Context Navigation

← Previous Change
Next Change →

Changeset 740 for vendor/current/source4/auth/gensec

Timestamp:

Nov 14, 2012, 12:59:34 PM (13 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to 3.6.0

Location:

vendor/current/source4/auth/gensec

Files:

: 3 added
: 4 deleted
: 11 edited

config.m4 (deleted)
config.mk (deleted)
cyrus_sasl.c (modified) (8 diffs)
gensec.c (modified) (17 diffs)
gensec.h (modified) (8 diffs)
gensec.pc.in (modified) (1 diff)
gensec_gssapi.c (modified) (29 diffs)
gensec_gssapi.h (modified) (1 diff)
gensec_krb5.c (modified) (21 diffs)
gensec_tstream.c (added)
gensec_tstream.h (added)
pygensec.c (modified) (11 diffs)
schannel.c (modified) (9 diffs)
schannel_state.c (deleted)
socket.c (modified) (1 diff)
spnego.c (modified) (8 diffs)
tests/bindings.py (deleted)
wscript_build (added)

Legend:

: Unmodified
: Added
: Removed

vendor/current/source4/auth/gensec/cyrus_sasl.c

-              r414
+              r740
 #include "includes.h"
 #include "auth/auth.h"
+#include "lib/tsocket/tsocket.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
-#include "lib/socket/socket.h"
 #include <sasl/sasl.h>
 …
         sasl_conn_t *conn;
         int step;
+        bool wrap;
 };
 …
         const char *service = gensec_get_target_service(gensec_security);
         const char *target_name = gensec_get_target_hostname(gensec_security);
         struct socket_address *local_socket_addr = gensec_get_my_addr(gensec_security);
         struct socket_address *remote_socket_addr = gensec_get_peer_addr(gensec_security);
+        const struct tsocket_address *tlocal_addr = gensec_get_local_address(gensec_security);
+        const struct tsocket_address *tremote_addr = gensec_get_remote_address(gensec_security);
         char *local_addr = NULL;
         char *remote_addr = NULL;
 …
         sasl_callback_t *callbacks;
         gensec_sasl_state = talloc(gensec_security, struct gensec_sasl_state);
+        gensec_sasl_state = talloc_zero(gensec_security, struct gensec_sasl_state);
         if (!gensec_sasl_state) {
                 return NT_STATUS_NO_MEMORY;
 …
         gensec_security->private_data = gensec_sasl_state;
         if (local_socket_addr) {
                 local_addr = talloc_asprintf(gensec_sasl_state,
                                              "%s;%d",
                                              local_socket_addr->addr,
                                              local_socket_addr->port);
+        }
         if (remote_socket_addr) {
                 remote_addr = talloc_asprintf(gensec_sasl_state,
                                              "%s;%d",
                                              remote_socket_addr->addr,
                                              remote_socket_addr->port);
+        if (tlocal_addr) {
+                local_addr = talloc_asprintf(gensec_sasl_state,
+                                "%s;%d",
+                                tsocket_address_inet_addr_string(tlocal_addr, gensec_sasl_state),
+                                tsocket_address_inet_port(tlocal_addr));
+        }
+        if (tremote_addr) {
+                remote_addr = talloc_asprintf(gensec_sasl_state,
+                                "%s;%d",
+                                tsocket_address_inet_addr_string(tremote_addr, gensec_sasl_state),
+                                tsocket_address_inet_port(tremote_addr));
+        }
         gensec_sasl_state->step = 0;
 …
                                    &gensec_sasl_state->conn);
         if (sasl_ret == SASL_OK || sasl_ret == SASL_CONTINUE) {
+        if (sasl_ret == SASL_OK) {
                 sasl_security_properties_t props;
                 talloc_set_destructor(gensec_sasl_state, gensec_sasl_dispose);
                 ZERO_STRUCT(props);
                 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
                         props.min_ssf = 1;
+                        props.max_ssf = 1;
+                        props.maxbufsize = 65536;
+                        gensec_sasl_state->wrap = true;
+                }
                 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
                         props.min_ssf = 40;
+                }
+                props.max_ssf = UINT_MAX;
+                props.maxbufsize = 65536;
+                        props.max_ssf = UINT_MAX;
+                        props.maxbufsize = 65536;
+                        gensec_sasl_state->wrap = true;
+                }
                 sasl_ret = sasl_setprop(gensec_sasl_state->conn, SASL_SEC_PROPS, &props);
+                if (sasl_ret != SASL_OK) {
+                        return sasl_nt_status(sasl_ret);
+                }
+        } else {
+        }
+        if (sasl_ret != SASL_OK) {
                 DEBUG(1, ("GENSEC SASL: client_new failed: %s\n", sasl_errdetail(gensec_sasl_state->conn)));
+        }
 …
         const char *out_data;
         unsigned int out_len;
+        int sasl_ret = sasl_encode(gensec_sasl_state->conn,
+                                   (char*)in->data, in->length, &out_data,
+                                   &out_len);
+        unsigned len_permitted;
+        int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
+                        (const void**)&len_permitted);
+        if (sasl_ret != SASL_OK) {
+                return sasl_nt_status(sasl_ret);
+        }
+        len_permitted = MIN(len_permitted, in->length);
+        sasl_ret = sasl_encode(gensec_sasl_state->conn,
+                               (char*)in->data, len_permitted, &out_data,
+                               &out_len);
         if (sasl_ret == SASL_OK) {
                 *out = data_blob_talloc(out_mem_ctx, out_data, out_len);
 …
                                                                       struct gensec_sasl_state);
         sasl_ssf_t ssf;
+        int sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
+        int sasl_ret;
+        /* If we did not elect to wrap, then we have neither sign nor seal, no matter what the SSF claims */
+        if (!gensec_sasl_state->wrap) {
+                return false;
+        }
+        sasl_ret = sasl_getprop(gensec_sasl_state->conn, SASL_SSF,
                         (const void**)&ssf);
         if (sasl_ret != SASL_OK) {

vendor/current/source4/auth/gensec/gensec.c

-              r414
+              r740
 #include "includes.h"
 #include "auth/auth.h"
+#include "system/network.h"
 #include "lib/events/events.h"
+#include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
+#include "../lib/util/tevent_ntstatus.h"
 #include "librpc/rpc/dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_proto.h"
+#include "auth/auth.h"
+#include "auth/system_session_proto.h"
 #include "param/param.h"
+#include "lib/util/tsort.h"
 /* the list of currently registered GENSEC backends */
 …
 bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
+{
         return lp_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+        return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+}
 …
   @param gensec_security Returned GENSEC context pointer.
   @note  The mem_ctx is only a parent and may be NULL.
   @note, the auth context is moved to be a child of the
+  @note, the auth context is moved to be a referenced pointer of the
   @ gensec_security return
 */
 …
+        }
         (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+        (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
-        (*gensec_security)->ops = NULL;
-        (*gensec_security)->private_data = NULL;
-        ZERO_STRUCT((*gensec_security)->target);
-        ZERO_STRUCT((*gensec_security)->peer_addr);
-        ZERO_STRUCT((*gensec_security)->my_addr);
-        (*gensec_security)->subcontext = false;
-        (*gensec_security)->want_features = 0;
         (*gensec_security)->event_ctx = ev;
         SMB_ASSERT(settings->lp_ctx != NULL);
         (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
+        (*gensec_security)->auth_context = talloc_steal(*gensec_security, auth_context);
+        /* We need to reference this, not steal, as the caller may be
+         * python, which won't like it if we steal it's object away
+         * from it */
+        (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
         return NT_STATUS_OK;
 …
                                  struct gensec_security **gensec_security)
+{
         (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+        (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
         NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
 …
         return status;
+}
 /**
 …
         return oid_string;
+}
+/**
+ * Start a GENSEC sub-mechanism with a specifed mechansim structure, used in SPNEGO
+/**
+ * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
+ *
  */
 …
+}
+static void gensec_update_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te,
+                                              struct timeval t, void *ptr)
+{
+        struct gensec_update_request *req = talloc_get_type(ptr, struct gensec_update_request);
+        req->status = req->gensec_security->ops->update(req->gensec_security, req, req->in, &req->out);
+        req->callback.fn(req, req->callback.private_data);
+}
+struct gensec_update_state {
+        struct tevent_immediate *im;
+        struct gensec_security *gensec_security;
+        DATA_BLOB in;
+        DATA_BLOB out;
+};
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+                                        struct tevent_immediate *im,
+                                        void *private_data);
 /**
  * Next state function for the GENSEC state machine async version
+ *
+ *
+ * @param mem_ctx The memory context for the request
+ * @param ev The event context for the request
  * @param gensec_security GENSEC State
  * @param in The request, as a DATA_BLOB
+ * @param callback The function that will be called when the operation is
+ *                 finished, it should return gensec_update_recv() to get output
+ * @param private_data A private pointer that will be passed to the callback function
+ */
+_PUBLIC_ void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
+                                 void (*callback)(struct gensec_update_request *req, void *private_data),
+                                 void *private_data)
+{
+        struct gensec_update_request *req = NULL;
+        struct tevent_timer *te = NULL;
+        req = talloc(gensec_security, struct gensec_update_request);
+        if (!req) goto failed;
+        req->gensec_security            = gensec_security;
+        req->in                         = in;
+        req->out                        = data_blob(NULL, 0);
+        req->callback.fn                = callback;
+        req->callback.private_data      = private_data;
+        te = event_add_timed(gensec_security->event_ctx, req,
+                             timeval_zero(),
+                             gensec_update_async_timed_handler, req);
+        if (!te) goto failed;
+        return;
+failed:
+        talloc_free(req);
+        callback(NULL, private_data);
+ *
+ * @return The request handle or NULL on no memory failure
+ */
+_PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+                                               struct tevent_context *ev,
+                                               struct gensec_security *gensec_security,
+                                               const DATA_BLOB in)
+{
+        struct tevent_req *req;
+        struct gensec_update_state *state = NULL;
+        req = tevent_req_create(mem_ctx, &state,
+                                struct gensec_update_state);
+        if (req == NULL) {
+                return NULL;
+        }
+        state->gensec_security          = gensec_security;
+        state->in                       = in;
+        state->out                      = data_blob(NULL, 0);
+        state->im                       = tevent_create_immediate(state);
+        if (tevent_req_nomem(state->im, req)) {
+                return tevent_req_post(req, ev);
+        }
+        tevent_schedule_immediate(state->im, ev,
+                                  gensec_update_async_trigger,
+                                  req);
+        return req;
+}
+static void gensec_update_async_trigger(struct tevent_context *ctx,
+                                        struct tevent_immediate *im,
+                                        void *private_data)
+{
+        struct tevent_req *req =
+                talloc_get_type_abort(private_data, struct tevent_req);
+        struct gensec_update_state *state =
+                tevent_req_data(req, struct gensec_update_state);
+        NTSTATUS status;
+        status = gensec_update(state->gensec_security, state,
+                               state->in, &state->out);
+        if (tevent_req_nterror(req, status)) {
+                return;
+        }
+        tevent_req_done(req);
+}
 …
  * Next state function for the GENSEC state machine
+ *
  * @param req GENSEC update request state
+ * @param req request state
  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
 …
  *                or NT_STATUS_OK if the user is authenticated.
  */
+_PUBLIC_ NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out)
+{
+_PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
+                                     TALLOC_CTX *out_mem_ctx,
+                                     DATA_BLOB *out)
+{
+        struct gensec_update_state *state =
+                tevent_req_data(req, struct gensec_update_state);
         NTSTATUS status;
+        NT_STATUS_HAVE_NO_MEMORY(req);
+        *out = req->out;
+        if (tevent_req_is_nterror(req, &status)) {
+                if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+                        tevent_req_received(req);
+                        return status;
+                }
+        } else {
+                status = NT_STATUS_OK;
+        }
+        *out = state->out;
         talloc_steal(out_mem_ctx, out->data);
+        status = req->status;
+        talloc_free(req);
+        tevent_req_received(req);
         return status;
+}
 …
+}
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket context on the GENSEC context
+/**
+ * Set (and talloc_reference) local and peer socket addresses onto a socket
+ * context on the GENSEC context.
+ *
  * This is so that kerberos can include these addresses in
 …
  */
+_PUBLIC_ NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr)
+{
+        gensec_security->my_addr = my_addr;
+        if (my_addr && !talloc_reference(gensec_security, my_addr)) {
+/**
+ * @brief Set the local gensec address.
+ *
+ * @param  gensec_security   The gensec security context to use.
+ *
+ * @param  remote       The local address to set.
+ *
+ * @return              On success NT_STATUS_OK is returned or an NT_STATUS
+ *                      error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+                const struct tsocket_address *local)
+{
+        TALLOC_FREE(gensec_security->local_addr);
+        if (local == NULL) {
+                return NT_STATUS_OK;
+        }
+        gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
+        if (gensec_security->local_addr == NULL) {
                 return NT_STATUS_NO_MEMORY;
+        }
         return NT_STATUS_OK;
+}
+_PUBLIC_ NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr)
+{
+        gensec_security->peer_addr = peer_addr;
+        if (peer_addr && !talloc_reference(gensec_security, peer_addr)) {
+/**
+ * @brief Set the remote gensec address.
+ *
+ * @param  gensec_security   The gensec security context to use.
+ *
+ * @param  remote       The remote address to set.
+ *
+ * @return              On success NT_STATUS_OK is returned or an NT_STATUS
+ *                      error.
+ */
+_PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+                const struct tsocket_address *remote)
+{
+        TALLOC_FREE(gensec_security->remote_addr);
+        if (remote == NULL) {
+                return NT_STATUS_OK;
+        }
+        gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
+        if (gensec_security->remote_addr == NULL) {
                 return NT_STATUS_NO_MEMORY;
+        }
         return NT_STATUS_OK;
+}
+struct socket_address *gensec_get_my_addr(struct gensec_security *gensec_security)
+{
+        if (gensec_security->my_addr) {
+                return gensec_security->my_addr;
+        }
+        /* We could add a 'set sockaddr' call, and do a lookup.  This
+         * would avoid needing to do system calls if nothing asks. */
+        return NULL;
+}
+_PUBLIC_ struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security)
+{
+        if (gensec_security->peer_addr) {
+                return gensec_security->peer_addr;
+        }
+        /* We could add a 'set sockaddr' call, and do a lookup.  This
+         * would avoid needing to do system calls if nothing asks.
+         * However, this is not appropriate for the peer addres on
+         * datagram sockets */
+        return NULL;
+}
+/**
+ * @brief Get the local address from a gensec security context.
+ *
+ * @param  gensec_security   The security context to get the address from.
+ *
+ * @return              The address as tsocket_address which could be NULL if
+ *                      no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
+{
+        if (gensec_security == NULL) {
+                return NULL;
+        }
+        return gensec_security->local_addr;
+}
+/**
+ * @brief Get the remote address from a gensec security context.
+ *
+ * @param  gensec_security   The security context to get the address from.
+ *
+ * @return              The address as tsocket_address which could be NULL if
+ *                      no address is set.
+ */
+_PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
+{
+        if (gensec_security == NULL) {
+                return NULL;
+        }
+        return gensec_security->remote_addr;
+}
 /**
 …
  */
+NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
+_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
+{
         gensec_security->target.principal = talloc_strdup(gensec_security, principal);
 …
         return NULL;
+}
+NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
+                                      struct gensec_security *gensec_security,
+                                      struct auth_user_info_dc *user_info_dc,
+                                      struct auth_session_info **session_info)
+{
+        NTSTATUS nt_status;
+        uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+        if (user_info_dc->info->authenticated) {
+                flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+        }
+        if (gensec_security->auth_context) {
+                nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
+                                                                                 user_info_dc,
+                                                                                 flags,
+                                                                                 session_info);
+        } else {
+                flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+                nt_status = auth_generate_session_info(mem_ctx,
+                                                       NULL,
+                                                       NULL,
+                                                       user_info_dc, flags,
+                                                       session_info);
+        }
+        return nt_status;
+}
 …
 int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
+{
         return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+        return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
+{
         return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+        return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
 …
+{
         static bool initialized = false;
+        extern NTSTATUS gensec_sasl_init(void);
+        extern NTSTATUS gensec_krb5_init(void);
+        extern NTSTATUS gensec_schannel_init(void);
+        extern NTSTATUS gensec_spnego_init(void);
+        extern NTSTATUS gensec_gssapi_init(void);
+        extern NTSTATUS gensec_ntlmssp_init(void);
+#define _MODULE_PROTO(init) extern NTSTATUS init(void);
+        STATIC_gensec_MODULES_PROTO;
         init_module_fn static_init[] = { STATIC_gensec_MODULES };
         init_module_fn *shared_init;
 …
         talloc_free(shared_init);
         qsort(generic_security_ops, gensec_num_backends, sizeof(*generic_security_ops), QSORT_CAST sort_gensec);
+        TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
         return NT_STATUS_OK;

vendor/current/source4/auth/gensec/gensec.h

-              r414
+              r740
 #include "libcli/util/ntstatus.h"
+#define GENSEC_SASL_NAME_NTLMSSP "NTLM"
 #define GENSEC_OID_NTLMSSP "1.3.6.1.4.1.311.2.2.10"
 #define GENSEC_OID_SPNEGO "1.3.6.1.5.5.2"
 …
 struct gensec_settings;
 struct tevent_context;
+struct gensec_update_request {
+        struct gensec_security *gensec_security;
+        void *private_data;
+        DATA_BLOB in;
+        DATA_BLOB out;
+        NTSTATUS status;
+        struct {
+                void (*fn)(struct gensec_update_request *req, void *private_data);
+                void *private_data;
+        } callback;
+};
+struct tevent_req;
 struct gensec_settings {
         struct loadparm_context *lp_ctx;
-        struct smb_iconv_convenience *iconv_convenience;
         const char *target_hostname;
 };
 …
         uint32_t want_features;
         struct tevent_context *event_ctx;
         struct socket_address *my_addr, *peer_addr;
+        struct tsocket_address *local_addr, *remote_addr;
         struct gensec_settings *settings;
 …
 struct socket_context;
 struct auth_context;
+struct auth_user_info_dc;
 NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
 …
 NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
                        const DATA_BLOB in, DATA_BLOB *out);
+void gensec_update_send(struct gensec_security *gensec_security, const DATA_BLOB in,
+                                 void (*callback)(struct gensec_update_request *req, void *private_data),
+                                 void *private_data);
+NTSTATUS gensec_update_recv(struct gensec_update_request *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
+struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+                                      struct tevent_context *ev,
+                                      struct gensec_security *gensec_security,
+                                      const DATA_BLOB in);
+NTSTATUS gensec_update_recv(struct tevent_req *req, TALLOC_CTX *out_mem_ctx, DATA_BLOB *out);
 void gensec_want_feature(struct gensec_security *gensec_security,
                          uint32_t feature);
 …
 const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
 struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
-struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security);
 NTSTATUS gensec_init(struct loadparm_context *lp_ctx);
 NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 …
 NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
                              struct auth_session_info **session_info);
 NTSTATUS auth_nt_status_squash(NTSTATUS nt_status);
+NTSTATUS nt_status_squash(NTSTATUS nt_status);
 struct netlogon_creds_CredentialState;
 NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
                                TALLOC_CTX *mem_ctx,
                                struct netlogon_creds_CredentialState **creds);
+NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr);
+NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr);
+NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
+                const struct tsocket_address *local);
+NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
+                const struct tsocket_address *remote);
+const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security);
+const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security);
 NTSTATUS gensec_start_mech_by_name(struct gensec_security *gensec_security,
 …
 bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
+NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
 #endif /* __GENSEC_H__ */

vendor/current/source4/auth/gensec/gensec.pc.in

-              r414
+              r740
 Name: gensec
 Description: Generic Security Library
 Version: 0.0.1
 Libs: -L${libdir} -lgensec
+Version: @PACKAGE_VERSION@
+Libs: @LIB_RPATH@ -L${libdir} -lgensec
 Cflags: -I${includedir}  -DHAVE_IMMEDIATE_STRUCTURES=1

vendor/current/source4/auth/gensec/gensec_gssapi.c

-              r414
+              r740
 #include "librpc/gen_ndr/krb5pac.h"
 #include "auth/auth.h"
 #include "lib/ldb/include/ldb.h"
+#include <ldb.h>
 #include "auth/auth_sam.h"
 #include "librpc/rpc/dcerpc.h"
 …
 #include <gssapi/gssapi_spnego.h>
 #include "auth/gensec/gensec_gssapi.h"
+#include "lib/util/util_net.h"
 static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
 …
         struct gensec_gssapi_state *gensec_gssapi_state;
         krb5_error_code ret;
         struct gsskrb5_send_to_kdc send_to_kdc;
         gensec_gssapi_state = talloc(gensec_security, struct gensec_gssapi_state);
+        const char *realm;
+        gensec_gssapi_state = talloc_zero(gensec_security, struct gensec_gssapi_state);
         if (!gensec_gssapi_state) {
                 return NT_STATUS_NO_MEMORY;
+        }
-        gensec_gssapi_state->gss_exchange_count = 0;
-        gensec_gssapi_state->max_wrap_buf_size
-                = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
-        gensec_gssapi_state->sasl = false;
-        gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
         gensec_security->private_data = gensec_gssapi_state;
         gensec_gssapi_state->gssapi_context = GSS_C_NO_CONTEXT;
+        /* TODO: Fill in channel bindings */
+        gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
         gensec_gssapi_state->server_name = GSS_C_NO_NAME;
         gensec_gssapi_state->client_name = GSS_C_NO_NAME;
-        gensec_gssapi_state->lucid = NULL;
-        /* TODO: Fill in channel bindings */
-        gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
         gensec_gssapi_state->want_flags = 0;
         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation_by_kdc_policy", true)) {
                 gensec_gssapi_state->want_flags |= GSS_C_DELEG_POLICY_FLAG;
 …
+        }
-        gensec_gssapi_state->got_flags = 0;
-        gensec_gssapi_state->session_key = data_blob(NULL, 0);
-        gensec_gssapi_state->pac = data_blob(NULL, 0);
-        gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
-        gensec_gssapi_state->sig_size = 0;
-        talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
         if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
                 gensec_gssapi_state->want_flags |= GSS_C_INTEG_FLAG;
 …
                 gensec_gssapi_state->want_flags |= GSS_C_DCE_STYLE;
+        }
+        gensec_gssapi_state->got_flags = 0;
         switch (gensec_security->ops->auth_type) {
 …
+        }
+        send_to_kdc.func = smb_krb5_send_and_recv_func;
+        send_to_kdc.ptr = gensec_security->event_ctx;
+        ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
+        if (ret) {
+                DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+                talloc_free(gensec_gssapi_state);
+                return NT_STATUS_INTERNAL_ERROR;
+        }
+        if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) {
+                char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx));
+                if (!upper_realm) {
+                        DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx)));
+                        talloc_free(gensec_gssapi_state);
+                        return NT_STATUS_NO_MEMORY;
+                }
+                ret = gsskrb5_set_default_realm(upper_realm);
+                talloc_free(upper_realm);
+                if (ret) {
+                        DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
+                        talloc_free(gensec_gssapi_state);
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
+        }
+        /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
+        ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
+        if (ret) {
+                DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
+                talloc_free(gensec_gssapi_state);
+                return NT_STATUS_INTERNAL_ERROR;
+        }
+        ret = smb_krb5_init_context(gensec_gssapi_state,
+                                    gensec_security->event_ctx,
+        gensec_gssapi_state->session_key = data_blob(NULL, 0);
+        gensec_gssapi_state->pac = data_blob(NULL, 0);
+        ret = smb_krb5_init_context(gensec_gssapi_state,
+                                    NULL,
                                     gensec_security->settings->lp_ctx,
                                     &gensec_gssapi_state->smb_krb5_context);
 …
                 return NT_STATUS_INTERNAL_ERROR;
+        }
+        gensec_gssapi_state->client_cred = NULL;
+        gensec_gssapi_state->server_cred = NULL;
+        gensec_gssapi_state->lucid = NULL;
+        gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+        gensec_gssapi_state->sasl = false;
+        gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
+        gensec_gssapi_state->sasl_protection = 0;
+        gensec_gssapi_state->max_wrap_buf_size
+                = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
+        gensec_gssapi_state->gss_exchange_count = 0;
+        gensec_gssapi_state->sig_size = 0;
+        talloc_set_destructor(gensec_gssapi_state, gensec_gssapi_destructor);
+        realm = lpcfg_realm(gensec_security->settings->lp_ctx);
+        if (realm != NULL) {
+                ret = gsskrb5_set_default_realm(realm);
+                if (ret) {
+                        DEBUG(1,("gensec_krb5_start: gsskrb5_set_default_realm failed\n"));
+                        talloc_free(gensec_gssapi_state);
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
+        }
+        /* don't do DNS lookups of any kind, it might/will fail for a netbios name */
+        ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
+        if (ret) {
+                DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
+                talloc_free(gensec_gssapi_state);
+                return NT_STATUS_INTERNAL_ERROR;
+        }
         return NT_STATUS_OK;
+}
 …
         } else {
                 ret = cli_credentials_get_server_gss_creds(machine_account,
-                                                           gensec_security->event_ctx,
                                                            gensec_security->settings->lp_ctx, &gcc);
                 if (ret) {
 …
         OM_uint32 maj_stat, min_stat;
         const char *hostname = gensec_get_target_hostname(gensec_security);
-        const char *principal;
         struct gssapi_creds_container *gcc;
+        const char *error_string;
         if (!hostname) {
 …
         gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
         principal = gensec_get_target_principal(gensec_security);
         if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
+        gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security);
+        if (gensec_gssapi_state->target_principal) {
                 name_type = GSS_C_NULL_OID;
         } else {
                 principal = talloc_asprintf(gensec_gssapi_state, "%s@%s",
+                gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
                                             gensec_get_target_service(gensec_security),
                                             hostname);
                 name_type = GSS_C_NT_HOSTBASED_SERVICE;
+        }
         name_token.value  = discard_const_p(uint8_t, principal);
         name_token.length = strlen(principal);
+                                            hostname, lpcfg_realm(gensec_security->settings->lp_ctx));
+                name_type = GSS_C_NT_USER_NAME;
+        }
+        name_token.value  = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
+        name_token.length = strlen(gensec_gssapi_state->target_principal);
 …
         ret = cli_credentials_get_client_gss_creds(creds,
                                                    gensec_security->event_ctx,
                                                    gensec_security->settings->lp_ctx, &gcc);
+                                                   gensec_security->settings->lp_ctx, &gcc, &error_string);
         switch (ret) {
         case 0:
                 break;
         case KRB5KDC_ERR_PREAUTH_FAILED:
+        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+                DEBUG(1, ("Wrong username or password: %s\n", error_string));
                 return NT_STATUS_LOGON_FAILURE;
         case KRB5_KDC_UNREACH:
+                DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
+                return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+                DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
+                return NT_STATUS_NO_LOGON_SERVERS;
+        case KRB5_CC_NOTFOUND:
+        case KRB5_CC_END:
+                DEBUG(2, ("Error obtaining ticket we require to contact %s: (possibly due to clock skew between us and the KDC) %s\n", gensec_gssapi_state->target_principal, error_string));
+                return NT_STATUS_TIME_DIFFERENCE_AT_DC;
         default:
                 DEBUG(1, ("Aquiring initiator credentials failed\n"));
+                DEBUG(1, ("Aquiring initiator credentials failed: %s\n", error_string));
                 return NT_STATUS_UNSUCCESSFUL;
+        }
 …
                 case GENSEC_CLIENT:
+                {
+                        struct gsskrb5_send_to_kdc send_to_kdc;
+                        krb5_error_code ret;
+                        send_to_kdc.func = smb_krb5_send_and_recv_func;
+                        send_to_kdc.ptr = gensec_security->event_ctx;
+                        min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc);
+                        if (min_stat) {
+                                DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+                                return NT_STATUS_INTERNAL_ERROR;
+                        }
                         maj_stat = gss_init_sec_context(&min_stat,
                                                         gensec_gssapi_state->client_cred->creds,
 …
                                 gensec_gssapi_state->gss_oid = gss_oid_p;
+                        }
+                        send_to_kdc.func = smb_krb5_send_and_recv_func;
+                        send_to_kdc.ptr = NULL;
+                        ret = gsskrb5_set_send_to_kdc(&send_to_kdc);
+                        if (ret) {
+                                DEBUG(1,("gensec_krb5_start: gsskrb5_set_send_to_kdc failed\n"));
+                                return NT_STATUS_INTERNAL_ERROR;
+                        }
                         break;
+                }
 …
                          * is more work to do */
                         if (gensec_gssapi_state->sasl) {
-                                /* Due to a very subtle interaction
-                                 * with SASL and the LDAP libs, we
-                                 * must ensure the data pointer is
-                                 * != NULL, but the length is 0.
+                                 *
-                                 * This ensures we send a 'zero
-                                 * length' (rather than NULL) response
-                                 */
-                                if (!out->data) {
-                                        out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+                                }
                                 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
                                 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 …
                                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
                                         DEBUG(5, ("GSSAPI Connection will be cryptographicly sealed\n"));
+                                        DEBUG(5, ("GSSAPI Connection will be cryptographically sealed\n"));
                                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                                         DEBUG(5, ("GSSAPI Connection will be cryptographicly signed\n"));
+                                        DEBUG(5, ("GSSAPI Connection will be cryptographically signed\n"));
                                 } else {
                                         DEBUG(5, ("GSSAPI Connection will have no cryptographic protection\n"));
 …
                 } else if (gss_oid_equal(gensec_gssapi_state->gss_oid, gss_mech_krb5)) {
                         switch (min_stat) {
+                        case KRB5KRB_AP_ERR_TKT_NYV:
+                                DEBUG(1, ("Error with ticket to contact %s: possible clock skew between us and the KDC or target server: %s\n",
+                                          gensec_gssapi_state->target_principal,
+                                          gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+                                return NT_STATUS_TIME_DIFFERENCE_AT_DC; /* Make SPNEGO ignore us, we can't go any further here */
+                        case KRB5KRB_AP_ERR_TKT_EXPIRED:
+                                DEBUG(1, ("Error with ticket to contact %s: ticket is expired, possible clock skew between us and the KDC or target server: %s\n",
+                                          gensec_gssapi_state->target_principal,
+                                          gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+                                return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
                         case KRB5_KDC_UNREACH:
+                                DEBUG(3, ("Cannot reach a KDC we require: %s\n",
+                                          gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+                                return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+                                DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticetk to %s: %s\n",
+                                          gensec_gssapi_state->target_principal,
+                                          gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+                                return NT_STATUS_NO_LOGON_SERVERS; /* Make SPNEGO ignore us, we can't go any further here */
                         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
+                                DEBUG(3, ("Server is not registered with our KDC: %s\n",
+                                          gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+                                DEBUG(3, ("Server %s is not registered with our KDC: %s\n",
+                                          gensec_gssapi_state->target_principal,
+                                          gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
                                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
                         case KRB5KRB_AP_ERR_MSG_TYPE:
 …
                                 return NT_STATUS_INVALID_PARAMETER;
                         default:
+                                DEBUG(1, ("GSS Update(krb5)(%d) Update failed: %s\n",
+                                DEBUG(1, ("GSS %s Update(krb5)(%d) Update failed: %s\n",
+                                          gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
                                           gensec_gssapi_state->gss_exchange_count,
                                           gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 …
+                        }
                 } else {
+                        DEBUG(1, ("GSS Update(%d) failed: %s\n",
+                        DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
+                                  gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
                                   gensec_gssapi_state->gss_exchange_count,
                                   gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
 …
                                                                      gensec_gssapi_state->max_wrap_buf_size);
                         gensec_gssapi_state->sasl_protection = 0;
                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
                                 if (security_supported & NEG_SEAL) {
+                        if (security_supported & NEG_SEAL) {
+                                if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
                                         gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+                                }
+                        } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+                                if (security_supported & NEG_SIGN) {
+                        }
+                        if (security_supported & NEG_SIGN) {
+                                if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                                         gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+                                }
+                        } else if (security_supported & NEG_NONE) {
+                        }
+                        if (security_supported & NEG_NONE) {
                                 gensec_gssapi_state->sasl_protection |= NEG_NONE;
+                        } else {
+                                DEBUG(1, ("Remote server does not support unprotected connections"));
+                        }
+                        if (gensec_gssapi_state->sasl_protection == 0) {
+                                DEBUG(1, ("Remote server does not support unprotected connections\n"));
                                 return NT_STATUS_ACCESS_DENIED;
+                        }
 …
                         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
+                                DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically sealed\n"));
                         } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                                 DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
+                                DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographically signed\n"));
                         } else {
                                 DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
+                                DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographically protection\n"));
+                        }
 …
                 security_accepted = maxlength_accepted[0];
                 maxlength_accepted[0] = '\0';
                 /* Rest is the proposed max wrap length */
                 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0),
 …
                 gensec_gssapi_state->sasl_protection = 0;
+                if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+                        if (security_accepted & NEG_SEAL) {
+                                gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+                        }
+                } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+                        if (security_accepted & NEG_SIGN) {
+                                gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+                        }
+                } else if (security_accepted & NEG_NONE) {
+                if (security_accepted & NEG_SEAL) {
+                        if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+                                DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
+                                return NT_STATUS_ACCESS_DENIED;
+                        }
+                        gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+                }
+                if (security_accepted & NEG_SIGN) {
+                        if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+                                DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
+                                return NT_STATUS_ACCESS_DENIED;
+                        }
+                        gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+                }
+                if (security_accepted & NEG_NONE) {
                         gensec_gssapi_state->sasl_protection |= NEG_NONE;
-                } else {
-                        DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
-                        return NT_STATUS_ACCESS_DENIED;
+                }
 …
                 gensec_gssapi_state->sasl_state = STAGE_DONE;
                 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
+                        DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically sealed\n"));
                 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                         DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
+                        DEBUG(5, ("SASL/GSSAPI Connection from client will be cryptographically signed\n"));
                 } else {
                         DEBUG(5, ("SASL/GSSAPI Connection from client will have no cryptographic protection\n"));
 …
         struct gensec_gssapi_state *gensec_gssapi_state
                 = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
         struct auth_serversupplied_info *server_info = NULL;
+        struct auth_user_info_dc *user_info_dc = NULL;
         struct auth_session_info *session_info = NULL;
         OM_uint32 maj_stat, min_stat;
         gss_buffer_desc pac;
         DATA_BLOB pac_blob;
+        struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+        struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
         if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
 …
          */
         if (pac_blob.length) {
+                nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
+                                                             gensec_security->settings->iconv_convenience,
+                                                             pac_blob,
+                                                             gensec_gssapi_state->smb_krb5_context->krb5_context,
+                                                             &server_info);
+                pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+                if (!pac_srv_sig) {
+                        talloc_free(mem_ctx);
+                        return NT_STATUS_NO_MEMORY;
+                }
+                pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+                if (!pac_kdc_sig) {
+                        talloc_free(mem_ctx);
+                        return NT_STATUS_NO_MEMORY;
+                }
+                nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+                                                              pac_blob,
+                                                              gensec_gssapi_state->smb_krb5_context->krb5_context,
+                                                              &user_info_dc,
+                                                              pac_srv_sig,
+                                                              pac_kdc_sig);
                 if (!NT_STATUS_IS_OK(nt_status)) {
                         talloc_free(mem_ctx);
 …
                         DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
                                   gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
                         nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+                        nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
                                                                                              gensec_security->auth_context,
                                                                                              principal_string,
+                                                                                             &server_info);
+                                                                                             NULL,
+                                                                                             &user_info_dc);
                         if (!NT_STATUS_IS_OK(nt_status)) {
 …
+        }
         /* references the server_info into the session_info */
         nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx,
                                                gensec_security->settings->lp_ctx, server_info, &session_info);
+        /* references the user_info_dc into the session_info */
+        nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
+                                                 user_info_dc, &session_info);
         if (!NT_STATUS_IS_OK(nt_status)) {
                 talloc_free(mem_ctx);
 …
+        }
+        /* Allow torture tests to check the PAC signatures */
+        if (session_info->torture) {
+                session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
+                session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
+        }
         if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
                 DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
         } else {
                 krb5_error_code ret;
+                const char *error_string;
                 DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
                 session_info->credentials = cli_credentials_init(session_info);
 …
                 ret = cli_credentials_set_client_gss_creds(session_info->credentials,
+                                                           gensec_security->event_ctx,
+                                                           gensec_security->settings->lp_ctx,
+                                                           gensec_security->settings->lp_ctx,
                                                            gensec_gssapi_state->delegated_cred_handle,
                                                            CRED_SPECIFIED);
+                                                           CRED_SPECIFIED, &error_string);
                 if (ret) {
                         talloc_free(mem_ctx);
+                        DEBUG(2,("Failed to get gss creds: %s\n", error_string));
                         return NT_STATUS_NO_MEMORY;
+                }

vendor/current/source4/auth/gensec/gensec_gssapi.h

r414	r740
65	65	int gss_exchange_count;
66	66	size_t sig_size;
	67
	68	const char *target_principal;
67	69	};
68	70

vendor/current/source4/auth/gensec/gensec_krb5.c

-              r414
+              r740
 #include "system/kerberos.h"
 #include "auth/kerberos/kerberos.h"
-#include "librpc/gen_ndr/krb5pac.h"
 #include "auth/auth.h"
-#include "lib/ldb/include/ldb.h"
-#include "auth/auth_sam.h"
 #include "lib/socket/socket.h"
+#include "lib/tsocket/tsocket.h"
 #include "librpc/rpc/dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_krb5.h"
+#include "auth/kerberos/kerberos_credentials.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "param/param.h"
-#include "auth/session_proto.h"
 #include "auth/auth_sam_reply.h"
+#include "lib/util/util_net.h"
 enum GENSEC_KRB5_STATE {
 …
         struct gensec_krb5_state *gensec_krb5_state;
         struct cli_credentials *creds;
         const struct socket_address *my_addr, *peer_addr;
+        const struct tsocket_address *tlocal_addr, *tremote_addr;
         krb5_address my_krb5_addr, peer_krb5_addr;
 …
         if (cli_credentials_get_krb5_context(creds,
-                                             gensec_security->event_ctx,
                                              gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
                 talloc_free(gensec_krb5_state);
 …
+        }
+        my_addr = gensec_get_my_addr(gensec_security);
+        if (my_addr && my_addr->sockaddr) {
+                ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                            my_addr->sockaddr, &my_krb5_addr);
+        tlocal_addr = gensec_get_local_address(gensec_security);
+        if (tlocal_addr) {
+                ssize_t socklen;
+                struct sockaddr_storage ss;
+                socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
+                                (struct sockaddr *) &ss,
+                                sizeof(struct sockaddr_storage));
+                if (socklen < 0) {
+                        talloc_free(gensec_krb5_state);
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
+                ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                (const struct sockaddr *) &ss, &my_krb5_addr);
                 if (ret) {
                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
 …
+        }
+        peer_addr = gensec_get_peer_addr(gensec_security);
+        if (peer_addr && peer_addr->sockaddr) {
+                ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                            peer_addr->sockaddr, &peer_krb5_addr);
+        tremote_addr = gensec_get_remote_address(gensec_security);
+        if (tremote_addr) {
+                ssize_t socklen;
+                struct sockaddr_storage ss;
+                socklen = tsocket_address_bsd_sockaddr(tremote_addr,
+                                (struct sockaddr *) &ss,
+                                sizeof(struct sockaddr_storage));
+                if (socklen < 0) {
+                        talloc_free(gensec_krb5_state);
+                        return NT_STATUS_INTERNAL_ERROR;
+                }
+                ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
+                                (const struct sockaddr *) &ss, &peer_krb5_addr);
                 if (ret) {
                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
 …
         ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
                                      gensec_krb5_state->auth_context,
                                      my_addr ? &my_krb5_addr : NULL,
                                      peer_addr ? &peer_krb5_addr : NULL);
+                                     tlocal_addr ? &my_krb5_addr : NULL,
+                                     tremote_addr ? &peer_krb5_addr : NULL);
         if (ret) {
                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
 …
         struct ccache_container *ccache_container;
         const char *hostname;
+        const char *error_string;
         const char *principal;
         krb5_data in_data;
+        struct tevent_context *previous_ev;
         hostname = gensec_get_target_hostname(gensec_security);
 …
         ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
                                          gensec_security->event_ctx,
                                          gensec_security->settings->lp_ctx, &ccache_container);
+                                         gensec_security->settings->lp_ctx, &ccache_container, &error_string);
         switch (ret) {
         case 0:
                 break;
         case KRB5KDC_ERR_PREAUTH_FAILED:
+        case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
                 return NT_STATUS_LOGON_FAILURE;
         case KRB5_KDC_UNREACH:
+                DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
+                DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
+                return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
+        case KRB5_CC_NOTFOUND:
+        case KRB5_CC_END:
+                DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
         default:
                 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_message(ret)));
+                DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
                 return NT_STATUS_UNSUCCESSFUL;
+        }
         in_data.length = 0;
+        if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
+        /* Do this every time, in case we have weird recursive issues here */
+        ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev);
+        if (ret != 0) {
+                DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
+                return NT_STATUS_NO_MEMORY;
+        }
+        if (principal) {
                 krb5_principal target_principal;
                 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
 …
                                   &gensec_krb5_state->enc_ticket);
+        }
+        smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx);
         switch (ret) {
         case 0:
 …
                 struct keytab_container *keytab;
                 krb5_principal server_in_keytab;
+                const char *error_string;
+                enum credentials_obtained obtained;
                 if (!in.data) {
 …
                 /* Grab the keytab, however generated */
                 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
-                                                 gensec_security->event_ctx,
                                                  gensec_security->settings->lp_ctx, &keytab);
                 if (ret) {
 …
                 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
                                                  gensec_krb5_state->smb_krb5_context,
                                                  &server_in_keytab);
+                                                 &server_in_keytab, &obtained, &error_string);
                 if (ret) {
+                        DEBUG(2,("Failed to make credentials from principal: %s\n", error_string));
                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+                }
 …
         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
         struct auth_serversupplied_info *server_info = NULL;
+        struct auth_user_info_dc *user_info_dc = NULL;
         struct auth_session_info *session_info = NULL;
         struct PAC_LOGON_INFO *logon_info;
 …
                           smb_get_krb5_error_message(context,
                                                      ret, mem_ctx)));
+                krb5_free_principal(context, client_principal);
                 talloc_free(mem_ctx);
                 return NT_STATUS_NO_MEMORY;
 …
                           smb_get_krb5_error_message(context,
                                                      ret, mem_ctx)));
+                free(principal_string);
                 krb5_free_principal(context, client_principal);
                 free(principal_string);
+                talloc_free(mem_ctx);
                 return NT_STATUS_ACCESS_DENIED;
         } else if (ret) {
 …
                                   principal_string, smb_get_krb5_error_message(context,
                                                      ret, mem_ctx)));
                         nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+                        nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
                                                                                              gensec_security->auth_context,
                                                                                              principal_string,
                                                                                              &server_info);
+                                                                                             NULL, &user_info_dc);
                         if (!NT_STATUS_IS_OK(nt_status)) {
+                                free(principal_string);
+                                krb5_free_principal(context, client_principal);
                                 talloc_free(mem_ctx);
                                 return nt_status;
 …
                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
                                   principal_string));
+                        free(principal_string);
+                        krb5_free_principal(context, client_principal);
+                        talloc_free(mem_ctx);
                         return NT_STATUS_ACCESS_DENIED;
+                }
-                krb5_free_principal(context, client_principal);
-                free(principal_string);
-                if (!NT_STATUS_IS_OK(nt_status)) {
-                        talloc_free(mem_ctx);
-                        return nt_status;
+                }
         } else {
                 /* Found pac */
                 union netr_Validation validation;
-                free(principal_string);
                 pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
                 if (!pac.data) {
+                        free(principal_string);
                         krb5_free_principal(context, client_principal);
                         talloc_free(mem_ctx);
 …
                 /* decode and verify the pac */
                 nt_status = kerberos_pac_logon_info(gensec_krb5_state,
-                                                    gensec_security->settings->iconv_convenience,
                                                     &logon_info, pac,
                                                     gensec_krb5_state->smb_krb5_context->krb5_context,
 …
                                                     client_principal,
                                                     gensec_krb5_state->ticket->ticket.authtime, NULL);
-                krb5_free_principal(context, client_principal);
                 if (!NT_STATUS_IS_OK(nt_status)) {
+                        free(principal_string);
+                        krb5_free_principal(context, client_principal);
                         talloc_free(mem_ctx);
                         return nt_status;
 …
                 validation.sam3 = &logon_info->info3;
                 nt_status = make_server_info_netlogon_validation(mem_ctx,
+                nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
                                                                  NULL,
 , &validation,
                                                                  &server_info);
+                                                                 &user_info_dc);
                 if (!NT_STATUS_IS_OK(nt_status)) {
+                        free(principal_string);
+                        krb5_free_principal(context, client_principal);
                         talloc_free(mem_ctx);
                         return nt_status;
 …
+        }
+        /* references the server_info into the session_info */
+        nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info);
+        free(principal_string);
+        krb5_free_principal(context, client_principal);
+        /* references the user_info_dc into the session_info */
+        nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
         if (!NT_STATUS_IS_OK(nt_status)) {

vendor/current/source4/auth/gensec/pygensec.c

-              r414
+              r740
 */
+#include <Python.h>
 #include "includes.h"
+#include <Python.h>
+#include "param/param.h"
+#include "param/pyparam.h"
 #include "auth/gensec/gensec.h"
+#include "auth/credentials/pycredentials.h"
 #include "libcli/util/pyerrors.h"
+#include "pytalloc.h"
+#include "scripting/python/modules.h"
+#include "lib/talloc/pytalloc.h"
 #include <tevent.h>
+#ifndef Py_RETURN_NONE
+#define Py_RETURN_NONE return Py_INCREF(Py_None), Py_None
+#endif
+#include "librpc/rpc/pyrpc_util.h"
 static PyObject *py_get_name_by_authtype(PyObject *self, PyObject *args)
 …
                 return NULL;
         security = (struct gensec_security *)py_talloc_get_ptr(self);
+        security = py_talloc_get_type(self, struct gensec_security);
         name = gensec_get_name_by_authtype(security, type);
 …
+}
+static struct gensec_settings *settings_from_object(PyObject *object)
+{
+        return NULL; /* FIXME */
+static struct gensec_settings *settings_from_object(TALLOC_CTX *mem_ctx, PyObject *object)
+{
+        struct gensec_settings *s;
+        PyObject *py_hostname, *py_lp_ctx;
+        if (!PyDict_Check(object)) {
+                PyErr_SetString(PyExc_ValueError, "settings should be a dictionary");
+                return NULL;
+        }
+        s = talloc_zero(mem_ctx, struct gensec_settings);
+        if (!s) return NULL;
+        py_hostname = PyDict_GetItemString(object, "target_hostname");
+        if (!py_hostname) {
+                PyErr_SetString(PyExc_ValueError, "settings.target_hostname not found");
+                return NULL;
+        }
+        py_lp_ctx = PyDict_GetItemString(object, "lp_ctx");
+        if (!py_lp_ctx) {
+                PyErr_SetString(PyExc_ValueError, "settings.lp_ctx not found");
+                return NULL;
+        }
+        s->target_hostname = PyString_AsString(py_hostname);
+        s->lp_ctx = lpcfg_from_py_object(s, py_lp_ctx);
+        return s;
+}
 …
         PyObject *py_settings;
         struct tevent_context *ev;
+        if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O", kwnames, &py_settings))
+                return NULL;
+        settings = settings_from_object(py_settings);
+        if (settings == NULL)
+                return NULL;
+        struct gensec_security *gensec;
+        if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|O", discard_const_p(char *, kwnames), &py_settings))
+                return NULL;
         self = (py_talloc_Object*)type->tp_alloc(type, 0);
         if (self == NULL) {
 …
                 return NULL;
+        }
+        if (py_settings != Py_None) {
+                settings = settings_from_object(self->talloc_ctx, py_settings);
+                if (settings == NULL) {
+                        PyObject_DEL(self);
+                        return NULL;
+                }
+        } else {
+                settings = talloc_zero(self->talloc_ctx, struct gensec_settings);
+                if (settings == NULL) {
+                        PyObject_DEL(self);
+                        return NULL;
+                }
+                settings->lp_ctx = loadparm_init_global(true);
+        }
         ev = tevent_context_init(self->talloc_ctx);
         if (ev == NULL) {
 …
                 return NULL;
+        }
+        status = gensec_client_start(self->talloc_ctx,
                 (struct gensec_security **)&self->ptr, ev, settings);
+        status = gensec_init(settings->lp_ctx);
         if (!NT_STATUS_IS_OK(status)) {
                 PyErr_SetNTSTATUS(status);
 …
                 return NULL;
+        }
+        status = gensec_client_start(self->talloc_ctx, &gensec, ev, settings);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                PyObject_DEL(self);
+                return NULL;
+        }
+        self->ptr = gensec;
         return (PyObject *)self;
+}
+static PyObject *py_gensec_start_server(PyTypeObject *type, PyObject *args, PyObject *kwargs)
+{
+        NTSTATUS status;
+        py_talloc_Object *self;
+        struct gensec_settings *settings = NULL;
+        const char *kwnames[] = { "settings", "auth_context", NULL };
+        PyObject *py_settings = Py_None;
+        PyObject *py_auth_context = Py_None;
+        struct tevent_context *ev;
+        struct gensec_security *gensec;
+        struct auth_context *auth_context = NULL;
+        if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|OO", discard_const_p(char *, kwnames), &py_settings, &py_auth_context))
+                return NULL;
+        self = (py_talloc_Object*)type->tp_alloc(type, 0);
+        if (self == NULL) {
+                PyErr_NoMemory();
+                return NULL;
+        }
+        self->talloc_ctx = talloc_new(NULL);
+        if (self->talloc_ctx == NULL) {
+                PyErr_NoMemory();
+                return NULL;
+        }
+        if (py_settings != Py_None) {
+                settings = settings_from_object(self->talloc_ctx, py_settings);
+                if (settings == NULL) {
+                        PyObject_DEL(self);
+                        return NULL;
+                }
+        } else {
+                settings = talloc_zero(self->talloc_ctx, struct gensec_settings);
+                if (settings == NULL) {
+                        PyObject_DEL(self);
+                        return NULL;
+                }
+                settings->lp_ctx = loadparm_init_global(true);
+        }
+        ev = tevent_context_init(self->talloc_ctx);
+        if (ev == NULL) {
+                PyErr_NoMemory();
+                PyObject_Del(self);
+                return NULL;
+        }
+        if (py_auth_context != Py_None) {
+                auth_context = py_talloc_get_type(py_auth_context, struct auth_context);
+                if (!auth_context) {
+                        PyErr_Format(PyExc_TypeError,
+                                     "Expected auth.AuthContext for auth_context argument, got %s",
+                                     talloc_get_name(py_talloc_get_ptr(py_auth_context)));
+                        return NULL;
+                }
+        }
+        status = gensec_init(settings->lp_ctx);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                PyObject_DEL(self);
+                return NULL;
+        }
+        status = gensec_server_start(self->talloc_ctx, ev, settings, auth_context, &gensec);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                PyObject_DEL(self);
+                return NULL;
+        }
+        self->ptr = gensec;
+        return (PyObject *)self;
+}
+static PyObject *py_gensec_set_credentials(PyObject *self, PyObject *args)
+{
+        PyObject *py_creds = Py_None;
+        struct cli_credentials *creds;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        NTSTATUS status;
+        if (!PyArg_ParseTuple(args, "O", &py_creds))
+                return NULL;
+        creds = PyCredentials_AsCliCredentials(py_creds);
+        if (!creds) {
+                PyErr_Format(PyExc_TypeError,
+                             "Expected samba.credentaials for credentials argument got  %s",
+                             talloc_get_name(py_talloc_get_ptr(py_creds)));
+        }
+        status = gensec_set_credentials(security, creds);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                return NULL;
+        }
+        Py_RETURN_NONE;
+}
 static PyObject *py_gensec_session_info(PyObject *self)
+{
         NTSTATUS status;
+        struct gensec_security *security = (struct gensec_security *)py_talloc_get_ptr(self);
+        PyObject *py_session_info;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
         struct auth_session_info *info;
+        if (security->ops == NULL) {
+                PyErr_SetString(PyExc_RuntimeError, "no mechanism selected");
+                return NULL;
+        }
         status = gensec_session_info(security, &info);
         if (NT_STATUS_IS_ERR(status)) {
 …
+        }
+        /* FIXME */
+        py_session_info = py_return_ndr_struct("samba.auth", "AuthSession",
+                                                 info, info);
+        return py_session_info;
+}
+static PyObject *py_gensec_start_mech_by_name(PyObject *self, PyObject *args)
+{
+        char *name;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        NTSTATUS status;
+        if (!PyArg_ParseTuple(args, "s", &name))
+                return NULL;
+        status = gensec_start_mech_by_name(security, name);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                return NULL;
+        }
         Py_RETURN_NONE;
+}
+static PyObject *py_gensec_start_mech_by_sasl_name(PyObject *self, PyObject *args)
+{
+        char *sasl_name;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        NTSTATUS status;
+        if (!PyArg_ParseTuple(args, "s", &sasl_name))
+                return NULL;
+        status = gensec_start_mech_by_sasl_name(security, sasl_name);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                return NULL;
+        }
+        Py_RETURN_NONE;
+}
+static PyObject *py_gensec_start_mech_by_authtype(PyObject *self, PyObject *args)
+{
+        int authtype, level;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        NTSTATUS status;
+        if (!PyArg_ParseTuple(args, "ii", &authtype, &level))
+                return NULL;
+        status = gensec_start_mech_by_authtype(security, authtype, level);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                return NULL;
+        }
+        Py_RETURN_NONE;
+}
+static PyObject *py_gensec_want_feature(PyObject *self, PyObject *args)
+{
+        int feature;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        /* This is i (and declared as an int above) by design, as they are handled as an integer in python */
+        if (!PyArg_ParseTuple(args, "i", &feature))
+                return NULL;
+        gensec_want_feature(security, feature);
+        Py_RETURN_NONE;
+}
+static PyObject *py_gensec_have_feature(PyObject *self, PyObject *args)
+{
+        int feature;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        /* This is i (and declared as an int above) by design, as they are handled as an integer in python */
+        if (!PyArg_ParseTuple(args, "i", &feature))
+                return NULL;
+        if (gensec_have_feature(security, feature)) {
+                return Py_True;
+        }
+        return Py_False;
+}
+static PyObject *py_gensec_update(PyObject *self, PyObject *args)
+{
+        NTSTATUS status;
+        TALLOC_CTX *mem_ctx;
+        DATA_BLOB in, out;
+        PyObject *ret, *py_in;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        PyObject *finished_processing;
+        if (!PyArg_ParseTuple(args, "O", &py_in))
+                return NULL;
+        mem_ctx = talloc_new(NULL);
+        if (!PyString_Check(py_in)) {
+                PyErr_Format(PyExc_TypeError, "expected a string");
+                return NULL;
+        }
+        in.data = (uint8_t *)PyString_AsString(py_in);
+        in.length = PyString_Size(py_in);
+        status = gensec_update(security, mem_ctx, in, &out);
+        if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)
+            && !NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                talloc_free(mem_ctx);
+                return NULL;
+        }
+        ret = PyString_FromStringAndSize((const char *)out.data, out.length);
+        talloc_free(mem_ctx);
+        if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+                finished_processing = Py_False;
+        } else {
+                finished_processing = Py_True;
+        }
+        return PyTuple_Pack(2, finished_processing, ret);
+}
+static PyObject *py_gensec_wrap(PyObject *self, PyObject *args)
+{
+        NTSTATUS status;
+        TALLOC_CTX *mem_ctx;
+        DATA_BLOB in, out;
+        PyObject *ret, *py_in;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        if (!PyArg_ParseTuple(args, "O", &py_in))
+                return NULL;
+        mem_ctx = talloc_new(NULL);
+        if (!PyString_Check(py_in)) {
+                PyErr_Format(PyExc_TypeError, "expected a string");
+                return NULL;
+        }
+        in.data = (uint8_t *)PyString_AsString(py_in);
+        in.length = PyString_Size(py_in);
+        status = gensec_wrap(security, mem_ctx, &in, &out);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                talloc_free(mem_ctx);
+                return NULL;
+        }
+        ret = PyString_FromStringAndSize((const char *)out.data, out.length);
+        talloc_free(mem_ctx);
+        return ret;
+}
+static PyObject *py_gensec_unwrap(PyObject *self, PyObject *args)
+{
+        NTSTATUS status;
+        TALLOC_CTX *mem_ctx;
+        DATA_BLOB in, out;
+        PyObject *ret, *py_in;
+        struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
+        if (!PyArg_ParseTuple(args, "O", &py_in))
+                return NULL;
+        mem_ctx = talloc_new(NULL);
+        if (!PyString_Check(py_in)) {
+                PyErr_Format(PyExc_TypeError, "expected a string");
+                return NULL;
+        }
+        in.data = (uint8_t *)PyString_AsString(py_in);
+        in.length = PyString_Size(py_in);
+        status = gensec_unwrap(security, mem_ctx, &in, &out);
+        if (!NT_STATUS_IS_OK(status)) {
+                PyErr_SetNTSTATUS(status);
+                talloc_free(mem_ctx);
+                return NULL;
+        }
+        ret = PyString_FromStringAndSize((const char *)out.data, out.length);
+        talloc_free(mem_ctx);
+        return ret;
+}
 …
         { "start_client", (PyCFunction)py_gensec_start_client, METH_VARARGS|METH_KEYWORDS|METH_CLASS,
                 "S.start_client(settings) -> gensec" },
+/*      { "start_server", (PyCFunction)py_gensec_start_server, METH_VARARGS|METH_KEYWORDS|METH_CLASS,
+                "S.start_server(auth_ctx, settings) -> gensec" },*/
+        { "start_server", (PyCFunction)py_gensec_start_server, METH_VARARGS|METH_KEYWORDS|METH_CLASS,
+                "S.start_server(auth_ctx, settings) -> gensec" },
+        { "set_credentials", (PyCFunction)py_gensec_set_credentials, METH_VARARGS,
+                "S.start_client(credentials)" },
         { "session_info", (PyCFunction)py_gensec_session_info, METH_NOARGS,
+                "S.session_info() -> info" },
+                "S.session_info() -> info" },
+        { "start_mech_by_name", (PyCFunction)py_gensec_start_mech_by_name, METH_VARARGS,
+        "S.start_mech_by_name(name)" },
+        { "start_mech_by_sasl_name", (PyCFunction)py_gensec_start_mech_by_sasl_name, METH_VARARGS,
+        "S.start_mech_by_sasl_name(name)" },
+        { "start_mech_by_authtype", (PyCFunction)py_gensec_start_mech_by_authtype, METH_VARARGS, "S.start_mech_by_authtype(authtype, level)" },
         { "get_name_by_authtype", (PyCFunction)py_get_name_by_authtype, METH_VARARGS,
                 "S.get_name_by_authtype(authtype) -> name\nLookup an auth type." },
+        { "want_feature", (PyCFunction)py_gensec_want_feature, METH_VARARGS,
+          "S.want_feature(feature)\n Request that GENSEC negotiate a particular feature." },
+        { "have_feature", (PyCFunction)py_gensec_have_feature, METH_VARARGS,
+          "S.have_feature()\n Return True if GENSEC negotiated a particular feature." },
+        { "update",  (PyCFunction)py_gensec_update, METH_VARARGS,
+                "S.update(blob_in) -> (finished, blob_out)\nPerform one step in a GENSEC dance.  Repeat with new packets until finished is true or exception." },
+        { "wrap",  (PyCFunction)py_gensec_wrap, METH_VARARGS,
+                "S.wrap(blob_in) -> blob_out\nPackage one clear packet into a wrapped GENSEC packet." },
+        { "unwrap",  (PyCFunction)py_gensec_unwrap, METH_VARARGS,
+                "S.unwrap(blob_in) -> blob_out\nPerform one wrapped GENSEC packet into a clear packet." },
         { NULL }
 };
 …
         .tp_methods = py_gensec_security_methods,
         .tp_basicsize = sizeof(py_talloc_Object),
-        .tp_dealloc = py_talloc_dealloc,
 };
+void initgensec(void);
 void initgensec(void)
+{
         PyObject *m;
+        Py_Security.tp_base = PyTalloc_GetObjectType();
+        if (Py_Security.tp_base == NULL)
+                return;
         if (PyType_Ready(&Py_Security) < 0)
 …
                 return;
+        PyModule_AddObject(m, "FEATURE_SESSION_KEY",     PyInt_FromLong(GENSEC_FEATURE_SESSION_KEY));
+        PyModule_AddObject(m, "FEATURE_SIGN",            PyInt_FromLong(GENSEC_FEATURE_SIGN));
+        PyModule_AddObject(m, "FEATURE_SEAL",            PyInt_FromLong(GENSEC_FEATURE_SEAL));
+        PyModule_AddObject(m, "FEATURE_DCE_STYLE",       PyInt_FromLong(GENSEC_FEATURE_DCE_STYLE));
+        PyModule_AddObject(m, "FEATURE_ASYNC_REPLIES",   PyInt_FromLong(GENSEC_FEATURE_ASYNC_REPLIES));
+        PyModule_AddObject(m, "FEATURE_DATAGRAM_MODE",   PyInt_FromLong(GENSEC_FEATURE_DATAGRAM_MODE));
+        PyModule_AddObject(m, "FEATURE_SIGN_PKT_HEADER", PyInt_FromLong(GENSEC_FEATURE_SIGN_PKT_HEADER));
+        PyModule_AddObject(m, "FEATURE_NEW_SPNEGO",      PyInt_FromLong(GENSEC_FEATURE_NEW_SPNEGO));
         Py_INCREF(&Py_Security);
         PyModule_AddObject(m, "Security", (PyObject *)&Py_Security);

vendor/current/source4/auth/gensec/schannel.c

-              r414
+              r740
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
-#include "auth/gensec/schannel_state.h"
 #include "librpc/rpc/dcerpc.h"
 #include "param/param.h"
-#include "auth/session_proto.h"
 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
+{
+        return 32;
+        struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
+        uint32_t sig_size;
+        sig_size = netsec_outgoing_sig_size(state);
+        return sig_size;
+}
 …
         struct NL_AUTH_MESSAGE bind_schannel_ack;
         struct netlogon_creds_CredentialState *creds;
-        struct ldb_context *schannel_ldb;
         const char *workstation;
         const char *domain;
-        uint32_t required_flags;
         *out = data_blob(NULL, 0);
 …
 #endif
+                ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
+                                               gensec_security->settings->iconv_convenience, &bind_schannel,
+                ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
                                                (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 …
         case GENSEC_SERVER:
-                required_flags = NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-                                 NL_FLAG_OEM_NETBIOS_DOMAIN_NAME;
                 if (state->state != SCHANNEL_STATE_START) {
                         /* no third leg on this protocol */
 …
                 /* parse the schannel startup blob */
+                ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx,
+                        gensec_security->settings->iconv_convenience,
+                        &bind_schannel,
+                ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
                         (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 …
+                }
+                if (!(required_flags == (bind_schannel.Flags & required_flags))) {
+                        return NT_STATUS_INVALID_PARAMETER;
+                }
+                workstation = bind_schannel.oem_netbios_computer.a;
+                domain = bind_schannel.oem_netbios_domain.a;
+                if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) {
+                        DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+                                  domain, lp_workgroup(gensec_security->settings->lp_ctx)));
+                if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
+                        domain = bind_schannel.oem_netbios_domain.a;
+                        if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
+                                DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+                                          domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
+                                return NT_STATUS_LOGON_FAILURE;
+                        }
+                } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
+                        domain = bind_schannel.utf8_dns_domain.u;
+                        if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
+                                DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+                                          domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
+                                return NT_STATUS_LOGON_FAILURE;
+                        }
+                } else {
+                        DEBUG(3, ("Request for schannel to without domain\n"));
                         return NT_STATUS_LOGON_FAILURE;
+                }
+                schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx,
+                                                   gensec_security->settings->lp_ctx);
+                if (!schannel_ldb) {
+                        return NT_STATUS_ACCESS_DENIED;
+                }
+                /* pull the session key for this client */
+                status = schannel_fetch_session_key_ldb(schannel_ldb,
+                                                        out_mem_ctx, workstation, &creds);
+                talloc_free(schannel_ldb);
+                if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
+                        workstation = bind_schannel.oem_netbios_computer.a;
+                } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
+                        workstation = bind_schannel.utf8_netbios_computer.u;
+                } else {
+                        DEBUG(3, ("Request for schannel to without netbios workstation\n"));
+                        return NT_STATUS_LOGON_FAILURE;
+                }
+                status = schannel_get_creds_state(out_mem_ctx,
+                                                  lpcfg_private_dir(gensec_security->settings->lp_ctx),
+                                                  workstation, &creds);
                 if (!NT_STATUS_IS_OK(status)) {
                         DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
 …
+                }
                 state->creds = talloc_reference(state, creds);
+                state->creds = talloc_steal(state, creds);
                 bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
 …
                                                             * - gd */
+                ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
+                                               gensec_security->settings->iconv_convenience, &bind_schannel_ack,
+                ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
                                                (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 …
+{
         struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
         return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info);
+        return auth_anonymous_session_info(state, gensec_security->settings->lp_ctx, _session_info);
+}

vendor/current/source4/auth/gensec/socket.c

r414	r740
78	78	&unwrapped, &wrapped);
79	79	if (!NT_STATUS_IS_OK(nt_status)) {
80		~~talloc_free(mem_ctx);~~
81	80	return nt_status;
82	81	}

vendor/current/source4/auth/gensec/spnego.c

-              r414
+              r740
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
+#include "param/param.h"
 enum spnego_state_position {
 …
         if (spnego_state->state_position == SPNEGO_SERVER_START) {
                 for (i=0; all_sec && all_sec[i].op; i++) {
                         /* optomisitic token */
                         if (strcmp(all_sec[i].oid, mechType[0]) == 0) {
+                uint32_t j;
+                for (j=0; mechType && mechType[j]; j++) {
+                        for (i=0; all_sec && all_sec[i].op; i++) {
                                 nt_status = gensec_subcontext_start(spnego_state,
                                                                     gensec_security,
 …
                                         break;
+                                }
+                                if (j > 0) {
+                                        /* no optimistic token */
+                                        spnego_state->neg_oid = all_sec[i].oid;
+                                        *unwrapped_out = data_blob_null;
+                                        nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+                                        break;
+                                }
                                 nt_status = gensec_update(spnego_state->sub_sec_security,
                                                           out_mem_ctx,
 …
                                 break;
+                        }
+                }
+        }
+        /* Having tried any optomisitc token from the client (if we
+                        if (spnego_state->sub_sec_security) {
+                                break;
+                        }
+                }
+                if (!spnego_state->sub_sec_security) {
+                        DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+                        return NT_STATUS_INVALID_PARAMETER;
+                }
+        }
+        /* Having tried any optimistic token from the client (if we
          * were the server), if we didn't get anywhere, walk our list
          * in our preference order */
 …
                         if (spnego_state->state_position != SPNEGO_SERVER_START) {
                                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
+                                    NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
+                                    NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
                                     NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
                                         /* Pretend we never started it (lets the first run find some incompatible demand) */
 …
         DATA_BLOB unwrapped_out = data_blob(NULL, 0);
         const struct gensec_security_ops_wrapper *all_sec;
-        const char *principal = NULL;
         mechTypes = gensec_security_oids(gensec_security,
 …
                 if (spnego_state->state_position == SPNEGO_SERVER_START) {
-                        /* server credentials */
-                        struct cli_credentials *creds = gensec_get_credentials(gensec_security);
-                        if (creds) {
-                                principal = cli_credentials_get_principal(creds, out_mem_ctx);
+                        }
+                }
-                if (principal) {
                         spnego_out.negTokenInit.mechListMIC
                                 = data_blob_string_const(principal);
+                                = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
                 } else {
                         spnego_out.negTokenInit.mechListMIC = null_data_blob;
 …
+                }
+                if (spnego.negTokenInit.targetPrincipal) {
+                if (spnego.negTokenInit.targetPrincipal
+                    && strcmp(spnego.negTokenInit.targetPrincipal, ADS_IGNORE_PRINCIPAL) != 0) {
                         DEBUG(5, ("Server claims it's principal name is %s\n", spnego.negTokenInit.targetPrincipal));
+                        gensec_set_target_principal(gensec_security, spnego.negTokenInit.targetPrincipal);
+                        if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
+                                gensec_set_target_principal(gensec_security, spnego.negTokenInit.targetPrincipal);
+                        }
+                }

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: