Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.5.x/source4/auth/gensec/gensec_gssapi.c

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 50.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Kerberos backend for GENSEC
5
6	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
7	Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2005
8
9	This program is free software; you can redistribute it and/or modify
10	it under the terms of the GNU General Public License as published by
11	the Free Software Foundation; either version 3 of the License, or
12	(at your option) any later version.
13
14	This program is distributed in the hope that it will be useful,
15	but WITHOUT ANY WARRANTY; without even the implied warranty of
16	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17	GNU General Public License for more details.
18
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "lib/events/events.h"
26	#include "system/kerberos.h"
27	#include "auth/kerberos/kerberos.h"
28	#include "librpc/gen_ndr/krb5pac.h"
29	#include "auth/auth.h"
30	#include "lib/ldb/include/ldb.h"
31	#include "auth/auth_sam.h"
32	#include "librpc/rpc/dcerpc.h"
33	#include "auth/credentials/credentials.h"
34	#include "auth/credentials/credentials_krb5.h"
35	#include "auth/gensec/gensec.h"
36	#include "auth/gensec/gensec_proto.h"
37	#include "param/param.h"
38	#include "auth/session_proto.h"
39	#include <gssapi/gssapi.h>
40	#include <gssapi/gssapi_krb5.h>
41	#include <gssapi/gssapi_spnego.h>
42	#include "auth/gensec/gensec_gssapi.h"
43
44	static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
45	static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
46
47	static char gssapi_error_string(TALLOC_CTX mem_ctx,
48	OM_uint32 maj_stat, OM_uint32 min_stat,
49	const gss_OID mech)
50	{
51	OM_uint32 disp_min_stat, disp_maj_stat;
52	gss_buffer_desc maj_error_message;
53	gss_buffer_desc min_error_message;
54	char maj_error_string, min_error_string;
55	OM_uint32 msg_ctx = 0;
56
57	char *ret;
58
59	maj_error_message.value = NULL;
60	min_error_message.value = NULL;
61	maj_error_message.length = 0;
62	min_error_message.length = 0;
63
64	disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
65	mech, &msg_ctx, &maj_error_message);
66	disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
67	mech, &msg_ctx, &min_error_message);
68
69	maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
70
71	min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
72
73	ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
74
75	talloc_free(maj_error_string);
76	talloc_free(min_error_string);
77
78	gss_release_buffer(&disp_min_stat, &maj_error_message);
79	gss_release_buffer(&disp_min_stat, &min_error_message);
80
81	return ret;
82	}
83
84
85	static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
86	{
87	OM_uint32 maj_stat, min_stat;
88
89	if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
90	maj_stat = gss_release_cred(&min_stat,
91	&gensec_gssapi_state->delegated_cred_handle);
92	}
93
94	if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
95	maj_stat = gss_delete_sec_context (&min_stat,
96	&gensec_gssapi_state->gssapi_context,
97	GSS_C_NO_BUFFER);
98	}
99
100	if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
101	maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->server_name);
102	}
103	if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
104	maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
105	}
106
107	if (gensec_gssapi_state->lucid) {
108	gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
109	}
110
111	return 0;
112	}
113
114	static NTSTATUS gensec_gssapi_init_lucid(struct gensec_gssapi_state *gensec_gssapi_state)
115	{
116	OM_uint32 maj_stat, min_stat;
117
118	if (gensec_gssapi_state->lucid) {
119	return NT_STATUS_OK;
120	}
121
122	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
123	&gensec_gssapi_state->gssapi_context,
124	1,
125	(void **)&gensec_gssapi_state->lucid);
126	if (maj_stat != GSS_S_COMPLETE) {
127	DEBUG(0,("gensec_gssapi_init_lucid: %s\n",
128	gssapi_error_string(gensec_gssapi_state,
129	maj_stat, min_stat,
130	gensec_gssapi_state->gss_oid)));
131	return NT_STATUS_INTERNAL_ERROR;
132	}
133
134	if (gensec_gssapi_state->lucid->version != 1) {
135	DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n",
136	gensec_gssapi_state->lucid->version));
137	gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
138	gensec_gssapi_state->lucid = NULL;
139	return NT_STATUS_INTERNAL_ERROR;
140	}
141
142	return NT_STATUS_OK;
143	}
144
145	static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
146	{
147	struct gensec_gssapi_state *gensec_gssapi_state;
148	krb5_error_code ret;
149	struct gsskrb5_send_to_kdc send_to_kdc;
150
151	gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
152	if (!gensec_gssapi_state) {
153	return NT_STATUS_NO_MEMORY;
154	}
155
156	gensec_gssapi_state->gss_exchange_count = 0;
157	gensec_gssapi_state->max_wrap_buf_size
158	= gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
159
160	gensec_gssapi_state->sasl = false;
161	gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
162
163	gensec_security->private_data = gensec_gssapi_state;
164
165	gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
166	gensec_gssapi_state->server_name = GSS_C_NO_NAME;
167	gensec_gssapi_state->client_name = GSS_C_NO_NAME;
168	gensec_gssapi_state->lucid = NULL;
169
170	/* TODO: Fill in channel bindings */
171	gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
172
173	gensec_gssapi_state->want_flags = 0;
174	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
175	gensec_gssapi_state->want_flags \|= GSS_C_DELEG_POLICY_FLAG;
176	}
177	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
178	gensec_gssapi_state->want_flags \|= GSS_C_MUTUAL_FLAG;
179	}
180	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
181	gensec_gssapi_state->want_flags \|= GSS_C_DELEG_FLAG;
182	}
183	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
184	gensec_gssapi_state->want_flags \|= GSS_C_REPLAY_FLAG;
185	}
186	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
187	gensec_gssapi_state->want_flags \|= GSS_C_SEQUENCE_FLAG;
188	}
189
190	gensec_gssapi_state->got_flags = 0;
191
192	gensec_gssapi_state->session_key = data_blob(NULL, 0);
193	gensec_gssapi_state->pac = data_blob(NULL, 0);
194
195	gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
196	gensec_gssapi_state->sig_size = 0;
197
198	talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
199
200	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
201	gensec_gssapi_state->want_flags \|= GSS_C_INTEG_FLAG;
202	}
203	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
204	gensec_gssapi_state->want_flags \|= GSS_C_CONF_FLAG;
205	}
206	if (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) {
207	gensec_gssapi_state->want_flags \|= GSS_C_DCE_STYLE;
208	}
209
210	switch (gensec_security->ops->auth_type) {
211	case DCERPC_AUTH_TYPE_SPNEGO:
212	gensec_gssapi_state->gss_oid = gss_mech_spnego;
213	break;
214	case DCERPC_AUTH_TYPE_KRB5:
215	default:
216	gensec_gssapi_state->gss_oid = gss_mech_krb5;
217	break;
218	}
219
220	send_to_kdc.func = smb_krb5_send_and_recv_func;
221	send_to_kdc.ptr = gensec_security->event_ctx;
222
223	ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
224	if (ret) {
225	DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
226	talloc_free(gensec_gssapi_state);
227	return NT_STATUS_INTERNAL_ERROR;
228	}
229	if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) {
230	char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx));
231	if (!upper_realm) {
232	DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx)));
233	talloc_free(gensec_gssapi_state);
234	return NT_STATUS_NO_MEMORY;
235	}
236	ret = gsskrb5_set_default_realm(upper_realm);
237	talloc_free(upper_realm);
238	if (ret) {
239	DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
240	talloc_free(gensec_gssapi_state);
241	return NT_STATUS_INTERNAL_ERROR;
242	}
243	}
244
245	/* don't do DNS lookups of any kind, it might/will fail for a netbios name */
246	ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
247	if (ret) {
248	DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
249	talloc_free(gensec_gssapi_state);
250	return NT_STATUS_INTERNAL_ERROR;
251	}
252
253	ret = smb_krb5_init_context(gensec_gssapi_state,
254	gensec_security->event_ctx,
255	gensec_security->settings->lp_ctx,
256	&gensec_gssapi_state->smb_krb5_context);
257	if (ret) {
258	DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
259	error_message(ret)));
260	talloc_free(gensec_gssapi_state);
261	return NT_STATUS_INTERNAL_ERROR;
262	}
263	return NT_STATUS_OK;
264	}
265
266	static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_security)
267	{
268	NTSTATUS nt_status;
269	int ret;
270	struct gensec_gssapi_state *gensec_gssapi_state;
271	struct cli_credentials *machine_account;
272	struct gssapi_creds_container *gcc;
273
274	nt_status = gensec_gssapi_start(gensec_security);
275	if (!NT_STATUS_IS_OK(nt_status)) {
276	return nt_status;
277	}
278
279	gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
280
281	machine_account = gensec_get_credentials(gensec_security);
282
283	if (!machine_account) {
284	DEBUG(3, ("No machine account credentials specified\n"));
285	return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
286	} else {
287	ret = cli_credentials_get_server_gss_creds(machine_account,
288	gensec_security->event_ctx,
289	gensec_security->settings->lp_ctx, &gcc);
290	if (ret) {
291	DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
292	error_message(ret)));
293	return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
294	}
295	}
296
297	gensec_gssapi_state->server_cred = gcc;
298	return NT_STATUS_OK;
299
300	}
301
302	static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_security)
303	{
304	NTSTATUS nt_status;
305	struct gensec_gssapi_state *gensec_gssapi_state;
306	nt_status = gensec_gssapi_server_start(gensec_security);
307
308	if (NT_STATUS_IS_OK(nt_status)) {
309	gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
310	gensec_gssapi_state->sasl = true;
311	}
312	return nt_status;
313	}
314
315	static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_security)
316	{
317	struct gensec_gssapi_state *gensec_gssapi_state;
318	struct cli_credentials *creds = gensec_get_credentials(gensec_security);
319	krb5_error_code ret;
320	NTSTATUS nt_status;
321	gss_buffer_desc name_token;
322	gss_OID name_type;
323	OM_uint32 maj_stat, min_stat;
324	const char *hostname = gensec_get_target_hostname(gensec_security);
325	const char *principal;
326	struct gssapi_creds_container *gcc;
327
328	if (!hostname) {
329	DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
330	return NT_STATUS_INVALID_PARAMETER;
331	}
332	if (is_ipaddress(hostname)) {
333	DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
334	return NT_STATUS_INVALID_PARAMETER;
335	}
336	if (strcmp(hostname, "localhost") == 0) {
337	DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
338	return NT_STATUS_INVALID_PARAMETER;
339	}
340
341	nt_status = gensec_gssapi_start(gensec_security);
342	if (!NT_STATUS_IS_OK(nt_status)) {
343	return nt_status;
344	}
345
346	gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
347
348	principal = gensec_get_target_principal(gensec_security);
349	if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
350	name_type = GSS_C_NULL_OID;
351	} else {
352	principal = talloc_asprintf(gensec_gssapi_state, "%s@%s",
353	gensec_get_target_service(gensec_security),
354	hostname);
355
356	name_type = GSS_C_NT_HOSTBASED_SERVICE;
357	}
358	name_token.value = discard_const_p(uint8_t, principal);
359	name_token.length = strlen(principal);
360
361
362	maj_stat = gss_import_name (&min_stat,
363	&name_token,
364	name_type,
365	&gensec_gssapi_state->server_name);
366	if (maj_stat) {
367	DEBUG(2, ("GSS Import name of %s failed: %s\n",
368	(char *)name_token.value,
369	gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
370	return NT_STATUS_INVALID_PARAMETER;
371	}
372
373	ret = cli_credentials_get_client_gss_creds(creds,
374	gensec_security->event_ctx,
375	gensec_security->settings->lp_ctx, &gcc);
376	switch (ret) {
377	case 0:
378	break;
379	case KRB5KDC_ERR_PREAUTH_FAILED:
380	return NT_STATUS_LOGON_FAILURE;
381	case KRB5_KDC_UNREACH:
382	DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
383	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
384	default:
385	DEBUG(1, ("Aquiring initiator credentials failed\n"));
386	return NT_STATUS_UNSUCCESSFUL;
387	}
388
389	gensec_gssapi_state->client_cred = gcc;
390	if (!talloc_reference(gensec_gssapi_state, gcc)) {
391	return NT_STATUS_NO_MEMORY;
392	}
393
394	return NT_STATUS_OK;
395	}
396
397	static NTSTATUS gensec_gssapi_sasl_client_start(struct gensec_security *gensec_security)
398	{
399	NTSTATUS nt_status;
400	struct gensec_gssapi_state *gensec_gssapi_state;
401	nt_status = gensec_gssapi_client_start(gensec_security);
402
403	if (NT_STATUS_IS_OK(nt_status)) {
404	gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
405	gensec_gssapi_state->sasl = true;
406	}
407	return nt_status;
408	}
409
410
411	/**
412	* Check if the packet is one for this mechansim
413	*
414	* @param gensec_security GENSEC state
415	* @param in The request, as a DATA_BLOB
416	* @return Error, INVALID_PARAMETER if it's not a packet for us
417	* or NT_STATUS_OK if the packet is ok.
418	*/
419
420	static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security,
421	const DATA_BLOB *in)
422	{
423	if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
424	return NT_STATUS_OK;
425	} else {
426	return NT_STATUS_INVALID_PARAMETER;
427	}
428	}
429
430
431	/**
432	* Next state function for the GSSAPI GENSEC mechanism
433	*
434	* @param gensec_gssapi_state GSSAPI State
435	* @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
436	* @param in The request, as a DATA_BLOB
437	* @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
438	* @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
439	* or NT_STATUS_OK if the user is authenticated.
440	*/
441
442	static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
443	TALLOC_CTX *out_mem_ctx,
444	const DATA_BLOB in, DATA_BLOB *out)
445	{
446	struct gensec_gssapi_state *gensec_gssapi_state
447	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
448	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
449	OM_uint32 maj_stat, min_stat;
450	OM_uint32 min_stat2;
451	gss_buffer_desc input_token, output_token;
452	gss_OID gss_oid_p = NULL;
453	input_token.length = in.length;
454	input_token.value = in.data;
455
456	switch (gensec_gssapi_state->sasl_state) {
457	case STAGE_GSS_NEG:
458	{
459	switch (gensec_security->gensec_role) {
460	case GENSEC_CLIENT:
461	{
462	maj_stat = gss_init_sec_context(&min_stat,
463	gensec_gssapi_state->client_cred->creds,
464	&gensec_gssapi_state->gssapi_context,
465	gensec_gssapi_state->server_name,
466	gensec_gssapi_state->gss_oid,
467	gensec_gssapi_state->want_flags,
468	0,
469	gensec_gssapi_state->input_chan_bindings,
470	&input_token,
471	&gss_oid_p,
472	&output_token,
473	&gensec_gssapi_state->got_flags, /* ret flags */
474	NULL);
475	if (gss_oid_p) {
476	gensec_gssapi_state->gss_oid = gss_oid_p;
477	}
478	break;
479	}
480	case GENSEC_SERVER:
481	{
482	maj_stat = gss_accept_sec_context(&min_stat,
483	&gensec_gssapi_state->gssapi_context,
484	gensec_gssapi_state->server_cred->creds,
485	&input_token,
486	gensec_gssapi_state->input_chan_bindings,
487	&gensec_gssapi_state->client_name,
488	&gss_oid_p,
489	&output_token,
490	&gensec_gssapi_state->got_flags,
491	NULL,
492	&gensec_gssapi_state->delegated_cred_handle);
493	if (gss_oid_p) {
494	gensec_gssapi_state->gss_oid = gss_oid_p;
495	}
496	break;
497	}
498	default:
499	return NT_STATUS_INVALID_PARAMETER;
500
501	}
502
503	gensec_gssapi_state->gss_exchange_count++;
504
505	if (maj_stat == GSS_S_COMPLETE) {
506	*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
507	gss_release_buffer(&min_stat2, &output_token);
508
509	if (gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG) {
510	DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
511	} else {
512	DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
513	}
514
515	/* We may have been invoked as SASL, so there
516	* is more work to do */
517	if (gensec_gssapi_state->sasl) {
518	/* Due to a very subtle interaction
519	* with SASL and the LDAP libs, we
520	* must ensure the data pointer is
521	* != NULL, but the length is 0.
522	*
523	* This ensures we send a 'zero
524	* length' (rather than NULL) response
525	*/
526
527	if (!out->data) {
528	out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
529	}
530
531	gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
532	return NT_STATUS_MORE_PROCESSING_REQUIRED;
533	} else {
534	gensec_gssapi_state->sasl_state = STAGE_DONE;
535
536	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
537	DEBUG(5, ("GSSAPI Connection will be cryptographicly sealed\n"));
538	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
539	DEBUG(5, ("GSSAPI Connection will be cryptographicly signed\n"));
540	} else {
541	DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
542	}
543
544	return NT_STATUS_OK;
545	}
546	} else if (maj_stat == GSS_S_CONTINUE_NEEDED) {
547	*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
548	gss_release_buffer(&min_stat2, &output_token);
549
550	return NT_STATUS_MORE_PROCESSING_REQUIRED;
551	} else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
552	switch (min_stat) {
553	case KRB5_KDC_UNREACH:
554	DEBUG(3, ("Cannot reach a KDC we require: %s\n",
555	gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
556	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
557	case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
558	DEBUG(3, ("Server is not registered with our KDC: %s\n",
559	gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
560	return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
561	case KRB5KRB_AP_ERR_MSG_TYPE:
562	/* garbage input, possibly from the auto-mech detection */
563	return NT_STATUS_INVALID_PARAMETER;
564	default:
565	DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n",
566	gensec_gssapi_state->gss_exchange_count,
567	gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
568	return nt_status;
569	}
570	} else {
571	DEBUG(1, ("GSS Update(%d) failed: %s\n",
572	gensec_gssapi_state->gss_exchange_count,
573	gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
574	return nt_status;
575	}
576	break;
577	}
578
579	/* These last two stages are only done if we were invoked as SASL */
580	case STAGE_SASL_SSF_NEG:
581	{
582	switch (gensec_security->gensec_role) {
583	case GENSEC_CLIENT:
584	{
585	uint8_t maxlength_proposed[4];
586	uint8_t maxlength_accepted[4];
587	uint8_t security_supported;
588	int conf_state;
589	gss_qop_t qop_state;
590	input_token.length = in.length;
591	input_token.value = in.data;
592
593	/* As a client, we have just send a
594	* zero-length blob to the server (after the
595	* normal GSSAPI exchange), and it has replied
596	* with it's SASL negotiation */
597
598	maj_stat = gss_unwrap(&min_stat,
599	gensec_gssapi_state->gssapi_context,
600	&input_token,
601	&output_token,
602	&conf_state,
603	&qop_state);
604	if (GSS_ERROR(maj_stat)) {
605	DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
606	gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
607	return NT_STATUS_ACCESS_DENIED;
608	}
609
610	if (output_token.length < 4) {
611	return NT_STATUS_INVALID_PARAMETER;
612	}
613
614	memcpy(maxlength_proposed, output_token.value, 4);
615	gss_release_buffer(&min_stat, &output_token);
616
617	/* first byte is the proposed security */
618	security_supported = maxlength_proposed[0];
619	maxlength_proposed[0] = '\0';
620
621	/* Rest is the proposed max wrap length */
622	gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0),
623	gensec_gssapi_state->max_wrap_buf_size);
624	gensec_gssapi_state->sasl_protection = 0;
625	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
626	if (security_supported & NEG_SEAL) {
627	gensec_gssapi_state->sasl_protection \|= NEG_SEAL;
628	}
629	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
630	if (security_supported & NEG_SIGN) {
631	gensec_gssapi_state->sasl_protection \|= NEG_SIGN;
632	}
633	} else if (security_supported & NEG_NONE) {
634	gensec_gssapi_state->sasl_protection \|= NEG_NONE;
635	} else {
636	DEBUG(1, ("Remote server does not support unprotected connections"));
637	return NT_STATUS_ACCESS_DENIED;
638	}
639
640	/* Send back the negotiated max length */
641
642	RSIVAL(maxlength_accepted, 0, gensec_gssapi_state->max_wrap_buf_size);
643
644	maxlength_accepted[0] = gensec_gssapi_state->sasl_protection;
645
646	input_token.value = maxlength_accepted;
647	input_token.length = sizeof(maxlength_accepted);
648
649	maj_stat = gss_wrap(&min_stat,
650	gensec_gssapi_state->gssapi_context,
651	false,
652	GSS_C_QOP_DEFAULT,
653	&input_token,
654	&conf_state,
655	&output_token);
656	if (GSS_ERROR(maj_stat)) {
657	DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
658	gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
659	return NT_STATUS_ACCESS_DENIED;
660	}
661
662	*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
663	gss_release_buffer(&min_stat, &output_token);
664
665	/* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
666	gensec_gssapi_state->sasl_state = STAGE_DONE;
667
668	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
669	DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
670	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
671	DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
672	} else {
673	DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
674	}
675
676	return NT_STATUS_OK;
677	}
678	case GENSEC_SERVER:
679	{
680	uint8_t maxlength_proposed[4];
681	uint8_t security_supported = 0x0;
682	int conf_state;
683
684	/* As a server, we have just been sent a zero-length blob (note this, but it isn't fatal) */
685	if (in.length != 0) {
686	DEBUG(1, ("SASL/GSSAPI: client sent non-zero length starting SASL negotiation!\n"));
687	}
688
689	/* Give the client some idea what we will support */
690
691	RSIVAL(maxlength_proposed, 0, gensec_gssapi_state->max_wrap_buf_size);
692	/* first byte is the proposed security */
693	maxlength_proposed[0] = '\0';
694
695	gensec_gssapi_state->sasl_protection = 0;
696	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
697	security_supported \|= NEG_SEAL;
698	}
699	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
700	security_supported \|= NEG_SIGN;
701	}
702	if (security_supported == 0) {
703	/* If we don't support anything, this must be 0 */
704	RSIVAL(maxlength_proposed, 0, 0x0);
705	}
706
707	/* TODO: We may not wish to support this */
708	security_supported \|= NEG_NONE;
709	maxlength_proposed[0] = security_supported;
710
711	input_token.value = maxlength_proposed;
712	input_token.length = sizeof(maxlength_proposed);
713
714	maj_stat = gss_wrap(&min_stat,
715	gensec_gssapi_state->gssapi_context,
716	false,
717	GSS_C_QOP_DEFAULT,
718	&input_token,
719	&conf_state,
720	&output_token);
721	if (GSS_ERROR(maj_stat)) {
722	DEBUG(1, ("GSS Update(SSF_NEG): GSS Wrap failed: %s\n",
723	gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
724	return NT_STATUS_ACCESS_DENIED;
725	}
726
727	*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
728	gss_release_buffer(&min_stat, &output_token);
729
730	gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_ACCEPT;
731	return NT_STATUS_MORE_PROCESSING_REQUIRED;
732	}
733	default:
734	return NT_STATUS_INVALID_PARAMETER;
735
736	}
737	}
738	/* This is s server-only stage */
739	case STAGE_SASL_SSF_ACCEPT:
740	{
741	uint8_t maxlength_accepted[4];
742	uint8_t security_accepted;
743	int conf_state;
744	gss_qop_t qop_state;
745	input_token.length = in.length;
746	input_token.value = in.data;
747
748	maj_stat = gss_unwrap(&min_stat,
749	gensec_gssapi_state->gssapi_context,
750	&input_token,
751	&output_token,
752	&conf_state,
753	&qop_state);
754	if (GSS_ERROR(maj_stat)) {
755	DEBUG(1, ("gensec_gssapi_update: GSS UnWrap of SASL protection negotiation failed: %s\n",
756	gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
757	return NT_STATUS_ACCESS_DENIED;
758	}
759
760	if (output_token.length < 4) {
761	return NT_STATUS_INVALID_PARAMETER;
762	}
763
764	memcpy(maxlength_accepted, output_token.value, 4);
765	gss_release_buffer(&min_stat, &output_token);
766
767	/* first byte is the proposed security */
768	security_accepted = maxlength_accepted[0];
769	maxlength_accepted[0] = '\0';
770
771	/* Rest is the proposed max wrap length */
772	gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0),
773	gensec_gssapi_state->max_wrap_buf_size);
774
775	gensec_gssapi_state->sasl_protection = 0;
776	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
777	if (security_accepted & NEG_SEAL) {
778	gensec_gssapi_state->sasl_protection \|= NEG_SEAL;
779	}
780	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
781	if (security_accepted & NEG_SIGN) {
782	gensec_gssapi_state->sasl_protection \|= NEG_SIGN;
783	}
784	} else if (security_accepted & NEG_NONE) {
785	gensec_gssapi_state->sasl_protection \|= NEG_NONE;
786	} else {
787	DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
788	return NT_STATUS_ACCESS_DENIED;
789	}
790
791	/* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
792	gensec_gssapi_state->sasl_state = STAGE_DONE;
793	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
794	DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
795	} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
796	DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
797	} else {
798	DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
799	}
800
801	*out = data_blob(NULL, 0);
802	return NT_STATUS_OK;
803	}
804	default:
805	return NT_STATUS_INVALID_PARAMETER;
806	}
807	}
808
809	static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security,
810	TALLOC_CTX *mem_ctx,
811	const DATA_BLOB *in,
812	DATA_BLOB *out)
813	{
814	struct gensec_gssapi_state *gensec_gssapi_state
815	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
816	OM_uint32 maj_stat, min_stat;
817	gss_buffer_desc input_token, output_token;
818	int conf_state;
819	input_token.length = in->length;
820	input_token.value = in->data;
821
822	maj_stat = gss_wrap(&min_stat,
823	gensec_gssapi_state->gssapi_context,
824	gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
825	GSS_C_QOP_DEFAULT,
826	&input_token,
827	&conf_state,
828	&output_token);
829	if (GSS_ERROR(maj_stat)) {
830	DEBUG(1, ("gensec_gssapi_wrap: GSS Wrap failed: %s\n",
831	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
832	return NT_STATUS_ACCESS_DENIED;
833	}
834
835	*out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
836	gss_release_buffer(&min_stat, &output_token);
837
838	if (gensec_gssapi_state->sasl) {
839	size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
840	if (max_wrapped_size < out->length) {
841	DEBUG(1, ("gensec_gssapi_wrap: when wrapped, INPUT data (%u) is grew to be larger than SASL negotiated maximum output size (%u > %u)\n",
842	(unsigned)in->length,
843	(unsigned)out->length,
844	(unsigned int)max_wrapped_size));
845	return NT_STATUS_INVALID_PARAMETER;
846	}
847	}
848
849	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
850	&& !conf_state) {
851	return NT_STATUS_ACCESS_DENIED;
852	}
853	return NT_STATUS_OK;
854	}
855
856	static NTSTATUS gensec_gssapi_unwrap(struct gensec_security *gensec_security,
857	TALLOC_CTX *mem_ctx,
858	const DATA_BLOB *in,
859	DATA_BLOB *out)
860	{
861	struct gensec_gssapi_state *gensec_gssapi_state
862	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
863	OM_uint32 maj_stat, min_stat;
864	gss_buffer_desc input_token, output_token;
865	int conf_state;
866	gss_qop_t qop_state;
867	input_token.length = in->length;
868	input_token.value = in->data;
869
870	if (gensec_gssapi_state->sasl) {
871	size_t max_wrapped_size = gensec_gssapi_max_wrapped_size(gensec_security);
872	if (max_wrapped_size < in->length) {
873	DEBUG(1, ("gensec_gssapi_unwrap: WRAPPED data is larger than SASL negotiated maximum size\n"));
874	return NT_STATUS_INVALID_PARAMETER;
875	}
876	}
877
878	maj_stat = gss_unwrap(&min_stat,
879	gensec_gssapi_state->gssapi_context,
880	&input_token,
881	&output_token,
882	&conf_state,
883	&qop_state);
884	if (GSS_ERROR(maj_stat)) {
885	DEBUG(1, ("gensec_gssapi_unwrap: GSS UnWrap failed: %s\n",
886	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
887	return NT_STATUS_ACCESS_DENIED;
888	}
889
890	*out = data_blob_talloc(mem_ctx, output_token.value, output_token.length);
891	gss_release_buffer(&min_stat, &output_token);
892
893	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
894	&& !conf_state) {
895	return NT_STATUS_ACCESS_DENIED;
896	}
897	return NT_STATUS_OK;
898	}
899
900	/* Find out the maximum input size negotiated on this connection */
901
902	static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security)
903	{
904	struct gensec_gssapi_state *gensec_gssapi_state
905	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
906	OM_uint32 maj_stat, min_stat;
907	OM_uint32 max_input_size;
908
909	maj_stat = gss_wrap_size_limit(&min_stat,
910	gensec_gssapi_state->gssapi_context,
911	gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
912	GSS_C_QOP_DEFAULT,
913	gensec_gssapi_state->max_wrap_buf_size,
914	&max_input_size);
915	if (GSS_ERROR(maj_stat)) {
916	TALLOC_CTX *mem_ctx = talloc_new(NULL);
917	DEBUG(1, ("gensec_gssapi_max_input_size: determinaing signature size with gss_wrap_size_limit failed: %s\n",
918	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
919	talloc_free(mem_ctx);
920	return 0;
921	}
922
923	return max_input_size;
924	}
925
926	/* Find out the maximum output size negotiated on this connection */
927	static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security)
928	{
929	struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);;
930	return gensec_gssapi_state->max_wrap_buf_size;
931	}
932
933	static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_security,
934	TALLOC_CTX *mem_ctx,
935	uint8_t *data, size_t length,
936	const uint8_t *whole_pdu, size_t pdu_length,
937	DATA_BLOB *sig)
938	{
939	struct gensec_gssapi_state *gensec_gssapi_state
940	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
941	OM_uint32 maj_stat, min_stat;
942	gss_buffer_desc input_token, output_token;
943	int conf_state;
944	ssize_t sig_length;
945
946	input_token.length = length;
947	input_token.value = data;
948
949	maj_stat = gss_wrap(&min_stat,
950	gensec_gssapi_state->gssapi_context,
951	gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
952	GSS_C_QOP_DEFAULT,
953	&input_token,
954	&conf_state,
955	&output_token);
956	if (GSS_ERROR(maj_stat)) {
957	DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n",
958	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
959	return NT_STATUS_ACCESS_DENIED;
960	}
961
962	if (output_token.length < input_token.length) {
963	DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] less than caller length [%ld]\n",
964	(long)output_token.length, (long)length));
965	return NT_STATUS_INTERNAL_ERROR;
966	}
967	sig_length = output_token.length - input_token.length;
968
969	memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
970	sig = data_blob_talloc(mem_ctx, (uint8_t )output_token.value, sig_length);
971
972	dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
973	dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
974	dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
975
976	gss_release_buffer(&min_stat, &output_token);
977
978	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
979	&& !conf_state) {
980	return NT_STATUS_ACCESS_DENIED;
981	}
982	return NT_STATUS_OK;
983	}
984
985	static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security,
986	TALLOC_CTX *mem_ctx,
987	uint8_t *data, size_t length,
988	const uint8_t *whole_pdu, size_t pdu_length,
989	const DATA_BLOB *sig)
990	{
991	struct gensec_gssapi_state *gensec_gssapi_state
992	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
993	OM_uint32 maj_stat, min_stat;
994	gss_buffer_desc input_token, output_token;
995	int conf_state;
996	gss_qop_t qop_state;
997	DATA_BLOB in;
998
999	dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
1000
1001	in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
1002
1003	memcpy(in.data, sig->data, sig->length);
1004	memcpy(in.data + sig->length, data, length);
1005
1006	input_token.length = in.length;
1007	input_token.value = in.data;
1008
1009	maj_stat = gss_unwrap(&min_stat,
1010	gensec_gssapi_state->gssapi_context,
1011	&input_token,
1012	&output_token,
1013	&conf_state,
1014	&qop_state);
1015	if (GSS_ERROR(maj_stat)) {
1016	DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n",
1017	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1018	return NT_STATUS_ACCESS_DENIED;
1019	}
1020
1021	if (output_token.length != length) {
1022	return NT_STATUS_INTERNAL_ERROR;
1023	}
1024
1025	memcpy(data, output_token.value, length);
1026
1027	gss_release_buffer(&min_stat, &output_token);
1028
1029	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
1030	&& !conf_state) {
1031	return NT_STATUS_ACCESS_DENIED;
1032	}
1033	return NT_STATUS_OK;
1034	}
1035
1036	static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_security,
1037	TALLOC_CTX *mem_ctx,
1038	const uint8_t *data, size_t length,
1039	const uint8_t *whole_pdu, size_t pdu_length,
1040	DATA_BLOB *sig)
1041	{
1042	struct gensec_gssapi_state *gensec_gssapi_state
1043	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1044	OM_uint32 maj_stat, min_stat;
1045	gss_buffer_desc input_token, output_token;
1046
1047	if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1048	input_token.length = pdu_length;
1049	input_token.value = discard_const_p(uint8_t *, whole_pdu);
1050	} else {
1051	input_token.length = length;
1052	input_token.value = discard_const_p(uint8_t *, data);
1053	}
1054
1055	maj_stat = gss_get_mic(&min_stat,
1056	gensec_gssapi_state->gssapi_context,
1057	GSS_C_QOP_DEFAULT,
1058	&input_token,
1059	&output_token);
1060	if (GSS_ERROR(maj_stat)) {
1061	DEBUG(1, ("GSS GetMic failed: %s\n",
1062	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1063	return NT_STATUS_ACCESS_DENIED;
1064	}
1065
1066	sig = data_blob_talloc(mem_ctx, (uint8_t )output_token.value, output_token.length);
1067
1068	dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1069
1070	gss_release_buffer(&min_stat, &output_token);
1071
1072	return NT_STATUS_OK;
1073	}
1074
1075	static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security,
1076	TALLOC_CTX *mem_ctx,
1077	const uint8_t *data, size_t length,
1078	const uint8_t *whole_pdu, size_t pdu_length,
1079	const DATA_BLOB *sig)
1080	{
1081	struct gensec_gssapi_state *gensec_gssapi_state
1082	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1083	OM_uint32 maj_stat, min_stat;
1084	gss_buffer_desc input_token;
1085	gss_buffer_desc input_message;
1086	gss_qop_t qop_state;
1087
1088	dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
1089
1090	if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
1091	input_message.length = pdu_length;
1092	input_message.value = discard_const(whole_pdu);
1093	} else {
1094	input_message.length = length;
1095	input_message.value = discard_const(data);
1096	}
1097
1098	input_token.length = sig->length;
1099	input_token.value = sig->data;
1100
1101	maj_stat = gss_verify_mic(&min_stat,
1102	gensec_gssapi_state->gssapi_context,
1103	&input_message,
1104	&input_token,
1105	&qop_state);
1106	if (GSS_ERROR(maj_stat)) {
1107	DEBUG(1, ("GSS VerifyMic failed: %s\n",
1108	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1109	return NT_STATUS_ACCESS_DENIED;
1110	}
1111
1112	return NT_STATUS_OK;
1113	}
1114
1115	/* Try to figure out what features we actually got on the connection */
1116	static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
1117	uint32_t feature)
1118	{
1119	struct gensec_gssapi_state *gensec_gssapi_state
1120	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1121	if (feature & GENSEC_FEATURE_SIGN) {
1122	/* If we are going GSSAPI SASL, then we honour the second negotiation */
1123	if (gensec_gssapi_state->sasl
1124	&& gensec_gssapi_state->sasl_state == STAGE_DONE) {
1125	return ((gensec_gssapi_state->sasl_protection & NEG_SIGN)
1126	&& (gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG));
1127	}
1128	return gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG;
1129	}
1130	if (feature & GENSEC_FEATURE_SEAL) {
1131	/* If we are going GSSAPI SASL, then we honour the second negotiation */
1132	if (gensec_gssapi_state->sasl
1133	&& gensec_gssapi_state->sasl_state == STAGE_DONE) {
1134	return ((gensec_gssapi_state->sasl_protection & NEG_SEAL)
1135	&& (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG));
1136	}
1137	return gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG;
1138	}
1139	if (feature & GENSEC_FEATURE_SESSION_KEY) {
1140	/* Only for GSSAPI/Krb5 */
1141	if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
1142	return true;
1143	}
1144	}
1145	if (feature & GENSEC_FEATURE_DCE_STYLE) {
1146	return gensec_gssapi_state->got_flags & GSS_C_DCE_STYLE;
1147	}
1148	if (feature & GENSEC_FEATURE_NEW_SPNEGO) {
1149	NTSTATUS status;
1150
1151	if (!(gensec_gssapi_state->got_flags & GSS_C_INTEG_FLAG)) {
1152	return false;
1153	}
1154
1155	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
1156	return true;
1157	}
1158	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
1159	return false;
1160	}
1161
1162	status = gensec_gssapi_init_lucid(gensec_gssapi_state);
1163	if (!NT_STATUS_IS_OK(status)) {
1164	return false;
1165	}
1166
1167	if (gensec_gssapi_state->lucid->protocol == 1) {
1168	return true;
1169	}
1170
1171	return false;
1172	}
1173	/* We can always do async (rather than strict request/reply) packets. */
1174	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
1175	return true;
1176	}
1177	return false;
1178	}
1179
1180	/*
1181	* Extract the 'sesssion key' needed by SMB signing and ncacn_np
1182	* (for encrypting some passwords).
1183	*
1184	* This breaks all the abstractions, but what do you expect...
1185	*/
1186	static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security,
1187	DATA_BLOB *session_key)
1188	{
1189	struct gensec_gssapi_state *gensec_gssapi_state
1190	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1191	OM_uint32 maj_stat, min_stat;
1192	krb5_keyblock *subkey;
1193
1194	if (gensec_gssapi_state->sasl_state != STAGE_DONE) {
1195	return NT_STATUS_NO_USER_SESSION_KEY;
1196	}
1197
1198	if (gensec_gssapi_state->session_key.data) {
1199	*session_key = gensec_gssapi_state->session_key;
1200	return NT_STATUS_OK;
1201	}
1202
1203	maj_stat = gsskrb5_get_subkey(&min_stat,
1204	gensec_gssapi_state->gssapi_context,
1205	&subkey);
1206	if (maj_stat != 0) {
1207	DEBUG(1, ("NO session key for this mech\n"));
1208	return NT_STATUS_NO_USER_SESSION_KEY;
1209	}
1210
1211	DEBUG(10, ("Got KRB5 session key of length %d%s\n",
1212	(int)KRB5_KEY_LENGTH(subkey),
1213	(gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":""));
1214	*session_key = data_blob_talloc(gensec_gssapi_state,
1215	KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
1216	krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
1217	gensec_gssapi_state->session_key = *session_key;
1218	dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
1219
1220	return NT_STATUS_OK;
1221	}
1222
1223	/* Get some basic (and authorization) information about the user on
1224	* this session. This uses either the PAC (if present) or a local
1225	* database lookup */
1226	static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
1227	struct auth_session_info **_session_info)
1228	{
1229	NTSTATUS nt_status;
1230	TALLOC_CTX *mem_ctx;
1231	struct gensec_gssapi_state *gensec_gssapi_state
1232	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1233	struct auth_serversupplied_info *server_info = NULL;
1234	struct auth_session_info *session_info = NULL;
1235	OM_uint32 maj_stat, min_stat;
1236	gss_buffer_desc pac;
1237	DATA_BLOB pac_blob;
1238
1239	if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
1240	\|\| (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
1241	gensec_gssapi_state->gss_oid->length) != 0)) {
1242	DEBUG(1, ("NO session info available for this mech\n"));
1243	return NT_STATUS_INVALID_PARAMETER;
1244	}
1245
1246	mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context");
1247	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
1248
1249	maj_stat = gsskrb5_extract_authz_data_from_sec_context(&min_stat,
1250	gensec_gssapi_state->gssapi_context,
1251	KRB5_AUTHDATA_WIN2K_PAC,
1252	&pac);
1253
1254
1255	if (maj_stat == 0) {
1256	pac_blob = data_blob_talloc(mem_ctx, pac.value, pac.length);
1257	gss_release_buffer(&min_stat, &pac);
1258
1259	} else {
1260	pac_blob = data_blob(NULL, 0);
1261	}
1262
1263	/* IF we have the PAC - otherwise we need to get this
1264	* data from elsewere - local ldb, or (TODO) lookup of some
1265	* kind...
1266	*/
1267	if (pac_blob.length) {
1268	nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
1269	gensec_security->settings->iconv_convenience,
1270	pac_blob,
1271	gensec_gssapi_state->smb_krb5_context->krb5_context,
1272	&server_info);
1273	if (!NT_STATUS_IS_OK(nt_status)) {
1274	talloc_free(mem_ctx);
1275	return nt_status;
1276	}
1277	} else {
1278	gss_buffer_desc name_token;
1279	char *principal_string;
1280
1281	maj_stat = gss_display_name (&min_stat,
1282	gensec_gssapi_state->client_name,
1283	&name_token,
1284	NULL);
1285	if (GSS_ERROR(maj_stat)) {
1286	DEBUG(1, ("GSS display_name failed: %s\n",
1287	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1288	talloc_free(mem_ctx);
1289	return NT_STATUS_FOOBAR;
1290	}
1291
1292	principal_string = talloc_strndup(mem_ctx,
1293	(const char *)name_token.value,
1294	name_token.length);
1295
1296	gss_release_buffer(&min_stat, &name_token);
1297
1298	if (!principal_string) {
1299	talloc_free(mem_ctx);
1300	return NT_STATUS_NO_MEMORY;
1301	}
1302
1303	if (gensec_security->auth_context &&
1304	!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
1305	DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
1306	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1307	nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
1308	gensec_security->auth_context,
1309	principal_string,
1310	&server_info);
1311
1312	if (!NT_STATUS_IS_OK(nt_status)) {
1313	talloc_free(mem_ctx);
1314	return nt_status;
1315	}
1316	} else {
1317	DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
1318	principal_string,
1319	gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
1320	return NT_STATUS_ACCESS_DENIED;
1321	}
1322	}
1323
1324	/* references the server_info into the session_info */
1325	nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx,
1326	gensec_security->settings->lp_ctx, server_info, &session_info);
1327	if (!NT_STATUS_IS_OK(nt_status)) {
1328	talloc_free(mem_ctx);
1329	return nt_status;
1330	}
1331
1332	nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
1333	if (!NT_STATUS_IS_OK(nt_status)) {
1334	talloc_free(mem_ctx);
1335	return nt_status;
1336	}
1337
1338	if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
1339	DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
1340	} else {
1341	krb5_error_code ret;
1342	DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
1343	session_info->credentials = cli_credentials_init(session_info);
1344	if (!session_info->credentials) {
1345	talloc_free(mem_ctx);
1346	return NT_STATUS_NO_MEMORY;
1347	}
1348
1349	cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
1350	/* Just so we don't segfault trying to get at a username */
1351	cli_credentials_set_anonymous(session_info->credentials);
1352
1353	ret = cli_credentials_set_client_gss_creds(session_info->credentials,
1354	gensec_security->event_ctx,
1355	gensec_security->settings->lp_ctx,
1356	gensec_gssapi_state->delegated_cred_handle,
1357	CRED_SPECIFIED);
1358	if (ret) {
1359	talloc_free(mem_ctx);
1360	return NT_STATUS_NO_MEMORY;
1361	}
1362
1363	/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
1364	cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
1365
1366	/* It has been taken from this place... */
1367	gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
1368	}
1369	talloc_steal(gensec_gssapi_state, session_info);
1370	talloc_free(mem_ctx);
1371	*_session_info = session_info;
1372
1373	return NT_STATUS_OK;
1374	}
1375
1376	static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size)
1377	{
1378	struct gensec_gssapi_state *gensec_gssapi_state
1379	= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
1380	NTSTATUS status;
1381
1382	if (gensec_gssapi_state->sig_size) {
1383	return gensec_gssapi_state->sig_size;
1384	}
1385
1386	if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1387	gensec_gssapi_state->sig_size = 45;
1388	} else {
1389	gensec_gssapi_state->sig_size = 37;
1390	}
1391
1392	status = gensec_gssapi_init_lucid(gensec_gssapi_state);
1393	if (!NT_STATUS_IS_OK(status)) {
1394	return gensec_gssapi_state->sig_size;
1395	}
1396
1397	if (gensec_gssapi_state->lucid->protocol == 1) {
1398	if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1399	/*
1400	* TODO: windows uses 76 here, but we don't know
1401	* gss_wrap works with aes keys yet
1402	*/
1403	gensec_gssapi_state->sig_size = 76;
1404	} else {
1405	gensec_gssapi_state->sig_size = 28;
1406	}
1407	} else if (gensec_gssapi_state->lucid->protocol == 0) {
1408	switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
1409	case KEYTYPE_DES:
1410	case KEYTYPE_ARCFOUR:
1411	case KEYTYPE_ARCFOUR_56:
1412	if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1413	gensec_gssapi_state->sig_size = 45;
1414	} else {
1415	gensec_gssapi_state->sig_size = 37;
1416	}
1417	break;
1418	case KEYTYPE_DES3:
1419	if (gensec_gssapi_state->got_flags & GSS_C_CONF_FLAG) {
1420	gensec_gssapi_state->sig_size = 57;
1421	} else {
1422	gensec_gssapi_state->sig_size = 49;
1423	}
1424	break;
1425	}
1426	}
1427
1428	return gensec_gssapi_state->sig_size;
1429	}
1430
1431	static const char *gensec_gssapi_krb5_oids[] = {
1432	GENSEC_OID_KERBEROS5_OLD,
1433	GENSEC_OID_KERBEROS5,
1434	NULL
1435	};
1436
1437	static const char *gensec_gssapi_spnego_oids[] = {
1438	GENSEC_OID_SPNEGO,
1439	NULL
1440	};
1441
1442	/* As a server, this could in theory accept any GSSAPI mech */
1443	static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
1444	.name = "gssapi_spnego",
1445	.sasl_name = "GSS-SPNEGO",
1446	.auth_type = DCERPC_AUTH_TYPE_SPNEGO,
1447	.oid = gensec_gssapi_spnego_oids,
1448	.client_start = gensec_gssapi_client_start,
1449	.server_start = gensec_gssapi_server_start,
1450	.magic = gensec_gssapi_magic,
1451	.update = gensec_gssapi_update,
1452	.session_key = gensec_gssapi_session_key,
1453	.session_info = gensec_gssapi_session_info,
1454	.sign_packet = gensec_gssapi_sign_packet,
1455	.check_packet = gensec_gssapi_check_packet,
1456	.seal_packet = gensec_gssapi_seal_packet,
1457	.unseal_packet = gensec_gssapi_unseal_packet,
1458	.wrap = gensec_gssapi_wrap,
1459	.unwrap = gensec_gssapi_unwrap,
1460	.have_feature = gensec_gssapi_have_feature,
1461	.enabled = false,
1462	.kerberos = true,
1463	.priority = GENSEC_GSSAPI
1464	};
1465
1466	/* As a server, this could in theory accept any GSSAPI mech */
1467	static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
1468	.name = "gssapi_krb5",
1469	.auth_type = DCERPC_AUTH_TYPE_KRB5,
1470	.oid = gensec_gssapi_krb5_oids,
1471	.client_start = gensec_gssapi_client_start,
1472	.server_start = gensec_gssapi_server_start,
1473	.magic = gensec_gssapi_magic,
1474	.update = gensec_gssapi_update,
1475	.session_key = gensec_gssapi_session_key,
1476	.session_info = gensec_gssapi_session_info,
1477	.sig_size = gensec_gssapi_sig_size,
1478	.sign_packet = gensec_gssapi_sign_packet,
1479	.check_packet = gensec_gssapi_check_packet,
1480	.seal_packet = gensec_gssapi_seal_packet,
1481	.unseal_packet = gensec_gssapi_unseal_packet,
1482	.wrap = gensec_gssapi_wrap,
1483	.unwrap = gensec_gssapi_unwrap,
1484	.have_feature = gensec_gssapi_have_feature,
1485	.enabled = true,
1486	.kerberos = true,
1487	.priority = GENSEC_GSSAPI
1488	};
1489
1490	/* As a server, this could in theory accept any GSSAPI mech */
1491	static const struct gensec_security_ops gensec_gssapi_sasl_krb5_security_ops = {
1492	.name = "gssapi_krb5_sasl",
1493	.sasl_name = "GSSAPI",
1494	.client_start = gensec_gssapi_sasl_client_start,
1495	.server_start = gensec_gssapi_sasl_server_start,
1496	.update = gensec_gssapi_update,
1497	.session_key = gensec_gssapi_session_key,
1498	.session_info = gensec_gssapi_session_info,
1499	.max_input_size = gensec_gssapi_max_input_size,
1500	.max_wrapped_size = gensec_gssapi_max_wrapped_size,
1501	.wrap = gensec_gssapi_wrap,
1502	.unwrap = gensec_gssapi_unwrap,
1503	.have_feature = gensec_gssapi_have_feature,
1504	.enabled = true,
1505	.kerberos = true,
1506	.priority = GENSEC_GSSAPI
1507	};
1508
1509	_PUBLIC_ NTSTATUS gensec_gssapi_init(void)
1510	{
1511	NTSTATUS ret;
1512
1513	ret = gensec_register(&gensec_gssapi_spnego_security_ops);
1514	if (!NT_STATUS_IS_OK(ret)) {
1515	DEBUG(0,("Failed to register '%s' gensec backend!\n",
1516	gensec_gssapi_spnego_security_ops.name));
1517	return ret;
1518	}
1519
1520	ret = gensec_register(&gensec_gssapi_krb5_security_ops);
1521	if (!NT_STATUS_IS_OK(ret)) {
1522	DEBUG(0,("Failed to register '%s' gensec backend!\n",
1523	gensec_gssapi_krb5_security_ops.name));
1524	return ret;
1525	}
1526
1527	ret = gensec_register(&gensec_gssapi_sasl_krb5_security_ops);
1528	if (!NT_STATUS_IS_OK(ret)) {
1529	DEBUG(0,("Failed to register '%s' gensec backend!\n",
1530	gensec_gssapi_sasl_krb5_security_ops.name));
1531	return ret;
1532	}
1533
1534	return ret;
1535	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: