*/
#include "includes.h"
+#include <tevent.h>
+#include "lib/util/tevent_ntstatus.h"
#include "lib/events/events.h"
#include "system/kerberos.h"
#include "system/gssapi.h"
#include "auth/auth.h"
#include <ldb.h>
#include "auth/auth_sam.h"
-#include "librpc/rpc/dcerpc.h"
+#include "librpc/gen_ndr/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
#include "auth/gensec/gensec_proto.h"
#include "auth/gensec/gensec_toplevel_proto.h"
#include "param/param.h"
#include "gensec_gssapi.h"
#include "lib/util/util_net.h"
#include "auth/kerberos/pac_utils.h"
+#include "auth/kerberos/gssapi_helper.h"
#ifndef gss_mech_spnego
gss_OID_desc spnego_mech_oid_desc =
#define gss_mech_spnego (&spnego_mech_oid_desc)
#endif
-_PUBLIC_ NTSTATUS gensec_gssapi_init(void);
+_PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *);
static size_t gensec_gssapi_max_input_size(struct gensec_security *gensec_security);
static size_t gensec_gssapi_max_wrapped_size(struct gensec_security *gensec_security);
+static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, size_t data_size);
static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_state)
{
- OM_uint32 maj_stat, min_stat;
-
+ OM_uint32 min_stat;
+
if (gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
- maj_stat = gss_release_cred(&min_stat,
- &gensec_gssapi_state->delegated_cred_handle);
+ gss_release_cred(&min_stat,
+ &gensec_gssapi_state->delegated_cred_handle);
}
if (gensec_gssapi_state->gssapi_context != GSS_C_NO_CONTEXT) {
- maj_stat = gss_delete_sec_context (&min_stat,
- &gensec_gssapi_state->gssapi_context,
- GSS_C_NO_BUFFER);
+ gss_delete_sec_context(&min_stat,
+ &gensec_gssapi_state->gssapi_context,
+ GSS_C_NO_BUFFER);
}
if (gensec_gssapi_state->server_name != GSS_C_NO_NAME) {
- maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->server_name);
+ gss_release_name(&min_stat,
+ &gensec_gssapi_state->server_name);
}
if (gensec_gssapi_state->client_name != GSS_C_NO_NAME) {
- maj_stat = gss_release_name(&min_stat, &gensec_gssapi_state->client_name);
- }
-
- if (gensec_gssapi_state->lucid) {
- gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
+ gss_release_name(&min_stat,
+ &gensec_gssapi_state->client_name);
}
return 0;
}
-static NTSTATUS gensec_gssapi_init_lucid(struct gensec_gssapi_state *gensec_gssapi_state)
+static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx,
+ const char *target_principal,
+ const char *service,
+ const char *hostname,
+ const char *realm,
+ const gss_OID mech,
+ char **pserver_principal,
+ gss_name_t *pserver_name)
{
- OM_uint32 maj_stat, min_stat;
+ char *server_principal = NULL;
+ gss_buffer_desc name_token;
+ gss_OID name_type;
+ OM_uint32 maj_stat, min_stat = 0;
- if (gensec_gssapi_state->lucid) {
- return NT_STATUS_OK;
+ if (target_principal != NULL) {
+ server_principal = talloc_strdup(mem_ctx, target_principal);
+ name_type = GSS_C_NULL_OID;
+ } else {
+ server_principal = talloc_asprintf(mem_ctx,
+ "%s/%s@%s",
+ service, hostname, realm);
+ name_type = GSS_C_NT_USER_NAME;
}
-
- maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
- &gensec_gssapi_state->gssapi_context,
- 1,
- (void **)&gensec_gssapi_state->lucid);
- if (maj_stat != GSS_S_COMPLETE) {
- DEBUG(0,("gensec_gssapi_init_lucid: %s\n",
- gssapi_error_string(gensec_gssapi_state,
- maj_stat, min_stat,
- gensec_gssapi_state->gss_oid)));
- return NT_STATUS_INTERNAL_ERROR;
+ if (server_principal == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- if (gensec_gssapi_state->lucid->version != 1) {
- DEBUG(0,("gensec_gssapi_init_lucid: lucid version[%d] != 1\n",
- gensec_gssapi_state->lucid->version));
- gss_krb5_free_lucid_sec_context(&min_stat, gensec_gssapi_state->lucid);
- gensec_gssapi_state->lucid = NULL;
- return NT_STATUS_INTERNAL_ERROR;
+ name_token.value = (uint8_t *)server_principal;
+ name_token.length = strlen(server_principal);
+
+ maj_stat = gss_import_name(&min_stat,
+ &name_token,
+ name_type,
+ pserver_name);
+ if (maj_stat) {
+ DBG_WARNING("GSS Import name of %s failed: %s\n",
+ server_principal,
+ gssapi_error_string(mem_ctx,
+ maj_stat,
+ min_stat,
+ mech));
+ TALLOC_FREE(server_principal);
+ return NT_STATUS_INVALID_PARAMETER;
}
+ *pserver_principal = server_principal;
+
return NT_STATUS_OK;
}
{
struct gensec_gssapi_state *gensec_gssapi_state;
krb5_error_code ret;
+#ifdef SAMBA4_USES_HEIMDAL
const char *realm;
+#endif
gensec_gssapi_state = talloc_zero(gensec_security, struct gensec_gssapi_state);
if (!gensec_gssapi_state) {
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
}
+ if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
+ gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
+ }
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
}
}
ret = smb_krb5_init_context(gensec_gssapi_state,
- NULL,
gensec_security->settings->lp_ctx,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
gensec_gssapi_state->client_cred = NULL;
gensec_gssapi_state->server_cred = NULL;
- gensec_gssapi_state->lucid = NULL;
-
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
gensec_gssapi_state->sasl = false;
ret = cli_credentials_get_server_gss_creds(machine_account,
gensec_security->settings->lp_ctx, &gcc);
if (ret) {
- DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
+ DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",
error_message(ret)));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
return NT_STATUS_INVALID_PARAMETER;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
DEBUG(1, ("Wrong username or password: %s\n", error_string));
return NT_STATUS_LOGON_FAILURE;
+ case KRB5KDC_ERR_CLIENT_REVOKED:
+ DEBUG(1, ("Account locked out: %s\n", error_string));
+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
+ case KRB5_REALM_UNKNOWN:
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
return NT_STATUS_NO_LOGON_SERVERS;
struct gensec_gssapi_state *gensec_gssapi_state;
struct cli_credentials *creds = gensec_get_credentials(gensec_security);
NTSTATUS nt_status;
- gss_buffer_desc name_token;
- gss_OID name_type;
- OM_uint32 maj_stat, min_stat;
+ const char *target_principal = NULL;
const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *service = gensec_get_target_service(gensec_security);
+ const char *realm = cli_credentials_get_realm(creds);
- if (!hostname) {
- DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- if (is_ipaddress(hostname)) {
- DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
- return NT_STATUS_INVALID_PARAMETER;
+ nt_status = gensec_gssapi_try_kerberos(gensec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- if (strcmp(hostname, "localhost") == 0) {
- DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
+
+ target_principal = gensec_get_target_principal(gensec_security);
+ if (target_principal == NULL && realm == NULL) {
+ char *cred_name = cli_credentials_get_unparsed_name(creds,
+ gensec_security);
+ DEBUG(3, ("cli_credentials(%s) without realm, "
+ "cannot use kerberos for this connection %s/%s\n",
+ cred_name, service, hostname));
+ TALLOC_FREE(cred_name);
return NT_STATUS_INVALID_PARAMETER;
}
gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
}
- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security);
- if (gensec_gssapi_state->target_principal) {
- name_type = GSS_C_NULL_OID;
- } else {
- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s",
- gensec_get_target_service(gensec_security),
- hostname, lpcfg_realm(gensec_security->settings->lp_ctx));
-
- name_type = GSS_C_NT_USER_NAME;
- }
- name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal);
- name_token.length = strlen(gensec_gssapi_state->target_principal);
-
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- name_type,
- &gensec_gssapi_state->server_name);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
return NT_STATUS_OK;
}
return nt_status;
}
-
-/**
- * Next state function for the GSSAPI GENSEC mechanism
- *
- * @param gensec_gssapi_state GSSAPI State
- * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
- * @param in The request, as a DATA_BLOB
- * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
- * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
- * or NT_STATUS_OK if the user is authenticated.
- */
-
-static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_security,
+ TALLOC_CTX *out_mem_ctx,
+ struct tevent_context *ev,
+ const DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
OM_uint32 maj_stat, min_stat;
OM_uint32 min_stat2;
- gss_buffer_desc input_token, output_token;
+ gss_buffer_desc input_token = { 0, NULL };
+ gss_buffer_desc output_token = { 0, NULL };
+ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security);
+ const char *target_principal = gensec_get_target_principal(gensec_security);
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *service = gensec_get_target_service(gensec_security);
+ const char *client_realm = cli_credentials_get_realm(cli_creds);
+ const char *server_realm = NULL;
gss_OID gss_oid_p = NULL;
OM_uint32 time_req = 0;
OM_uint32 time_rec = 0;
{
#ifdef SAMBA4_USES_HEIMDAL
struct gsskrb5_send_to_kdc send_to_kdc;
-#endif
krb5_error_code ret;
+#else
+ bool fallback = false;
+#endif
nt_status = gensec_gssapi_client_creds(gensec_security, ev);
if (!NT_STATUS_IS_OK(nt_status)) {
return NT_STATUS_INTERNAL_ERROR;
}
#endif
+
+ /*
+ * With credentials for
+ * administrator@FOREST1.EXAMPLE.COM this patch changes
+ * the target_principal for the ldap service of host
+ * dc2.forest2.example.com from
+ *
+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+ *
+ * to
+ *
+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
+ *
+ * Typically
+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
+ * should be used in order to allow the KDC of
+ * FOREST1.EXAMPLE.COM to generate a referral ticket
+ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
+ *
+ * The problem is that KDCs only return such referral
+ * tickets if there's a forest trust between
+ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If
+ * there's only an external domain trust between
+ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC
+ * of FOREST1.EXAMPLE.COM will respond with
+ * S_PRINCIPAL_UNKNOWN when being asked for
+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
+ *
+ * In the case of an external trust the client can
+ * still ask explicitly for
+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and
+ * the KDC of FOREST1.EXAMPLE.COM will generate it.
+ *
+ * From there the client can use the
+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM
+ * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a
+ * service ticket for
+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
+ *
+ * With Heimdal we'll get the fallback on
+ * S_PRINCIPAL_UNKNOWN behavior when we pass
+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as
+ * target principal. As _krb5_get_cred_kdc_any() first
+ * calls get_cred_kdc_referral() (which always starts
+ * with the client realm) and falls back to
+ * get_cred_kdc_capath() (which starts with the given
+ * realm).
+ *
+ * MIT krb5 only tries the given realm of the target
+ * principal, if we want to autodetect support for
+ * transitive forest trusts, would have to do the
+ * fallback ourself.
+ */
+#ifndef SAMBA4_USES_HEIMDAL
+ if (gensec_gssapi_state->server_name == NULL) {
+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ target_principal,
+ service,
+ hostname,
+ client_realm,
+ gensec_gssapi_state->gss_oid,
+ &gensec_gssapi_state->target_principal,
+ &gensec_gssapi_state->server_name);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ maj_stat = gss_init_sec_context(&min_stat,
+ gensec_gssapi_state->client_cred->creds,
+ &gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->server_name,
+ gensec_gssapi_state->gss_oid,
+ gensec_gssapi_state->gss_want_flags,
+ time_req,
+ gensec_gssapi_state->input_chan_bindings,
+ &input_token,
+ &gss_oid_p,
+ &output_token,
+ &gensec_gssapi_state->gss_got_flags, /* ret flags */
+ &time_rec);
+ if (maj_stat != GSS_S_FAILURE) {
+ goto init_sec_context_done;
+ }
+ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
+ goto init_sec_context_done;
+ }
+ if (target_principal != NULL) {
+ goto init_sec_context_done;
+ }
+
+ fallback = true;
+ TALLOC_FREE(gensec_gssapi_state->target_principal);
+ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name);
+ }
+#endif /* !SAMBA4_USES_HEIMDAL */
+ if (gensec_gssapi_state->server_name == NULL) {
+ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state,
+ hostname,
+ client_realm);
+ if (server_realm == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+#ifndef SAMBA4_USES_HEIMDAL
+ if (fallback &&
+ strequal(client_realm, server_realm)) {
+ goto init_sec_context_done;
+ }
+#endif /* !SAMBA4_USES_HEIMDAL */
+
+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state,
+ target_principal,
+ service,
+ hostname,
+ server_realm,
+ gensec_gssapi_state->gss_oid,
+ &gensec_gssapi_state->target_principal,
+ &gensec_gssapi_state->server_name);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ }
+
maj_stat = gss_init_sec_context(&min_stat,
gensec_gssapi_state->client_cred->creds,
&gensec_gssapi_state->gssapi_context,
&output_token,
&gensec_gssapi_state->gss_got_flags, /* ret flags */
&time_rec);
+ goto init_sec_context_done;
+ /* JUMP! */
+init_sec_context_done:
if (gss_oid_p) {
gensec_gssapi_state->gss_oid = gss_oid_p;
}
*out = data_blob_talloc(out_mem_ctx, output_token.value, output_token.length);
gss_release_buffer(&min_stat2, &output_token);
- if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG) {
+ if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
+ gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
DEBUG(5, ("gensec_gssapi: credentials were delegated\n"));
} else {
DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
return NT_STATUS_MORE_PROCESSING_REQUIRED;
} else if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
- gss_cred_id_t creds;
+ gss_cred_id_t creds = NULL;
gss_name_t name;
gss_buffer_desc buffer;
OM_uint32 lifetime = 0;
&name, &lifetime, &usage, NULL);
if (maj_stat == GSS_S_COMPLETE) {
- const char *usage_string;
+ const char *usage_string = NULL;
switch (usage) {
case GSS_C_BOTH:
usage_string = "GSS_C_BOTH";
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_KDC_UNREACH:
- DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticetk to %s: %s\n",
+ DEBUG(3, ("Cannot reach a KDC we require in order to obtain a ticket to %s: %s\n",
gensec_gssapi_state->target_principal,
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
return NT_STATUS_NO_LOGON_SERVERS; /* Make SPNEGO ignore us, we can't go any further here */
gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
gensec_gssapi_state->gss_exchange_count,
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- return nt_status;
+ return NT_STATUS_LOGON_FAILURE;
}
} else {
DEBUG(1, ("GSS %s Update(%d) failed: %s\n",
gensec_security->gensec_role == GENSEC_CLIENT ? "client" : "server",
gensec_gssapi_state->gss_exchange_count,
gssapi_error_string(out_mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- return nt_status;
+ return NT_STATUS_LOGON_FAILURE;
}
break;
}
}
}
+struct gensec_gssapi_update_state {
+ NTSTATUS status;
+ DATA_BLOB out;
+};
+
+static struct tevent_req *gensec_gssapi_update_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct gensec_security *gensec_security,
+ const DATA_BLOB in)
+{
+ struct tevent_req *req = NULL;
+ struct gensec_gssapi_update_state *state = NULL;
+ NTSTATUS status;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct gensec_gssapi_update_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ status = gensec_gssapi_update_internal(gensec_security,
+ state, ev, in,
+ &state->out);
+ state->status = status;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+}
+
+static NTSTATUS gensec_gssapi_update_recv(struct tevent_req *req,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ struct gensec_gssapi_update_state *state =
+ tevent_req_data(req,
+ struct gensec_gssapi_update_state);
+ NTSTATUS status;
+
+ *out = data_blob_null;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ *out = state->out;
+ talloc_steal(out_mem_ctx, state->out.data);
+ status = state->status;
+ tevent_req_received(req);
+ return status;
+}
+
static NTSTATUS gensec_gssapi_wrap(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const DATA_BLOB *in,
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc input_token, output_token;
- int conf_state;
- ssize_t sig_length;
-
- input_token.length = length;
- input_token.value = data;
-
- maj_stat = gss_wrap(&min_stat,
- gensec_gssapi_state->gssapi_context,
- gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL),
- GSS_C_QOP_DEFAULT,
- &input_token,
- &conf_state,
- &output_token);
- if (GSS_ERROR(maj_stat)) {
- DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap failed: %s\n",
- gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- return NT_STATUS_ACCESS_DENIED;
- }
+ bool hdr_signing = false;
+ size_t sig_size = 0;
+ NTSTATUS status;
- if (output_token.length < input_token.length) {
- DEBUG(1, ("gensec_gssapi_seal_packet: GSS Wrap length [%ld] *less* than caller length [%ld]\n",
- (long)output_token.length, (long)length));
- return NT_STATUS_INTERNAL_ERROR;
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ hdr_signing = true;
}
- sig_length = output_token.length - input_token.length;
-
- memcpy(data, ((uint8_t *)output_token.value) + sig_length, length);
- *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, sig_length);
- dump_data_pw("gensec_gssapi_seal_packet: sig\n", sig->data, sig->length);
- dump_data_pw("gensec_gssapi_seal_packet: clear\n", data, length);
- dump_data_pw("gensec_gssapi_seal_packet: sealed\n", ((uint8_t *)output_token.value) + sig_length, output_token.length - sig_length);
-
- gss_release_buffer(&min_stat, &output_token);
+ sig_size = gensec_gssapi_sig_size(gensec_security, length);
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
- && !conf_state) {
- return NT_STATUS_ACCESS_DENIED;
+ status = gssapi_seal_packet(gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->gss_oid,
+ hdr_signing, sig_size,
+ data, length,
+ whole_pdu, pdu_length,
+ mem_ctx, sig);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("gssapi_seal_packet(hdr_signing=%u,sig_size=%zu,"
+ "data=%zu,pdu=%zu) failed: %s\n",
+ hdr_signing, sig_size, length, pdu_length,
+ nt_errstr(status)));
+ return status;
}
+
return NT_STATUS_OK;
}
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc input_token, output_token;
- int conf_state;
- gss_qop_t qop_state;
- DATA_BLOB in;
-
- dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
-
- in = data_blob_talloc(gensec_security, NULL, sig->length + length);
-
- memcpy(in.data, sig->data, sig->length);
- memcpy(in.data + sig->length, data, length);
+ bool hdr_signing = false;
+ NTSTATUS status;
- input_token.length = in.length;
- input_token.value = in.data;
-
- maj_stat = gss_unwrap(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &input_token,
- &output_token,
- &conf_state,
- &qop_state);
- talloc_free(in.data);
- if (GSS_ERROR(maj_stat)) {
- char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid);
- DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n",
- error_string));
- talloc_free(error_string);
- return NT_STATUS_ACCESS_DENIED;
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ hdr_signing = true;
}
- if (output_token.length != length) {
- return NT_STATUS_INTERNAL_ERROR;
+ status = gssapi_unseal_packet(gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->gss_oid,
+ hdr_signing,
+ data, length,
+ whole_pdu, pdu_length,
+ sig);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("gssapi_unseal_packet(hdr_signing=%u,sig_size=%zu,"
+ "data=%zu,pdu=%zu) failed: %s\n",
+ hdr_signing, sig->length, length, pdu_length,
+ nt_errstr(status)));
+ return status;
}
- memcpy(data, output_token.value, length);
-
- gss_release_buffer(&min_stat, &output_token);
-
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)
- && !conf_state) {
- return NT_STATUS_ACCESS_DENIED;
- }
return NT_STATUS_OK;
}
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc input_token, output_token;
+ bool hdr_signing = false;
+ NTSTATUS status;
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
- input_token.length = pdu_length;
- input_token.value = discard_const_p(uint8_t *, whole_pdu);
- } else {
- input_token.length = length;
- input_token.value = discard_const_p(uint8_t *, data);
+ hdr_signing = true;
}
- maj_stat = gss_get_mic(&min_stat,
- gensec_gssapi_state->gssapi_context,
- GSS_C_QOP_DEFAULT,
- &input_token,
- &output_token);
- if (GSS_ERROR(maj_stat)) {
- DEBUG(1, ("GSS GetMic failed: %s\n",
- gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- return NT_STATUS_ACCESS_DENIED;
+ status = gssapi_sign_packet(gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->gss_oid,
+ hdr_signing,
+ data, length,
+ whole_pdu, pdu_length,
+ mem_ctx, sig);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("gssapi_sign_packet(hdr_signing=%u,"
+ "data=%zu,pdu=%zu) failed: %s\n",
+ hdr_signing, length, pdu_length,
+ nt_errstr(status)));
+ return status;
}
- *sig = data_blob_talloc(mem_ctx, (uint8_t *)output_token.value, output_token.length);
-
- dump_data_pw("gensec_gssapi_sign_packet: sig\n", sig->data, sig->length);
-
- gss_release_buffer(&min_stat, &output_token);
-
return NT_STATUS_OK;
}
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc input_token;
- gss_buffer_desc input_message;
- gss_qop_t qop_state;
-
- dump_data_pw("gensec_gssapi_check_packet: sig\n", sig->data, sig->length);
+ bool hdr_signing = false;
+ NTSTATUS status;
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
- input_message.length = pdu_length;
- input_message.value = discard_const(whole_pdu);
- } else {
- input_message.length = length;
- input_message.value = discard_const(data);
+ hdr_signing = true;
}
- input_token.length = sig->length;
- input_token.value = sig->data;
-
- maj_stat = gss_verify_mic(&min_stat,
- gensec_gssapi_state->gssapi_context,
- &input_message,
- &input_token,
- &qop_state);
- if (GSS_ERROR(maj_stat)) {
- char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid);
- DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string));
- talloc_free(error_string);
-
- return NT_STATUS_ACCESS_DENIED;
+ status = gssapi_check_packet(gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->gss_oid,
+ hdr_signing,
+ data, length,
+ whole_pdu, pdu_length,
+ sig);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("gssapi_check_packet(hdr_signing=%u,sig_size=%zu,"
+ "data=%zu,pdu=%zu) failed: %s\n",
+ hdr_signing, sig->length, length, pdu_length,
+ nt_errstr(status)));
+ return status;
}
return NT_STATUS_OK;
if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
return true;
}
+ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ return true;
+ }
return false;
}
return nt_status;
}
- if (!(gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG)) {
- DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
- } else {
+ if (gensec_gssapi_state->gss_got_flags & GSS_C_DELEG_FLAG &&
+ gensec_gssapi_state->delegated_cred_handle != GSS_C_NO_CREDENTIAL) {
krb5_error_code ret;
const char *error_string;
DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
- session_info->credentials = cli_credentials_init(session_info);
- if (!session_info->credentials) {
+
+ /*
+ * Create anonymous credentials for now.
+ *
+ * We will update them with the provided client gss creds.
+ */
+ session_info->credentials = cli_credentials_init_anon(session_info);
+ if (session_info->credentials == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
- /* Just so we don't segfault trying to get at a username */
- cli_credentials_set_anonymous(session_info->credentials);
-
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+ } else {
+ DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
}
+
*_session_info = talloc_steal(mem_ctx, session_info);
talloc_free(tmp_ctx);
{
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- NTSTATUS status;
+ size_t sig_size;
- if (gensec_gssapi_state->sig_size) {
+ if (gensec_gssapi_state->sig_size > 0) {
return gensec_gssapi_state->sig_size;
}
- if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
- gensec_gssapi_state->sig_size = 45;
- } else {
- gensec_gssapi_state->sig_size = 37;
- }
+ sig_size = gssapi_get_sig_size(gensec_gssapi_state->gssapi_context,
+ gensec_gssapi_state->gss_oid,
+ gensec_gssapi_state->gss_got_flags,
+ data_size);
- status = gensec_gssapi_init_lucid(gensec_gssapi_state);
- if (!NT_STATUS_IS_OK(status)) {
- return gensec_gssapi_state->sig_size;
- }
+ gensec_gssapi_state->sig_size = sig_size;
+ return gensec_gssapi_state->sig_size;
+}
- if (gensec_gssapi_state->lucid->protocol == 1) {
- if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
- /*
- * TODO: windows uses 76 here, but we don't know
- * gss_wrap works with aes keys yet
- */
- gensec_gssapi_state->sig_size = 76;
- } else {
- gensec_gssapi_state->sig_size = 28;
- }
- } else if (gensec_gssapi_state->lucid->protocol == 0) {
- switch (gensec_gssapi_state->lucid->rfc1964_kd.ctx_key.type) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_ARCFOUR_HMAC:
- case ENCTYPE_ARCFOUR_HMAC_EXP:
- if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
- gensec_gssapi_state->sig_size = 45;
- } else {
- gensec_gssapi_state->sig_size = 37;
- }
- break;
-#ifdef SAMBA4_USES_HEIMDAL
- case ENCTYPE_OLD_DES3_CBC_SHA1:
- if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
- gensec_gssapi_state->sig_size = 57;
- } else {
- gensec_gssapi_state->sig_size = 49;
- }
- break;
-#endif
- }
+static const char *gensec_gssapi_final_auth_type(struct gensec_security *gensec_security)
+{
+ struct gensec_gssapi_state *gensec_gssapi_state
+ = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
+ /* Only return the string for GSSAPI/Krb5 */
+ if (smb_gss_oid_equal(gensec_gssapi_state->gss_oid,
+ gss_mech_krb5)) {
+ return GENSEC_FINAL_AUTH_TYPE_KRB5;
+ } else {
+ return "gensec_gssapi: UNKNOWN MECH";
}
-
- return gensec_gssapi_state->sig_size;
}
static const char *gensec_gssapi_krb5_oids[] = {
.client_start = gensec_gssapi_client_start,
.server_start = gensec_gssapi_server_start,
.magic = gensec_magic_check_krb5_oid,
- .update = gensec_gssapi_update,
+ .update_send = gensec_gssapi_update_send,
+ .update_recv = gensec_gssapi_update_recv,
.session_key = gensec_gssapi_session_key,
.session_info = gensec_gssapi_session_info,
.sign_packet = gensec_gssapi_sign_packet,
.check_packet = gensec_gssapi_check_packet,
.seal_packet = gensec_gssapi_seal_packet,
.unseal_packet = gensec_gssapi_unseal_packet,
+ .max_input_size = gensec_gssapi_max_input_size,
+ .max_wrapped_size = gensec_gssapi_max_wrapped_size,
.wrap = gensec_gssapi_wrap,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = false,
.kerberos = true,
.priority = GENSEC_GSSAPI
.client_start = gensec_gssapi_client_start,
.server_start = gensec_gssapi_server_start,
.magic = gensec_magic_check_krb5_oid,
- .update = gensec_gssapi_update,
+ .update_send = gensec_gssapi_update_send,
+ .update_recv = gensec_gssapi_update_recv,
.session_key = gensec_gssapi_session_key,
.session_info = gensec_gssapi_session_info,
.sig_size = gensec_gssapi_sig_size,
.check_packet = gensec_gssapi_check_packet,
.seal_packet = gensec_gssapi_seal_packet,
.unseal_packet = gensec_gssapi_unseal_packet,
+ .max_input_size = gensec_gssapi_max_input_size,
+ .max_wrapped_size = gensec_gssapi_max_wrapped_size,
.wrap = gensec_gssapi_wrap,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
.sasl_name = "GSSAPI",
.client_start = gensec_gssapi_sasl_client_start,
.server_start = gensec_gssapi_sasl_server_start,
- .update = gensec_gssapi_update,
+ .update_send = gensec_gssapi_update_send,
+ .update_recv = gensec_gssapi_update_recv,
.session_key = gensec_gssapi_session_key,
.session_info = gensec_gssapi_session_info,
.max_input_size = gensec_gssapi_max_input_size,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
.expire_time = gensec_gssapi_expire_time,
+ .final_auth_type = gensec_gssapi_final_auth_type,
.enabled = true,
.kerberos = true,
.priority = GENSEC_GSSAPI
};
-_PUBLIC_ NTSTATUS gensec_gssapi_init(void)
+_PUBLIC_ NTSTATUS gensec_gssapi_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
- ret = gensec_register(&gensec_gssapi_spnego_security_ops);
+ ret = gensec_register(ctx, &gensec_gssapi_spnego_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_gssapi_spnego_security_ops.name));
return ret;
}
- ret = gensec_register(&gensec_gssapi_krb5_security_ops);
+ ret = gensec_register(ctx, &gensec_gssapi_krb5_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_gssapi_krb5_security_ops.name));
return ret;
}
- ret = gensec_register(&gensec_gssapi_sasl_krb5_security_ops);
+ ret = gensec_register(ctx, &gensec_gssapi_sasl_krb5_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
gensec_gssapi_sasl_krb5_security_ops.name));