2 * GSSAPI Security Extensions
3 * RPC Pipe client and server routines
4 * Copyright (C) Simo Sorce 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 /* We support only GSSAPI/KRB5 here */
24 #include "libads/kerberos_proto.h"
26 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
31 #ifndef GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
32 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
33 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
36 gss_OID_desc gse_sesskey_inq_oid = {
37 GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH,
38 (void *)GSS_KRB5_INQ_SSPI_SESSION_KEY_OID
41 #ifndef GSS_KRB5_SESSION_KEY_ENCTYPE_OID
42 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
43 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
46 gss_OID_desc gse_sesskeytype_oid = {
47 GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
48 (void *)GSS_KRB5_SESSION_KEY_ENCTYPE_OID
51 #define GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID_LENGTH 12
52 /* EXTRACTION OID AUTHZ ID */
53 #define GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a" "\x01"
55 gss_OID_desc gse_authz_data_oid = {
56 GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID_LENGTH,
57 (void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
60 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
69 gss_OID_desc gss_mech;
70 OM_uint32 gss_c_flags;
72 gss_name_t server_name;
76 gss_cred_id_t delegated_creds;
77 gss_name_t client_name;
83 #ifndef HAVE_GSS_OID_EQUAL
85 static bool gss_oid_equal(const gss_OID o1, const gss_OID o2)
90 if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) {
93 if (o1->length != o2->length) {
96 return memcmp(o1->elements, o2->elements, o1->length) == false;
101 /* free non talloc dependent contexts */
102 static int gse_context_destructor(void *ptr)
104 struct gse_context *gse_ctx;
105 OM_uint32 gss_min, gss_maj;
107 gse_ctx = talloc_get_type_abort(ptr, struct gse_context);
108 if (gse_ctx->k5ctx) {
109 if (gse_ctx->ccache) {
110 krb5_cc_close(gse_ctx->k5ctx, gse_ctx->ccache);
111 gse_ctx->ccache = NULL;
113 if (gse_ctx->keytab) {
114 krb5_kt_close(gse_ctx->k5ctx, gse_ctx->keytab);
115 gse_ctx->keytab = NULL;
117 krb5_free_context(gse_ctx->k5ctx);
118 gse_ctx->k5ctx = NULL;
120 if (gse_ctx->gss_ctx != GSS_C_NO_CONTEXT) {
121 gss_maj = gss_delete_sec_context(&gss_min,
125 if (gse_ctx->server_name) {
126 gss_maj = gss_release_name(&gss_min,
127 &gse_ctx->server_name);
129 if (gse_ctx->client_name) {
130 gss_maj = gss_release_name(&gss_min,
131 &gse_ctx->client_name);
133 if (gse_ctx->creds) {
134 gss_maj = gss_release_cred(&gss_min,
137 if (gse_ctx->delegated_creds) {
138 gss_maj = gss_release_cred(&gss_min,
139 &gse_ctx->delegated_creds);
142 /* MIT and Heimdal differ as to if you can call
143 * gss_release_oid() on this OID, generated by
144 * gss_{accept,init}_sec_context(). However, as long as the
145 * oid is gss_mech_krb5 (which it always is at the moment),
146 * then this is a moot point, as both declare this particular
147 * OID static, and so no memory is lost. This assert is in
148 * place to ensure that the programmer who wishes to extend
149 * this code to EAP or other GSS mechanisms determines an
150 * implementation-dependent way of releasing any dynamically
152 SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5));
157 static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
158 bool do_sign, bool do_seal,
159 const char *ccache_name,
160 uint32_t add_gss_c_flags,
161 struct gse_context **_gse_ctx)
163 struct gse_context *gse_ctx;
164 krb5_error_code k5ret;
167 gse_ctx = talloc_zero(mem_ctx, struct gse_context);
169 return NT_STATUS_NO_MEMORY;
171 talloc_set_destructor((TALLOC_CTX *)gse_ctx, gse_context_destructor);
173 memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
175 gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
177 GSS_C_DELEG_POLICY_FLAG |
181 gse_ctx->gss_c_flags |= GSS_C_INTEG_FLAG;
184 gse_ctx->gss_c_flags |= GSS_C_CONF_FLAG;
187 gse_ctx->gss_c_flags |= add_gss_c_flags;
189 /* Initialize Kerberos Context */
190 initialize_krb5_error_table();
192 k5ret = krb5_init_context(&gse_ctx->k5ctx);
194 DEBUG(0, ("Failed to initialize kerberos context! (%s)\n",
195 error_message(k5ret)));
196 status = NT_STATUS_INTERNAL_ERROR;
201 ccache_name = krb5_cc_default_name(gse_ctx->k5ctx);
203 k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
206 DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
207 error_message(k5ret)));
208 status = NT_STATUS_INTERNAL_ERROR;
212 /* TODO: Should we enforce a enc_types list ?
213 ret = krb5_set_default_tgs_ktypes(gse_ctx->k5ctx, enc_types);
220 TALLOC_FREE(gse_ctx);
224 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
225 bool do_sign, bool do_seal,
226 const char *ccache_name,
229 const char *username,
230 const char *password,
231 uint32_t add_gss_c_flags,
232 struct gse_context **_gse_ctx)
234 struct gse_context *gse_ctx;
235 OM_uint32 gss_maj, gss_min;
236 gss_buffer_desc name_buffer = {0, NULL};
237 gss_OID_set_desc mech_set;
240 if (!server || !service) {
241 return NT_STATUS_INVALID_PARAMETER;
244 status = gse_context_init(mem_ctx, do_sign, do_seal,
245 ccache_name, add_gss_c_flags,
247 if (!NT_STATUS_IS_OK(status)) {
248 return NT_STATUS_NO_MEMORY;
251 /* Guess the realm based on the supplied service, and avoid the GSS libs
252 doing DNS lookups which may fail.
254 TODO: Loop with the KDC on some more combinations (local
255 realm in particular), possibly falling back to
256 GSS_C_NT_HOSTBASED_SERVICE
258 name_buffer.value = kerberos_get_principal_from_service_hostname(gse_ctx,
260 if (!name_buffer.value) {
261 status = NT_STATUS_NO_MEMORY;
264 name_buffer.length = strlen((char *)name_buffer.value);
265 gss_maj = gss_import_name(&gss_min, &name_buffer,
267 &gse_ctx->server_name);
269 DEBUG(0, ("gss_import_name failed for %s, with [%s]\n",
270 (char *)name_buffer.value,
271 gse_errstr(gse_ctx, gss_maj, gss_min)));
272 status = NT_STATUS_INTERNAL_ERROR;
276 /* TODO: get krb5 ticket using username/password, if no valid
277 * one already available in ccache */
280 mech_set.elements = &gse_ctx->gss_mech;
282 gss_maj = gss_acquire_cred(&gss_min,
290 DEBUG(0, ("gss_acquire_creds failed for %s, with [%s]\n",
291 (char *)name_buffer.value,
292 gse_errstr(gse_ctx, gss_maj, gss_min)));
293 status = NT_STATUS_INTERNAL_ERROR;
298 TALLOC_FREE(name_buffer.value);
302 TALLOC_FREE(name_buffer.value);
303 TALLOC_FREE(gse_ctx);
307 NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
308 struct gse_context *gse_ctx,
310 DATA_BLOB *token_out)
312 OM_uint32 gss_maj, gss_min;
313 gss_buffer_desc in_data;
314 gss_buffer_desc out_data;
315 DATA_BLOB blob = data_blob_null;
318 in_data.value = token_in->data;
319 in_data.length = token_in->length;
321 gss_maj = gss_init_sec_context(&gss_min,
324 gse_ctx->server_name,
326 gse_ctx->gss_c_flags,
327 0, GSS_C_NO_CHANNEL_BINDINGS,
328 &in_data, NULL, &out_data,
332 /* we are done with it */
333 gse_ctx->more_processing = false;
334 status = NT_STATUS_OK;
336 case GSS_S_CONTINUE_NEEDED:
337 /* we will need a third leg */
338 gse_ctx->more_processing = true;
339 /* status = NT_STATUS_MORE_PROCESSING_REQUIRED; */
340 status = NT_STATUS_OK;
343 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
344 gse_errstr(talloc_tos(), gss_maj, gss_min)));
345 status = NT_STATUS_INTERNAL_ERROR;
349 blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
351 status = NT_STATUS_NO_MEMORY;
354 gss_maj = gss_release_buffer(&gss_min, &out_data);
361 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
362 bool do_sign, bool do_seal,
363 uint32_t add_gss_c_flags,
364 struct gse_context **_gse_ctx)
366 struct gse_context *gse_ctx;
367 OM_uint32 gss_maj, gss_min;
371 status = gse_context_init(mem_ctx, do_sign, do_seal,
372 NULL, add_gss_c_flags, &gse_ctx);
373 if (!NT_STATUS_IS_OK(status)) {
374 return NT_STATUS_NO_MEMORY;
377 ret = gse_krb5_get_server_keytab(gse_ctx->k5ctx,
380 status = NT_STATUS_INTERNAL_ERROR;
384 #ifdef HAVE_GSS_KRB5_IMPORT_CRED
386 /* This creates a GSSAPI cred_id_t with the keytab set */
387 gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
391 && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
392 DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
393 gse_errstr(gse_ctx, gss_maj, gss_min)));
394 status = NT_STATUS_INTERNAL_ERROR;
397 /* This is the error the MIT krb5 1.9 gives when it
398 * implements the function, but we do not specify the
399 * principal. However, when we specify the principal
400 * as host$@REALM the GSS acceptor fails with 'wrong
401 * principal in request'. Work around the issue by
402 * falling back to the alternate approach below. */
403 } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
406 * This call sets the default keytab for the whole server, not
407 * just for this context. Need to find a way that does not alter
408 * the state of the whole server ... */
411 gss_OID_set_desc mech_set;
413 ret = smb_krb5_keytab_name(gse_ctx, gse_ctx->k5ctx,
414 gse_ctx->keytab, &ktname);
416 status = NT_STATUS_INTERNAL_ERROR;
420 ret = gsskrb5_register_acceptor_identity(ktname);
422 status = NT_STATUS_INTERNAL_ERROR;
427 mech_set.elements = &gse_ctx->gss_mech;
429 gss_maj = gss_acquire_cred(&gss_min,
438 DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
439 gse_errstr(gse_ctx, gss_maj, gss_min)));
440 status = NT_STATUS_INTERNAL_ERROR;
445 status = NT_STATUS_OK;
448 if (!NT_STATUS_IS_OK(status)) {
449 TALLOC_FREE(gse_ctx);
456 NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
457 struct gse_context *gse_ctx,
459 DATA_BLOB *token_out)
461 OM_uint32 gss_maj, gss_min;
462 gss_buffer_desc in_data;
463 gss_buffer_desc out_data;
464 DATA_BLOB blob = data_blob_null;
467 in_data.value = token_in->data;
468 in_data.length = token_in->length;
470 gss_maj = gss_accept_sec_context(&gss_min,
474 GSS_C_NO_CHANNEL_BINDINGS,
475 &gse_ctx->client_name,
478 &gse_ctx->ret_flags, NULL,
479 &gse_ctx->delegated_creds);
482 /* we are done with it */
483 gse_ctx->more_processing = false;
484 gse_ctx->authenticated = true;
485 status = NT_STATUS_OK;
487 case GSS_S_CONTINUE_NEEDED:
488 /* we will need a third leg */
489 gse_ctx->more_processing = true;
490 /* status = NT_STATUS_MORE_PROCESSING_REQUIRED; */
491 status = NT_STATUS_OK;
494 DEBUG(0, ("gss_init_sec_context failed with [%s]\n",
495 gse_errstr(talloc_tos(), gss_maj, gss_min)));
497 if (gse_ctx->gss_ctx) {
498 gss_delete_sec_context(&gss_min,
503 status = NT_STATUS_INTERNAL_ERROR;
507 /* we may be told to return nothing */
508 if (out_data.length) {
509 blob = data_blob_talloc(mem_ctx, out_data.value, out_data.length);
511 status = NT_STATUS_NO_MEMORY;
513 gss_maj = gss_release_buffer(&gss_min, &out_data);
522 NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
524 if (!gse_ctx->authenticated) {
525 return NT_STATUS_INVALID_HANDLE;
528 if (memcmp(gse_ctx->ret_mech,
529 gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
530 return NT_STATUS_ACCESS_DENIED;
533 /* GSS_C_MUTUAL_FLAG */
534 if (gse_ctx->gss_c_flags & GSS_C_MUTUAL_FLAG) {
535 if (!(gse_ctx->ret_flags & GSS_C_MUTUAL_FLAG)) {
536 return NT_STATUS_ACCESS_DENIED;
540 /* GSS_C_DELEG_FLAG */
541 /* GSS_C_DELEG_POLICY_FLAG */
542 /* GSS_C_REPLAY_FLAG */
543 /* GSS_C_SEQUENCE_FLAG */
545 /* GSS_C_INTEG_FLAG */
546 if (gse_ctx->gss_c_flags & GSS_C_INTEG_FLAG) {
547 if (!(gse_ctx->ret_flags & GSS_C_INTEG_FLAG)) {
548 return NT_STATUS_ACCESS_DENIED;
552 /* GSS_C_CONF_FLAG */
553 if (gse_ctx->gss_c_flags & GSS_C_CONF_FLAG) {
554 if (!(gse_ctx->ret_flags & GSS_C_CONF_FLAG)) {
555 return NT_STATUS_ACCESS_DENIED;
562 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
564 OM_uint32 gss_min, gss_maj;
565 gss_buffer_desc msg_min;
566 gss_buffer_desc msg_maj;
567 OM_uint32 msg_ctx = 0;
571 ZERO_STRUCT(msg_min);
572 ZERO_STRUCT(msg_maj);
574 gss_maj = gss_display_status(&gss_min, maj, GSS_C_GSS_CODE,
575 GSS_C_NO_OID, &msg_ctx, &msg_maj);
579 errstr = talloc_strndup(mem_ctx,
580 (char *)msg_maj.value,
585 gss_maj = gss_display_status(&gss_min, min, GSS_C_MECH_CODE,
586 (gss_OID)discard_const(gss_mech_krb5),
592 errstr = talloc_strdup_append_buffer(errstr, ": ");
596 errstr = talloc_strndup_append_buffer(errstr,
597 (char *)msg_min.value,
605 gss_maj = gss_release_buffer(&gss_min, &msg_min);
608 gss_maj = gss_release_buffer(&gss_min, &msg_maj);
613 bool gse_require_more_processing(struct gse_context *gse_ctx)
615 return gse_ctx->more_processing;
618 DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
619 struct gse_context *gse_ctx)
621 OM_uint32 gss_min, gss_maj;
622 gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
625 gss_maj = gss_inquire_sec_context_by_oid(
626 &gss_min, gse_ctx->gss_ctx,
627 &gse_sesskey_inq_oid, &set);
629 DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
630 gse_errstr(talloc_tos(), gss_maj, gss_min)));
631 return data_blob_null;
634 if ((set == GSS_C_NO_BUFFER_SET) ||
636 (memcmp(set->elements[1].value,
637 gse_sesskeytype_oid.elements,
638 gse_sesskeytype_oid.length) != 0)) {
639 #ifdef HAVE_GSSKRB5_GET_SUBKEY
640 krb5_keyblock *subkey;
641 gss_maj = gsskrb5_get_subkey(&gss_min,
645 DEBUG(1, ("NO session key for this mech\n"));
646 return data_blob_null;
648 ret = data_blob_talloc(mem_ctx,
649 KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
650 krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
653 DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
654 "OID for data in results:\n"));
655 dump_data(1, (uint8_t *)set->elements[1].value,
656 set->elements[1].length);
657 return data_blob_null;
661 ret = data_blob_talloc(mem_ctx, set->elements[0].value,
662 set->elements[0].length);
664 gss_maj = gss_release_buffer_set(&gss_min, &set);
668 NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
669 TALLOC_CTX *mem_ctx, char **cli_name)
671 OM_uint32 gss_min, gss_maj;
672 gss_buffer_desc name_buffer;
674 if (!gse_ctx->authenticated) {
675 return NT_STATUS_ACCESS_DENIED;
678 if (!gse_ctx->client_name) {
679 return NT_STATUS_NOT_FOUND;
682 /* TODO: check OID matches KRB5 Principal Name OID ? */
684 gss_maj = gss_display_name(&gss_min,
685 gse_ctx->client_name,
688 DEBUG(0, ("gss_display_name failed [%s]\n",
689 gse_errstr(talloc_tos(), gss_maj, gss_min)));
690 return NT_STATUS_INTERNAL_ERROR;
693 *cli_name = talloc_strndup(talloc_tos(),
694 (char *)name_buffer.value,
697 gss_maj = gss_release_buffer(&gss_min, &name_buffer);
700 return NT_STATUS_NO_MEMORY;
706 NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
707 TALLOC_CTX *mem_ctx, DATA_BLOB *pac)
709 OM_uint32 gss_min, gss_maj;
710 gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
712 if (!gse_ctx->authenticated) {
713 return NT_STATUS_ACCESS_DENIED;
716 gss_maj = gss_inquire_sec_context_by_oid(
717 &gss_min, gse_ctx->gss_ctx,
718 &gse_authz_data_oid, &set);
720 DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
721 gse_errstr(talloc_tos(), gss_maj, gss_min)));
722 return NT_STATUS_NOT_FOUND;
725 if (set == GSS_C_NO_BUFFER_SET) {
726 DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
727 "data in results.\n"));
728 return NT_STATUS_INTERNAL_ERROR;
731 /* for now we just hope it is the first value */
732 *pac = data_blob_talloc(mem_ctx,
733 set->elements[0].value,
734 set->elements[0].length);
736 gss_maj = gss_release_buffer_set(&gss_min, &set);
741 NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
742 TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
744 if (!gse_ctx->authenticated) {
745 return NT_STATUS_ACCESS_DENIED;
748 return gssapi_obtain_pac_blob(mem_ctx, gse_ctx->gss_ctx,
749 gse_ctx->client_name, pac_blob);
752 size_t gse_get_signature_length(struct gse_context *gse_ctx,
753 int seal, size_t payload_size)
755 OM_uint32 gss_min, gss_maj;
756 gss_iov_buffer_desc iov[2];
757 uint8_t fakebuf[payload_size];
760 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
761 iov[0].buffer.value = NULL;
762 iov[0].buffer.length = 0;
763 iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
764 iov[1].buffer.value = fakebuf;
765 iov[1].buffer.length = payload_size;
767 gss_maj = gss_wrap_iov_length(&gss_min, gse_ctx->gss_ctx,
768 seal, GSS_C_QOP_DEFAULT,
771 DEBUG(0, ("gss_wrap_iov_length failed with [%s]\n",
772 gse_errstr(talloc_tos(), gss_maj, gss_min)));
776 return iov[0].buffer.length;
779 NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
780 DATA_BLOB *data, DATA_BLOB *signature)
782 OM_uint32 gss_min, gss_maj;
783 gss_iov_buffer_desc iov[2];
784 int req_seal = 1; /* setting to 1 means we request sign+seal */
788 /* allocate the memory ourselves so we do not need to talloc_memdup */
789 signature->length = gse_get_signature_length(gse_ctx, 1, data->length);
790 if (!signature->length) {
791 return NT_STATUS_INTERNAL_ERROR;
793 signature->data = (uint8_t *)talloc_size(mem_ctx, signature->length);
794 if (!signature->data) {
795 return NT_STATUS_NO_MEMORY;
797 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
798 iov[0].buffer.value = signature->data;
799 iov[0].buffer.length = signature->length;
801 /* data is encrypted in place, which is ok */
802 iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
803 iov[1].buffer.value = data->data;
804 iov[1].buffer.length = data->length;
806 gss_maj = gss_wrap_iov(&gss_min, gse_ctx->gss_ctx,
807 req_seal, GSS_C_QOP_DEFAULT,
810 DEBUG(0, ("gss_wrap_iov failed with [%s]\n",
811 gse_errstr(talloc_tos(), gss_maj, gss_min)));
812 status = NT_STATUS_ACCESS_DENIED;
817 DEBUG(0, ("gss_wrap_iov says data was not sealed!\n"));
818 status = NT_STATUS_ACCESS_DENIED;
822 status = NT_STATUS_OK;
824 DEBUG(10, ("Sealed %d bytes, and got %d bytes header/signature.\n",
825 (int)iov[1].buffer.length, (int)iov[0].buffer.length));
831 NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
832 DATA_BLOB *data, DATA_BLOB *signature)
834 OM_uint32 gss_min, gss_maj;
835 gss_iov_buffer_desc iov[2];
839 iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
840 iov[0].buffer.value = signature->data;
841 iov[0].buffer.length = signature->length;
843 /* data is decrypted in place, which is ok */
844 iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
845 iov[1].buffer.value = data->data;
846 iov[1].buffer.length = data->length;
848 gss_maj = gss_unwrap_iov(&gss_min, gse_ctx->gss_ctx,
849 &sealed, NULL, iov, 2);
851 DEBUG(0, ("gss_unwrap_iov failed with [%s]\n",
852 gse_errstr(talloc_tos(), gss_maj, gss_min)));
853 status = NT_STATUS_ACCESS_DENIED;
858 DEBUG(0, ("gss_unwrap_iov says data is not sealed!\n"));
859 status = NT_STATUS_ACCESS_DENIED;
863 status = NT_STATUS_OK;
865 DEBUG(10, ("Unsealed %d bytes, with %d bytes header/signature.\n",
866 (int)iov[1].buffer.length, (int)iov[0].buffer.length));
872 NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
873 DATA_BLOB *data, DATA_BLOB *signature)
875 OM_uint32 gss_min, gss_maj;
876 gss_buffer_desc in_data = { 0, NULL };
877 gss_buffer_desc out_data = { 0, NULL};
880 in_data.value = data->data;
881 in_data.length = data->length;
883 gss_maj = gss_get_mic(&gss_min, gse_ctx->gss_ctx,
885 &in_data, &out_data);
887 DEBUG(0, ("gss_get_mic failed with [%s]\n",
888 gse_errstr(talloc_tos(), gss_maj, gss_min)));
889 status = NT_STATUS_ACCESS_DENIED;
893 *signature = data_blob_talloc(mem_ctx,
894 out_data.value, out_data.length);
895 if (!signature->data) {
896 status = NT_STATUS_NO_MEMORY;
900 status = NT_STATUS_OK;
903 if (out_data.value) {
904 gss_maj = gss_release_buffer(&gss_min, &out_data);
909 NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
910 DATA_BLOB *data, DATA_BLOB *signature)
912 OM_uint32 gss_min, gss_maj;
913 gss_buffer_desc in_data = { 0, NULL };
914 gss_buffer_desc in_token = { 0, NULL};
917 in_data.value = data->data;
918 in_data.length = data->length;
919 in_token.value = signature->data;
920 in_token.length = signature->length;
922 gss_maj = gss_verify_mic(&gss_min, gse_ctx->gss_ctx,
923 &in_data, &in_token, NULL);
925 DEBUG(0, ("gss_verify_mic failed with [%s]\n",
926 gse_errstr(talloc_tos(), gss_maj, gss_min)));
927 status = NT_STATUS_ACCESS_DENIED;
931 status = NT_STATUS_OK;
939 NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
940 bool do_sign, bool do_seal,
941 const char *ccache_name,
944 const char *username,
945 const char *password,
946 uint32_t add_gss_c_flags,
947 struct gse_context **_gse_ctx)
949 return NT_STATUS_NOT_IMPLEMENTED;
952 NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
953 struct gse_context *gse_ctx,
955 DATA_BLOB *token_out)
957 return NT_STATUS_NOT_IMPLEMENTED;
960 NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
961 bool do_sign, bool do_seal,
962 uint32_t add_gss_c_flags,
963 struct gse_context **_gse_ctx)
965 return NT_STATUS_NOT_IMPLEMENTED;
968 NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
969 struct gse_context *gse_ctx,
971 DATA_BLOB *token_out)
973 return NT_STATUS_NOT_IMPLEMENTED;
976 NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
978 return NT_STATUS_NOT_IMPLEMENTED;
981 bool gse_require_more_processing(struct gse_context *gse_ctx)
986 DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
987 struct gse_context *gse_ctx)
989 return data_blob_null;
992 NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
993 TALLOC_CTX *mem_ctx, char **cli_name)
995 return NT_STATUS_NOT_IMPLEMENTED;
998 NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
999 TALLOC_CTX *mem_ctx, DATA_BLOB *pac)
1001 return NT_STATUS_NOT_IMPLEMENTED;
1004 NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
1005 TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
1007 return NT_STATUS_NOT_IMPLEMENTED;
1010 size_t gse_get_signature_length(struct gse_context *gse_ctx,
1011 int seal, size_t payload_size)
1016 NTSTATUS gse_seal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
1017 DATA_BLOB *data, DATA_BLOB *signature)
1019 return NT_STATUS_NOT_IMPLEMENTED;
1022 NTSTATUS gse_unseal(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
1023 DATA_BLOB *data, DATA_BLOB *signature)
1025 return NT_STATUS_NOT_IMPLEMENTED;
1028 NTSTATUS gse_sign(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
1029 DATA_BLOB *data, DATA_BLOB *signature)
1031 return NT_STATUS_NOT_IMPLEMENTED;
1034 NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
1035 DATA_BLOB *data, DATA_BLOB *signature)
1037 return NT_STATUS_NOT_IMPLEMENTED;
1040 #endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */