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security,
808 struct gensec_gssapi_state *gensec_gssapi_state
809 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
810 OM_uint32 maj_stat, min_stat;
811 gss_buffer_desc input_token, output_token;
813 input_token.length = in->length;
814 input_token.value = in->data;
816 maj_stat = gss_wrap(&min_stat,
817 gensec_gssapi_state->gssapi_context,
818 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
823 if (GSS_ERROR(maj_stat)) {
824 DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
825 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
826 return NT_STATUS_ACCESS_DENIED;
829 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
830 gss_release_buffer(&min_stat, &output_token);
832 if (gensec_gssapi_state->sasl) {
833 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
834 if (max_wrapped_size < out->length) {
835 DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
836 (unsigned)in->length,
837 (unsigned)out->length,
838 (unsigned int)max_wrapped_size));
839 return NT_STATUS_INVALID_PARAMETER;
843 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
845 return NT_STATUS_ACCESS_DENIED;
850 static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security,
855 struct gensec_gssapi_state *gensec_gssapi_state
856 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
857 OM_uint32 maj_stat, min_stat;
858 gss_buffer_desc input_token, output_token;
861 input_token.length = in->length;
862 input_token.value = in->data;
864 if (gensec_gssapi_state->sasl) {
865 size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
866 if (max_wrapped_size < in->length) {
867 DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
868 return NT_STATUS_INVALID_PARAMETER;
872 maj_stat = gss_unwrap(&min_stat,
873 gensec_gssapi_state->gssapi_context,
878 if (GSS_ERROR(maj_stat)) {
879 DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n",
880 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
881 return NT_STATUS_ACCESS_DENIED;
884 *out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
885 gss_release_buffer(&min_stat, &output_token);
887 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
889 return NT_STATUS_ACCESS_DENIED;
894 /* Find out the maximum input size negotiated on this connection */
896 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security)
898 struct gensec_gssapi_state *gensec_gssapi_state
899 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
900 OM_uint32 maj_stat, min_stat;
901 OM_uint32 max_input_size;
903 maj_stat = gss_wrap_size_limit(&min_stat,
904 gensec_gssapi_state->gssapi_context,
905 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
907 gensec_gssapi_state->max_wrap_buf_size,
909 if (GSS_ERROR(maj_stat)) {
910 TALLOC_CTX *mem_ctx = talloc_new(NULL);
911 DEBUG(1, ("gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n",
912 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
913 talloc_free(mem_ctx);
917 return max_input_size;
920 /* Find out the maximum output size negotiated on this connection */
921 static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security)
923 struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
924 return gensec_gssapi_state->max_wrap_buf_size;
927 static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security,
929 uint8_t *data, size_t length,
930 const uint8_t *whole_pdu, size_t pdu_length,
933 struct gensec_gssapi_state *gensec_gssapi_state
934 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
935 OM_uint32 maj_stat, min_stat;
936 gss_buffer_desc input_token, output_token;
940 input_token.length = length;
941 input_token.value = data;
943 maj_stat = gss_wrap(&min_stat,
944 gensec_gssapi_state->gssapi_context,
945 gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
950 if (GSS_ERROR(maj_stat)) {
951 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n",
952 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
953 return NT_STATUS_ACCESS_DENIED;
956 if (output_token.length < input_token.length) {
957 DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
958 (long)output_token.length, (long)length));
959 return NT_STATUS_INTERNAL_ERROR;
961 sig_length = output_token.length - input_token.length;
963 memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
964 *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
966 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
967 dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
968 dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
970 gss_release_buffer(&min_stat, &output_token);
972 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
974 return NT_STATUS_ACCESS_DENIED;
979 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security,
981 uint8_t *data, size_t length,
982 const uint8_t *whole_pdu, size_t pdu_length,
983 const DATA_BLOB *sig)
985 struct gensec_gssapi_state *gensec_gssapi_state
986 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
987 OM_uint32 maj_stat, min_stat;
988 gss_buffer_desc input_token, output_token;
993 dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
995 in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
997 memcpy(in.data, sig->data, sig->length);
998 memcpy(in.data + sig->length, data, length);
1000 input_token.length = in.length;
1001 input_token.value = in.data;
1003 maj_stat = gss_unwrap(&min_stat,
1004 gensec_gssapi_state->gssapi_context,
1009 if (GSS_ERROR(maj_stat)) {
1010 DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n",
1011 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1012 return NT_STATUS_ACCESS_DENIED;
1015 if (output_token.length != length) {
1016 return NT_STATUS_INTERNAL_ERROR;
1019 memcpy(data, output_token.value, length);
1021 gss_release_buffer(&min_stat, &output_token);
1023 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1025 return NT_STATUS_ACCESS_DENIED;
1027 return NT_STATUS_OK;
1030 static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security,
1031 TALLOC_CTX *mem_ctx,
1032 const uint8_t *data, size_t length,
1033 const uint8_t *whole_pdu, size_t pdu_length,
1036 struct gensec_gssapi_state *gensec_gssapi_state
1037 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1038 OM_uint32 maj_stat, min_stat;
1039 gss_buffer_desc input_token, output_token;
1041 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1042 input_token.length = pdu_length;
1043 input_token.value = discard_const_p(uint8_t *, whole_pdu);
1045 input_token.length = length;
1046 input_token.value = discard_const_p(uint8_t *, data);
1049 maj_stat = gss_get_mic(&min_stat,
1050 gensec_gssapi_state->gssapi_context,
1054 if (GSS_ERROR(maj_stat)) {
1055 DEBUG(1, ("GSS GetMic failed: %s\n",
1056 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1057 return NT_STATUS_ACCESS_DENIED;
1060 *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length);
1062 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1064 gss_release_buffer(&min_stat, &output_token);
1066 return NT_STATUS_OK;
1069 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security,
1070 TALLOC_CTX *mem_ctx,
1071 const uint8_t *data, size_t length,
1072 const uint8_t *whole_pdu, size_t pdu_length,
1073 const DATA_BLOB *sig)
1075 struct gensec_gssapi_state *gensec_gssapi_state
1076 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1077 OM_uint32 maj_stat, min_stat;
1078 gss_buffer_desc input_token;
1079 gss_buffer_desc input_message;
1080 gss_qop_t qop_state;
1082 dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1084 if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1085 input_message.length = pdu_length;
1086 input_message.value = whole_pdu;
1088 input_message.length = length;
1089 input_message.value = data;
1092 input_token.length = sig->length;
1093 input_token.value = sig->data;
1095 maj_stat = gss_verify_mic(&min_stat,
1096 gensec_gssapi_state->gssapi_context,
1100 if (GSS_ERROR(maj_stat)) {
1101 DEBUG(1, ("GSS VerifyMic failed: %s\n",
1102 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1103 return NT_STATUS_ACCESS_DENIED;
1106 return NT_STATUS_OK;
1109 /* Try to figure out what features we actually got on the connection */
1110 static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
1113 struct gensec_gssapi_state *gensec_gssapi_state
1114 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1115 if (feature & GENSEC_FEATURE_SIGN) {
1116 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1117 if (gensec_gssapi_state->sasl
1118 && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1119 return ((gensec_gssapi_state->sasl_protection & NEG_SIGN)
1120 && (gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG));
1122 return gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG;
1124 if (feature & GENSEC_FEATURE_SEAL) {
1125 /* If we are going GSSAPI SASL, then we honour the second negotiation */
1126 if (gensec_gssapi_state->sasl
1127 && gensec_gssapi_state->sasl_state == STAGE_DONE) {
1128 return ((gensec_gssapi_state->sasl_protection & NEG_SEAL)
1129 && (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG));
1131 return gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG;
1133 if (feature & GENSEC_FEATURE_SESSION_KEY) {
1134 /* Only for GSSAPI/Krb5 */
1135 if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
1139 if (feature & GENSEC_FEATURE_DCE_STYLE) {
1140 return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE;
1142 /* We can always do async (rather than strict request/reply) packets. */
1143 if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1150 * Extract the 'sesssion key' needed by SMB signing and ncacn_np
1151 * (for encrypting some passwords).
1153 * This breaks all the abstractions, but what do you expect...
1155 static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security,
1156 DATA_BLOB *session_key)
1158 struct gensec_gssapi_state *gensec_gssapi_state
1159 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1160 OM_uint32 maj_stat, min_stat;
1161 krb5_keyblock *subkey;
1163 if (gensec_gssapi_state->session_key.data) {
1164 *session_key = gensec_gssapi_state->session_key;
1165 return NT_STATUS_OK;
1168 maj_stat = gsskrb5_get_subkey(&min_stat,
1169 gensec_gssapi_state->gssapi_context,
1171 if (maj_stat != 0) {
1172 DEBUG(1, ("NO session key for this mech\n"));
1173 return NT_STATUS_NO_USER_SESSION_KEY;
1176 DEBUG(10, ("Got KRB5 session key of length %d\n",
1177 (int)KRB5_KEY_LENGTH(subkey)));
1178 gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state,
1179 KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
1180 krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
1181 *session_key = gensec_gssapi_state->session_key;
1182 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
1184 return NT_STATUS_OK;
1187 /* Get some basic (and authorization) information about the user on
1188 * this session. This uses either the PAC (if present) or a local
1189 * database lookup */
1190 static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1191 struct auth_session_info **_session_info)
1194 TALLOC_CTX *mem_ctx;
1195 struct gensec_gssapi_state *gensec_gssapi_state
1196 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1197 struct auth_serversupplied_info *server_info = NULL;
1198 struct auth_session_info *session_info = NULL;
1199 struct PAC_LOGON_INFO *logon_info;
1200 OM_uint32 maj_stat, min_stat;
1201 gss_buffer_desc name_token;
1202 gss_buffer_desc pac;
1203 krb5_keyblock *keyblock;
1205 krb5_principal principal;
1206 char *principal_string;
1209 if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
1210 || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
1211 gensec_gssapi_state->gss_oid->length) != 0)) {
1212 DEBUG(1, ("NO session info available for this mech\n"));
1213 return NT_STATUS_INVALID_PARAMETER;
1216 mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context");
1217 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
1219 maj_stat = gss_display_name (&min_stat,
1220 gensec_gssapi_state->client_name,
1223 if (GSS_ERROR(maj_stat)) {
1224 DEBUG(1, ("GSS display_name failed: %s\n",
1225 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1226 talloc_free(mem_ctx);
1227 return NT_STATUS_FOOBAR;
1230 principal_string = talloc_strndup(mem_ctx,
1231 (const char *)name_token.value,
1234 gss_release_buffer(&min_stat, &name_token);
1236 if (!principal_string) {
1237 talloc_free(mem_ctx);
1238 return NT_STATUS_NO_MEMORY;
1241 maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
1242 gensec_gssapi_state->gssapi_context,
1243 KRB5_AUTHDATA_WIN2K_PAC,
1247 if (maj_stat == 0) {
1248 pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
1249 gss_release_buffer(&min_stat, &pac);
1252 pac_blob = data_blob(NULL, 0);
1255 /* IF we have the PAC - otherwise we need to get this
1256 * data from elsewere - local ldb, or (TODO) lookup of some
1259 if (pac_blob.length) {
1260 krb5_error_code ret;
1261 union netr_Validation validation;
1263 maj_stat = gsskrb5_extract_authtime_from_sec_context(&min_stat,
1264 gensec_gssapi_state->gssapi_context,
1267 if (GSS_ERROR(maj_stat)) {
1268 DEBUG(1, ("gsskrb5_extract_authtime_from_sec_context: %s\n",
1269 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1270 talloc_free(mem_ctx);
1271 return NT_STATUS_FOOBAR;
1274 maj_stat = gsskrb5_extract_service_keyblock(&min_stat,
1275 gensec_gssapi_state->gssapi_context,
1278 if (GSS_ERROR(maj_stat)) {
1279 DEBUG(1, ("gsskrb5_copy_service_keyblock failed: %s\n",
1280 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1281 talloc_free(mem_ctx);
1282 return NT_STATUS_FOOBAR;
1285 ret = krb5_parse_name_flags(gensec_gssapi_state->smb_krb5_context->krb5_context,
1287 KRB5_PRINCIPAL_PARSE_MUST_REALM,
1290 krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
1292 talloc_free(mem_ctx);
1293 return NT_STATUS_INVALID_PARAMETER;
1296 /* decode and verify the pac */
1297 nt_status = kerberos_pac_logon_info(mem_ctx, lp_iconv_convenience(gensec_security->lp_ctx), &logon_info, pac_blob,
1298 gensec_gssapi_state->smb_krb5_context->krb5_context,
1299 NULL, keyblock, principal, authtime, NULL);
1300 krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
1301 krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context,
1304 if (!NT_STATUS_IS_OK(nt_status)) {
1305 talloc_free(mem_ctx);
1308 validation.sam3 = &logon_info->info3;
1309 nt_status = make_server_info_netlogon_validation(gensec_gssapi_state,
1313 if (!NT_STATUS_IS_OK(nt_status)) {
1314 talloc_free(mem_ctx);
1317 } else if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
1318 DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
1319 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1320 nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string,
1323 if (!NT_STATUS_IS_OK(nt_status)) {
1324 talloc_free(mem_ctx);
1328 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
1330 gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1331 return NT_STATUS_ACCESS_DENIED;
1334 /* references the server_info into the session_info */
1335 nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info);
1336 if (!NT_STATUS_IS_OK(nt_status)) {
1337 talloc_free(mem_ctx);
1341 nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
1342 if (!NT_STATUS_IS_OK(nt_status)) {
1343 talloc_free(mem_ctx);
1347 if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
1348 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1350 krb5_error_code ret;
1351 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1352 session_info->credentials = cli_credentials_init(session_info);
1353 if (!session_info->credentials) {
1354 talloc_free(mem_ctx);
1355 return NT_STATUS_NO_MEMORY;
1358 cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx);
1359 /* Just so we don't segfault trying to get at a username */
1360 cli_credentials_set_anonymous(session_info->credentials);
1362 ret = cli_credentials_set_client_gss_creds(session_info->credentials,
1363 gensec_security->event_ctx,
1364 gensec_security->lp_ctx,
1365 gensec_gssapi_state->delegated_cred_handle,
1368 talloc_free(mem_ctx);
1369 return NT_STATUS_NO_MEMORY;
1372 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1373 cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1375 /* It has been taken from this place... */
1376 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1378 talloc_steal(gensec_gssapi_state, session_info);
1379 talloc_free(mem_ctx);
1380 *_session_info = session_info;
1382 return NT_STATUS_OK;
1385 size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1387 struct gensec_gssapi_state *gensec_gssapi_state
1388 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1389 OM_uint32 maj_stat, min_stat;
1390 gss_krb5_lucid_context_v1_t *lucid = NULL;
1392 if (gensec_gssapi_state->sig_size) {
1393 return gensec_gssapi_state->sig_size;
1396 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1397 gensec_gssapi_state->sig_size = 45;
1399 gensec_gssapi_state->sig_size = 37;
1402 maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
1403 &gensec_gssapi_state->gssapi_context,
1404 1, (void **)&lucid);
1405 if (maj_stat != GSS_S_COMPLETE) {
1406 return gensec_gssapi_state->sig_size;
1409 if (lucid->version != 1) {
1410 return gensec_gssapi_state->sig_size;
1413 if (lucid->protocol == 1) {
1414 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1416 * TODO: windows uses 76 here, but we don't know
1417 * gss_wrap works with aes keys yet
1419 gensec_gssapi_state->sig_size = 76;
1421 gensec_gssapi_state->sig_size = 28;
1423 } else if (lucid->protocol == 0) {
1424 switch (lucid->rfc1964_kd.ctx_key.type) {
1426 case KEYTYPE_ARCFOUR:
1427 case KEYTYPE_ARCFOUR_56:
1428 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1429 gensec_gssapi_state->sig_size = 45;
1431 gensec_gssapi_state->sig_size = 37;
1435 if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1436 gensec_gssapi_state->sig_size = 57;
1438 gensec_gssapi_state->sig_size = 49;
1444 gss_krb5_free_lucid_sec_context(&min_stat, lucid);
1446 return gensec_gssapi_state->sig_size;
1449 static const char *gensec_gssapi_krb5_oids[] = {
1450 GENSEC_OID_KERBEROS5_OLD,
1451 GENSEC_OID_KERBEROS5,
1455 static const char *gensec_gssapi_spnego_oids[] = {
1460 /* As a server, this could in theory accept any GSSAPI mech */
1461 static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1462 .name = "gssapi_spnego",
1463 .sasl_name = "GSS-SPNEGO",
1464 .auth_type = DCERPC_AUTH_TYPE_SPNEGO,
1465 .oid = gensec_gssapi_spnego_oids,
1466 .client_start = gensec_gssapi_client_start,
1467 .server_start = gensec_gssapi_server_start,
1468 .magic = gensec_gssapi_magic,
1469 .update = gensec_gssapi_update,
1470 .session_key = gensec_gssapi_session_key,
1471 .session_info = gensec_gssapi_session_info,
1472 .sign_packet = gensec_gssapi_sign_packet,
1473 .check_packet = gensec_gssapi_check_packet,
1474 .seal_packet = gensec_gssapi_seal_packet,
1475 .unseal_packet = gensec_gssapi_unseal_packet,
1476 .wrap = gensec_gssapi_wrap,
1477 .unwrap = gensec_gssapi_unwrap,
1478 .have_feature = gensec_gssapi_have_feature,
1481 .priority = GENSEC_GSSAPI
1484 /* As a server, this could in theory accept any GSSAPI mech */
1485 static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1486 .name = "gssapi_krb5",
1487 .auth_type = DCERPC_AUTH_TYPE_KRB5,
1488 .oid = gensec_gssapi_krb5_oids,
1489 .client_start = gensec_gssapi_client_start,
1490 .server_start = gensec_gssapi_server_start,
1491 .magic = gensec_gssapi_magic,
1492 .update = gensec_gssapi_update,
1493 .session_key = gensec_gssapi_session_key,
1494 .session_info = gensec_gssapi_session_info,
1495 .sig_size = gensec_gssapi_sig_size,
1496 .sign_packet = gensec_gssapi_sign_packet,
1497 .check_packet = gensec_gssapi_check_packet,
1498 .seal_packet = gensec_gssapi_seal_packet,
1499 .unseal_packet = gensec_gssapi_unseal_packet,
1500 .wrap = gensec_gssapi_wrap,
1501 .unwrap = gensec_gssapi_unwrap,
1502 .have_feature = gensec_gssapi_have_feature,
1505 .priority = GENSEC_GSSAPI
1508 /* As a server, this could in theory accept any GSSAPI mech */
1509 static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1510 .name = "gssapi_krb5_sasl",
1511 .sasl_name = "GSSAPI",
1512 .client_start = gensec_gssapi_sasl_client_start,
1513 .server_start = gensec_gssapi_sasl_server_start,
1514 .update = gensec_gssapi_update,
1515 .session_key = gensec_gssapi_session_key,
1516 .session_info = gensec_gssapi_session_info,
1517 .max_input_size = gensec_gssapi_max_input_size,
1518 .max_wrapped_size = gensec_gssapi_max_wrapped_size,
1519 .wrap = gensec_gssapi_wrap,
1520 .unwrap = gensec_gssapi_unwrap,
1521 .have_feature = gensec_gssapi_have_feature,
1524 .priority = GENSEC_GSSAPI
1527 _PUBLIC_ NTSTATUS gensec_gssapi_init(void)
1531 ret = gensec_register(&gensec_gssapi_spnego_security_ops);
1532 if (!NT_STATUS_IS_OK(ret)) {
1533 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1534 gensec_gssapi_spnego_security_ops.name));
1538 ret = gensec_register(&gensec_gssapi_krb5_security_ops);
1539 if (!NT_STATUS_IS_OK(ret)) {
1540 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1541 gensec_gssapi_krb5_security_ops.name));
1545 ret = gensec_register(&gensec_gssapi_sasl_krb5_security_ops);
1546 if (!NT_STATUS_IS_OK(ret)) {
1547 DEBUG(0,("Failed to register '%s' gensec backend!\n",
1548 gensec_gssapi_sasl_krb5_security_ops.name));